github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-19 15:54:52 +01:00
Code Issues Packages Projects Releases Wiki Activity

updates to resolve issue #71 - added configuration for cve urls

Browse Source 
Former-commit-id: 5b1ce45649cdefc92c694cea54cedd18fa30b005
This commit is contained in:
Jeremy Long
2014-02-15 07:50:00 -05:00
parent 2f20bf1bee
commit ae76a7f7d4
3 changed files with 97 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

62
dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java
View File

@@ -248,7 +248,31 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
*/ */
@Parameter(property = "skipProvidedScope", defaultValue = "false", required = false) @Parameter(property = "skipProvidedScope", defaultValue = "false", required = false)
private boolean skipProvidedScope = false; private boolean skipProvidedScope = false;
/**
* The data directory, hold DC SQL DB.
*/
@Parameter(property = "dataDirectory", defaultValue = "", required = false)
private String dataDirectory;
/**
* Data Mirror URL for CVE 1.2
*/
@Parameter(property = "cveUrl12Modified", defaultValue = "", required = false)
private String cveUrl12Modified;
/**
* Data Mirror URL for CVE 2.0
*/
@Parameter(property = "cveUrl20Modified", defaultValue = "", required = false)
private String cveUrl20Modified;
/**
* Base Data Mirror URL for CVE 1.2
*/
@Parameter(property = "cveUrl12Base", defaultValue = "", required = false)
private String cveUrl12Base;
/**
* Data Mirror URL for CVE 2.0
*/
@Parameter(property = "cveUrl20Base", defaultValue = "", required = false)
private String cveUrl20Base;
// </editor-fold> // </editor-fold>
/** /**
@@ -265,16 +289,19 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
final Engine engine = new Engine(); final Engine engine = new Engine();
final Set<Artifact> artifacts = project.getArtifacts(); final Set<Artifact> artifacts = project.getArtifacts();
for (Artifact a : artifacts) { for (Artifact a : artifacts) {
if (skipTestScope && Artifact.SCOPE_TEST.equals(a.getScope())) if (skipTestScope && Artifact.SCOPE_TEST.equals(a.getScope())) {
continue;
if (skipProvidedScope && Artifact.SCOPE_PROVIDED.equals(a.getScope()))
continue; continue;
}
if (skipRuntimeScope && !Artifact.SCOPE_RUNTIME.equals(a.getScope())) if (skipProvidedScope && Artifact.SCOPE_PROVIDED.equals(a.getScope())) {
continue; continue;
}
engine.scan(a.getFile().getAbsolutePath()); if (skipRuntimeScope && !Artifact.SCOPE_RUNTIME.equals(a.getScope())) {
continue;
}
engine.scan(a.getFile().getAbsolutePath());
} }
engine.analyzeDependencies(); engine.analyzeDependencies();
return engine; return engine;
@@ -734,9 +761,30 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
if (zipExtensions != null && !zipExtensions.isEmpty()) { if (zipExtensions != null && !zipExtensions.isEmpty()) {
Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions); Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
} }
// Scope Exclusion
Settings.setBoolean(Settings.KEYS.SKIP_TEST_SCOPE, skipTestScope); Settings.setBoolean(Settings.KEYS.SKIP_TEST_SCOPE, skipTestScope);
Settings.setBoolean(Settings.KEYS.SKIP_RUNTIME_SCOPE, skipRuntimeScope); Settings.setBoolean(Settings.KEYS.SKIP_RUNTIME_SCOPE, skipRuntimeScope);
Settings.setBoolean(Settings.KEYS.SKIP_PROVIDED_SCOPE, skipProvidedScope); Settings.setBoolean(Settings.KEYS.SKIP_PROVIDED_SCOPE, skipProvidedScope);
// Data Directory
if (dataDirectory != null && !dataDirectory.isEmpty()) {
Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
}
// CVE Data Mirroring
if (cveUrl12Modified != null && !cveUrl12Modified.isEmpty()) {
Settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
}
if (cveUrl20Modified != null && !cveUrl20Modified.isEmpty()) {
Settings.setString(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
}
if (cveUrl12Base != null && !cveUrl12Base.isEmpty()) {
Settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
}
if (cveUrl20Base != null && !cveUrl20Base.isEmpty()) {
Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
}
} }
/** /**

11
dependency-check-maven/src/site/markdown/configuration.md
View File

@@ -23,6 +23,11 @@ connectionString | The connection string used to connect to the database. |
databaseUser | The username used when connecting to the database. | databaseUser | The username used when connecting to the database. |
databasePassword | The password used when connecting to the database. | databasePassword | The password used when connecting to the database. |
zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. |
skipTestScope | Should be skip analysis for artifacts with Test Scope (default: true) | skipTestScope | Should be skip analysis for artifacts with Test Scope | true
skipProvidedScope | Should be skip analysis for artifacts with Provided Scope (default: false) | skipProvidedScope | Should be skip analysis for artifacts with Provided Scope | false
skipRuntimeScope | Should be skip analysis for artifacts with Runtime Scope (default: false) | skipRuntimeScope | Should be skip analysis for artifacts with Runtime Scope | false
dataDirectory | Data directory to hold SQL CVEs contents. This should generally not be changed. |
cveUrl12Modified | URL for the modified CVE 1.2 | http://nvd.nist.gov/download/nvdcve-modified.xml
cveUrl20Modified | URL for the modified CVE 2.0 | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year | http://nvd.nist.gov/download/nvdcve-%d.xml
cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml

34
dependency-check-maven/src/site/markdown/usage.md.vm
View File

@@ -135,4 +135,38 @@ Create the DependencyCheck-report.html and skip artifacts no bundled in distribu
... ...
</project> </project>
``` ```
Example 5:
---------------------
Create the DependencyCheck-report.html and use internal mirroring of CVE contents
```xml
<project>
<build>
<plugins>
...
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>${project.version}</version>
<configuration>
<cveUrl12Modified>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-modified.xml</cveUrl12Modified>
<cveUrl20Modified>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-2.0-modified.xml</cveUrl20Modified>
<cveUrl12Base>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-%d.xml</cveUrl12Base>
<cveUrl20Base>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-2.0-%d.xml</cveUrl20Base>
</configuration>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
...
</plugins>
...
</build>
...
</project>
```