diff --git a/dependency-check-gradle/README.md b/dependency-check-gradle/README.md
index a1d37491e..d12265b6c 100644
--- a/dependency-check-gradle/README.md
+++ b/dependency-check-gradle/README.md
@@ -24,11 +24,11 @@ buildscript {
mavenCentral()
}
dependencies {
- classpath 'com.thoughtworks.tools:dependency-check:0.0.8'
+ classpath 'org.owasp:dependency-check-gradle:1.3.2'
}
}
-apply plugin: 'dependency-check'
+apply plugin: 'dependency-check-gradle'
```
### Step 2, Run gradle task
@@ -59,10 +59,10 @@ dependencyCheck {
proxy {
server = "127.0.0.1" // required, the server name or IP address of the proxy
port = 3128 // required, the port number of the proxy
-
+
// optional, the proxy server might require username
// username = "username"
-
+
// optional, the proxy server might require password
// password = "password"
}
diff --git a/dependency-check-gradle/build.gradle b/dependency-check-gradle/build.gradle
index 1bf6714bc..09c700fbd 100644
--- a/dependency-check-gradle/build.gradle
+++ b/dependency-check-gradle/build.gradle
@@ -16,6 +16,10 @@
* Copyright (c) 2015 Wei Ma. All Rights Reserved.
*/
+
+group = 'org.owasp'
+version = '1.3.2-SNAPSHOT'
+
buildscript {
repositories {
maven {
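Review bot: The version declared here, `version = '1.3.2-SNAPSHOT'`, does not agree with the other version strings this same commit introduces: the README now tells users to depend on `org.owasp:dependency-check-gradle:1.3.2`, and pom.xml is bumped to `0.0.8`. A consumer following the README will not resolve a SNAPSHOT coordinate, and the pom version bears no relation to the Gradle one. Settle on one version string and use it in all three places before anything is published.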
@@ -43,14 +47,15 @@ targetCompatibility = 1.6
repositories {
mavenCentral()
+ mavenLocal()
}
dependencies {
compile(
localGroovy(),
gradleApi(),
- 'org.owasp:dependency-check-core:1.3.1',
- 'org.owasp:dependency-check-utils:1.3.1'
+ 'org.owasp:dependency-check-core:1.3.2-SNAPSHOT',
+ 'org.owasp:dependency-check-utils:1.3.2-SNAPSHOT'
)
testCompile ('com.netflix.nebula:nebula-test:2.2.2'){
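Review bot: Adding `mavenLocal()` and moving `dependency-check-core`/`dependency-check-utils` to `1.3.2-SNAPSHOT` makes the plugin build resolve unpinned, possibly locally-built artifacts; a plugin whose purpose is to vet dependencies should itself build reproducibly from a fixed, published version. If this is only needed while developing against an unreleased core, gate it, e.g. `if (project.hasProperty('useLocalRepo')) { mavenLocal() }`, and restore release coordinates for the two dependencies before a tagged build. As written, whatever happens to sit in `~/.m2` on the publishing machine is what ships.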
@@ -75,11 +80,6 @@ task integTest(type: Test) {
jvmArgs '-XX:MaxPermSize=256m'
}
-group = 'com.thoughtworks.tools'
-version = '0.0.8'
-
-targetCompatibility = 1.7
-
apply from: 'conf/publish/local.gradle'
//apply from: 'conf/publish/maven.gradle'
//apply from: 'conf/publish/gradlePluginsPortal.gradle'
diff --git a/dependency-check-gradle/conf/publish/maven.gradle b/dependency-check-gradle/conf/publish/maven.gradle
index 462ced0f7..0cb9faf65 100644
--- a/dependency-check-gradle/conf/publish/maven.gradle
+++ b/dependency-check-gradle/conf/publish/maven.gradle
@@ -50,6 +50,11 @@ uploadArchives {
}
developers {
+ developer {
+ id 'jeremylong'
+ name 'Jeremy Long'
+ email 'jeremy.long@owasp.org'
+ }
developer {
id 'wmaintw'
name 'Wei Ma'
diff --git a/dependency-check-gradle/pom.xml b/dependency-check-gradle/pom.xml
index 2b9540b2e..401196cba 100644
--- a/dependency-check-gradle/pom.xml
+++ b/dependency-check-gradle/pom.xml
@@ -26,7 +26,7 @@ Copyright (c) 2015 Wei Ma. All Rights Reserved.
dependency-check-gradle
- 0.0.6
+ 0.0.8
pom
diff --git a/dependency-check-gradle/settings.gradle b/dependency-check-gradle/settings.gradle
index b460ef63c..522f2e666 100644
--- a/dependency-check-gradle/settings.gradle
+++ b/dependency-check-gradle/settings.gradle
@@ -16,4 +16,4 @@
* Copyright (c) 2015 Wei Ma. All Rights Reserved.
*/
-rootProject.name = 'dependency-check'
\ No newline at end of file
+rootProject.name = 'dependency-check-gradle'
\ No newline at end of file
diff --git a/dependency-check-gradle/src/integTest/groovy/com/tools/security/plugin/DependencyCheckGradlePluginIntegSpec.groovy b/dependency-check-gradle/src/integTest/groovy/com/tools/security/plugin/DependencyCheckGradlePluginIntegSpec.groovy
index 895571d3c..3e89f88e2 100644
--- a/dependency-check-gradle/src/integTest/groovy/com/tools/security/plugin/DependencyCheckGradlePluginIntegSpec.groovy
+++ b/dependency-check-gradle/src/integTest/groovy/com/tools/security/plugin/DependencyCheckGradlePluginIntegSpec.groovy
@@ -10,7 +10,7 @@ class DependencyCheckGradlePluginIntegSpec extends IntegrationSpec {
def "I can add the plugin to a build with no errors"() {
setup:
buildFile << '''
- apply plugin: 'dependency-check'
+ apply plugin: 'dependencyCheck'
'''.stripIndent()
when:
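Review bot: The plugin id applied by the test, `apply plugin: 'dependencyCheck'`, differs from the id the README in this same commit documents, `apply plugin: 'dependency-check-gradle'`; the plugin descriptor under META-INF/gradle-plugins is not part of the diff, so only one of the two can be the id actually registered and either this integration test or the README will fail to apply the plugin. The same `dependencyCheck` id is used in src/integTest/resources/outputDir.gradle. Align the README example with the id the descriptor declares, or rename the descriptor, and keep a single id across docs and tests.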
diff --git a/dependency-check-gradle/src/integTest/resources/outputDir.gradle b/dependency-check-gradle/src/integTest/resources/outputDir.gradle
index 8212eeed6..e2f104e73 100644
--- a/dependency-check-gradle/src/integTest/resources/outputDir.gradle
+++ b/dependency-check-gradle/src/integTest/resources/outputDir.gradle
@@ -3,7 +3,7 @@
* @author Sion Williams
*/
apply plugin: 'java'
-apply plugin: 'dependency-check'
+apply plugin: 'dependencyCheck'
sourceCompatibility = 1.5
version = '1.0'
@@ -17,5 +17,5 @@ dependencies {
}
dependencyCheck {
- outputDirectory = "${buildDir}/dependencyCheckReport"
+ reportsDirName = "reports"
}
\ No newline at end of file
diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/AnalyzerExtension.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/AnalyzerExtension.groovy
new file mode 100644
index 000000000..64953e7ae
--- /dev/null
+++ b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/AnalyzerExtension.groovy
@@ -0,0 +1,100 @@
+/*
+ * This file is part of dependency-check-gradle.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 Jeremy Long. All Rights Reserved.
+ */
+
+package com.tools.security.extension
+
+/**
+ * The analyzer configuration extension. Any value not configured will use the dependency-check-core defaults.
+ */
+class AnalyzerExtension {
+
+ /**
+ * Sets whether the Archive Analyzer will be used.
+ */
+ Boolean archiveEnabled
+ /**
+ * A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed.
+ */
+ String zipExtensions
+ /**
+ * Sets whether Jar Analyzer will be used.
+ */
+ Boolean jarEnabled
+ /**
+ * Sets whether Central Analyzer will be used. If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer (see below).
+ */
+ Boolean centralEnabled
+ /**
+ * Sets whether Nexus Analyzer will be used. This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation.
+ */
+ Boolean nexusEnabled
+ /**
+ * Defines the Nexus Server's web service end point (example http://domain.enterprise/service/local/). If not set the Nexus Analyzer will be disabled.
+ */
+ String nexusUrl
+ /**
+ * Whether or not the defined proxy should be used when connecting to Nexus.
+ */
+ Boolean nexusUsesProxy
+ /**
+ * Sets whether or not the .NET Nuget Nuspec Analyzer will be used.
+ */
+ Boolean nuspecEnabled
+ /**
+ * Sets whether or not the .NET Assembly Analyzer should be used.
+ */
+ Boolean assemblyEnabled
+ /**
+ * The path to Mono for .NET assembly analysis on non-windows systems.
+ */
+ String pathToMono
+
+
+ /**
+ * Sets whether the Python Distribution Analyzer will be used.
+ */
+ Boolean pyDistributionEnabled
+ /**
+ * Sets whether the Python Package Analyzer will be used.
+ */
+ Boolean pyPackageEnabled
+ /**
+ * Sets whether the Ruby Gemspec Analyzer will be used.
+ */
+ Boolean rubygemsEnabled
+ /**
+ * Sets whether or not the openssl Analyzer should be used.
+ */
+ Boolean opensslEnabled
+ /**
+ * Sets whether or not the CMake Analyzer should be used.
+ */
+ Boolean cmakeEnabled
+ /**
+ * Sets whether or not the autoconf Analyzer should be used.
+ */
+ Boolean autoconfEnabled
+ /**
+ * Sets whether or not the PHP Composer Lock File Analyzer should be used.
+ */
+ Boolean composerEnabled
+ /**
+ * Sets whether or not the Node.js Analyzer should be used.
+ */
+ Boolean nodeEnabled
+}
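Review bot: The Javadoc on `nexusEnabled` has a typo, `superceded` should be `superseded`, and the `centralEnabled` doc's "(see below)" depends on field order, which is fragile; prefer naming the property, `(see nexusEnabled)`. There is also a stray double blank line between `pathToMono` and `pyDistributionEnabled`. The boxed `Boolean` fields with null meaning "use the core default" are consistent with how Check.groovy consumes them via `Settings.setBooleanIfNotNull`, so the typing itself looks right.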
diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/CheckExtension.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/CheckExtension.groovy
new file mode 100644
index 000000000..e92326729
--- /dev/null
+++ b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/CheckExtension.groovy
@@ -0,0 +1,70 @@
+/*
+ * This file is part of dependency-check-gradle.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 Wei Ma. All Rights Reserved.
+ */
+
+package com.tools.security.extension
+
+import static org.owasp.dependencycheck.reporting.ReportGenerator.Format
+
+/*
+ * Configuration extension for the dependencyCheck plugin.
+ *
+ * @author Wei Ma
+ * @author Jeremy Long
+ */
+class CheckExtension extends UpdateExtension {
+ /**
+ * Configuration for the analyzers.
+ */
+ AnalyzerExtension analyzerExtension
+
+ /**
+ * The path to the suppression file.
+ */
+ String suppressionFile
+ /**
+ * Sets whether auto-updating of the NVD CVE/CPE data is enabled.
+ */
+ Boolean autoUpdate
+ /**
+ * When set to true dependency groups that start with 'test' will not be included in the analysis.
+ */
+ Boolean skipTestGroups
+
+ //The following properties are not used via the settings object, instead
+ // they are directly used by the check task.
+
+ /**
+ * The report format to be generated (HTML, XML, VULN, ALL). This configuration option has
+ * no affect if using this within the Site plugin unless the externalReport is set to true.
+ * The default is HTML.
+ */
+ Format format = Format.HTML
+ /**
+ * The name of the directory where reports will be written. Defaults to 'reports'.
+ */
+ String reportsDirName = "reports"
+ /**
+ * Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is
+ * 11 which means since the CVSS scores are 0-10, by default the build will never fail.
+ */
+ Float failBuildOnCVSS = 11.0
+ /**
+ * Displays a summary of the findings. Defaults to true.
+ */
+ Boolean showSummary = true
+}
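Review bot: The `analyzerExtension` field is never populated by anything in this commit: DependencyCheck.groovy registers the nested configuration with `ext.extensions.create(ANALYZER_EXTENSION_NAME, AnalyzerExtension)` and Check.groovy reads it as `config.analyzer`, so the typed field is dead and advertises a second, unconnected way to configure the analyzers. The same applies to `dataExtension` in PurgeExtension and to `proxyExtension`/`cveExtension`/`dataExtension` in UpdateExtension; unless code outside the diff assigns them, drop the fields. Separately, the class comment opens with `/*` rather than `/**` so it is not Javadoc, the `format` doc should read "no effect", and its mention of "the Site plugin" and an `externalReport` setting appears to be carried over from the Maven plugin — no `externalReport` property exists in this extension.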
diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/CveExtension.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/CveExtension.groovy
index a91eee97f..857b63bce 100644
--- a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/CveExtension.groovy
+++ b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/CveExtension.groovy
@@ -18,10 +18,25 @@
package com.tools.security.extension
-class CveExtension {
+public class CveExtension {
+ /**
+ * URL for the modified CVE 1.2:
+ * https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
+ **/
String url20Modified
+ /**
+ * URL for the modified CVE 1.2:
+ * https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
+ **/
String url12Modified
- Integer startYear
+ /**
+ * URL for the modified CVE 1.2:
+ * https://nvd.nist.gov/download/nvdcve-%d.xml.gz
+ **/
String url20Base
+ /**
+ * Base URL for each year's CVE 2.0, the %d will be replaced with the year.
+ * https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
+ **/
String url12Base
}
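Review bot: The new Javadoc contradicts the field names: `url20Modified` is described as "URL for the modified CVE 1.2" with the `nvdcve-Modified.xml.gz` feed, while `url12Modified` is shown with the `nvdcve-2.0-Modified.xml.gz` feed, and `url20Base`/`url12Base` are mirrored the same way, so either the comments are swapped or the names are. Check.groovy maps these by name (`CVE_SCHEMA_1_2` from `url12Base`, `CVE_SCHEMA_2_0` from `url20Base`), which means a user following the docs as written would point the 1.2 parser at the 2.0 feed; verify against the core defaults and fix whichever side is wrong. The removed `startYear` also leaves the `CVE_START_YEAR` static import in Check.groovy unused, and `public` on the class is redundant in Groovy.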
diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DataExtension.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DataExtension.groovy
new file mode 100644
index 000000000..c20c64632
--- /dev/null
+++ b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DataExtension.groovy
@@ -0,0 +1,45 @@
+/*
+ * This file is part of dependency-check-gradle.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 Jeremy Long. All Rights Reserved.
+ */
+
+package com.tools.security.extension
+
+/**
+ * The update data configuration extension. Any value not configured will use the dependency-check-core defaults.
+ */
+class DataExtension extends PurgeDataExtension {
+ /**
+ * The connection string to the database.
+ */
+ String connectionString
+ /**
+ * The user name to use when connecting to the database.
+ */
+ String username
+ /**
+ * The password to use when connecting to the database.
+ */
+ String password
+ /**
+ * The database dirver name (e.g. org.h2.Driver).
+ */
+ String driver
+ /**
+ * The path to the driver (JAR) in case it is not already in the classpath.
+ */
+ String driverPath
+}
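Review bot: `password` turns a database credential into a plain build-script property, so it will tend to land in version-controlled build.gradle files and is handed straight to the core settings by Check.groovy via `Settings.setStringIfNotEmpty(DB_PASSWORD, config.data.password)`; the Javadoc should steer users toward supplying it from gradle.properties, an environment variable or a credentials plugin instead of inline. Suggested text: `The password to use when connecting to the database. Supply it via a project property or environment variable rather than committing it to the build script.` Also `dirver` in the `driver` doc should be `driver`.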
diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/ProxyExtension.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/ProxyExtension.groovy
index 97763ad76..e7bd282ad 100644
--- a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/ProxyExtension.groovy
+++ b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/ProxyExtension.groovy
@@ -17,7 +17,10 @@
*/
package com.tools.security.extension
-
+/**
+ * TODO - this should not be needed, instead rely on the configured HTTP or HTTPS proxies
+ * https://docs.gradle.org/current/userguide/build_environment.html
+ */
class ProxyExtension {
String server
Integer port
diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/PurgeDataExtension.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/PurgeDataExtension.groovy
new file mode 100644
index 000000000..92e996362
--- /dev/null
+++ b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/PurgeDataExtension.groovy
@@ -0,0 +1,29 @@
+/*
+ * This file is part of dependency-check-gradle.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 Jeremy Long. All Rights Reserved.
+ */
+
+package com.tools.security.extension
+
+/**
+ * The data configuration extension. Any value not configured will use the dependency-check-core defaults.
+ */
+class PurgeDataExtension {
+ /**
+ * The directory to store the H2 database that contains the cache of the NVD CVE data.
+ */
+ String directory="[JAR]/../../dependency-check-data"
+}
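Review bot: The class Javadoc says unconfigured values fall back to the dependency-check-core defaults, but `directory` is given a hard-coded default here and Check.groovy passes it with `Settings.setStringIfNotNull(DATA_DIRECTORY, config.data.directory)`, so the core default is never used and the plugin is now responsible for whatever the `[JAR]` token and the `../..` segments resolve to at runtime. Either leave the field unset, `String directory`, and let the core supply its own default, or document what `[JAR]` expands to and that the resulting path is relative to wherever the jar is loaded from. Check.groovy is the only consumer of this value visible in the diff; the Update and Purge tasks are not shown.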
diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckExtension.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/PurgeExtension.groovy
similarity index 77%
rename from dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckExtension.groovy
rename to dependency-check-gradle/src/main/groovy/com/tools/security/extension/PurgeExtension.groovy
index 8872dcd2a..27bd8c831 100644
--- a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckExtension.groovy
+++ b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/PurgeExtension.groovy
@@ -18,11 +18,6 @@
package com.tools.security.extension
-class DependencyCheckExtension {
- ProxyExtension proxyExtension
- CveExtension cveExtension
-
- String outputDirectory = "./reports"
- String suppressionFile;
- Boolean quickQueryTimestamp;
+class PurgeExtension {
+ PurgeDataExtension dataExtension
}
diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/UpdateExtension.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/UpdateExtension.groovy
new file mode 100644
index 000000000..0bdb0b886
--- /dev/null
+++ b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/UpdateExtension.groovy
@@ -0,0 +1,33 @@
+/*
+ * This file is part of dependency-check-gradle.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 Wei Ma. All Rights Reserved.
+ */
+
+package com.tools.security.extension
+
+class UpdateExtension extends PurgeExtension {
+ ProxyExtension proxyExtension
+ CveExtension cveExtension
+ DataExtension dataExtension
+ /**
+ * Set to false if the proxy does not support HEAD requests. The default is true.
+ */
+ Boolean quickQueryTimestamp
+ /**
+ * The number of hours to wait before checking for additional updates from the NVD.
+ */
+ Integer cveValidForHours
+}
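Review bot: `DataExtension dataExtension` redeclares the `PurgeDataExtension dataExtension` property inherited from PurgeExtension with a narrower type; Groovy generates accessors for both declarations over the same name, which is confusing at best, so one of the two declarations should go. This is also the only extension class in the commit without a class-level Javadoc; a one-liner such as `/** Configuration extension for the dependencyCheckUpdate task. Any value not configured will use the dependency-check-core defaults. */` would match its siblings.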
diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheck.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheck.groovy
new file mode 100644
index 000000000..55753c43b
--- /dev/null
+++ b/dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheck.groovy
@@ -0,0 +1,75 @@
+/*
+ * This file is part of dependency-check-gradle.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 Wei Ma. All Rights Reserved.
+ */
+
+package com.tools.security.plugin
+
+import com.tools.security.extension.CveExtension
+import com.tools.security.extension.CheckExtension
+import com.tools.security.extension.ProxyExtension
+import com.tools.security.extension.DataExtension
+import com.tools.security.extension.AnalyzerExtension
+import com.tools.security.extension.UpdateExtension
+import com.tools.security.extension.PurgeExtension
+import com.tools.security.extension.PurgeDataExtension
+import com.tools.security.tasks.Check
+import com.tools.security.tasks.Update
+import com.tools.security.tasks.Purge
+
+import org.gradle.api.Plugin
+import org.gradle.api.Project
+
+class DependencyCheck implements Plugin {
+ private static final String CHECK_TASK = 'dependencyCheck'
+ private static final String UPDATE_TASK = 'dependencyCheckUpdate'
+ private static final String PURGE_TASK = 'dependencyCheckPurge'
+
+
+ /* configuration extensions */
+ private static final String PROXY_EXTENSION_NAME = "proxy"
+ private static final String CVE_EXTENSION_NAME = "cve"
+ private static final String DATA_EXTENSION_NAME = "data"
+ private static final String ANALYZER_EXTENSION_NAME = "analyzer"
+
+ @Override
+ void apply(Project project) {
+ initializeConfigurations(project)
+ registerTasks(project)
+ }
+
+ def initializeConfigurations(Project project) {
+ def ext = project.extensions.create(CHECK_TASK, CheckExtension)
+ ext.extensions.create(PROXY_EXTENSION_NAME, ProxyExtension)
+ ext.extensions.create(CVE_EXTENSION_NAME, CveExtension)
+ ext.extensions.create(DATA_EXTENSION_NAME, DataExtension)
+ ext.extensions.create(ANALYZER_EXTENSION_NAME, AnalyzerExtension)
+
+ def extu = project.extensions.create(UPDATE_TASK, UpdateExtension)
+ extu.extensions.create(CVE_EXTENSION_NAME, CveExtension)
+ extu.extensions.create(DATA_EXTENSION_NAME, DataExtension)
+ extu.extensions.create(PROXY_EXTENSION_NAME, ProxyExtension)
+
+ def extp = project.extensions.create(PURGE_TASK, PurgeExtension)
+ extp.extensions.create(DATA_EXTENSION_NAME, PurgeDataExtension)
+ }
+
+ def registerTasks(Project project) {
+ project.task(CHECK_TASK, type: Check)
+ project.task(UPDATE_TASK, type: Update)
+ project.task(PURGE_TASK, type: Purge)
+ }
+}
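Review bot: `class DependencyCheck implements Plugin` uses the raw `Plugin` type; declare it as `Plugin<Project>` so `apply(Project)` is a checked override rather than a raw-type match. The same constant `CHECK_TASK` ('dependencyCheck') names both the extension created in initializeConfigurations and the task registered in registerTasks, and Check.groovy reads `project.dependencyCheck` expecting the extension, which relies on Gradle's lookup order between extensions and tasks; a separate `private static final String CHECK_EXTENSION_NAME = 'dependencyCheck'` used for the extension would make that intent explicit even while the values stay equal. The update and purge extensions are named after their tasks in the same way.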
diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheckGradlePlugin.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheckGradlePlugin.groovy
deleted file mode 100644
index a1f94a13c..000000000
--- a/dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheckGradlePlugin.groovy
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * This file is part of dependency-check-gradle.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Copyright (c) 2015 Wei Ma. All Rights Reserved.
- */
-
-package com.tools.security.plugin
-
-import com.tools.security.extension.CveExtension
-import com.tools.security.extension.DependencyCheckExtension
-import com.tools.security.extension.ProxyExtension
-import com.tools.security.tasks.DependencyCheckTask
-import org.gradle.api.Plugin
-import org.gradle.api.Project
-
-class DependencyCheckGradlePlugin implements Plugin {
- private static final String ROOT_EXTENSION_NAME = 'dependencyCheck'
- private static final String TASK_NAME = 'dependencyCheck'
- private static final String PROXY_EXTENSION_NAME = "proxy"
- private static final String CVE_EXTENSION_NAME = "cve"
-
- @Override
- void apply(Project project) {
- initializeConfigurations(project)
- registerTasks(project)
- }
-
- def initializeConfigurations(Project project) {
- project.extensions.create(ROOT_EXTENSION_NAME, DependencyCheckExtension)
- project.dependencyCheck.extensions.create(PROXY_EXTENSION_NAME, ProxyExtension)
- project.dependencyCheck.extensions.create(CVE_EXTENSION_NAME, CveExtension)
- }
-
- def registerTasks(Project project) {
- project.task(TASK_NAME, type: DependencyCheckTask)
- }
-}
\ No newline at end of file
diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/Check.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/Check.groovy
new file mode 100644
index 000000000..0f87aa8bc
--- /dev/null
+++ b/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/Check.groovy
@@ -0,0 +1,292 @@
+/*
+ * This file is part of dependency-check-gradle.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 Wei Ma. All Rights Reserved.
+ */
+
+package com.tools.security.tasks
+
+import org.gradle.api.DefaultTask
+import org.gradle.api.artifacts.Configuration
+import org.gradle.api.artifacts.ResolvedArtifact
+import org.gradle.api.tasks.TaskAction
+import org.gradle.api.GradleException
+import org.gradle.api.InvalidUserDataException
+
+import org.owasp.dependencycheck.Engine
+import org.owasp.dependencycheck.data.nvdcve.CveDB
+import org.owasp.dependencycheck.dependency.Dependency
+import org.owasp.dependencycheck.reporting.ReportGenerator
+import org.owasp.dependencycheck.utils.Settings
+import org.owasp.dependencycheck.dependency.Identifier;
+import org.owasp.dependencycheck.dependency.Vulnerability;
+
+
+import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_MODIFIED_12_URL
+import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_MODIFIED_20_URL
+import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_SCHEMA_1_2
+import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_SCHEMA_2_0
+import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_START_YEAR
+import static org.owasp.dependencycheck.utils.Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP
+import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_PASSWORD
+import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_PORT
+import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_SERVER
+import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_USERNAME
+import static org.owasp.dependencycheck.utils.Settings.KEYS.AUTO_UPDATE
+import static org.owasp.dependencycheck.utils.Settings.KEYS.DATA_DIRECTORY
+import static org.owasp.dependencycheck.utils.Settings.KEYS.SUPPRESSION_FILE
+
+import static org.owasp.dependencycheck.utils.Settings.KEYS.DB_DRIVER_NAME
+import static org.owasp.dependencycheck.utils.Settings.KEYS.DB_DRIVER_PATH
+import static org.owasp.dependencycheck.utils.Settings.KEYS.DB_CONNECTION_STRING
+import static org.owasp.dependencycheck.utils.Settings.KEYS.DB_USER
+import static org.owasp.dependencycheck.utils.Settings.KEYS.DB_PASSWORD
+
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_JAR_ENABLED
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_NUSPEC_ENABLED
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_CENTRAL_ENABLED
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_NEXUS_ENABLED
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_NEXUS_URL
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_NEXUS_USES_PROXY
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_ARCHIVE_ENABLED
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_OPENSSL_ENABLED
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_CMAKE_ENABLED
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_AUTOCONF_ENABLED
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED
+import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED
+
+/**
+ * Checks the projects dependencies for known vulnerabilities.
+ */
+class Check extends DefaultTask {
+
+ def currentProjectName = project.getName()
+ def config = project.dependencyCheck
+
+ /**
+ * Initializes the check task.
+ */
+ Check() {
+ group = 'OWASP dependency-check'
+ description = 'Produce dependency security report.'
+ }
+
+ /**
+ * Calls dependency-check-core's analysis engine to scan
+ * all of the projects dependencies.
+ */
+ @TaskAction
+ def check() {
+ initializeSettings()
+ def engine = new Engine()
+
+ scanDependencies(engine)
+ analyzeDependencies(engine)
+ generateReport(engine)
+ showSummary(engine)
+ checkForFailure(engine)
+ cleanup(engine)
+ }
+
+ /**
+ * Initializes the settings object. If the setting is not set the
+ * default from dependency-check-core is used.
+ */
+ def initializeSettings() {
+ Settings.initialize()
+
+ Settings.setBooleanIfNotNull(AUTO_UPDATE, config.autoUpdate)
+ Settings.setStringIfNotEmpty(SUPPRESSION_FILE, config.suppressionFile)
+
+ Settings.setStringIfNotEmpty(PROXY_SERVER, config.proxy.server)
+ Settings.setStringIfNotEmpty(PROXY_PORT, "${config.proxy.port}")
+ Settings.setStringIfNotEmpty(PROXY_USERNAME, config.proxy.username)
+ Settings.setStringIfNotEmpty(PROXY_PASSWORD, config.proxy.password)
+ //Settings.setStringIfNotEmpty(CONNECTION_TIMEOUT, connectionTimeout)
+ Settings.setStringIfNotNull(DATA_DIRECTORY, config.data.directory)
+ Settings.setStringIfNotEmpty(DB_DRIVER_NAME, config.data.driver)
+ Settings.setStringIfNotEmpty(DB_DRIVER_PATH, config.data.driverPath)
+ Settings.setStringIfNotEmpty(DB_CONNECTION_STRING, config.data.connectionString)
+ Settings.setStringIfNotEmpty(DB_USER, config.data.username)
+ Settings.setStringIfNotEmpty(DB_PASSWORD, config.data.password)
+ Settings.setStringIfNotEmpty(CVE_MODIFIED_12_URL, config.cve.url12Modified)
+ Settings.setStringIfNotEmpty(CVE_MODIFIED_20_URL, config.cve.url20Modified)
+ Settings.setStringIfNotEmpty(CVE_SCHEMA_1_2, config.cve.url12Base)
+ Settings.setStringIfNotEmpty(CVE_SCHEMA_2_0, config.cve.url20Base)
+
+ if (config.cveValidForHours != null) {
+ if (config.cveValidForHours >= 0) {
+ Settings.setInt(CVE_CHECK_VALID_FOR_HOURS, config.cveValidForHours);
+ } else {
+ throw new InvalidUserDataException("Invalid setting: `validForHours` must be 0 or greater");
+ }
+ }
+ Settings.setBooleanIfNotNull(ANALYZER_JAR_ENABLED, config.analyzer.jarEnabled)
+ Settings.setBooleanIfNotNull(ANALYZER_NUSPEC_ENABLED, config.analyzer.nuspecEnabled)
+ Settings.setBooleanIfNotNull(ANALYZER_CENTRAL_ENABLED, config.analyzer.centralEnabled)
+
+ Settings.setBooleanIfNotNull(ANALYZER_NEXUS_ENABLED, config.analyzer.nexusEnabled)
+ Settings.setStringIfNotEmpty(ANALYZER_NEXUS_URL, config.analyzer.nexusUrl)
+ Settings.setBooleanIfNotNull(ANALYZER_NEXUS_USES_PROXY, config.analyzer.nexusUsesProxy)
+
+ Settings.setBooleanIfNotNull(ANALYZER_ARCHIVE_ENABLED, config.analyzer.archiveEnabled)
+ Settings.setStringIfNotEmpty(ADDITIONAL_ZIP_EXTENSIONS, config.analyzer.zipExtensions)
+ Settings.setBooleanIfNotNull(ANALYZER_ASSEMBLY_ENABLED, config.analyzer.assemblyEnabled)
+ Settings.setStringIfNotEmpty(ANALYZER_ASSEMBLY_MONO_PATH, config.analyzer.pathToMono)
+
+ Settings.setBooleanIfNotNull(ANALYZER_PYTHON_DISTRIBUTION_ENABLED, config.analyzer.pyDistributionEnabled)
+ Settings.setBooleanIfNotNull(ANALYZER_PYTHON_PACKAGE_ENABLED, config.analyzer.pyPackageEnabled)
+ Settings.setBooleanIfNotNull(ANALYZER_RUBY_GEMSPEC_ENABLED, config.analyzer.rubygemsEnabled)
+ Settings.setBooleanIfNotNull(ANALYZER_OPENSSL_ENABLED, config.analyzer.opensslEnabled)
+ Settings.setBooleanIfNotNull(ANALYZER_CMAKE_ENABLED, config.analyzer.cmakeEnabled)
+ Settings.setBooleanIfNotNull(ANALYZER_AUTOCONF_ENABLED, config.analyzer.autoconfEnabled)
+ Settings.setBooleanIfNotNull(ANALYZER_COMPOSER_LOCK_ENABLED, config.analyzer.composerEnabled)
+ Settings.setBooleanIfNotNull(ANALYZER_NODE_PACKAGE_ENABLED, config.analyzer.nodeEnabled)
+ }
+ /**
+ * Relases resources and removes temporary files used.
+ */
+ def cleanup(engine) {
+ Settings.cleanup(true)
+ engine.cleanup();
+ }
+
+ /**
+ * Loads the projects dependencies into the dependency-check analysis engine.
+ */
+ def scanDependencies(engine) {
+ logger.lifecycle("Verifying dependencies for project ${currentProjectName}")
+ getAllDependencies(project).each {
+ engine.scan(it)
+ }
+ }
+
+ /**
+ * Performs the dependency-check analysis.
+ */
+ def analyzeDependencies(Engine engine) {
+ logger.lifecycle("Checking for updates and analyzing vulnerabilities for dependencies")
+ engine.analyzeDependencies()
+ }
+
+ /**
+ * Displays a summary of the dependency-check results to the build console.
+ */
+ def showSummary(Engine engine) {
+ def vulnerabilities = engine.getDependencies().collect { Dependency dependency ->
+ dependency.getVulnerabilities()
+ }.flatten()
+
+ logger.lifecycle("Found ${vulnerabilities.size()} vulnerabilities in project ${currentProjectName}")
+ if (config.showSummary) {
+ final StringBuilder summary = new StringBuilder()
+ for (Dependency d : engine.getDependencies()) {
+ boolean firstEntry = true
+ final StringBuilder ids = new StringBuilder()
+ for (Vulnerability v : d.getVulnerabilities()) {
+ if (firstEntry) {
+ firstEntry = false
+ } else {
+ ids.append(", ")
+ }
+ ids.append(v.getName())
+ }
+ if (ids.length() > 0) {
+ summary.append(d.getFileName()).append(" (")
+ firstEntry = true
+ for (Identifier id : d.getIdentifiers()) {
+ if (firstEntry) {
+ firstEntry = false
+ } else {
+ summary.append(", ")
+ }
+ summary.append(id.getValue())
+ }
+ summary.append(") : ").append(ids).append('\n')
+ }
+ }
+ if (summary.length() > 0) {
+ final String msg = String.format("%n%n"
+ + "One or more dependencies were identified with known vulnerabilities:%n%n%s"
+ + "%n%nSee the dependency-check report for more details.%n%n", summary.toString())
+ logger.lifecycle(msg)
+ }
+ }
+
+ }
+
+ /**
+ * If configured, fails the build if a vulnerability is identified with a CVSS
+ * score higher then the failure threshold configured.
+ */
+ def checkForFailure(Engine engine) {
+ if (config.failBuildOnCVSS>10) {
+ return
+ }
+
+ def vulnerabilities = engine.getDependencies().collect { Dependency dependency ->
+ dependency.getVulnerabilities()
+ }.flatten()
+
+ final StringBuilder ids = new StringBuilder();
+
+ vulnerabilities.each {
+ if (it.getCvssScore() >= config.failBuildOnCVSS) {
+ if (ids.length() == 0) {
+ ids.append(it.getName());
+ } else {
+ ids.append(", ").append(it.getName());
+ }
+ }
+ }
+ if (ids.length() > 0) {
+ final String msg = String.format("%n%nDependency-Check Failure:%n"
+ + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater then '%.1f': %s%n"
+ + "See the dependency-check report for more details.%n%n", config.failBuildOnCVSS, ids.toString());
+ throw new GradleException(msg);
+ }
+
+ }
+ /**
+ * Writes the report(s) to the configured output directory.
+ */
+ def generateReport(Engine engine) {
+ logger.lifecycle("Generating report for project ${currentProjectName}")
+ def reportGenerator = new ReportGenerator(currentProjectName, engine.dependencies, engine.analyzers,
+ new CveDB().databaseProperties)
+
+ reportGenerator.generateReports("$project.buildDir/${config.reportsDirName}", config.format)
+ }
+
+ /**
+ * Returns all dependencies associated wtihin the configured dependency groups. Test
+ * groups can be excluded by setting the skipTestGroups configuration to true.
+ */
+ def getAllDependencies(project) {
+ return project.getConfigurations().findAll {
+ !config.skipTestGroups || (config.skipTestGroups && !it.getName().startsWith("test"))
+ }.collect {
+ it.getResolvedConfiguration().getResolvedArtifacts().collect { ResolvedArtifact artifact ->
+ artifact.getFile()
+ }
+ }.flatten().unique();
+ }
+}
diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy
deleted file mode 100644
index 2c63c03c2..000000000
--- a/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy
+++ /dev/null
@@ -1,176 +0,0 @@
-/*
- * This file is part of dependency-check-gradle.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Copyright (c) 2015 Wei Ma. All Rights Reserved.
- */
-
-package com.tools.security.tasks
-
-import org.gradle.api.DefaultTask
-import org.gradle.api.artifacts.Configuration
-import org.gradle.api.artifacts.ResolvedArtifact
-import org.gradle.api.tasks.TaskAction
-import org.owasp.dependencycheck.Engine
-import org.owasp.dependencycheck.data.nvdcve.CveDB
-import org.owasp.dependencycheck.dependency.Dependency
-import org.owasp.dependencycheck.reporting.ReportGenerator
-import org.owasp.dependencycheck.utils.Settings
-
-import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_MODIFIED_12_URL
-import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_MODIFIED_20_URL
-import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_SCHEMA_1_2
-import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_SCHEMA_2_0
-import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_START_YEAR
-import static org.owasp.dependencycheck.utils.Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP
-import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_PASSWORD
-import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_PORT
-import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_SERVER
-import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_USERNAME
-import static org.owasp.dependencycheck.utils.Settings.KEYS.SUPPRESSION_FILE
-import static org.owasp.dependencycheck.utils.Settings.setBoolean
-import static org.owasp.dependencycheck.utils.Settings.setString
-
-class DependencyCheckTask extends DefaultTask {
-
- def currentProjectName = project.getName()
- def config = project.dependencyCheck
-
- DependencyCheckTask() {
- group = 'Dependency Check'
- description = 'Produce dependency security report.'
- }
-
- @TaskAction
- def check() {
- initializeSettings()
- def engine = initializeEngine()
-
- verifyDependencies(engine)
- analyzeDependencies(engine)
- retrieveVulnerabilities(engine)
- generateReport(engine)
-
- cleanup(engine)
- }
-
- private Engine initializeEngine() {
- new Engine()
- }
-
- def initializeSettings() {
- Settings.initialize()
- overrideProxySetting()
- overrideCveUrlSetting()
- overrideDownloaderSetting()
- overrideSuppressionFile()
- }
-
- def cleanup(engine) {
- Settings.cleanup(true)
- engine.cleanup();
- }
-
- def verifyDependencies(engine) {
- logger.lifecycle("Verifying dependencies for project ${currentProjectName}")
- getAllDependencies(project).each { engine.scan(it) }
- }
-
- def analyzeDependencies(Engine engine) {
- logger.lifecycle("Checking for updates and analyzing vulnerabilities for dependencies")
- engine.analyzeDependencies()
- }
-
- def retrieveVulnerabilities(Engine engine) {
- def vulnerabilities = engine.getDependencies().collect { Dependency dependency ->
- dependency.getVulnerabilities()
- }.flatten()
-
- logger.lifecycle("Found ${vulnerabilities.size()} vulnerabilities in project ${currentProjectName}")
- }
-
- def generateReport(Engine engine) {
- logger.lifecycle("Generating report for project ${currentProjectName}")
- def reportGenerator = new ReportGenerator(currentProjectName, engine.dependencies, engine.analyzers,
- new CveDB().databaseProperties)
-
- reportGenerator.generateReports(generateReportDirectory(currentProjectName), ReportGenerator.Format.ALL)
- }
-
- def generateReportDirectory(String currentProjectName) {
- "${config.outputDirectory}/${currentProjectName}"
- }
-
- def overrideProxySetting() {
- if (isProxySettingExist()) {
- logger.lifecycle("Using proxy ${config.proxy.server}:${config.proxy.port}")
-
- overrideStringSetting(PROXY_SERVER, config.proxy.server)
- overrideStringSetting(PROXY_PORT, "${config.proxy.port}")
- overrideStringSetting(PROXY_USERNAME, config.proxy.username)
- overrideStringSetting(PROXY_PASSWORD, config.proxy.password)
- }
- }
-
- def isProxySettingExist() {
- config.proxy.server != null && config.proxy.port != null
- }
-
- def getAllDependencies(project) {
- return project.getConfigurations().collect { Configuration configuration ->
- configuration.getResolvedConfiguration().getResolvedArtifacts().collect { ResolvedArtifact artifact ->
- artifact.getFile()
- }
- }.flatten();
- }
-
- def overrideCveUrlSetting() {
- overrideStringSetting(CVE_MODIFIED_20_URL, config.cve.url20Modified)
- overrideStringSetting(CVE_MODIFIED_12_URL, config.cve.url12Modified)
- overrideIntegerSetting(CVE_START_YEAR, config.cve.startYear)
- overrideStringSetting(CVE_SCHEMA_2_0, config.cve.url20Base)
- overrideStringSetting(CVE_SCHEMA_1_2, config.cve.url12Base)
- }
-
- def overrideDownloaderSetting() {
- overrideBooleanSetting(DOWNLOADER_QUICK_QUERY_TIMESTAMP, config.quickQueryTimestamp)
- }
-
- def overrideSuppressionFile() {
- if (config.suppressionFile) {
- overrideStringSetting(SUPPRESSION_FILE, config.suppressionFile);
- }
- }
-
- private overrideStringSetting(String key, String providedValue) {
- if (providedValue != null) {
- logger.lifecycle("Setting [${key}] overrided with value [${providedValue}]")
- setString(key, providedValue)
- }
- }
-
- private overrideIntegerSetting(String key, Integer providedValue) {
- if (providedValue != null) {
- logger.lifecycle("Setting [${key}] overrided with value [${providedValue}]")
- setString(key, "${providedValue}")
- }
- }
-
- private overrideBooleanSetting(String key, Boolean providedValue) {
- if (providedValue != null) {
- logger.lifecycle("Setting [${key}] overrided with value [${providedValue}]")
- setBoolean(key, providedValue)
- }
- }
-}
diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/Purge.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/Purge.groovy
new file mode 100644
index 000000000..89e74a9a1
--- /dev/null
+++ b/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/Purge.groovy
@@ -0,0 +1,82 @@
+/*
+ * This file is part of dependency-check-gradle.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 Jeremy Long. All Rights Reserved.
+ */
+
+package com.tools.security.tasks
+
+import org.gradle.api.DefaultTask
+import org.gradle.api.artifacts.Configuration
+import org.gradle.api.artifacts.ResolvedArtifact
+import org.gradle.api.tasks.TaskAction
+import java.io.File
+import org.owasp.dependencycheck.Engine
+import org.owasp.dependencycheck.data.nvdcve.CveDB
+import org.owasp.dependencycheck.dependency.Dependency
+import org.owasp.dependencycheck.reporting.ReportGenerator
+import org.owasp.dependencycheck.utils.Settings
+
+import static org.owasp.dependencycheck.utils.Settings.KEYS.DATA_DIRECTORY
+
+/**
+ * Purges the local cache of the NVD CVE data.
+ */
+class Purge extends DefaultTask {
+
+ def config = project.dependencyCheckPurge
+
+ /**
+ * Initializes the purge task.
+ */
+ Purge() {
+ group = 'OWASP dependency-check'
+ description = 'Purges the local cache of the NVD.'
+ }
+
+ /**
+ * Purges the local cache of the NVD data.
+ */
+ @TaskAction
+ def purge() {
+ initializeSettings()
+ def db = new File(Settings.getDataDirectory(), "dc.h2.db")
+ if (db.exists()) {
+ if (db.delete()) {
+ logger.info("Database file purged; local copy of the NVD has been removed")
+ } else {
+ logger.warn("Unable to delete '${db.getAbsolutePath()}'; please delete the file manually")
+ }
+ } else {
+ logger.warn("Unable to purge database; the database file does not exists: ${db.getAbsolutePath()}")
+ }
+ cleanup()
+ }
+
+ /**
+ * Intializes the configuration.
+ */
+ def initializeSettings() {
+ Settings.initialize()
+ Settings.setStringIfNotNull(DATA_DIRECTORY, config.data.directory)
+ }
+
+ /**
+ * Relases resources and removes temporary files used.
+ */
+ def cleanup() {
+ Settings.cleanup(true)
+ }
+}
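Review bot: `cleanup()` on the last line of `purge()` runs only on the success path; if `Settings.getDataDirectory()` or `File.delete()` throws, `Settings.cleanup(true)` is skipped and whatever `Settings.initialize()` set up (apparently process- or thread-scoped, given the explicit cleanup call) leaks into later tasks in the same Gradle daemon. Move the body of `purge()` after `initializeSettings()` into `try { … } finally { cleanup() }` so the settings are always released. The imports of `Engine`, `CveDB`, `Dependency`, `ReportGenerator`, `Configuration`, `ResolvedArtifact` and `java.io.File` are unused in this task (Groovy imports `java.io.*` implicitly) and should be dropped so a reader does not expect the purge to touch the engine or report generator.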
diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/Update.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/Update.groovy
new file mode 100644
index 000000000..93881b286
--- /dev/null
+++ b/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/Update.groovy
@@ -0,0 +1,116 @@
+/*
+ * This file is part of dependency-check-gradle.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 Jeremy Long. All Rights Reserved.
+ */
+
+package com.tools.security.tasks
+
+import org.gradle.api.DefaultTask
+import org.gradle.api.artifacts.Configuration
+import org.gradle.api.artifacts.ResolvedArtifact
+import org.gradle.api.tasks.TaskAction
+import org.gradle.api.InvalidUserDataException
+import org.owasp.dependencycheck.Engine
+import org.owasp.dependencycheck.data.nvdcve.CveDB
+import org.owasp.dependencycheck.dependency.Dependency
+import org.owasp.dependencycheck.reporting.ReportGenerator
+import org.owasp.dependencycheck.utils.Settings
+
+import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_MODIFIED_12_URL
+import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_MODIFIED_20_URL
+import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_SCHEMA_1_2
+import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_SCHEMA_2_0
+import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_START_YEAR
+import static org.owasp.dependencycheck.utils.Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP
+import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_PASSWORD
+import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_PORT
+import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_SERVER
+import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_USERNAME
+import static org.owasp.dependencycheck.utils.Settings.KEYS.DATA_DIRECTORY
+import static org.owasp.dependencycheck.utils.Settings.KEYS.SUPPRESSION_FILE
+
+import static org.owasp.dependencycheck.utils.Settings.KEYS.DB_DRIVER_NAME
+import static org.owasp.dependencycheck.utils.Settings.KEYS.DB_DRIVER_PATH
+import static org.owasp.dependencycheck.utils.Settings.KEYS.DB_CONNECTION_STRING
+import static org.owasp.dependencycheck.utils.Settings.KEYS.DB_USER
+import static org.owasp.dependencycheck.utils.Settings.KEYS.DB_PASSWORD
+
+/**
+ * Updates the local cache of the NVD CVE data.
+ *
+ * @author Jeremy Long
+ */
+class Update extends DefaultTask {
+
+ def config = project.dependencyCheckUpdate
+
+ /**
+ * Initializes the update task.
+ */
+ Update() {
+ group = 'OWASP dependency-check'
+ description = 'Downloads and stores updates from the NVD CVE data feeds.'
+ }
+
+ /**
+ * Executes the update task.
+ */
+ @TaskAction
+ def update() {
+ initializeSettings()
+ def engine = new Engine()
+ engine.doUpdates()
+ cleanup(engine)
+ }
+
+ /**
+ * Initializes the settings; if the setting is not configured
+ * then the default value from dependency-check-core is used.
+ */
+ def initializeSettings() {
+ Settings.initialize()
+ Settings.setStringIfNotEmpty(PROXY_SERVER, config.proxy.server)
+ Settings.setStringIfNotEmpty(PROXY_PORT, "${config.proxy.port}")
+ Settings.setStringIfNotEmpty(PROXY_USERNAME, config.proxy.username)
+ Settings.setStringIfNotEmpty(PROXY_PASSWORD, config.proxy.password)
+ //Settings.setStringIfNotEmpty(CONNECTION_TIMEOUT, connectionTimeout)
+ Settings.setStringIfNotNull(DATA_DIRECTORY, config.data.directory)
+ Settings.setStringIfNotEmpty(DB_DRIVER_NAME, config.data.driver)
+ Settings.setStringIfNotEmpty(DB_DRIVER_PATH, config.data.driverPath)
+ Settings.setStringIfNotEmpty(DB_CONNECTION_STRING, config.data.connectionString)
+ Settings.setStringIfNotEmpty(DB_USER, config.data.username)
+ Settings.setStringIfNotEmpty(DB_PASSWORD, config.data.password)
+ Settings.setStringIfNotEmpty(CVE_MODIFIED_12_URL, config.cve.url12Modified)
+ Settings.setStringIfNotEmpty(CVE_MODIFIED_20_URL, config.cve.url20Modified)
+ Settings.setStringIfNotEmpty(CVE_SCHEMA_1_2, config.cve.url12Base)
+ Settings.setStringIfNotEmpty(CVE_SCHEMA_2_0, config.cve.url20Base)
+
+ if (config.cveValidForHours != null) {
+ if (config.cveValidForHours >= 0) {
+ Settings.setInt(CVE_CHECK_VALID_FOR_HOURS, config.cveValidForHours);
+ } else {
+ throw new InvalidUserDataException("Invalid setting: `validForHours` must be 0 or greater");
+ }
+ }
+ }
+ /**
+ * Relases resources and removes temporary files used.
+ */
+ def cleanup(engine) {
+ Settings.cleanup(true)
+ engine.cleanup();
+ }
+}
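Review bot: `CVE_CHECK_VALID_FOR_HOURS` is used in `initializeSettings()` but is not among the static imports of this file, so once a user configures `cveValidForHours` Groovy will resolve it as a dynamic property of the task and fail with a MissingPropertyException (unless a property of that name happens to exist on the task, which nothing visible here provides); add `import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS` next to the other `KEYS` imports, and make the error message name the actual setting, `"Invalid setting: \`cveValidForHours\` must be 0 or greater"`. Separately, `Settings.setStringIfNotEmpty(PROXY_PORT, "${config.proxy.port}")` renders an unset port as the non-empty string `"null"`, which then overrides the core default; pass `config.proxy.port?.toString()` instead so the not-empty guard actually applies. As in the purge task, `cleanup(engine)` is skipped when `engine.doUpdates()` throws, so wrap the engine use in `try { engine.doUpdates() } finally { cleanup(engine) }`.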
diff --git a/dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/dependency-check.properties b/dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/dependencyCheck.properties
similarity index 89%
rename from dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/dependency-check.properties
rename to dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/dependencyCheck.properties
index 877c70050..523794cc4 100644
--- a/dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/dependency-check.properties
+++ b/dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/dependencyCheck.properties
@@ -16,4 +16,4 @@
# Copyright (c) 2015 Wei Ma. All Rights Reserved.
#
-implementation-class=com.tools.security.plugin.DependencyCheckGradlePlugin
\ No newline at end of file
+implementation-class=com.tools.security.plugin.DependencyCheck
\ No newline at end of file
diff --git a/dependency-check-gradle/src/test/groovy/com/tools/security/plugin/DependencyCheckGradlePluginSpec.groovy b/dependency-check-gradle/src/test/groovy/com/tools/security/plugin/DependencyCheckGradlePluginSpec.groovy
index 43ddd93b0..4d793c351 100644
--- a/dependency-check-gradle/src/test/groovy/com/tools/security/plugin/DependencyCheckGradlePluginSpec.groovy
+++ b/dependency-check-gradle/src/test/groovy/com/tools/security/plugin/DependencyCheckGradlePluginSpec.groovy
@@ -22,7 +22,7 @@ import nebula.test.PluginProjectSpec
import org.gradle.api.Task
class DependencyCheckGradlePluginSpec extends PluginProjectSpec {
- static final String PLUGIN_ID = 'dependency-check'
+ static final String PLUGIN_ID = 'dependency-check-gradle'
@Override
String getPluginName() {