diff --git a/src/main/java/org/owasp/dependencycheck/App.java b/src/main/java/org/owasp/dependencycheck/App.java
index 070cef936..3f06dd846 100644
--- a/src/main/java/org/owasp/dependencycheck/App.java
+++ b/src/main/java/org/owasp/dependencycheck/App.java
@@ -29,6 +29,7 @@ import org.apache.commons.cli.ParseException;
 import org.owasp.dependencycheck.reporting.ReportGenerator;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.CliParser;
+import org.owasp.dependencycheck.utils.Settings;
 
 /*
  * This file is part of App.
@@ -112,11 +113,10 @@ public class App {
         if (cli.isGetVersion()) {
             cli.printVersionInfo();
         } else if (cli.isRunScan()) {
-            runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles(), cli.isAutoUpdate());
+            runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles(), cli.isAutoUpdate(), cli.isDeepScan());
         } else {
             cli.printHelp();
         }
-
     }
 
     /**
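Review bot: The new call `runScan(..., cli.isAutoUpdate(), cli.isDeepScan())` now passes two adjacent positional booleans, which is easy to transpose at the call site without any compiler help. Since every argument is already derived from `cli`, consider passing the `CliParser` (or a small options holder) into runScan instead of growing the parameter list, or at minimum add a comment on the call naming the two flags, e.g. `// autoUpdate, deepScan`. The enclosing main method starts before this hunk.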
@@ -124,16 +124,21 @@ public class App {
      * reportDirectory.
      *
      * @param reportDirectory the path to the directory where the reports will
-     * be written.
-     * @param outputFormat the output format of the report.
-     * @param applicationName the application name for the report.
-     * @param files the files/directories to scan.
+     * be written
+     * @param outputFormat the output format of the report
+     * @param applicationName the application name for the report
+     * @param files the files/directories to scan
+     * @param autoUpdate whether to auto-update the cached data from the Internet
+     * @param deepScan whether to perform a deep scan of the evidence in the project dependencies
      */
-    private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files, boolean autoUpdate) {
+    private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files, boolean autoUpdate, boolean deepScan) {
         Engine scanner = new Engine(autoUpdate);
+        Settings.setBoolean(Settings.KEYS.PERFORM_DEEP_SCAN, deepScan);
+
         for (String file : files) {
             scanner.scan(file);
         }
+
         scanner.analyzeDependencies();
         List dependencies = scanner.getDependencies();
 
@@ -145,6 +150,5 @@ public class App {
         } catch (Exception ex) {
             Logger.getLogger(App.class.getName()).log(Level.SEVERE, null, ex);
         }
-
     }
 }
diff --git a/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
index d46ae4d66..0ed9077d9 100644
--- a/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
+++ b/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
@@ -47,6 +47,7 @@ import org.owasp.dependencycheck.analyzer.pom.generated.License;
 import org.owasp.dependencycheck.analyzer.pom.generated.Model;
 import org.owasp.dependencycheck.analyzer.pom.generated.Organization;
 import org.owasp.dependencycheck.utils.NonClosingStream;
+import org.owasp.dependencycheck.utils.Settings;
 
 /**
  *
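Review bot: `Settings.setBoolean(Settings.KEYS.PERFORM_DEEP_SCAN, deepScan);` writes a process-global setting one line after `Engine scanner = new Engine(autoUpdate);` has already been constructed; if the Engine constructor or any analyzer it instantiates consults that key at construction time (not visible in this diff), the flag would be missed, so it is safer to move the setBoolean call above the `new Engine(autoUpdate)` line. Because the value lives in a static singleton rather than in the Engine, the runScan Javadoc should also say so, e.g. `@param deepScan whether to perform a deep scan of the evidence in the project dependencies; stored in the global Settings and read by the analyzers`. The body of runScan continues past the end of this hunk.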
@@ -182,7 +183,9 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
         try {
             parseManifest(dependency);
-            analyzePackageNames(dependency);
+            if (Settings.getBoolean(Settings.KEYS.PERFORM_DEEP_SCAN)) {
+                analyzePackageNames(dependency);
+            }
             analyzePOM(dependency);
             //addPredefinedData(dependency); //this has been moved to its own analyzer (HintAnalyzer)
         } catch (IOException ex) {
diff --git a/src/main/java/org/owasp/dependencycheck/utils/CliParser.java b/src/main/java/org/owasp/dependencycheck/utils/CliParser.java
index 45d2d5f53..e1766a066 100644
--- a/src/main/java/org/owasp/dependencycheck/utils/CliParser.java
+++ b/src/main/java/org/owasp/dependencycheck/utils/CliParser.java
@@ -160,6 +160,9 @@ public final class CliParser {
         Option advancedHelp = new Option(ArgumentName.ADVANCED_HELP_SHORT, ArgumentName.ADVANCED_HELP, false,
                 "shows additional help regarding properties file.");
 
+        Option deepScan = new Option(ArgumentName.PERFORM_DEEP_SCAN_SHORT, ArgumentName.PERFORM_DEEP_SCAN, false,
+                "extracts extra information from dependencies that may increase false positives, but also decrease false negatives.");
+
         Option version = new Option(ArgumentName.VERSION_SHORT, ArgumentName.VERSION, false,
                 "print the version information.");
 
@@ -199,6 +202,7 @@ public final class CliParser {
         opts.addOption(version);
         opts.addOption(help);
         opts.addOption(noupdate);
+        opts.addOption(deepScan);
         opts.addOption(props);
         opts.addOption(advancedHelp);
         return opts;
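Review bot: The new guard around `analyzePackageNames(dependency)` makes package-name evidence depend on a key that, in this diff, is only ever written by the CLI path in App.runScan; any caller that builds an Engine without going through CliParser now silently loses that evidence unless `perform.deepscan` is supplied in the properties file, and what `Settings.getBoolean` does for an absent key is not shown here. Since an implicit default of "off" reduces detection coverage for embedded use, consider shipping an explicit entry in configuration/dependencycheck.properties and stating the fallback on the key's Javadoc, e.g. `The properties key indicating a deep scan should be performed; absent or false disables package-name analysis in JarAnalyzer.` The remainder of analyze(), including its catch blocks, lies outside the hunk.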
@@ -238,7 +242,7 @@ public final class CliParser {
         HelpFormatter formatter = new HelpFormatter();
         String nl = System.getProperty("line.separator");
         String advancedHelp = null;
-        if (line.hasOption(ArgumentName.ADVANCED_HELP)) {
+        if (line != null && line.hasOption(ArgumentName.ADVANCED_HELP)) {
             advancedHelp = nl + nl + "Additionally, the following properties are supported and can be specified either"
                     + "using the -p argument or by passing them in as system properties." + nl
@@ -323,6 +327,13 @@ public final class CliParser {
         return (line == null) || !line.hasOption(ArgumentName.DISABLE_AUTO_UPDATE);
     }
 
+    /**
+     * Checks if a deep scan of the dependencies was requested.
+     * @return whether a deep scan of the evidence within the dependencies was requested.
+     */
+    public boolean isDeepScan() {
+        return (line != null) && line.hasOption(ArgumentName.PERFORM_DEEP_SCAN);
+    }
     /**
      * A collection of static final strings that represent the possible command
      * line arguments.
@@ -401,6 +412,16 @@ public final class CliParser {
          * The short CLI argument name asking for advanced help.
          */
         public static final String ADVANCED_HELP = "advancedhelp";
+        /*
+         * The short CLI argument name indicating a deep scan of the dependencies
+         * should be performed.
+         */
+        public static final String PERFORM_DEEP_SCAN_SHORT = "d";
+        /*
+         * The CLI argument name indicating a deep scan of the dependencies
+         * should be performed.
+         */
+        public static final String PERFORM_DEEP_SCAN = "deepscan";
         /**
          * The short CLI argument name for setting the location of an additional
          * properties file.
diff --git a/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/src/main/java/org/owasp/dependencycheck/utils/Settings.java
index 9e67ada4f..fff7149fc 100644
--- a/src/main/java/org/owasp/dependencycheck/utils/Settings.java
+++ b/src/main/java/org/owasp/dependencycheck/utils/Settings.java
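Review bot: The new `isDeepScan()` is inserted with no blank line between its closing brace and the `/**` of the ArgumentName Javadoc that follows, whereas the isAutoUpdate method above it is followed by one; add the blank line so the two members read as separate declarations. The method itself mirrors the null-safe pattern of isAutoUpdate and the added `line != null &&` guard in printHelp, which is consistent.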
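Review bot: The two new ArgumentName constants `PERFORM_DEEP_SCAN_SHORT` and `PERFORM_DEEP_SCAN` are commented with `/*` rather than the `/**` Javadoc opener used for `ADVANCED_HELP` directly above and the constant directly below, so they will be dropped from generated documentation; change both openers to `/**`. The ArgumentName class continues outside the hunk.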
@@ -117,6 +117,10 @@ public class Settings {
          * The properties key for the connection timeout.
          */
         public static final String CONNECTION_TIMEOUT = "connection.timeout";
+        /**
+         * The properties key indicating a deep scan should be performed.
+         */
+        public static final String PERFORM_DEEP_SCAN = "perform.deepscan";
     }
     private static final String PROPERTIES_FILE = "configuration/dependencycheck.properties";
     private static final Settings INSTANCE = new Settings();
@@ -145,6 +149,19 @@ public class Settings {
     public static void setString(String key, String value) {
         INSTANCE.props.setProperty(key, value);
     }
+    /**
+     * Sets a property value.
+     *
+     * @param key the key for the property.
+     * @param value the value for the property.
+     */
+    public static void setBoolean(String key, boolean value) {
+        if (value) {
+            INSTANCE.props.setProperty(key, Boolean.TRUE.toString());
+        } else {
+            INSTANCE.props.setProperty(key, Boolean.FALSE.toString());
+        }
+    }
 
     /**
      * Merges a new properties file into the current properties. This method
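Review bot: The Javadoc on the new `setBoolean` (`Sets a property value.`) is a copy of setString's and does not say how the boolean is stored, and the if/else around `INSTANCE.props.setProperty` can be a single line: `INSTANCE.props.setProperty(key, Boolean.toString(value));`. A summary such as `Sets a boolean property value, stored as the string "true" or "false" so that getBoolean can read it back.` would make the contract explicit; getBoolean is used by JarAnalyzer in this diff but its parsing is not shown, so the stored form should be confirmed against it. Like setString, this writes to the shared INSTANCE and so affects every caller in the process.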