From 69f39d4dfe3e679ee9f723d9ea9c5a260a3c2e75 Mon Sep 17 00:00:00 2001 From: Josh Cain Date: Tue, 30 May 2017 14:58:47 -0500 Subject: [PATCH 01/13] Fix #752 where skipping runtime-scoped maven artifacts also skipped compile-time artifacts --- .../maven/ArtifactScopeExcluded.java | 61 ++++++++ .../maven/BaseDependencyCheckMojo.java | 31 +--- .../dependencycheck/maven/CheckMojo.java | 2 +- .../maven/ArtifactScopeExcludedTest.java | 140 ++++++++++++++++++ 4 files changed, 207 insertions(+), 27 deletions(-) create mode 100644 dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/ArtifactScopeExcluded.java create mode 100644 dependency-check-maven/src/test/java/org/owasp/dependencycheck/maven/ArtifactScopeExcludedTest.java diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/ArtifactScopeExcluded.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/ArtifactScopeExcluded.java new file mode 100644 index 000000000..d1afd71c7 --- /dev/null +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/ArtifactScopeExcluded.java 
@@ -0,0 +1,61 @@ +/* + * This file is part of dependency-check-maven. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2017 Josh Cain. All Rights Reserved. + */ +package org.owasp.dependencycheck.maven; + +import org.owasp.dependencycheck.utils.Filter; + +/** + * Tests is the artifact should be included in the scan (i.e. is the + * dependency in a scope that is being scanned). + * + * @param scope the scope of the artifact to test + * @return true if the artifact is in an excluded scope; + * otherwise false + */ +public class ArtifactScopeExcluded extends Filter { + + private final boolean skipTestScope; + private final boolean skipProvidedScope; + private final boolean skipSystemScope; + private final boolean skipRuntimeScope; + + public ArtifactScopeExcluded(final boolean skipTestScope, final boolean skipProvidedScope, final boolean skipSystemScope, final boolean skipRuntimeScope) { + this.skipTestScope = skipTestScope; + this.skipProvidedScope = skipProvidedScope; + this.skipSystemScope = skipSystemScope; + this.skipRuntimeScope = skipRuntimeScope; + } + + @Override + public boolean passes(final String scope) { + if (skipTestScope && org.apache.maven.artifact.Artifact.SCOPE_TEST.equals(scope)) { + return true; + } + if (skipProvidedScope && org.apache.maven.artifact.Artifact.SCOPE_PROVIDED.equals(scope)) { + return true; + } + if (skipSystemScope && org.apache.maven.artifact.Artifact.SCOPE_SYSTEM.equals(scope)) { + return true; + } + 
if (skipRuntimeScope && org.apache.maven.artifact.Artifact.SCOPE_RUNTIME.equals(scope)) { + return true; + } + + return false; + } +} diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java index e7cf5f937..a91d5224d 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java @@ -48,17 +48,14 @@ import org.apache.maven.shared.dependency.graph.DependencyGraphBuilderException; import org.apache.maven.shared.dependency.graph.DependencyNode; import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.data.nexus.MavenArtifact; -import org.owasp.dependencycheck.data.nvdcve.CveDB; import org.owasp.dependencycheck.data.nvdcve.DatabaseException; -import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties; import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.dependency.Identifier; import org.owasp.dependencycheck.dependency.Vulnerability; import org.owasp.dependencycheck.exception.DependencyNotFoundException; import org.owasp.dependencycheck.exception.ExceptionCollection; -import org.owasp.dependencycheck.exception.ReportException; -import org.owasp.dependencycheck.reporting.ReportGenerator; +import org.owasp.dependencycheck.utils.Filter; import org.owasp.dependencycheck.utils.Settings; import org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher; import org.sonatype.plexus.components.sec.dispatcher.SecDispatcher; @@ -468,6 +465,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma @Deprecated private String externalReport = null; + protected Filter artifactScopeExcluded; + // // /** 
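Review bot: The class-level Javadoc on `ArtifactScopeExcluded` carries `@param scope` and `@return` tags lifted from the old `excludeFromScan` method; they are meaningless on a type, and `passes`, the one method callers use, ends up undocumented. That matters because `passes` returning true means the artifact is dropped from the scan, the inverse of what a filter method named `passes` normally signals, which is why the call site in `collectDependencies` reads `if (artifactScopeExcluded.passes(...)) continue;`. Move the tags onto `passes` with the inversion stated, e.g. `@return true if the artifact's scope is one the skip*Scope settings exclude from scanning; otherwise false`, and give the class a plain summary such as `Filter that identifies artifacts whose Maven scope has been excluded from the scan.` It is also worth stating there that a null scope is never excluded (every comparison is `SCOPE_X.equals(scope)`), since an artifact silently landing on the excluded side would escape vulnerability checking entirely.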
@@ -639,7 +638,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma List nodes, ProjectBuildingRequest buildingRequest) { ExceptionCollection exCol = null; for (DependencyNode dependencyNode : nodes) { - if (excludeFromScan(dependencyNode.getArtifact().getScope())) { + if (artifactScopeExcluded.passes(dependencyNode.getArtifact().getScope())) { continue; } exCol = collectDependencies(engine, project, dependencyNode.getChildren(), buildingRequest); @@ -987,6 +986,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma Settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base); Settings.setIntIfNotNull(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, cveValidForHours); + artifactScopeExcluded = new ArtifactScopeExcluded(skipTestScope, skipProvidedScope, skipSystemScope, skipRuntimeScope); } /** @@ -1016,27 +1016,6 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma return null; } - /** - * Tests is the artifact should be included in the scan (i.e. is the - * dependency in a scope that is being scanned). - * - * @param scope the scope of the artifact to test - * @return true if the artifact is in an excluded scope; - * otherwise false - */ - protected boolean excludeFromScan(String scope) { - if (skipTestScope && org.apache.maven.artifact.Artifact.SCOPE_TEST.equals(scope)) { - return true; - } - if (skipProvidedScope && org.apache.maven.artifact.Artifact.SCOPE_PROVIDED.equals(scope)) { - return true; - } - if (skipSystemScope && org.apache.maven.artifact.Artifact.SCOPE_SYSTEM.equals(scope)) { - return true; - } - return skipRuntimeScope && !org.apache.maven.artifact.Artifact.SCOPE_RUNTIME.equals(scope); - } - /** * Returns a reference to the current project. This method is used instead * of auto-binding the project via component annotation in concrete 
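Review bot: `artifactScopeExcluded` is dereferenced in `collectDependencies` (hunk at 639) and in `CheckMojo.canGenerateReport` (next file), but it is only assigned at the end of the settings-population hunk at 987, so any path that reaches either call before that method runs — the Maven site/reporting machinery invoking `canGenerateReport()` is the likely one — throws a NullPointerException where the old `excludeFromScan` simply read the boolean fields. Safer to derive the filter from the skip flags at the point of use instead of depending on call order, e.g. `protected Filter getArtifactScopeExcluded() { return new ArtifactScopeExcluded(skipTestScope, skipProvidedScope, skipSystemScope, skipRuntimeScope); }`, route both call sites through it, and drop the mutable `protected` field added at 465 (or make it private and lazily filled by that getter). The enclosing method of the 987 hunk and its callers are outside the hunk, so the ordering cannot be confirmed from here; it should be checked before this ships, because a report-generation NPE here would look like a plugin crash rather than a scoping bug.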
diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java index 1b6a30d55..2540fd280 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java @@ -64,7 +64,7 @@ public class CheckMojo extends BaseDependencyCheckMojo { public boolean canGenerateReport() { boolean isCapable = false; for (Artifact a : getProject().getArtifacts()) { - if (!excludeFromScan(a.getScope())) { + if (!artifactScopeExcluded.passes(a.getScope())) { isCapable = true; break; } diff --git a/dependency-check-maven/src/test/java/org/owasp/dependencycheck/maven/ArtifactScopeExcludedTest.java b/dependency-check-maven/src/test/java/org/owasp/dependencycheck/maven/ArtifactScopeExcludedTest.java new file mode 100644 index 000000000..e286c61c7 --- /dev/null +++ b/dependency-check-maven/src/test/java/org/owasp/dependencycheck/maven/ArtifactScopeExcludedTest.java 
@@ -0,0 +1,140 @@ +/* + * This file is part of dependency-check-maven. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2017 Josh Cain. All Rights Reserved. + */ +package org.owasp.dependencycheck.maven; + +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.Parameterized; +import org.owasp.dependencycheck.utils.Filter; + +import java.util.Arrays; +import java.util.Collection; + +import static org.apache.maven.artifact.Artifact.SCOPE_COMPILE; +import static org.apache.maven.artifact.Artifact.SCOPE_COMPILE_PLUS_RUNTIME; +import static org.apache.maven.artifact.Artifact.SCOPE_IMPORT; +import static org.apache.maven.artifact.Artifact.SCOPE_PROVIDED; +import static org.apache.maven.artifact.Artifact.SCOPE_RUNTIME; +import static org.apache.maven.artifact.Artifact.SCOPE_RUNTIME_PLUS_SYSTEM; +import static org.apache.maven.artifact.Artifact.SCOPE_SYSTEM; +import static org.apache.maven.artifact.Artifact.SCOPE_TEST; +import static org.hamcrest.MatcherAssert.assertThat; +import static org.hamcrest.core.Is.is; +import static org.hamcrest.core.IsEqual.equalTo; +import static org.owasp.dependencycheck.maven.ArtifactScopeExcludedTest.ArtifactScopeExcludedTestBuilder.pluginDefaults; + +@RunWith(Parameterized.class) +public class ArtifactScopeExcludedTest { + + private final boolean skipTestScope; + private final boolean skipProvidedScope; + private final boolean skipSystemScope; + private final boolean 
skipRuntimeScope; + private final String testString; + private final boolean expectedResult; + + @Parameterized.Parameters(name = "{0}") + public static Collection getParameters() { + return Arrays.asList(new Object[][]{ + {pluginDefaults().withTestString(SCOPE_COMPILE).withExpectedResult(false)}, + {pluginDefaults().withTestString(SCOPE_COMPILE_PLUS_RUNTIME).withExpectedResult(false)}, + {pluginDefaults().withTestString(SCOPE_TEST).withExpectedResult(true)}, + {pluginDefaults().withTestString(SCOPE_RUNTIME).withExpectedResult(false)}, + {pluginDefaults().withTestString(SCOPE_RUNTIME_PLUS_SYSTEM).withExpectedResult(false)}, + {pluginDefaults().withTestString(SCOPE_PROVIDED).withExpectedResult(false)}, + {pluginDefaults().withTestString(SCOPE_SYSTEM).withExpectedResult(false)}, + {pluginDefaults().withTestString(SCOPE_IMPORT).withExpectedResult(false)}, + + // Runtime scope was having some issues... let's fix. + {pluginDefaults().withSkipRuntimeScope(true).withTestString(SCOPE_COMPILE).withExpectedResult(false)}, + {pluginDefaults().withSkipRuntimeScope(true).withTestString(SCOPE_RUNTIME).withExpectedResult(true)}, + }); + } + + public ArtifactScopeExcludedTest(final ArtifactScopeExcludedTestBuilder builder) { + this.skipTestScope = builder.skipTestScope; + this.skipProvidedScope = builder.skipProvidedScope; + this.skipSystemScope = builder.skipSystemScope; + this.skipRuntimeScope = builder.skipRuntimeScope; + this.testString = builder.testString; + this.expectedResult = builder.expectedResult; + } + + @Test + public void shouldExcludeArtifact() { + final Filter artifactScopeExcluded = new ArtifactScopeExcluded(skipTestScope, skipProvidedScope, skipSystemScope, skipRuntimeScope); + assertThat(expectedResult, is(equalTo(artifactScopeExcluded.passes(testString)))); + } + + public static final class ArtifactScopeExcludedTestBuilder { + + private boolean skipTestScope; + private boolean skipProvidedScope; + private boolean skipSystemScope; + private boolean 
skipRuntimeScope; + private String testString; + private boolean expectedResult; + + private ArtifactScopeExcludedTestBuilder() { + } + + public static ArtifactScopeExcludedTestBuilder pluginDefaults() { + return new ArtifactScopeExcludedTestBuilder() + .withSkipTestScope(true) + .withSkipProvidedScope(false) + .withSkipRuntimeScope(false) + .withSkipSystemScope(false); + } + + public ArtifactScopeExcludedTestBuilder withSkipTestScope(final boolean skipTestScope) { + this.skipTestScope = skipTestScope; + return this; + } + + public ArtifactScopeExcludedTestBuilder withSkipProvidedScope(final boolean skipProvidedScope) { + this.skipProvidedScope = skipProvidedScope; + return this; + } + + public ArtifactScopeExcludedTestBuilder withSkipSystemScope(final boolean skipSystemScope) { + this.skipSystemScope = skipSystemScope; + return this; + } + + public ArtifactScopeExcludedTestBuilder withSkipRuntimeScope(final boolean skipRuntimeScope) { + this.skipRuntimeScope = skipRuntimeScope; + return this; + } + + public ArtifactScopeExcludedTestBuilder withTestString(final String testString) { + this.testString = testString; + return this; + } + + public ArtifactScopeExcludedTestBuilder withExpectedResult(final boolean expectedResult) { + this.expectedResult = expectedResult; + return this; + } + + @Override + public String toString() { + return String.format("new ArtifactScopeExcluded(%s, %s, %s, %s).passes(\"%s\") == %s;", + skipTestScope, skipProvidedScope, skipSystemScope, skipRuntimeScope, testString, expectedResult); + } + } +} From ed09242cb7fa1ddf0845ad9462d8430738b274f5 Mon Sep 17 00:00:00 2001 From: Josh Cain Date: Fri, 2 Jun 2017 10:57:38 -0500 Subject: [PATCH 02/13] include checking for maven scope COMPILE_PLUS_RUNTIME on artifact omission predicate --- .../owasp/dependencycheck/maven/ArtifactScopeExcluded.java | 5 +++++ 1 file changed, 5 insertions(+) 
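Review bot: `shouldExcludeArtifact` passes the arguments to `assertThat` in reversed order, `assertThat(expectedResult, is(equalTo(artifactScopeExcluded.passes(testString))))`, so a failure message reports the actual value as "Expected" and the expectation as "was"; swap them to `assertThat(artifactScopeExcluded.passes(testString), is(equalTo(expectedResult)));`. The parameter table only ever flips `skipRuntimeScope`, so the `skipProvidedScope` and `skipSystemScope` branches of `passes` are never exercised as true; adding `pluginDefaults().withSkipProvidedScope(true).withTestString(SCOPE_PROVIDED).withExpectedResult(true)`, the matching `withSkipSystemScope(true)`/`SCOPE_SYSTEM` case, and a `SCOPE_COMPILE` case with all four flags set would cover the remaining branches and pin the #752 invariant that compile-scoped artifacts are never dropped. The comment `// Runtime scope was having some issues... let's fix.` should name the defect it guards against, e.g. `// Regression for #752: skipping runtime scope must not exclude compile-scoped artifacts.`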
diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/ArtifactScopeExcluded.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/ArtifactScopeExcluded.java index d1afd71c7..0ee4e83d4 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/ArtifactScopeExcluded.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/ArtifactScopeExcluded.java @@ -19,6 +19,8 @@ package org.owasp.dependencycheck.maven; import org.owasp.dependencycheck.utils.Filter; +import static org.apache.maven.artifact.Artifact.SCOPE_RUNTIME_PLUS_SYSTEM; + /** * Tests is the artifact should be included in the scan (i.e. is the * dependency in a scope that is being scanned). @@ -55,6 +57,9 @@ public class ArtifactScopeExcluded extends Filter { if (skipRuntimeScope && org.apache.maven.artifact.Artifact.SCOPE_RUNTIME.equals(scope)) { return true; } + if (skipRuntimeScope && skipSystemScope && org.apache.maven.artifact.Artifact.SCOPE_COMPILE_PLUS_RUNTIME.equals(SCOPE_RUNTIME_PLUS_SYSTEM)) { + return true; + } return false; } From bbf0b295ce4190bb7c4a15bc51a500fd4e5b6869 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 3 Jun 2017 06:57:59 -0400 Subject: [PATCH 03/13] attempting to get travis to run a coverity scan --- .travis.yml | 21 ++++++--------------- coverity_scan.sh | 13 +++++++++++++ 2 files changed, 19 insertions(+), 15 deletions(-) create mode 100644 coverity_scan.sh diff --git a/.travis.yml b/.travis.yml index ed2f38e1a..ea4ed6220 100644 --- a/.travis.yml +++ b/.travis.yml 
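Review bot: The branch added to `passes` compares two constants to each other, `SCOPE_COMPILE_PLUS_RUNTIME.equals(SCOPE_RUNTIME_PLUS_SYSTEM)`, and never looks at `scope`; the two strings differ, so the condition is always false, the branch is dead, and the behaviour the commit message promises is not implemented. Judging from the `skipRuntimeScope && skipSystemScope` guard and the static import added in the same hunk, the intended line looks like `if (skipRuntimeScope && skipSystemScope && SCOPE_RUNTIME_PLUS_SYSTEM.equals(scope)) {`; whether compile+runtime should ever be excluded is doubtful anyway, since it contains compile scope and #752 was precisely about not dropping compile-time artifacts. The parameterized test from the previous commit has no case with both flags set and would not have caught this; add `pluginDefaults().withSkipRuntimeScope(true).withSkipSystemScope(true).withTestString(SCOPE_RUNTIME_PLUS_SYSTEM).withExpectedResult(true)` alongside the fix. Mis-classification here silently decides which dependencies get vulnerability-checked at all, so it deserves a test more than most branches.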
@@ -1,24 +1,15 @@ language: java jdk: oraclejdk7 script: mvn install -DreleaseTesting + env: global: - secure: ZUzhWfpXJw/oAeDlUkDFkEJMT0T7kCN3d7ah8urkL2B0KFfKOqQagkbXkgvDa1SYud8VdcnoGa69LfkEr5IrdqW7R4bEYZAiN5swm4Z0iO8t53szVspm2f+O9jQ44O/sfOfpfLxWUUuhdc7Vbrszp+tSszxdPmssWL+f5a/mfWs= - secure: pmFymoI7qH0Kna3NkcHrqLiTVWKmrhwqA4Z9U6XLhWDQxcs5g94wCCKpGB6Lkz9mkvRxBRFpZZelnXJa9W9mnuVOMIa5tQfS5gBuaNXOe7AXXdc+Y2975OR9sSfvf16FxLFvNJILmZq+bpMLs+EXaQvjYQHW2O6OWZdLhAPVG6A= + before_install: -- wget -O ~/codacy-coverage-reporter-assembly.jar https://oss.sonatype.org/service/local/repositories/releases/content/com/codacy/codacy-coverage-reporter/1.0.13/codacy-coverage-reporter-1.0.13-assembly.jar + - wget -O ~/codacy-coverage-reporter-assembly.jar https://oss.sonatype.org/service/local/repositories/releases/content/com/codacy/codacy-coverage-reporter/1.0.13/codacy-coverage-reporter-1.0.13-assembly.jar + after_success: -- java -cp ~/codacy-coverage-reporter-assembly.jar com.codacy.CodacyCoverageReporter - -l Java -r build-reporting/target/coverage-reports/jacoco.xml -matrix: - include: - - env: CRON_ONLY=1 - addons: - coverity_scan: - project: - name: OWASP dependency-check - version: 1.0 - description: A software composition analsis tools that detects publicly - disclosed vulnerabilities in application dependencies. - build_command: mvn -DskipTests=true package - branch_pattern: master + - java -cp ~/codacy-coverage-reporter-assembly.jar com.codacy.CodacyCoverageReporter -l Java -r build-reporting/target/coverage-reports/jacoco.xml + - ./coverity_scan.sh diff --git a/coverity_scan.sh b/coverity_scan.sh new file mode 100644 index 000000000..a83d6b76d --- /dev/null +++ b/coverity_scan.sh 
@@ -0,0 +1,13 @@ + + +if [ $TRAVIS_BRANCH = "master" ] && [ $TRAVIS_EVENT_TYPE = "cron" ] ; then + echo "Executing Coverity Scan" +fi + +export COVERITY_SCAN_PROJECT_NAME="jeremylong/DependencyCheck" +export COVERITY_SCAN_NOTIFICATION_EMAIL="jeremy.long@owasp.org" +export COVERITY_SCAN_BRANCH_PATTERN="master" +export COVERITY_SCAN_BUILD_COMMAND="mvn package -Dmaven.test.skip=true" + +# Run the Coverity scan +curl -s https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh | bash \ No newline at end of file From a07ab11f9fac75017ed0c7fedd3271fcedd1726a Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 3 Jun 2017 07:10:27 -0400 Subject: [PATCH 04/13] temporary change --- .travis.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index ea4ed6220..8c00b0a16 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,6 +1,7 @@ language: java jdk: oraclejdk7 -script: mvn install -DreleaseTesting +script: mvn install -Dmaven.test.skip=true +# -DreleaseTesting env: global: @@ -11,5 +12,6 @@ before_install: - wget -O ~/codacy-coverage-reporter-assembly.jar https://oss.sonatype.org/service/local/repositories/releases/content/com/codacy/codacy-coverage-reporter/1.0.13/codacy-coverage-reporter-1.0.13-assembly.jar after_success: - - java -cp ~/codacy-coverage-reporter-assembly.jar com.codacy.CodacyCoverageReporter -l Java -r build-reporting/target/coverage-reports/jacoco.xml + - chmod +x coverity_scan.sh - ./coverity_scan.sh +# - java -cp ~/codacy-coverage-reporter-assembly.jar com.codacy.CodacyCoverageReporter -l Java -r build-reporting/target/coverage-reports/jacoco.xml From c3ff5bac5426a76cd59471ae1a2e38ee355100f4 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 3 Jun 2017 07:23:57 -0400 Subject: [PATCH 05/13] added coverity scans via cron --- .travis.yml | 5 ++--- coverity_scan.sh | 17 ++++++++--------- 2 files changed, 10 insertions(+), 12 deletions(-) 
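Review bot: The `if [ $TRAVIS_BRANCH = "master" ] && [ $TRAVIS_EVENT_TYPE = "cron" ]` guard only wraps the echo, so the exports and the `curl | bash` run on every build regardless of branch or event (the coverity_scan.sh hunk two commits later re-scopes the `fi`, but the remaining points survive it); both variables are also unquoted, so an unset `TRAVIS_EVENT_TYPE` turns the test into `[ = "cron" ]` and a syntax error rather than a clean skip — write it as `[ "$TRAVIS_BRANCH" = "master" ] && [ "$TRAVIS_EVENT_TYPE" = "cron" ]`. The last line fetches a script over the network and executes it in a job whose environment holds the project's encrypted credentials from `.travis.yml`, and with `curl -s` an HTTP error page would be fed to bash just like the script; at minimum use `curl -fsSL` so a failed download aborts, and preferably download to a file, verify it against a pinned checksum recorded when the script was vetted, and only then run it, so an altered upstream script cannot run arbitrary commands with the CI secrets. The same `curl -s ... | bash` line is carried unchanged into the later hunk.
```shell
if [ "$TRAVIS_BRANCH" = "master" ] && [ "$TRAVIS_EVENT_TYPE" = "cron" ] ; then
  echo "Executing Coverity Scan"
  # … unchanged: COVERITY_SCAN_* exports …
  script="$(mktemp)"
  curl -fsSL https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh -o "$script"
  # [[COVERITY_SCRIPT_SHA256]] is a placeholder: record the digest of the reviewed script
  echo "[[COVERITY_SCRIPT_SHA256]]  $script" | sha256sum -c - && bash "$script"
fi
```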
diff --git a/.travis.yml b/.travis.yml index 8c00b0a16..3260a07cb 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,7 +1,6 @@ language: java jdk: oraclejdk7 -script: mvn install -Dmaven.test.skip=true -# -DreleaseTesting +script: mvn install -DreleaseTesting env: global: @@ -12,6 +11,6 @@ before_install: - wget -O ~/codacy-coverage-reporter-assembly.jar https://oss.sonatype.org/service/local/repositories/releases/content/com/codacy/codacy-coverage-reporter/1.0.13/codacy-coverage-reporter-1.0.13-assembly.jar after_success: + - java -cp ~/codacy-coverage-reporter-assembly.jar com.codacy.CodacyCoverageReporter -l Java -r build-reporting/target/coverage-reports/jacoco.xml - chmod +x coverity_scan.sh - ./coverity_scan.sh -# - java -cp ~/codacy-coverage-reporter-assembly.jar com.codacy.CodacyCoverageReporter -l Java -r build-reporting/target/coverage-reports/jacoco.xml diff --git a/coverity_scan.sh b/coverity_scan.sh index a83d6b76d..368af917a 100644 --- a/coverity_scan.sh +++ b/coverity_scan.sh @@ -1,13 +1,12 @@ - +#!/bin/bash -e if [ $TRAVIS_BRANCH = "master" ] && [ $TRAVIS_EVENT_TYPE = "cron" ] ; then echo "Executing Coverity Scan" -fi - -export COVERITY_SCAN_PROJECT_NAME="jeremylong/DependencyCheck" -export COVERITY_SCAN_NOTIFICATION_EMAIL="jeremy.long@owasp.org" -export COVERITY_SCAN_BRANCH_PATTERN="master" -export COVERITY_SCAN_BUILD_COMMAND="mvn package -Dmaven.test.skip=true" + + export COVERITY_SCAN_PROJECT_NAME="jeremylong/DependencyCheck" + export COVERITY_SCAN_NOTIFICATION_EMAIL="jeremy.long@owasp.org" + export COVERITY_SCAN_BRANCH_PATTERN="master" + export COVERITY_SCAN_BUILD_COMMAND="mvn package -Dmaven.test.skip=true" -# Run the Coverity scan -curl -s https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh | bash \ No newline at end of file + curl -s https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh | bash +fi \ No newline at end of file From ca4da60dc1993653023ae1d549a3b3b0ec23d9da Mon Sep 17 00:00:00 2001 
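Review bot: `#!/bin/bash -e` on the new first line of coverity_scan.sh only takes effect when the script is executed directly; running it as `bash coverity_scan.sh` or `sh coverity_scan.sh` ignores interpreter flags, and even when honoured, `-e` judges the `curl ... | bash` pipeline by bash's exit status, so a failed download still goes unnoticed. Put `set -euo pipefail` as the first statement after the shebang instead, which also makes the unquoted `$TRAVIS_BRANCH`/`$TRAVIS_EVENT_TYPE` expansions fail loudly when unset rather than producing a malformed test. The download-and-execute concern raised on the earlier coverity_scan.sh hunk still applies to the indented `curl` line here.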
From: Jeremy Long Date: Sat, 3 Jun 2017 08:07:55 -0400 Subject: [PATCH 06/13] fixed coverity reported unguarded read --- .../src/main/java/org/owasp/dependencycheck/Engine.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java index 6d7915e15..d102b752c 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java @@ -812,7 +812,7 @@ public class Engine implements FileFilter { * @param format the report format (ALL, HTML, CSV, JSON, etc.) * @throws ReportException thrown if there is an error generating the report */ - public void writeReports(String applicationName, String groupId, String artifactId, + public synchronized void writeReports(String applicationName, String groupId, String artifactId, String version, File outputDir, String format) throws ReportException { final DatabaseProperties prop = database.getDatabaseProperties(); From 1fff0db18cc19339c1f93312af0c83c598e90888 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 3 Jun 2017 20:17:33 -0400 Subject: [PATCH 07/13] added CII badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index eca8c088d..c924b00c2 100644 --- a/README.md +++ b/README.md 
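Review bot: Adding `synchronized` to this one `writeReports` overload silences Coverity's unguarded-read finding on `database.getDatabaseProperties()` but only establishes mutual exclusion with code that also holds the `Engine` monitor; unless every write to `database`, and the other `writeReports(String, File, String)` overload that the Ant task calls later in this series, are likewise synchronized on `this`, the read is still unguarded in the sense Coverity meant. If `database` is assigned once in the constructor and never reassigned, the cleaner fix is to make the field `final`, which documents the intent and needs no locking; if it is reassigned (for example on cleanup), `volatile` or a single lock covering both reads and writes is needed, and the chosen thread-safety contract belongs in the `Engine` class Javadoc. The body of `writeReports` continues outside the hunk, so I cannot see what else it touches under the new lock.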
@@ -1,4 +1,4 @@ -[![Build Status](https://travis-ci.org/jeremylong/DependencyCheck.svg?branch=master)](https://travis-ci.org/jeremylong/DependencyCheck) [![Coverity Scan Build Status](https://scan.coverity.com/projects/1654/badge.svg)](https://scan.coverity.com/projects/dependencycheck) [![Codacy Badge](https://api.codacy.com/project/badge/Grade/6b6021d481dc41a888c5da0d9ecf9494)](https://www.codacy.com/app/jeremylong/DependencyCheck?utm_source=github.com&utm_medium=referral&utm_content=jeremylong/DependencyCheck&utm_campaign=Badge_Grade) [![Apache 2.0 License](https://img.shields.io/badge/license-Apache%202-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0.txt) +[![Build Status](https://travis-ci.org/jeremylong/DependencyCheck.svg?branch=master)](https://travis-ci.org/jeremylong/DependencyCheck) [![Coverity Scan Build Status](https://scan.coverity.com/projects/1654/badge.svg)](https://scan.coverity.com/projects/dependencycheck) [![Codacy Badge](https://api.codacy.com/project/badge/Grade/6b6021d481dc41a888c5da0d9ecf9494)](https://www.codacy.com/app/jeremylong/DependencyCheck?utm_source=github.com&utm_medium=referral&utm_content=jeremylong/DependencyCheck&utm_campaign=Badge_Grade) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/843/badge)](https://bestpractices.coreinfrastructure.org/projects/843) [![Apache 2.0 License](https://img.shields.io/badge/license-Apache%202-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0.txt) [![Black Hat Arsenal](https://www.toolswatch.org/badges/arsenal/2015.svg)](https://www.toolswatch.org/2015/06/black-hat-arsenal-usa-2015-speakers-lineup/) [![Black Hat Arsenal](https://www.toolswatch.org/badges/arsenal/2014.svg)](https://www.toolswatch.org/2014/06/black-hat-usa-2014-arsenal-tools-speaker-list/) [![Black Hat Arsenal](https://www.toolswatch.org/badges/arsenal/2013.svg)](https://www.toolswatch.org/2013/06/announcement-blackhat-arsenal-usa-2013-selected-tools/) 
From 6b359a71383d1c4eb911c792c64c97a047749784 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 4 Jun 2017 06:41:30 -0400 Subject: [PATCH 08/13] codacy, checkstyle, upgrades, etc. --- .../owasp/dependencycheck/taskdefs/Check.java | 13 +- .../java/org/owasp/dependencycheck/App.java | 164 +++++++++++------- .../analyzer/FalsePositiveAnalyzer.java | 42 +++-- .../analyzer/NuspecAnalyzer.java | 10 +- .../analyzer/PythonPackageAnalyzer.java | 10 +- .../reporting/ReportGenerator.java | 12 +- .../dependencycheck/utils/UrlStringUtils.java | 23 ++- .../owasp/dependencycheck/xml/XmlEntity.java | 7 +- .../dependencycheck/xml/XmlInputStream.java | 2 +- .../dependencycheck/xml/hints/Hints.java | 10 +- .../dependencycheck/xml/package-info.java | 4 + .../dependencycheck/xml/pom/PomHandler.java | 32 ++-- .../org/owasp/dependencycheck/EngineIT.java | 4 - .../analyzer/CPEAnalyzerIT.java | 2 +- .../data/nvdcve/CveDBMySqlIT.java | 4 - .../reporting/ReportGeneratorIT.java | 4 - .../utils/UrlStringUtilsTest.java | 2 +- .../maven/ArtifactScopeExcluded.java | 102 +++++++---- .../maven/BaseDependencyCheckMojo.java | 16 +- .../dependencycheck/maven/CheckMojo.java | 2 +- .../owasp/dependencycheck/utils/Checksum.java | 7 - pom.xml | 22 ++- src/main/config/checkstyle-header.txt | 2 +- src/site/resources/general/dep-check-date.sh | 2 +- src/site/resources/general/nvd_download.sh | 2 +- 25 files changed, 278 insertions(+), 222 deletions(-) create mode 100644 dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/package-info.java diff --git a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java index 05bab0aae..9841a0830 100644 --- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java +++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java 
@@ -28,16 +28,13 @@ import org.apache.tools.ant.types.ResourceCollection; import org.apache.tools.ant.types.resources.FileProvider; import org.apache.tools.ant.types.resources.Resources; import org.owasp.dependencycheck.Engine; -import org.owasp.dependencycheck.data.nvdcve.CveDB; import org.owasp.dependencycheck.data.nvdcve.DatabaseException; -import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties; import org.owasp.dependencycheck.data.update.exception.UpdateException; import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.dependency.Identifier; import org.owasp.dependencycheck.dependency.Vulnerability; import org.owasp.dependencycheck.exception.ExceptionCollection; import org.owasp.dependencycheck.exception.ReportException; -import org.owasp.dependencycheck.reporting.ReportGenerator; import org.owasp.dependencycheck.reporting.ReportGenerator.Format; import org.owasp.dependencycheck.utils.Settings; import org.slf4j.impl.StaticLoggerBinder; @@ -146,8 +143,8 @@ public class Check extends Update { private boolean updateOnly = false; /** - * The report format to be generated (HTML, XML, VULN, CSV, JSON, ALL). Default is - * HTML. + * The report format to be generated (HTML, XML, VULN, CSV, JSON, ALL). + * Default is HTML. */ private String reportFormat = "HTML"; /** @@ -940,7 +937,7 @@ public class Check extends Update { throw new BuildException(ex); } } - engine.writeReports(getProjectName(),new File(reportOutputDirectory), reportFormat); + engine.writeReports(getProjectName(), new File(reportOutputDirectory), reportFormat); if (this.failBuildOnCVSS <= 10) { checkForFailure(engine.getDependencies()); 
@@ -1093,8 +1090,8 @@ public class Check extends Update { } /** - * An enumeration of supported report formats: "ALL", "HTML", "XML", "CSV", "JSON", "VULN", - * etc.. + * An enumeration of supported report formats: "ALL", "HTML", "XML", "CSV", + * "JSON", "VULN", etc.. */ public static class ReportFormats extends EnumeratedAttribute { diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java index 8b7b709f3..0612c0781 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java @@ -28,13 +28,10 @@ import java.util.HashSet; import java.util.List; import java.util.Set; import org.apache.commons.cli.ParseException; -import org.owasp.dependencycheck.data.nvdcve.CveDB; import org.owasp.dependencycheck.data.nvdcve.DatabaseException; -import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties; import org.owasp.dependencycheck.dependency.Dependency; import org.apache.tools.ant.DirectoryScanner; import org.owasp.dependencycheck.dependency.Vulnerability; -import org.owasp.dependencycheck.reporting.ReportGenerator; import org.owasp.dependencycheck.utils.Settings; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -220,56 +217,11 @@ public class App { String[] excludes, int symLinkDepth, int cvssFailScore) throws InvalidScanPathException, DatabaseException, ExceptionCollection, ReportException { Engine engine = null; - int retCode = 0; try { + final List antStylePaths = getPaths(files); + final Set paths = scanAntStylePaths(antStylePaths, symLinkDepth, excludes); + engine = new Engine(); - final List antStylePaths = new ArrayList<>(); - for (String file : files) { - final String antPath = ensureCanonicalPath(file); - antStylePaths.add(antPath); - } - - final Set paths = new HashSet<>(); - for (String file : antStylePaths) { - LOGGER.debug("Scanning {}", file); - final DirectoryScanner scanner = new DirectoryScanner(); - String include = file.replace('\\', '/'); - File baseDir; - - if (include.startsWith("//")) { - throw new InvalidScanPathException("Unable to scan paths specified by //"); - } else { - final int pos = getLastFileSeparator(include); - final String tmpBase = include.substring(0, pos); - final String tmpInclude = include.substring(pos + 1); - if (tmpInclude.indexOf('*') >= 0 || tmpInclude.indexOf('?') >= 0 - || (new File(include)).isFile()) { - baseDir = new File(tmpBase); - include = tmpInclude; - } else { - baseDir = new File(tmpBase, tmpInclude); - include = "**/*"; - } - } - scanner.setBasedir(baseDir); - final String[] includes = {include}; - scanner.setIncludes(includes); - scanner.setMaxLevelsOfSymlinks(symLinkDepth); - if (symLinkDepth <= 0) { - scanner.setFollowSymlinks(false); - } - if (excludes != null && excludes.length > 0) { - scanner.addExcludes(excludes); - } - scanner.scan(); - if (scanner.getIncludedFilesCount() > 0) { - for (String s : scanner.getIncludedFiles()) { - final File f = new File(baseDir, s); - LOGGER.debug("Found file {}", f.toString()); - paths.add(f); - } - } - } engine.scan(paths); ExceptionCollection exCol = null; 
@@ -295,19 +247,7 @@ public class App { if (exCol != null && exCol.getExceptions().size() > 0) { throw exCol; } - - //Set the exit code based on whether we found a high enough vulnerability - for (Dependency dep : engine.getDependencies()) { - if (!dep.getVulnerabilities().isEmpty()) { - for (Vulnerability vuln : dep.getVulnerabilities()) { - LOGGER.debug("VULNERABILITY FOUND " + dep.getDisplayFileName()); - if (vuln.getCvssScore() > cvssFailScore) { - retCode = 1; - } - } - } - } - return retCode; + return determineReturnCode(engine, cvssFailScore); } finally { if (engine != null) { engine.cleanup(); 
@@ -315,6 +255,102 @@ public class App { } } + /** + * Determines the return code based on if one of the dependencies scanned + * has a vulnerability with a CVSS score above the cvssFailScore. + * + * @param engine the engine used during analysis + * @param cvssFailScore the max allowed CVSS score + * @return returns 1 if a severe enough vulnerability is + * identified; otherwise 0 + */ + private int determineReturnCode(Engine engine, int cvssFailScore) { + int retCode = 0; + //Set the exit code based on whether we found a high enough vulnerability + for (Dependency dep : engine.getDependencies()) { + if (!dep.getVulnerabilities().isEmpty()) { + for (Vulnerability vuln : dep.getVulnerabilities()) { + LOGGER.debug("VULNERABILITY FOUND " + dep.getDisplayFileName()); + if (vuln.getCvssScore() > cvssFailScore) { + retCode = 1; + } + } + } + } + return retCode; + } + + /** + * Scans the give Ant Style paths and collects the actual files. + * + * @param antStylePaths a list of ant style paths to scan for actual files + * @param symLinkDepth the depth to traverse symbolic links + * @param excludes an array of ant style excludes + * @return returns the set of identified files + * @throws InvalidScanPathException thrown when the scan path is invalid + * @throws IllegalStateException + */ + private Set scanAntStylePaths(List antStylePaths, int symLinkDepth, String[] excludes) + throws InvalidScanPathException { + final Set paths = new HashSet<>(); + for (String file : antStylePaths) { + LOGGER.debug("Scanning {}", file); + final DirectoryScanner scanner = new DirectoryScanner(); + String include = file.replace('\\', '/'); + File baseDir; + + if (include.startsWith("//")) { + throw new InvalidScanPathException("Unable to scan paths specified by //"); + } else { + final int pos = getLastFileSeparator(include); + final String tmpBase = include.substring(0, pos); + final String tmpInclude = include.substring(pos + 1); + if (tmpInclude.indexOf('*') >= 0 || tmpInclude.indexOf('?') 
>= 0 + || (new File(include)).isFile()) { + baseDir = new File(tmpBase); + include = tmpInclude; + } else { + baseDir = new File(tmpBase, tmpInclude); + include = "**/*"; + } + } + scanner.setBasedir(baseDir); + final String[] includes = {include}; + scanner.setIncludes(includes); + scanner.setMaxLevelsOfSymlinks(symLinkDepth); + if (symLinkDepth <= 0) { + scanner.setFollowSymlinks(false); + } + if (excludes != null && excludes.length > 0) { + scanner.addExcludes(excludes); + } + scanner.scan(); + if (scanner.getIncludedFilesCount() > 0) { + for (String s : scanner.getIncludedFiles()) { + final File f = new File(baseDir, s); + LOGGER.debug("Found file {}", f.toString()); + paths.add(f); + } + } + } + return paths; + } + + /** + * Determines the ant style paths from the given array of files. + * + * @param files an array of file paths + * @return a list containing ant style paths + */ + private List getPaths(String[] files) { + final List antStylePaths = new ArrayList<>(); + for (String file : files) { + final String antPath = ensureCanonicalPath(file); + antStylePaths.add(antPath); + } + return antStylePaths; + } + /** * Only executes the update phase of dependency-check. * diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java index 588536842..90390234c 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java 
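Review bot: The Javadoc on scanAntStylePaths declares `@throws IllegalStateException` with no description, and nothing in the method body visibly throws it; either document the condition (presumably it surfaces from `scanner.scan()` when the computed base directory does not exist or is not a directory) or drop the tag, and "Scans the give Ant Style paths" should read "given". In determineReturnCode the debug message `"VULNERABILITY FOUND " + dep.getDisplayFileName()` is built by concatenation while the rest of this hunk uses `LOGGER.debug("Found file {}", ...)` placeholders, and the `!dep.getVulnerabilities().isEmpty()` guard is redundant with the inner for-each. This `@@ -315,6 +255,102 @@` hunk starts on the preceding line; the moved scanning logic itself is unchanged from the old body.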
@@ -50,11 +50,30 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer { * The Logger. */ private static final Logger LOGGER = LoggerFactory.getLogger(FalsePositiveAnalyzer.class); - /** * The file filter used to find DLL and EXE. */ private static final FileFilter DLL_EXE_FILTER = FileFilterBuilder.newInstance().addExtensions("dll", "exe").build(); + /** + * Regex to identify core java libraries and a few other commonly + * misidentified ones. + */ + public static final Pattern CORE_JAVA = Pattern.compile("^cpe:/a:(sun|oracle|ibm):(j2[ems]e|" + + "java(_platform_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|" + + "jdk|jre|jsse)($|:.*)"); + /** + * Regex to identify core jsf libraries. + */ + public static final Pattern CORE_JAVA_JSF = Pattern.compile("^cpe:/a:(sun|oracle|ibm):jsf($|:.*)"); + /** + * Regex to identify core java library files. This is currently incomplete. + */ + public static final Pattern CORE_FILES = Pattern.compile("(^|/)((alt[-])?rt|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$"); + /** + * Regex to identify core jsf java library files. This is currently + * incomplete. + */ + public static final Pattern CORE_JSF_FILES = Pattern.compile("(^|/)jsf[-][^/]*\\.jar$"); // /** 
@@ -214,27 +233,6 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer { } } } - /** - * Regex to identify core java libraries and a few other commonly - * misidentified ones. - */ - public static final Pattern CORE_JAVA = Pattern.compile("^cpe:/a:(sun|oracle|ibm):(j2[ems]e|" - + "java(_platform_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|" - + "jdk|jre|jsse)($|:.*)"); - - /** - * Regex to identify core jsf libraries. - */ - public static final Pattern CORE_JAVA_JSF = Pattern.compile("^cpe:/a:(sun|oracle|ibm):jsf($|:.*)"); - /** - * Regex to identify core java library files. This is currently incomplete. - */ - public static final Pattern CORE_FILES = Pattern.compile("(^|/)((alt[-])?rt|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$"); - /** - * Regex to identify core jsf java library files. This is currently - * incomplete. - */ - public static final Pattern CORE_JSF_FILES = Pattern.compile("(^|/)jsf[-][^/]*\\.jar$"); /** * Removes any CPE entries for the JDK/JRE unless the filename ends with diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java index 20e46663a..1260fa3e2 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java @@ -61,6 +61,10 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer { * The types of files on which this will work. */ private static final String SUPPORTED_EXTENSIONS = "nuspec"; + /** + * The file filter used to determine which files this analyzer supports. + */ + private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(SUPPORTED_EXTENSIONS).build(); /** * Initializes the analyzer once before any analysis is performed. 
@@ -102,12 +106,6 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer { return ANALYSIS_PHASE; } - /** - * The file filter used to determine which files this analyzer supports. - */ - private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions( - SUPPORTED_EXTENSIONS).build(); - /** * Returns the FileFilter * diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java index 7d9bf88e9..12e58d3f4 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java @@ -105,6 +105,11 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { */ private static final FileFilter PY_FILTER = new SuffixFileFilter(".py"); + /** + * The file filter used to determine which files this analyzer supports. + */ + private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build(); + /** * Returns the name of the Python Package Analyzer. * @@ -125,11 +130,6 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer { return AnalysisPhase.INFORMATION_COLLECTION; } - /** - * The file filter used to determine which files this analyzer supports. - */ - private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build(); - /** * Returns the FileFilter * diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java index d31705519..c92d8c9f7 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java 
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java @@ -17,14 +17,22 @@ */ package org.owasp.dependencycheck.reporting; -import java.io.*; import java.util.List; import com.google.gson.JsonSyntaxException; import com.google.gson.stream.JsonReader; import com.google.gson.stream.JsonToken; -import static com.google.gson.stream.JsonToken.*; import com.google.gson.stream.JsonWriter; +import java.io.File; +import java.io.FileInputStream; +import java.io.FileNotFoundException; +import java.io.FileOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.InputStreamReader; +import java.io.OutputStream; +import java.io.OutputStreamWriter; +import java.io.UnsupportedEncodingException; import java.math.BigDecimal; import java.nio.charset.StandardCharsets; import org.apache.velocity.VelocityContext; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/UrlStringUtils.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/UrlStringUtils.java index 45308b9e6..5adf36d05 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/UrlStringUtils.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/UrlStringUtils.java @@ -31,12 +31,6 @@ import java.util.regex.Pattern; * @author Jeremy Long */ public final class UrlStringUtils { - - /** - * Private constructor for a utility class. - */ - private UrlStringUtils() { - } /** * A regular expression to test if a string contains a URL. */ 
@@ -45,7 +39,18 @@ public final class UrlStringUtils { * A regular expression to test if a string is a URL. */ private static final Pattern IS_URL_TEST = Pattern.compile("^(ht|f)tps?://.*", Pattern.CASE_INSENSITIVE); + /** + * A listing of domain parts that should not be used as evidence. Yes, this + * is an incomplete list. + */ + private static final Set IGNORE_LIST = new HashSet<>( + Arrays.asList("www", "com", "org", "gov", "info", "name", "net", "pro", "tel", "mobi", "xxx")); + /** + * Private constructor for a utility class. + */ + private UrlStringUtils() { + } /** * Tests if the text provided contains a URL. This is somewhat limited * search in that it only looks for (ftp|http|https):// @@ -66,12 +71,6 @@ public final class UrlStringUtils { public static boolean isUrl(String text) { return IS_URL_TEST.matcher(text).matches(); } - /** - * A listing of domain parts that should not be used as evidence. Yes, this - * is an incomplete list. - */ - private static final Set IGNORE_LIST = new HashSet<>( - Arrays.asList("www", "com", "org", "gov", "info", "name", "net", "pro", "tel", "mobi", "xxx")); /** *

diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/XmlEntity.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/XmlEntity.java index acad80fa7..9e436d9bc 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/XmlEntity.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/XmlEntity.java @@ -12,7 +12,8 @@ import java.util.Map; * * @author https://stackoverflow.com/users/823393/oldcurmudgeon */ -public class XmlEntity { +public final class XmlEntity { + /** * The map of HTML entities. */ @@ -292,8 +293,8 @@ public class XmlEntity { /** * Converts a named XML entity into its HTML encoded Unicode code point. * - * @param s the named entity (note, this should not include the leading '&' - * or trailing ';' + * @param s the named entity (note, this should not include the leading + * '&' or trailing ';' * @return the HTML encoded Unicode code point representation of the named * entity */ diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/XmlInputStream.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/XmlInputStream.java index 2879c2baf..f981c228b 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/XmlInputStream.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/XmlInputStream.java @@ -162,7 +162,7 @@ public class XmlInputStream extends FilterInputStream { throw new IOException("Invalid/Unknown reference '&" + reference + ";'"); } } else { - // Did not terminate properly! + // Did not terminate properly! // Perhaps an & on its own or a malformed reference. // Either way, escape the & pushBack.append("&").append(reference).append((char) ch); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/Hints.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/Hints.java index 34e465004..d44ed7984 100644 
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/Hints.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/Hints.java @@ -31,6 +31,11 @@ public class Hints { */ private List hintRules; + /** + * The duplicating hint rules. + */ + private List vendorDuplicatingHintRules; + /** * Get the value of hintRules. * @@ -49,11 +54,6 @@ public class Hints { this.hintRules = hintRules; } - /** - * The duplicating hint rules. - */ - private List vendorDuplicatingHintRules; - /** * Get the value of vendorDuplicatingHintRules. * diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/package-info.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/package-info.java new file mode 100644 index 000000000..73efcac63 --- /dev/null +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/package-info.java @@ -0,0 +1,4 @@ +/** + * Contains classes used to fix XML prior to parsing. + */ +package org.owasp.dependencycheck.xml; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomHandler.java index 014d8043e..a073b5ff6 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomHandler.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomHandler.java @@ -74,11 +74,22 @@ public class PomHandler extends DefaultHandler { * The url element. */ public static final String URL = "url"; - /** * The pom model. */ private final Model model = new Model(); + /** + * The stack of elements processed; used to determine the parent node. + */ + private final Deque stack = new ArrayDeque<>(); + /** + * The license object. + */ + private License license = null; + /** + * The current node text being extracted from the element. + */ + private StringBuilder currentText; /** * Returns the model obtained from the pom.xml. 
@@ -88,19 +99,6 @@ public class PomHandler extends DefaultHandler { public Model getModel() { return model; } - /** - * The stack of elements processed; used to determine the parent node. - */ - private final Deque stack = new ArrayDeque<>(); - /** - * The license object. - */ - private License license = null; - - /** - * The current node text being extracted from the element. - */ - private StringBuilder currentText; /** * Handles the start element event. @@ -194,10 +192,8 @@ public class PomHandler extends DefaultHandler { } break; case LICENSES: - if (LICENSE.equals(qName)) { - if (license != null) { - model.addLicense(license); - } + if (LICENSE.equals(qName) && license != null) { + model.addLicense(license); } break; default: diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineIT.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineIT.java index a85d34793..df0d58ecb 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineIT.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineIT.java @@ -19,15 +19,11 @@ package org.owasp.dependencycheck; import java.io.File; import java.io.IOException; -import static org.junit.Assert.assertTrue; import org.junit.Test; -import org.owasp.dependencycheck.data.nvdcve.CveDB; import org.owasp.dependencycheck.data.nvdcve.DatabaseException; -import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties; import org.owasp.dependencycheck.exception.ExceptionCollection; import org.owasp.dependencycheck.exception.ReportException; -import org.owasp.dependencycheck.reporting.ReportGenerator; import org.owasp.dependencycheck.utils.InvalidSettingException; import org.owasp.dependencycheck.utils.Settings; import static org.junit.Assert.assertTrue; 
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIT.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIT.java index 562a5bff3..d0eee79c7 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIT.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIT.java @@ -58,7 +58,7 @@ public class CPEAnalyzerIT extends BaseDBTestCase { String vendor = "apache software foundation"; String product = "struts 2 core"; - String version = "2.1.2"; + CPEAnalyzer instance = new CPEAnalyzer(); String queryText = instance.buildSearch(vendor, product, null, null); diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBMySqlIT.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBMySqlIT.java index e37fecafb..f3e6657c8 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBMySqlIT.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBMySqlIT.java @@ -19,10 +19,6 @@ package org.owasp.dependencycheck.data.nvdcve; import java.util.List; import java.util.Set; -import static org.junit.Assert.assertFalse; - -import static org.junit.Assert.assertTrue; -import static org.junit.Assert.fail; import org.junit.Test; import org.owasp.dependencycheck.BaseTest; diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIT.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIT.java index c0392df31..719ba17b6 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIT.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIT.java 
@@ -47,14 +47,10 @@ public class ReportGeneratorIT extends BaseDBTestCase { /** * Generates an XML report containing known vulnerabilities and realistic * data and validates the generated XML document against the XSD. - * - * @throws Exception */ @Test public void testGenerateReport() { try { - String templateName = "XmlReport"; - File f = new File("target/test-reports"); if (!f.exists()) { f.mkdir(); diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/UrlStringUtilsTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/UrlStringUtilsTest.java index 8107aa31d..0a4cc5980 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/UrlStringUtilsTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/UrlStringUtilsTest.java @@ -66,7 +66,7 @@ public class UrlStringUtilsTest { assertEquals(expResult, result); text = "http://github.com/jeremylong/DependencyCheck/something"; - expResult = Arrays.asList("github", "jeremylong", "DependencyCheck", "something");; + expResult = Arrays.asList("github", "jeremylong", "DependencyCheck", "something"); result = UrlStringUtils.extractImportantUrlData(text); assertEquals(expResult, result); } diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/ArtifactScopeExcluded.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/ArtifactScopeExcluded.java index 0ee4e83d4..ab373f13d 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/ArtifactScopeExcluded.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/ArtifactScopeExcluded.java 
@@ -18,49 +18,77 @@ package org.owasp.dependencycheck.maven; import org.owasp.dependencycheck.utils.Filter; - -import static org.apache.maven.artifact.Artifact.SCOPE_RUNTIME_PLUS_SYSTEM; +import static org.apache.maven.artifact.Artifact.SCOPE_COMPILE_PLUS_RUNTIME; +import static org.apache.maven.artifact.Artifact.SCOPE_RUNTIME; +import static org.apache.maven.artifact.Artifact.SCOPE_SYSTEM; +import static org.apache.maven.artifact.Artifact.SCOPE_TEST; +import static org.apache.maven.artifact.Artifact.SCOPE_PROVIDED; /** - * Tests is the artifact should be included in the scan (i.e. is the - * dependency in a scope that is being scanned). + * Utility class to determine if an artifact should be excluded. * - * @param scope the scope of the artifact to test - * @return true if the artifact is in an excluded scope; - * otherwise false + * @author Josh Cain */ public class ArtifactScopeExcluded extends Filter { - private final boolean skipTestScope; - private final boolean skipProvidedScope; - private final boolean skipSystemScope; - private final boolean skipRuntimeScope; + /** + * Whether or not to skip the test scope. + */ + private final boolean skipTestScope; + /** + * Whether or not to skip the provided scope. + */ + private final boolean skipProvidedScope; + /** + * Whether or not to skip the system scope. + */ + private final boolean skipSystemScope; + /** + * Whether or not to skip the runtime scope. + */ + private final boolean skipRuntimeScope; - public ArtifactScopeExcluded(final boolean skipTestScope, final boolean skipProvidedScope, final boolean skipSystemScope, final boolean skipRuntimeScope) { - this.skipTestScope = skipTestScope; - this.skipProvidedScope = skipProvidedScope; - this.skipSystemScope = skipSystemScope; - this.skipRuntimeScope = skipRuntimeScope; - } + /** + * Constructs a new ArtifactScopeExcluded object. 
+ * + * @param skipTestScope whether or not to skip the test scope + * @param skipProvidedScope whether or not to skip the provided scope + * @param skipSystemScope whether or not to skip the system scope + * @param skipRuntimeScope whether or not to skip the runtime scope + */ + public ArtifactScopeExcluded(final boolean skipTestScope, final boolean skipProvidedScope, + final boolean skipSystemScope, final boolean skipRuntimeScope) { + this.skipTestScope = skipTestScope; + this.skipProvidedScope = skipProvidedScope; + this.skipSystemScope = skipSystemScope; + this.skipRuntimeScope = skipRuntimeScope; + } - @Override - public boolean passes(final String scope) { - if (skipTestScope && org.apache.maven.artifact.Artifact.SCOPE_TEST.equals(scope)) { - return true; - } - if (skipProvidedScope && org.apache.maven.artifact.Artifact.SCOPE_PROVIDED.equals(scope)) { - return true; - } - if (skipSystemScope && org.apache.maven.artifact.Artifact.SCOPE_SYSTEM.equals(scope)) { - return true; - } - if (skipRuntimeScope && org.apache.maven.artifact.Artifact.SCOPE_RUNTIME.equals(scope)) { - return true; - } - if (skipRuntimeScope && skipSystemScope && org.apache.maven.artifact.Artifact.SCOPE_COMPILE_PLUS_RUNTIME.equals(SCOPE_RUNTIME_PLUS_SYSTEM)) { - return true; - } - - return false; - } + /** + * Tests is the artifact should be included in the scan (i.e. is the + * dependency in a scope that is being scanned). 
+ * + * @param scope the scope of the artifact to test + * @return true if the artifact is in an excluded scope; + * otherwise false + */ + @Override + public boolean passes(final String scope) { + if (skipTestScope && SCOPE_TEST.equals(scope)) { + return true; + } + if (skipProvidedScope && SCOPE_PROVIDED.equals(scope)) { + return true; + } + if (skipSystemScope && SCOPE_SYSTEM.equals(scope)) { + return true; + } + if (skipRuntimeScope && SCOPE_RUNTIME.equals(scope)) { + return true; + } + if (skipRuntimeScope && skipSystemScope && SCOPE_COMPILE_PLUS_RUNTIME.equals(scope)) { + return true; + } + return false; + } } diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java index a91d5224d..692bf2eec 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java @@ -465,7 +465,10 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma @Deprecated private String externalReport = null; - protected Filter artifactScopeExcluded; + /** + * The artifact scope filter. + */ + private Filter artifactScopeExcluded; // // @@ -650,7 +653,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma String version = null; if (org.apache.maven.artifact.Artifact.SCOPE_SYSTEM.equals(dependencyNode.getArtifact().getScope())) { for (org.apache.maven.model.Dependency d : project.getDependencies()) { - Artifact a = dependencyNode.getArtifact(); + final Artifact a = dependencyNode.getArtifact(); if (d.getSystemPath() != null && artifactsMatch(d, a)) { artifactFile = new File(d.getSystemPath()); 
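Review bot: The last branch of passes() compares a resolved artifact's scope with `SCOPE_COMPILE_PLUS_RUNTIME`; in Maven's Artifact API that constant is a filter-scope value ("compile+runtime") used when constructing an ArtifactFilter rather than a scope a dependency reports from getScope(), so the branch looks unreachable, and nothing explains why `skipRuntimeScope && skipSystemScope` should exclude it. Because this filter decides which dependencies are vulnerability-scanned at all, please either remove the branch or document the case it covers and pin it with a case in ArtifactScopeExcludedTest. The class Javadoc calls this a "Utility class", but it is a stateful Filter whose passes() returns true when the artifact is to be skipped, which is the reverse of the usual "passes = keep" reading; the method Javadoc should state that, e.g. `@return true if the artifact's scope is configured to be skipped (excluded from the scan); otherwise false. A null scope is never excluded.`, and "Tests is the artifact" should read "Tests if". This hunk starts two lines above.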
@@ -1048,6 +1051,15 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma return format; } + /** + * Returns the artifact scope excluded filter. + * + * @return the artifact scope excluded filter + */ + protected Filter getArtifactScopeExcluded() { + return artifactScopeExcluded; + } + // /** * Checks to see if a vulnerability has been identified with a CVSS score diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java index 2540fd280..75b20e8e4 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java @@ -64,7 +64,7 @@ public class CheckMojo extends BaseDependencyCheckMojo { public boolean canGenerateReport() { boolean isCapable = false; for (Artifact a : getProject().getArtifacts()) { - if (!artifactScopeExcluded.passes(a.getScope())) { + if (!getArtifactScopeExcluded().passes(a.getScope())) { isCapable = true; break; } diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java index 643b83aea..fa4565946 100644 --- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java +++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java @@ -17,9 +17,6 @@ */ package org.owasp.dependencycheck.utils; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - import java.io.File; import java.io.FileInputStream; import java.io.IOException; @@ -36,10 +33,6 @@ import java.security.NoSuchAlgorithmException; */ public final class Checksum { - /** - * The logger. - */ - private static final Logger LOGGER = LoggerFactory.getLogger(Checksum.class); /** * Hex code characters used in getHex. */ 
diff --git a/pom.xml b/pom.xml index c76264c30..71fd29339 100644 --- a/pom.xml +++ b/pom.xml @@ -124,12 +124,10 @@ Copyright (c) 2012 - Jeremy Long UTF-8 UTF-8 github - 4.7.2 1.9.8 - 1.7.23 - 1.1.9 + 1.7.24 + 1.2.0 3.0 2.17 @@ -199,7 +197,7 @@ Copyright (c) 2012 - Jeremy Long org.apache.maven.plugins maven-failsafe-plugin - 2.19.1 + 2.20 org.apache.maven.plugins @@ -234,7 +232,7 @@ Copyright (c) 2012 - Jeremy Long org.apache.maven.plugins maven-surefire-plugin - 2.19.1 + 2.20 org.apache.maven.plugins @@ -670,7 +668,7 @@ Copyright (c) 2012 - Jeremy Long com.google.code.gson gson - 2.3.1 + 2.4 com.h2database @@ -680,7 +678,7 @@ Copyright (c) 2012 - Jeremy Long commons-cli commons-cli - 1.3.1 + 1.4 commons-io @@ -691,7 +689,7 @@ Copyright (c) 2012 - Jeremy Long org.apache.commons commons-lang3 - 3.3.2 + 3.4 com.sun.mail @@ -717,7 +715,7 @@ Copyright (c) 2012 - Jeremy Long org.apache.commons commons-compress - 1.13 + 1.14 org.apache.ant @@ -804,7 +802,7 @@ Copyright (c) 2012 - Jeremy Long org.glassfish javax.json - 1.0.4 + 1.1 org.hamcrest @@ -815,7 +813,7 @@ Copyright (c) 2012 - Jeremy Long org.jmockit jmockit - 1.26 + 1.27 test diff --git a/src/main/config/checkstyle-header.txt b/src/main/config/checkstyle-header.txt index ac81f0010..8d34b1ad4 100644 --- a/src/main/config/checkstyle-header.txt +++ b/src/main/config/checkstyle-header.txt @@ -13,6 +13,6 @@ ^ \* See the License for the specific language governing permissions and\s*$ ^ \* limitations under the License\.\s*$ ^ \*\s*$ -^ \* Copyright \(c\) 201[0-9] (Jeremy Long|Steve Springett|Stefan Neuhaus|Bianca Jiang|IBM Corporation|The OWASP Foundation|Institute for Defense Analyses)\. All Rights Reserved\.\s*$ +^ \* Copyright \(c\) 201[0-9] (Jeremy Long|Steve Springett|Stefan Neuhaus|Bianca Jiang|Josh Cain|IBM Corporation|The OWASP Foundation|Institute for Defense Analyses)\. All Rights Reserved\.\s*$ ^ \*/\s*$ ^package 
diff --git a/src/site/resources/general/dep-check-date.sh b/src/site/resources/general/dep-check-date.sh index 21130bf8d..24a5c484b 100755 --- a/src/site/resources/general/dep-check-date.sh +++ b/src/site/resources/general/dep-check-date.sh @@ -1,7 +1,7 @@ #!/bin/sh CLI_LOCATION=~/.local/dependency-check-1.2.11 CLI_SCRIPT=$CLI_LOCATION/bin/dependency-check.sh -NVD_PATH=$1/`date -I -d $2` +NVD_PATH=$1/$(date -I -d $2) NVD=file://$NVD_PATH shift 2 # We've used the first two params. The rest go to CLI_SCRIPT. $CLI_SCRIPT --cveUrl20Base $NVD/nvdcve-2.0-%d.xml.gz \ diff --git a/src/site/resources/general/nvd_download.sh b/src/site/resources/general/nvd_download.sh index 5af32b5b9..062cd8e4f 100755 --- a/src/site/resources/general/nvd_download.sh +++ b/src/site/resources/general/nvd_download.sh @@ -1,5 +1,5 @@ #!/bin/sh -NVD_ROOT=$1/`date -I` +NVD_ROOT=$1/$(date -I) JAR_PATH=$2/nist-data-mirror-1.0.0.jar java -jar $JAR_PATH $NVD_ROOT rm $NVD_ROOT/*.xml # D-C works directly with .gz files anyway. \ No newline at end of file From 789a57b4304e485fbca07021b737180427431d95 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 4 Jun 2017 06:52:09 -0400 Subject: [PATCH 09/13] reverted version due to java 8 requirement --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 71fd29339..6601a294b 100644 --- a/pom.xml +++ b/pom.xml @@ -802,7 +802,7 @@ Copyright (c) 2012 - Jeremy Long org.glassfish javax.json - 1.1 + 1.0.4 org.hamcrest From a47d46914a5b4c20eace4bff369140ee17bd6b13 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 4 Jun 2017 07:07:36 -0400 Subject: [PATCH 10/13] made coverity scan executable --- .travis.yml | 1 - coverity_scan.sh | 0 2 files changed, 1 deletion(-) mode change 100644 => 100755 coverity_scan.sh diff --git a/.travis.yml b/.travis.yml index 3260a07cb..ea4ed6220 100644 --- a/.travis.yml +++ b/.travis.yml 
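Review bot: `NVD_PATH=$1/$(date -I -d $2)` still leaves `$1` and `$2` unquoted, so a path or date argument containing whitespace or glob characters is word-split before it reaches date and the variable; `NVD_PATH="$1/$(date -I -d "$2")"` keeps the arguments intact, and the same applies to `NVD_ROOT=$1/$(date -I)` in the nvd_download.sh hunk below. nvd_download.sh then runs `rm $NVD_ROOT/*.xml` on the same unquoted value, and with `$1` empty that resolves to a directory directly under `/`; adding `set -eu` after the shebang of both scripts and quoting `"$NVD_ROOT"` makes a missing argument fail before anything is deleted.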
@@ -12,5 +12,4 @@ before_install: after_success: - java -cp ~/codacy-coverage-reporter-assembly.jar com.codacy.CodacyCoverageReporter -l Java -r build-reporting/target/coverage-reports/jacoco.xml - - chmod +x coverity_scan.sh - ./coverity_scan.sh diff --git a/coverity_scan.sh b/coverity_scan.sh old mode 100644 new mode 100755 From 060cfd625e9333f5925b873979db6da4961ea851 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 4 Jun 2017 07:49:55 -0400 Subject: [PATCH 11/13] removed unused imports --- .../test/java/org/owasp/dependencycheck/maven/BaseTest.java | 3 --- 1 file changed, 3 deletions(-) diff --git a/dependency-check-maven/src/test/java/org/owasp/dependencycheck/maven/BaseTest.java b/dependency-check-maven/src/test/java/org/owasp/dependencycheck/maven/BaseTest.java index ef23a50ce..4181facd0 100644 --- a/dependency-check-maven/src/test/java/org/owasp/dependencycheck/maven/BaseTest.java +++ b/dependency-check-maven/src/test/java/org/owasp/dependencycheck/maven/BaseTest.java @@ -17,10 +17,7 @@ */ package org.owasp.dependencycheck.maven; -import java.io.IOException; import java.io.InputStream; -import java.util.logging.Level; -import java.util.logging.Logger; import org.junit.AfterClass; import org.junit.BeforeClass; import org.owasp.dependencycheck.utils.Settings; From 31ad7adadd580e247c7ae9f4fbf1cfb46dba47db Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 4 Jun 2017 08:03:11 -0400 Subject: [PATCH 12/13] fix issue #751 --- .../src/main/resources/dependencycheck-base-suppression.xml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml index e210335ca..d96ac3e08 100644 --- a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml +++ b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml 
@@ -471,10 +471,11 @@ (org\.codehaus\.jackson|com\.fasterxml\.jackson\.core):jackson.* CVE-2016-3720 + CVE-2016-7051
Date: Sun, 4 Jun 2017 08:13:59 -0400
Subject: [PATCH 13/13] minor codacy suggested changes
---
 .../analyzer/FileNameAnalyzer.java | 20 +++++++++----------
 .../analyzer/NuspecAnalyzer.java | 1 +
 .../dependencycheck/data/nvdcve/CveDB.java | 13 +++++-------
 .../utils/UrlStringUtilsTest.java | 4 ++--
 4 files changed, 18 insertions(+), 20 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java
index 21b1d186a..709423512 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java
@@ -37,6 +37,16 @@ import org.owasp.dependencycheck.utils.Settings; */ public class FileNameAnalyzer extends AbstractAnalyzer { + /** + * Python init files + */ + //CSOFF: WhitespaceAfter + private static final NameFileFilter IGNORED_FILES = new NameFileFilter(new String[]{ + "__init__.py", + "__init__.pyc", + "__init__.pyo",}); + //CSON: WhitespaceAfter + // /** * The name of the analyzer.
@@ -78,16 +88,6 @@ public class FileNameAnalyzer extends AbstractAnalyzer { } // - /** - * Python init files - */ - //CSOFF: WhitespaceAfter - private static final NameFileFilter IGNORED_FILES = new NameFileFilter(new String[]{ - "__init__.py", - "__init__.pyc", - "__init__.pyo",}); - //CSON: WhitespaceAfter - /** * Collects information about the file name. *
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
index 1260fa3e2..1aefe1129 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
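Review bot: The added `CVE-2016-7051` entry is attached to the existing regex-matched rule `(org\.codehaus\.jackson|com\.fasterxml\.jackson\.core):jackson.*`, which as far as the hunk shows is not bounded by version, so the CVE is hidden for every jackson artifact the pattern matches rather than for the specific coordinates the finding is wrong about. Nothing legible in the hunk records why this is a false positive; a `<notes>` element on the suppression stating the rationale (and, if possible, narrowing the `gav` to the affected artifact) would let a later maintainer re-evaluate the entry instead of trusting it blindly. Most of this hunk's 10 old / 11 new lines are not readable in this view, so the rule may already carry such a note.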
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
@@ -73,6 +73,7 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {
 */
 @Override
 public void initializeFileTypeAnalyzer() throws InitializationException {
+ //nothing to initialize
 }
 /**
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
index d88a25119..802d02076 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
@@ -802,10 +802,8 @@ public final class CveDB implements AutoCloseable {
 try {
 final PreparedStatement cs = getPreparedStatement(COUNT_CPE);
 rs = cs.executeQuery();
- if (rs.next()) {
- if (rs.getInt(1) > 0) {
- return true;
- }
+ if (rs.next() && rs.getInt(1) > 0) {
+ return true;
 }
 } catch (Exception ex) {
 String dd;
@@ -911,10 +909,9 @@ public final class CveDB implements AutoCloseable {
 }
 //this can't dereference a null 'identifiedVersion' because if it was null we would have exited
 //in the above loop or just after loop (if matchesAnyPrevious return null).
- if (entry.getValue() && identifiedVersion != null && identifiedVersion.compareTo(v) <= 0) {
- if (!(isVersionTwoADifferentProduct && !identifiedVersion.getVersionParts().get(0).equals(v.getVersionParts().get(0)))) {
- return entry;
- }
+ if (entry.getValue() && identifiedVersion != null && identifiedVersion.compareTo(v) <= 0
+ && !(isVersionTwoADifferentProduct && !identifiedVersion.getVersionParts().get(0).equals(v.getVersionParts().get(0)))) {
+ return entry;
 }
 }
 }
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/UrlStringUtilsTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/UrlStringUtilsTest.java
index 0a4cc5980..4477992a2 100644
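Review bot: The merged condition in the second CveDB hunk (`@@ -911,10 +909,9 @@`) carries over the double negation `!(isVersionTwoADifferentProduct && !identifiedVersion.getVersionParts().get(0).equals(v.getVersionParts().get(0)))`, which reads worse now that it sits on a continuation line of an already long `if`; the equivalent positive form `&& (!isVersionTwoADifferentProduct || identifiedVersion.getVersionParts().get(0).equals(v.getVersionParts().get(0)))) {` states what appears to be the intent (a different product only disqualifies when the leading version parts differ) directly. The comment above still says the null case "would have exited" in the loop above, and since the enclosing method starts and ends outside the hunk it is worth re-checking that this remains true rather than relying on the `identifiedVersion != null` guard to paper over it. The first hunk's `if (rs.next() && rs.getInt(1) > 0)` is a faithful collapse of the nested checks, though the surrounding `catch (Exception ex)` remains as broad as before.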
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/UrlStringUtilsTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/UrlStringUtilsTest.java
@@ -56,12 +56,12 @@ public class UrlStringUtilsTest {
 @Test
 public void testExtractImportantUrlData() throws Exception {
 String text = "http://github.com/jeremylong/DependencyCheck/index.html";
- List expResult = Arrays.asList("github", "jeremylong", "DependencyCheck", "index");;
+ List expResult = Arrays.asList("github", "jeremylong", "DependencyCheck", "index");
 List result = UrlStringUtils.extractImportantUrlData(text);
 assertEquals(expResult, result);
 text = "http://github.com/jeremylong/DependencyCheck/.gitignore";
- expResult = Arrays.asList("github", "jeremylong", "DependencyCheck", "gitignore");;
+ expResult = Arrays.asList("github", "jeremylong", "DependencyCheck", "gitignore");
 result = UrlStringUtils.extractImportantUrlData(text);
 assertEquals(expResult, result);