From acb9d04c51b5d9cb07cbfac547057824267a4ff4 Mon Sep 17 00:00:00 2001 
From: Jeremy Long Date: Wed, 11 Nov 2015 18:44:19 -0500 Subject: [PATCH] updated to be feature complete with 1.3.2-SNAPSHOT --- dependency-check-gradle/README.md | 8 +- dependency-check-gradle/build.gradle | 14 +- .../conf/publish/maven.gradle | 5 + dependency-check-gradle/pom.xml | 2 +- dependency-check-gradle/settings.gradle | 2 +- ...ependencyCheckGradlePluginIntegSpec.groovy | 2 +- .../src/integTest/resources/outputDir.gradle | 4 +- .../extension/AnalyzerExtension.groovy | 100 ++++++ .../security/extension/CheckExtension.groovy | 70 +++++ .../security/extension/CveExtension.groovy | 19 +- .../security/extension/DataExtension.groovy | 45 +++ .../security/extension/ProxyExtension.groovy | 5 +- .../extension/PurgeDataExtension.groovy | 29 ++ ...Extension.groovy => PurgeExtension.groovy} | 9 +- .../security/extension/UpdateExtension.groovy | 33 ++ .../security/plugin/DependencyCheck.groovy | 75 +++++ .../plugin/DependencyCheckGradlePlugin.groovy | 49 --- .../com/tools/security/tasks/Check.groovy | 292 ++++++++++++++++++ .../security/tasks/DependencyCheckTask.groovy | 176 ----------- .../com/tools/security/tasks/Purge.groovy | 82 +++++ .../com/tools/security/tasks/Update.groovy | 116 +++++++ ....properties => dependencyCheck.properties} | 2 +- .../DependencyCheckGradlePluginSpec.groovy | 2 +- 23 files changed, 888 insertions(+), 253 deletions(-) create mode 100644 dependency-check-gradle/src/main/groovy/com/tools/security/extension/AnalyzerExtension.groovy create mode 100644 dependency-check-gradle/src/main/groovy/com/tools/security/extension/CheckExtension.groovy create mode 100644 dependency-check-gradle/src/main/groovy/com/tools/security/extension/DataExtension.groovy create mode 100644 dependency-check-gradle/src/main/groovy/com/tools/security/extension/PurgeDataExtension.groovy rename dependency-check-gradle/src/main/groovy/com/tools/security/extension/{DependencyCheckExtension.groovy => PurgeExtension.groovy} (77%) create mode 100644 
dependency-check-gradle/src/main/groovy/com/tools/security/extension/UpdateExtension.groovy create mode 100644 dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheck.groovy delete mode 100644 dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheckGradlePlugin.groovy create mode 100644 dependency-check-gradle/src/main/groovy/com/tools/security/tasks/Check.groovy delete mode 100644 dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy create mode 100644 dependency-check-gradle/src/main/groovy/com/tools/security/tasks/Purge.groovy create mode 100644 dependency-check-gradle/src/main/groovy/com/tools/security/tasks/Update.groovy rename dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/{dependency-check.properties => dependencyCheck.properties} (89%) diff --git a/dependency-check-gradle/README.md b/dependency-check-gradle/README.md index a1d37491e..d12265b6c 100644 --- a/dependency-check-gradle/README.md +++ b/dependency-check-gradle/README.md @@ -24,11 +24,11 @@ buildscript { mavenCentral() } dependencies { - classpath 'com.thoughtworks.tools:dependency-check:0.0.8' + classpath 'org.owasp:dependency-check-gradle:1.3.2' } } -apply plugin: 'dependency-check' +apply plugin: 'dependency-check-gradle' ``` ### Step 2, Run gradle task @@ -59,10 +59,10 @@ dependencyCheck { proxy { server = "127.0.0.1" // required, the server name or IP address of the proxy port = 3128 // required, the port number of the proxy - + // optional, the proxy server might require username // username = "username" - + // optional, the proxy server might require password // password = "password" } diff --git a/dependency-check-gradle/build.gradle b/dependency-check-gradle/build.gradle index 1bf6714bc..09c700fbd 100644 --- a/dependency-check-gradle/build.gradle +++ b/dependency-check-gradle/build.gradle 
@@ -16,6 +16,10 @@ * Copyright (c) 2015 Wei Ma. All Rights Reserved. */ + +group = 'org.owasp' +version = '1.3.2-SNAPSHOT' + buildscript { repositories { maven { @@ -43,14 +47,15 @@ targetCompatibility = 1.6 repositories { mavenCentral() + mavenLocal() } dependencies { compile( localGroovy(), gradleApi(), - 'org.owasp:dependency-check-core:1.3.1', - 'org.owasp:dependency-check-utils:1.3.1' + 'org.owasp:dependency-check-core:1.3.2-SNAPSHOT', + 'org.owasp:dependency-check-utils:1.3.2-SNAPSHOT' ) testCompile ('com.netflix.nebula:nebula-test:2.2.2'){ @@ -75,11 +80,6 @@ task integTest(type: Test) { jvmArgs '-XX:MaxPermSize=256m' } -group = 'com.thoughtworks.tools' -version = '0.0.8' - -targetCompatibility = 1.7 - apply from: 'conf/publish/local.gradle' //apply from: 'conf/publish/maven.gradle' //apply from: 'conf/publish/gradlePluginsPortal.gradle' diff --git a/dependency-check-gradle/conf/publish/maven.gradle b/dependency-check-gradle/conf/publish/maven.gradle index 462ced0f7..0cb9faf65 100644 --- a/dependency-check-gradle/conf/publish/maven.gradle +++ b/dependency-check-gradle/conf/publish/maven.gradle @@ -50,6 +50,11 @@ uploadArchives { } developers { + developer { + id 'jeremylong' + name 'Jeremy Long' + email 'jeremy.long@owasp.org' + } developer { id 'wmaintw' name 'Wei Ma' diff --git a/dependency-check-gradle/pom.xml b/dependency-check-gradle/pom.xml index 2b9540b2e..401196cba 100644 --- a/dependency-check-gradle/pom.xml +++ b/dependency-check-gradle/pom.xml @@ -26,7 +26,7 @@ Copyright (c) 2015 Wei Ma. All Rights Reserved. dependency-check-gradle - 0.0.6 + 0.0.8 pom diff --git a/dependency-check-gradle/settings.gradle b/dependency-check-gradle/settings.gradle index b460ef63c..522f2e666 100644 --- a/dependency-check-gradle/settings.gradle +++ b/dependency-check-gradle/settings.gradle 
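Review bot: The `dependencies` hunk now compiles against `org.owasp:dependency-check-core:1.3.2-SNAPSHOT` and `org.owasp:dependency-check-utils:1.3.2-SNAPSHOT` and adds `mavenLocal()` to `repositories`, so the core the plugin is built against is whichever snapshot sits in the local Maven repository at build time rather than a fixed, verifiable artifact. That is reasonable while developing against an unreleased core, but if this is the build that publishes the plugin, the resolved core can differ silently between machines and over time. Suggest pinning both coordinates to the released `1.3.2` and dropping `mavenLocal()` before publishing, or keeping them behind a property that is off by default. The third hunk in this file only removes the old `group`/`version`/`targetCompatibility` lines that the first hunk relocates.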
@@ -16,4 +16,4 @@ * Copyright (c) 2015 Wei Ma. All Rights Reserved. */ -rootProject.name = 'dependency-check' \ No newline at end of file +rootProject.name = 'dependency-check-gradle' \ No newline at end of file diff --git a/dependency-check-gradle/src/integTest/groovy/com/tools/security/plugin/DependencyCheckGradlePluginIntegSpec.groovy b/dependency-check-gradle/src/integTest/groovy/com/tools/security/plugin/DependencyCheckGradlePluginIntegSpec.groovy index 895571d3c..3e89f88e2 100644 --- a/dependency-check-gradle/src/integTest/groovy/com/tools/security/plugin/DependencyCheckGradlePluginIntegSpec.groovy +++ b/dependency-check-gradle/src/integTest/groovy/com/tools/security/plugin/DependencyCheckGradlePluginIntegSpec.groovy @@ -10,7 +10,7 @@ class DependencyCheckGradlePluginIntegSpec extends IntegrationSpec { def "I can add the plugin to a build with no errors"() { setup: buildFile << ''' - apply plugin: 'dependency-check' + apply plugin: 'dependencyCheck' '''.stripIndent() when: diff --git a/dependency-check-gradle/src/integTest/resources/outputDir.gradle b/dependency-check-gradle/src/integTest/resources/outputDir.gradle index 8212eeed6..e2f104e73 100644 --- a/dependency-check-gradle/src/integTest/resources/outputDir.gradle +++ b/dependency-check-gradle/src/integTest/resources/outputDir.gradle @@ -3,7 +3,7 @@ * @author Sion Williams */ apply plugin: 'java' -apply plugin: 'dependency-check' +apply plugin: 'dependencyCheck' sourceCompatibility = 1.5 version = '1.0' @@ -17,5 +17,5 @@ dependencies { } dependencyCheck { - outputDirectory = "${buildDir}/dependencyCheckReport" + reportsDirName = "reports" } \ No newline at end of file diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/AnalyzerExtension.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/AnalyzerExtension.groovy new file mode 100644 index 000000000..64953e7ae --- /dev/null 
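Review bot: The integration spec now applies the plugin as `apply plugin: 'dependencyCheck'`, which matches the descriptor renamed to `META-INF/gradle-plugins/dependencyCheck.properties` in this patch and the `outputDir.gradle` fixture, but the README hunk in the same commit tells users to write `apply plugin: 'dependency-check-gradle'`. Only the id named by the properties file resolves, so one of the two instructions is wrong; presumably the README line should become `apply plugin: 'dependencyCheck'`. The README also advertises `classpath 'org.owasp:dependency-check-gradle:1.3.2'` while `build.gradle` still builds `1.3.2-SNAPSHOT`, which is worth reconciling if the README is meant to track this commit.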
+++ b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/AnalyzerExtension.groovy 
@@ -0,0 +1,100 @@
+/*
+ * This file is part of dependency-check-gradle.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 Jeremy Long. All Rights Reserved.
+ */
+
+package com.tools.security.extension
+
+/**
+ * The analyzer configuration extension. Any value not configured will use the dependency-check-core defaults.
+ */
+class AnalyzerExtension {
+
+ /**
+ * Sets whether the Archive Analyzer will be used.
+ */
+ Boolean archiveEnabled
+ /**
+ * A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed.
+ */
+ String zipExtensions
+ /**
+ * Sets whether Jar Analyzer will be used.
+ */
+ Boolean jarEnabled
+ /**
+ * Sets whether Central Analyzer will be used. If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer (see below).
+ */
+ Boolean centralEnabled
+ /**
+ * Sets whether Nexus Analyzer will be used. This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation.
+ */
+ Boolean nexusEnabled
+ /**
+ * Defines the Nexus Server's web service end point (example http://domain.enterprise/service/local/). If not set the Nexus Analyzer will be disabled.
+ */
+ String nexusUrl
+ /**
+ * Whether or not the defined proxy should be used when connecting to Nexus.
+ */
+ Boolean nexusUsesProxy
+ /**
+ * Sets whether or not the .NET Nuget Nuspec Analyzer will be used.
+ */
+ Boolean nuspecEnabled
+ /**
+ * Sets whether or not the .NET Assembly Analyzer should be used.
+ */
+ Boolean assemblyEnabled
+ /**
+ * The path to Mono for .NET assembly analysis on non-windows systems.
+ */
+ String pathToMono
+
+
+ /**
+ * Sets whether the Python Distribution Analyzer will be used.
+ */
+ Boolean pyDistributionEnabled
+ /**
+ * Sets whether the Python Package Analyzer will be used.
+ */
+ Boolean pyPackageEnabled
+ /**
+ * Sets whether the Ruby Gemspec Analyzer will be used.
+ */
+ Boolean rubygemsEnabled
+ /**
+ * Sets whether or not the openssl Analyzer should be used.
+ */
+ Boolean opensslEnabled
+ /**
+ * Sets whether or not the CMake Analyzer should be used.
+ */
+ Boolean cmakeEnabled
+ /**
+ * Sets whether or not the autoconf Analyzer should be used.
+ */
+ Boolean autoconfEnabled
+ /**
+ * Sets whether or not the PHP Composer Lock File Analyzer should be used.
+ */
+ Boolean composerEnabled
+ /**
+ * Sets whether or not the Node.js Analyzer should be used.
+ */
+ Boolean nodeEnabled
+}
diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/CheckExtension.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/CheckExtension.groovy
new file mode 100644
index 000000000..e92326729
--- /dev/null
+++ b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/CheckExtension.groovy
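Review bot: The Javadoc for `nexusUrl` gives `http://domain.enterprise/service/local/` as the example end point, so the one URL a user is likely to copy documents a cleartext endpoint for a service the analyzer presumably contacts; changing the example to `https://domain.enterprise/service/local/` costs nothing and steers configuration toward the protected form. `superceded` in the `nexusEnabled` comment should be `superseded`. Every field is a nullable `Boolean`/`String` rather than a primitive, which is what the class comment's "not configured falls back to the core defaults" promise needs, so that part reads correctly.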
@@ -0,0 +1,70 @@ +/* + * This file is part of dependency-check-gradle. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2015 Wei Ma. All Rights Reserved. + */ + +package com.tools.security.extension + +import static org.owasp.dependencycheck.reporting.ReportGenerator.Format + +/* + * Configuration extension for the dependencyCheck plugin. + * + * @author Wei Ma + * @author Jeremy Long + */ +class CheckExtension extends UpdateExtension { + /** + * Configuration for the analyzers. + */ + AnalyzerExtension analyzerExtension + + /** + * The path to the suppression file. + */ + String suppressionFile + /** + * Sets whether auto-updating of the NVD CVE/CPE data is enabled. + */ + Boolean autoUpdate + /** + * When set to true dependency groups that start with 'test' will not be included in the analysis. + */ + Boolean skipTestGroups + + //The following properties are not used via the settings object, instead + // they are directly used by the check task. + + /** + * The report format to be generated (HTML, XML, VULN, ALL). This configuration option has + * no affect if using this within the Site plugin unless the externalReport is set to true. + * The default is HTML. + */ + Format format = Format.HTML + /** + * The name of the directory where reports will be written. Defaults to 'reports'. + */ + String reportsDirName = "reports" + /** + * Specifies if the build should be failed if a CVSS score above a specified level is identified. 
The default is + * 11 which means since the CVSS scores are 0-10, by default the build will never fail. + */ + Float failBuildOnCVSS = 11.0 + /** + * Displays a summary of the findings. Defaults to true. + */ + Boolean showSummary = true +} diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/CveExtension.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/CveExtension.groovy index a91eee97f..857b63bce 100644 --- a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/CveExtension.groovy +++ b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/CveExtension.groovy @@ -18,10 +18,25 @@ package com.tools.security.extension -class CveExtension { +public class CveExtension { + /** + * URL for the modified CVE 1.2: + * https://nvd.nist.gov/download/nvdcve-Modified.xml.gz + **/ String url20Modified + /** + * URL for the modified CVE 1.2: + * https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz + **/ String url12Modified - Integer startYear + /** + * URL for the modified CVE 1.2: + * https://nvd.nist.gov/download/nvdcve-%d.xml.gz + **/ String url20Base + /** + * Base URL for each year's CVE 2.0, the %d will be replaced with the year. + * https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz + **/ String url12Base } diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DataExtension.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DataExtension.groovy new file mode 100644 index 000000000..c20c64632 --- /dev/null +++ b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DataExtension.groovy 
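Review bot: The Javadoc on `format` still carries Maven-plugin wording — `This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true` — but this Gradle extension has no Site plugin and no `externalReport` option, so the sentence can only mislead; suggest reducing it to `The report format to be generated (HTML, XML, VULN, ALL). The default is HTML.` The class comment opens with `/*` rather than `/**`, so it is not picked up as Javadoc. The comment above `format` saying the remaining properties are read directly by the check task rather than through the settings object is useful and worth keeping as a `//` note, but a reader would be helped by naming the task, `Check`.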
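Review bot: Three of the four new Javadoc blocks in `CveExtension` read `URL for the modified CVE 1.2:` regardless of which field they sit on, and the feed URLs are paired against the field names: the URLs containing `2.0` (`nvdcve-2.0-Modified.xml.gz`, `nvdcve-2.0-%d.xml.gz`) are under `url12Modified`/`url12Base`, while `url20Modified`/`url20Base` show the URLs without it. Either the comments or the names are crossed; assuming the names are right, the comments should become `URL for the modified CVE 2.0 feed` on `url20Modified`, `URL for the modified CVE 1.2 feed` on `url12Modified`, and `Base URL for each year's CVE 2.0 (resp. 1.2) feed; %d is replaced with the year` on the two base fields, each with its matching URL. `Integer startYear` is removed here while the `Check` task added later in this patch still imports `CVE_START_YEAR`; if the start year is no longer configurable from the DSL that import looks dead, otherwise the property should stay.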
@@ -0,0 +1,45 @@
+/*
+ * This file is part of dependency-check-gradle.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 Jeremy Long. All Rights Reserved.
+ */
+
+package com.tools.security.extension
+
+/**
+ * The update data configuration extension. Any value not configured will use the dependency-check-core defaults.
+ */
+class DataExtension extends PurgeDataExtension {
+ /**
+ * The connection string to the database.
+ */
+ String connectionString
+ /**
+ * The user name to use when connecting to the database.
+ */
+ String username
+ /**
+ * The password to use when connecting to the database.
+ */
+ String password
+ /**
+ * The database dirver name (e.g. org.h2.Driver).
+ */
+ String driver
+ /**
+ * The path to the driver (JAR) in case it is not already in the classpath.
+ */
+ String driverPath
+}
diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/ProxyExtension.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/ProxyExtension.groovy
index 97763ad76..e7bd282ad 100644
--- a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/ProxyExtension.groovy
+++ b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/ProxyExtension.groovy
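Review bot: `String password` (with `username`) makes the database credential a plain property of the `data { … }` DSL block, which invites writing it literally into a versioned `build.gradle`; the Javadoc should say where the value ought to come from, e.g. `The password to use when connecting to the database. Supply it from gradle.properties or an environment variable rather than committing it to the build script.` Whether the `Check`/`Update` tasks log or echo these settings is outside this hunk and worth checking there. `dirver` in the `driver` comment should be `driver`.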
@@ -17,7 +17,10 @@ */ package com.tools.security.extension - +/** + * TODO - this should not be needed, instead rely on the configured HTTP or HTTPS proxies + * https://docs.gradle.org/current/userguide/build_environment.html + */ class ProxyExtension { String server Integer port diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/PurgeDataExtension.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/PurgeDataExtension.groovy new file mode 100644 index 000000000..92e996362 --- /dev/null +++ b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/PurgeDataExtension.groovy @@ -0,0 +1,29 @@ +/* + * This file is part of dependency-check-gradle. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2015 Jeremy Long. All Rights Reserved. + */ + +package com.tools.security.extension + +/** + * The data configuration extension. Any value not configured will use the dependency-check-core defaults. + */ +class PurgeDataExtension { + /** + * The directory to store the H2 database that contains the cache of the NVD CVE data. + */ + String directory="[JAR]/../../dependency-check-data" +} 
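Review bot: `String directory="[JAR]/../../dependency-check-data"` assigns a default, yet the class Javadoc directly above says any value not configured falls back to the dependency-check-core defaults — with this initializer the core default is never reached through this extension. If the intent is to mirror core's default it is safer to leave the field null and let core resolve it; if the value is deliberate, the comment should state that the `[JAR]` token is presumably expanded by core's `Settings` (worth confirming) and that the `Purge` task added elsewhere in this patch presumably removes whatever this resolves to, so a mis-set path has real consequences. Because `DataExtension` extends this class, the same default also applies to the check and update configuration.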
diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckExtension.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/PurgeExtension.groovy similarity index 77% rename from dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckExtension.groovy rename to dependency-check-gradle/src/main/groovy/com/tools/security/extension/PurgeExtension.groovy index 8872dcd2a..27bd8c831 100644 --- a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckExtension.groovy +++ b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/PurgeExtension.groovy @@ -18,11 +18,6 @@ package com.tools.security.extension -class DependencyCheckExtension { - ProxyExtension proxyExtension - CveExtension cveExtension - - String outputDirectory = "./reports" - String suppressionFile; - Boolean quickQueryTimestamp; +class PurgeExtension { + PurgeDataExtension dataExtension } diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/extension/UpdateExtension.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/UpdateExtension.groovy new file mode 100644 index 000000000..0bdb0b886 --- /dev/null +++ b/dependency-check-gradle/src/main/groovy/com/tools/security/extension/UpdateExtension.groovy 
@@ -0,0 +1,33 @@
+/*
+ * This file is part of dependency-check-gradle.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 Wei Ma. All Rights Reserved.
+ */
+
+package com.tools.security.extension
+
+class UpdateExtension extends PurgeExtension {
+ ProxyExtension proxyExtension
+ CveExtension cveExtension
+ DataExtension dataExtension
+ /**
+ * Set to false if the proxy does not support HEAD requests. The default is true.
+ */
+ Boolean quickQueryTimestamp
+ /**
+ * The number of hours to wait before checking for additional updates from the NVD.
+ */
+ Integer cveValidForHours
+}
diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheck.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheck.groovy
new file mode 100644
index 000000000..55753c43b
--- /dev/null
+++ b/dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheck.groovy
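Review bot: `DataExtension dataExtension` in `UpdateExtension` redeclares the `dataExtension` property that `PurgeExtension` already declares as `PurgeDataExtension dataExtension`, so the subclass hides the parent property with a narrower type and Groovy generates a second, overloaded `setDataExtension`; a reader cannot tell which one a configuration closure reaches. The `DependencyCheck` plugin later in this patch registers the nested blocks via `ext.extensions.create("data", DataExtension)` rather than through these fields, so `proxyExtension`, `cveExtension` and `dataExtension` look unused unless the tasks read them — drop them if not, otherwise give the three fields Javadoc like the other two. `quickQueryTimestamp` is a nullable `Boolean` whose comment promises `The default is true`; presumably core supplies that default, which the comment could say.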
@@ -0,0 +1,75 @@
+/*
+ * This file is part of dependency-check-gradle.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 Wei Ma. All Rights Reserved.
+ */
+
+package com.tools.security.plugin
+
+import com.tools.security.extension.CveExtension
+import com.tools.security.extension.CheckExtension
+import com.tools.security.extension.ProxyExtension
+import com.tools.security.extension.DataExtension
+import com.tools.security.extension.AnalyzerExtension
+import com.tools.security.extension.UpdateExtension
+import com.tools.security.extension.PurgeExtension
+import com.tools.security.extension.PurgeDataExtension
+import com.tools.security.tasks.Check
+import com.tools.security.tasks.Update
+import com.tools.security.tasks.Purge
+
+import org.gradle.api.Plugin
+import org.gradle.api.Project
+
+class DependencyCheck implements Plugin {
+ private static final String CHECK_TASK = 'dependencyCheck'
+ private static final String UPDATE_TASK = 'dependencyCheckUpdate'
+ private static final String PURGE_TASK = 'dependencyCheckPurge'
+
+
+ /* configuration extensions */
+ private static final String PROXY_EXTENSION_NAME = "proxy"
+ private static final String CVE_EXTENSION_NAME = "cve"
+ private static final String DATA_EXTENSION_NAME = "data"
+ private static final String ANALYZER_EXTENSION_NAME = "analyzer"
+
+ @Override
+ void apply(Project project) {
+ initializeConfigurations(project)
+ registerTasks(project)
+ }
+
+ def initializeConfigurations(Project project) {
+ def ext = project.extensions.create(CHECK_TASK, CheckExtension)
+ ext.extensions.create(PROXY_EXTENSION_NAME, ProxyExtension)
+ ext.extensions.create(CVE_EXTENSION_NAME, CveExtension)
+ ext.extensions.create(DATA_EXTENSION_NAME, DataExtension)
+ ext.extensions.create(ANALYZER_EXTENSION_NAME, AnalyzerExtension)
+
+ def extu = project.extensions.create(UPDATE_TASK, UpdateExtension)
+ extu.extensions.create(CVE_EXTENSION_NAME, CveExtension)
+ extu.extensions.create(DATA_EXTENSION_NAME, DataExtension)
+ extu.extensions.create(PROXY_EXTENSION_NAME, ProxyExtension)
+
+ def extp = project.extensions.create(PURGE_TASK, PurgeExtension)
+ extp.extensions.create(DATA_EXTENSION_NAME, PurgeDataExtension)
+ }
+
+ def registerTasks(Project project) {
+ project.task(CHECK_TASK, type: Check)
+ project.task(UPDATE_TASK, type: Update)
+ project.task(PURGE_TASK, type: Purge)
+ }
+}
diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheckGradlePlugin.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheckGradlePlugin.groovy
deleted file mode 100644
index a1f94a13c..000000000
--- a/dependency-check-gradle/src/main/groovy/com/tools/security/plugin/DependencyCheckGradlePlugin.groovy
+++ /dev/null
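Review bot: `class DependencyCheck implements Plugin` uses the raw `Plugin` type; it should be `class DependencyCheck implements Plugin<Project>` so that `apply(Project)` is a checked override and the `@Override` annotation actually binds to the interface method. `initializeConfigurations` and `registerTasks` are declared with `def`, which makes them public methods of the plugin; `private void` fits their role. Each of `CHECK_TASK`, `UPDATE_TASK` and `PURGE_TASK` names both an extension created in `initializeConfigurations` and a task created in `registerTasks`, so `project.dependencyCheck` may resolve to either depending on Gradle's property lookup order — the README configures `dependencyCheck { … }` as the extension, so that is worth confirming, or the extensions could be given distinct names.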
@@ -1,49 +0,0 @@ -/* - * This file is part of dependency-check-gradle. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * Copyright (c) 2015 Wei Ma. All Rights Reserved. - */ - -package com.tools.security.plugin - -import com.tools.security.extension.CveExtension -import com.tools.security.extension.DependencyCheckExtension -import com.tools.security.extension.ProxyExtension -import com.tools.security.tasks.DependencyCheckTask -import org.gradle.api.Plugin -import org.gradle.api.Project - -class DependencyCheckGradlePlugin implements Plugin { - private static final String ROOT_EXTENSION_NAME = 'dependencyCheck' - private static final String TASK_NAME = 'dependencyCheck' - private static final String PROXY_EXTENSION_NAME = "proxy" - private static final String CVE_EXTENSION_NAME = "cve" - - @Override - void apply(Project project) { - initializeConfigurations(project) - registerTasks(project) - } - - def initializeConfigurations(Project project) { - project.extensions.create(ROOT_EXTENSION_NAME, DependencyCheckExtension) - project.dependencyCheck.extensions.create(PROXY_EXTENSION_NAME, ProxyExtension) - project.dependencyCheck.extensions.create(CVE_EXTENSION_NAME, CveExtension) - } - - def registerTasks(Project project) { - project.task(TASK_NAME, type: DependencyCheckTask) - } -} \ No newline at end of file 
diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/Check.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/Check.groovy new file mode 100644 index 000000000..0f87aa8bc --- /dev/null +++ b/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/Check.groovy 
@@ -0,0 +1,292 @@ +/* + * This file is part of dependency-check-gradle. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2015 Wei Ma. All Rights Reserved. + */ + +package com.tools.security.tasks + +import org.gradle.api.DefaultTask +import org.gradle.api.artifacts.Configuration +import org.gradle.api.artifacts.ResolvedArtifact +import org.gradle.api.tasks.TaskAction +import org.gradle.api.GradleException +import org.gradle.api.InvalidUserDataException + +import org.owasp.dependencycheck.Engine +import org.owasp.dependencycheck.data.nvdcve.CveDB +import org.owasp.dependencycheck.dependency.Dependency +import org.owasp.dependencycheck.reporting.ReportGenerator +import org.owasp.dependencycheck.utils.Settings +import org.owasp.dependencycheck.dependency.Identifier; +import org.owasp.dependencycheck.dependency.Vulnerability; + + +import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_MODIFIED_12_URL +import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_MODIFIED_20_URL +import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_SCHEMA_1_2 +import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_SCHEMA_2_0 +import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_START_YEAR +import static org.owasp.dependencycheck.utils.Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP +import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_PASSWORD +import static 
org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_PORT +import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_SERVER +import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_USERNAME +import static org.owasp.dependencycheck.utils.Settings.KEYS.AUTO_UPDATE +import static org.owasp.dependencycheck.utils.Settings.KEYS.DATA_DIRECTORY +import static org.owasp.dependencycheck.utils.Settings.KEYS.SUPPRESSION_FILE + +import static org.owasp.dependencycheck.utils.Settings.KEYS.DB_DRIVER_NAME +import static org.owasp.dependencycheck.utils.Settings.KEYS.DB_DRIVER_PATH +import static org.owasp.dependencycheck.utils.Settings.KEYS.DB_CONNECTION_STRING +import static org.owasp.dependencycheck.utils.Settings.KEYS.DB_USER +import static org.owasp.dependencycheck.utils.Settings.KEYS.DB_PASSWORD + +import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_JAR_ENABLED +import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_NUSPEC_ENABLED +import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_CENTRAL_ENABLED +import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_NEXUS_ENABLED +import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_NEXUS_URL +import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_NEXUS_USES_PROXY +import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_ARCHIVE_ENABLED +import static org.owasp.dependencycheck.utils.Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS +import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED +import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH +import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED +import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED +import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED +import static 
org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_OPENSSL_ENABLED +import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_CMAKE_ENABLED +import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_AUTOCONF_ENABLED +import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED +import static org.owasp.dependencycheck.utils.Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED + +/** + * Checks the projects dependencies for known vulnerabilities. + */ +class Check extends DefaultTask { + + def currentProjectName = project.getName() + def config = project.dependencyCheck + + /** + * Initializes the check task. + */ + Check() { + group = 'OWASP dependency-check' + description = 'Produce dependency security report.' + } + + /** + * Calls dependency-check-core's analysis engine to scan + * all of the projects dependencies. + */ + @TaskAction + def check() { + initializeSettings() + def engine = new Engine() + + scanDependencies(engine) + analyzeDependencies(engine) + generateReport(engine) + showSummary(engine) + checkForFailure(engine) + cleanup(engine) + } + + /** + * Initializes the settings object. If the setting is not set the + * default from dependency-check-core is used. 
+ */ + def initializeSettings() { + Settings.initialize() + + Settings.setBooleanIfNotNull(AUTO_UPDATE, config.autoUpdate) + Settings.setStringIfNotEmpty(SUPPRESSION_FILE, config.suppressionFile) + + Settings.setStringIfNotEmpty(PROXY_SERVER, config.proxy.server) + Settings.setStringIfNotEmpty(PROXY_PORT, "${config.proxy.port}") + Settings.setStringIfNotEmpty(PROXY_USERNAME, config.proxy.username) + Settings.setStringIfNotEmpty(PROXY_PASSWORD, config.proxy.password) + //Settings.setStringIfNotEmpty(CONNECTION_TIMEOUT, connectionTimeout) + Settings.setStringIfNotNull(DATA_DIRECTORY, config.data.directory) + Settings.setStringIfNotEmpty(DB_DRIVER_NAME, config.data.driver) + Settings.setStringIfNotEmpty(DB_DRIVER_PATH, config.data.driverPath) + Settings.setStringIfNotEmpty(DB_CONNECTION_STRING, config.data.connectionString) + Settings.setStringIfNotEmpty(DB_USER, config.data.username) + Settings.setStringIfNotEmpty(DB_PASSWORD, config.data.password) + Settings.setStringIfNotEmpty(CVE_MODIFIED_12_URL, config.cve.url12Modified) + Settings.setStringIfNotEmpty(CVE_MODIFIED_20_URL, config.cve.url20Modified) + Settings.setStringIfNotEmpty(CVE_SCHEMA_1_2, config.cve.url12Base) + Settings.setStringIfNotEmpty(CVE_SCHEMA_2_0, config.cve.url20Base) + + if (config.cveValidForHours != null) { + if (config.cveValidForHours >= 0) { + Settings.setInt(CVE_CHECK_VALID_FOR_HOURS, config.cveValidForHours); + } else { + throw new InvalidUserDataException("Invalid setting: `validForHours` must be 0 or greater"); + } + } + Settings.setBooleanIfNotNull(ANALYZER_JAR_ENABLED, config.analyzer.jarEnabled) + Settings.setBooleanIfNotNull(ANALYZER_NUSPEC_ENABLED, config.analyzer.nuspecEnabled) + Settings.setBooleanIfNotNull(ANALYZER_CENTRAL_ENABLED, config.analyzer.centralEnabled) + + Settings.setBooleanIfNotNull(ANALYZER_NEXUS_ENABLED, config.analyzer.nexusEnabled) + Settings.setStringIfNotEmpty(ANALYZER_NEXUS_URL, config.analyzer.nexusUrl) + Settings.setBooleanIfNotNull(ANALYZER_NEXUS_USES_PROXY, 
config.analyzer.nexusUsesProxy) + + Settings.setBooleanIfNotNull(ANALYZER_ARCHIVE_ENABLED, config.analyzer.archiveEnabled) + Settings.setStringIfNotEmpty(ADDITIONAL_ZIP_EXTENSIONS, config.analyzer.zipExtensions) + Settings.setBooleanIfNotNull(ANALYZER_ASSEMBLY_ENABLED, config.analyzer.assemblyEnabled) + Settings.setStringIfNotEmpty(ANALYZER_ASSEMBLY_MONO_PATH, config.analyzer.pathToMono) + + Settings.setBooleanIfNotNull(ANALYZER_PYTHON_DISTRIBUTION_ENABLED, config.analyzer.pyDistributionEnabled) + Settings.setBooleanIfNotNull(ANALYZER_PYTHON_PACKAGE_ENABLED, config.analyzer.pyPackageEnabled) + Settings.setBooleanIfNotNull(ANALYZER_RUBY_GEMSPEC_ENABLED, config.analyzer.rubygemsEnabled) + Settings.setBooleanIfNotNull(ANALYZER_OPENSSL_ENABLED, config.analyzer.opensslEnabled) + Settings.setBooleanIfNotNull(ANALYZER_CMAKE_ENABLED, config.analyzer.cmakeEnabled) + Settings.setBooleanIfNotNull(ANALYZER_AUTOCONF_ENABLED, config.analyzer.autoconfEnabled) + Settings.setBooleanIfNotNull(ANALYZER_COMPOSER_LOCK_ENABLED, config.analyzer.composerEnabled) + Settings.setBooleanIfNotNull(ANALYZER_NODE_PACKAGE_ENABLED, config.analyzer.nodeEnabled) + } + /** + * Relases resources and removes temporary files used. + */ + def cleanup(engine) { + Settings.cleanup(true) + engine.cleanup(); + } + + /** + * Loads the projects dependencies into the dependency-check analysis engine. + */ + def scanDependencies(engine) { + logger.lifecycle("Verifying dependencies for project ${currentProjectName}") + getAllDependencies(project).each { + engine.scan(it) + } + } + + /** + * Performs the dependency-check analysis. + */ + def analyzeDependencies(Engine engine) { + logger.lifecycle("Checking for updates and analyzing vulnerabilities for dependencies") + engine.analyzeDependencies() + } + + /** + * Displays a summary of the dependency-check results to the build console. 
+ */ + def showSummary(Engine engine) { + def vulnerabilities = engine.getDependencies().collect { Dependency dependency -> + dependency.getVulnerabilities() + }.flatten() + + logger.lifecycle("Found ${vulnerabilities.size()} vulnerabilities in project ${currentProjectName}") + if (config.showSummary) { + final StringBuilder summary = new StringBuilder() + for (Dependency d : engine.getDependencies()) { + boolean firstEntry = true + final StringBuilder ids = new StringBuilder() + for (Vulnerability v : d.getVulnerabilities()) { + if (firstEntry) { + firstEntry = false + } else { + ids.append(", ") + } + ids.append(v.getName()) + } + if (ids.length() > 0) { + summary.append(d.getFileName()).append(" (") + firstEntry = true + for (Identifier id : d.getIdentifiers()) { + if (firstEntry) { + firstEntry = false + } else { + summary.append(", ") + } + summary.append(id.getValue()) + } + summary.append(") : ").append(ids).append('\n') + } + } + if (summary.length() > 0) { + final String msg = String.format("%n%n" + + "One or more dependencies were identified with known vulnerabilities:%n%n%s" + + "%n%nSee the dependency-check report for more details.%n%n", summary.toString()) + logger.lifecycle(msg) + } + } + + } + + /** + * If configured, fails the build if a vulnerability is identified with a CVSS + * score higher then the failure threshold configured. 
+ */ + def checkForFailure(Engine engine) { + if (config.failBuildOnCVSS>10) { + return + } + + def vulnerabilities = engine.getDependencies().collect { Dependency dependency -> + dependency.getVulnerabilities() + }.flatten() + + final StringBuilder ids = new StringBuilder(); + + vulnerabilities.each { + if (it.getCvssScore() >= config.failBuildOnCVSS) { + if (ids.length() == 0) { + ids.append(it.getName()); + } else { + ids.append(", ").append(it.getName()); + } + } + } + if (ids.length() > 0) { + final String msg = String.format("%n%nDependency-Check Failure:%n" + + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater then '%.1f': %s%n" + + "See the dependency-check report for more details.%n%n", config.failBuildOnCVSS, ids.toString()); + throw new GradleException(msg); + } + + } + /** + * Writes the report(s) to the configured output directory. + */ + def generateReport(Engine engine) { + logger.lifecycle("Generating report for project ${currentProjectName}") + def reportGenerator = new ReportGenerator(currentProjectName, engine.dependencies, engine.analyzers, + new CveDB().databaseProperties) + + reportGenerator.generateReports("$project.buildDir/${config.reportsDirName}", config.format) + } + + /** + * Returns all dependencies associated wtihin the configured dependency groups. Test + * groups can be excluded by setting the skipTestGroups configuration to true. + */ + def getAllDependencies(project) { + return project.getConfigurations().findAll { + !config.skipTestGroups || (config.skipTestGroups && !it.getName().startsWith("test")) + }.collect { + it.getResolvedConfiguration().getResolvedArtifacts().collect { ResolvedArtifact artifact -> + artifact.getFile() + } + }.flatten().unique(); + } +} 
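Review bot: `cleanup(engine)` at the end of `check()` is never reached when an earlier step throws, and `checkForFailure(engine)` throws a `GradleException` by design, so on exactly the build-failed path neither `Settings.cleanup(true)` nor `engine.cleanup()` runs and their temporary state is left behind; wrap the steps after `new Engine()` in a `try`/`finally` as below (the same shape applies to `update()` in Update.groovy, where `engine.doUpdates()` precedes `cleanup(engine)`). `CVE_CHECK_VALID_FOR_HOURS`, used in `initializeSettings()`, is not among the static imports of this file, so Groovy resolves it as a dynamic property and the task most likely fails with a `MissingPropertyException` as soon as `cveValidForHours` is configured; Update.groovy's `initializeSettings()` has the same omission, so add `import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS` to both. `"${config.proxy.port}"` renders an unset port as the string `"null"`, which `setStringIfNotEmpty` does not filter out, so an unconfigured proxy port is still pushed into the core settings; guard it with `if (config.proxy.port != null) Settings.setString(PROXY_PORT, config.proxy.port.toString())` (again also in Update.groovy). Minor: the `InvalidUserDataException` message names `validForHours` while the property read is `cveValidForHours`, and the filter in `getAllDependencies` simplifies to `!config.skipTestGroups || !it.getName().startsWith("test")`.
```groovy
    @TaskAction
    def check() {
        initializeSettings()
        def engine = new Engine()
        try {
            scanDependencies(engine)
            analyzeDependencies(engine)
            generateReport(engine)
            showSummary(engine)
            checkForFailure(engine)
        } finally {
            // also runs on the GradleException thrown by checkForFailure
            cleanup(engine)
        }
    }
```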
diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy deleted file mode 100644 index 2c63c03c2..000000000 --- a/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy +++ /dev/null 
@@ -1,176 +0,0 @@ -/* - * This file is part of dependency-check-gradle. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * Copyright (c) 2015 Wei Ma. All Rights Reserved. - */ - -package com.tools.security.tasks - -import org.gradle.api.DefaultTask -import org.gradle.api.artifacts.Configuration -import org.gradle.api.artifacts.ResolvedArtifact -import org.gradle.api.tasks.TaskAction -import org.owasp.dependencycheck.Engine -import org.owasp.dependencycheck.data.nvdcve.CveDB -import org.owasp.dependencycheck.dependency.Dependency -import org.owasp.dependencycheck.reporting.ReportGenerator -import org.owasp.dependencycheck.utils.Settings - -import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_MODIFIED_12_URL -import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_MODIFIED_20_URL -import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_SCHEMA_1_2 -import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_SCHEMA_2_0 -import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_START_YEAR -import static org.owasp.dependencycheck.utils.Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP -import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_PASSWORD -import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_PORT -import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_SERVER -import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_USERNAME -import static 
org.owasp.dependencycheck.utils.Settings.KEYS.SUPPRESSION_FILE -import static org.owasp.dependencycheck.utils.Settings.setBoolean -import static org.owasp.dependencycheck.utils.Settings.setString - -class DependencyCheckTask extends DefaultTask { - - def currentProjectName = project.getName() - def config = project.dependencyCheck - - DependencyCheckTask() { - group = 'Dependency Check' - description = 'Produce dependency security report.' - } - - @TaskAction - def check() { - initializeSettings() - def engine = initializeEngine() - - verifyDependencies(engine) - analyzeDependencies(engine) - retrieveVulnerabilities(engine) - generateReport(engine) - - cleanup(engine) - } - - private Engine initializeEngine() { - new Engine() - } - - def initializeSettings() { - Settings.initialize() - overrideProxySetting() - overrideCveUrlSetting() - overrideDownloaderSetting() - overrideSuppressionFile() - } - - def cleanup(engine) { - Settings.cleanup(true) - engine.cleanup(); - } - - def verifyDependencies(engine) { - logger.lifecycle("Verifying dependencies for project ${currentProjectName}") - getAllDependencies(project).each { engine.scan(it) } - } - - def analyzeDependencies(Engine engine) { - logger.lifecycle("Checking for updates and analyzing vulnerabilities for dependencies") - engine.analyzeDependencies() - } - - def retrieveVulnerabilities(Engine engine) { - def vulnerabilities = engine.getDependencies().collect { Dependency dependency -> - dependency.getVulnerabilities() - }.flatten() - - logger.lifecycle("Found ${vulnerabilities.size()} vulnerabilities in project ${currentProjectName}") - } - - def generateReport(Engine engine) { - logger.lifecycle("Generating report for project ${currentProjectName}") - def reportGenerator = new ReportGenerator(currentProjectName, engine.dependencies, engine.analyzers, - new CveDB().databaseProperties) - - reportGenerator.generateReports(generateReportDirectory(currentProjectName), ReportGenerator.Format.ALL) - } - - def 
generateReportDirectory(String currentProjectName) { - "${config.outputDirectory}/${currentProjectName}" - } - - def overrideProxySetting() { - if (isProxySettingExist()) { - logger.lifecycle("Using proxy ${config.proxy.server}:${config.proxy.port}") - - overrideStringSetting(PROXY_SERVER, config.proxy.server) - overrideStringSetting(PROXY_PORT, "${config.proxy.port}") - overrideStringSetting(PROXY_USERNAME, config.proxy.username) - overrideStringSetting(PROXY_PASSWORD, config.proxy.password) - } - } - - def isProxySettingExist() { - config.proxy.server != null && config.proxy.port != null - } - - def getAllDependencies(project) { - return project.getConfigurations().collect { Configuration configuration -> - configuration.getResolvedConfiguration().getResolvedArtifacts().collect { ResolvedArtifact artifact -> - artifact.getFile() - } - }.flatten(); - } - - def overrideCveUrlSetting() { - overrideStringSetting(CVE_MODIFIED_20_URL, config.cve.url20Modified) - overrideStringSetting(CVE_MODIFIED_12_URL, config.cve.url12Modified) - overrideIntegerSetting(CVE_START_YEAR, config.cve.startYear) - overrideStringSetting(CVE_SCHEMA_2_0, config.cve.url20Base) - overrideStringSetting(CVE_SCHEMA_1_2, config.cve.url12Base) - } - - def overrideDownloaderSetting() { - overrideBooleanSetting(DOWNLOADER_QUICK_QUERY_TIMESTAMP, config.quickQueryTimestamp) - } - - def overrideSuppressionFile() { - if (config.suppressionFile) { - overrideStringSetting(SUPPRESSION_FILE, config.suppressionFile); - } - } - - private overrideStringSetting(String key, String providedValue) { - if (providedValue != null) { - logger.lifecycle("Setting [${key}] overrided with value [${providedValue}]") - setString(key, providedValue) - } - } - - private overrideIntegerSetting(String key, Integer providedValue) { - if (providedValue != null) { - logger.lifecycle("Setting [${key}] overrided with value [${providedValue}]") - setString(key, "${providedValue}") - } - } - - private overrideBooleanSetting(String key, 
Boolean providedValue) { - if (providedValue != null) { - logger.lifecycle("Setting [${key}] overrided with value [${providedValue}]") - setBoolean(key, providedValue) - } - } -} diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/Purge.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/Purge.groovy new file mode 100644 index 000000000..89e74a9a1 --- /dev/null +++ b/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/Purge.groovy 
@@ -0,0 +1,82 @@ +/* + * This file is part of dependency-check-gradle. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2015 Jeremy Long. All Rights Reserved. + */ + +package com.tools.security.tasks + +import org.gradle.api.DefaultTask +import org.gradle.api.artifacts.Configuration +import org.gradle.api.artifacts.ResolvedArtifact +import org.gradle.api.tasks.TaskAction +import java.io.File +import org.owasp.dependencycheck.Engine +import org.owasp.dependencycheck.data.nvdcve.CveDB +import org.owasp.dependencycheck.dependency.Dependency +import org.owasp.dependencycheck.reporting.ReportGenerator +import org.owasp.dependencycheck.utils.Settings + +import static org.owasp.dependencycheck.utils.Settings.KEYS.DATA_DIRECTORY + +/** + * Purges the local cache of the NVD CVE data. + */ +class Purge extends DefaultTask { + + def config = project.dependencyCheckPurge + + /** + * Initializes the purge task. + */ + Purge() { + group = 'OWASP dependency-check' + description = 'Purges the local cache of the NVD.' + } + + /** + * Purges the local cache of the NVD data. 
+ */ + @TaskAction + def purge() { + initializeSettings() + def db = new File(Settings.getDataDirectory(), "dc.h2.db") + if (db.exists()) { + if (db.delete()) { + logger.info("Database file purged; local copy of the NVD has been removed") + } else { + logger.warn("Unable to delete '${db.getAbsolutePath()}'; please delete the file manually") + } + } else { + logger.warn("Unable to purge database; the database file does not exists: ${db.getAbsolutePath()}") + } + cleanup() + } + + /** + * Intializes the configuration. + */ + def initializeSettings() { + Settings.initialize() + Settings.setStringIfNotNull(DATA_DIRECTORY, config.data.directory) + } + + /** + * Relases resources and removes temporary files used. + */ + def cleanup() { + Settings.cleanup(true) + } +} diff --git a/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/Update.groovy b/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/Update.groovy new file mode 100644 index 000000000..93881b286 --- /dev/null +++ b/dependency-check-gradle/src/main/groovy/com/tools/security/tasks/Update.groovy 
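Review bot: `cleanup()` at the end of `purge()` is skipped if `Settings.getDataDirectory()` or the `File` operations throw, leaving the `Settings` state initialised by `initializeSettings()` behind; since `initializeSettings()` is the first statement, move the remainder of the body into `try { … } finally { cleanup() }`. The database file name `dc.h2.db` is hard-coded, so the task can only purge the default embedded H2 store; if the purge extension ever exposes the `data.connectionString`/`driver` settings the other tasks accept, this will warn about a missing file instead of purging anything, which deserves a comment above the `new File(...)` line such as `// only the default embedded H2 database is purged; an external database is left untouched`. The warning text `does not exists` should read `does not exist`, and the imports of `Configuration`, `ResolvedArtifact`, `Engine`, `CveDB`, `Dependency` and `ReportGenerator` are unused in this class.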
@@ -0,0 +1,116 @@ +/* + * This file is part of dependency-check-gradle. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2015 Jeremy Long. All Rights Reserved. + */ + +package com.tools.security.tasks + +import org.gradle.api.DefaultTask +import org.gradle.api.artifacts.Configuration +import org.gradle.api.artifacts.ResolvedArtifact +import org.gradle.api.tasks.TaskAction +import org.gradle.api.InvalidUserDataException +import org.owasp.dependencycheck.Engine +import org.owasp.dependencycheck.data.nvdcve.CveDB +import org.owasp.dependencycheck.dependency.Dependency +import org.owasp.dependencycheck.reporting.ReportGenerator +import org.owasp.dependencycheck.utils.Settings + +import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_MODIFIED_12_URL +import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_MODIFIED_20_URL +import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_SCHEMA_1_2 +import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_SCHEMA_2_0 +import static org.owasp.dependencycheck.utils.Settings.KEYS.CVE_START_YEAR +import static org.owasp.dependencycheck.utils.Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP +import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_PASSWORD +import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_PORT +import static org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_SERVER +import static 
org.owasp.dependencycheck.utils.Settings.KEYS.PROXY_USERNAME +import static org.owasp.dependencycheck.utils.Settings.KEYS.DATA_DIRECTORY +import static org.owasp.dependencycheck.utils.Settings.KEYS.SUPPRESSION_FILE + +import static org.owasp.dependencycheck.utils.Settings.KEYS.DB_DRIVER_NAME +import static org.owasp.dependencycheck.utils.Settings.KEYS.DB_DRIVER_PATH +import static org.owasp.dependencycheck.utils.Settings.KEYS.DB_CONNECTION_STRING +import static org.owasp.dependencycheck.utils.Settings.KEYS.DB_USER +import static org.owasp.dependencycheck.utils.Settings.KEYS.DB_PASSWORD + +/** + * Updates the local cache of the NVD CVE data. + * + * @author Jeremy Long + */ +class Update extends DefaultTask { + + def config = project.dependencyCheckUpdate + + /** + * Initializes the update task. + */ + Update() { + group = 'OWASP dependency-check' + description = 'Downloads and stores updates from the NVD CVE data feeds.' + } + + /** + * Executes the update task. + */ + @TaskAction + def update() { + initializeSettings() + def engine = new Engine() + engine.doUpdates() + cleanup(engine) + } + + /** + * Initializes the settings; if the setting is not configured + * then the default value from dependency-check-core is used. 
+ */ + def initializeSettings() { + Settings.initialize() + Settings.setStringIfNotEmpty(PROXY_SERVER, config.proxy.server) + Settings.setStringIfNotEmpty(PROXY_PORT, "${config.proxy.port}") + Settings.setStringIfNotEmpty(PROXY_USERNAME, config.proxy.username) + Settings.setStringIfNotEmpty(PROXY_PASSWORD, config.proxy.password) + //Settings.setStringIfNotEmpty(CONNECTION_TIMEOUT, connectionTimeout) + Settings.setStringIfNotNull(DATA_DIRECTORY, config.data.directory) + Settings.setStringIfNotEmpty(DB_DRIVER_NAME, config.data.driver) + Settings.setStringIfNotEmpty(DB_DRIVER_PATH, config.data.driverPath) + Settings.setStringIfNotEmpty(DB_CONNECTION_STRING, config.data.connectionString) + Settings.setStringIfNotEmpty(DB_USER, config.data.username) + Settings.setStringIfNotEmpty(DB_PASSWORD, config.data.password) + Settings.setStringIfNotEmpty(CVE_MODIFIED_12_URL, config.cve.url12Modified) + Settings.setStringIfNotEmpty(CVE_MODIFIED_20_URL, config.cve.url20Modified) + Settings.setStringIfNotEmpty(CVE_SCHEMA_1_2, config.cve.url12Base) + Settings.setStringIfNotEmpty(CVE_SCHEMA_2_0, config.cve.url20Base) + + if (config.cveValidForHours != null) { + if (config.cveValidForHours >= 0) { + Settings.setInt(CVE_CHECK_VALID_FOR_HOURS, config.cveValidForHours); + } else { + throw new InvalidUserDataException("Invalid setting: `validForHours` must be 0 or greater"); + } + } + } + /** + * Relases resources and removes temporary files used. + */ + def cleanup(engine) { + Settings.cleanup(true) + engine.cleanup(); + } +} diff --git a/dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/dependency-check.properties b/dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/dependencyCheck.properties similarity index 89% rename from dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/dependency-check.properties rename to dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/dependencyCheck.properties index 877c70050..523794cc4 100644 
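Review bot: `initializeSettings()` here duplicates, line for line, the proxy, data-directory, database, CVE-URL and `cveValidForHours` handling of `Check.initializeSettings()`, so any future change to how a setting is validated has to be made twice; a shared helper (e.g. a static `applyCommonSettings(config)` in the tasks package that both tasks call before their task-specific keys) would keep the two in step. Most of the imports are also unused — `Configuration`, `ResolvedArtifact`, `CveDB`, `Dependency`, `ReportGenerator` and the static keys `CVE_START_YEAR`, `DOWNLOADER_QUICK_QUERY_TIMESTAMP` and `SUPPRESSION_FILE` are never referenced — and appear to be carried over from the scan task; dropping them makes the update task's real dependencies on core visible.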
--- a/dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/dependency-check.properties +++ b/dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/dependencyCheck.properties @@ -16,4 +16,4 @@ # Copyright (c) 2015 Wei Ma. All Rights Reserved. # -implementation-class=com.tools.security.plugin.DependencyCheckGradlePlugin \ No newline at end of file +implementation-class=com.tools.security.plugin.DependencyCheck \ No newline at end of file diff --git a/dependency-check-gradle/src/test/groovy/com/tools/security/plugin/DependencyCheckGradlePluginSpec.groovy b/dependency-check-gradle/src/test/groovy/com/tools/security/plugin/DependencyCheckGradlePluginSpec.groovy index 43ddd93b0..4d793c351 100644 --- a/dependency-check-gradle/src/test/groovy/com/tools/security/plugin/DependencyCheckGradlePluginSpec.groovy +++ b/dependency-check-gradle/src/test/groovy/com/tools/security/plugin/DependencyCheckGradlePluginSpec.groovy @@ -22,7 +22,7 @@ import nebula.test.PluginProjectSpec import org.gradle.api.Task class DependencyCheckGradlePluginSpec extends PluginProjectSpec { - static final String PLUGIN_ID = 'dependency-check' + static final String PLUGIN_ID = 'dependency-check-gradle' @Override String getPluginName() {