Merge branch 'master' of github.com:ctrl-alt-dev/DependencyCheck into ctrl-alt-dev-master

Former-commit-id: 4d1ab5ecacf0ca7354f57d3a49accd5a173e0a26

.gitignore

@@ -7,6 +7,9 @@
 # Eclipse project files
 .classpath
 .project
+.settings
+maven-eclipse.xml
+.externalToolBuilders
 # Netbeans configuration
 nb-configuration.xml
 /target/

dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java

@@ -27,6 +27,7 @@ import java.util.List;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+
 import org.owasp.dependencycheck.analyzer.AnalysisPhase;
 import org.owasp.dependencycheck.analyzer.Analyzer;
 import org.owasp.dependencycheck.analyzer.AnalyzerService;
@@ -34,12 +35,14 @@ import org.owasp.dependencycheck.analyzer.FileTypeAnalyzer;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.cpe.CpeMemoryIndex;
 import org.owasp.dependencycheck.data.cpe.IndexException;
+import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.data.nvdcve.ConnectionFactory;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.update.CachedWebDataSource;
 import org.owasp.dependencycheck.data.update.UpdateService;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
+import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.exception.NoDataException;
 import org.owasp.dependencycheck.utils.FileUtils;
@@ -188,7 +191,7 @@ public class Engine implements Serializable {
     public void scan(String path) {
         if (path.matches("^.*[\\/]\\*\\.[^\\/:*|?<>\"]+$")) {
             final String[] parts = path.split("\\*\\.");
-            final String[] ext = new String[]{parts[parts.length - 1]};
+            final String[] ext = new String[] { parts[parts.length - 1] };
             final File dir = new File(path.substring(0, path.length() - ext[0].length() - 2));
             if (dir.isDirectory()) {
                 final List<File> files = (List<File>) org.apache.commons.io.FileUtils.listFiles(dir, ext, true);
@@ -287,6 +290,17 @@ public class Engine implements Serializable {
      * @param file The file to scan.
      */
     protected void scanFile(File file) {
+        scan(file, null);
+    }
+
+    /**
+     * Scans a specified file. If a dependency is identified it is added to the dependency collection.
+     * If there is an mavenArtifact present, it will be added to
+     * 
+     * @param file The file to scan.
+     * @param mavenArtifact The (optional) Maven artifact.
+     */
+    public void scan(File file, MavenArtifact mavenArtifact) {
         if (!file.isFile()) {
             final String msg = String.format("Path passed to scanFile(File) is not a file: %s. Skipping the file.", file.toString());
             LOGGER.log(Level.FINE, msg);
@@ -297,11 +311,13 @@ public class Engine implements Serializable {
         if (extension != null) {
             if (supportsExtension(extension)) {
                 final Dependency dependency = new Dependency(file);
+                if (mavenArtifact != null) {
+                    dependency.addAsEvidence("project-pom", mavenArtifact, Confidence.HIGH);
+                }
                 dependencies.add(dependency);
             }
         } else {
-            final String msg = String.format("No file extension found on file '%s'. The file was not analyzed.",
+            final String msg = String.format("No file extension found on file '%s'. The file was not analyzed.", file.toString());
-                    file.toString());
             LOGGER.log(Level.FINEST, msg);
         }
     }
@@ -326,9 +342,7 @@ public class Engine implements Serializable {
 
         }
 
-        final String logHeader = String.format("%n"
+        final String logHeader = String.format("%n" + "----------------------------------------------------%n" + "BEGIN ANALYSIS%n"
-                + "----------------------------------------------------%n"
-                + "BEGIN ANALYSIS%n"
                 + "----------------------------------------------------");
         LOGGER.log(Level.FINE, logHeader);
         LOGGER.log(Level.INFO, "Analysis Starting");
@@ -381,9 +395,7 @@ public class Engine implements Serializable {
             }
         }
 
