resolve conflicts

Jeremy Long
2017-06-04 20:54:17 -04:00
34 changed files with 490 additions and 250 deletions


@@ -1,24 +1,15 @@
language: java
jdk: oraclejdk7
script: mvn install -DreleaseTesting
env:
global:
- secure: ZUzhWfpXJw/oAeDlUkDFkEJMT0T7kCN3d7ah8urkL2B0KFfKOqQagkbXkgvDa1SYud8VdcnoGa69LfkEr5IrdqW7R4bEYZAiN5swm4Z0iO8t53szVspm2f+O9jQ44O/sfOfpfLxWUUuhdc7Vbrszp+tSszxdPmssWL+f5a/mfWs=
- secure: pmFymoI7qH0Kna3NkcHrqLiTVWKmrhwqA4Z9U6XLhWDQxcs5g94wCCKpGB6Lkz9mkvRxBRFpZZelnXJa9W9mnuVOMIa5tQfS5gBuaNXOe7AXXdc+Y2975OR9sSfvf16FxLFvNJILmZq+bpMLs+EXaQvjYQHW2O6OWZdLhAPVG6A=
before_install:
- wget -O ~/codacy-coverage-reporter-assembly.jar https://oss.sonatype.org/service/local/repositories/releases/content/com/codacy/codacy-coverage-reporter/1.0.13/codacy-coverage-reporter-1.0.13-assembly.jar
- wget -O ~/codacy-coverage-reporter-assembly.jar https://oss.sonatype.org/service/local/repositories/releases/content/com/codacy/codacy-coverage-reporter/1.0.13/codacy-coverage-reporter-1.0.13-assembly.jar
after_success:
- java -cp ~/codacy-coverage-reporter-assembly.jar com.codacy.CodacyCoverageReporter
-l Java -r build-reporting/target/coverage-reports/jacoco.xml
matrix:
include:
- env: CRON_ONLY=1
addons:
coverity_scan:
project:
name: OWASP dependency-check
version: 1.0
description: A software composition analsis tools that detects publicly
disclosed vulnerabilities in application dependencies.
build_command: mvn -DskipTests=true package
branch_pattern: master
- java -cp ~/codacy-coverage-reporter-assembly.jar com.codacy.CodacyCoverageReporter -l Java -r build-reporting/target/coverage-reports/jacoco.xml
- ./coverity_scan.sh
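Review bot: The codacy-coverage-reporter jar that `before_install` fetches with `wget` is executed via `java -cp` in `after_success` with no integrity check, so every build runs whatever the Sonatype URL happens to serve; that download line looks unchanged here, but the `after_success` list is being reworked in this hunk anyway. Add a digest check as the first `after_success` entry, e.g. `- echo "<published sha256 of the 1.0.13 assembly jar>  ~/codacy-coverage-reporter-assembly.jar" | sha256sum -c -`, so a tampered or truncated download fails the step instead of running. The new `- ./coverity_scan.sh` entry fires on every successful build and depends entirely on the script's own branch/event gate; a one-line `# gated on master+cron inside the script` comment next to it would keep the next editor from assuming Travis does the gating.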


@@ -1,4 +1,4 @@
[![Build Status](https://travis-ci.org/jeremylong/DependencyCheck.svg?branch=master)](https://travis-ci.org/jeremylong/DependencyCheck) [![Coverity Scan Build Status](https://scan.coverity.com/projects/1654/badge.svg)](https://scan.coverity.com/projects/dependencycheck) [![Codacy Badge](https://api.codacy.com/project/badge/Grade/6b6021d481dc41a888c5da0d9ecf9494)](https://www.codacy.com/app/jeremylong/DependencyCheck?utm_source=github.com&utm_medium=referral&utm_content=jeremylong/DependencyCheck&utm_campaign=Badge_Grade) [![Apache 2.0 License](https://img.shields.io/badge/license-Apache%202-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0.txt)
[![Build Status](https://travis-ci.org/jeremylong/DependencyCheck.svg?branch=master)](https://travis-ci.org/jeremylong/DependencyCheck) [![Coverity Scan Build Status](https://scan.coverity.com/projects/1654/badge.svg)](https://scan.coverity.com/projects/dependencycheck) [![Codacy Badge](https://api.codacy.com/project/badge/Grade/6b6021d481dc41a888c5da0d9ecf9494)](https://www.codacy.com/app/jeremylong/DependencyCheck?utm_source=github.com&utm_medium=referral&utm_content=jeremylong/DependencyCheck&utm_campaign=Badge_Grade) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/843/badge)](https://bestpractices.coreinfrastructure.org/projects/843) [![Apache 2.0 License](https://img.shields.io/badge/license-Apache%202-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0.txt)
[![Black Hat Arsenal](https://www.toolswatch.org/badges/arsenal/2015.svg)](https://www.toolswatch.org/2015/06/black-hat-arsenal-usa-2015-speakers-lineup/) [![Black Hat Arsenal](https://www.toolswatch.org/badges/arsenal/2014.svg)](https://www.toolswatch.org/2014/06/black-hat-usa-2014-arsenal-tools-speaker-list/) [![Black Hat Arsenal](https://www.toolswatch.org/badges/arsenal/2013.svg)](https://www.toolswatch.org/2013/06/announcement-blackhat-arsenal-usa-2013-selected-tools/)

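--- /dev/null
+++ b/coverity_scan.sh
@@ -0,0 +1,12 @@
+#!/bin/bash -e
+if [ $TRAVIS_BRANCH = "master" ] && [ $TRAVIS_EVENT_TYPE = "cron" ] ; then
+echo "Executing Coverity Scan"
+export COVERITY_SCAN_PROJECT_NAME="jeremylong/DependencyCheck"
+export COVERITY_SCAN_NOTIFICATION_EMAIL="jeremy.long@owasp.org"
+export COVERITY_SCAN_BRANCH_PATTERN="master"
+export COVERITY_SCAN_BUILD_COMMAND="mvn package -Dmaven.test.skip=true"
+curl -s https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh | bash
+fi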
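Review bot: The `curl -s … | bash` on the last line executes whatever scan.coverity.com serves at that moment, presumably with the encrypted Coverity token from the `.travis.yml` `secure:` entries sitting in the environment, and `-s` without `-f` means an HTTP error page is piped into bash as well. Download first with `curl -fsSL https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh -o "$tmp"`, verify it against a pinned digest with `sha256sum -c`, and only then run `bash "$tmp"`, so a changed remote script fails the cron job instead of running with the secret. The expansions on the `if` line should also be quoted — `if [ "$TRAVIS_BRANCH" = "master" ] && [ "$TRAVIS_EVENT_TYPE" = "cron" ]; then` — so an unset variable produces a false test rather than a `[: =: unary operator expected` error.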


@@ -28,16 +28,13 @@ import org.apache.tools.ant.types.ResourceCollection;
import org.apache.tools.ant.types.resources.FileProvider;
import org.apache.tools.ant.types.resources.Resources;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Identifier;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.exception.ExceptionCollection;
import org.owasp.dependencycheck.exception.ReportException;
import org.owasp.dependencycheck.reporting.ReportGenerator;
import org.owasp.dependencycheck.reporting.ReportGenerator.Format;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.impl.StaticLoggerBinder;
@@ -146,8 +143,8 @@ public class Check extends Update {
private boolean updateOnly = false;
/**
* The report format to be generated (HTML, XML, VULN, CSV, JSON, ALL). Default is
* HTML.
* The report format to be generated (HTML, XML, VULN, CSV, JSON, ALL).
* Default is HTML.
*/
private String reportFormat = "HTML";
/**
@@ -940,7 +937,7 @@ public class Check extends Update {
throw new BuildException(ex);
}
}
engine.writeReports(getProjectName(),new File(reportOutputDirectory), reportFormat);
engine.writeReports(getProjectName(), new File(reportOutputDirectory), reportFormat);
if (this.failBuildOnCVSS <= 10) {
checkForFailure(engine.getDependencies());
@@ -1093,8 +1090,8 @@ public class Check extends Update {
}
/**
* An enumeration of supported report formats: "ALL", "HTML", "XML", "CSV", "JSON", "VULN",
* etc..
* An enumeration of supported report formats: "ALL", "HTML", "XML", "CSV",
* "JSON", "VULN", etc..
*/
public static class ReportFormats extends EnumeratedAttribute {


@@ -28,13 +28,10 @@ import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.apache.commons.cli.ParseException;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import org.owasp.dependencycheck.dependency.Dependency;
import org.apache.tools.ant.DirectoryScanner;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.reporting.ReportGenerator;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -220,56 +217,11 @@ public class App {
String[] excludes, int symLinkDepth, int cvssFailScore) throws InvalidScanPathException, DatabaseException,
ExceptionCollection, ReportException {
Engine engine = null;
int retCode = 0;
try {
final List<String> antStylePaths = getPaths(files);
final Set<File> paths = scanAntStylePaths(antStylePaths, symLinkDepth, excludes);
engine = new Engine();
final List<String> antStylePaths = new ArrayList<>();
for (String file : files) {
final String antPath = ensureCanonicalPath(file);
antStylePaths.add(antPath);
}
final Set<File> paths = new HashSet<>();
for (String file : antStylePaths) {
LOGGER.debug("Scanning {}", file);
final DirectoryScanner scanner = new DirectoryScanner();
String include = file.replace('\\', '/');
File baseDir;
if (include.startsWith("//")) {
throw new InvalidScanPathException("Unable to scan paths specified by //");
} else {
final int pos = getLastFileSeparator(include);
final String tmpBase = include.substring(0, pos);
final String tmpInclude = include.substring(pos + 1);
if (tmpInclude.indexOf('*') >= 0 || tmpInclude.indexOf('?') >= 0
|| (new File(include)).isFile()) {
baseDir = new File(tmpBase);
include = tmpInclude;
} else {
baseDir = new File(tmpBase, tmpInclude);
include = "**/*";
}
}
scanner.setBasedir(baseDir);
final String[] includes = {include};
scanner.setIncludes(includes);
scanner.setMaxLevelsOfSymlinks(symLinkDepth);
if (symLinkDepth <= 0) {
scanner.setFollowSymlinks(false);
}
if (excludes != null && excludes.length > 0) {
scanner.addExcludes(excludes);
}
scanner.scan();
if (scanner.getIncludedFilesCount() > 0) {
for (String s : scanner.getIncludedFiles()) {
final File f = new File(baseDir, s);
LOGGER.debug("Found file {}", f.toString());
paths.add(f);
}
}
}
engine.scan(paths);
ExceptionCollection exCol = null;
@@ -295,19 +247,7 @@ public class App {
if (exCol != null && exCol.getExceptions().size() > 0) {
throw exCol;
}
//Set the exit code based on whether we found a high enough vulnerability
for (Dependency dep : engine.getDependencies()) {
if (!dep.getVulnerabilities().isEmpty()) {
for (Vulnerability vuln : dep.getVulnerabilities()) {
LOGGER.debug("VULNERABILITY FOUND " + dep.getDisplayFileName());
if (vuln.getCvssScore() > cvssFailScore) {
retCode = 1;
}
}
}
}
return retCode;
return determineReturnCode(engine, cvssFailScore);
} finally {
if (engine != null) {
engine.cleanup();
@@ -315,6 +255,102 @@ public class App {
}
}
/**
* Determines the return code based on if one of the dependencies scanned
* has a vulnerability with a CVSS score above the cvssFailScore.
*
* @param engine the engine used during analysis
* @param cvssFailScore the max allowed CVSS score
* @return returns <code>1</code> if a severe enough vulnerability is
* identified; otherwise <code>0</code>
*/
private int determineReturnCode(Engine engine, int cvssFailScore) {
int retCode = 0;
//Set the exit code based on whether we found a high enough vulnerability
for (Dependency dep : engine.getDependencies()) {
if (!dep.getVulnerabilities().isEmpty()) {
for (Vulnerability vuln : dep.getVulnerabilities()) {
LOGGER.debug("VULNERABILITY FOUND " + dep.getDisplayFileName());
if (vuln.getCvssScore() > cvssFailScore) {
retCode = 1;
}
}
}
}
return retCode;
}
/**
* Scans the give Ant Style paths and collects the actual files.
*
* @param antStylePaths a list of ant style paths to scan for actual files
* @param symLinkDepth the depth to traverse symbolic links
* @param excludes an array of ant style excludes
* @return returns the set of identified files
* @throws InvalidScanPathException thrown when the scan path is invalid
* @throws IllegalStateException
*/
private Set<File> scanAntStylePaths(List<String> antStylePaths, int symLinkDepth, String[] excludes)
throws InvalidScanPathException {
final Set<File> paths = new HashSet<>();
for (String file : antStylePaths) {
LOGGER.debug("Scanning {}", file);
final DirectoryScanner scanner = new DirectoryScanner();
String include = file.replace('\\', '/');
File baseDir;
if (include.startsWith("//")) {
throw new InvalidScanPathException("Unable to scan paths specified by //");
} else {
final int pos = getLastFileSeparator(include);
final String tmpBase = include.substring(0, pos);
final String tmpInclude = include.substring(pos + 1);
if (tmpInclude.indexOf('*') >= 0 || tmpInclude.indexOf('?') >= 0
|| (new File(include)).isFile()) {
baseDir = new File(tmpBase);
include = tmpInclude;
} else {
baseDir = new File(tmpBase, tmpInclude);
include = "**/*";
}
}
scanner.setBasedir(baseDir);
final String[] includes = {include};
scanner.setIncludes(includes);
scanner.setMaxLevelsOfSymlinks(symLinkDepth);
if (symLinkDepth <= 0) {
scanner.setFollowSymlinks(false);
}
if (excludes != null && excludes.length > 0) {
scanner.addExcludes(excludes);
}
scanner.scan();
if (scanner.getIncludedFilesCount() > 0) {
for (String s : scanner.getIncludedFiles()) {
final File f = new File(baseDir, s);
LOGGER.debug("Found file {}", f.toString());
paths.add(f);
}
}
}
return paths;
}
/**
* Determines the ant style paths from the given array of files.
*
* @param files an array of file paths
* @return a list containing ant style paths
*/
private List<String> getPaths(String[] files) {
final List<String> antStylePaths = new ArrayList<>();
for (String file : files) {
final String antPath = ensureCanonicalPath(file);
antStylePaths.add(antPath);
}
return antStylePaths;
}
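Review bot: `scanAntStylePaths` declares `@throws IllegalStateException` with no description, and nothing in the hunk shows what raises it — presumably `DirectoryScanner.scan()` when the computed `baseDir` does not exist; either describe it (`@throws IllegalStateException if the base directory derived from a path does not exist — TODO confirm`) or drop the tag. In `determineReturnCode` the debug line uses concatenation, `LOGGER.debug("VULNERABILITY FOUND " + dep.getDisplayFileName())`, while the sibling helper uses the slf4j placeholder form; `LOGGER.debug("VULNERABILITY FOUND {}", dep.getDisplayFileName());` keeps the file consistent and skips building the string when debug is off. Both helpers are straight extractions of the removed inline code, so behaviour is unchanged; the `try`/`finally` of the calling method runs outside the hunk.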
/**
* Only executes the update phase of dependency-check.
*


@@ -812,7 +812,7 @@ public class Engine implements FileFilter {
* @param format the report format (ALL, HTML, CSV, JSON, etc.)
* @throws ReportException thrown if there is an error generating the report
*/
public void writeReports(String applicationName, String groupId, String artifactId,
public synchronized void writeReports(String applicationName, String groupId, String artifactId,
String version, File outputDir, String format) throws ReportException {
final DatabaseProperties prop = database.getDatabaseProperties();
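Review bot: `synchronized` is added to this `writeReports` overload without a comment on what shared state it guards, and the method body continues outside the hunk so the reason is not visible here; a later maintainer will not know whether it is safe to remove. Add a why-comment above the signature, such as `// Synchronized: report generation touches shared engine/database state — TODO confirm what is actually contended`. Also check that the shorter overload used by the Ant task, `writeReports(String, File, String)`, either delegates to this method or is made `synchronized` as well, otherwise the guard can be bypassed through that path.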


@@ -50,11 +50,30 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
* The Logger.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(FalsePositiveAnalyzer.class);
/**
* The file filter used to find DLL and EXE.
*/
private static final FileFilter DLL_EXE_FILTER = FileFilterBuilder.newInstance().addExtensions("dll", "exe").build();
/**
* Regex to identify core java libraries and a few other commonly
* misidentified ones.
*/
public static final Pattern CORE_JAVA = Pattern.compile("^cpe:/a:(sun|oracle|ibm):(j2[ems]e|"
+ "java(_platform_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|"
+ "jdk|jre|jsse)($|:.*)");
/**
* Regex to identify core jsf libraries.
*/
public static final Pattern CORE_JAVA_JSF = Pattern.compile("^cpe:/a:(sun|oracle|ibm):jsf($|:.*)");
/**
* Regex to identify core java library files. This is currently incomplete.
*/
public static final Pattern CORE_FILES = Pattern.compile("(^|/)((alt[-])?rt|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$");
/**
* Regex to identify core jsf java library files. This is currently
* incomplete.
*/
public static final Pattern CORE_JSF_FILES = Pattern.compile("(^|/)jsf[-][^/]*\\.jar$");
//<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
/**
@@ -214,27 +233,6 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
}
}
}
/**
* Regex to identify core java libraries and a few other commonly
* misidentified ones.
*/
public static final Pattern CORE_JAVA = Pattern.compile("^cpe:/a:(sun|oracle|ibm):(j2[ems]e|"
+ "java(_platform_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|"
+ "jdk|jre|jsse)($|:.*)");
/**
* Regex to identify core jsf libraries.
*/
public static final Pattern CORE_JAVA_JSF = Pattern.compile("^cpe:/a:(sun|oracle|ibm):jsf($|:.*)");
/**
* Regex to identify core java library files. This is currently incomplete.
*/
public static final Pattern CORE_FILES = Pattern.compile("(^|/)((alt[-])?rt|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$");
/**
* Regex to identify core jsf java library files. This is currently
* incomplete.
*/
public static final Pattern CORE_JSF_FILES = Pattern.compile("(^|/)jsf[-][^/]*\\.jar$");
/**
* Removes any CPE entries for the JDK/JRE unless the filename ends with


@@ -37,6 +37,16 @@ import org.owasp.dependencycheck.utils.Settings;
*/
public class FileNameAnalyzer extends AbstractAnalyzer {
/**
* Python init files
*/
//CSOFF: WhitespaceAfter
private static final NameFileFilter IGNORED_FILES = new NameFileFilter(new String[]{
"__init__.py",
"__init__.pyc",
"__init__.pyo",});
//CSON: WhitespaceAfter
//<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
/**
* The name of the analyzer.
@@ -78,16 +88,6 @@ public class FileNameAnalyzer extends AbstractAnalyzer {
}
//</editor-fold>
/**
* Python init files
*/
//CSOFF: WhitespaceAfter
private static final NameFileFilter IGNORED_FILES = new NameFileFilter(new String[]{
"__init__.py",
"__init__.pyc",
"__init__.pyo",});
//CSON: WhitespaceAfter
/**
* Collects information about the file name.
*


@@ -61,6 +61,10 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {
* The types of files on which this will work.
*/
private static final String SUPPORTED_EXTENSIONS = "nuspec";
/**
* The file filter used to determine which files this analyzer supports.
*/
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(SUPPORTED_EXTENSIONS).build();
/**
* Initializes the analyzer once before any analysis is performed.
@@ -69,6 +73,7 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {
*/
@Override
public void initializeFileTypeAnalyzer() throws InitializationException {
//nothing to initialize
}
/**
@@ -102,12 +107,6 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {
return ANALYSIS_PHASE;
}
/**
* The file filter used to determine which files this analyzer supports.
*/
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(
SUPPORTED_EXTENSIONS).build();
/**
* Returns the FileFilter
*


@@ -105,6 +105,11 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
*/
private static final FileFilter PY_FILTER = new SuffixFileFilter(".py");
/**
* The file filter used to determine which files this analyzer supports.
*/
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build();
/**
* Returns the name of the Python Package Analyzer.
*
@@ -125,11 +130,6 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
return AnalysisPhase.INFORMATION_COLLECTION;
}
/**
* The file filter used to determine which files this analyzer supports.
*/
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build();
/**
* Returns the FileFilter
*


@@ -802,10 +802,8 @@ public final class CveDB implements AutoCloseable {
try {
final PreparedStatement cs = getPreparedStatement(COUNT_CPE);
rs = cs.executeQuery();
if (rs.next()) {
if (rs.getInt(1) > 0) {
return true;
}
if (rs.next() && rs.getInt(1) > 0) {
return true;
}
} catch (Exception ex) {
String dd;
@@ -911,10 +909,9 @@ public final class CveDB implements AutoCloseable {
}
//this can't dereference a null 'identifiedVersion' because if it was null we would have exited
//in the above loop or just after loop (if matchesAnyPrevious return null).
if (entry.getValue() && identifiedVersion != null && identifiedVersion.compareTo(v) <= 0) {
if (!(isVersionTwoADifferentProduct && !identifiedVersion.getVersionParts().get(0).equals(v.getVersionParts().get(0)))) {
return entry;
}
if (entry.getValue() && identifiedVersion != null && identifiedVersion.compareTo(v) <= 0
&& !(isVersionTwoADifferentProduct && !identifiedVersion.getVersionParts().get(0).equals(v.getVersionParts().get(0)))) {
return entry;
}
}
}
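Review bot: The merged condition in the second hunk keeps the double negation `!(isVersionTwoADifferentProduct && !identifiedVersion.getVersionParts().get(0).equals(...))`, which is harder to read than the equivalent positive form, and both `getVersionParts().get(0)` calls will throw if either parts list is empty — whether that is already ruled out is not visible from the hunk. Rewrite the tail as `&& (!isVersionTwoADifferentProduct || identifiedVersion.getVersionParts().get(0).equals(v.getVersionParts().get(0)))` and extend the existing comment above it with the non-empty-parts precondition. The enclosing method starts and ends outside the hunk.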


@@ -17,14 +17,22 @@
*/
package org.owasp.dependencycheck.reporting;
import java.io.*;
import java.util.List;
import com.google.gson.JsonSyntaxException;
import com.google.gson.stream.JsonReader;
import com.google.gson.stream.JsonToken;
import static com.google.gson.stream.JsonToken.*;
import com.google.gson.stream.JsonWriter;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.io.UnsupportedEncodingException;
import java.math.BigDecimal;
import java.nio.charset.StandardCharsets;
import org.apache.velocity.VelocityContext;
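Review bot: The `java.io.*` wildcard is expanded into explicit imports, but `import static com.google.gson.stream.JsonToken.*;` stays as a wildcard static import next to the explicit `JsonToken` import, so the file now mixes both styles. Either list the token constants the class actually uses (which ones is not visible here) or drop the static import and qualify them as `JsonToken.NAME` at the use sites.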


@@ -31,12 +31,6 @@ import java.util.regex.Pattern;
* @author Jeremy Long
*/
public final class UrlStringUtils {
/**
* Private constructor for a utility class.
*/
private UrlStringUtils() {
}
/**
* A regular expression to test if a string contains a URL.
*/
@@ -45,7 +39,18 @@ public final class UrlStringUtils {
* A regular expression to test if a string is a URL.
*/
private static final Pattern IS_URL_TEST = Pattern.compile("^(ht|f)tps?://.*", Pattern.CASE_INSENSITIVE);
/**
* A listing of domain parts that should not be used as evidence. Yes, this
* is an incomplete list.
*/
private static final Set<String> IGNORE_LIST = new HashSet<>(
Arrays.asList("www", "com", "org", "gov", "info", "name", "net", "pro", "tel", "mobi", "xxx"));
/**
* Private constructor for a utility class.
*/
private UrlStringUtils() {
}
/**
* Tests if the text provided contains a URL. This is somewhat limited
* search in that it only looks for (ftp|http|https)://
@@ -66,12 +71,6 @@ public final class UrlStringUtils {
public static boolean isUrl(String text) {
return IS_URL_TEST.matcher(text).matches();
}
/**
* A listing of domain parts that should not be used as evidence. Yes, this
* is an incomplete list.
*/
private static final Set<String> IGNORE_LIST = new HashSet<>(
Arrays.asList("www", "com", "org", "gov", "info", "name", "net", "pro", "tel", "mobi", "xxx"));
/**
* <p>


@@ -12,7 +12,8 @@ import java.util.Map;
*
* @author https://stackoverflow.com/users/823393/oldcurmudgeon
*/
public class XmlEntity {
public final class XmlEntity {
/**
* The map of HTML entities.
*/
@@ -292,8 +293,8 @@ public class XmlEntity {
/**
* Converts a named XML entity into its HTML encoded Unicode code point.
*
* @param s the named entity (note, this should not include the leading '&amp;'
* or trailing ';'
* @param s the named entity (note, this should not include the leading
* '&amp;' or trailing ';'
* @return the HTML encoded Unicode code point representation of the named
* entity
*/


@@ -162,7 +162,7 @@ public class XmlInputStream extends FilterInputStream {
throw new IOException("Invalid/Unknown reference '&" + reference + ";'");
}
} else {
// Did not terminate properly!
// Did not terminate properly!
// Perhaps an & on its own or a malformed reference.
// Either way, escape the &
pushBack.append("&#38;").append(reference).append((char) ch);


@@ -31,6 +31,11 @@ public class Hints {
*/
private List<HintRule> hintRules;
/**
* The duplicating hint rules.
*/
private List<VendorDuplicatingHintRule> vendorDuplicatingHintRules;
/**
* Get the value of hintRules.
*
@@ -49,11 +54,6 @@ public class Hints {
this.hintRules = hintRules;
}
/**
* The duplicating hint rules.
*/
private List<VendorDuplicatingHintRule> vendorDuplicatingHintRules;
/**
* Get the value of vendorDuplicatingHintRules.
*


@@ -0,0 +1,4 @@
/**
* Contains classes used to fix XML prior to parsing.
*/
package org.owasp.dependencycheck.xml;


@@ -74,11 +74,22 @@ public class PomHandler extends DefaultHandler {
* The url element.
*/
public static final String URL = "url";
/**
* The pom model.
*/
private final Model model = new Model();
/**
* The stack of elements processed; used to determine the parent node.
*/
private final Deque<String> stack = new ArrayDeque<>();
/**
* The license object.
*/
private License license = null;
/**
* The current node text being extracted from the element.
*/
private StringBuilder currentText;
/**
* Returns the model obtained from the pom.xml.
@@ -88,19 +99,6 @@ public class PomHandler extends DefaultHandler {
public Model getModel() {
return model;
}
/**
* The stack of elements processed; used to determine the parent node.
*/
private final Deque<String> stack = new ArrayDeque<>();
/**
* The license object.
*/
private License license = null;
/**
* The current node text being extracted from the element.
*/
private StringBuilder currentText;
/**
* Handles the start element event.
@@ -194,10 +192,8 @@ public class PomHandler extends DefaultHandler {
}
break;
case LICENSES:
if (LICENSE.equals(qName)) {
if (license != null) {
model.addLicense(license);
}
if (LICENSE.equals(qName) && license != null) {
model.addLicense(license);
}
break;
default:


@@ -471,10 +471,11 @@
</suppress>
<suppress base="true">
<notes><![CDATA[
This CVE only affects jackson-dataformat-xml. See issue #517.
These CVEs only affect jackson-dataformat-xml. See issue #517 and #751.
]]></notes>
<gav regex="true">(org\.codehaus\.jackson|com\.fasterxml\.jackson\.core):jackson.*</gav>
<cve>CVE-2016-3720</cve>
<cve>CVE-2016-7051</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
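Review bot: The new `<cve>CVE-2016-7051</cve>` is suppressed for every artifact matching `(org\.codehaus\.jackson|com\.fasterxml\.jackson\.core):jackson.*`, and because this is a `base="true"` rule it silences the finding for every user of the tool; the notes justify it by saying the CVEs only affect jackson-dataformat-xml, which should be stated in terms of the regex so the rule is auditable. Confirm that jackson-dataformat-xml's groupId (`com.fasterxml.jackson.dataformat`) is indeed outside the pattern, and make the notes say so, e.g. `These CVEs only affect jackson-dataformat-xml (groupId com.fasterxml.jackson.dataformat, deliberately not matched by the gav regex). See issues #517 and #751.` The unanchored `jackson.*` tail is fine for the version segment but also covers any future artifactId starting with `jackson` under those two groups, which is worth knowing when the CVE list grows.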


@@ -21,15 +21,11 @@ import java.io.File;
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import static org.junit.Assert.assertTrue;
import org.junit.Test;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import org.owasp.dependencycheck.exception.ExceptionCollection;
import org.owasp.dependencycheck.exception.ReportException;
import org.owasp.dependencycheck.reporting.ReportGenerator;
import org.owasp.dependencycheck.utils.InvalidSettingException;
import org.owasp.dependencycheck.utils.Settings;
import static org.junit.Assert.assertTrue;


@@ -58,7 +58,7 @@ public class CPEAnalyzerIT extends BaseDBTestCase {
String vendor = "apache software foundation";
String product = "struts 2 core";
String version = "2.1.2";
CPEAnalyzer instance = new CPEAnalyzer();
String queryText = instance.buildSearch(vendor, product, null, null);


@@ -19,10 +19,6 @@ package org.owasp.dependencycheck.data.nvdcve;
import java.util.List;
import java.util.Set;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;


@@ -47,14 +47,10 @@ public class ReportGeneratorIT extends BaseDBTestCase {
/**
* Generates an XML report containing known vulnerabilities and realistic
* data and validates the generated XML document against the XSD.
*
* @throws Exception
*/
@Test
public void testGenerateReport() {
try {
String templateName = "XmlReport";
File f = new File("target/test-reports");
if (!f.exists()) {
f.mkdir();


@@ -56,17 +56,17 @@ public class UrlStringUtilsTest {
@Test
public void testExtractImportantUrlData() throws Exception {
String text = "http://github.com/jeremylong/DependencyCheck/index.html";
List<String> expResult = Arrays.asList("github", "jeremylong", "DependencyCheck", "index");;
List<String> expResult = Arrays.asList("github", "jeremylong", "DependencyCheck", "index");
List<String> result = UrlStringUtils.extractImportantUrlData(text);
assertEquals(expResult, result);
text = "http://github.com/jeremylong/DependencyCheck/.gitignore";
expResult = Arrays.asList("github", "jeremylong", "DependencyCheck", "gitignore");;
expResult = Arrays.asList("github", "jeremylong", "DependencyCheck", "gitignore");
result = UrlStringUtils.extractImportantUrlData(text);
assertEquals(expResult, result);
text = "http://github.com/jeremylong/DependencyCheck/something";
expResult = Arrays.asList("github", "jeremylong", "DependencyCheck", "something");;
expResult = Arrays.asList("github", "jeremylong", "DependencyCheck", "something");
result = UrlStringUtils.extractImportantUrlData(text);
assertEquals(expResult, result);
}


@@ -0,0 +1,94 @@
/*
* This file is part of dependency-check-maven.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2017 Josh Cain. All Rights Reserved.
*/
package org.owasp.dependencycheck.maven;
import org.owasp.dependencycheck.utils.Filter;
import static org.apache.maven.artifact.Artifact.SCOPE_COMPILE_PLUS_RUNTIME;
import static org.apache.maven.artifact.Artifact.SCOPE_RUNTIME;
import static org.apache.maven.artifact.Artifact.SCOPE_SYSTEM;
import static org.apache.maven.artifact.Artifact.SCOPE_TEST;
import static org.apache.maven.artifact.Artifact.SCOPE_PROVIDED;
/**
* Utility class to determine if an artifact should be excluded.
*
* @author Josh Cain
*/
public class ArtifactScopeExcluded extends Filter<String> {
/**
* Whether or not to skip the test scope.
*/
private final boolean skipTestScope;
/**
* Whether or not to skip the provided scope.
*/
private final boolean skipProvidedScope;
/**
* Whether or not to skip the system scope.
*/
private final boolean skipSystemScope;
/**
* Whether or not to skip the runtime scope.
*/
private final boolean skipRuntimeScope;
/**
* Constructs a new ArtifactScopeExcluded object.
*
* @param skipTestScope whether or not to skip the test scope
* @param skipProvidedScope whether or not to skip the provided scope
* @param skipSystemScope whether or not to skip the system scope
* @param skipRuntimeScope whether or not to skip the runtime scope
*/
public ArtifactScopeExcluded(final boolean skipTestScope, final boolean skipProvidedScope,
final boolean skipSystemScope, final boolean skipRuntimeScope) {
this.skipTestScope = skipTestScope;
this.skipProvidedScope = skipProvidedScope;
this.skipSystemScope = skipSystemScope;
this.skipRuntimeScope = skipRuntimeScope;
}
/**
* Tests is the artifact should be included in the scan (i.e. is the
* dependency in a scope that is being scanned).
*
* @param scope the scope of the artifact to test
* @return <code>true</code> if the artifact is in an excluded scope;
* otherwise <code>false</code>
*/
@Override
public boolean passes(final String scope) {
if (skipTestScope && SCOPE_TEST.equals(scope)) {
return true;
}
if (skipProvidedScope && SCOPE_PROVIDED.equals(scope)) {
return true;
}
if (skipSystemScope && SCOPE_SYSTEM.equals(scope)) {
return true;
}
if (skipRuntimeScope && SCOPE_RUNTIME.equals(scope)) {
return true;
}
if (skipRuntimeScope && skipSystemScope && SCOPE_COMPILE_PLUS_RUNTIME.equals(scope)) {
return true;
}
return false;
}
}
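Review bot: The javadoc on `passes` says it "Tests is the artifact should be included in the scan", while the `@return`, the body, the class name and the caller's `if (artifactScopeExcluded.passes(...)) continue;` all mean `true` = excluded; change the first sentence to `Tests if the artifact is in a scope that is excluded from the scan.` so the doc matches the contract. The last check, `skipRuntimeScope && skipSystemScope && SCOPE_COMPILE_PLUS_RUNTIME.equals(scope)`, gives no reason why skipping system scope is a precondition for excluding compile+runtime, and nothing else in the file ties the two flags together; add a comment stating the intent or, if the system-scope condition is accidental, drop it. The five `if` blocks also read more easily as one boolean table, shown below, which makes the flag/scope pairs easier to audit.
```java
@Override
public boolean passes(final String scope) {
    // true means the artifact is in a scope the caller asked to skip
    return (skipTestScope && SCOPE_TEST.equals(scope))
            || (skipProvidedScope && SCOPE_PROVIDED.equals(scope))
            || (skipSystemScope && SCOPE_SYSTEM.equals(scope))
            || (skipRuntimeScope && SCOPE_RUNTIME.equals(scope))
            // TODO(review): confirm why system scope must also be skipped for compile+runtime
            || (skipRuntimeScope && skipSystemScope && SCOPE_COMPILE_PLUS_RUNTIME.equals(scope));
}
```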


@@ -48,17 +48,14 @@ import org.apache.maven.shared.dependency.graph.DependencyGraphBuilderException;
import org.apache.maven.shared.dependency.graph.DependencyNode;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.data.nexus.MavenArtifact;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Identifier;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.exception.DependencyNotFoundException;
import org.owasp.dependencycheck.exception.ExceptionCollection;
import org.owasp.dependencycheck.exception.ReportException;
import org.owasp.dependencycheck.reporting.ReportGenerator;
import org.owasp.dependencycheck.utils.Filter;
import org.owasp.dependencycheck.utils.Settings;
import org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher;
import org.sonatype.plexus.components.sec.dispatcher.SecDispatcher;
@@ -468,6 +465,11 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
@Deprecated
private String externalReport = null;
/**
* The artifact scope filter.
*/
private Filter<String> artifactScopeExcluded;
// </editor-fold>
//<editor-fold defaultstate="collapsed" desc="Base Maven implementation">
/**
@@ -639,7 +641,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
List<DependencyNode> nodes, ProjectBuildingRequest buildingRequest) {
ExceptionCollection exCol = null;
for (DependencyNode dependencyNode : nodes) {
if (excludeFromScan(dependencyNode.getArtifact().getScope())) {
if (artifactScopeExcluded.passes(dependencyNode.getArtifact().getScope())) {
continue;
}
exCol = collectDependencies(engine, project, dependencyNode.getChildren(), buildingRequest);
@@ -651,7 +653,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
String version = null;
if (org.apache.maven.artifact.Artifact.SCOPE_SYSTEM.equals(dependencyNode.getArtifact().getScope())) {
for (org.apache.maven.model.Dependency d : project.getDependencies()) {
Artifact a = dependencyNode.getArtifact();
final Artifact a = dependencyNode.getArtifact();
if (d.getSystemPath() != null && artifactsMatch(d, a)) {
artifactFile = new File(d.getSystemPath());
@@ -987,6 +989,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
Settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
Settings.setIntIfNotNull(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, cveValidForHours);
artifactScopeExcluded = new ArtifactScopeExcluded(skipTestScope, skipProvidedScope, skipSystemScope, skipRuntimeScope);
}
/**
@@ -1016,27 +1019,6 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
return null;
}
/**
* Tests is the artifact should be included in the scan (i.e. is the
* dependency in a scope that is being scanned).
*
* @param scope the scope of the artifact to test
* @return <code>true</code> if the artifact is in an excluded scope;
* otherwise <code>false</code>
*/
protected boolean excludeFromScan(String scope) {
if (skipTestScope && org.apache.maven.artifact.Artifact.SCOPE_TEST.equals(scope)) {
return true;
}
if (skipProvidedScope && org.apache.maven.artifact.Artifact.SCOPE_PROVIDED.equals(scope)) {
return true;
}
if (skipSystemScope && org.apache.maven.artifact.Artifact.SCOPE_SYSTEM.equals(scope)) {
return true;
}
return skipRuntimeScope && !org.apache.maven.artifact.Artifact.SCOPE_RUNTIME.equals(scope);
}
/**
* Returns a reference to the current project. This method is used instead
* of auto-binding the project via component annotation in concrete
@@ -1069,6 +1051,15 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
return format;
}
/**
* Returns the artifact scope excluded filter.
*
* @return the artifact scope excluded filter
*/
protected Filter<String> getArtifactScopeExcluded() {
return artifactScopeExcluded;
}
//<editor-fold defaultstate="collapsed" desc="Methods to fail build or show summary">
/**
* Checks to see if a vulnerability has been identified with a CVSS score


@@ -64,7 +64,7 @@ public class CheckMojo extends BaseDependencyCheckMojo {
public boolean canGenerateReport() {
boolean isCapable = false;
for (Artifact a : getProject().getArtifacts()) {
if (!excludeFromScan(a.getScope())) {
if (!getArtifactScopeExcluded().passes(a.getScope())) {
isCapable = true;
break;
}
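Review bot: The new condition `!getArtifactScopeExcluded().passes(a.getScope())` is a double negative: a filter named ArtifactScopeExcluded answers `passes()` with true when the artifact is excluded, so a reader must invert twice to see that this branch handles an included artifact; a comment such as `// passes() is true when the scope is excluded from the scan` above the if would prevent misreading. The field behind getArtifactScopeExcluded() is only assigned in populateSettings(), so if canGenerateReport() can be invoked before that method has run this line throws a NullPointerException where the removed excludeFromScan() call could not; worth confirming the report lifecycle order or null-guarding the getter. The body of canGenerateReport() continues outside the hunk.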


@@ -0,0 +1,140 @@
/*
* This file is part of dependency-check-maven.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2017 Josh Cain. All Rights Reserved.
*/
package org.owasp.dependencycheck.maven;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
import org.owasp.dependencycheck.utils.Filter;
import java.util.Arrays;
import java.util.Collection;
import static org.apache.maven.artifact.Artifact.SCOPE_COMPILE;
import static org.apache.maven.artifact.Artifact.SCOPE_COMPILE_PLUS_RUNTIME;
import static org.apache.maven.artifact.Artifact.SCOPE_IMPORT;
import static org.apache.maven.artifact.Artifact.SCOPE_PROVIDED;
import static org.apache.maven.artifact.Artifact.SCOPE_RUNTIME;
import static org.apache.maven.artifact.Artifact.SCOPE_RUNTIME_PLUS_SYSTEM;
import static org.apache.maven.artifact.Artifact.SCOPE_SYSTEM;
import static org.apache.maven.artifact.Artifact.SCOPE_TEST;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.core.Is.is;
import static org.hamcrest.core.IsEqual.equalTo;
import static org.owasp.dependencycheck.maven.ArtifactScopeExcludedTest.ArtifactScopeExcludedTestBuilder.pluginDefaults;
@RunWith(Parameterized.class)
public class ArtifactScopeExcludedTest {
private final boolean skipTestScope;
private final boolean skipProvidedScope;
private final boolean skipSystemScope;
private final boolean skipRuntimeScope;
private final String testString;
private final boolean expectedResult;
@Parameterized.Parameters(name = "{0}")
public static Collection<Object[]> getParameters() {
return Arrays.asList(new Object[][]{
{pluginDefaults().withTestString(SCOPE_COMPILE).withExpectedResult(false)},
{pluginDefaults().withTestString(SCOPE_COMPILE_PLUS_RUNTIME).withExpectedResult(false)},
{pluginDefaults().withTestString(SCOPE_TEST).withExpectedResult(true)},
{pluginDefaults().withTestString(SCOPE_RUNTIME).withExpectedResult(false)},
{pluginDefaults().withTestString(SCOPE_RUNTIME_PLUS_SYSTEM).withExpectedResult(false)},
{pluginDefaults().withTestString(SCOPE_PROVIDED).withExpectedResult(false)},
{pluginDefaults().withTestString(SCOPE_SYSTEM).withExpectedResult(false)},
{pluginDefaults().withTestString(SCOPE_IMPORT).withExpectedResult(false)},
// Runtime scope was having some issues... let's fix.
{pluginDefaults().withSkipRuntimeScope(true).withTestString(SCOPE_COMPILE).withExpectedResult(false)},
{pluginDefaults().withSkipRuntimeScope(true).withTestString(SCOPE_RUNTIME).withExpectedResult(true)},
});
}
public ArtifactScopeExcludedTest(final ArtifactScopeExcludedTestBuilder builder) {
this.skipTestScope = builder.skipTestScope;
this.skipProvidedScope = builder.skipProvidedScope;
this.skipSystemScope = builder.skipSystemScope;
this.skipRuntimeScope = builder.skipRuntimeScope;
this.testString = builder.testString;
this.expectedResult = builder.expectedResult;
}
@Test
public void shouldExcludeArtifact() {
final Filter<String> artifactScopeExcluded = new ArtifactScopeExcluded(skipTestScope, skipProvidedScope, skipSystemScope, skipRuntimeScope);
assertThat(expectedResult, is(equalTo(artifactScopeExcluded.passes(testString))));
}
public static final class ArtifactScopeExcludedTestBuilder {
private boolean skipTestScope;
private boolean skipProvidedScope;
private boolean skipSystemScope;
private boolean skipRuntimeScope;
private String testString;
private boolean expectedResult;
private ArtifactScopeExcludedTestBuilder() {
}
public static ArtifactScopeExcludedTestBuilder pluginDefaults() {
return new ArtifactScopeExcludedTestBuilder()
.withSkipTestScope(true)
.withSkipProvidedScope(false)
.withSkipRuntimeScope(false)
.withSkipSystemScope(false);
}
public ArtifactScopeExcludedTestBuilder withSkipTestScope(final boolean skipTestScope) {
this.skipTestScope = skipTestScope;
return this;
}
public ArtifactScopeExcludedTestBuilder withSkipProvidedScope(final boolean skipProvidedScope) {
this.skipProvidedScope = skipProvidedScope;
return this;
}
public ArtifactScopeExcludedTestBuilder withSkipSystemScope(final boolean skipSystemScope) {
this.skipSystemScope = skipSystemScope;
return this;
}
public ArtifactScopeExcludedTestBuilder withSkipRuntimeScope(final boolean skipRuntimeScope) {
this.skipRuntimeScope = skipRuntimeScope;
return this;
}
public ArtifactScopeExcludedTestBuilder withTestString(final String testString) {
this.testString = testString;
return this;
}
public ArtifactScopeExcludedTestBuilder withExpectedResult(final boolean expectedResult) {
this.expectedResult = expectedResult;
return this;
}
@Override
public String toString() {
return String.format("new ArtifactScopeExcluded(%s, %s, %s, %s).passes(\"%s\") == %s;",
skipTestScope, skipProvidedScope, skipSystemScope, skipRuntimeScope, testString, expectedResult);
}
}
}
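Review bot: The parameter table in getParameters() never sets skipProvidedScope or skipSystemScope to true, so the provided- and system-scope exclusions that the filter takes over from the removed excludeFromScan() are untested; add cases such as `{pluginDefaults().withSkipProvidedScope(true).withTestString(SCOPE_PROVIDED).withExpectedResult(true)}` and the matching system-scope case. In shouldExcludeArtifact() the assertThat arguments are reversed, the actual value belongs in the first position and the expectation in the matcher, `assertThat(artifactScopeExcluded.passes(testString), is(equalTo(expectedResult)));`, otherwise a failure message reports expected and actual swapped. The comment `// Runtime scope was having some issues... let's fix.` would be more useful if it stated the intended contract, for example `// a runtime artifact is excluded only when skipRuntimeScope is set; other scopes are unaffected`.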


@@ -17,10 +17,7 @@
*/
package org.owasp.dependencycheck.maven;
import java.io.IOException;
import java.io.InputStream;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.junit.AfterClass;
import org.junit.BeforeClass;
import org.owasp.dependencycheck.utils.Settings;


@@ -17,9 +17,6 @@
*/
package org.owasp.dependencycheck.utils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
@@ -36,10 +33,6 @@ import java.security.NoSuchAlgorithmException;
*/
public final class Checksum {
/**
* The logger.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(Checksum.class);
/**
* Hex code characters used in getHex.
*/

20
pom.xml

@@ -124,12 +124,10 @@ Copyright (c) 2012 - Jeremy Long
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<github.global.server>github</github.global.server>
<!-- new versions of lucene are compiled with JDK 1.7 and cannot be used ubiquitously in Jenkins
thus, we cannot upgrade beyond 4.7.2 -->
<apache.lucene.version>4.7.2</apache.lucene.version>
<apache.ant.version>1.9.8</apache.ant.version>
<slf4j.version>1.7.23</slf4j.version>
<logback.version>1.1.9</logback.version>
<slf4j.version>1.7.24</slf4j.version>
<logback.version>1.2.0</logback.version>
<!-- Note that Maven will use classes from the distro, ignoring declared dependencies for Maven core... -->
<maven.api.version>3.0</maven.api.version>
<reporting.checkstyle-plugin.version>2.17</reporting.checkstyle-plugin.version>
@@ -199,7 +197,7 @@ Copyright (c) 2012 - Jeremy Long
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-failsafe-plugin</artifactId>
<version>2.19.1</version>
<version>2.20</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
@@ -234,7 +232,7 @@ Copyright (c) 2012 - Jeremy Long
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>2.19.1</version>
<version>2.20</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
@@ -670,7 +668,7 @@ Copyright (c) 2012 - Jeremy Long
<dependency>
<groupId>com.google.code.gson</groupId>
<artifactId>gson</artifactId>
<version>2.3.1</version>
<version>2.4</version>
</dependency>
<dependency>
<groupId>com.h2database</groupId>
@@ -680,7 +678,7 @@ Copyright (c) 2012 - Jeremy Long
<dependency>
<groupId>commons-cli</groupId>
<artifactId>commons-cli</artifactId>
<version>1.3.1</version>
<version>1.4</version>
</dependency>
<dependency>
<groupId>commons-io</groupId>
@@ -691,7 +689,7 @@ Copyright (c) 2012 - Jeremy Long
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
<!--upgrading beyond this may cause issues with the Jenkins plugin-->
<version>3.3.2</version>
<version>3.4</version>
</dependency>
<dependency>
<groupId>com.sun.mail</groupId>
@@ -717,7 +715,7 @@ Copyright (c) 2012 - Jeremy Long
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId>
<version>1.13</version>
<version>1.14</version>
</dependency>
<dependency>
<groupId>org.apache.ant</groupId>
@@ -815,7 +813,7 @@ Copyright (c) 2012 - Jeremy Long
<dependency>
<groupId>org.jmockit</groupId>
<artifactId>jmockit</artifactId>
<version>1.26</version>
<version>1.27</version>
<scope>test</scope>
</dependency>
<dependency>
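Review bot: The commons-lang3 version is bumped from 3.3.2 to 3.4 while the comment directly above it, `<!--upgrading beyond this may cause issues with the Jenkins plugin-->`, is left unchanged, so the comment now pins the new version without any indication that 3.4 was actually checked against the Jenkins plugin. If it was, say so, for example `<!-- 3.4 verified with the Jenkins plugin; upgrading beyond this may cause issues -->`; if it was not, the bump contradicts the comment and should be reverted or re-verified. The other dependency bumps in this file (gson, commons-cli, commons-compress, jmockit, surefire/failsafe) are unannotated, which is fine, but mixing them into a conflict-resolution commit makes a later behaviour change harder to trace to a specific upgrade.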


@@ -13,6 +13,6 @@
^ \* See the License for the specific language governing permissions and\s*$
^ \* limitations under the License\.\s*$
^ \*\s*$
^ \* Copyright \(c\) 201[0-9] (Jeremy Long|Steve Springett|Stefan Neuhaus|Bianca Jiang|IBM Corporation|The OWASP Foundation|Institute for Defense Analyses)\. All Rights Reserved\.\s*$
^ \* Copyright \(c\) 201[0-9] (Jeremy Long|Steve Springett|Stefan Neuhaus|Bianca Jiang|Josh Cain|IBM Corporation|The OWASP Foundation|Institute for Defense Analyses)\. All Rights Reserved\.\s*$
^ \*/\s*$
^package


@@ -1,7 +1,7 @@
#!/bin/sh
CLI_LOCATION=~/.local/dependency-check-1.2.11
CLI_SCRIPT=$CLI_LOCATION/bin/dependency-check.sh
NVD_PATH=$1/`date -I -d $2`
NVD_PATH=$1/$(date -I -d $2)
NVD=file://$NVD_PATH
shift 2 # We've used the first two params. The rest go to CLI_SCRIPT.
$CLI_SCRIPT --cveUrl20Base $NVD/nvdcve-2.0-%d.xml.gz \
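Review bot: The rewritten line `NVD_PATH=$1/$(date -I -d $2)` still leaves `$1` and `$2` unquoted, so an empty second argument turns into `date -I -d` with no operand and a value containing whitespace is word-split before date sees it; `NVD_PATH="$1/$(date -I -d "$2")"` keeps the intent and is safe under splitting. The same unquoted expansion appears in `NVD_ROOT=$1/$(date -I)` in the second shell script of this commit. `date -I` is a GNU extension and both scripts run under `#!/bin/sh`, which predates this change but deserves a one-line comment below the shebang. The `$CLI_SCRIPT` command on the last line continues outside the hunk.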


@@ -1,5 +1,5 @@
#!/bin/sh
NVD_ROOT=$1/`date -I`
NVD_ROOT=$1/$(date -I)
JAR_PATH=$2/nist-data-mirror-1.0.0.jar
java -jar $JAR_PATH $NVD_ROOT
rm $NVD_ROOT/*.xml # D-C works directly with .gz files anyway.
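Review bot: The new line `NVD_ROOT=$1/$(date -I)` has no guard for a missing first argument, and the later `rm $NVD_ROOT/*.xml` then operates on `/<date>/*.xml` at the filesystem root instead of the intended mirror directory; `NVD_ROOT="${1:?usage: $0 <nvd-root> <jar-dir>}/$(date -I)"` makes the script abort with a clear message instead of silently running against the wrong path. The comment on the rm line explains why the .xml files are removed but not why they were produced in the first place; a short note that the mirror jar writes both forms would help the next reader.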