github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-14 15:53:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master' into parallelize-analyzers-aftermath

Browse Source
This commit is contained in:
Stefan Neuhaus
2016-10-09 16:08:46 +02:00
parent 9b43bf004a 5d73faa1f0
commit 9fdff51f26
17 changed files with 33047 additions and 9524 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
View File

@@ -346,6 +346,28 @@ public class Check extends Update {
public void setSuppressionFile(String suppressionFile) {
this.suppressionFile = suppressionFile;
}
/**
* The path to the suppression file.
*/
private String hintsFile;
/**
* Get the value of hintsFile.
*
* @return the value of hintsFile
*/
public String getHintsFile() {
return hintsFile;
}
/**
* Set the value of hintsFile.
*
* @param hintsFile new value of hintsFile
*/
public void setHintsFile(String hintsFile) {
this.hintsFile = hintsFile;
}
/**
* flag indicating whether or not to show a summary of findings.
*/
@@ -904,6 +926,7 @@ public class Check extends Update {
super.populateSettings();
Settings.setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate);
Settings.setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
Settings.setStringIfNotEmpty(Settings.KEYS.HINTS_FILE, hintsFile);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, enableExperimental);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, pyDistributionAnalyzerEnabled);

2
dependency-check-ant/src/site/markdown/config-purge.md
View File

@@ -2,7 +2,7 @@ Configuration
====================
The dependency-check-purge task deletes the local copy of the NVD. This task
should rarely be used, if ever. This is included as a convenience method in
the rare circumstance that the local H2 database because corrupt.
the rare circumstance that the local H2 database becomes corrupt.
```xml
<target name="dependency-check-purge" description="Dependency-Check purge">

1
dependency-check-ant/src/site/markdown/configuration.md
View File

@@ -39,6 +39,7 @@ projectName | The name of the project being scanned.
reportFormat | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
reportOutputDirectory | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build | 'target'
suppressionFile | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html) | &nbsp;
hintsFile | The file path to the XML hints file \- used to add evidence [false negatives](../general/hints.html) | &nbsp;
proxyServer | The Proxy Server; see the [proxy configuration](../data/proxy.html) page for more information. | &nbsp;
proxyPort | The Proxy Port. | &nbsp;
proxyUsername | Defines the proxy user name. | &nbsp;

2
dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
View File

@@ -347,6 +347,7 @@ public class App {
final String dataDirectory = cli.getDataDirectory();
final File propertiesFile = cli.getPropertiesFile();
final String suppressionFile = cli.getSuppressionFile();
final String hintsFile = cli.getHintsFile();
final String nexusUrl = cli.getNexusUrl();
final String databaseDriverName = cli.getDatabaseDriverName();
final String databaseDriverPath = cli.getDatabaseDriverPath();
@@ -394,6 +395,7 @@ public class App {
Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PASSWORD, proxyPass);
Settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
Settings.setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
Settings.setStringIfNotEmpty(Settings.KEYS.HINTS_FILE, hintsFile);
Settings.setIntIfNotNull(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, cveValidForHours);
//File Type Analyzer Settings

21
dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
View File

@@ -277,6 +277,10 @@ public final class CliParser {
.desc("The file path to the suppression XML file.")
.build();
final Option hintsFile = Option.builder().argName("file").hasArg().longOpt(ARGUMENT.HINTS_FILE)
.desc("The file path to the hints XML file.")
.build();
final Option cveValidForHours = Option.builder().argName("hours").hasArg().longOpt(ARGUMENT.CVE_VALID_FOR_HOURS)
.desc("The number of hours to wait before checking for new updates from the NVD.")
.build();
@@ -305,6 +309,7 @@ public final class CliParser {
.addOption(props)
.addOption(verboseLog)
.addOption(suppressionFile)
.addOption(hintsFile)
.addOption(cveValidForHours)
.addOption(experimentalEnabled);
}
@@ -962,6 +967,15 @@ public final class CliParser {
return line.getOptionValue(ARGUMENT.SUPPRESSION_FILE);
}
/**
* Returns the path to the hints file.
*
* @return the path to the hints file
*/
public String getHintsFile() {
return line.getOptionValue(ARGUMENT.HINTS_FILE);
}
/**
* <p>
* Prints the manifest information to standard output.</p>
@@ -1273,9 +1287,14 @@ public final class CliParser {
*/
public static final String SUPPRESSION_FILE = "suppression";
/**
* The CLI argument name for setting the location of the suppression
* The CLI argument name for setting the location of the hint
* file.
*/
public static final String HINTS_FILE = "hints";
/**
* The CLI argument name for setting the number of hours to wait before
* checking for new updates from the NVD.
*/
public static final String CVE_VALID_FOR_HOURS = "cveValidForHours";
/**
* Disables the Jar Analyzer.

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
View File

@@ -323,7 +323,7 @@ public class HintAnalyzer extends AbstractAnalyzer {
try {
org.apache.commons.io.FileUtils.copyInputStreamToFile(fromClasspath, file);
} catch (IOException ex) {
throw new HintParseException("Unable to locate suppressions file in classpath", ex);
throw new HintParseException("Unable to locate hints file in classpath", ex);
}
}
} finally {

8
dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
View File

@@ -206,6 +206,13 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
*/
@Parameter(property = "suppressionFile", defaultValue = "", required = false)
private String suppressionFile;
/**
* The path to the hints file.
*/
@Parameter(property = "hintsFile", defaultValue = "", required = false)
private String hintsFile;
/**
* Flag indicating whether or not to show a summary in the output.
*/
@@ -848,6 +855,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
Settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
Settings.setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
Settings.setStringIfNotEmpty(Settings.KEYS.HINTS_FILE, hintsFile);
//File Type Analyzer Settings
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);

1
dependency-check-maven/src/site/markdown/configuration.md
View File

@@ -26,6 +26,7 @@ skipTestScope | Skip analysis for artifacts with Test Scope
skipProvidedScope | Skip analysis for artifacts with Provided Scope | false
skipRuntimeScope | Skip analysis for artifacts with Runtime Scope | false
suppressionFile | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html) | &nbsp;
hintsFile | The file path to the XML hints file \- used to suppress [false negatives](../general/hints.html) | &nbsp;
enableExperimental | Enable the [experimental analyzers](../analyzers/index.html). If not enabled the experimental analyzers (see below) will not be loaded or used. | false
Analyzer Configuration

11
src/site/markdown/analyzers/cocoapods.md Normal file
View File

@@ -0,0 +1,11 @@
CocoaPods Analyzer
================
*Experimental*: This analyzer is considered experimental. While this analyzer may
be useful and provide valid results more testing must be completed to ensure that
the false negative/false positive rates are acceptable.