-        final String logFooter = String.format("%n"
+        final String logFooter = String.format("%n" + "----------------------------------------------------%n" + "END ANALYSIS%n"
-                + "----------------------------------------------------%n"
-                + "END ANALYSIS%n"
                 + "----------------------------------------------------");
         LOGGER.log(Level.FINE, logFooter);
         LOGGER.log(Level.INFO, "Analysis Complete");
@@ -437,10 +449,8 @@ public class Engine implements Serializable {
             try {
                 source.update();
             } catch (UpdateException ex) {
-                LOGGER.log(Level.WARNING,
+                LOGGER.log(Level.WARNING, "Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.");
-                        "Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.");
+                LOGGER.log(Level.FINE, String.format("Unable to update details for %s", source.getClass().getName()), ex);
-                LOGGER.log(Level.FINE,
-                        String.format("Unable to update details for %s", source.getClass().getName()), ex);
             }
         }
     }
@@ -503,4 +513,5 @@ public class Engine implements Serializable {
             throw new NoDataException("No documents exist");
         }
     }
+
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java

@@ -24,13 +24,13 @@ import java.net.URL;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.data.nexus.NexusSearch;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
@@ -152,29 +152,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
     public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
         try {
             final MavenArtifact ma = searcher.searchSha1(dependency.getSha1sum());
-            if (ma.getGroupId() != null && !"".equals(ma.getGroupId())) {
+            dependency.addAsEvidence("nexus", ma, Confidence.HIGH);
-                dependency.getVendorEvidence().addEvidence("nexus", "groupid", ma.getGroupId(), Confidence.HIGH);
-            }
-            if (ma.getArtifactId() != null && !"".equals(ma.getArtifactId())) {
-                dependency.getProductEvidence().addEvidence("nexus", "artifactid", ma.getArtifactId(), Confidence.HIGH);
-            }
-            if (ma.getVersion() != null && !"".equals(ma.getVersion())) {
-                dependency.getVersionEvidence().addEvidence("nexus", "version", ma.getVersion(), Confidence.HIGH);
-            }
-            if (ma.getArtifactUrl() != null && !"".equals(ma.getArtifactUrl())) {
-                boolean found = false;
-                for (Identifier i : dependency.getIdentifiers()) {
-                    if ("maven".equals(i.getType()) && i.getValue().equals(ma.toString())) {
-                        found = true;
-                        i.setConfidence(Confidence.HIGHEST);
-                        i.setUrl(ma.getArtifactUrl());
-                        break;
-                    }
-                }
-                if (!found) {
-                    dependency.addIdentifier("maven", ma.toString(), ma.getArtifactUrl(), Confidence.HIGHEST);
-                }
-            }
         } catch (IllegalArgumentException iae) {
             //dependency.addAnalysisException(new AnalysisException("Invalid SHA-1"));
             LOGGER.info(String.format("invalid sha-1 hash on %s", dependency.getFileName()));

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java

@@ -26,6 +26,8 @@ import java.util.SortedSet;
 import java.util.TreeSet;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+
+import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.utils.Checksum;
 import org.owasp.dependencycheck.utils.FileUtils;
 
@@ -316,6 +318,38 @@ public class Dependency implements Serializable, Comparable<Dependency> {
         this.identifiers.add(i);
     }
 
