updated to be feature complete with 1.3.2-SNAPSHOT

This commit is contained in:
Jeremy Long
2015-11-11 18:44:19 -05:00
parent 09c4708a22
commit acb9d04c51
23 changed files with 888 additions and 253 deletions


@@ -24,11 +24,11 @@ buildscript {
mavenCentral()
}
dependencies {
classpath 'com.thoughtworks.tools:dependency-check:0.0.8'
classpath 'org.owasp:dependency-check-gradle:1.3.2'
}
}
apply plugin: 'dependency-check'
apply plugin: 'dependency-check-gradle'
```
### Step 2, Run gradle task
@@ -59,10 +59,10 @@ dependencyCheck {
proxy {
server = "127.0.0.1" // required, the server name or IP address of the proxy
port = 3128 // required, the port number of the proxy
// optional, the proxy server might require username
// username = "username"
// optional, the proxy server might require password
// password = "password"
}


@@ -16,6 +16,10 @@
* Copyright (c) 2015 Wei Ma. All Rights Reserved.
*/
group = 'org.owasp'
version = '1.3.2-SNAPSHOT'
buildscript {
repositories {
maven {
@@ -43,14 +47,15 @@ targetCompatibility = 1.6
repositories {
mavenCentral()
mavenLocal()
}
dependencies {
compile(
localGroovy(),
gradleApi(),
'org.owasp:dependency-check-core:1.3.1',
'org.owasp:dependency-check-utils:1.3.1'
'org.owasp:dependency-check-core:1.3.2-SNAPSHOT',
'org.owasp:dependency-check-utils:1.3.2-SNAPSHOT'
)
testCompile ('com.netflix.nebula:nebula-test:2.2.2'){
@@ -75,11 +80,6 @@ task integTest(type: Test) {
jvmArgs '-XX:MaxPermSize=256m'
}
group = 'com.thoughtworks.tools'
version = '0.0.8'
targetCompatibility = 1.7
apply from: 'conf/publish/local.gradle'
//apply from: 'conf/publish/maven.gradle'
//apply from: 'conf/publish/gradlePluginsPortal.gradle'
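Review bot: The plugin's own classpath now depends on `'org.owasp:dependency-check-core:1.3.2-SNAPSHOT'` and `'org.owasp:dependency-check-utils:1.3.2-SNAPSHOT'` in the `compile(...)` list, and SNAPSHOT coordinates are mutable, so two builds of this plugin can pull different core bytes and a published artifact built from them is not reproducible. Since Maven Central does not serve SNAPSHOTs, those coordinates will in practice resolve from the newly added `mavenLocal()` repository, i.e. whatever the developer last installed into `~/.m2`, which is a weak supply-chain position for a security scanner. Pin both to the `1.3.2` release before publishing, or keep the SNAPSHOT on a development branch only, and consider enabling `mavenLocal()` behind a property rather than unconditionally. Note also that this script now declares `version = '1.3.2-SNAPSHOT'` while the `pom.xml` in the same commit is bumped to `0.0.8` and the README tells users to use `1.3.2`; the surrounding build script continues outside these hunks.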


@@ -50,6 +50,11 @@ uploadArchives {
}
developers {
developer {
id 'jeremylong'
name 'Jeremy Long'
email 'jeremy.long@owasp.org'
}
developer {
id 'wmaintw'
name 'Wei Ma'


@@ -26,7 +26,7 @@ Copyright (c) 2015 Wei Ma. All Rights Reserved.
</parent>
<artifactId>dependency-check-gradle</artifactId>
<version>0.0.6</version>
<version>0.0.8</version>
<!-- we must use gradle to build this, as such the packaging is pom -->
<packaging>pom</packaging>


@@ -16,4 +16,4 @@
* Copyright (c) 2015 Wei Ma. All Rights Reserved.
*/
rootProject.name = 'dependency-check'
rootProject.name = 'dependency-check-gradle'


@@ -10,7 +10,7 @@ class DependencyCheckGradlePluginIntegSpec extends IntegrationSpec {
def "I can add the plugin to a build with no errors"() {
setup:
buildFile << '''
apply plugin: 'dependency-check'
apply plugin: 'dependencyCheck'
'''.stripIndent()
when:
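Review bot: The plugin id applied in this spec, `apply plugin: 'dependencyCheck'`, does not match the id the README hunk in this commit carries as the new instruction, `apply plugin: 'dependency-check-gradle'`; only one of them can match the `META-INF/gradle-plugins/*.properties` descriptor, which is not in this view, so either this test or the documented setup will fail with a plugin-not-found error. The example `build.gradle` in this commit also uses `'dependencyCheck'`, so the README is the likely outlier, but whichever id the descriptor declares should be used consistently in all three places. The test method continues past the end of this hunk.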


@@ -3,7 +3,7 @@
* @author Sion Williams
*/
apply plugin: 'java'
apply plugin: 'dependency-check'
apply plugin: 'dependencyCheck'
sourceCompatibility = 1.5
version = '1.0'
@@ -17,5 +17,5 @@ dependencies {
}
dependencyCheck {
outputDirectory = "${buildDir}/dependencyCheckReport"
reportsDirName = "reports"
}


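--- /dev/null
+++ b/com/tools/security/extension/AnalyzerExtension.groovy
@@ -0,0 +1,100 @@
+/*
+* This file is part of dependency-check-gradle.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*
+* Copyright (c) 2015 Jeremy Long. All Rights Reserved.
+*/
+package com.tools.security.extension
+/**
+* The analyzer configuration extension. Any value not configured will use the dependency-check-core defaults.
+*/
+class AnalyzerExtension {
+/**
+* Sets whether the Archive Analyzer will be used.
+*/
+Boolean archiveEnabled
+/**
+* A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed.
+*/
+String zipExtensions
+/**
+* Sets whether Jar Analyzer will be used.
+*/
+Boolean jarEnabled
+/**
+* Sets whether Central Analyzer will be used. If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer (see below).
+*/
+Boolean centralEnabled
+/**
+* Sets whether Nexus Analyzer will be used. This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation.
+*/
+Boolean nexusEnabled
+/**
+* Defines the Nexus Server's web service end point (example http://domain.enterprise/service/local/). If not set the Nexus Analyzer will be disabled.
+*/
+String nexusUrl
+/**
+* Whether or not the defined proxy should be used when connecting to Nexus.
+*/
+Boolean nexusUsesProxy
+/**
+* Sets whether or not the .NET Nuget Nuspec Analyzer will be used.
+*/
+Boolean nuspecEnabled
+/**
+* Sets whether or not the .NET Assembly Analyzer should be used.
+*/
+Boolean assemblyEnabled
+/**
+* The path to Mono for .NET assembly analysis on non-windows systems.
+*/
+String pathToMono
+/**
+* Sets whether the Python Distribution Analyzer will be used.
+*/
+Boolean pyDistributionEnabled
+/**
+* Sets whether the Python Package Analyzer will be used.
+*/
+Boolean pyPackageEnabled
+/**
+* Sets whether the Ruby Gemspec Analyzer will be used.
+*/
+Boolean rubygemsEnabled
+/**
+* Sets whether or not the openssl Analyzer should be used.
+*/
+Boolean opensslEnabled
+/**
+* Sets whether or not the CMake Analyzer should be used.
+*/
+Boolean cmakeEnabled
+/**
+* Sets whether or not the autoconf Analyzer should be used.
+*/
+Boolean autoconfEnabled
+/**
+* Sets whether or not the PHP Composer Lock File Analyzer should be used.
+*/
+Boolean composerEnabled
+/**
+* Sets whether or not the Node.js Analyzer should be used.
+*/
+Boolean nodeEnabled
+}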


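--- /dev/null
+++ b/com/tools/security/extension/CheckExtension.groovy
@@ -0,0 +1,70 @@
+/*
+* This file is part of dependency-check-gradle.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*
+* Copyright (c) 2015 Wei Ma. All Rights Reserved.
+*/
+package com.tools.security.extension
+import static org.owasp.dependencycheck.reporting.ReportGenerator.Format
+/*
+* Configuration extension for the dependencyCheck plugin.
+*
+* @author Wei Ma
+* @author Jeremy Long
+*/
+class CheckExtension extends UpdateExtension {
+/**
+* Configuration for the analyzers.
+*/
+AnalyzerExtension analyzerExtension
+/**
+* The path to the suppression file.
+*/
+String suppressionFile
+/**
+* Sets whether auto-updating of the NVD CVE/CPE data is enabled.
+*/
+Boolean autoUpdate
+/**
+* When set to true dependency groups that start with 'test' will not be included in the analysis.
+*/
+Boolean skipTestGroups
+//The following properties are not used via the settings object, instead
+// they are directly used by the check task.
+/**
+* The report format to be generated (HTML, XML, VULN, ALL). This configuration option has
+* no affect if using this within the Site plugin unless the externalReport is set to true.
+* The default is HTML.
+*/
+Format format = Format.HTML
+/**
+* The name of the directory where reports will be written. Defaults to 'reports'.
+*/
+String reportsDirName = "reports"
+/**
+* Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is
+* 11 which means since the CVSS scores are 0-10, by default the build will never fail.
+*/
+Float failBuildOnCVSS = 11.0
+/**
+* Displays a summary of the findings. Defaults to true.
+*/
+Boolean showSummary = true
+}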
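Review bot: The Javadoc on `format` refers to "the Site plugin" and `externalReport`, which are Maven-plugin concepts that do not exist in this Gradle extension; the sentence should be dropped so the comment reads `The report format to be generated (HTML, XML, VULN, ALL). The default is HTML.` The `analyzerExtension` field is never read: the plugin registers the nested block with `ext.extensions.create("analyzer", AnalyzerExtension)` and the check task reads `config.analyzer`, so the field is dead and should be removed (the same applies to the `*Extension` fields in `UpdateExtension`). `failBuildOnCVSS` is documented as failing on a score "above a specified level" while the check task compares with `>=`; wording it as `at or above` avoids surprising users whose finding scores exactly the threshold.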


@@ -18,10 +18,25 @@
package com.tools.security.extension
class CveExtension {
public class CveExtension {
/**
* URL for the modified CVE 1.2:
* https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
**/
String url20Modified
/**
* URL for the modified CVE 1.2:
* https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
**/
String url12Modified
Integer startYear
/**
* URL for the modified CVE 1.2:
* https://nvd.nist.gov/download/nvdcve-%d.xml.gz
**/
String url20Base
/**
* Base URL for each year's CVE 2.0, the %d will be replaced with the year.
* https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
**/
String url12Base
}
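Review bot: The Javadoc examples are mislabeled relative to the fields they sit on: `url20Modified` is annotated with the 1.2 feed `nvdcve-Modified.xml.gz`, `url12Modified` with the 2.0 feed `nvdcve-2.0-Modified.xml.gz`, and `url20Base` is described as "the modified CVE 1.2", while the check task maps `url12Modified` to `CVE_MODIFIED_12_URL` and `url20Modified` to `CVE_MODIFIED_20_URL`; swap the example URLs so each comment matches its field, e.g. on `url20Modified`: `URL for the modified CVE 2.0 feed: https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz`. `startYear` has no Javadoc and, unlike the removed task's `overrideIntegerSetting(CVE_START_YEAR, config.cve.startYear)`, the new `Check.initializeSettings` never applies it, so a configured value is silently ignored. Because these URLs decide where the vulnerability data is fetched from, a one-line note that overrides should remain on https and point at a mirror the build owner controls would be appropriate.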


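--- /dev/null
+++ b/com/tools/security/extension/DataExtension.groovy
@@ -0,0 +1,45 @@
+/*
+* This file is part of dependency-check-gradle.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*
+* Copyright (c) 2015 Jeremy Long. All Rights Reserved.
+*/
+package com.tools.security.extension
+/**
+* The update data configuration extension. Any value not configured will use the dependency-check-core defaults.
+*/
+class DataExtension extends PurgeDataExtension {
+/**
+* The connection string to the database.
+*/
+String connectionString
+/**
+* The user name to use when connecting to the database.
+*/
+String username
+/**
+* The password to use when connecting to the database.
+*/
+String password
+/**
+* The database dirver name (e.g. org.h2.Driver).
+*/
+String driver
+/**
+* The path to the driver (JAR) in case it is not already in the classpath.
+*/
+String driverPath
+}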
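Review bot: `username` and `password` place database credentials directly in `build.gradle`, a file that is normally committed, and the check task forwards `password` verbatim via `DB_PASSWORD`; the Javadoc should carry a caveat such as `Do not hard-code this in a committed build script; read it from gradle.properties or an environment variable, e.g. project.findProperty('dcDbPassword')`. Fix the typo on `driver`: `The database driver name (e.g. org.h2.Driver).` `driverPath` results in an arbitrary JAR being loaded into the build, which is expected for a build plugin but is worth stating in its comment so it is not treated as an inert data setting.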


@@ -17,7 +17,10 @@
*/
package com.tools.security.extension
/**
* TODO - this should not be needed, instead rely on the configured HTTP or HTTPS proxies
* https://docs.gradle.org/current/userguide/build_environment.html
*/
class ProxyExtension {
String server
Integer port


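--- /dev/null
+++ b/com/tools/security/extension/PurgeDataExtension.groovy
@@ -0,0 +1,29 @@
+/*
+* This file is part of dependency-check-gradle.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*
+* Copyright (c) 2015 Jeremy Long. All Rights Reserved.
+*/
+package com.tools.security.extension
+/**
+* The data configuration extension. Any value not configured will use the dependency-check-core defaults.
+*/
+class PurgeDataExtension {
+/**
+* The directory to store the H2 database that contains the cache of the NVD CVE data.
+*/
+String directory="[JAR]/../../dependency-check-data"
+}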
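Review bot: `directory` carries a non-null default, `"[JAR]/../../dependency-check-data"`, but the check task applies it with `Settings.setStringIfNotNull(DATA_DIRECTORY, config.data.directory)`, so the plugin always overrides `DATA_DIRECTORY` and the class comment "Any value not configured will use the dependency-check-core defaults" is untrue for this field. Either leave it as `String directory` (null) so core's own default applies, or document that this string is the effective default. The `[JAR]` placeholder is presumably resolved by core relative to its own jar, which under Gradle lives in a version-specific cache directory, so the NVD database would be re-downloaded per plugin version and discarded on cache cleanup; worth confirming against core's `Settings` and pointing users at a stable path in the comment.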


@@ -18,11 +18,6 @@
package com.tools.security.extension
class DependencyCheckExtension {
ProxyExtension proxyExtension
CveExtension cveExtension
String outputDirectory = "./reports"
String suppressionFile;
Boolean quickQueryTimestamp;
class PurgeExtension {
PurgeDataExtension dataExtension
}


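--- /dev/null
+++ b/com/tools/security/extension/UpdateExtension.groovy
@@ -0,0 +1,33 @@
+/*
+* This file is part of dependency-check-gradle.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*
+* Copyright (c) 2015 Wei Ma. All Rights Reserved.
+*/
+package com.tools.security.extension
+class UpdateExtension extends PurgeExtension {
+ProxyExtension proxyExtension
+CveExtension cveExtension
+DataExtension dataExtension
+/**
+* Set to false if the proxy does not support HEAD requests. The default is true.
+*/
+Boolean quickQueryTimestamp
+/**
+* The number of hours to wait before checking for additional updates from the NVD.
+*/
+Integer cveValidForHours
+}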
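Review bot: `quickQueryTimestamp` is documented ("Set to false if the proxy does not support HEAD requests") but never applied: the new `Check.initializeSettings` imports `DOWNLOADER_QUICK_QUERY_TIMESTAMP` and does not use it, whereas the removed `DependencyCheckTask.overrideDownloaderSetting` did, so users behind such proxies lose the workaround without any warning. Add `Settings.setBooleanIfNotNull(DOWNLOADER_QUICK_QUERY_TIMESTAMP, config.quickQueryTimestamp)` to the task. The `proxyExtension`, `cveExtension` and `dataExtension` fields are dead — the nested blocks are registered by name with `extensions.create(...)` and read as `config.proxy`, `config.cve` and `config.data` — and should be removed, and the class itself deserves a one-line Javadoc like the sibling extensions have.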


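--- /dev/null
+++ b/com/tools/security/plugin/DependencyCheck.groovy
@@ -0,0 +1,75 @@
+/*
+* This file is part of dependency-check-gradle.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*
+* Copyright (c) 2015 Wei Ma. All Rights Reserved.
+*/
+package com.tools.security.plugin
+import com.tools.security.extension.CveExtension
+import com.tools.security.extension.CheckExtension
+import com.tools.security.extension.ProxyExtension
+import com.tools.security.extension.DataExtension
+import com.tools.security.extension.AnalyzerExtension
+import com.tools.security.extension.UpdateExtension
+import com.tools.security.extension.PurgeExtension
+import com.tools.security.extension.PurgeDataExtension
+import com.tools.security.tasks.Check
+import com.tools.security.tasks.Update
+import com.tools.security.tasks.Purge
+import org.gradle.api.Plugin
+import org.gradle.api.Project
+class DependencyCheck implements Plugin<Project> {
+private static final String CHECK_TASK = 'dependencyCheck'
+private static final String UPDATE_TASK = 'dependencyCheckUpdate'
+private static final String PURGE_TASK = 'dependencyCheckPurge'
+/* configuration extensions */
+private static final String PROXY_EXTENSION_NAME = "proxy"
+private static final String CVE_EXTENSION_NAME = "cve"
+private static final String DATA_EXTENSION_NAME = "data"
+private static final String ANALYZER_EXTENSION_NAME = "analyzer"
+@Override
+void apply(Project project) {
+initializeConfigurations(project)
+registerTasks(project)
+}
+def initializeConfigurations(Project project) {
+def ext = project.extensions.create(CHECK_TASK, CheckExtension)
+ext.extensions.create(PROXY_EXTENSION_NAME, ProxyExtension)
+ext.extensions.create(CVE_EXTENSION_NAME, CveExtension)
+ext.extensions.create(DATA_EXTENSION_NAME, DataExtension)
+ext.extensions.create(ANALYZER_EXTENSION_NAME, AnalyzerExtension)
+def extu = project.extensions.create(UPDATE_TASK, UpdateExtension)
+extu.extensions.create(CVE_EXTENSION_NAME, CveExtension)
+extu.extensions.create(DATA_EXTENSION_NAME, DataExtension)
+extu.extensions.create(PROXY_EXTENSION_NAME, ProxyExtension)
+def extp = project.extensions.create(PURGE_TASK, PurgeExtension)
+extp.extensions.create(DATA_EXTENSION_NAME, PurgeDataExtension)
+}
+def registerTasks(Project project) {
+project.task(CHECK_TASK, type: Check)
+project.task(UPDATE_TASK, type: Update)
+project.task(PURGE_TASK, type: Purge)
+}
+}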
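Review bot: Each extension is registered under the same name as its task — `project.extensions.create(CHECK_TASK, CheckExtension)` next to `project.task(CHECK_TASK, type: Check)`, and likewise for `dependencyCheckUpdate` and `dependencyCheckPurge` — and `Check` then reads its configuration as `project.dependencyCheck`. Gradle's dynamic property lookup appears to resolve extensions before tasks, so this probably works today, but a `dependencyCheck { ... }` block or `project.dependencyCheck` is ambiguous to readers and fragile across Gradle versions. Either give the extensions distinct names, or have the tasks fetch their configuration explicitly with `project.extensions.getByType(CheckExtension)` so the lookup order no longer matters; worth confirming against the Gradle version the plugin targets. The class itself has no Javadoc; a one-liner stating that it registers the three tasks and their configuration blocks would help.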


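--- a/com/tools/security/plugin/DependencyCheckGradlePlugin.groovy
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
-* This file is part of dependency-check-gradle.
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-* http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*
-* Copyright (c) 2015 Wei Ma. All Rights Reserved.
-*/
-package com.tools.security.plugin
-import com.tools.security.extension.CveExtension
-import com.tools.security.extension.DependencyCheckExtension
-import com.tools.security.extension.ProxyExtension
-import com.tools.security.tasks.DependencyCheckTask
-import org.gradle.api.Plugin
-import org.gradle.api.Project
-class DependencyCheckGradlePlugin implements Plugin<Project> {
-private static final String ROOT_EXTENSION_NAME = 'dependencyCheck'
-private static final String TASK_NAME = 'dependencyCheck'
-private static final String PROXY_EXTENSION_NAME = "proxy"
-private static final String CVE_EXTENSION_NAME = "cve"
-@Override
-void apply(Project project) {
-initializeConfigurations(project)
-registerTasks(project)
-}
-def initializeConfigurations(Project project) {
-project.extensions.create(ROOT_EXTENSION_NAME, DependencyCheckExtension)
-project.dependencyCheck.extensions.create(PROXY_EXTENSION_NAME, ProxyExtension)
-project.dependencyCheck.extensions.create(CVE_EXTENSION_NAME, CveExtension)
-}
-def registerTasks(Project project) {
-project.task(TASK_NAME, type: DependencyCheckTask)
-}
-}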


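--- /dev/null
+++ b/com/tools/security/tasks/Check.groovy
@@ -0,0 +1,292 @@
+/*
+* This file is part of dependency-check-gradle.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*
+* Copyright (c) 2015 Wei Ma. All Rights Reserved.
+*/
+package com.tools.security.tasks
+import org.gradle.api.DefaultTask
+import org.gradle.api.artifacts.Configuration
+import org.gradle.api.artifacts.ResolvedArtifact
+import org.gradle.api.tasks.TaskAction
+import org.gradle.api.GradleException
+import org.gradle.api.InvalidUserDataException
+import org.owasp.dependencycheck.Engine
+import org.owasp.dependencycheck.data.nvdcve.CveDB
+import org.owasp.dependencycheck.dependency.Dependency
+import org.owasp.dependencycheck.reporting.ReportGenerator
+import org.owasp.dependencycheck.utils.Settings
+import org.owasp.dependencycheck.dependency.Identifier;
+import org.owasp.dependencycheck.dependency.Vulnerability;
+import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_MODIFIED_12_URL
+import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_MODIFIED_20_URL
+import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_SCHEMA_1_2
+import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_SCHEMA_2_0
+import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_START_YEAR
+import static org.owasp.dependencycheck.utils.Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP
+import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_PASSWORD
+import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_PORT
+import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_SERVER
+import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_USERNAME
+import static org.owasp.dependencycheck.utils.Settings.KEYS.AUTO_UPDATE
+import static org.owasp.dependencycheck.utils.Settings.KEYS.DATA_DIRECTORY
+import static org.owasp.dependencycheck.utils.Settings.KEYS.SUPPRESSION_FILE
+import static org.owasp.dependencycheck.utils.Settings.KEYS.DB_DRIVER_NAME
+import static org.owasp.dependencycheck.utils.Settings.KEYS.DB_DRIVER_PATH
+import static org.owasp.dependencycheck.utils.Settings.KEYS.DB_CONNECTION_STRING
+import static org.owasp.dependencycheck.utils.Settings.KEYS.DB_USER
+import static org.owasp.dependencycheck.utils.Settings.KEYS.DB_PASSWORD
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_JAR_ENABLED
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_NUSPEC_ENABLED
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_CENTRAL_ENABLED
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_NEXUS_ENABLED
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_NEXUS_URL
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_NEXUS_USES_PROXY
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_ARCHIVE_ENABLED
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_OPENSSL_ENABLED
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_CMAKE_ENABLED
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_AUTOCONF_ENABLED
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED
+/**
+* Checks the projects dependencies for known vulnerabilities.
+*/
+class Check extends DefaultTask {
+def currentProjectName = project.getName()
+def config = project.dependencyCheck
+/**
+* Initializes the check task.
+*/
+Check() {
+group = 'OWASP dependency-check'
+description = 'Produce dependency security report.'
+}
+/**
+* Calls dependency-check-core's analysis engine to scan
+* all of the projects dependencies.
+*/
+@TaskAction
+def check() {
+initializeSettings()
+def engine = new Engine()
+scanDependencies(engine)
+analyzeDependencies(engine)
+generateReport(engine)
+showSummary(engine)
+checkForFailure(engine)
+cleanup(engine)
+}
+/**
+* Initializes the settings object. If the setting is not set the
+* default from dependency-check-core is used.
+*/
+def initializeSettings() {
+Settings.initialize()
+Settings.setBooleanIfNotNull(AUTO_UPDATE, config.autoUpdate)
+Settings.setStringIfNotEmpty(SUPPRESSION_FILE, config.suppressionFile)
+Settings.setStringIfNotEmpty(PROXY_SERVER, config.proxy.server)
+Settings.setStringIfNotEmpty(PROXY_PORT, "${config.proxy.port}")
+Settings.setStringIfNotEmpty(PROXY_USERNAME, config.proxy.username)
+Settings.setStringIfNotEmpty(PROXY_PASSWORD, config.proxy.password)
+//Settings.setStringIfNotEmpty(CONNECTION_TIMEOUT, connectionTimeout)
+Settings.setStringIfNotNull(DATA_DIRECTORY, config.data.directory)
+Settings.setStringIfNotEmpty(DB_DRIVER_NAME, config.data.driver)
+Settings.setStringIfNotEmpty(DB_DRIVER_PATH, config.data.driverPath)
+Settings.setStringIfNotEmpty(DB_CONNECTION_STRING, config.data.connectionString)
+Settings.setStringIfNotEmpty(DB_USER, config.data.username)
+Settings.setStringIfNotEmpty(DB_PASSWORD, config.data.password)
+Settings.setStringIfNotEmpty(CVE_MODIFIED_12_URL, config.cve.url12Modified)
+Settings.setStringIfNotEmpty(CVE_MODIFIED_20_URL, config.cve.url20Modified)
+Settings.setStringIfNotEmpty(CVE_SCHEMA_1_2, config.cve.url12Base)
+Settings.setStringIfNotEmpty(CVE_SCHEMA_2_0, config.cve.url20Base)
+if (config.cveValidForHours != null) {
+if (config.cveValidForHours >= 0) {
+Settings.setInt(CVE_CHECK_VALID_FOR_HOURS, config.cveValidForHours);
+} else {
+throw new InvalidUserDataException("Invalid setting: `validForHours` must be 0 or greater");
+}
+}
+Settings.setBooleanIfNotNull(ANALYZER_JAR_ENABLED, config.analyzer.jarEnabled)
+Settings.setBooleanIfNotNull(ANALYZER_NUSPEC_ENABLED, config.analyzer.nuspecEnabled)
+Settings.setBooleanIfNotNull(ANALYZER_CENTRAL_ENABLED, config.analyzer.centralEnabled)
+Settings.setBooleanIfNotNull(ANALYZER_NEXUS_ENABLED, config.analyzer.nexusEnabled)
+Settings.setStringIfNotEmpty(ANALYZER_NEXUS_URL, config.analyzer.nexusUrl)
+Settings.setBooleanIfNotNull(ANALYZER_NEXUS_USES_PROXY, config.analyzer.nexusUsesProxy)
+Settings.setBooleanIfNotNull(ANALYZER_ARCHIVE_ENABLED, config.analyzer.archiveEnabled)
+Settings.setStringIfNotEmpty(ADDITIONAL_ZIP_EXTENSIONS, config.analyzer.zipExtensions)
+Settings.setBooleanIfNotNull(ANALYZER_ASSEMBLY_ENABLED, config.analyzer.assemblyEnabled)
+Settings.setStringIfNotEmpty(ANALYZER_ASSEMBLY_MONO_PATH, config.analyzer.pathToMono)
+Settings.setBooleanIfNotNull(ANALYZER_PYTHON_DISTRIBUTION_ENABLED, config.analyzer.pyDistributionEnabled)
+Settings.setBooleanIfNotNull(ANALYZER_PYTHON_PACKAGE_ENABLED, config.analyzer.pyPackageEnabled)
+Settings.setBooleanIfNotNull(ANALYZER_RUBY_GEMSPEC_ENABLED, config.analyzer.rubygemsEnabled)
+Settings.setBooleanIfNotNull(ANALYZER_OPENSSL_ENABLED, config.analyzer.opensslEnabled)
+Settings.setBooleanIfNotNull(ANALYZER_CMAKE_ENABLED, config.analyzer.cmakeEnabled)
+Settings.setBooleanIfNotNull(ANALYZER_AUTOCONF_ENABLED, config.analyzer.autoconfEnabled)
+Settings.setBooleanIfNotNull(ANALYZER_COMPOSER_LOCK_ENABLED, config.analyzer.composerEnabled)
+Settings.setBooleanIfNotNull(ANALYZER_NODE_PACKAGE_ENABLED, config.analyzer.nodeEnabled)
+}
+/**
+* Relases resources and removes temporary files used.
+*/
+def cleanup(engine) {
+Settings.cleanup(true)
+engine.cleanup();
+}
+/**
+* Loads the projects dependencies into the dependency-check analysis engine.
+*/
+def scanDependencies(engine) {
+logger.lifecycle("Verifying dependencies for project ${currentProjectName}")
+getAllDependencies(project).each {
+engine.scan(it)
+}
+}
+/**
+* Performs the dependency-check analysis.
+*/
+def analyzeDependencies(Engine engine) {
+logger.lifecycle("Checking for updates and analyzing vulnerabilities for dependencies")
+engine.analyzeDependencies()
+}
+/**
+* Displays a summary of the dependency-check results to the build console.
+*/
+def showSummary(Engine engine) {
+def vulnerabilities = engine.getDependencies().collect { Dependency dependency ->
+dependency.getVulnerabilities()
+}.flatten()
+logger.lifecycle("Found ${vulnerabilities.size()} vulnerabilities in project ${currentProjectName}")
+if (config.showSummary) {
+final StringBuilder summary = new StringBuilder()
+for (Dependency d : engine.getDependencies()) {
+boolean firstEntry = true
+final StringBuilder ids = new StringBuilder()
+for (Vulnerability v : d.getVulnerabilities()) {
+if (firstEntry) {
+firstEntry = false
+} else {
+ids.append(", ")
+}
+ids.append(v.getName())
+}
+if (ids.length() > 0) {
+summary.append(d.getFileName()).append(" (")
+firstEntry = true
+for (Identifier id : d.getIdentifiers()) {
+if (firstEntry) {
+firstEntry = false
+} else {
+summary.append(", ")
+}
+summary.append(id.getValue())
+}
+summary.append(") : ").append(ids).append('\n')
+}
+}
+if (summary.length() > 0) {
+final String msg = String.format("%n%n"
++ "One or more dependencies were identified with known vulnerabilities:%n%n%s"
++ "%n%nSee the dependency-check report for more details.%n%n", summary.toString())
+logger.lifecycle(msg)
+}
+}
+}
+/**
+* If configured, fails the build if a vulnerability is identified with a CVSS
+* score higher then the failure threshold configured.
+*/
+def checkForFailure(Engine engine) {
+if (config.failBuildOnCVSS>10) {
+return
+}
+def vulnerabilities = engine.getDependencies().collect { Dependency dependency ->
+dependency.getVulnerabilities()
+}.flatten()
+final StringBuilder ids = new StringBuilder();
+vulnerabilities.each {
+if (it.getCvssScore() >= config.failBuildOnCVSS) {
+if (ids.length() == 0) {
+ids.append(it.getName());
+} else {
+ids.append(", ").append(it.getName());
+}
+}
+}
+if (ids.length() > 0) {
+final String msg = String.format("%n%nDependency-Check Failure:%n"
++ "One or more dependencies were identified with vulnerabilities that have a CVSS score greater then '%.1f': %s%n"
++ "See the dependency-check report for more details.%n%n", config.failBuildOnCVSS, ids.toString());
+throw new GradleException(msg);
+}
+}
+/**
+* Writes the report(s) to the configured output directory.
+*/
+def generateReport(Engine engine) {
+logger.lifecycle("Generating report for project ${currentProjectName}")
+def reportGenerator = new ReportGenerator(currentProjectName, engine.dependencies, engine.analyzers,
+new CveDB().databaseProperties)
+reportGenerator.generateReports("$project.buildDir/${config.reportsDirName}", config.format)
+}
+/**
+* Returns all dependencies associated wtihin the configured dependency groups. Test
+* groups can be excluded by setting the skipTestGroups configuration to true.
+*/
+def getAllDependencies(project) {
+return project.getConfigurations().findAll {
+!config.skipTestGroups || (config.skipTestGroups && !it.getName().startsWith("test"))
+}.collect {
+it.getResolvedConfiguration().getResolvedArtifacts().collect { ResolvedArtifact artifact ->
+artifact.getFile()
+}
+}.flatten().unique();
+}
+}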
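Review bot: `Settings.setStringIfNotEmpty(PROXY_PORT, "${config.proxy.port}")` in `initializeSettings` sets `PROXY_PORT` to the literal string `"null"` whenever no proxy is configured, because the GString of a null `Integer` renders as `null` and is not empty; the removed task guarded this with `isProxySettingExist()`, so restore a guard such as `if (config.proxy.port != null) { Settings.setString(PROXY_PORT, config.proxy.port.toString()) }` (how core reacts to a non-numeric port is not visible here, but it should never be set). `CVE_CHECK_VALID_FOR_HOURS` on the `Settings.setInt(...)` line is absent from the static `Settings.KEYS` imports at the top of the file, so Groovy resolves it as a dynamic property and the task fails with a `MissingPropertyException` as soon as `cveValidForHours` is set; add the import, and make the error message name `cveValidForHours` rather than `validForHours`. `checkForFailure` throws `GradleException` before `cleanup(engine)` runs, so `Settings.cleanup(true)` and `engine.cleanup()` are skipped exactly when the build fails; wrap the pipeline in `check()` in try/finally as below.
```groovy
    @TaskAction
    def check() {
        initializeSettings()
        def engine = new Engine()
        try {
            scanDependencies(engine)
            analyzeDependencies(engine)
            generateReport(engine)
            showSummary(engine)
            checkForFailure(engine)
        } finally {
            cleanup(engine)
        }
    }
    // … unchanged: initializeSettings, cleanup, scanDependencies, analyzeDependencies, showSummary, checkForFailure, generateReport, getAllDependencies …
```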


@@ -1,176 +0,0 @@
/*
* This file is part of dependency-check-gradle.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 Wei Ma. All Rights Reserved.
*/
package com.tools.security.tasks
import org.gradle.api.DefaultTask
import org.gradle.api.artifacts.Configuration
import org.gradle.api.artifacts.ResolvedArtifact
import org.gradle.api.tasks.TaskAction
import org.owasp.dependencycheck.Engine
import org.owasp.dependencycheck.data.nvdcve.CveDB
import org.owasp.dependencycheck.dependency.Dependency
import org.owasp.dependencycheck.reporting.ReportGenerator
import org.owasp.dependencycheck.utils.Settings
import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_MODIFIED_12_URL
import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_MODIFIED_20_URL
import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_SCHEMA_1_2
import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_SCHEMA_2_0
import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_START_YEAR
import static org.owasp.dependencycheck.utils.Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP
import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_PASSWORD
import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_PORT
import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_SERVER
import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_USERNAME
import static org.owasp.dependencycheck.utils.Settings.KEYS.SUPPRESSION_FILE
import static org.owasp.dependencycheck.utils.Settings.setBoolean
import static org.owasp.dependencycheck.utils.Settings.setString
class DependencyCheckTask extends DefaultTask {
def currentProjectName = project.getName()
def config = project.dependencyCheck
DependencyCheckTask() {
group = 'Dependency Check'
description = 'Produce dependency security report.'
}
@TaskAction
def check() {
initializeSettings()
def engine = initializeEngine()
verifyDependencies(engine)
analyzeDependencies(engine)
retrieveVulnerabilities(engine)
generateReport(engine)
cleanup(engine)
}
private Engine initializeEngine() {
new Engine()
}
def initializeSettings() {
Settings.initialize()
overrideProxySetting()
overrideCveUrlSetting()
overrideDownloaderSetting()
overrideSuppressionFile()
}
def cleanup(engine) {
Settings.cleanup(true)
engine.cleanup();
}
def verifyDependencies(engine) {
logger.lifecycle("Verifying dependencies for project ${currentProjectName}")
getAllDependencies(project).each { engine.scan(it) }
}
def analyzeDependencies(Engine engine) {
logger.lifecycle("Checking for updates and analyzing vulnerabilities for dependencies")
engine.analyzeDependencies()
}
def retrieveVulnerabilities(Engine engine) {
def vulnerabilities = engine.getDependencies().collect { Dependency dependency ->
dependency.getVulnerabilities()
}.flatten()
logger.lifecycle("Found ${vulnerabilities.size()} vulnerabilities in project ${currentProjectName}")
}
def generateReport(Engine engine) {
logger.lifecycle("Generating report for project ${currentProjectName}")
def reportGenerator = new ReportGenerator(currentProjectName, engine.dependencies, engine.analyzers,
new CveDB().databaseProperties)
reportGenerator.generateReports(generateReportDirectory(currentProjectName), ReportGenerator.Format.ALL)
}
def generateReportDirectory(String currentProjectName) {
"${config.outputDirectory}/${currentProjectName}"
}
def overrideProxySetting() {
if (isProxySettingExist()) {
logger.lifecycle("Using proxy ${config.proxy.server}:${config.proxy.port}")
overrideStringSetting(PROXY_SERVER, config.proxy.server)
overrideStringSetting(PROXY_PORT, "${config.proxy.port}")
overrideStringSetting(PROXY_USERNAME, config.proxy.username)
overrideStringSetting(PROXY_PASSWORD, config.proxy.password)
}
}
def isProxySettingExist() {
config.proxy.server != null && config.proxy.port != null
}
def getAllDependencies(project) {
return project.getConfigurations().collect { Configuration configuration ->
configuration.getResolvedConfiguration().getResolvedArtifacts().collect { ResolvedArtifact artifact ->
artifact.getFile()
}
}.flatten();
}
def overrideCveUrlSetting() {
overrideStringSetting(CVE_MODIFIED_20_URL, config.cve.url20Modified)
overrideStringSetting(CVE_MODIFIED_12_URL, config.cve.url12Modified)
overrideIntegerSetting(CVE_START_YEAR, config.cve.startYear)
overrideStringSetting(CVE_SCHEMA_2_0, config.cve.url20Base)
overrideStringSetting(CVE_SCHEMA_1_2, config.cve.url12Base)
}
def overrideDownloaderSetting() {
overrideBooleanSetting(DOWNLOADER_QUICK_QUERY_TIMESTAMP, config.quickQueryTimestamp)
}
def overrideSuppressionFile() {
if (config.suppressionFile) {
overrideStringSetting(SUPPRESSION_FILE, config.suppressionFile);
}
}
private overrideStringSetting(String key, String providedValue) {
if (providedValue != null) {
logger.lifecycle("Setting [${key}] overrided with value [${providedValue}]")
setString(key, providedValue)
}
}
private overrideIntegerSetting(String key, Integer providedValue) {
if (providedValue != null) {
logger.lifecycle("Setting [${key}] overrided with value [${providedValue}]")
setString(key, "${providedValue}")
}
}
private overrideBooleanSetting(String key, Boolean providedValue) {
if (providedValue != null) {
logger.lifecycle("Setting [${key}] overrided with value [${providedValue}]")
setBoolean(key, providedValue)
}
}
}


@@ -0,0 +1,82 @@
/*
* This file is part of dependency-check-gradle.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 Jeremy Long. All Rights Reserved.
*/
package com.tools.security.tasks
import org.gradle.api.DefaultTask
import org.gradle.api.artifacts.Configuration
import org.gradle.api.artifacts.ResolvedArtifact
import org.gradle.api.tasks.TaskAction
import java.io.File
import org.owasp.dependencycheck.Engine
import org.owasp.dependencycheck.data.nvdcve.CveDB
import org.owasp.dependencycheck.dependency.Dependency
import org.owasp.dependencycheck.reporting.ReportGenerator
import org.owasp.dependencycheck.utils.Settings
import static org.owasp.dependencycheck.utils.Settings.KEYS.DATA_DIRECTORY
/**
* Purges the local cache of the NVD CVE data.
*/
class Purge extends DefaultTask {
def config = project.dependencyCheckPurge
/**
* Initializes the purge task.
*/
Purge() {
group = 'OWASP dependency-check'
description = 'Purges the local cache of the NVD.'
}
/**
* Purges the local cache of the NVD data.
*/
@TaskAction
def purge() {
initializeSettings()
def db = new File(Settings.getDataDirectory(), "dc.h2.db")
if (db.exists()) {
if (db.delete()) {
logger.info("Database file purged; local copy of the NVD has been removed")
} else {
logger.warn("Unable to delete '${db.getAbsolutePath()}'; please delete the file manually")
}
} else {
logger.warn("Unable to purge database; the database file does not exists: ${db.getAbsolutePath()}")
}
cleanup()
}
/**
* Intializes the configuration.
*/
def initializeSettings() {
Settings.initialize()
Settings.setStringIfNotNull(DATA_DIRECTORY, config.data.directory)
}
/**
* Relases resources and removes temporary files used.
*/
def cleanup() {
Settings.cleanup(true)
}
}
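Review bot: `cleanup()` is only reached on the happy path of `purge()`; if `Settings.getDataDirectory()` throws (it is declared to in dependency-check-core's Settings) the temporary directory created by `Settings.initialize()` is never removed, so the delete logic should sit in a try/finally with `cleanup()` in the finally block, as below. The purge also hard-codes `dc.h2.db` under the data directory, while the sibling Update task in this commit accepts a custom driver and `connectionString`; when a non-H2 database is configured this task will at best warn that the file does not exist, which is worth a sentence in the class Javadoc (`Only the embedded H2 database is purged; external databases configured via connectionString are not touched.`). Minor: the Engine, CveDB, Dependency, ReportGenerator, Configuration and ResolvedArtifact imports are unused in this file, and the warning on the existence check should read "does not exist".

```groovy
@TaskAction
def purge() {
    initializeSettings()
    try {
        def db = new File(Settings.getDataDirectory(), "dc.h2.db")
        // … unchanged: existence check, delete, logging …
    } finally {
        cleanup()
    }
}
```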


@@ -0,0 +1,116 @@
/*
* This file is part of dependency-check-gradle.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 Jeremy Long. All Rights Reserved.
*/
package com.tools.security.tasks
import org.gradle.api.DefaultTask
import org.gradle.api.artifacts.Configuration
import org.gradle.api.artifacts.ResolvedArtifact
import org.gradle.api.tasks.TaskAction
import org.gradle.api.InvalidUserDataException
import org.owasp.dependencycheck.Engine
import org.owasp.dependencycheck.data.nvdcve.CveDB
import org.owasp.dependencycheck.dependency.Dependency
import org.owasp.dependencycheck.reporting.ReportGenerator
import org.owasp.dependencycheck.utils.Settings
import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_MODIFIED_12_URL
import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_MODIFIED_20_URL
import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_SCHEMA_1_2
import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_SCHEMA_2_0
import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_START_YEAR
import static org.owasp.dependencycheck.utils.Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP
import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_PASSWORD
import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_PORT
import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_SERVER
import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_USERNAME
import static org.owasp.dependencycheck.utils.Settings.KEYS.DATA_DIRECTORY
import static org.owasp.dependencycheck.utils.Settings.KEYS.SUPPRESSION_FILE
import static org.owasp.dependencycheck.utils.Settings.KEYS.DB_DRIVER_NAME
import static org.owasp.dependencycheck.utils.Settings.KEYS.DB_DRIVER_PATH
import static org.owasp.dependencycheck.utils.Settings.KEYS.DB_CONNECTION_STRING
import static org.owasp.dependencycheck.utils.Settings.KEYS.DB_USER
import static org.owasp.dependencycheck.utils.Settings.KEYS.DB_PASSWORD
/**
* Updates the local cache of the NVD CVE data.
*
* @author Jeremy Long
*/
class Update extends DefaultTask {
def config = project.dependencyCheckUpdate
/**
* Initializes the update task.
*/
Update() {
group = 'OWASP dependency-check'
description = 'Downloads and stores updates from the NVD CVE data feeds.'
}
/**
* Executes the update task.
*/
@TaskAction
def update() {
initializeSettings()
def engine = new Engine()
engine.doUpdates()
cleanup(engine)
}
/**
* Initializes the settings; if the setting is not configured
* then the default value from dependency-check-core is used.
*/
def initializeSettings() {
Settings.initialize()
Settings.setStringIfNotEmpty(PROXY_SERVER, config.proxy.server)
Settings.setStringIfNotEmpty(PROXY_PORT, "${config.proxy.port}")
Settings.setStringIfNotEmpty(PROXY_USERNAME, config.proxy.username)
Settings.setStringIfNotEmpty(PROXY_PASSWORD, config.proxy.password)
//Settings.setStringIfNotEmpty(CONNECTION_TIMEOUT, connectionTimeout)
Settings.setStringIfNotNull(DATA_DIRECTORY, config.data.directory)
Settings.setStringIfNotEmpty(DB_DRIVER_NAME, config.data.driver)
Settings.setStringIfNotEmpty(DB_DRIVER_PATH, config.data.driverPath)
Settings.setStringIfNotEmpty(DB_CONNECTION_STRING, config.data.connectionString)
Settings.setStringIfNotEmpty(DB_USER, config.data.username)
Settings.setStringIfNotEmpty(DB_PASSWORD, config.data.password)
Settings.setStringIfNotEmpty(CVE_MODIFIED_12_URL, config.cve.url12Modified)
Settings.setStringIfNotEmpty(CVE_MODIFIED_20_URL, config.cve.url20Modified)
Settings.setStringIfNotEmpty(CVE_SCHEMA_1_2, config.cve.url12Base)
Settings.setStringIfNotEmpty(CVE_SCHEMA_2_0, config.cve.url20Base)
if (config.cveValidForHours != null) {
if (config.cveValidForHours >= 0) {
Settings.setInt(CVE_CHECK_VALID_FOR_HOURS, config.cveValidForHours);
} else {
throw new InvalidUserDataException("Invalid setting: `validForHours` must be 0 or greater");
}
}
}
/**
* Relases resources and removes temporary files used.
*/
def cleanup(engine) {
Settings.cleanup(true)
engine.cleanup();
}
}
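Review bot: `CVE_CHECK_VALID_FOR_HOURS` is used in `initializeSettings()` but is not among the static imports of this new file, so Groovy will resolve it as a property of the task at runtime and any build that sets `cveValidForHours` fails with a MissingPropertyException; add `import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS` (and the error message should name `cveValidForHours`, the property the user actually sets). The proxy port line has a related trap: `"${config.proxy.port}"` evaluates to the non-empty string `"null"` when no port is configured, so `setStringIfNotEmpty` stores a bogus PROXY_PORT; use `Settings.setStringIfNotNull(PROXY_PORT, config.proxy.port?.toString())` instead. As in the purge task, `cleanup(engine)` should run in a finally block so a failed `engine.doUpdates()` does not leak the temp directory and the open database connection.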


@@ -16,4 +16,4 @@
# Copyright (c) 2015 Wei Ma. All Rights Reserved.
#
implementation-class=com.tools.security.plugin.DependencyCheckGradlePlugin
implementation-class=com.tools.security.plugin.DependencyCheck


@@ -22,7 +22,7 @@ import nebula.test.PluginProjectSpec
import org.gradle.api.Task
class DependencyCheckGradlePluginSpec extends PluginProjectSpec {
static final String PLUGIN_ID = 'dependency-check'
static final String PLUGIN_ID = 'dependency-check-gradle'
@Override
String getPluginName() {