From 810530fabdafc98234f89ca465aa3b09a24c9309 Mon Sep 17 00:00:00 2001 From: ma wei Date: Fri, 7 Aug 2015 10:08:37 +0800 Subject: [PATCH 01/33] upgrade dependency check core and utils version to 1.3.0 --- dependency-check-gradle/build.gradle | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dependency-check-gradle/build.gradle b/dependency-check-gradle/build.gradle index 2c0d302a9..c447bc8ec 100644 --- a/dependency-check-gradle/build.gradle +++ b/dependency-check-gradle/build.gradle @@ -46,8 +46,8 @@ dependencies { compile( localGroovy(), gradleApi(), - 'org.owasp:dependency-check-core:1.2.11', - 'org.owasp:dependency-check-utils:1.2.11' + 'org.owasp:dependency-check-core:1.3.0', + 'org.owasp:dependency-check-utils:1.3.0' ) testCompile ('com.netflix.nebula:nebula-test:2.2.+'){ @@ -78,4 +78,4 @@ task integTest(type: Test) { classpath = sourceSets.integTest.runtimeClasspath reports.html.destination = file("$buildDir/reports/integ") jvmArgs '-XX:MaxPermSize=256m' -} \ No newline at end of file +} From 62a0b8da90596a486bf5e5c25878b54833be5626 Mon Sep 17 00:00:00 2001 From: ma wei Date: Fri, 7 Aug 2015 10:09:40 +0800 Subject: [PATCH 02/33] add configuration, let user has ability to control HTTP method used during the update process to avoid proxy problem --- .../DependencyCheckConfigurationExtension.groovy | 2 ++ .../security/plugin/DependencyCheckGradlePlugin.groovy | 1 + .../com/tools/security/tasks/DependencyCheckTask.groovy | 8 ++++++++ .../plugin/DependencyCheckGradlePluginSpec.groovy | 3 +++ 4 files changed, 14 insertions(+) diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckConfigurationExtension.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckConfigurationExtension.groovy index 8e7a29ce3..e86f66e25 100644 --- a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckConfigurationExtension.groovy 
+++ b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckConfigurationExtension.groovy @@ -31,4 +31,6 @@ class DependencyCheckConfigurationExtension { String cveUrl20Base = "https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz" String outputDirectory = "./reports" + + Boolean quickQueryTimestamp = true; } diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheckGradlePlugin.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheckGradlePlugin.groovy index 937226401..2274c9af4 100644 --- a/dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheckGradlePlugin.groovy +++ b/dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheckGradlePlugin.groovy @@ -49,6 +49,7 @@ class DependencyCheckGradlePlugin implements Plugin { conventionMapping.cveUrl12Base = { extension.cveUrl12Base } conventionMapping.cveUrl20Base = { extension.cveUrl20Base } conventionMapping.outputDirectory = { extension.outputDirectory } + conventionMapping.quickQueryTimestamp = { extension.quickQueryTimestamp } } } } \ No newline at end of file diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy index c76f1ab92..3e371ec81 100644 --- a/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy +++ b/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy @@ -28,6 +28,7 @@ import org.owasp.dependencycheck.dependency.Dependency import org.owasp.dependencycheck.reporting.ReportGenerator import org.owasp.dependencycheck.utils.Settings +import static org.owasp.dependencycheck.utils.Settings.setBoolean import static org.owasp.dependencycheck.utils.Settings.setString class DependencyCheckTask extends DefaultTask { 
@@ -47,6 +48,8 @@ class DependencyCheckTask extends DefaultTask { String outputDirectory = "./reports" + Boolean quickQueryTimestamp = true; + DependencyCheckTask() { group = 'Dependency Check' description = 'Produce dependency security report.' @@ -73,6 +76,7 @@ class DependencyCheckTask extends DefaultTask { Settings.initialize() overrideProxySetting() overrideCveUrlSetting() + overrideDownloaderSetting() } def cleanup(engine) { @@ -140,4 +144,8 @@ class DependencyCheckTask extends DefaultTask { setString(Settings.KEYS.CVE_SCHEMA_2_0, getCveUrl20Base()) setString(Settings.KEYS.CVE_SCHEMA_1_2, getCveUrl12Base()) } + + def overrideDownloaderSetting() { + setBoolean(Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP, getQuickQueryTimestamp()) + } } diff --git a/dependency-check-gradle/src/test/groovy/com/tools/security/plugin/DependencyCheckGradlePluginSpec.groovy b/dependency-check-gradle/src/test/groovy/com/tools/security/plugin/DependencyCheckGradlePluginSpec.groovy index 892285197..6a9666240 100644 --- a/dependency-check-gradle/src/test/groovy/com/tools/security/plugin/DependencyCheckGradlePluginSpec.groovy +++ b/dependency-check-gradle/src/test/groovy/com/tools/security/plugin/DependencyCheckGradlePluginSpec.groovy @@ -58,6 +58,7 @@ class DependencyCheckGradlePluginSpec extends PluginProjectSpec { task.cveUrl12Base == 'https://nvd.nist.gov/download/nvdcve-%d.xml.gz' task.cveUrl20Base == 'https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz' task.outputDirectory == './reports' + task.quickQueryTimestamp == true } def 'tasks use correct values when extension is used'() { @@ -73,6 +74,7 @@ class DependencyCheckGradlePluginSpec extends PluginProjectSpec { cveUrl12Base = 'cveUrl12Base' cveUrl20Base = 'cveUrl20Base' outputDirectory = 'outputDirectory' + quickQueryTimestamp = false } then: 
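Review bot: `overrideDownloaderSetting()` passes the boxed `Boolean` from `getQuickQueryTimestamp()` straight to `setBoolean(...)`, so if `Settings.setBoolean` takes a primitive, a build script that assigns `null` to `quickQueryTimestamp` fails with a NullPointerException during task initialization instead of a readable configuration error. Declaring the property as a primitive `boolean quickQueryTimestamp = true` in both the task and the extension avoids the unboxing, and dropping the trailing semicolons matches the rest of these Groovy files. The new method has no comment saying why the option exists; the README text in this series gives the reason and it belongs on the method, e.g. `// false makes the NVD timestamp query use GET instead of HEAD, for proxies that reject HEAD`. `DependencyCheckTask` continues outside the hunk.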
@@ -87,5 +89,6 @@ class DependencyCheckGradlePluginSpec extends PluginProjectSpec { task.cveUrl12Base == 'cveUrl12Base' task.cveUrl20Base == 'cveUrl20Base' task.outputDirectory == 'outputDirectory' + task.quickQueryTimestamp == false } } From 0472471ac984ac25520668c336bf8e93abcac26b Mon Sep 17 00:00:00 2001 From: ma wei Date: Fri, 7 Aug 2015 10:11:34 +0800 Subject: [PATCH 03/33] update the gradle plugin version to 0.0.6 --- dependency-check-gradle/build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dependency-check-gradle/build.gradle b/dependency-check-gradle/build.gradle index c447bc8ec..ed71a7c3d 100644 --- a/dependency-check-gradle/build.gradle +++ b/dependency-check-gradle/build.gradle @@ -56,7 +56,7 @@ dependencies { } group = 'com.thoughtworks.tools' -version = '0.0.5' +version = '0.0.6' apply from: 'conf/publish/local.gradle' //apply from: 'conf/publish/maven.gradle' From d1dbde28907530cd80c3b4151000f44816ea983e Mon Sep 17 00:00:00 2001 From: ma wei Date: Fri, 7 Aug 2015 10:13:00 +0800 Subject: [PATCH 04/33] fix issue that fail to publish gradle plugin to maven central --- dependency-check-gradle/build.gradle | 18 +++++++++--------- .../conf/publish/maven.gradle | 5 +++++ 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/dependency-check-gradle/build.gradle b/dependency-check-gradle/build.gradle index ed71a7c3d..18f7454a7 100644 --- a/dependency-check-gradle/build.gradle +++ b/dependency-check-gradle/build.gradle 
@@ -50,19 +50,11 @@ dependencies { 'org.owasp:dependency-check-utils:1.3.0' ) - testCompile ('com.netflix.nebula:nebula-test:2.2.+'){ + testCompile ('com.netflix.nebula:nebula-test:2.2.2'){ exclude group: 'org.codehaus.groovy' } } -group = 'com.thoughtworks.tools' -version = '0.0.6' - -apply from: 'conf/publish/local.gradle' -//apply from: 'conf/publish/maven.gradle' -apply from: 'conf/publish/gradlePluginsPortal.gradle' -//apply from: 'conf/publish/bintray.gradle' // according to the documentation of plugindev, this line has to be placed and the very end of the build file - sourceSets { integTest { groovy.srcDir file('src/integTest/groovy') @@ -79,3 +71,11 @@ task integTest(type: Test) { reports.html.destination = file("$buildDir/reports/integ") jvmArgs '-XX:MaxPermSize=256m' } + +group = 'com.thoughtworks.tools' +version = '0.0.6' + +apply from: 'conf/publish/local.gradle' +//apply from: 'conf/publish/maven.gradle' +apply from: 'conf/publish/gradlePluginsPortal.gradle' +//apply from: 'conf/publish/bintray.gradle' // according to the documentation of plugindev, this line has to be placed and the very end of the build file \ No newline at end of file diff --git a/dependency-check-gradle/conf/publish/maven.gradle b/dependency-check-gradle/conf/publish/maven.gradle index 5f9787387..462ced0f7 100644 --- a/dependency-check-gradle/conf/publish/maven.gradle +++ b/dependency-check-gradle/conf/publish/maven.gradle @@ -66,6 +66,11 @@ task javadocJar(type: Jar) { from javadoc } +task sourcesJar(type: Jar, dependsOn: classes) { + classifier = 'sources' + from sourceSets.main.allSource +} + artifacts { archives javadocJar, sourcesJar } From 706967147156d2ced8355c1a20d19eeb89ab1947 Mon Sep 17 00:00:00 2001 
From: ma wei Date: Fri, 7 Aug 2015 10:13:27 +0800 Subject: [PATCH 05/33] fix issue that fail to publish gradle plugin to gradle plugin portal --- .../dependency.check.properties | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/dependency.check.properties diff --git a/dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/dependency.check.properties b/dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/dependency.check.properties new file mode 100644 index 000000000..877c70050 --- /dev/null +++ b/dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/dependency.check.properties @@ -0,0 +1,19 @@ +# +# This file is part of dependency-check-gradle. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# Copyright (c) 2015 Wei Ma. All Rights Reserved. +# + +implementation-class=com.tools.security.plugin.DependencyCheckGradlePlugin \ No newline at end of file From 7837718d04d1a7a56b4ff3489fda6bc9445e3b81 Mon Sep 17 00:00:00 2001 From: ma wei Date: Fri, 7 Aug 2015 10:13:53 +0800 Subject: [PATCH 06/33] update README file --- dependency-check-gradle/README.md | 31 +++++++++++++++++++++++-------- 1 file changed, 23 insertions(+), 8 deletions(-) diff --git a/dependency-check-gradle/README.md b/dependency-check-gradle/README.md index ead2a50af..7707db3ec 100644 --- a/dependency-check-gradle/README.md +++ b/dependency-check-gradle/README.md 
@@ -7,6 +7,8 @@ This is a DependencyCheck gradle plugin designed for project which use Gradle as Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries. +Current latest version is `0.0.6` + ========= ## Usage @@ -15,7 +17,7 @@ Dependency-Check is a utility that attempts to detect publicly disclosed vulnera Please refer to either one of the solution -#### Solution 1,Install from Maven Central +#### Solution 1,Install from Maven Central (Recommended) ```groovy buildscript { @@ -23,7 +25,7 @@ buildscript { mavenCentral() } dependencies { - classpath 'com.thoughtworks.tools:dependency-check:0.0.5' + classpath 'com.thoughtworks.tools:dependency-check:0.0.6' } } ``` @@ -38,7 +40,7 @@ apply plugin: 'dependency.check' ```groovy plugins { - id "dependency.check" version "0.0.5" + id "dependency.check" version "0.0.6" } ``` @@ -52,11 +54,11 @@ buildscript { } } dependencies { - classpath "gradle.plugin.com.tools.security:dependency-check:0.0.5" + classpath "gradle.plugin.com.tools.security:dependency-check:0.0.6" } } -apply plugin: "dependency.check" +apply plugin: "dependency-check" ``` #### Solution 3,Install from Bintray @@ -73,7 +75,7 @@ buildscript { } dependencies { classpath( - 'com.tools.security:dependency-check:0.0.5' + 'com.tools.security:dependency-check:0.0.6' ) } } 
@@ -115,6 +117,19 @@ dependencyCheck { } ``` +In addition, if the proxy only allow HTTP `GET` or `POST` methods, you will find that the update process will always fail, + the root cause is that every time you run `dependencyCheck` task, it will try to query the latest timestamp to determine whether need to perform an update action, + and for performance reason the HTTP method it uses by default is `HEAD`, which probably is disabled or not supported by the proxy. To avoid this problem, you can simply change the HTTP method by below configuration: + +```groovy +dependencyCheck { + proxyServer = "127.0.0.1" // required, the server name or IP address of the proxy + proxyPort = 3128 // required, the port number of the proxy + + quickQueryTimestamp = false // when set to false, it means use HTTP GET method to query timestamp. (default value is true) +} +``` + ### What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project? Try put 'apply plugin: "dependency-check"' inside the 'allprojects' or 'subprojects' if you'd like to check all sub-projects only, see below: @@ -127,7 +142,7 @@ buildscript { mavenCentral() } dependencies { - classpath "gradle.plugin.com.tools.security:dependency-check:0.0.5" + classpath "gradle.plugin.com.tools.security:dependency-check:0.0.6" } } @@ -144,7 +159,7 @@ buildscript { mavenCentral() } dependencies { - classpath "gradle.plugin.com.tools.security:dependency-check:0.0.5" + classpath "gradle.plugin.com.tools.security:dependency-check:0.0.6" } } From c39eec32f2d02cde0fa91e6a542dfb32705a2fd9 Mon Sep 17 00:00:00 2001 From: ma wei Date: Fri, 7 Aug 2015 10:14:34 +0800 Subject: [PATCH 07/33] ignore gradle generated temporary files --- dependency-check-gradle/.gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/dependency-check-gradle/.gitignore b/dependency-check-gradle/.gitignore index 2a132566c..487d7533f 100644 --- a/dependency-check-gradle/.gitignore 
+++ b/dependency-check-gradle/.gitignore @@ -1,5 +1,6 @@ .idea/ .gradle +gradle/ *.iml *.ipr From fb3951772fe160c3858241789d2dbbe46cd41bd1 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 9 Aug 2015 09:10:18 -0400 Subject: [PATCH 08/33] fixed errors due to null values per issue #309 --- .../src/main/resources/templates/HtmlReport.vsl | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/dependency-check-core/src/main/resources/templates/HtmlReport.vsl b/dependency-check-core/src/main/resources/templates/HtmlReport.vsl index ac1bf63e9..a6f3bf4d8 100644 --- a/dependency-check-core/src/main/resources/templates/HtmlReport.vsl +++ b/dependency-check-core/src/main/resources/templates/HtmlReport.vsl @@ -591,6 +591,7 @@ arising out of or in connection with the use of this tool, the analysis performe #else $enc.html($id.value) #end + #set($cpeSort=0) #if ($cpeIdConf == "") #set($cpeIdConf=$id.confidence) #set($cpeSort=$id.confidence.ordinal()) @@ -602,11 +603,15 @@ arising out of or in connection with the use of this tool, the analysis performe #end #end + #if ($mavenlink=="") + + #else #if( $mavenlink.url ) - ##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here... + ##yes, we are HTML Encoding the href. This is okay. We can't URL encode as we have to trust the analyzer here... $enc.html($mavenlink.value) #elseif ($mavenlink.value) $enc.html($mavenlink.value) + #end #end #set($cveImpact=-1) #foreach($vuln in $dependency.getVulnerabilities()) From ccb87f43b78ba09f14a8d5e031972feaf0bf74bf Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 9 Aug 2015 09:36:55 -0400 Subject: [PATCH 09/33] made suppression notes textarea readonly to resolve issue #306 --- .../src/main/resources/templates/HtmlReport.vsl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
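Review bot: The new `#if ($mavenlink=="")` guard in the second HtmlReport.vsl hunk recognises only the empty-string sentinel, so it is correct only if `$mavenlink` is reset to `""` for every dependency before this block; in Velocity 1.x a `#set` whose right-hand side is null leaves the previous value in place, so a missing reset could render an earlier dependency's link on the wrong row — the assignment of `$mavenlink` is outside this hunk and worth checking. The retained comment already notes that `$enc.html(...)` only protects the attribute context and trusts the analyzer for the URL itself; since the report is opened in a browser, limiting the emitted href to `http`/`https` values before writing it would be a cheap extra check, assuming `url` is a string. The enclosing loop over `$dependency` presumably starts outside the hunk.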
diff --git a/dependency-check-core/src/main/resources/templates/HtmlReport.vsl b/dependency-check-core/src/main/resources/templates/HtmlReport.vsl index a6f3bf4d8..35f673c9e 100644 --- a/dependency-check-core/src/main/resources/templates/HtmlReport.vsl +++ b/dependency-check-core/src/main/resources/templates/HtmlReport.vsl @@ -504,7 +504,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
From 37f50db00e9878c44b85cbea8e5b1ef714b8ee0b Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 9 Aug 2015 09:56:20 -0400 Subject: [PATCH 10/33] removed related dependencies from hashCode and equals to resolve issue #293 --- .../org/owasp/dependencycheck/dependency/Dependency.java | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
index dd2f5bb26..26a6d1b56 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
@@ -720,7 +720,7 @@ public class Dependency implements Serializable, Comparable {
 && ObjectUtils.equals(this.description, other.description)
 && ObjectUtils.equals(this.license, other.license)
 && ObjectUtils.equals(this.vulnerabilities, other.vulnerabilities)
- && ObjectUtils.equals(this.relatedDependencies, other.relatedDependencies)
+ //&& ObjectUtils.equals(this.relatedDependencies, other.relatedDependencies)
 && ObjectUtils.equals(this.projectReferences, other.projectReferences)
 && ObjectUtils.equals(this.availableVersions, other.availableVersions);
 }
@@ -735,8 +735,9 @@ public class Dependency implements Serializable, Comparable {
 int hash = MAGIC_HASH_INIT_VALUE;
 for (Object field : new Object[]{this.actualFilePath, this.filePath, this.fileName, this.md5sum, this.sha1sum, this.identifiers, this.vendorEvidence, this.productEvidence, this.versionEvidence,
- this.description, this.license, this.vulnerabilities, this.relatedDependencies, this.projectReferences,
- this.availableVersions}) {
+ this.description, this.license, this.vulnerabilities,
+ //this.relatedDependencies,
+ this.projectReferences, this.availableVersions}) {
 hash = MAGIC_HASH_MULTIPLIER * hash + ObjectUtils.hashCode(field);
 }
 return hash;
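Review bot: The `relatedDependencies` term is commented out in both `equals` and `hashCode` rather than removed, which leaves dead code in two places and no record of why the field is excluded. Delete the two commented lines and put a why-comment above `equals`, e.g. `// relatedDependencies is deliberately excluded from equals/hashCode (issue #293); presumably related dependencies can reference each other` — the exact reason should be confirmed against the issue. Both methods still agree on the field set, so the equals/hashCode contract is preserved. Both method bodies begin outside the hunk.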
From a543fbbec96a473b5c6fc9760621fa4d79862694 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 9 Aug 2015 10:25:30 -0400 Subject: [PATCH 11/33] added an additional attempt to remove the temporary directory --- .../java/org/owasp/dependencycheck/utils/Settings.java | 9 +++++++++ 1 file changed, 9 insertions(+)
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
index e8da13f70..7cb006aeb 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
@@ -31,6 +31,7 @@ import java.io.UnsupportedEncodingException;
 import java.net.URLDecoder;
 import java.util.Enumeration;
 import java.util.Properties;
+import java.util.logging.Level;

 /**
 * A simple settings container that wraps the dependencycheck.properties file.
@@ -364,6 +365,14 @@ public final class Settings {
 public static void cleanup(boolean deleteTemporary) {
 if (deleteTemporary && tempDirectory != null && tempDirectory.exists()) {
 FileUtils.delete(tempDirectory);
+ if (tempDirectory.exists()) {
+ try {
+ Thread.sleep(2000);
+ } catch (InterruptedException ex) {
+ //ignore
+ }
+ FileUtils.delete(tempDirectory);
+ }
 }
 try {
 localSettings.remove();
From 8d1f3f723fdb62965013230b66f40b4ceab10d47 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 9 Aug 2015 10:25:44 -0400 Subject: [PATCH 12/33] version 1.3.1-SNAPSHOT --- dependency-check-ant/pom.xml | 2 +- dependency-check-cli/pom.xml | 2 +- dependency-check-core/pom.xml | 2 +- dependency-check-gradle/pom.xml | 4 ++-- dependency-check-jenkins/pom.xml | 2 +- dependency-check-maven/pom.xml | 2 +- dependency-check-utils/pom.xml | 2 +- pom.xml | 2 +- 8 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/dependency-check-ant/pom.xml b/dependency-check-ant/pom.xml
index dd5473d17..7e7208aef 100644
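Review bot: The `catch (InterruptedException ex)` in the new retry block swallows the interrupt, so a caller that interrupted the thread loses that signal; replace the `//ignore` with `Thread.currentThread().interrupt();` and, because a failed second `FileUtils.delete` is equally silent, log when `tempDirectory.exists()` is still true after the retry. The first hunk adds `import java.util.logging.Level;` but nothing in this patch uses it, so it appears to be an unused import (the rest of the file is not visible). A fixed two-second `Thread.sleep` in a cleanup path is paid on every failed first delete; a short bounded retry loop would be kinder to callers. `cleanup` continues outside the hunk.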
--- a/dependency-check-ant/pom.xml +++ b/dependency-check-ant/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.3.0 + 1.3.1-SNAPSHOT dependency-check-ant diff --git a/dependency-check-cli/pom.xml b/dependency-check-cli/pom.xml index 3d3231738..c76f50b72 100644 --- a/dependency-check-cli/pom.xml +++ b/dependency-check-cli/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.3.0 + 1.3.1-SNAPSHOT dependency-check-cli diff --git a/dependency-check-core/pom.xml b/dependency-check-core/pom.xml index 9086dfde3..21ffa0c6c 100644 --- a/dependency-check-core/pom.xml +++ b/dependency-check-core/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.3.0 + 1.3.1-SNAPSHOT dependency-check-core diff --git a/dependency-check-gradle/pom.xml b/dependency-check-gradle/pom.xml index e6c206b24..8bfaa9197 100644 --- a/dependency-check-gradle/pom.xml +++ b/dependency-check-gradle/pom.xml @@ -22,11 +22,11 @@ Copyright (c) 2015 Wei Ma. All Rights Reserved. org.owasp dependency-check-parent - 1.3.0 + 1.3.1-SNAPSHOT dependency-check-gradle - 0.0.5 + 0.0.6 pom diff --git a/dependency-check-jenkins/pom.xml b/dependency-check-jenkins/pom.xml index a3b420bbe..7816728b6 100644 --- a/dependency-check-jenkins/pom.xml +++ b/dependency-check-jenkins/pom.xml @@ -3,7 +3,7 @@ org.owasp dependency-check-parent - 1.3.0 + 1.3.1-SNAPSHOT dependency-check-jenkins Dependency-Check Jenkins Plugin diff --git a/dependency-check-maven/pom.xml b/dependency-check-maven/pom.xml index add74999c..c9de29a1f 100644 --- a/dependency-check-maven/pom.xml +++ b/dependency-check-maven/pom.xml @@ -22,7 +22,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.3.0 + 1.3.1-SNAPSHOT dependency-check-maven 
diff --git a/dependency-check-utils/pom.xml b/dependency-check-utils/pom.xml index cf5d49168..21ce57bdd 100644 --- a/dependency-check-utils/pom.xml +++ b/dependency-check-utils/pom.xml @@ -21,7 +21,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.3.0 + 1.3.1-SNAPSHOT dependency-check-utils diff --git a/pom.xml b/pom.xml index b433f9a36..2c712d053 100644 --- a/pom.xml +++ b/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long org.owasp dependency-check-parent - 1.3.0 + 1.3.1-SNAPSHOT pom From c856d01b524a240b5612b5e8163250ebce5ea2e5 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 9 Aug 2015 16:05:14 -0400 Subject: [PATCH 13/33] removed un-needed dependencies --- dependency-check-core/pom.xml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/dependency-check-core/pom.xml b/dependency-check-core/pom.xml index 21ffa0c6c..4276d35e9 100644 --- a/dependency-check-core/pom.xml +++ b/dependency-check-core/pom.xml @@ -123,6 +123,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. test-jar + + + **/*.class + + From 7eb2c89f3935a3b7066d46547101f75b9301bd7c Mon Sep 17 00:00:00 2001 
From: Dale Visser Date: Sun, 9 Aug 2015 14:34:24 -0400 Subject: [PATCH 14/33] rugygems: Added gemspec test resources, test cases, and minimal code to run tests and have evidence gathering test fail. --- .../analyzer/RubyGemspecAnalyzer.java | 117 ++++++++++++++++++ .../analyzer/RubyGemspecAnalyzerTest.java | 103 +++++++++++++++ .../specifications/mime-types-2.6.1.gemspec | 72 +++++++++++ .../gems/specifications/netrc-0.10.3.gemspec | 32 +++++ .../specifications/rest-client-1.7.2.gemspec | 54 ++++++++ .../owasp/dependencycheck/utils/Settings.java | 4 + 6 files changed, 382 insertions(+) create mode 100644 dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java create mode 100644 dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java create mode 100644 dependency-check-core/src/test/resources/ruby/gems/specifications/mime-types-2.6.1.gemspec create mode 100644 dependency-check-core/src/test/resources/ruby/gems/specifications/netrc-0.10.3.gemspec create mode 100644 dependency-check-core/src/test/resources/ruby/gems/specifications/rest-client-1.7.2.gemspec diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java new file mode 100644 index 000000000..8cca141f5 --- /dev/null +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java 
@@ -0,0 +1,117 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved. + */ +package org.owasp.dependencycheck.analyzer; + +import org.apache.commons.io.FileUtils; +import org.owasp.dependencycheck.Engine; +import org.owasp.dependencycheck.analyzer.exception.AnalysisException; +import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.utils.FileFilterBuilder; +import org.owasp.dependencycheck.utils.Settings; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.File; +import java.io.FileFilter; +import java.io.IOException; + +/** + * Used to analyze Node Package Manager (npm) package.json files, and collect information that can be used to determine + * the associated CPE. + * + * @author Dale Visser + */ +public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { + + /** + * The logger. + */ + private static final Logger LOGGER = LoggerFactory.getLogger(RubyGemspecAnalyzer.class); + + /** + * The name of the analyzer. + */ + private static final String ANALYZER_NAME = "Ruby Gemspec Analyzer"; + + /** + * The phase that this analyzer is intended to run in. 
+ */ + private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION; + + private static final FileFilter FILTER = + FileFilterBuilder.newInstance().addExtensions("gemspec").addFilenames("Rakefile").build(); + + /** + * Returns the FileFilter + * + * @return the FileFilter + */ + @Override + protected FileFilter getFileFilter() { + return FILTER; + } + + @Override + protected void initializeFileTypeAnalyzer() throws Exception { + // NO-OP + } + + /** + * Returns the name of the analyzer. + * + * @return the name of the analyzer. + */ + @Override + public String getName() { + return ANALYZER_NAME; + } + + /** + * Returns the phase that the analyzer is intended to run in. + * + * @return the phase that the analyzer is intended to run in. + */ + @Override + public AnalysisPhase getAnalysisPhase() { + return ANALYSIS_PHASE; + } + + /** + * Returns the key used in the properties file to reference the analyzer's enabled property. + * + * @return the analyzer's enabled property setting key + */ + @Override + protected String getAnalyzerEnabledSettingKey() { + return Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED; + } + + @Override + protected void analyzeFileType(Dependency dependency, Engine engine) + throws AnalysisException { + final File file = dependency.getActualFile(); + String contents; + try { + contents = FileUtils.readFileToString(file).trim(); + } catch (IOException e) { + throw new AnalysisException( + "Problem occurred while reading dependency file.", e); + } + // TODO analyze contents + } +} diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java new file mode 100644 index 000000000..dd749f193 --- /dev/null +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java 
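Review bot: The class Javadoc says this analyzer handles Node Package Manager package.json files, which is copied from another analyzer; change it to `Used to analyze Ruby Gem specification (gemspec) files, and collect information that can be used to determine the associated CPE.` `analyzeFileType` calls `FileUtils.readFileToString(file)` with no charset, so the platform default encoding is used; the gemspec test resources in this patch declare `# -*- encoding: utf-8 -*-`, so `FileUtils.readFileToString(file, "UTF-8")` is the right call and keeps results identical across build machines. `contents` is then unused pending the TODO, and `FILTER` and `initializeFileTypeAnalyzer` have no Javadoc while every other member does.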
@@ -0,0 +1,103 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved. + */ +package org.owasp.dependencycheck.analyzer; + +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.owasp.dependencycheck.BaseTest; +import org.owasp.dependencycheck.analyzer.exception.AnalysisException; +import org.owasp.dependencycheck.dependency.Dependency; + +import java.io.File; + +import static org.hamcrest.CoreMatchers.containsString; +import static org.hamcrest.CoreMatchers.is; +import static org.junit.Assert.*; + +/** + * Unit tests for {@link RubyGemspecAnalyzer}. + * + * @author Dale Visser + */ +public class RubyGemspecAnalyzerTest extends BaseTest { + + /** + * The analyzer to test. + */ + RubyGemspecAnalyzer analyzer; + + /** + * Correctly setup the analyzer for testing. + * + * @throws Exception thrown if there is a problem + */ + @Before + public void setUp() throws Exception { + analyzer = new RubyGemspecAnalyzer(); + analyzer.setFilesMatched(true); + analyzer.initialize(); + } + + /** + * Cleanup the analyzer's temp files, etc. + * + * @throws Exception thrown if there is a problem + */ + @After + public void tearDown() throws Exception { + analyzer.close(); + analyzer = null; + } + + /** + * Test of getName method, of class PythonDistributionAnalyzer. 
+ */ + @Test + public void testGetName() { + assertThat(analyzer.getName(), is("Ruby Gemspec Analyzer")); + } + + /** + * Test of supportsExtension method, of class PythonDistributionAnalyzer. + */ + @Test + public void testSupportsFiles() { + assertThat(analyzer.accept(new File("test.gemspec")), is(true)); + assertThat(analyzer.accept(new File("Rakefile")), is(true)); + } + + /** + * Test of inspect method, of class PythonDistributionAnalyzer. + * + * @throws AnalysisException is thrown when an exception occurs. + */ + @Test + public void testAnalyzePackageJson() throws AnalysisException { + final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, + "ruby/gems/specifications/rest-client-1.7.2.gemspec")); + analyzer.analyze(result, null); + final String vendorString = result.getVendorEvidence().toString(); + assertThat(vendorString, containsString("REST Client Team")); + assertThat(vendorString, containsString("rest-client_project")); + assertThat(vendorString, containsString("rest.client@librelist.com")); + assertThat(vendorString, containsString("https://github.com/rest-client/rest-client")); + assertThat(result.getProductEvidence().toString(), containsString("rest-client")); + assertThat(result.getVersionEvidence().toString(), containsString("1.7.2")); + } +} diff --git a/dependency-check-core/src/test/resources/ruby/gems/specifications/mime-types-2.6.1.gemspec b/dependency-check-core/src/test/resources/ruby/gems/specifications/mime-types-2.6.1.gemspec new file mode 100644 index 000000000..1bea93f2f --- /dev/null +++ b/dependency-check-core/src/test/resources/ruby/gems/specifications/mime-types-2.6.1.gemspec 
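Review bot: The Javadoc on `testGetName`, `testSupportsFiles` and `testAnalyzePackageJson` refers to `PythonDistributionAnalyzer`, and the last test is named after package.json although it reads a gemspec; rename it `testAnalyzeGemspec` and make each comment read `Test of ... method, of class RubyGemspecAnalyzer.` The test passes `null` as the engine in `analyzer.analyze(result, null)`, which is fine for the current stub but will need revisiting once `analyzeFileType` is implemented, so a comment saying so would help. The commit message says the evidence-gathering test is expected to fail for now; stating that in the test Javadoc prevents a reader from mistaking it for a regression.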
@@ -0,0 +1,72 @@ +# -*- encoding: utf-8 -*- +# stub: mime-types 2.6.1 ruby lib + +Gem::Specification.new do |s| + s.name = "mime-types" + s.version = "2.6.1" + + s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version= + s.require_paths = ["lib"] + s.authors = ["Austin Ziegler"] + s.date = "2015-05-25" + s.description = "The mime-types library provides a library and registry for information about\nMIME content type definitions. It can be used to determine defined filename\nextensions for MIME types, or to use filename extensions to look up the likely\nMIME type definitions.\n\nMIME content types are used in MIME-compliant communications, as in e-mail or\nHTTP traffic, to indicate the type of content which is transmitted. The\nmime-types library provides the ability for detailed information about MIME\nentities (provided as an enumerable collection of MIME::Type objects) to be\ndetermined and used. There are many types defined by RFCs and vendors, so the\nlist is long but by definition incomplete; don't hesitate to add additional\ntype definitions. MIME type definitions found in mime-types are from RFCs, W3C\nrecommendations, the {IANA Media Types\nregistry}[https://www.iana.org/assignments/media-types/media-types.xhtml], and\nuser contributions. It conforms to RFCs 2045 and 2231.\n\nThis is release 2.6 with two new experimental features. The first new feature\nis a new default registry storage format that greatly reduces the initial\nmemory use of the mime-types library. This feature is enabled by requiring\n+mime/types/columnar+ instead of +mime/types+ with a small performance cost and\nno change in *total* memory use if certain methods are called (see {Columnar\nStore}[#columnar-store] for more details). The second new feature is a logger\ninterface that conforms to the expectations of an ActiveSupport::Logger so that\nwarnings can be written to an application's log rather than the default\nlocation for +warn+. 
This interface may be used for other logging purposes in\nthe future.\n\nmime-types 2.6 is the last planned version of mime-types 2.x, so deprecation\nwarnings are no longer cached but provided every time the method is called.\nmime-types 2.6 supports Ruby 1.9.2 or later." + s.email = ["halostatue@gmail.com"] + s.extra_rdoc_files = ["Contributing.rdoc", "History-Types.rdoc", "History.rdoc", "Licence.rdoc", "Manifest.txt", "README.rdoc", "docs/COPYING.txt", "docs/artistic.txt"] + s.files = ["Contributing.rdoc", "History-Types.rdoc", "History.rdoc", "Licence.rdoc", "Manifest.txt", "README.rdoc", "docs/COPYING.txt", "docs/artistic.txt"] + s.homepage = "https://github.com/mime-types/ruby-mime-types/" + s.licenses = ["MIT", "Artistic 2.0", "GPL-2"] + s.rdoc_options = ["--main", "README.rdoc"] + s.required_ruby_version = Gem::Requirement.new(">= 1.9.2") + s.rubygems_version = "2.2.2" + s.summary = "The mime-types library provides a library and registry for information about MIME content type definitions" + + s.installed_by_version = "2.2.2" if s.respond_to? :installed_by_version + + if s.respond_to? 
:specification_version then + s.specification_version = 4 + + if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then + s.add_development_dependency(%q, ["~> 5.6"]) + s.add_development_dependency(%q, ["~> 4.0"]) + s.add_development_dependency(%q, ["~> 1.0"]) + s.add_development_dependency(%q, ["~> 1.1"]) + s.add_development_dependency(%q, ["~> 1.6"]) + s.add_development_dependency(%q, ["~> 1.0"]) + s.add_development_dependency(%q, ["~> 1.2"]) + s.add_development_dependency(%q, ["~> 1.0"]) + s.add_development_dependency(%q, ["~> 1.0"]) + s.add_development_dependency(%q, ["~> 10.0"]) + s.add_development_dependency(%q, ["~> 0.7"]) + s.add_development_dependency(%q, ["~> 0.8"]) + s.add_development_dependency(%q, ["~> 3.13"]) + else + s.add_dependency(%q, ["~> 5.6"]) + s.add_dependency(%q, ["~> 4.0"]) + s.add_dependency(%q, ["~> 1.0"]) + s.add_dependency(%q, ["~> 1.1"]) + s.add_dependency(%q, ["~> 1.6"]) + s.add_dependency(%q, ["~> 1.0"]) + s.add_dependency(%q, ["~> 1.2"]) + s.add_dependency(%q, ["~> 1.0"]) + s.add_dependency(%q, ["~> 1.0"]) + s.add_dependency(%q, ["~> 10.0"]) + s.add_dependency(%q, ["~> 0.7"]) + s.add_dependency(%q, ["~> 0.8"]) + s.add_dependency(%q, ["~> 3.13"]) + end + else + s.add_dependency(%q, ["~> 5.6"]) + s.add_dependency(%q, ["~> 4.0"]) + s.add_dependency(%q, ["~> 1.0"]) + s.add_dependency(%q, ["~> 1.1"]) + s.add_dependency(%q, ["~> 1.6"]) + s.add_dependency(%q, ["~> 1.0"]) + s.add_dependency(%q, ["~> 1.2"]) + s.add_dependency(%q, ["~> 1.0"]) + s.add_dependency(%q, ["~> 1.0"]) + s.add_dependency(%q, ["~> 10.0"]) + s.add_dependency(%q, ["~> 0.7"]) + s.add_dependency(%q, ["~> 0.8"]) + s.add_dependency(%q, ["~> 3.13"]) + end +end diff --git a/dependency-check-core/src/test/resources/ruby/gems/specifications/netrc-0.10.3.gemspec b/dependency-check-core/src/test/resources/ruby/gems/specifications/netrc-0.10.3.gemspec new file mode 100644 index 000000000..f93212cf0 --- /dev/null 
+++ b/dependency-check-core/src/test/resources/ruby/gems/specifications/netrc-0.10.3.gemspec @@ -0,0 +1,32 @@ +# -*- encoding: utf-8 -*- +# stub: netrc 0.10.3 ruby lib + +Gem::Specification.new do |s| + s.name = "netrc" + s.version = "0.10.3" + + s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version= + s.require_paths = ["lib"] + s.authors = ["Keith Rarick", "geemus (Wesley Beary)"] + s.date = "2015-02-24" + s.description = "This library can read and update netrc files, preserving formatting including comments and whitespace." + s.email = "geemus@gmail.com" + s.homepage = "https://github.com/geemus/netrc" + s.licenses = ["MIT"] + s.rubygems_version = "2.2.2" + s.summary = "Library to read and write netrc files." + + s.installed_by_version = "2.2.2" if s.respond_to? :installed_by_version + + if s.respond_to? :specification_version then + s.specification_version = 4 + + if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then + s.add_development_dependency(%q, [">= 0"]) + else + s.add_dependency(%q, [">= 0"]) + end + else + s.add_dependency(%q, [">= 0"]) + end +end diff --git a/dependency-check-core/src/test/resources/ruby/gems/specifications/rest-client-1.7.2.gemspec b/dependency-check-core/src/test/resources/ruby/gems/specifications/rest-client-1.7.2.gemspec new file mode 100644 index 000000000..b5939feac --- /dev/null +++ b/dependency-check-core/src/test/resources/ruby/gems/specifications/rest-client-1.7.2.gemspec 
@@ -0,0 +1,54 @@ +# -*- encoding: utf-8 -*- +# stub: rest-client 1.7.2 ruby lib + +Gem::Specification.new do |s| + s.name = "rest-client" + s.version = "1.7.2" + + s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version= + s.require_paths = ["lib"] + s.authors = ["REST Client Team"] + s.date = "2014-07-14" + s.description = "A simple HTTP and REST client for Ruby, inspired by the Sinatra microframework style of specifying actions: get, put, post, delete." + s.email = "rest.client@librelist.com" + s.executables = ["restclient"] + s.extra_rdoc_files = ["README.rdoc", "history.md"] + s.files = ["README.rdoc", "bin/restclient", "history.md"] + s.homepage = "https://github.com/rest-client/rest-client" + s.licenses = ["MIT"] + s.required_ruby_version = Gem::Requirement.new(">= 1.9.2") + s.rubygems_version = "2.2.2" + s.summary = "Simple HTTP and REST client for Ruby, inspired by microframework syntax for specifying actions." + + s.installed_by_version = "2.2.2" if s.respond_to? :installed_by_version + + if s.respond_to? 
:specification_version then + s.specification_version = 3 + + if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then + s.add_development_dependency(%q, ["~> 1.4"]) + s.add_development_dependency(%q, ["~> 2.4"]) + s.add_development_dependency(%q, [">= 0"]) + s.add_development_dependency(%q, [">= 0"]) + s.add_development_dependency(%q, ["< 5.0", ">= 2.4.2"]) + s.add_runtime_dependency(%q, ["< 3.0", ">= 1.16"]) + s.add_runtime_dependency(%q, ["~> 0.7"]) + else + s.add_dependency(%q, ["~> 1.4"]) + s.add_dependency(%q, ["~> 2.4"]) + s.add_dependency(%q, [">= 0"]) + s.add_dependency(%q, [">= 0"]) + s.add_dependency(%q, ["< 5.0", ">= 2.4.2"]) + s.add_dependency(%q, ["< 3.0", ">= 1.16"]) + s.add_dependency(%q, ["~> 0.7"]) + end + else + s.add_dependency(%q, ["~> 1.4"]) + s.add_dependency(%q, ["~> 2.4"]) + s.add_dependency(%q, [">= 0"]) + s.add_dependency(%q, [">= 0"]) + s.add_dependency(%q, ["< 5.0", ">= 2.4.2"]) + s.add_dependency(%q, ["< 3.0", ">= 1.16"]) + s.add_dependency(%q, ["~> 0.7"]) + end +end diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java index 7cb006aeb..482e19753 100644 --- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java +++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java @@ -194,6 +194,10 @@ public final class Settings { * The properties key for whether the Python Package analyzer is enabled. */ public static final String ANALYZER_PYTHON_PACKAGE_ENABLED = "analyzer.python.package.enabled"; + /** + * The properties key for whether the Ruby Gemspec Analyzer is enabled. + */ + public static final String ANALYZER_RUBY_GEMSPEC_ENABLED = "analyzer.ruby.gemspec.enabled"; /** * The properties key for whether the Autoconf analyzer is enabled. */ From c0752575c6a9840fb0149f54f64432c5ef36a0c1 Mon Sep 17 00:00:00 2001 
From: Dale Visser Date: Sun, 9 Aug 2015 18:57:52 -0400 Subject: [PATCH 15/33] rubygems: All evidence assertions now passing. --- .../analyzer/RubyGemspecAnalyzer.java | 89 +++++++++++++++++-- 1 file changed, 81 insertions(+), 8 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java index 8cca141f5..27499a1e0 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java @@ -20,15 +20,17 @@ package org.owasp.dependencycheck.analyzer; import org.apache.commons.io.FileUtils; import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; +import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.dependency.EvidenceCollection; import org.owasp.dependencycheck.utils.FileFilterBuilder; import org.owasp.dependencycheck.utils.Settings; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import java.io.File; import java.io.FileFilter; import java.io.IOException; +import java.util.regex.Matcher; +import java.util.regex.Pattern; /** * Used to analyze Node Package Manager (npm) package.json files, and collect information that can be used to determine @@ -38,11 +40,6 @@ import java.io.IOException; */ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { - /** - * The logger. - */ - private static final Logger LOGGER = LoggerFactory.getLogger(RubyGemspecAnalyzer.class); - /** * The name of the analyzer. */ 
@@ -55,6 +52,12 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions("gemspec").addFilenames("Rakefile").build(); + public static final String AUTHORS = "authors"; + public static final String NAME = "name"; + public static final String EMAIL = "email"; + public static final String HOMEPAGE = "homepage"; + public static final String GEMSPEC = "gemspec"; + private static final String VERSION = "version"; /** * Returns the FileFilter 
@@ -101,6 +104,41 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
 return Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED;
 }
 
+ /**
+ * Used when compiling file scanning regex patterns.
+ */
+ private static final int REGEX_OPTIONS = Pattern.DOTALL | Pattern.CASE_INSENSITIVE;
+
+ /**
+ * The capture group #1 is the block variable.
+ */
+ private static final Pattern GEMSPEC_BLOCK_INIT =
+ Pattern.compile("Gem::Specification\\.new\\s+?do\\s+?\\|(.+?)\\|");
+
+ /**
+ * Utility function to create a regex pattern matcher. Group 1 captures the choice of quote character.
+ * Group 2 captures the string literal.
+ *
+ * @param blockVariable the gemspec block variable (usually 's')
+ * @param field the gemspec field name to capture
+ * @return the compiled Pattern
+ */
+ private static Pattern compileStringAssignPattern(String blockVariable, String field) {
+ return Pattern.compile(String.format("\\s+?%s\\.%s\\s*?=\\s*?(['\"])(.*?)\\1", blockVariable, field));
+ }
+
+ /**
+ * Utility function to create a regex pattern matcher. Group 1 captures the list literal.
+ *
+ * @param blockVariable the gemspec block variable (usually 's')
+ * @param field the gemspec field name to capture
+ */
+ private static Pattern compileListAssignPattern(String blockVariable, String field) {
+ return Pattern.compile(
+ String.format("\\s+?%s\\.%s\\s*?=\\s*?\\[(.*?)\\]", blockVariable, field),
+ REGEX_OPTIONS);
+ }
+
 @Override
 protected void analyzeFileType(Dependency dependency, Engine engine)
 throws AnalysisException {
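Review bot: Both helpers interpolate `blockVariable` into a regular expression through `String.format` with no `Pattern.quote`, and that value is whatever `GEMSPEC_BLOCK_INIT` captured between the pipes of a file the scanner did not write; a gemspec whose block variable contains a regex metacharacter makes `Pattern.compile` throw an unchecked `PatternSyntaxException` out of `analyzeFileType`, and an unusual value can also yield a pattern that performs far worse than the intended literal match over the whole file. Quote it at both call sites, `String.format(..., Pattern.quote(blockVariable), field)`, or tighten the capture in `GEMSPEC_BLOCK_INIT` to `\\|(\\w+)\\|` so only an identifier can reach the format string. The same unquoted interpolation is carried into `addListEvidence`/`addStringEvidence` in the later hunks of this series (PATCH 16 and PATCH 18), so fixing it once at the capture is the smallest change. The Javadoc of `compileListAssignPattern` is also missing its `@return` tag.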
@@ -112,6 +150,41 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { throw new AnalysisException( "Problem occurred while reading dependency file.", e); } - // TODO analyze contents + Matcher matcher = GEMSPEC_BLOCK_INIT.matcher(contents); + if (matcher.find()){ + final int startAt = matcher.end(); + final String blockVariable = matcher.group(1); + final EvidenceCollection vendorEvidence = dependency.getVendorEvidence(); + matcher = compileListAssignPattern(blockVariable, AUTHORS).matcher(contents); + if (matcher.find(startAt)) { + final String authors = matcher.group(1).replaceAll("['\"]", " ").trim(); + vendorEvidence.addEvidence(GEMSPEC, AUTHORS, authors, Confidence.HIGHEST); + } + matcher = compileStringAssignPattern(blockVariable, NAME).matcher(contents); + if (matcher.find(startAt)) { + final String name = matcher.group(2); + dependency.getProductEvidence().addEvidence(GEMSPEC, NAME, name, Confidence.HIGHEST); + vendorEvidence.addEvidence(GEMSPEC, "name_project", name + "_project", Confidence.LOW); + } + matcher = compileStringAssignPattern(blockVariable, EMAIL).matcher(contents); + if (matcher.find(startAt)) { + final String email = matcher.group(2); + vendorEvidence.addEvidence(GEMSPEC, EMAIL, email, Confidence.MEDIUM); + } else { + matcher = compileListAssignPattern(blockVariable, EMAIL).matcher(contents); + final String email = matcher.group(1).replaceAll("['\"]", " ").trim(); + vendorEvidence.addEvidence(GEMSPEC, EMAIL, email, Confidence.MEDIUM); + } + matcher = compileStringAssignPattern(blockVariable, HOMEPAGE).matcher(contents); + if (matcher.find(startAt)){ + final String homepage = matcher.group(2); + vendorEvidence.addEvidence(GEMSPEC, HOMEPAGE, homepage, Confidence.MEDIUM); + } + matcher = compileStringAssignPattern(blockVariable, VERSION).matcher(contents); + if (matcher.find(startAt)){ + final String version = matcher.group(2); + dependency.getVersionEvidence().addEvidence(GEMSPEC, VERSION, version, Confidence.HIGHEST); + } + 
} } } From e7f154b58dd0cc204e8aaf46ebc6f7b3ff1c95b0 Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Sun, 9 Aug 2015 19:34:30 -0400 Subject: [PATCH 16/33] rubygems: Various refactoring improvements. --- .../analyzer/RubyGemspecAnalyzer.java | 100 +++++++----------- 1 file changed, 38 insertions(+), 62 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java index 27499a1e0..e85677cd5 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java @@ -52,11 +52,11 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions("gemspec").addFilenames("Rakefile").build(); - public static final String AUTHORS = "authors"; - public static final String NAME = "name"; - public static final String EMAIL = "email"; - public static final String HOMEPAGE = "homepage"; - public static final String GEMSPEC = "gemspec"; + private static final String AUTHORS = "authors"; + private static final String NAME = "name"; + private static final String EMAIL = "email"; + private static final String HOMEPAGE = "homepage"; + private static final String GEMSPEC = "gemspec"; private static final String VERSION = "version"; /** 
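Review bot: In the `else` branch for `EMAIL`, `matcher.group(1)` is called on the freshly created list-pattern matcher without a preceding `find()`, so any gemspec whose email is absent or not a single quoted string throws `IllegalStateException: No match found` out of `analyzeFileType` instead of simply yielding no email evidence; guard it like the other branches, `if (matcher.find()) { ... }`. The `if (matcher.find()){` on the block-init line also lacks the space before the brace that the rest of the method uses. analyzeFileType's opening lines (the file read) are outside the hunk.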
@@ -104,41 +104,12 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
 return Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED;
 }
 
- /**
- * Used when compiling file scanning regex patterns.
- */
- private static final int REGEX_OPTIONS = Pattern.DOTALL | Pattern.CASE_INSENSITIVE;
-
 /**
 * The capture group #1 is the block variable.
 */
 private static final Pattern GEMSPEC_BLOCK_INIT =
 Pattern.compile("Gem::Specification\\.new\\s+?do\\s+?\\|(.+?)\\|");
 
- /**
- * Utility function to create a regex pattern matcher. Group 1 captures the choice of quote character.
- * Group 2 captures the string literal.
- *
- * @param blockVariable the gemspec block variable (usually 's')
- * @param field the gemspec field name to capture
- * @return the compiled Pattern
- */
- private static Pattern compileStringAssignPattern(String blockVariable, String field) {
- return Pattern.compile(String.format("\\s+?%s\\.%s\\s*?=\\s*?(['\"])(.*?)\\1", blockVariable, field));
- }
-
- /**
- * Utility function to create a regex pattern matcher. Group 1 captures the list literal.
- *
- * @param blockVariable the gemspec block variable (usually 's')
- * @param field the gemspec field name to capture
- */
- private static Pattern compileListAssignPattern(String blockVariable, String field) {
- return Pattern.compile(
- String.format("\\s+?%s\\.%s\\s*?=\\s*?\\[(.*?)\\]", blockVariable, field),
- REGEX_OPTIONS);
- }
-
 @Override
 protected void analyzeFileType(Dependency dependency, Engine engine)
 throws AnalysisException {
@@ -152,39 +123,44 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { } Matcher matcher = GEMSPEC_BLOCK_INIT.matcher(contents); if (matcher.find()){ - final int startAt = matcher.end(); + final int blockStart = matcher.end(); final String blockVariable = matcher.group(1); final EvidenceCollection vendorEvidence = dependency.getVendorEvidence(); - matcher = compileListAssignPattern(blockVariable, AUTHORS).matcher(contents); - if (matcher.find(startAt)) { - final String authors = matcher.group(1).replaceAll("['\"]", " ").trim(); - vendorEvidence.addEvidence(GEMSPEC, AUTHORS, authors, Confidence.HIGHEST); - } - matcher = compileStringAssignPattern(blockVariable, NAME).matcher(contents); - if (matcher.find(startAt)) { - final String name = matcher.group(2); - dependency.getProductEvidence().addEvidence(GEMSPEC, NAME, name, Confidence.HIGHEST); + addListEvidence(vendorEvidence, contents, blockStart, blockVariable, AUTHORS, Confidence.HIGHEST); + String name = addStringEvidence( + dependency.getProductEvidence(), contents, blockStart, blockVariable, NAME, Confidence.HIGHEST); + if (!name.isEmpty()) { vendorEvidence.addEvidence(GEMSPEC, "name_project", name + "_project", Confidence.LOW); } - matcher = compileStringAssignPattern(blockVariable, EMAIL).matcher(contents); - if (matcher.find(startAt)) { - final String email = matcher.group(2); - vendorEvidence.addEvidence(GEMSPEC, EMAIL, email, Confidence.MEDIUM); - } else { - matcher = compileListAssignPattern(blockVariable, EMAIL).matcher(contents); - final String email = matcher.group(1).replaceAll("['\"]", " ").trim(); - vendorEvidence.addEvidence(GEMSPEC, EMAIL, email, Confidence.MEDIUM); - } - matcher = compileStringAssignPattern(blockVariable, HOMEPAGE).matcher(contents); - if (matcher.find(startAt)){ - final String homepage = matcher.group(2); - vendorEvidence.addEvidence(GEMSPEC, HOMEPAGE, homepage, Confidence.MEDIUM); - } - matcher = compileStringAssignPattern(blockVariable, 
VERSION).matcher(contents); - if (matcher.find(startAt)){ - final String version = matcher.group(2); - dependency.getVersionEvidence().addEvidence(GEMSPEC, VERSION, version, Confidence.HIGHEST); + String email = addStringEvidence(vendorEvidence, contents, blockStart, blockVariable, EMAIL, Confidence.MEDIUM); + if (email.isEmpty()) { + addListEvidence(vendorEvidence, contents, blockStart, blockVariable, EMAIL, Confidence.MEDIUM); } + addStringEvidence(vendorEvidence, contents, blockStart, blockVariable, HOMEPAGE, Confidence.MEDIUM); + addStringEvidence( + dependency.getVersionEvidence(), contents, blockStart, blockVariable, VERSION, Confidence.HIGHEST); } } + + private void addListEvidence(EvidenceCollection vendorEvidence, String contents, int blockStart, + String blockVariable, String field, Confidence confidence) { + final Matcher matcher = Pattern.compile( + String.format("\\s+?%s\\.%s\\s*?=\\s*?\\[(.*?)\\]", blockVariable, field)).matcher(contents); + if (matcher.find(blockStart)) { + final String value = matcher.group(1).replaceAll("['\"]", " ").trim(); + vendorEvidence.addEvidence(GEMSPEC, field, value, confidence); + } + } + + private String addStringEvidence(EvidenceCollection collection, String contents, int blockStart, + String blockVariable, String field, Confidence confidence) { + final Matcher matcher = Pattern.compile( + String.format("\\s+?%s\\.%s\\s*?=\\s*?(['\"])(.*?)\\1", blockVariable, field)).matcher(contents); + String value = ""; + if (matcher.find(blockStart)){ + value = matcher.group(2); + collection.addEvidence(GEMSPEC, field, value, confidence); + } + return value; + } } From 5c02b4dccbac15e0267b17a1977d9868ea43f2fd Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Sun, 9 Aug 2015 19:48:05 -0400 Subject: [PATCH 17/33] rubygems: Added new analyzer to META-INF/services. Confirmed correlation with CPE in CLI. --- .../services/org.owasp.dependencycheck.analyzer.Analyzer | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
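Review bot: `addListEvidence` recompiles the list pattern without the `Pattern.DOTALL` flag that the removed `REGEX_OPTIONS` constant carried, so `.*?` inside `\\[(.*?)\\]` now stops at a newline and an `authors` or `email` array written across several lines is silently skipped rather than recorded; pass the flag explicitly, `Pattern.compile(String.format(...), Pattern.DOTALL).matcher(contents)`. The commit message describes this as refactoring, so the flag drop looks unintended; the dropped `CASE_INSENSITIVE` is likely harmless since the field names in the sample gemspecs are lowercase. The same flag-less compile is carried into the PATCH 18 version of the helper. The Javadoc for both new private helpers is missing entirely, and the `vendorEvidence` parameter name of `addListEvidence` no longer matches its generic role.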
diff --git a/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer b/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer index 84d9863df..659c104b5 100644 --- a/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer +++ b/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer @@ -16,4 +16,5 @@ org.owasp.dependencycheck.analyzer.PythonDistributionAnalyzer org.owasp.dependencycheck.analyzer.PythonPackageAnalyzer org.owasp.dependencycheck.analyzer.AutoconfAnalyzer org.owasp.dependencycheck.analyzer.OpenSSLAnalyzer -org.owasp.dependencycheck.analyzer.CMakeAnalyzer \ No newline at end of file +org.owasp.dependencycheck.analyzer.CMakeAnalyzer +org.owasp.dependencycheck.analyzer.RubyGemspecAnalyzer \ No newline at end of file From 2d109b81cff2bcba61557a7059507caf04720094 Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Tue, 11 Aug 2015 13:13:50 -0400 Subject: [PATCH 18/33] rubygems: Used substring(int) to remove the need for Matcher.find(int). Also fixed javadoc, made some variables final, shortened a variable name. --- .../analyzer/RubyGemspecAnalyzer.java | 43 +++++++++---------- 1 file changed, 20 insertions(+), 23 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java index e85677cd5..a7e0089ad 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java 
@@ -33,8 +33,8 @@ import java.util.regex.Matcher; import java.util.regex.Pattern; /** - * Used to analyze Node Package Manager (npm) package.json files, and collect information that can be used to determine - * the associated CPE. + * Used to analyze Ruby Gem specifications and collect information that can be used to determine the associated CPE. + * Regular expressions are used to parse the well-defined Ruby syntax that forms the specification. * * @author Dale Visser */ @@ -52,6 +52,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions("gemspec").addFilenames("Rakefile").build(); + private static final String AUTHORS = "authors"; private static final String NAME = "name"; private static final String EMAIL = "email"; @@ -60,9 +61,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { private static final String VERSION = "version"; /** - * Returns the FileFilter - * - * @return the FileFilter + * @return a filter that accepts files named Rakefile or matching the glob pattern, *.gemspec */ @Override protected FileFilter getFileFilter() { 
@@ -113,51 +112,49 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { @Override protected void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException { - final File file = dependency.getActualFile(); String contents; try { - contents = FileUtils.readFileToString(file).trim(); + contents = FileUtils.readFileToString(dependency.getActualFile()); } catch (IOException e) { throw new AnalysisException( "Problem occurred while reading dependency file.", e); } - Matcher matcher = GEMSPEC_BLOCK_INIT.matcher(contents); + final Matcher matcher = GEMSPEC_BLOCK_INIT.matcher(contents); if (matcher.find()){ - final int blockStart = matcher.end(); + contents = contents.substring(matcher.end()); final String blockVariable = matcher.group(1); - final EvidenceCollection vendorEvidence = dependency.getVendorEvidence(); - addListEvidence(vendorEvidence, contents, blockStart, blockVariable, AUTHORS, Confidence.HIGHEST); - String name = addStringEvidence( - dependency.getProductEvidence(), contents, blockStart, blockVariable, NAME, Confidence.HIGHEST); + final EvidenceCollection vendor = dependency.getVendorEvidence(); + addListEvidence(vendor, contents, blockVariable, AUTHORS, Confidence.HIGHEST); + final String name = addStringEvidence( + dependency.getProductEvidence(), contents, blockVariable, NAME, Confidence.HIGHEST); if (!name.isEmpty()) { - vendorEvidence.addEvidence(GEMSPEC, "name_project", name + "_project", Confidence.LOW); + vendor.addEvidence(GEMSPEC, "name_project", name + "_project", Confidence.LOW); } - String email = addStringEvidence(vendorEvidence, contents, blockStart, blockVariable, EMAIL, Confidence.MEDIUM); + final String email = addStringEvidence(vendor, contents, blockVariable, EMAIL, Confidence.MEDIUM); if (email.isEmpty()) { - addListEvidence(vendorEvidence, contents, blockStart, blockVariable, EMAIL, Confidence.MEDIUM); + addListEvidence(vendor, contents, blockVariable, EMAIL, Confidence.MEDIUM); } - 
addStringEvidence(vendorEvidence, contents, blockStart, blockVariable, HOMEPAGE, Confidence.MEDIUM); - addStringEvidence( - dependency.getVersionEvidence(), contents, blockStart, blockVariable, VERSION, Confidence.HIGHEST); + addStringEvidence(vendor, contents, blockVariable, HOMEPAGE, Confidence.MEDIUM); + addStringEvidence(dependency.getVersionEvidence(), contents, blockVariable, VERSION, Confidence.HIGHEST); } } - private void addListEvidence(EvidenceCollection vendorEvidence, String contents, int blockStart, + private void addListEvidence(EvidenceCollection vendorEvidence, String contents, String blockVariable, String field, Confidence confidence) { final Matcher matcher = Pattern.compile( String.format("\\s+?%s\\.%s\\s*?=\\s*?\\[(.*?)\\]", blockVariable, field)).matcher(contents); - if (matcher.find(blockStart)) { + if (matcher.find()) { final String value = matcher.group(1).replaceAll("['\"]", " ").trim(); vendorEvidence.addEvidence(GEMSPEC, field, value, confidence); } } - private String addStringEvidence(EvidenceCollection collection, String contents, int blockStart, + private String addStringEvidence(EvidenceCollection collection, String contents, String blockVariable, String field, Confidence confidence) { final Matcher matcher = Pattern.compile( String.format("\\s+?%s\\.%s\\s*?=\\s*?(['\"])(.*?)\\1", blockVariable, field)).matcher(contents); String value = ""; - if (matcher.find(blockStart)){ + if (matcher.find()){ value = matcher.group(2); collection.addEvidence(GEMSPEC, field, value, confidence); } From 89166e81fbd92840434936d02bfb9290ca9182a0 Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Tue, 11 Aug 2015 13:48:30 -0400 Subject: [PATCH 19/33] rubygems: Add summary to evidence, inline constants that were only being used once. --- .../analyzer/RubyGemspecAnalyzer.java | 23 ++++++++----------- 1 file changed, 10 insertions(+), 13 deletions(-) 
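Review bot: `FileUtils.readFileToString(dependency.getActualFile())` on the new side reads the gemspec in the JVM's default charset, while the test resources added earlier in this series declare `# -*- encoding: utf-8 -*-`; an author name with non-ASCII characters therefore becomes mojibake vendor evidence on a platform whose default is not UTF-8, which in turn weakens CPE correlation. Use the two-argument overload, `contents = FileUtils.readFileToString(dependency.getActualFile(), "UTF-8");`. The tail of `addStringEvidence` (`return value; }`) lies outside the hunk.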
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java index a7e0089ad..f657ab393 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java @@ -26,7 +26,6 @@ import org.owasp.dependencycheck.dependency.EvidenceCollection; import org.owasp.dependencycheck.utils.FileFilterBuilder; import org.owasp.dependencycheck.utils.Settings; -import java.io.File; import java.io.FileFilter; import java.io.IOException; import java.util.regex.Matcher; @@ -53,12 +52,8 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions("gemspec").addFilenames("Rakefile").build(); - private static final String AUTHORS = "authors"; - private static final String NAME = "name"; private static final String EMAIL = "email"; - private static final String HOMEPAGE = "homepage"; private static final String GEMSPEC = "gemspec"; - private static final String VERSION = "version"; /** * @return a filter that accepts files named Rakefile or matching the glob pattern, *.gemspec 
@@ -124,18 +119,20 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { contents = contents.substring(matcher.end()); final String blockVariable = matcher.group(1); final EvidenceCollection vendor = dependency.getVendorEvidence(); - addListEvidence(vendor, contents, blockVariable, AUTHORS, Confidence.HIGHEST); - final String name = addStringEvidence( - dependency.getProductEvidence(), contents, blockVariable, NAME, Confidence.HIGHEST); - if (!name.isEmpty()) { - vendor.addEvidence(GEMSPEC, "name_project", name + "_project", Confidence.LOW); - } + addStringEvidence(vendor, contents, blockVariable, "author", Confidence.HIGHEST); + addListEvidence(vendor, contents, blockVariable, "authors", Confidence.HIGHEST); final String email = addStringEvidence(vendor, contents, blockVariable, EMAIL, Confidence.MEDIUM); if (email.isEmpty()) { addListEvidence(vendor, contents, blockVariable, EMAIL, Confidence.MEDIUM); } - addStringEvidence(vendor, contents, blockVariable, HOMEPAGE, Confidence.MEDIUM); - addStringEvidence(dependency.getVersionEvidence(), contents, blockVariable, VERSION, Confidence.HIGHEST); + addStringEvidence(vendor, contents, blockVariable, "homepage", Confidence.MEDIUM); + final EvidenceCollection product = dependency.getProductEvidence(); + final String name = addStringEvidence(product, contents, blockVariable, "name", Confidence.HIGHEST); + if (!name.isEmpty()) { + vendor.addEvidence(GEMSPEC, "name_project", name + "_project", Confidence.LOW); + } + addStringEvidence(product, contents, blockVariable, "summary", Confidence.LOW); + addStringEvidence(dependency.getVersionEvidence(), contents, blockVariable, "version", Confidence.HIGHEST); } } From 235869fc79789ec784bf33880e969ea2e203559b Mon Sep 17 00:00:00 2001 
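Review bot: The field names passed to addStringEvidence/addListEvidence are now bare literals ("author", "authors", "homepage", "name", "summary", "version") while EMAIL stays a constant because it is used twice, which leaves a reader guessing why one name looks different; a short comment, or simply inlining EMAIL as well, would make the block uniform. Each literal does double duty — it is both the gemspec attribute the regex searches for and the evidence name recorded under GEMSPEC — so a one-line comment above the first call, e.g. `// each field name is both the gemspec attribute parsed and the evidence key recorded`, would make that contract explicit. The new summary line feeds free-form prose into product evidence; a why-comment such as `// summary is free text, hence LOW confidence` would explain the chosen confidence. The enclosing method starts outside this hunk.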
From: Dale Visser Date: Tue, 11 Aug 2015 13:56:01 -0400 Subject: [PATCH 20/33] rubygems: Reformat and consisitent parameter naming in private methods. --- .../analyzer/RubyGemspecAnalyzer.java | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java index f657ab393..5112912e7 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java @@ -115,7 +115,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { "Problem occurred while reading dependency file.", e); } final Matcher matcher = GEMSPEC_BLOCK_INIT.matcher(contents); - if (matcher.find()){ + if (matcher.find()) { contents = contents.substring(matcher.end()); final String blockVariable = matcher.group(1); final EvidenceCollection vendor = dependency.getVendorEvidence(); 
@@ -136,24 +136,24 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer { } } - private void addListEvidence(EvidenceCollection vendorEvidence, String contents, + private void addListEvidence(EvidenceCollection evidences, String contents, String blockVariable, String field, Confidence confidence) { final Matcher matcher = Pattern.compile( String.format("\\s+?%s\\.%s\\s*?=\\s*?\\[(.*?)\\]", blockVariable, field)).matcher(contents); if (matcher.find()) { final String value = matcher.group(1).replaceAll("['\"]", " ").trim(); - vendorEvidence.addEvidence(GEMSPEC, field, value, confidence); + evidences.addEvidence(GEMSPEC, field, value, confidence); } } - private String addStringEvidence(EvidenceCollection collection, String contents, + private String addStringEvidence(EvidenceCollection evidences, String contents, String blockVariable, String field, Confidence confidence) { final Matcher matcher = Pattern.compile( String.format("\\s+?%s\\.%s\\s*?=\\s*?(['\"])(.*?)\\1", blockVariable, field)).matcher(contents); String value = ""; - if (matcher.find()){ + if (matcher.find()) { value = matcher.group(2); - collection.addEvidence(GEMSPEC, field, value, confidence); + evidences.addEvidence(GEMSPEC, field, value, confidence); } return value; } From 88569cb36999b8e5e4ef1fb98f818839167527de Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Tue, 11 Aug 2015 14:23:49 -0400 Subject: [PATCH 21/33] rubygems: Finished command-line interface integration. --- .../main/java/org/owasp/dependencycheck/App.java | 1 + .../java/org/owasp/dependencycheck/CliParser.java | 15 +++++++++++++++ .../src/site/markdown/arguments.md | 1 + 3 files changed, 17 insertions(+) diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java index ff6dfd27d..648c32cd3 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java 
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java @@ -325,6 +325,7 @@ public class App { Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, !nuspecDisabled); Settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, !assemblyDisabled); Settings.setBoolean(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, !cli.isOpenSSLDisabled()); + Settings.setBoolean(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, !cli.isRubyGemspecDisabled()); Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, !centralDisabled); Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, !nexusDisabled); diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java index 4f903eede..7101fa389 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java @@ -416,6 +416,8 @@ public final class CliParser { .addOption(disablePythonDistributionAnalyzer) .addOption(disableCmakeAnalyzer) .addOption(disablePythonPackageAnalyzer) + .addOption(OptionBuilder.withLongOpt(ARGUMENT.DISABLE_RUBYGEMS) + .withDescription("Disable the Ruby Gemspec Analyzer.").create()) .addOption(disableAutoconfAnalyzer) .addOption(disableOpenSSLAnalyzer) .addOption(disableNuspecAnalyzer) @@ -543,6 +545,15 @@ public final class CliParser { return (line != null) && line.hasOption(ARGUMENT.DISABLE_PY_PKG); } + /** + * Returns whether the Ruby gemspec analyzer is disabled. + * + * @return true if the {@link ARGUMENT#DISABLE_RUBYGEMS} command line argument was specified; otherwise false + */ + public boolean isRubyGemspecDisabled() { + return (null != line) && line.hasOption(ARGUMENT.DISABLE_RUBYGEMS); + } + /** * Returns true if the disableCmake command line argument was specified. * 
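Review bot: The new disableRubygems option is constructed inline inside the addOption chain, whereas every neighbouring call in the hunk passes a pre-built named option (disablePythonDistributionAnalyzer, disableCmakeAnalyzer, disableAutoconfAnalyzer, …) that appears to be a local declared above the chain; a two-line inline builder breaks the one-option-per-line rhythm that makes the chain scannable. Declaring it alongside the others, `final Option disableRubygemsAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_RUBYGEMS).withDescription("Disable the Ruby Gemspec Analyzer.").create();` and then `.addOption(disableRubygemsAnalyzer)`, keeps the style consistent. Where those neighbouring options are declared is outside this hunk, so their form is inferred from the names.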
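Review bot: isRubyGemspecDisabled spells its guard as `(null != line)` while the accessor ending just above it in the hunk uses `(line != null)`, so the new method reads differently from its siblings for no functional reason; `return (line != null) && line.hasOption(ARGUMENT.DISABLE_RUBYGEMS);` matches the established form. The Javadoc summary also differs slightly ("Returns whether …" versus the neighbours' "Returns true if … was specified"), which is harmless but worth aligning while the block is being touched.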
@@ -1077,6 +1088,10 @@ public final class CliParser { * Disables the Python Package Analyzer. */ public static final String DISABLE_PY_PKG = "disablePyPkg"; + /** + * Disables the Ruby Gemspec Analyzer. + */ + public static final String DISABLE_RUBYGEMS = "disableRubygems"; /** * Disables the Autoconf Analyzer. */ diff --git a/dependency-check-cli/src/site/markdown/arguments.md b/dependency-check-cli/src/site/markdown/arguments.md index 15a1248cc..cd7160a62 100644 --- a/dependency-check-cli/src/site/markdown/arguments.md +++ b/dependency-check-cli/src/site/markdown/arguments.md @@ -30,6 +30,7 @@ Short | Argument Name        | Paramete | \-\-updateonly | | If set only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated. |   | \-\-disablePyDist | | Sets whether the Python Distribution Analyzer will be used. | false | \-\-disablePyPkg | | Sets whether the Python Package Analyzer will be used. | false + | \-\-disableRubygems | | Sets whether the Ruby Gemspec Analyzer will be used. | false | \-\-disableAutoconf | | Sets whether the Autoconf Analyzer will be used. | false | \-\-disableOpenSSL | | Sets whether the OpenSSL Analyzer will be used. | false | \-\-disableCmake | | Sets whether the Cmake Analyzer will be used. | false From d308e50e1e4accefc239c08f00e554807a1e192e Mon Sep 17 00:00:00 2001 From: ma wei Date: Fri, 14 Aug 2015 17:12:28 +0800 Subject: [PATCH 22/33] remove duplicated plugin properties file --- .../dependency.check.properties | 19 ------------------- 1 file changed, 19 deletions(-) delete mode 100644 dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/dependency.check.properties diff --git a/dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/dependency.check.properties b/dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/dependency.check.properties deleted file mode 100644 index 877c70050..000000000 
--- a/dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/dependency.check.properties +++ /dev/null @@ -1,19 +0,0 @@ -# -# This file is part of dependency-check-gradle. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# Copyright (c) 2015 Wei Ma. All Rights Reserved. -# - -implementation-class=com.tools.security.plugin.DependencyCheckGradlePlugin \ No newline at end of file From 7eb18e1931b09d1ed3fdaf0e709d2f1079a93ed3 Mon Sep 17 00:00:00 2001 From: Manuel Recena Date: Fri, 14 Aug 2015 12:33:47 +0200 Subject: [PATCH 23/33] Fixed links --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 5f09b24ab..fab943828 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ Current Releases ------------- ### Jenkins Plugin -For instructions on the use of the Jenkins plugin please see the [Jenkins dependency-check page](http://wiki.jenkins-ci.org/x/CwDgAQ). +For instructions on the use of the Jenkins plugin please see the [OWASP Dependency-Check Plugin page](https://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin). ### Command Line 
@@ -37,7 +37,7 @@ $ dependency-check --app Testing --out . --scan [path to jar files to be scanned ### Maven Plugin -More detailed instructions can be found on the [dependency-check-maven github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-maven/usage.html). +More detailed instructions can be found on the [dependency-check-maven github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-maven). The plugin can be configured using the following: ```xml @@ -66,7 +66,7 @@ The plugin can be configured using the following: ### Ant Task -For instructions on the use of the Ant Task, please see the [dependency-check-ant github page](http://jeremylong.github.io/DependencyCheck/dependency-check-ant/installation.html). +For instructions on the use of the Ant Task, please see the [dependency-check-ant github page](http://jeremylong.github.io/DependencyCheck/dependency-check-ant). Development Usage ------------- From 1cd12d0a0cfff6c59f76719def88cc2bafecb588 Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Wed, 12 Aug 2015 15:08:20 -0400 Subject: [PATCH 24/33] Documentation giving help for scanning ISO images on Linux, Mac OS X, and Windows. --- src/site/markdown/general/scan_iso.md | 122 ++++++++++++++++++++++++++ src/site/site.xml | 3 + 2 files changed, 125 insertions(+) create mode 100644 src/site/markdown/general/scan_iso.md diff --git a/src/site/markdown/general/scan_iso.md b/src/site/markdown/general/scan_iso.md new file mode 100644 index 000000000..075c6fdd6 --- /dev/null +++ b/src/site/markdown/general/scan_iso.md 
@@ -0,0 +1,122 @@
+How to Mount ISO Files for Scanning
+===================================
+
+Dependency-Check can be used as one of your tools for vetting software
+distributed via an [ISO image](https://en.wikipedia.org/wiki/ISO_image). These
+disk image files are not a standard archive format, however. Tools must be
+used that can interpret the contained file system. As will be shown below,
+Linux, Mac OS X, and recent versions of Windows can be used to mount the
+image's file system, which can then be scanned by Dependency-Check.
+
+ISO images are named for the fact that they nearly always contain one of a
+pair of international file system standards published by
+[ISO](http://www.iso.org/): [ISO 9660](https://en.wikipedia.org/wiki/ISO_9660)
+and ISO/IEC 13346, a.k.a. [UDF](https://en.wikipedia.org/wiki/Universal_Disk_Format). Other types of disk images (e.g.,
+[VHD](https://en.wikipedia.org/wiki/VHD_%28file_format%29)) are outside the
+scope of this article, though the ideas presented here may likely be
+succesfully applied.
+
+Linux
+-----
+
+Assume you've downloaded an ISO image called `foo.iso`, and you want to mount
+it at /mnt/foo. (Why /mnt? See the
+[Filesystem Hierarchy Standard](http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s12.html).)
+First make sure that the mount point exists using `mkdir /mnt/foo`. Then, the
+[mount](http://linux.die.net/man/8/mount) command *must be run with root
+privileges*. On Debian and Ubuntu Linux, this is accomplished by prefacing the
+command with `sudo`.
+
+```sh
+$ sudo mount -o loop foo.iso /mnt/foo
+```
+
+Next, you can use Dependency-Check's [command line tool](dependency-check-cli/index.html)
+to scan the mount point. When you are finished, run the
+[umount](http://linux.die.net/man/8/umount) command with root privileges:
+
+```sh
+$ sudo umount -d /mnt/foo
+```
+
+This will unmount the file system, and detach the loop device.
+
+Mac OS X
+--------
+
+### Using the GUI
+
+Simply double-click on the image file in Mac OS X Finder.
+
+### Using a Terminal Window
+
+Use the [hdiutil](https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/hdiutil.1.html)
+command.
+
+```sh
+$ hdiutil attach foo.iso
+```
+
+The output will show the `/dev` entry assigned as well as the mount point,
+which is where you may now read the files in the image's file system.
+
+To detach:
+
+```sh
+$ hdiutil detach foo.iso
+```
+
+Windows
+-------
+
+Windows 8 and later versions support mounting ISO images as a virtual drive.
+
+### Using the GUI
+
+1. In *File Explorer*, right-click on "foo.iso".
+2. Select "Mount"
+
+File Explorer then redirects to showing the files on your virtual drive. You can then use the [command line tool](dependency-check-cli/index.html) to scan the virtual drive. When finished, "Windows-E" will open File Explorer showing the various drives on your computer. To eject the virtual drive:
+
+1. Right-click on the virtual drive.
+2. Select "Eject"
+
+### Using PowerShell
+
+To mount, use the [Mount-DiskImage](https://technet.microsoft.com/en-us/%5Clibrary/Hh848706%28v=WPS.630%29.aspx)
+cmdlet:
+
+```posh
+$ Mount-DiskImage -ImagePath C:\Full\Path\to\foo.iso
+```
+
+To view all drives (and find your virtual drive), use the
+[Get-PSDrive](https://technet.microsoft.com/en-us/library/Hh849796.aspx)
+cmdlet:
+
+```posh
+$ Get-PSDrive -PSProvider 'FileSystem'
+```
+
+To dismount, use the [Dismount-DiskImage](https://technet.microsoft.com/en-us/library/hh848693%28v=wps.630%29.aspx)
+cmdlet:
+
+```posh
+$ Dismount-DiskImage -ImagePath C:\Full\Path\to\file.iso
+```
+
+### Windows 7
+
+Third-party tools exist that can be used to mount ISO images. Without such
+tools, it is still possible to burn the ISO image to physical media, and scan
+the media:
+
+1. Right-click on "foo.iso"
+2. Select "Windows Disc Image Burner"
+3. Follow the instructions to burn the image.
+ +### Windows Vista + +Just as with Windows 7, you will need a third-party tool to mount an ISO +image. You will also need a third-party tool to burn the image to media. +Many machines are shipped with such a tool included. \ No newline at end of file diff --git a/src/site/site.xml b/src/site/site.xml index 6ca795342..855f94911 100644 --- a/src/site/site.xml +++ b/src/site/site.xml @@ -102,6 +102,9 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. Sample Report + + How to Scan an ISO Image + From 8d3f08e529c4e38b071da2c26b331f0bb1230d08 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 16 Aug 2015 06:24:08 -0400 Subject: [PATCH 25/33] fixed links --- dependency-check-cli/src/site/markdown/arguments.md | 2 +- dependency-check-maven/src/site/markdown/configuration.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dependency-check-cli/src/site/markdown/arguments.md b/dependency-check-cli/src/site/markdown/arguments.md index 15a1248cc..123571643 100644 --- a/dependency-check-cli/src/site/markdown/arguments.md +++ b/dependency-check-cli/src/site/markdown/arguments.md @@ -13,7 +13,7 @@ Short | Argument Name   | Parameter | Description | Requir \-f | \-\-format | \ | The output format to write to (XML, HTML, VULN, ALL). The default is HTML. | Required \-l | \-\-log | \ | The file path to write verbose logging information. | Optional \-n | \-\-noupdate | | Disables the automatic updating of the CPE data. | Optional - | \-\-suppression | \ | The file path to the suppression XML file; used to suppress [false positives](../suppression.html). | Optional + | \-\-suppression | \ | The file path to the suppression XML file; used to suppress [false positives](../general/suppression.html). | Optional \-h | \-\-help | | Print the help message. | Optional | \-\-advancedHelp | | Print the advanced help message. | Optional \-v | \-\-version | | Print the version information. | Optional 
diff --git a/dependency-check-maven/src/site/markdown/configuration.md b/dependency-check-maven/src/site/markdown/configuration.md index 7f767f0c3..afe2e9e99 100644 --- a/dependency-check-maven/src/site/markdown/configuration.md +++ b/dependency-check-maven/src/site/markdown/configuration.md @@ -18,7 +18,7 @@ autoUpdate | Sets whether auto-updating of the NVD CVE/CPE data is ena outputDirectory | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build | 'target' failBuildOnCVSS | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. | 11 format | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML -suppressionFile | The file path to the XML suppression file \- used to suppress [false positives](../suppression.html) |   +suppressionFile | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html) |   skipTestScope | Should be skip analysis for artifacts with Test Scope | true skipProvidedScope | Should be skip analysis for artifacts with Provided Scope | false skipRuntimeScope | Should be skip analysis for artifacts with Runtime Scope | false From 38cd19de1584dc0ccd2691d7f73ce7a08988a0a6 Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Mon, 17 Aug 2015 12:16:45 -0400 Subject: [PATCH 26/33] ISO scanning: Added clarification on what can be scanned. Fleshed out file type analyzers page with details. Re-ordered side menu alphabetically to match. --- src/site/markdown/analyzers/index.md | 20 +++++++++++--------- src/site/markdown/general/scan_iso.md | 14 +++++++------- src/site/site.xml | 18 +++++++++--------- 3 files changed, 27 insertions(+), 25 deletions(-) 
diff --git a/src/site/markdown/analyzers/index.md b/src/site/markdown/analyzers/index.md
index 30dfb3a21..d21725319 100644
--- a/src/site/markdown/analyzers/index.md
+++ b/src/site/markdown/analyzers/index.md
@@ -3,12 +3,14 @@ File Type Analyzers
 OWASP dependency-check contains several file type analyzers that are used
 to extract identification information from the files analyzed.
 
-- [Archive Analyzer](./archive-analyzer.html)
-- [Assembly Analyzer](./assembly-analyzer.html)
-- [Autoconf Analyzer](./autoconf-analyzer.html)
-- [Central Analyzer](./central-analyzer.html)
-- [Jar Analyzer](./jar-analyzer.html)
-- [Nexus Analyzer](./nexus-analyzer.html)
-- [Nuspec Analyzer](./nuspec-analyzer.html)
-- [OpenSSL Analyzer](./openssl-analyzer.html)
-- [Python Analyzer](./python-analyzer.html)
+| Analyzer | File Types Scanned | Analysis Method |
+| -------- | ------------------ | --------------- |
+| [Archive Analyzer](./archive-analyzer.html) | Zip archive format (\*.zip, \*.ear, *.war, \*.jar, \*.sar, \*.apk, \*.nupkg); Tape Archive Format (\*.tar); Gzip format (\*.gz, \*.tgz); Bzip2 format (\*.bz2, \*.tbz2) | Extracts archive contents, then scans contents with all available analyzers. |
+| [Assembly Analyzer](./assembly-analyzer.html) | .NET Assemblies (\*.exe, \*.dll) | Uses [GrokAssembly.exe](https://github.com/colezlaw/GrokAssembly), which requires .NET Framework or Mono runtime to be installed. |
+| [Autoconf Analyzer](./autoconf-analyzer.html) | Autoconf project configuration files (configure, configure.in, configure.ac) | Regex scan for AC_INIT metadata, including in generated configuration script. |
+| [Central Analyzer](./central-analyzer.html) | Java archive files (\*.jar) | Searches Maven Central or a configured Nexus repository for the file's SHA1 hash. |
+| [Jar Analyzer](./jar-analyzer.html) | Java archive files (\*.jar); Web application archive (\*.war) | Examines archive manifest metadata, and Maven Project Object Model files (pom.xml). |
+| [Nexus Analyzer](./nexus-analyzer.html) | Java archive files (\*.jar) | Searches Sonatype or a configured Nexus repository for the file's SHA1 hash. In most cases, superceded by Central Analyzer. |
+| [Nuspec Analyzer](./nuspec-analyzer.html) | Nuget package specification file (\*.nuspec) | Uses XPath to parse specification XML. |
+| [OpenSSL Analyzer](./openssl-analyzer.html) | OpenSSL Version Source Header File (opensslv.h) | Regex parse of the OPENSSL_VERSION_NUMBER macro definition. |
+| [Python Analyzer](./python-analyzer.html) | Python source files (\*.py); Package metadata files (PKG-INFO, METADATA); Package Distribution Files (whl, egg, zip, PKG-INFO, and METADATA) | Regex scan of Python source files for setuptools metadata; Parse RFC822 header format for metadata in all other artifacts. |
diff --git a/src/site/markdown/general/scan_iso.md b/src/site/markdown/general/scan_iso.md
index 075c6fdd6..66e3c03a7 100644
--- a/src/site/markdown/general/scan_iso.md
+++ b/src/site/markdown/general/scan_iso.md
@@ -2,11 +2,10 @@ How to Mount ISO Files for Scanning
 ===================================
 
 Dependency-Check can be used as one of your tools for vetting software
-distributed via an [ISO image](https://en.wikipedia.org/wiki/ISO_image). These
-disk image files are not a standard archive format, however. Tools must be
-used that can interpret the contained file system. As will be shown below,
-Linux, Mac OS X, and recent versions of Windows can be used to mount the
-image's file system, which can then be scanned by Dependency-Check.
+distributed via an [ISO image](https://en.wikipedia.org/wiki/ISO_image). (See
+[File Type Analyzers](../analyzers/) for a list of what types of artifacts
+Dependency-Check is capable of scanning.) These disk image files are not a standard archive format, however. Tools must be used that can interpret the contained file system. As will be shown below, Linux, Mac OS X, and recent versions of Windows can be used to mount the image's file system, which can
+then be scanned by Dependency-Check.
 
 ISO images are named for the fact that they nearly always contain one of a
 pair of international file system standards published by
@@ -31,7 +30,7 @@ command with `sudo`. $ sudo mount -o loop foo.iso /mnt/foo ``` -Next, you can use Dependency-Check's [command line tool](dependency-check-cli/index.html) +Next, you can use Dependency-Check's [command line tool](dependency-check-cli/) to scan the mount point. When you are finished, run the [umount](http://linux.die.net/man/8/umount) command with root privileges: @@ -76,7 +75,8 @@ Windows 8 and later versions support mounting ISO images as a virtual drive. 1. In *File Explorer*, right-click on "foo.iso". 2. Select "Mount" -File Explorer then redirects to showing the files on your virtual drive. You can then use the [command line tool](dependency-check-cli/index.html) to scan the virtual drive. When finished, "Windows-E" will open File Explorer showing the various drives on your computer. To eject the virtual drive: +File Explorer then redirects to showing the files on your virtual drive. You can then use the [command line tool](dependency-check-cli/) to scan the +virtual drive. When finished, "Windows-E" will open File Explorer showing the various drives on your computer. To eject the virtual drive: 1. Right-click on the virtual drive. 2. Select "Eject" diff --git a/src/site/site.xml b/src/site/site.xml index 855f94911..314bf2cbf 100644 --- a/src/site/site.xml +++ b/src/site/site.xml @@ -110,26 +110,26 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. Archive Analyzer - - Jar Analyzer + + Assembly Analyzer - - Python Analyzer + + Autoconf Analyzer Central Analyzer + + Jar Analyzer + Nexus Analyzer - - Assembly Analyzer - Nuspec Analyzer - - Autoconf Analyzer + + Python Analyzer OpenSSL Analyzer From 4c5957ae404e58c3bbd1a1cdd48d7abf0cbc491f Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Mon, 17 Aug 2015 14:49:24 -0400 Subject: [PATCH 27/33] ISO scanning: Fixed slight errors in Python file types, and made formatting consistent. --- src/site/markdown/analyzers/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/site/markdown/analyzers/index.md b/src/site/markdown/analyzers/index.md
index d21725319..9f25d5566 100644
--- a/src/site/markdown/analyzers/index.md
+++ b/src/site/markdown/analyzers/index.md
@@ -13,4 +13,4 @@ to extract identification information from the files analyzed.
 | [Nexus Analyzer](./nexus-analyzer.html) | Java archive files (\*.jar) | Searches Sonatype or a configured Nexus repository for the file's SHA1 hash. In most cases, superceded by Central Analyzer. |
 | [Nuspec Analyzer](./nuspec-analyzer.html) | Nuget package specification file (\*.nuspec) | Uses XPath to parse specification XML. |
 | [OpenSSL Analyzer](./openssl-analyzer.html) | OpenSSL Version Source Header File (opensslv.h) | Regex parse of the OPENSSL_VERSION_NUMBER macro definition. |
-| [Python Analyzer](./python-analyzer.html) | Python source files (\*.py); Package metadata files (PKG-INFO, METADATA); Package Distribution Files (whl, egg, zip, PKG-INFO, and METADATA) | Regex scan of Python source files for setuptools metadata; Parse RFC822 header format for metadata in all other artifacts. |
+| [Python Analyzer](./python-analyzer.html) | Python source files (\*.py); Package metadata files (PKG-INFO, METADATA); Package Distribution Files (\*.whl, \*.egg, \*.zip) | Regex scan of Python source files for setuptools metadata; Parse RFC822 header format for metadata in all other artifacts. |
From 2db1f8d2b672cd8809f7e003c8f93438cdbf6bc1 Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Mon, 17 Aug 2015 18:55:51 -0400 Subject: [PATCH 28/33] Random fixes to issues found by IntelliJ IDEA code inspection. --- .../analyzer/AutoconfAnalyzer.java | 8 +- .../analyzer/PythonDistributionAnalyzer.java | 8 +- .../analyzer/PythonPackageAnalyzer.java | 74 ++++++++----------- .../analyzer/OpenSSLAnalyzerTest.java | 4 +- .../PythonDistributionAnalyzerTest.java | 2 +- .../analyzer/PythonPackageAnalyzerTest.java | 12 +-- 6 files changed, 44 insertions(+), 64 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java index d25ad57de..291c011bc 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java @@ -173,10 +173,10 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer { } } else { // copy, alter and set in case some other thread is iterating over - final List deps = new ArrayList( + final List dependencies = new ArrayList( engine.getDependencies()); - deps.remove(dependency); - engine.setDependencies(deps); + dependencies.remove(dependency); + engine.setDependencies(dependencies); } } @@ -225,7 +225,7 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer { contents = FileUtils.readFileToString(actualFile).trim(); } catch (IOException e) { throw new AnalysisException( - "Problem occured while reading dependency file.", e); + "Problem occurred while reading dependency file.", e); } return contents; } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java index ff2064d91..c89aaed6f 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java @@ -53,7 +53,7 @@ import org.owasp.dependencycheck.utils.UrlStringUtils; public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer { /** - * Name of egg metatdata files to analyze. + * Name of egg metadata files to analyze. */ private static final String PKG_INFO = "PKG-INFO"; 
@@ -269,10 +269,8 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer { * * @param dependency the dependency being analyzed * @param file a reference to the manifest/properties file - * @throws AnalysisException thrown when there is an error */ - private static void collectWheelMetadata(Dependency dependency, File file) - throws AnalysisException { + private static void collectWheelMetadata(Dependency dependency, File file) { final InternetHeaders headers = getManifestProperties(file); addPropertyToEvidence(headers, dependency.getVersionEvidence(), "Version", Confidence.HIGHEST); @@ -352,7 +350,7 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer { } /** - * Retrieves the next temporary destingation directory for extracting an archive. + * Retrieves the next temporary destination directory for extracting an archive. * * @return a directory * @throws AnalysisException thrown if unable to create temporary directory diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java index 8f909614b..f5d27e981 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java @@ -28,13 +28,10 @@ import org.owasp.dependencycheck.dependency.EvidenceCollection; import org.owasp.dependencycheck.utils.FileFilterBuilder; import org.owasp.dependencycheck.utils.Settings; import org.owasp.dependencycheck.utils.UrlStringUtils; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import java.io.File; import java.io.FileFilter; import java.io.IOException; -import java.net.MalformedURLException; import java.util.ArrayList; import java.util.List; import java.util.regex.Matcher; 
@@ -53,12 +50,6 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { private static final int REGEX_OPTIONS = Pattern.DOTALL | Pattern.CASE_INSENSITIVE; - /** - * The logger. - */ - private static final Logger LOGGER = LoggerFactory - .getLogger(PythonPackageAnalyzer.class); - /** * Filename extensions for files to be analyzed. */ @@ -173,7 +164,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { * Analyzes python packages and adds evidence to the dependency. * * @param dependency the dependency being analyzed - * @param engine the engine being used to perform the scan + * @param engine the engine being used to perform the scan * @throws AnalysisException thrown if there is an unrecoverable error analyzing the dependency */ @Override @@ -184,8 +175,8 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { final String parentName = parent.getName(); boolean found = false; if (INIT_PY_FILTER.accept(file)) { - for (final File sourcefile : parent.listFiles(PY_FILTER)) { - found |= analyzeFileContents(dependency, sourcefile); + for (final File sourceFile : parent.listFiles(PY_FILTER)) { + found |= analyzeFileContents(dependency, sourceFile); } } if (found) { @@ -194,10 +185,10 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { "PackageName", parentName, Confidence.MEDIUM); } else { // copy, alter and set in case some other thread is iterating over - final List deps = new ArrayList( + final List dependencies = new ArrayList( engine.getDependencies()); - deps.remove(dependency); - engine.setDependencies(deps); + dependencies.remove(dependency); + engine.setDependencies(dependencies); } } 
@@ -206,7 +197,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { * __summary__, __uri__, __url__, __home*page__, __author__, and their all caps equivalents. * * @param dependency the dependency being analyzed - * @param file the file name to analyze + * @param file the file name to analyze * @return whether evidence was found * @throws AnalysisException thrown if there is an unrecoverable error */ @@ -238,14 +229,10 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { .getVendorEvidence(); found |= gatherEvidence(AUTHOR_PATTERN, contents, source, vendorEvidence, "SourceAuthor", Confidence.MEDIUM); - try { - found |= gatherHomePageEvidence(URI_PATTERN, vendorEvidence, - source, "URL", contents); - found |= gatherHomePageEvidence(HOMEPAGE_PATTERN, - vendorEvidence, source, "HomePage", contents); - } catch (MalformedURLException e) { - LOGGER.warn(e.getMessage()); - } + found |= gatherHomePageEvidence(URI_PATTERN, vendorEvidence, + source, "URL", contents); + found |= gatherHomePageEvidence(HOMEPAGE_PATTERN, + vendorEvidence, source, "HomePage", contents); } return found; } 
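Review bot: The removed try/catch in `@@ -238,14 +229,10 @@` was the only visible handling of a malformed home-page URL, and the replacement calls to gatherHomePageEvidence carry no handling at all; if URL parsing inside that helper can still fail at runtime (its body continues past the hunk at `@@ -275,17 +262,16 @@`, which likewise drops the `throws MalformedURLException`), a single bad `__url__` string in a scanned third-party package would now abort analysis of that dependency instead of logging a warning. Worth confirming that the helper now validates the string itself before adding evidence, and saying so in its Javadoc, e.g. `@return true if evidence was collected; false if no URL was found or it was not well-formed`. The analyzer reads source files it does not control, so the failure mode on bad input is the point to pin down.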
@@ -254,15 +241,15 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { * Adds summary information to the dependency * * @param dependency the dependency being analyzed - * @param pattern the pattern used to perform analysis - * @param group the group from the pattern that indicates the data to use - * @param contents the data being analyzed - * @param source the source name to use when recording the evidence - * @param key the key name to use when recording the evidence + * @param pattern the pattern used to perform analysis + * @param group the group from the pattern that indicates the data to use + * @param contents the data being analyzed + * @param source the source name to use when recording the evidence + * @param key the key name to use when recording the evidence * @return true if evidence was collected; otherwise false */ private boolean addSummaryInfo(Dependency dependency, Pattern pattern, - int group, String contents, String source, String key) { + int group, String contents, String source, String key) { final Matcher matcher = pattern.matcher(contents); final boolean found = matcher.find(); if (found) { 
@@ -275,17 +262,16 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { /** * Collects evidence from the home page URL. * - * @param pattern the pattern to match + * @param pattern the pattern to match * @param evidence the evidence collection to add the evidence to - * @param source the source of the evidence - * @param name the name of the evidence + * @param source the source of the evidence + * @param name the name of the evidence * @param contents the home page URL * @return true if evidence was collected; otherwise false - * @throws MalformedURLException thrown if the URL is malformed */ private boolean gatherHomePageEvidence(Pattern pattern, - EvidenceCollection evidence, String source, String name, - String contents) throws MalformedURLException { + EvidenceCollection evidence, String source, String name, + String contents) { final Matcher matcher = pattern.matcher(contents); boolean found = false; if (matcher.find()) { 
@@ -299,19 +285,19 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { } /** - * Gather evidence from a Python source file usin the given string assignment regex pattern. + * Gather evidence from a Python source file using the given string assignment regex pattern. * - * @param pattern to scan contents with - * @param contents of Python source file - * @param source for storing evidence - * @param evidence to store evidence in - * @param name of evidence + * @param pattern to scan contents with + * @param contents of Python source file + * @param source for storing evidence + * @param evidence to store evidence in + * @param name of evidence * @param confidence in evidence * @return whether evidence was found */ private boolean gatherEvidence(Pattern pattern, String contents, - String source, EvidenceCollection evidence, String name, - Confidence confidence) { + String source, EvidenceCollection evidence, String name, + Confidence confidence) { final Matcher matcher = pattern.matcher(contents); final boolean found = matcher.find(); if (found) { diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java index c5fcc289e..f0ee9f7ac 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java @@ -39,10 +39,10 @@ public class OpenSSLAnalyzerTest extends BaseTest { /** * The package analyzer to test. */ - OpenSSLAnalyzer analyzer; + private OpenSSLAnalyzer analyzer; /** - * Setup the PtyhonPackageAnalyzer. + * Setup the {@link OpenSSLAnalyzer}. * * @throws Exception if there is a problem */ 
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java index ded6cb20b..954d02274 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java @@ -40,7 +40,7 @@ public class PythonDistributionAnalyzerTest extends BaseTest { /** * The analyzer to test. */ - PythonDistributionAnalyzer analyzer; + private PythonDistributionAnalyzer analyzer; /** * Correctly setup the analyzer for testing. diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java index b132c2ec8..82bb3af09 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java @@ -40,10 +40,10 @@ public class PythonPackageAnalyzerTest extends BaseTest { /** * The package analyzer to test. */ - PythonPackageAnalyzer analyzer; + private PythonPackageAnalyzer analyzer; /** - * Setup the PtyhonPackageAnalyzer. + * Setup the {@link PythonPackageAnalyzer}. * * @throws Exception if there is a problem */ 
@@ -85,14 +85,9 @@ public class PythonPackageAnalyzerTest extends BaseTest { @Test public void testAnalyzeSourceMetadata() throws AnalysisException { - eggtestAssertions(this, - "python/eggtest/__init__.py"); - } - - public void eggtestAssertions(Object context, final String resource) throws AnalysisException { boolean found = false; final Dependency result = new Dependency(BaseTest.getResourceAsFile( - context, resource)); + this, "python/eggtest/__init__.py")); analyzer.analyze(result, null); assertTrue("Expected vendor evidence to contain \"example\".", result .getVendorEvidence().toString().contains("example")); @@ -104,4 +99,5 @@ public class PythonPackageAnalyzerTest extends BaseTest { } assertTrue("Version 0.0.1 not found in EggTest dependency.", found); } + } From 0b5244d32188ecf9484b2cfb055ef9dcdb92ee29 Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Tue, 18 Aug 2015 12:37:09 -0400 Subject: [PATCH 29/33] Markdown escape * character fix --- src/site/markdown/analyzers/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/site/markdown/analyzers/index.md b/src/site/markdown/analyzers/index.md index 9f25d5566..298c2cd22 100644 --- a/src/site/markdown/analyzers/index.md +++ b/src/site/markdown/analyzers/index.md 
@@ -5,7 +5,7 @@ to extract identification information from the files analyzed. | Analyzer | File Types Scanned | Analysis Method | | -------- | ------------------ | --------------- | -| [Archive Analyzer](./archive-analyzer.html) | Zip archive format (\*.zip, \*.ear, *.war, \*.jar, \*.sar, \*.apk, \*.nupkg); Tape Archive Format (\*.tar); Gzip format (\*.gz, \*.tgz); Bzip2 format (\*.bz2, \*.tbz2) | Extracts archive contents, then scans contents with all available analyzers. | +| [Archive Analyzer](./archive-analyzer.html) | Zip archive format (\*.zip, \*.ear, \*.war, \*.jar, \*.sar, \*.apk, \*.nupkg); Tape Archive Format (\*.tar); Gzip format (\*.gz, \*.tgz); Bzip2 format (\*.bz2, \*.tbz2) | Extracts archive contents, then scans contents with all available analyzers. | | [Assembly Analyzer](./assembly-analyzer.html) | .NET Assemblies (\*.exe, \*.dll) | Uses [GrokAssembly.exe](https://github.com/colezlaw/GrokAssembly), which requires .NET Framework or Mono runtime to be installed. | | [Autoconf Analyzer](./autoconf-analyzer.html) | Autoconf project configuration files (configure, configure.in, configure.ac) | Regex scan for AC_INIT metadata, including in generated configuration script. | | [Central Analyzer](./central-analyzer.html) | Java archive files (\*.jar) | Searches Maven Central or a configured Nexus repository for the file's SHA1 hash. | From 481e753ad46a1d1970a4d5bf69915114b74b8ebc Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 23 Aug 2015 06:45:35 -0400 Subject: [PATCH 30/33] corrected spring-security false positives per issue #319 and #311 --- .../src/main/resources/dependencycheck-base-suppression.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml index 40ae34dc0..98ad6a000 100644 --- a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml 
+++ b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml @@ -17,6 +17,7 @@ cpe:/a:mod_security:mod_security cpe:/a:springsource:spring_framework cpe:/a:vmware:springsource_spring_framework + cpe:/a:pivotal:spring_framework Date: Mon, 24 Aug 2015 22:17:16 +0800 Subject: [PATCH 31/33] remove duplicated configuration items in DependencyCheckTask --- ...groovy => DependencyCheckExtension.groovy} | 18 ++--- .../plugin/DependencyCheckGradlePlugin.groovy | 22 ++---- .../security/tasks/DependencyCheckTask.groovy | 73 ++++++++++++------- 3 files changed, 59 insertions(+), 54 deletions(-) rename dependency-check-gradle/src/main/groovy/com/tools/security/extension/{DependencyCheckConfigurationExtension.groovy => DependencyCheckExtension.groovy} (60%) diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckConfigurationExtension.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckExtension.groovy similarity index 60% rename from dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckConfigurationExtension.groovy rename to dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckExtension.groovy index e86f66e25..a0bc76dfe 100644 --- a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckConfigurationExtension.groovy +++ b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckExtension.groovy 
@@ -18,19 +18,19 @@ package com.tools.security.extension -class DependencyCheckConfigurationExtension { +class DependencyCheckExtension { String proxyServer Integer proxyPort - String proxyUsername = "" - String proxyPassword = "" + String proxyUsername + String proxyPassword - String cveUrl12Modified = "https://nvd.nist.gov/download/nvdcve-Modified.xml.gz" - String cveUrl20Modified = "https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz" - Integer cveStartYear = 2002 - String cveUrl12Base = "https://nvd.nist.gov/download/nvdcve-%d.xml.gz" - String cveUrl20Base = "https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz" + String cveUrl20Modified + String cveUrl12Modified + Integer cveStartYear + String cveUrl20Base + String cveUrl12Base String outputDirectory = "./reports" - Boolean quickQueryTimestamp = true; + Boolean quickQueryTimestamp; } diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheckGradlePlugin.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheckGradlePlugin.groovy index 2274c9af4..fc9a4df3d 100644 --- a/dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheckGradlePlugin.groovy +++ b/dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheckGradlePlugin.groovy @@ -18,13 +18,14 @@ package com.tools.security.plugin -import com.tools.security.extension.DependencyCheckConfigurationExtension +import com.tools.security.extension.DependencyCheckExtension import com.tools.security.tasks.DependencyCheckTask import org.gradle.api.Plugin import org.gradle.api.Project class DependencyCheckGradlePlugin implements Plugin { - static final String EXTENSION_NAME = 'dependencyCheck' + private static final String EXTENSION_NAME = 'dependencyCheck' + private static final String TASK_NAME = 'dependencyCheck' @Override void apply(Project project) { 
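Review bot: The extension now leaves every CVE and proxy field null, but nothing in the file says that null means "do not override; dependency-check-core's own default applies" rather than "unset", and `Boolean quickQueryTimestamp;` keeps a trailing semicolon the other fields dropped. A class-level comment such as `// Fields left null are not pushed to Settings; dependency-check-core's defaults then apply (see DependencyCheckTask.override*Setting)` would make that contract explicit. Since `proxyPassword` is a plain build-script property, a short comment steering users to supply it from gradle.properties or the environment rather than committing it to build.gradle would also help.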
@@ -33,23 +34,10 @@ class DependencyCheckGradlePlugin implements Plugin { } def initializeConfigurations(Project project) { - project.extensions.create(EXTENSION_NAME, DependencyCheckConfigurationExtension) + project.extensions.create(EXTENSION_NAME, DependencyCheckExtension) } def registerTasks(Project project) { - project.task('dependencyCheck', type: DependencyCheckTask) { - def extension = project.extensions.findByName(EXTENSION_NAME) - conventionMapping.proxyServer = { extension.proxyServer } - conventionMapping.proxyPort = { extension.proxyPort } - conventionMapping.proxyUsername = { extension.proxyUsername } - conventionMapping.proxyPassword = { extension.proxyPassword } - conventionMapping.cveUrl12Modified = { extension.cveUrl12Modified } - conventionMapping.cveUrl20Modified = { extension.cveUrl20Modified } - conventionMapping.cveStartYear = { extension.cveStartYear } - conventionMapping.cveUrl12Base = { extension.cveUrl12Base } - conventionMapping.cveUrl20Base = { extension.cveUrl20Base } - conventionMapping.outputDirectory = { extension.outputDirectory } - conventionMapping.quickQueryTimestamp = { extension.quickQueryTimestamp } - } + project.task(TASK_NAME, type: DependencyCheckTask) } } \ No newline at end of file diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy index 3e371ec81..6c869657c 100644 --- a/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy +++ b/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy 
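Review bot: `EXTENSION_NAME` and `TASK_NAME` are both 'dependencyCheck', so the project ends up with an extension and a task of the same name, and the task's `def config = project.dependencyCheck` in `@@ -28,27 +28,23 @@` of DependencyCheckTask.groovy relies on Gradle's dynamic property lookup resolving that name to the extension rather than the task. The spec in this series asserts on `project.dependencyCheck.proxyServer`, so it evidently resolves to the extension today, but the dependency is implicit; `def config = project.extensions.getByType(DependencyCheckExtension)` would not depend on lookup order. That field initializer also runs when the task is constructed, so it presumes `initializeConfigurations` runs before `registerTasks` in `apply`, whose body is outside the hunk — worth confirming.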
@@ -28,27 +28,23 @@ import org.owasp.dependencycheck.dependency.Dependency import org.owasp.dependencycheck.reporting.ReportGenerator import org.owasp.dependencycheck.utils.Settings +import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_MODIFIED_12_URL +import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_MODIFIED_20_URL +import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_SCHEMA_1_2 +import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_SCHEMA_2_0 +import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_START_YEAR +import static org.owasp.dependencycheck.utils.Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP +import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_PASSWORD +import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_PORT +import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_SERVER +import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_USERNAME import static org.owasp.dependencycheck.utils.Settings.setBoolean import static org.owasp.dependencycheck.utils.Settings.setString class DependencyCheckTask extends DefaultTask { def currentProjectName = project.getName() - - String proxyServer - Integer proxyPort - String proxyUsername = "" - String proxyPassword = "" - - String cveUrl12Modified = "https://nvd.nist.gov/download/nvdcve-Modified.xml.gz" - String cveUrl20Modified = "https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz" - Integer cveStartYear = 2002 - String cveUrl12Base = "https://nvd.nist.gov/download/nvdcve-%d.xml.gz" - String cveUrl20Base = "https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz" - - String outputDirectory = "./reports" - - Boolean quickQueryTimestamp = true; + def config = project.dependencyCheck DependencyCheckTask() { group = 'Dependency Check' 
@@ -111,22 +107,22 @@ class DependencyCheckTask extends DefaultTask { } def generateReportDirectory(String currentProjectName) { - "${getOutputDirectory()}/${currentProjectName}" + "${config.outputDirectory}/${currentProjectName}" } def overrideProxySetting() { if (isProxySettingExist()) { - logger.lifecycle("Using proxy ${getProxyServer()}:${getProxyPort()}") + logger.lifecycle("Using proxy ${config.proxyServer}:${config.proxyPort}") - setString(Settings.KEYS.PROXY_SERVER, getProxyServer()) - setString(Settings.KEYS.PROXY_PORT, "${getProxyPort()}") - setString(Settings.KEYS.PROXY_USERNAME, getProxyUsername()) - setString(Settings.KEYS.PROXY_PASSWORD, getProxyPassword()) + overrideStringBasedSettingWhenProvided(PROXY_SERVER, config.proxyServer) + overrideStringBasedSettingWhenProvided(PROXY_PORT, "${config.proxyPort}") + overrideStringBasedSettingWhenProvided(PROXY_USERNAME, config.proxyUsername) + overrideStringBasedSettingWhenProvided(PROXY_PASSWORD, config.proxyPassword) } } def isProxySettingExist() { - getProxyServer() != null && getProxyPort() != null + config.proxyServer != null && config.proxyPort != null } def getAllDependencies(project) { 
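Review bot: `overrideStringBasedSettingWhenProvided(PROXY_PASSWORD, config.proxyPassword)` routes the proxy password through a helper (defined in `@@ -138,14 +134,35 @@`) that logs `Setting [${key}] overrided with value [${providedValue}]` at lifecycle level, so the credential is printed to the console and to any CI build log whenever a proxy password is configured. The value should be applied without being echoed; the sketch below adds a flag to the helper and uses it for the password call, and also corrects "overrided" to "overridden" in the message. The integer and boolean helpers in that hunk carry the same wording.
```groovy
// … unchanged: overrideProxySetting up to the PROXY_USERNAME call …
overrideStringBasedSettingWhenProvided(PROXY_PASSWORD, config.proxyPassword, true)

private overrideStringBasedSettingWhenProvided(String key, String providedValue, boolean sensitive = false) {
    if (providedValue != null) {
        // credentials are applied but never echoed into the build log
        logger.lifecycle(sensitive ? "Setting [${key}] overridden" : "Setting [${key}] overridden with value [${providedValue}]")
        setString(key, providedValue)
    }
}
```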
@@ -138,14 +134,35 @@ class DependencyCheckTask extends DefaultTask { } def overrideCveUrlSetting() { - setString(Settings.KEYS.CVE_MODIFIED_20_URL, getCveUrl20Modified()) - setString(Settings.KEYS.CVE_MODIFIED_12_URL, getCveUrl12Modified()) - setString(Settings.KEYS.CVE_START_YEAR, "${getCveStartYear()}") - setString(Settings.KEYS.CVE_SCHEMA_2_0, getCveUrl20Base()) - setString(Settings.KEYS.CVE_SCHEMA_1_2, getCveUrl12Base()) + overrideStringBasedSettingWhenProvided(CVE_MODIFIED_20_URL, config.cveUrl20Modified) + overrideStringBasedSettingWhenProvided(CVE_MODIFIED_12_URL, config.cveUrl12Modified) + overrideIntegerBasedSettingWhenProvided(CVE_START_YEAR, config.cveStartYear) + overrideStringBasedSettingWhenProvided(CVE_SCHEMA_2_0, config.cveUrl20Base) + overrideStringBasedSettingWhenProvided(CVE_SCHEMA_1_2, config.cveUrl12Base) } def overrideDownloaderSetting() { - setBoolean(Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP, getQuickQueryTimestamp()) + overrideBooleanBasedSettingWhenProvided(DOWNLOADER_QUICK_QUERY_TIMESTAMP, config.quickQueryTimestamp) + } + + private overrideStringBasedSettingWhenProvided(String key, String providedValue) { + if (providedValue != null) { + logger.lifecycle("Setting [${key}] overrided with value [${providedValue}]") + setString(key, providedValue) + } + } + + private overrideIntegerBasedSettingWhenProvided(String key, Integer providedValue) { + if (providedValue != null) { + logger.lifecycle("Setting [${key}] overrided with value [${providedValue}]") + setString(key, "${providedValue}") + } + } + + private overrideBooleanBasedSettingWhenProvided(String key, Boolean providedValue) { + if (providedValue != null) { + logger.lifecycle("Setting [${key}] overrided with value [${providedValue}]") + setBoolean(key, providedValue) + } } } From 9a7c342f91bca901c298cda41fa1295415740f5e Mon Sep 17 00:00:00 2001 
From: ma wei Date: Mon, 24 Aug 2015 22:25:03 +0800 Subject: [PATCH 32/33] modify spec for testing project extension --- .../DependencyCheckGradlePluginSpec.groovy | 45 +++++++++---------- 1 file changed, 22 insertions(+), 23 deletions(-) diff --git a/dependency-check-gradle/src/test/groovy/com/tools/security/plugin/DependencyCheckGradlePluginSpec.groovy b/dependency-check-gradle/src/test/groovy/com/tools/security/plugin/DependencyCheckGradlePluginSpec.groovy index 6a9666240..a75db628b 100644 --- a/dependency-check-gradle/src/test/groovy/com/tools/security/plugin/DependencyCheckGradlePluginSpec.groovy +++ b/dependency-check-gradle/src/test/groovy/com/tools/security/plugin/DependencyCheckGradlePluginSpec.groovy 
@@ -48,17 +48,17 @@ class DependencyCheckGradlePluginSpec extends PluginProjectSpec { expect: task.group == 'Dependency Check' task.description == 'Produce dependency security report.' - task.proxyServer == null - task.proxyPort == null - task.proxyUsername == '' - task.proxyPassword == '' - task.cveUrl12Modified == 'https://nvd.nist.gov/download/nvdcve-Modified.xml.gz' - task.cveUrl20Modified == 'https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz' - task.cveStartYear == 2002 - task.cveUrl12Base == 'https://nvd.nist.gov/download/nvdcve-%d.xml.gz' - task.cveUrl20Base == 'https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz' - task.outputDirectory == './reports' - task.quickQueryTimestamp == true + project.dependencyCheck.proxyServer == null + project.dependencyCheck.proxyPort == null + project.dependencyCheck.proxyUsername == null + project.dependencyCheck.proxyPassword == null + project.dependencyCheck.cveUrl12Modified == null + project.dependencyCheck.cveUrl20Modified == null + project.dependencyCheck.cveStartYear == null + project.dependencyCheck.cveUrl12Base == null + project.dependencyCheck.cveUrl20Base == null + project.dependencyCheck.outputDirectory == './reports' + project.dependencyCheck.quickQueryTimestamp == null } def 'tasks use correct values when extension is used'() { 
@@ -78,17 +78,16 @@ class DependencyCheckGradlePluginSpec extends PluginProjectSpec { } then: - Task task = project.tasks.findByName( 'dependencyCheck' ) - task.proxyServer == '127.0.0.1' - task.proxyPort == 3128 - task.proxyUsername == 'proxyUsername' - task.proxyPassword == 'proxyPassword' - task.cveUrl12Modified == 'cveUrl12Modified' - task.cveUrl20Modified == 'cveUrl20Modified' - task.cveStartYear == 2002 - task.cveUrl12Base == 'cveUrl12Base' - task.cveUrl20Base == 'cveUrl20Base' - task.outputDirectory == 'outputDirectory' - task.quickQueryTimestamp == false + project.dependencyCheck.proxyServer == '127.0.0.1' + project.dependencyCheck.proxyPort == 3128 + project.dependencyCheck.proxyUsername == 'proxyUsername' + project.dependencyCheck.proxyPassword == 'proxyPassword' + project.dependencyCheck.cveUrl12Modified == 'cveUrl12Modified' + project.dependencyCheck.cveUrl20Modified == 'cveUrl20Modified' + project.dependencyCheck.cveStartYear == 2002 + project.dependencyCheck.cveUrl12Base == 'cveUrl12Base' + project.dependencyCheck.cveUrl20Base == 'cveUrl20Base' + project.dependencyCheck.outputDirectory == 'outputDirectory' + project.dependencyCheck.quickQueryTimestamp == false } } From 054be314f6d198514f2ce833a57978baf315f092 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Tue, 25 Aug 2015 06:13:29 -0400 Subject: [PATCH 33/33] added targetCompatibility = 1.7 per issue #321 --- dependency-check-gradle/build.gradle | 2 ++ 1 file changed, 2 insertions(+) diff --git a/dependency-check-gradle/build.gradle b/dependency-check-gradle/build.gradle index 18f7454a7..0a960a787 100644 --- a/dependency-check-gradle/build.gradle +++ b/dependency-check-gradle/build.gradle @@ -75,6 +75,8 @@ task integTest(type: Test) { group = 'com.thoughtworks.tools' version = '0.0.6' +targetCompatibility = 1.7 + apply from: 'conf/publish/local.gradle' //apply from: 'conf/publish/maven.gradle' apply from: 'conf/publish/gradlePluginsPortal.gradle'
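Review bot: `targetCompatibility = 1.7` is set without a matching `sourceCompatibility`, and with Gradle's java plugin the source level then defaults to the version of the JDK running the build; on a JDK newer than 7 javac rejects a source level higher than the target, so this line on its own can break the build that issue #321 set out to fix. Adding `sourceCompatibility = 1.7` next to it keeps the two consistent. This follows from Gradle's default behaviour rather than anything visible in the hunk, so it is worth verifying on a JDK 8 build.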