OWASP dependency-check includes an analyzer that will analyze SWIFT and Objective-C
packages by scanning [CocoaPods](https://cocoapods.org/) specification file.
Files Types Scanned: [*.podspec](https://guides.cocoapods.org/making/specs-and-specs-repo.html)

2
src/site/markdown/analyzers/index.md
View File

@@ -24,7 +24,9 @@ several teams have found them useful in their current state.
| -------- | ------------------ | --------------- |
| [Autoconf](./autoconf.html) | Autoconf project configuration files (configure, configure.in, configure.ac) | [Regex](https://en.wikipedia.org/wiki/Regular_expression) scan for AC_INIT metadata, including in generated configuration script. |
| [CMake](./cmake.html) | CMake project files (CMakeLists.txt) and scripts (\*.cmake) | Regex scan for project initialization and version setting commands. |
| [CocoaPods](./cocoapods.html) | CocoaPods `.podspec` files | Extracts dependency information from specification file. |
| [Composer Lock](./composer-lock.html) | PHP [Composer](http://getcomposer.org) Lock files (composer.lock) | Parses PHP [Composer](http://getcomposer.org) lock files for exact versions of dependencies. |
| [Node.js](./nodejs.html) | NPM package specification files (package.json) | Parse JSON format for metadata. |
| [Python](./python.html) | Python source files (\*.py); Package metadata files (PKG-INFO, METADATA); Package Distribution Files (\*.whl, \*.egg, \*.zip) | Regex scan of Python source files for setuptools metadata; Parse RFC822 header format for metadata in all other artifacts. |
| [Ruby Gemspec](./ruby-gemspec.html) | Ruby makefiles (Rakefile); Ruby Gemspec files (\*.gemspec) | Regex scan Gemspec initialization blocks for metadata. |
| [SWIFT](./swift.html) | SWIFT Package Manager's `Package.swift` | Extracts dependency information from swift package file. |

11
src/site/markdown/analyzers/swift.md Normal file
View File

@@ -0,0 +1,11 @@
SWIFT Package Manager Analyzer
================
*Experimental*: This analyzer is considered experimental. While this analyzer may
be useful and provide valid results more testing must be completed to ensure that
the false negative/false positive rates are acceptable.
OWASP dependency-check includes an analyzer that will scan the [SWIFT Package
Manager](https://swift.org/package-manager/)'s `Package.swift` file to obtain information on the dependencies used.
Files Types Scanned: [Package.swift](https://swift.org/package-manager/#example-usage)

1
src/site/markdown/dependency-check-gradle/configuration.md
View File

@@ -20,6 +20,7 @@ format | The report format to be generated (HTML, XML, VULN, ALL).
outputDirectory | The location to write the report(s). This directory will be located in the build directory. | build/reports
skipTestGroups | When set to true (the default) all dependency groups that being with 'test' will be skipped. | true
suppressionFile | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html) | &nbsp;
hintsFile | The file path to the XML hints file \- used to suppress [false negatives](../general/hints.html) | &nbsp;
skipConfigurations | A list of configurations that will be skipped. This is mutually exclusive with the scanConfigurations property. | `[]` which means no configuration is skipped.
scanConfigurations | A list of configurations that will be scanned, all other configurations are skipped. This is mutually exclusive with the skipConfigurations property. | `[]` which implicitly means all configurations get scanned.

69
src/site/markdown/general/hints.md Normal file
View File

@@ -0,0 +1,69 @@
Resolving False Negatives
====================
Due to how dependency-check identifies libraries, false negatives may occur (a CPE was NOT identified for a library). Identifying these false negatives can be accomplished using the HTML report. In the report, click on the "Display: Showing Vulnerable Dependencies (click to show all)" link. You can then browse the dependencies and review the CPEs that are there for accuracy. You can also review the dependencies where no CPE match was made. Using the CPE dictionary search manually to verify that there is a CPE to match is a good verification that a false negative has been found. If you identify a dependency that is missing a CPE you can add evidence to help identify the correct CPE.
A possible reason for false negatives is re-naming of either the vendor or library name over time. Another case is when an artifact has missing info (manifest with no vendor).
Dependency Check has a built in [hints](https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-core/src/main/resources/dependencycheck-base-hint.xml) file that is used in every check to help correct well known false negatives.
A sample hints file that add a product name and possible vendors for Spring framework dependencies would look like:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<hints xmlns="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.1.xsd">
<hint>
<given>
<evidence type="product" source="Manifest" name="Implementation-Title" value="Spring Framework" confidence="HIGH"/>
<evidence type="product" source="Manifest" name="Implementation-Title" value="org.springframework.core" confidence="HIGH"/>
<evidence type="product" source="Manifest" name="Implementation-Title" value="spring-core" confidence="HIGH"/>
</given>
<add>
<evidence type="product" source="hint analyzer" name="product" value="springsource_spring_framework" confidence="HIGH"/>
<evidence type="vendor" source="hint analyzer" name="vendor" value="SpringSource" confidence="HIGH"/>
<evidence type="vendor" source="hint analyzer" name="vendor" value="vmware" confidence="HIGH"/>
<evidence type="vendor" source="hint analyzer" name="vendor" value="pivotal" confidence="HIGH"/>
</add>
</hint>
</hints>
```
The above XML file will add the 4 evidence entries to any dependency that matches any one of the 3 givens.
The following shows some other ways to add evidence
```xml
<?xml version="1.0" encoding="UTF-8"?>
<hints xmlns="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.1.xsd">
<hint>
<given>
<evidence type="product" source="jar" name="package name" value="springframework" confidence="LOW"/>
<fileName contains="spring"/>
</given>
<add>
<evidence type="product" source="hint analyzer" name="product" value="springsource_spring_framework" confidence="HIGH"/>
<evidence type="vendor" source="hint analyzer" name="vendor" value="SpringSource" confidence="HIGH"/>
<evidence type="vendor" source="hint analyzer" name="vendor" value="vmware" confidence="HIGH"/>
<evidence type="vendor" source="hint analyzer" name="vendor" value="pivotal" confidence="HIGH"/>
</add>
</hint>
<hint>
<given>
<fileName contains="my-thelib-.*\.jar" regex="true" caseSensitive="true"/>
</given>
<add>
<evidence type="product" source="hint analyzer" name="product" value="thelib" confidence="HIGH"/>
<evidence type="vendor" source="hint analyzer" name="vendor" value="thevendor" confidence="HIGH"/>
</add>
</hint>
</hints>
```
The full schema for hints files can be found here: [dependency-hint.xsd](https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-core/src/main/resources/schema/dependency-hint.1.1.xsd "Hint Schema")
Please see the appropriate configuration option in each interfaces configuration guide:
- [Command Line Tool](../dependency-check-cli/arguments.html)
- [Maven Plugin](../dependency-check-maven/configuration.html)
- [Ant Task](../dependency-check-ant/configuration.html)
- [Jenkins Plugin](../dependency-check-jenkins/index.html)

