Merge branch 'master' of github.com:jeremylong/DependencyCheck

This commit is contained in:
Jeremy Long
2017-06-04 07:50:22 -04:00
27 changed files with 277 additions and 222 deletions


@@ -12,5 +12,4 @@ before_install:
after_success:
- java -cp ~/codacy-coverage-reporter-assembly.jar com.codacy.CodacyCoverageReporter -l Java -r build-reporting/target/coverage-reports/jacoco.xml
- chmod +x coverity_scan.sh
- ./coverity_scan.sh

coverity_scan.sh Normal file → Executable file


@@ -28,16 +28,13 @@ import org.apache.tools.ant.types.ResourceCollection;
import org.apache.tools.ant.types.resources.FileProvider;
import org.apache.tools.ant.types.resources.Resources;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Identifier;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.exception.ExceptionCollection;
import org.owasp.dependencycheck.exception.ReportException;
import org.owasp.dependencycheck.reporting.ReportGenerator;
import org.owasp.dependencycheck.reporting.ReportGenerator.Format;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.impl.StaticLoggerBinder;
@@ -146,8 +143,8 @@ public class Check extends Update {
private boolean updateOnly = false;
/**
* The report format to be generated (HTML, XML, VULN, CSV, JSON, ALL). Default is
* HTML.
* The report format to be generated (HTML, XML, VULN, CSV, JSON, ALL).
* Default is HTML.
*/
private String reportFormat = "HTML";
/**
@@ -940,7 +937,7 @@ public class Check extends Update {
throw new BuildException(ex);
}
}
engine.writeReports(getProjectName(),new File(reportOutputDirectory), reportFormat);
engine.writeReports(getProjectName(), new File(reportOutputDirectory), reportFormat);
if (this.failBuildOnCVSS <= 10) {
checkForFailure(engine.getDependencies());
@@ -1093,8 +1090,8 @@ public class Check extends Update {
}
/**
* An enumeration of supported report formats: "ALL", "HTML", "XML", "CSV", "JSON", "VULN",
* etc..
* An enumeration of supported report formats: "ALL", "HTML", "XML", "CSV",
* "JSON", "VULN", etc..
*/
public static class ReportFormats extends EnumeratedAttribute {


@@ -28,13 +28,10 @@ import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.apache.commons.cli.ParseException;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import org.owasp.dependencycheck.dependency.Dependency;
import org.apache.tools.ant.DirectoryScanner;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.reporting.ReportGenerator;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -220,56 +217,11 @@ public class App {
String[] excludes, int symLinkDepth, int cvssFailScore) throws InvalidScanPathException, DatabaseException,
ExceptionCollection, ReportException {
Engine engine = null;
int retCode = 0;
try {
final List<String> antStylePaths = getPaths(files);
final Set<File> paths = scanAntStylePaths(antStylePaths, symLinkDepth, excludes);
engine = new Engine();
final List<String> antStylePaths = new ArrayList<>();
for (String file : files) {
final String antPath = ensureCanonicalPath(file);
antStylePaths.add(antPath);
}
final Set<File> paths = new HashSet<>();
for (String file : antStylePaths) {
LOGGER.debug("Scanning {}", file);
final DirectoryScanner scanner = new DirectoryScanner();
String include = file.replace('\\', '/');
File baseDir;
if (include.startsWith("//")) {
throw new InvalidScanPathException("Unable to scan paths specified by //");
} else {
final int pos = getLastFileSeparator(include);
final String tmpBase = include.substring(0, pos);
final String tmpInclude = include.substring(pos + 1);
if (tmpInclude.indexOf('*') >= 0 || tmpInclude.indexOf('?') >= 0
|| (new File(include)).isFile()) {
baseDir = new File(tmpBase);
include = tmpInclude;
} else {
baseDir = new File(tmpBase, tmpInclude);
include = "**/*";
}
}
scanner.setBasedir(baseDir);
final String[] includes = {include};
scanner.setIncludes(includes);
scanner.setMaxLevelsOfSymlinks(symLinkDepth);
if (symLinkDepth <= 0) {
scanner.setFollowSymlinks(false);
}
if (excludes != null && excludes.length > 0) {
scanner.addExcludes(excludes);
}
scanner.scan();
if (scanner.getIncludedFilesCount() > 0) {
for (String s : scanner.getIncludedFiles()) {
final File f = new File(baseDir, s);
LOGGER.debug("Found file {}", f.toString());
paths.add(f);
}
}
}
engine.scan(paths);
ExceptionCollection exCol = null;
@@ -295,19 +247,7 @@ public class App {
if (exCol != null && exCol.getExceptions().size() > 0) {
throw exCol;
}
//Set the exit code based on whether we found a high enough vulnerability
for (Dependency dep : engine.getDependencies()) {
if (!dep.getVulnerabilities().isEmpty()) {
for (Vulnerability vuln : dep.getVulnerabilities()) {
LOGGER.debug("VULNERABILITY FOUND " + dep.getDisplayFileName());
if (vuln.getCvssScore() > cvssFailScore) {
retCode = 1;
}
}
}
}
return retCode;
return determineReturnCode(engine, cvssFailScore);
} finally {
if (engine != null) {
engine.cleanup();
@@ -315,6 +255,102 @@ public class App {
}
}
/**
* Determines the return code based on if one of the dependencies scanned
* has a vulnerability with a CVSS score above the cvssFailScore.
*
* @param engine the engine used during analysis
* @param cvssFailScore the max allowed CVSS score
* @return returns <code>1</code> if a severe enough vulnerability is
* identified; otherwise <code>0</code>
*/
private int determineReturnCode(Engine engine, int cvssFailScore) {
int retCode = 0;
//Set the exit code based on whether we found a high enough vulnerability
for (Dependency dep : engine.getDependencies()) {
if (!dep.getVulnerabilities().isEmpty()) {
for (Vulnerability vuln : dep.getVulnerabilities()) {
LOGGER.debug("VULNERABILITY FOUND " + dep.getDisplayFileName());
if (vuln.getCvssScore() > cvssFailScore) {
retCode = 1;
}
}
}
}
return retCode;
}
/**
* Scans the give Ant Style paths and collects the actual files.
*
* @param antStylePaths a list of ant style paths to scan for actual files
* @param symLinkDepth the depth to traverse symbolic links
* @param excludes an array of ant style excludes
* @return returns the set of identified files
* @throws InvalidScanPathException thrown when the scan path is invalid
* @throws IllegalStateException
*/
private Set<File> scanAntStylePaths(List<String> antStylePaths, int symLinkDepth, String[] excludes)
throws InvalidScanPathException {
final Set<File> paths = new HashSet<>();
for (String file : antStylePaths) {
LOGGER.debug("Scanning {}", file);
final DirectoryScanner scanner = new DirectoryScanner();
String include = file.replace('\\', '/');
File baseDir;
if (include.startsWith("//")) {
throw new InvalidScanPathException("Unable to scan paths specified by //");
} else {
final int pos = getLastFileSeparator(include);
final String tmpBase = include.substring(0, pos);
final String tmpInclude = include.substring(pos + 1);
if (tmpInclude.indexOf('*') >= 0 || tmpInclude.indexOf('?') >= 0
|| (new File(include)).isFile()) {
baseDir = new File(tmpBase);
include = tmpInclude;
} else {
baseDir = new File(tmpBase, tmpInclude);
include = "**/*";
}
}
scanner.setBasedir(baseDir);
final String[] includes = {include};
scanner.setIncludes(includes);
scanner.setMaxLevelsOfSymlinks(symLinkDepth);
if (symLinkDepth <= 0) {
scanner.setFollowSymlinks(false);
}
if (excludes != null && excludes.length > 0) {
scanner.addExcludes(excludes);
}
scanner.scan();
if (scanner.getIncludedFilesCount() > 0) {
for (String s : scanner.getIncludedFiles()) {
final File f = new File(baseDir, s);
LOGGER.debug("Found file {}", f.toString());
paths.add(f);
}
}
}
return paths;
}
/**
* Determines the ant style paths from the given array of files.
*
* @param files an array of file paths
* @return a list containing ant style paths
*/
private List<String> getPaths(String[] files) {
final List<String> antStylePaths = new ArrayList<>();
for (String file : files) {
final String antPath = ensureCanonicalPath(file);
antStylePaths.add(antPath);
}
return antStylePaths;
}
/**
* Only executes the update phase of dependency-check.
*
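Review bot: `determineReturnCode` logs with string concatenation, `LOGGER.debug("VULNERABILITY FOUND " + dep.getDisplayFileName());`, while the sibling `scanAntStylePaths` uses the parameterized form; `LOGGER.debug("VULNERABILITY FOUND {}", dep.getDisplayFileName());` is consistent with the rest of the class and skips the string build when debug logging is off. That call also sits inside the per-vulnerability loop, so a dependency with several findings is reported once per finding under a message that names only the file; either hoist it above the inner loop or include the vulnerability in the message. In `scanAntStylePaths` the Javadoc tag `@throws IllegalStateException` has no description; `@throws IllegalStateException if a computed base directory does not exist or is not a directory` (presumably raised by `scanner.scan()`) tells callers when to expect it. The `else` after the `throw` in that method is redundant and the nesting can be flattened.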


@@ -50,11 +50,30 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
* The Logger.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(FalsePositiveAnalyzer.class);
/**
* The file filter used to find DLL and EXE.
*/
private static final FileFilter DLL_EXE_FILTER = FileFilterBuilder.newInstance().addExtensions("dll", "exe").build();
/**
* Regex to identify core java libraries and a few other commonly
* misidentified ones.
*/
public static final Pattern CORE_JAVA = Pattern.compile("^cpe:/a:(sun|oracle|ibm):(j2[ems]e|"
+ "java(_platform_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|"
+ "jdk|jre|jsse)($|:.*)");
/**
* Regex to identify core jsf libraries.
*/
public static final Pattern CORE_JAVA_JSF = Pattern.compile("^cpe:/a:(sun|oracle|ibm):jsf($|:.*)");
/**
* Regex to identify core java library files. This is currently incomplete.
*/
public static final Pattern CORE_FILES = Pattern.compile("(^|/)((alt[-])?rt|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$");
/**
* Regex to identify core jsf java library files. This is currently
* incomplete.
*/
public static final Pattern CORE_JSF_FILES = Pattern.compile("(^|/)jsf[-][^/]*\\.jar$");
//<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
/**
@@ -214,27 +233,6 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
}
}
}
/**
* Regex to identify core java libraries and a few other commonly
* misidentified ones.
*/
public static final Pattern CORE_JAVA = Pattern.compile("^cpe:/a:(sun|oracle|ibm):(j2[ems]e|"
+ "java(_platform_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|"
+ "jdk|jre|jsse)($|:.*)");
/**
* Regex to identify core jsf libraries.
*/
public static final Pattern CORE_JAVA_JSF = Pattern.compile("^cpe:/a:(sun|oracle|ibm):jsf($|:.*)");
/**
* Regex to identify core java library files. This is currently incomplete.
*/
public static final Pattern CORE_FILES = Pattern.compile("(^|/)((alt[-])?rt|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$");
/**
* Regex to identify core jsf java library files. This is currently
* incomplete.
*/
public static final Pattern CORE_JSF_FILES = Pattern.compile("(^|/)jsf[-][^/]*\\.jar$");
/**
* Removes any CPE entries for the JDK/JRE unless the filename ends with


@@ -61,6 +61,10 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {
* The types of files on which this will work.
*/
private static final String SUPPORTED_EXTENSIONS = "nuspec";
/**
* The file filter used to determine which files this analyzer supports.
*/
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(SUPPORTED_EXTENSIONS).build();
/**
* Initializes the analyzer once before any analysis is performed.
@@ -102,12 +106,6 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {
return ANALYSIS_PHASE;
}
/**
* The file filter used to determine which files this analyzer supports.
*/
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(
SUPPORTED_EXTENSIONS).build();
/**
* Returns the FileFilter
*


@@ -105,6 +105,11 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
*/
private static final FileFilter PY_FILTER = new SuffixFileFilter(".py");
/**
* The file filter used to determine which files this analyzer supports.
*/
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build();
/**
* Returns the name of the Python Package Analyzer.
*
@@ -125,11 +130,6 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
return AnalysisPhase.INFORMATION_COLLECTION;
}
/**
* The file filter used to determine which files this analyzer supports.
*/
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build();
/**
* Returns the FileFilter
*


@@ -17,14 +17,22 @@
*/
package org.owasp.dependencycheck.reporting;
import java.io.*;
import java.util.List;
import com.google.gson.JsonSyntaxException;
import com.google.gson.stream.JsonReader;
import com.google.gson.stream.JsonToken;
import static com.google.gson.stream.JsonToken.*;
import com.google.gson.stream.JsonWriter;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.io.UnsupportedEncodingException;
import java.math.BigDecimal;
import java.nio.charset.StandardCharsets;
import org.apache.velocity.VelocityContext;


@@ -31,12 +31,6 @@ import java.util.regex.Pattern;
* @author Jeremy Long
*/
public final class UrlStringUtils {
/**
* Private constructor for a utility class.
*/
private UrlStringUtils() {
}
/**
* A regular expression to test if a string contains a URL.
*/
@@ -45,7 +39,18 @@ public final class UrlStringUtils {
* A regular expression to test if a string is a URL.
*/
private static final Pattern IS_URL_TEST = Pattern.compile("^(ht|f)tps?://.*", Pattern.CASE_INSENSITIVE);
/**
* A listing of domain parts that should not be used as evidence. Yes, this
* is an incomplete list.
*/
private static final Set<String> IGNORE_LIST = new HashSet<>(
Arrays.asList("www", "com", "org", "gov", "info", "name", "net", "pro", "tel", "mobi", "xxx"));
/**
* Private constructor for a utility class.
*/
private UrlStringUtils() {
}
/**
* Tests if the text provided contains a URL. This is somewhat limited
* search in that it only looks for (ftp|http|https)://
@@ -66,12 +71,6 @@ public final class UrlStringUtils {
public static boolean isUrl(String text) {
return IS_URL_TEST.matcher(text).matches();
}
/**
* A listing of domain parts that should not be used as evidence. Yes, this
* is an incomplete list.
*/
private static final Set<String> IGNORE_LIST = new HashSet<>(
Arrays.asList("www", "com", "org", "gov", "info", "name", "net", "pro", "tel", "mobi", "xxx"));
/**
* <p>


@@ -12,7 +12,8 @@ import java.util.Map;
*
* @author https://stackoverflow.com/users/823393/oldcurmudgeon
*/
public class XmlEntity {
public final class XmlEntity {
/**
* The map of HTML entities.
*/
@@ -292,8 +293,8 @@ public class XmlEntity {
/**
* Converts a named XML entity into its HTML encoded Unicode code point.
*
* @param s the named entity (note, this should not include the leading '&amp;'
* or trailing ';'
* @param s the named entity (note, this should not include the leading
* '&amp;' or trailing ';'
* @return the HTML encoded Unicode code point representation of the named
* entity
*/


@@ -162,7 +162,7 @@ public class XmlInputStream extends FilterInputStream {
throw new IOException("Invalid/Unknown reference '&" + reference + ";'");
}
} else {
// Did not terminate properly!
// Did not terminate properly!
// Perhaps an & on its own or a malformed reference.
// Either way, escape the &
pushBack.append("&#38;").append(reference).append((char) ch);


@@ -31,6 +31,11 @@ public class Hints {
*/
private List<HintRule> hintRules;
/**
* The duplicating hint rules.
*/
private List<VendorDuplicatingHintRule> vendorDuplicatingHintRules;
/**
* Get the value of hintRules.
*
@@ -49,11 +54,6 @@ public class Hints {
this.hintRules = hintRules;
}
/**
* The duplicating hint rules.
*/
private List<VendorDuplicatingHintRule> vendorDuplicatingHintRules;
/**
* Get the value of vendorDuplicatingHintRules.
*


@@ -0,0 +1,4 @@
/**
* Contains classes used to fix XML prior to parsing.
*/
package org.owasp.dependencycheck.xml;


@@ -74,11 +74,22 @@ public class PomHandler extends DefaultHandler {
* The url element.
*/
public static final String URL = "url";
/**
* The pom model.
*/
private final Model model = new Model();
/**
* The stack of elements processed; used to determine the parent node.
*/
private final Deque<String> stack = new ArrayDeque<>();
/**
* The license object.
*/
private License license = null;
/**
* The current node text being extracted from the element.
*/
private StringBuilder currentText;
/**
* Returns the model obtained from the pom.xml.
@@ -88,19 +99,6 @@ public class PomHandler extends DefaultHandler {
public Model getModel() {
return model;
}
/**
* The stack of elements processed; used to determine the parent node.
*/
private final Deque<String> stack = new ArrayDeque<>();
/**
* The license object.
*/
private License license = null;
/**
* The current node text being extracted from the element.
*/
private StringBuilder currentText;
/**
* Handles the start element event.
@@ -194,10 +192,8 @@ public class PomHandler extends DefaultHandler {
}
break;
case LICENSES:
if (LICENSE.equals(qName)) {
if (license != null) {
model.addLicense(license);
}
if (LICENSE.equals(qName) && license != null) {
model.addLicense(license);
}
break;
default:
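Review bot: The merged condition `if (LICENSE.equals(qName) && license != null)` is equivalent to the nested form it replaces, but after `model.addLicense(license)` the handler still holds the reference in `license`; if the start-element handling (outside this hunk) does not assign a fresh object on every `<license>`, a second `</license>` would add the same instance again. Adding `license = null;` directly after the `addLicense` call makes the end-element branch self-contained and independent of that assumption. The enclosing method starts and ends outside the hunk.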


@@ -19,15 +19,11 @@ package org.owasp.dependencycheck;
import java.io.File;
import java.io.IOException;
import static org.junit.Assert.assertTrue;
import org.junit.Test;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import org.owasp.dependencycheck.exception.ExceptionCollection;
import org.owasp.dependencycheck.exception.ReportException;
import org.owasp.dependencycheck.reporting.ReportGenerator;
import org.owasp.dependencycheck.utils.InvalidSettingException;
import org.owasp.dependencycheck.utils.Settings;
import static org.junit.Assert.assertTrue;


@@ -58,7 +58,7 @@ public class CPEAnalyzerIT extends BaseDBTestCase {
String vendor = "apache software foundation";
String product = "struts 2 core";
String version = "2.1.2";
CPEAnalyzer instance = new CPEAnalyzer();
String queryText = instance.buildSearch(vendor, product, null, null);


@@ -19,10 +19,6 @@ package org.owasp.dependencycheck.data.nvdcve;
import java.util.List;
import java.util.Set;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;


@@ -47,14 +47,10 @@ public class ReportGeneratorIT extends BaseDBTestCase {
/**
* Generates an XML report containing known vulnerabilities and realistic
* data and validates the generated XML document against the XSD.
*
* @throws Exception
*/
@Test
public void testGenerateReport() {
try {
String templateName = "XmlReport";
File f = new File("target/test-reports");
if (!f.exists()) {
f.mkdir();
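Review bot: `testGenerateReport` now wraps its body in a `try` instead of declaring `throws Exception`, and the matching `catch` lies outside the hunk; unless that catch calls `fail(...)` with the caught exception, a report-generation error that previously failed the test is swallowed and the test passes vacuously. Keeping `public void testGenerateReport() throws Exception` is the simpler form and preserves the stack trace in the test report. The return value of `f.mkdir()` is also ignored; `Files.createDirectories(f.toPath())` throws when the directory cannot be created and is a no-op when it exists, so it replaces both the `exists()` check and the unchecked call. The method continues past the hunk.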


@@ -66,7 +66,7 @@ public class UrlStringUtilsTest {
assertEquals(expResult, result);
text = "http://github.com/jeremylong/DependencyCheck/something";
expResult = Arrays.asList("github", "jeremylong", "DependencyCheck", "something");;
expResult = Arrays.asList("github", "jeremylong", "DependencyCheck", "something");
result = UrlStringUtils.extractImportantUrlData(text);
assertEquals(expResult, result);
}


@@ -18,49 +18,77 @@
package org.owasp.dependencycheck.maven;
import org.owasp.dependencycheck.utils.Filter;
import static org.apache.maven.artifact.Artifact.SCOPE_RUNTIME_PLUS_SYSTEM;
import static org.apache.maven.artifact.Artifact.SCOPE_COMPILE_PLUS_RUNTIME;
import static org.apache.maven.artifact.Artifact.SCOPE_RUNTIME;
import static org.apache.maven.artifact.Artifact.SCOPE_SYSTEM;
import static org.apache.maven.artifact.Artifact.SCOPE_TEST;
import static org.apache.maven.artifact.Artifact.SCOPE_PROVIDED;
/**
* Tests is the artifact should be included in the scan (i.e. is the
* dependency in a scope that is being scanned).
* Utility class to determine if an artifact should be excluded.
*
* @param scope the scope of the artifact to test
* @return <code>true</code> if the artifact is in an excluded scope;
* otherwise <code>false</code>
* @author Josh Cain
*/
public class ArtifactScopeExcluded extends Filter<String> {
private final boolean skipTestScope;
private final boolean skipProvidedScope;
private final boolean skipSystemScope;
private final boolean skipRuntimeScope;
/**
* Whether or not to skip the test scope.
*/
private final boolean skipTestScope;
/**
* Whether or not to skip the provided scope.
*/
private final boolean skipProvidedScope;
/**
* Whether or not to skip the system scope.
*/
private final boolean skipSystemScope;
/**
* Whether or not to skip the runtime scope.
*/
private final boolean skipRuntimeScope;
public ArtifactScopeExcluded(final boolean skipTestScope, final boolean skipProvidedScope, final boolean skipSystemScope, final boolean skipRuntimeScope) {
this.skipTestScope = skipTestScope;
this.skipProvidedScope = skipProvidedScope;
this.skipSystemScope = skipSystemScope;
this.skipRuntimeScope = skipRuntimeScope;
}
/**
* Constructs a new ArtifactScopeExcluded object.
*
* @param skipTestScope whether or not to skip the test scope
* @param skipProvidedScope whether or not to skip the provided scope
* @param skipSystemScope whether or not to skip the system scope
* @param skipRuntimeScope whether or not to skip the runtime scope
*/
public ArtifactScopeExcluded(final boolean skipTestScope, final boolean skipProvidedScope,
final boolean skipSystemScope, final boolean skipRuntimeScope) {
this.skipTestScope = skipTestScope;
this.skipProvidedScope = skipProvidedScope;
this.skipSystemScope = skipSystemScope;
this.skipRuntimeScope = skipRuntimeScope;
}
@Override
public boolean passes(final String scope) {
if (skipTestScope && org.apache.maven.artifact.Artifact.SCOPE_TEST.equals(scope)) {
return true;
}
if (skipProvidedScope && org.apache.maven.artifact.Artifact.SCOPE_PROVIDED.equals(scope)) {
return true;
}
if (skipSystemScope && org.apache.maven.artifact.Artifact.SCOPE_SYSTEM.equals(scope)) {
return true;
}
if (skipRuntimeScope && org.apache.maven.artifact.Artifact.SCOPE_RUNTIME.equals(scope)) {
return true;
}
if (skipRuntimeScope && skipSystemScope && org.apache.maven.artifact.Artifact.SCOPE_COMPILE_PLUS_RUNTIME.equals(SCOPE_RUNTIME_PLUS_SYSTEM)) {
return true;
}
return false;
}
/**
* Tests is the artifact should be included in the scan (i.e. is the
* dependency in a scope that is being scanned).
*
* @param scope the scope of the artifact to test
* @return <code>true</code> if the artifact is in an excluded scope;
* otherwise <code>false</code>
*/
@Override
public boolean passes(final String scope) {
if (skipTestScope && SCOPE_TEST.equals(scope)) {
return true;
}
if (skipProvidedScope && SCOPE_PROVIDED.equals(scope)) {
return true;
}
if (skipSystemScope && SCOPE_SYSTEM.equals(scope)) {
return true;
}
if (skipRuntimeScope && SCOPE_RUNTIME.equals(scope)) {
return true;
}
if (skipRuntimeScope && skipSystemScope && SCOPE_COMPILE_PLUS_RUNTIME.equals(scope)) {
return true;
}
return false;
}
}
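Review bot: The last clause of `passes` guards on `skipRuntimeScope && skipSystemScope` but compares `scope` with `SCOPE_COMPILE_PLUS_RUNTIME`; the guard reads as the runtime+system case, and `SCOPE_RUNTIME_PLUS_SYSTEM` appears in the static imports at the top of the hunk yet is referenced nowhere in the new body, so the intended line may be `if (skipRuntimeScope && skipSystemScope && SCOPE_RUNTIME_PLUS_SYSTEM.equals(scope)) {` — worth confirming, because in the current form a compile+runtime artifact is dropped from the vulnerability scan whenever both flags are set although compile scope itself is never skipped. If that import is retained and really unused it should be removed. The Javadoc on `passes` opens with "Tests is the artifact should be included in the scan" while its `@return` says `true` means excluded; suggest `Tests if the artifact should be excluded from the scan (i.e. is the dependency in a scope that is not being scanned).` so the summary and the return contract agree.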


@@ -465,7 +465,10 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
@Deprecated
private String externalReport = null;
protected Filter<String> artifactScopeExcluded;
/**
* The artifact scope filter.
*/
private Filter<String> artifactScopeExcluded;
// </editor-fold>
//<editor-fold defaultstate="collapsed" desc="Base Maven implementation">
@@ -650,7 +653,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
String version = null;
if (org.apache.maven.artifact.Artifact.SCOPE_SYSTEM.equals(dependencyNode.getArtifact().getScope())) {
for (org.apache.maven.model.Dependency d : project.getDependencies()) {
Artifact a = dependencyNode.getArtifact();
final Artifact a = dependencyNode.getArtifact();
if (d.getSystemPath() != null && artifactsMatch(d, a)) {
artifactFile = new File(d.getSystemPath());
@@ -1048,6 +1051,15 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
return format;
}
/**
* Returns the artifact scope excluded filter.
*
* @return the artifact scope excluded filter
*/
protected Filter<String> getArtifactScopeExcluded() {
return artifactScopeExcluded;
}
//<editor-fold defaultstate="collapsed" desc="Methods to fail build or show summary">
/**
* Checks to see if a vulnerability has been identified with a CVSS score


@@ -64,7 +64,7 @@ public class CheckMojo extends BaseDependencyCheckMojo {
public boolean canGenerateReport() {
boolean isCapable = false;
for (Artifact a : getProject().getArtifacts()) {
if (!artifactScopeExcluded.passes(a.getScope())) {
if (!getArtifactScopeExcluded().passes(a.getScope())) {
isCapable = true;
break;
}


@@ -17,9 +17,6 @@
*/
package org.owasp.dependencycheck.utils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
@@ -36,10 +33,6 @@ import java.security.NoSuchAlgorithmException;
*/
public final class Checksum {
/**
* The logger.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(Checksum.class);
/**
* Hex code characters used in getHex.
*/

pom.xml

@@ -124,12 +124,10 @@ Copyright (c) 2012 - Jeremy Long
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<github.global.server>github</github.global.server>
<!-- new versions of lucene are compiled with JDK 1.7 and cannot be used ubiquitously in Jenkins
thus, we cannot upgrade beyond 4.7.2 -->
<apache.lucene.version>4.7.2</apache.lucene.version>
<apache.ant.version>1.9.8</apache.ant.version>
<slf4j.version>1.7.23</slf4j.version>
<logback.version>1.1.9</logback.version>
<slf4j.version>1.7.24</slf4j.version>
<logback.version>1.2.0</logback.version>
<!-- Note that Maven will use classes from the distro, ignoring declared dependencies for Maven core... -->
<maven.api.version>3.0</maven.api.version>
<reporting.checkstyle-plugin.version>2.17</reporting.checkstyle-plugin.version>
@@ -199,7 +197,7 @@ Copyright (c) 2012 - Jeremy Long
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-failsafe-plugin</artifactId>
<version>2.19.1</version>
<version>2.20</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
@@ -234,7 +232,7 @@ Copyright (c) 2012 - Jeremy Long
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>2.19.1</version>
<version>2.20</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
@@ -670,7 +668,7 @@ Copyright (c) 2012 - Jeremy Long
<dependency>
<groupId>com.google.code.gson</groupId>
<artifactId>gson</artifactId>
<version>2.3.1</version>
<version>2.4</version>
</dependency>
<dependency>
<groupId>com.h2database</groupId>
@@ -680,7 +678,7 @@ Copyright (c) 2012 - Jeremy Long
<dependency>
<groupId>commons-cli</groupId>
<artifactId>commons-cli</artifactId>
<version>1.3.1</version>
<version>1.4</version>
</dependency>
<dependency>
<groupId>commons-io</groupId>
@@ -691,7 +689,7 @@ Copyright (c) 2012 - Jeremy Long
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
<!--upgrading beyond this may cause issues with the Jenkins plugin-->
<version>3.3.2</version>
<version>3.4</version>
</dependency>
<dependency>
<groupId>com.sun.mail</groupId>
@@ -717,7 +715,7 @@ Copyright (c) 2012 - Jeremy Long
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId>
<version>1.13</version>
<version>1.14</version>
</dependency>
<dependency>
<groupId>org.apache.ant</groupId>
@@ -815,7 +813,7 @@ Copyright (c) 2012 - Jeremy Long
<dependency>
<groupId>org.jmockit</groupId>
<artifactId>jmockit</artifactId>
<version>1.26</version>
<version>1.27</version>
<scope>test</scope>
</dependency>
<dependency>


@@ -13,6 +13,6 @@
^ \* See the License for the specific language governing permissions and\s*$
^ \* limitations under the License\.\s*$
^ \*\s*$
^ \* Copyright \(c\) 201[0-9] (Jeremy Long|Steve Springett|Stefan Neuhaus|Bianca Jiang|IBM Corporation|The OWASP Foundation|Institute for Defense Analyses)\. All Rights Reserved\.\s*$
^ \* Copyright \(c\) 201[0-9] (Jeremy Long|Steve Springett|Stefan Neuhaus|Bianca Jiang|Josh Cain|IBM Corporation|The OWASP Foundation|Institute for Defense Analyses)\. All Rights Reserved\.\s*$
^ \*/\s*$
^package


@@ -1,7 +1,7 @@
#!/bin/sh
CLI_LOCATION=~/.local/dependency-check-1.2.11
CLI_SCRIPT=$CLI_LOCATION/bin/dependency-check.sh
NVD_PATH=$1/`date -I -d $2`
NVD_PATH=$1/$(date -I -d $2)
NVD=file://$NVD_PATH
shift 2 # We've used the first two params. The rest go to CLI_SCRIPT.
$CLI_SCRIPT --cveUrl20Base $NVD/nvdcve-2.0-%d.xml.gz \
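Review bot: The backtick-to-`$(...)` rewrite leaves `$1` and `$2` unquoted, so a mirror path or date argument containing whitespace is split into several words before `date` and the CLI see it; `NVD_PATH="$1/$(date -I -d "$2")"` and `NVD="file://$NVD_PATH"` keep the values intact. The same applies to `NVD_ROOT=$1/$(date -I)` and `rm $NVD_ROOT/*.xml` in the second script, where an unquoted empty or space-containing `$1` changes which files the `rm` glob matches; `rm "$NVD_ROOT"/*.xml` bounds it to the intended directory. `date -I` and `-d` are GNU extensions, so these `#!/bin/sh` scripts silently depend on GNU coreutils; a one-line comment stating that would save a debugging round on other platforms.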


@@ -1,5 +1,5 @@
#!/bin/sh
NVD_ROOT=$1/`date -I`
NVD_ROOT=$1/$(date -I)
JAR_PATH=$2/nist-data-mirror-1.0.0.jar
java -jar $JAR_PATH $NVD_ROOT
rm $NVD_ROOT/*.xml # D-C works directly with .gz files anyway.