+    /**
+     * Adds the maven artifact as evidence.
+     * @param source The source of the evidence.
+     * @param mavenArtifact The maven artifact.
+     * @param confidence The confidence level of this evidence.
+     */
+    public void addAsEvidence(String source, MavenArtifact mavenArtifact, Confidence confidence) {
+        if (mavenArtifact.getGroupId() != null && !"".equals(mavenArtifact.getGroupId())) {
+            this.getVendorEvidence().addEvidence(source, "groupid", mavenArtifact.getGroupId(), confidence);
+        }
+        if (mavenArtifact.getArtifactId() != null && !"".equals(mavenArtifact.getArtifactId())) {
+            this.getProductEvidence().addEvidence(source, "artifactid", mavenArtifact.getArtifactId(), confidence);
+        }
+        if (mavenArtifact.getVersion() != null && !"".equals(mavenArtifact.getVersion())) {
+            this.getVersionEvidence().addEvidence(source, "version", mavenArtifact.getVersion(), confidence);
+        }
+        if (mavenArtifact.getArtifactUrl() != null && !"".equals(mavenArtifact.getArtifactUrl())) {
+            boolean found = false;
+            for (Identifier i : this.getIdentifiers()) {
+                if ("maven".equals(i.getType()) && i.getValue().equals(mavenArtifact.toString())) {
+                    found = true;
+                    i.setConfidence(Confidence.HIGHEST);
+                    i.setUrl(mavenArtifact.getArtifactUrl());
+                    break;
+                }
+            }
+            if (!found) {
+                this.addIdentifier("maven", mavenArtifact.toString(), mavenArtifact.getArtifactUrl(), Confidence.HIGHEST);
+            }
+        }
+    }
+
     /**
      * Adds an entry to the list of detected Identifiers for the dependency file.
      *
@@ -324,6 +358,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
     public void addIdentifier(Identifier identifier) {
         this.identifiers.add(identifier);
     }
+
     /**
      * A set of identifiers that have been suppressed.
      */
@@ -441,6 +476,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
     public EvidenceCollection getVersionEvidence() {
         return this.versionEvidence;
     }
+
     /**
      * The description of the JAR file.
      */
@@ -463,6 +499,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
     public void setDescription(String description) {
         this.description = description;
     }
+
     /**
      * The license that this dependency uses.
      */
@@ -485,6 +522,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
     public void setLicense(String license) {
         this.license = license;
     }
+
     /**
      * A list of vulnerabilities for this dependency.
      */
@@ -540,6 +578,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
     public void addVulnerability(Vulnerability vulnerability) {
         this.vulnerabilities.add(vulnerability);
     }
+
     /**
      * A collection of related dependencies.
      */

dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java

@@ -17,16 +17,20 @@
  */
 package org.owasp.dependencycheck.dependency;
 
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
 import java.io.File;
 import java.util.List;
 import java.util.Set;
+
 import org.junit.After;
 import org.junit.AfterClass;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
+import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 
 /**
  *
@@ -152,7 +156,7 @@ public class DependencyTest {
     public void testGetMd5sum() {
         File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
         Dependency instance = new Dependency(file);
-//        assertEquals("89CE9E36AA9A9E03F1450936D2F4F8DD0F961F8B", result.getSha1sum());
+        //        assertEquals("89CE9E36AA9A9E03F1450936D2F4F8DD0F961F8B", result.getSha1sum());
         String expResult = "C30B57142E1CCBC1EFD5CD15F307358F";
         String result = instance.getMd5sum();
         assertEquals(expResult, result);
@@ -294,4 +298,34 @@ public class DependencyTest {
         EvidenceCollection result = instance.getVersionEvidence();
         assertTrue(true); //this is just a getter setter pair.
     }
+
+    /**
+     * Test of addAsEvidence method, of class Dependency.
+     */
+    @Test
+    public void testAddAsEvidence() {
+        Dependency instance = new Dependency();
+        MavenArtifact mavenArtifact = new MavenArtifact("group", "artifact", "version", "url");
+        instance.addAsEvidence("pom", mavenArtifact, Confidence.HIGH);
+        assertTrue(instance.getEvidence().contains(Confidence.HIGH));
+        assertFalse(instance.getEvidence().getEvidence("pom", "groupid").isEmpty());
+        assertFalse(instance.getEvidence().getEvidence("pom", "artifactid").isEmpty());
+        assertFalse(instance.getEvidence().getEvidence("pom", "version").isEmpty());
+        assertFalse(instance.getIdentifiers().isEmpty());
+    }
+
+    /**
+     * Test of addAsEvidence method, of class Dependency.
+     */
+    @Test
+    public void testAddAsEvidenceWithEmptyArtefact() {
+        Dependency instance = new Dependency();
+        MavenArtifact mavenArtifact = new MavenArtifact(null, null, null, null);
+        instance.addAsEvidence("pom", mavenArtifact, Confidence.HIGH);
+        assertFalse(instance.getEvidence().contains(Confidence.HIGH));
+        assertTrue(instance.getEvidence().getEvidence("pom", "groupid").isEmpty());
+        assertTrue(instance.getEvidence().getEvidence("pom", "artifactid").isEmpty());
+        assertTrue(instance.getEvidence().getEvidence("pom", "version").isEmpty());
+        assertTrue(instance.getIdentifiers().isEmpty());
+    }
 }

