github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-21 16:49:43 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add an update only option

Browse Source 
Former-commit-id: 67253232762acb61e1400dc60443e556f71db874
This commit is contained in:
Jeremy Long
2015-03-28 12:17:24 -04:00
parent f247978d12
commit d0401f3f8d
10 changed files with 300 additions and 98 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/Engine.java
View File

@@ -27,8 +27,8 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.utils.Settings;
/**
* A modified version of the core engine specifically designed to persist some
* data between multiple executions of a multi-module Maven project.
* A modified version of the core engine specifically designed to persist some data between multiple executions of a multi-module
* Maven project.
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
@@ -51,8 +51,7 @@ public class Engine extends org.owasp.dependencycheck.Engine {
*/
private List<MavenProject> reactorProjects;
/**
* Key used in the MavenProject context values to note whether or not an
* update has been executed.
* Key used in the MavenProject context values to note whether or not an update has been executed.
*/
public static final String UPDATE_EXECUTED_FLAG = "dependency-check-update-executed";
@@ -60,10 +59,8 @@ public class Engine extends org.owasp.dependencycheck.Engine {
* Creates a new Engine to perform anyalsis on dependencies.
*
* @param project the current Maven project
* @param reactorProjects the reactor projects for the current Maven
* execution
* @throws DatabaseException thrown if there is an issue connecting to the
* database
* @param reactorProjects the reactor projects for the current Maven execution
* @throws DatabaseException thrown if there is an issue connecting to the database
*/
public Engine(MavenProject project, List<MavenProject> reactorProjects) throws DatabaseException {
this.currentProject = project;
@@ -91,18 +88,28 @@ public class Engine extends org.owasp.dependencycheck.Engine {
}
}
/**
* Runs the update steps of dependency-check.
*/
public void update() {
final MavenProject root = getExecutionRoot();
if (root != null && root.getContextValue(UPDATE_EXECUTED_FLAG) != null) {
System.setProperty(Settings.KEYS.AUTO_UPDATE, Boolean.FALSE.toString());
}
this.doUpdates();
}
/**
* This constructor should not be called. Use Engine(MavenProject) instead.
*
* @throws DatabaseException thrown if there is an issue connecting to the
* database
* @throws DatabaseException thrown if there is an issue connecting to the database
*/
private Engine() throws DatabaseException {
}
/**
* Initializes the given analyzer. This skips the initialization of the
* CPEAnalyzer if it has been initialized by a previous execution.
* Initializes the given analyzer. This skips the initialization of the CPEAnalyzer if it has been initialized by a previous
* execution.
*
* @param analyzer the analyzer to initialize
* @return the initialized analyzer
@@ -121,8 +128,7 @@ public class Engine extends org.owasp.dependencycheck.Engine {
}
/**
* Releases resources used by the analyzers by calling close() on each
* analyzer.
* Releases resources used by the analyzers by calling close() on each analyzer.
*/
@Override
public void cleanup() {
@@ -209,10 +215,8 @@ public class Engine extends org.owasp.dependencycheck.Engine {
}
/**
* Resets the file type analyzers so that they can be re-used to scan
* additional directories. Without the reset the analyzer might be disabled
* because the first scan/analyze did not identify any files that could be
* processed by the analyzer.
* Resets the file type analyzers so that they can be re-used to scan additional directories. Without the reset the analyzer
* might be disabled because the first scan/analyze did not identify any files that could be processed by the analyzer.
*/
public void resetFileTypeAnalyzers() {
for (FileTypeAnalyzer a : getFileTypeAnalyzers()) {

101
dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/UpdateMojo.java Normal file
View File

