From c11cb38269a723eb30bed9873a9b1d449e8c3385 Mon Sep 17 00:00:00 2001
From: Henri Gomez
Date: Tue, 11 Feb 2014 14:05:26 +0100
Subject: [PATCH] Add support for extra extensions provided externally

Former-commit-id: c827feb563cde449090dade2b17bfa6709df37be
---
 .../taskdefs/DependencyCheckTask.java | 34 +++++++++++++++++++
 .../src/site/markdown/configuration.md | 1 +
 .../java/org/owasp/dependencycheck/App.java | 17 ++++++++--
 .../owasp/dependencycheck/cli/CliParser.java | 20 ++++++++++-
 .../src/site/markdown/arguments.md | 3 +-
 .../analyzer/ArchiveAnalyzer.java | 8 +++++
 .../owasp/dependencycheck/utils/Settings.java | 4 +++
 .../maven/DependencyCheckMojo.java | 20 ++++++++---
 .../src/site/markdown/configuration.md | 1 +
 9 files changed, 99 insertions(+), 9 deletions(-)

diff --git a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java
index 093ab32e8..cf92df0ef 100644
--- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java
+++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java
@@ -20,6 +20,8 @@ package org.owasp.dependencycheck.taskdefs;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
+import java.util.Arrays;
+import java.util.HashSet;
 import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -32,6 +34,8 @@ import org.apache.tools.ant.types.ResourceCollection;
 import org.apache.tools.ant.types.resources.FileProvider;
 import org.apache.tools.ant.types.resources.Resources;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.Analyzer;
+import org.owasp.dependencycheck.analyzer.ArchiveAnalyzer;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
@@ -616,6 +620,30 @@ public class DependencyCheckTask extends Task {
 this.databasePassword = databasePassword;
 }
+ /**
+ * File extensions to add to analysis next to jar, zip, ....
+ */
+ private String extraExtensions;
+
+ /**
+ * Get the value of extraExtensions.
+ *
+ * @return the value of extraExtensions
+ */
+ public String getExtraExtensions() {
+ return extraExtensions;
+ }
+
+ /**
+ * Set the value of extraExtensions.
+ *
+ * @param extraExtensions new value of extraExtensions
+ */
+ public void setExtraExtensions(String extraExtensions) {
+ this.extraExtensions = extraExtensions;
+ }
+
+
 @Override
 public void execute() throws BuildException {
 final InputStream in = DependencyCheckTask.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
@@ -626,6 +654,12 @@ public class DependencyCheckTask extends Task {
 populateSettings();
 final Engine engine = new Engine();
+
+ if (extraExtensions != null && ! extraExtensions.isEmpty())
+ for (Analyzer analyzer : engine.getAnalyzers())
+ if (analyzer instanceof ArchiveAnalyzer)
+ ((ArchiveAnalyzer)analyzer).addSupportedExtensions(new HashSet(Arrays.asList(extraExtensions.split("\\s*,\\s*"))));
+
 for (Resource resource : path) {
 final FileProvider provider = resource.as(FileProvider.class);
 if (provider != null) {
diff --git a/dependency-check-ant/src/site/markdown/configuration.md b/dependency-check-ant/src/site/markdown/configuration.md
index a6df15f31..2da5c7c70 100644
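Review bot: The tokenizer in the added block, `extraExtensions.split("\\s*,\\s*")`, trims whitespace only around commas, so an Ant attribute value such as `" war, ear"` registers the token `" war"` and a leading comma registers an empty-string extension, and both reach ArchiveAnalyzer unchanged. Trim each token and drop blanks before building the set, and give the set a type argument instead of the raw `new HashSet(...)`; the identical parsing is repeated in App.runScan, so a single shared helper (or parsing once in core) would keep the front ends consistent. The braceless nested `if`/`for`/`if` also departs from the braced style of the surrounding method. The enclosing execute() body continues past the end of the hunk, and the rewrite below needs `java.util.Set` imported.
```java
        final Engine engine = new Engine();
        if (extraExtensions != null && !extraExtensions.isEmpty()) {
            // Normalise the comma-separated attribute: trim each entry, ignore blanks.
            final Set<String> extra = new HashSet<String>();
            for (String token : extraExtensions.split(",")) {
                final String ext = token.trim();
                if (!ext.isEmpty()) {
                    extra.add(ext);
                }
            }
            for (Analyzer analyzer : engine.getAnalyzers()) {
                if (analyzer instanceof ArchiveAnalyzer) {
                    ((ArchiveAnalyzer) analyzer).addSupportedExtensions(extra);
                }
            }
        }
        // … unchanged: resource loop …
```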
--- a/dependency-check-ant/src/site/markdown/configuration.md
+++ b/dependency-check-ant/src/site/markdown/configuration.md
@@ -42,5 +42,6 @@ databaseDriverPath | The path to the database driver JAR file; only used if t
 connectionString | The connection string used to connect to the database. | Optional
 databaseUser | The username used when connecting to the database. | Optional
 databasePassword | The password used when connecting to the database. | Optional
+extraExtensions | List of extra extensions to be scanned, comma separated. | Optional
diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
index 84b734316..733d8d7ad 100644
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
@@ -21,10 +21,14 @@ import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
+import java.util.Arrays;
+import java.util.HashSet;
 import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.apache.commons.cli.ParseException;
+import org.owasp.dependencycheck.analyzer.Analyzer;
+import org.owasp.dependencycheck.analyzer.ArchiveAnalyzer;
 import org.owasp.dependencycheck.cli.CliParser;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
@@ -83,7 +87,7 @@ public class App {
 cli.printVersionInfo();
 } else if (cli.isRunScan()) {
 updateSettings(cli);
- runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles());
+ runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles(), cli.getExtraExtensions());
 } else {
 cli.printHelp();
 }
@@ -97,9 +101,14 @@ public class App {
 * @param applicationName the application name for the report
 * @param files the files/directories to scan
 */
- private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files) {
+ private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files, String extraExtensions) {
 final Engine scanner = new Engine();
+ if (extraExtensions != null && ! extraExtensions.isEmpty())
+ for (Analyzer analyzer : scanner.getAnalyzers())
+ if (analyzer instanceof ArchiveAnalyzer)
+ ((ArchiveAnalyzer)analyzer).addSupportedExtensions(new HashSet(Arrays.asList(extraExtensions.split("\\s*,\\s*"))));
+
 for (String file : files) {
 scanner.scan(file);
 }
@@ -155,6 +164,7 @@ public class App {
 final String connectionString = cli.getConnectionString();
 final String databaseUser = cli.getDatabaseUser();
 final String databasePassword = cli.getDatabasePassword();
+ final String extraExtensions = cli.getExtraExtensions();
 if (propertiesFile != null) {
 try {
@@ -220,5 +230,8 @@ public class App {
 if (databasePassword != null && !databasePassword.isEmpty()) {
 Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
 }
+ if (extraExtensions!= null && !extraExtensions.isEmpty()) {
+ Settings.setString(Settings.KEYS.EXTRA_EXTENSIONS, extraExtensions);
+ }
 }
 }
diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java
index 03139b8ea..384855da8 100644
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java
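Review bot: The runScan Javadoc, whose tail is visible at the top of the hunk, documents `files` but not the new `extraExtensions` parameter; add `* @param extraExtensions comma-separated file extensions to additionally treat as archives, or null for none` after the `@param files` line. The parsing in the added block also accepts untrimmed leading tokens and empty entries from `split("\\s*,\\s*")` exactly as the Ant task does, so whatever normalisation is chosen should be shared rather than copied a third time. The Javadoc opens, and the method body continues, outside the hunk.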
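Review bot: `Settings.KEYS.EXTRA_EXTENSIONS` is written here but nothing in this commit reads it back — runScan patches ArchiveAnalyzer directly from the CLI value, and the Ant task and Maven mojo never set the key at all, so the setting is write-only and the three front ends do not share one code path. Either drop the key or make ArchiveAnalyzer consume it during its initialisation (via whatever getter Settings pairs with `setString`) and have every front end populate only the setting. Minor: `extraExtensions!= null` lacks the space before `!=` that the `databasePassword != null` line above uses.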
@@ -204,6 +204,10 @@ public final class CliParser {
 .withDescription("The url to the Nexus Server.")
 .create();
+ final Option extraExtensions = OptionBuilder.withArgName("extraExtensions").hasArg().withLongOpt(ArgumentName.EXTRA_EXTENSIONS)
+ .withDescription("List of extra extensions to be scanned")
+ .create();
+
 //This is an option group because it can be specified more then once.
 final OptionGroup og = new OptionGroup();
 og.addOption(path);
@@ -220,7 +224,8 @@ public final class CliParser {
 .addOption(verboseLog)
 .addOption(suppressionFile)
 .addOption(disableNexusAnalyzer)
- .addOption(nexusUrl);
+ .addOption(nexusUrl)
+ .addOption(extraExtensions);
 }
 
 /**
@@ -548,6 +553,15 @@ public final class CliParser {
 return line.getOptionValue(ArgumentName.DB_PASSWORD);
 }
+ /**
+ * Returns the extra Extensions if specified; otherwise null is returned.
+ *
+ * @return the extra Extensions; otherwise null is returned
+ */
+ public String getExtraExtensions() {
+ return line.getOptionValue(ArgumentName.EXTRA_EXTENSIONS);
+ }
+
 /**
 * A collection of static final strings that represent the possible command line arguments.
 */
@@ -701,5 +715,9 @@ public final class CliParser {
 * The CLI argument name for setting the path to the database driver; in case it is not on the class path.
 */
 public static final String DB_DRIVER_PATH = "dbDriverPath";
+ /**
+ * The CLI argument name for setting extra extensions.
+ */
+ public static final String EXTRA_EXTENSIONS = "extraExtension";
 }
 }
diff --git a/dependency-check-cli/src/site/markdown/arguments.md b/dependency-check-cli/src/site/markdown/arguments.md
index 9c7122caa..7ffd9bdaa 100644
--- a/dependency-check-cli/src/site/markdown/arguments.md
+++ b/dependency-check-cli/src/site/markdown/arguments.md
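Review bot: The long option is registered as `"extraExtension"` (singular) through `ArgumentName.EXTRA_EXTENSIONS`, while `withArgName("extraExtensions")` in the option builder and the new `--extraExtensions` row in arguments.md use the plural, so a user following the documentation gets an unrecognised-option error from commons-cli. Change the constant to `public static final String EXTRA_EXTENSIONS = "extraExtensions";`. The option description `"List of extra extensions to be scanned"` could also state the comma-separated format, as both documentation tables do.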
@@ -27,4 +27,5 @@ Short | Argument Name | Parameter | Description | Requirement
  | \-\-dbPassword | \| The password for connecting to the database. | Optional
  | \-\-dbUser | \ | The username used to connect to the database. | Optional
  | \-\-disableNexus | | Disable the Nexus Analyzer. | Optional
- | \-\-nexus | \ | The url to the Nexus Server. | Optional
\ No newline at end of file
+ | \-\-nexus | \ | The url to the Nexus Server. | Optional
+ | \-\-extraExtensions | \ | List of extensions to be scanned, comma separated. | Optional
\ No newline at end of file
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
index 80b2f4fe9..6dbe6edd6 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
@@ -95,6 +95,14 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
 EXTENSIONS.addAll(ZIPPABLES);
 }
+ /**
+ * Add a list of file EXTENSIONS to be supported by this analyzer.
+ *
+ */
+ public void addSupportedExtensions(Set extraExtensions) {
+ EXTENSIONS.addAll(extraExtensions);
+ }
+
 /**
 * Returns a list of file EXTENSIONS supported by this analyzer.
 *
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java
index 3c51f738d..7b5e33199 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java
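Review bot: `addSupportedExtensions` is an instance method that mutates `EXTENSIONS`, which by its naming and the initializer-style `EXTENSIONS.addAll(ZIPPABLES)` just above looks like a class-level set; if so, extensions added through one Engine stay visible to every later ArchiveAnalyzer in the same JVM (later Maven reactor modules, further Ant targets) and are never cleared — the declaration is outside the hunk, so confirm. The parameter is a raw `Set` and goes to `addAll` without a null check, and the Javadoc ends in an empty line where a `@param` belongs. Suggest `public void addSupportedExtensions(Set<String> extraExtensions)` guarded by `if (extraExtensions != null) { EXTENSIONS.addAll(extraExtensions); }`, plus a `@param extraExtensions` line stating the expected form of an entry (with or without a leading dot, and which case the analyzer's extension matching uses — that code is not in view, so document what it actually compares). Because each entry widens the set of files this analyzer will try to open as an archive, rejecting blank entries here rather than trusting each caller is the safer place for the check.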
@@ -149,6 +149,10 @@ public final class Settings {
 * The path to mono, if available.
 */
 public static final String ANALYZER_ASSEMBLY_MONO_PATH = "analyzer.assembly.mono.path";
+ /**
+ * The extra extensions, if available.
+ */
+ public static final String EXTRA_EXTENSIONS = "extra.extensions";
 }
 /**
 * The properties file location.
diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java
index a3cc86096..ff9d10116 100644
--- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java
+++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java
@@ -23,10 +23,7 @@ import java.io.InputStream;
 import java.io.UnsupportedEncodingException;
 import java.net.URLEncoder;
 import java.text.DateFormat;
-import java.util.Date;
-import java.util.List;
-import java.util.Locale;
-import java.util.Set;
+import java.util.*;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.apache.maven.artifact.Artifact;
@@ -45,6 +42,8 @@ import org.apache.maven.reporting.MavenMultiPageReport;
 import org.apache.maven.reporting.MavenReport;
 import org.apache.maven.reporting.MavenReportException;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.Analyzer;
+import org.owasp.dependencycheck.analyzer.ArchiveAnalyzer;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
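Review bot: The hunk replaces four explicit `java.util` imports with the wildcard `import java.util.*;`, which no other import in this file uses and which hides what the mojo actually depends on. Keep `import java.util.Date;`, `import java.util.List;`, `import java.util.Locale;` and `import java.util.Set;` and add only the two new names, `import java.util.Arrays;` and `import java.util.HashSet;`.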
@@ -229,7 +228,11 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
 @Parameter(property = "databasePassword", defaultValue = "", required = false)
 private String databasePassword;
 //
-
+ /**
+ * File extensions to add to analysis next to jar, zip, ....
+ */
+ @Parameter(property = "extraExtensions", required = false)
+ private String[] extraExtensions;
 /**
 * Executes the Dependency-Check on the dependent libraries.
 *
@@ -242,6 +245,13 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
 populateSettings();
 final Engine engine = new Engine();
+
+ if (extraExtensions != null) {
+ for (Analyzer analyzer : engine.getAnalyzers())
+ if (analyzer instanceof ArchiveAnalyzer)
+ ((ArchiveAnalyzer)analyzer).addSupportedExtensions(new HashSet(Arrays.asList(extraExtensions)));
+ }
+
 final Set artifacts = project.getArtifacts();
 for (Artifact a : artifacts) {
 if (!Artifact.SCOPE_TEST.equals(a.getScope()) && !Artifact.SCOPE_PROVIDED.equals(a.getScope()) && !Artifact.SCOPE_RUNTIME.equals(a.getScope())) {
diff --git a/dependency-check-maven/src/site/markdown/configuration.md b/dependency-check-maven/src/site/markdown/configuration.md
index 12a26b05d..ad56c3705 100644
--- a/dependency-check-maven/src/site/markdown/configuration.md
+++ b/dependency-check-maven/src/site/markdown/configuration.md
@@ -22,3 +22,4 @@ databaseDriverPath | The path to the database driver JAR file; only used if t
 connectionString | The connection string used to connect to the database. |
 databaseUser | The username used when connecting to the database. |
 databasePassword | The password used when connecting to the database. |
+extraExtensions | List of extra extensions to be scanned. |
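Review bot: The new field takes the place of the blank line that separated `databasePassword` from the execute() Javadoc (the removed line is blank), so the field's Javadoc now runs straight into the method's Javadoc; restore a blank line after `private String[] extraExtensions;`. The field comment should also say how the value is supplied — as a list in the plugin configuration and, presumably, as a comma-separated `-DextraExtensions=` property, which relies on Maven's array conversion and should be confirmed before being documented.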
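Review bot: The Maven path passes the `String[]` entries through untouched, so an empty list element or a null entry reaches `new HashSet(Arrays.asList(extraExtensions))` and is registered as an extension, whereas the Ant and CLI paths at least split on commas; trim each entry and drop blanks so all three front ends register the same set for the same input. Bracing is also inconsistent here: the outer `if` is braced while the nested `for` and `if` are not, and the `HashSet` is raw. The execute() body continues past the hunk.
```java
        final Engine engine = new Engine();
        if (extraExtensions != null) {
            // Normalise configured entries: trim, ignore null and blank values.
            final Set<String> extra = new HashSet<String>();
            for (String entry : extraExtensions) {
                if (entry != null && !entry.trim().isEmpty()) {
                    extra.add(entry.trim());
                }
            }
            for (Analyzer analyzer : engine.getAnalyzers()) {
                if (analyzer instanceof ArchiveAnalyzer) {
                    ((ArchiveAnalyzer) analyzer).addSupportedExtensions(extra);
                }
            }
        }
        // … unchanged: artifact loop …
```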