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java

@@ -32,6 +32,8 @@ import java.util.Locale;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+
+import org.apache.commons.lang.StringUtils;
 import org.apache.maven.artifact.Artifact;
 import org.apache.maven.plugin.MojoExecutionException;
 import org.apache.maven.plugin.MojoFailureException;
@@ -46,6 +48,7 @@ import org.apache.maven.settings.Proxy;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.DependencyBundlingAnalyzer;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
@@ -58,9 +61,7 @@ import org.owasp.dependencycheck.utils.Settings;
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
-@Mojo(name = "check", defaultPhase = LifecyclePhase.COMPILE, threadSafe = true,
+@Mojo(name = "check", defaultPhase = LifecyclePhase.COMPILE, threadSafe = true, requiresDependencyResolution = ResolutionScope.RUNTIME_PLUS_SYSTEM, requiresOnline = true)
-        requiresDependencyResolution = ResolutionScope.RUNTIME_PLUS_SYSTEM,
-        requiresOnline = true)
 public class DependencyCheckMojo extends ReportAggregationMojo {
 
     //<editor-fold defaultstate="collapsed" desc="Private fields">
@@ -242,6 +243,17 @@ public class DependencyCheckMojo extends ReportAggregationMojo {
     @SuppressWarnings("CanBeFinal")
     @Parameter(property = "skipProvidedScope", defaultValue = "false", required = false)
     private boolean skipProvidedScope = false;
+    /**
+     * Skip Analysis of Dependencies that have a groupId that starts with this string.
+     * <pre>
+     * &lt;excludeInternalGroupIds&gt;
+     *  &lt;groupId&gt;some.group.id&lt;/groupId&gt;
+     * &lt;/excludeInternalGroupIds&gt;
+     * </pre> 
+     */
+    @SuppressWarnings("CanBeFinal")
+    @Parameter(property = "excludeInternalGroupIds", required = false)
+    private String[] excludeInternalGroupIds = new String[0];
     /**
      * The data directory, hold DC SQL DB.
      */
@@ -292,6 +304,7 @@ public class DependencyCheckMojo extends ReportAggregationMojo {
     @Parameter(property = "externalReport")
     @Deprecated
     private String externalReport = null;
+
     // </editor-fold>
     /**
      * Constructs a new dependency-check-mojo.
@@ -326,8 +339,7 @@ public class DependencyCheckMojo extends ReportAggregationMojo {
             if (excludeFromScan(a)) {
                 continue;
             }
-
+            localEngine.scan(a.getFile().getAbsoluteFile(), new MavenArtifact(a.getGroupId(), a.getArtifactId(), a.getVersion()));
-            localEngine.scan(a.getFile().getAbsolutePath());
         }
         localEngine.analyzeDependencies();
 
@@ -362,6 +374,12 @@ public class DependencyCheckMojo extends ReportAggregationMojo {
         if (skipRuntimeScope && !Artifact.SCOPE_RUNTIME.equals(a.getScope())) {
             return true;
         }
+        for (String groupId : excludeInternalGroupIds) {
+            if (!StringUtils.isEmpty(groupId) && (a.getGroupId().startsWith(groupId))) {
+                LOGGER.log(Level.INFO, "Excluding " + a.getGroupId() + ":" + a.getArtifactId());
+                return true;
+            }
+        }
         return false;
     }
 
@@ -396,8 +414,7 @@ public class DependencyCheckMojo extends ReportAggregationMojo {
         }
 
         if (proxyUrl != null && !proxyUrl.isEmpty()) {
-            LOGGER.warning("Deprecated configuration detected, proxyUrl will be ignored; use the maven settings "
+            LOGGER.warning("Deprecated configuration detected, proxyUrl will be ignored; use the maven settings " + "to configure the proxy instead");
-                    + "to configure the proxy instead");
         }
         final Proxy proxy = getMavenProxy();
         if (proxy != null) {
@@ -510,6 +527,7 @@ public class DependencyCheckMojo extends ReportAggregationMojo {
         }
         return null;
     }
+
     //</editor-fold>
 