42408
src/site/resources/general/SampleReport.html
View File

File diff suppressed because one or more lines are too long

BIN
src/site/resources/general/dependency-check.pdf
View File

Binary file not shown.

BIN
src/site/resources/general/dependency-check.pptx
View File

Binary file not shown.

9
src/site/site.xml
View File

@@ -80,6 +80,9 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<item name="False Positives" href="./general/suppression.html">
<description>Suppressing False Positives</description>
</item>
<item name="False Negatives" href="./general/hints.html">
<description>Resolving False Negatives</description>
</item>
<item collapse="true" name="Internet Access Required" href="./data/index.html">
<item name="Proxy" href="./data/proxy.html" />
<item name="Mirroring NVD" href="./data/mirrornvd.html" />
@@ -118,6 +121,9 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<item name="CMake" href="./analyzers/cmake.html">
<description>CMake Analyzer</description>
</item>
<item name="CocoaPods" href="./analyzers/cocoapods.html">
<description>CocoaPods Analyzer</description>
</item>
<item name="Jar" href="./analyzers/jar-analyzer.html">
<description>Jar Analyzer</description>
</item>
@@ -139,6 +145,9 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<item name="Ruby Gemspec" href="./analyzers/ruby-gemspec.html">
<description>Ruby Gemspec Analyzer</description>
</item>
<item name="Swift" href="./analyzers/swift.html">
<description>Swift Package Manager Analyzer</description>
</item>
</item>
<item collapse="true" name="Modules" href="./modules.html">
<item name="CLI" href="./dependency-check-cli/index.html">