@@ -0,0 +1,101 @@
/*
* This file is part of dependency-check-maven.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2013 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.maven;
import java.util.Locale;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.maven.artifact.Artifact;
import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugin.MojoFailureException;
import org.apache.maven.plugins.annotations.LifecyclePhase;
import org.apache.maven.plugins.annotations.Mojo;
import org.apache.maven.plugins.annotations.ResolutionScope;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.utils.Settings;
/**
* Maven Plugin that checks the project dependencies to see if they have any known published vulnerabilities.
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
@Mojo(
name = "update-only",
defaultPhase = LifecyclePhase.GENERATE_RESOURCES,
threadSafe = true,
requiresDependencyResolution = ResolutionScope.NONE,
requiresOnline = true
)
public class UpdateMojo extends BaseDependencyCheckMojo {
/**
* Logger field reference.
*/
private static final Logger LOGGER = Logger.getLogger(UpdateMojo.class.getName());
/**
* Returns false; this mojo cannot generate a report.
*
* @return <code>false</code>
*/
@Override
public boolean canGenerateReport() {
return false;
}
/**
* Executes the dependency-check engine on the project's dependencies and generates the report.
*
* @throws MojoExecutionException thrown if there is an exception executing the goal
* @throws MojoFailureException thrown if dependency-check is configured to fail the build
*/
@Override
public void runCheck() throws MojoExecutionException, MojoFailureException {
final Engine engine;
try {
engine = initializeEngine();
engine.update();
} catch (DatabaseException ex) {
LOGGER.log(Level.FINE, "Database connection error", ex);
throw new MojoExecutionException("An exception occured connecting to the local database. Please see the log file for more details.", ex);
}
engine.cleanup();
Settings.cleanup();
}
/**
* Returns the report name.
*
* @param locale the location
* @return the report name
*/
public String getName(Locale locale) {
return "dependency-check-update";
}
/**
* Gets the description of the Dependency-Check report to be displayed in the Maven Generated Reports page.
*
* @param locale The Locale to get the description for
* @return the description
*/
public String getDescription(Locale locale) {
return "Updates the local cache of the NVD data from NIST.";
}
}

11
dependency-check-maven/src/site/markdown/configuration.md
View File

@@ -1,10 +1,11 @@
Goals
====================
Goal | Description
-----------|-----------------------
aggregate | Runs dependency-check against the child projects and aggregates the results into a single report.
check | Runs dependency-check against the project and generates a report.
Goal | Description
------------|-----------------------
aggregate | Runs dependency-check against the child projects and aggregates the results into a single report.
check | Runs dependency-check against the project and generates a report.
update-only | Updates the local cache of the NVD data from NIST.
Configuration
====================
@@ -38,7 +39,7 @@ zipExtensions | A comma-separated list of additional file extensions t
jarAnalyzer | Sets whether Jar Analyzer will be used. | true
centralAnalyzerEnabled | Sets whether Central Analyzer will be used. If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer (see below). | true
nexusAnalyzerEnabled | Sets whether Nexus Analyzer will be used. This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. | true
nexusUrl | Defines the Nexus Pro Server URL. If not set the Nexus Analyzer will be disabled. | &nbsp;
nexusUrl | Defines the Nexus Server's web service end point (example http://domain.enterprise/service/local/). If not set the Nexus Analyzer will be disabled. | &nbsp;
nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | true
nuspecAnalyzerEnabled | Sets whether or not the .NET Nuget Nuspec Analyzer will be used. | true
assemblyAnalyzerEnabled | Sets whether or not the .NET Assembly Analyzer should be used. | true

30
dependency-check-maven/src/site/markdown/usage.md.vm
View File

@@ -176,3 +176,33 @@ Create the DependencyCheck-report.html and use internal mirroring of CVE content
...
</project>
```
$H$H$H Example 6:
Update the local cache of the NVD data from NIST without analyzing the dependencies.
```xml
<project>
...
<build>
...
<plugins>
...
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>${project.version}</version>
<executions>
<execution>
<goals>
<goal>update-only</goal>
</goals>
</execution>
</executions>
</plugin>
...
</plugins>
...
</build>
...
</project>
```