     /**
@@ -530,8 +548,7 @@ public class DependencyCheckMojo extends ReportAggregationMojo {
                 checkForFailure(engine.getDependencies());
             }
         } catch (DatabaseException ex) {
-            LOGGER.log(Level.SEVERE,
+            LOGGER.log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped");
-                    "Unable to connect to the dependency-check database; analysis has stopped");
             LOGGER.log(Level.FINE, "", ex);
         }
     }
@@ -580,16 +597,15 @@ public class DependencyCheckMojo extends ReportAggregationMojo {
                 engine = initializeEngine();
                 engine.getDependencies().addAll(deps);
             } catch (DatabaseException ex) {
-                final String msg = String.format("An unrecoverable exception with the dependency-check initialization occured while scanning %s",
+                final String msg = String.format("An unrecoverable exception with the dependency-check initialization occured while scanning %s", getProject()
-                        getProject().getName());
+                        .getName());
                 throw new MavenReportException(msg, ex);
             }
         } else {
             try {
                 engine = executeDependencyCheck();
             } catch (DatabaseException ex) {
-                final String msg = String.format("An unrecoverable exception with the dependency-check scan occured while scanning %s",
+                final String msg = String.format("An unrecoverable exception with the dependency-check scan occured while scanning %s", getProject().getName());
-                        getProject().getName());
                 throw new MavenReportException(msg, ex);
             }
         }
@@ -612,8 +628,7 @@ public class DependencyCheckMojo extends ReportAggregationMojo {
             try {
                 engine = executeDependencyCheck(project);
             } catch (DatabaseException ex) {
-                final String msg = String.format("An unrecoverable exception with the dependency-check scan occured while scanning %s",
+                final String msg = String.format("An unrecoverable exception with the dependency-check scan occured while scanning %s", project.getName());
-                        project.getName());
                 throw new MavenReportException(msg, ex);
             }
         }
@@ -646,8 +661,7 @@ public class DependencyCheckMojo extends ReportAggregationMojo {
      * @return the output name
      */
     public String getOutputName() {
-        if ("HTML".equalsIgnoreCase(this.format)
+        if ("HTML".equalsIgnoreCase(this.format) || "ALL".equalsIgnoreCase(this.format)) {
-                || "ALL".equalsIgnoreCase(this.format)) {
             return "dependency-check-report";
         } else if ("XML".equalsIgnoreCase(this.format)) {
             return "dependency-check-report.xml#";
@@ -685,8 +699,7 @@ public class DependencyCheckMojo extends ReportAggregationMojo {
      * @return the description
      */
     public String getDescription(Locale locale) {
-        return "A report providing details on any published "
+        return "A report providing details on any published " + "vulnerabilities within project dependencies. This report is a best effort but may contain "
-                + "vulnerabilities within project dependencies. This report is a best effort but may contain "
                 + "false positives and false negatives.";
     }
 
@@ -740,6 +753,7 @@ public class DependencyCheckMojo extends ReportAggregationMojo {
     protected boolean canGenerateAggregateReport() {
         return isAggregate() && isLastProject();
     }
+
     // </editor-fold>
 
     //<editor-fold defaultstate="collapsed" desc="Methods to fail build or show summary">
@@ -807,12 +821,12 @@ public class DependencyCheckMojo extends ReportAggregationMojo {
             }
         }
         if (summary.length() > 0) {
-            final String msg = String.format("%n%n"
+            final String msg = String.format("%n%n" + "One or more dependencies were identified with known vulnerabilities:%n%n%s"
-                    + "One or more dependencies were identified with known vulnerabilities:%n%n%s"
                     + "%n%nSee the dependency-check report for more details.%n%n", summary.toString());
             LOGGER.log(Level.WARNING, msg);
         }
     }
+
     //</editor-fold>
 
     //<editor-fold defaultstate="collapsed" desc="Methods to read/write the serialized data file">