Merge branch 'master' of github.com:jeremylong/DependencyCheck

src/site/markdown/analyzers/cmake.md

@@ -0,0 +1,11 @@
+CMake Analyzer
+==============
+
+OWASP dependency-check includes an analyzer that will scan CMake project
+configuration files. The analyzer will collect as much information it can
+about the project. The information collected is internally referred to as
+evidence and is grouped into vendor, product, and version buckets. Other
+analyzers later use this evidence to identify any Common Platform Enumeration
+(CPE) identifiers that apply.
+
+File names scanned: CMakeLists.txt, \*.cmake

src/site/markdown/analyzers/index.md

@@ -5,12 +5,15 @@ to extract identification information from the files analyzed.
 
 | Analyzer | File Types Scanned | Analysis Method |
 | -------- | ------------------ | --------------- |
-| [Archive Analyzer](./archive-analyzer.html) | Zip archive format (\*.zip, \*.ear, \*.war, \*.jar, \*.sar, \*.apk, \*.nupkg); Tape Archive Format (\*.tar); Gzip format (\*.gz, \*.tgz); Bzip2 format (\*.bz2, \*.tbz2) | Extracts archive contents, then scans contents with all available analyzers. |
-| [Assembly Analyzer](./assembly-analyzer.html) | .NET Assemblies (\*.exe, \*.dll) | Uses [GrokAssembly.exe](https://github.com/colezlaw/GrokAssembly), which requires .NET Framework or Mono runtime to be installed. |
-| [Autoconf Analyzer](./autoconf-analyzer.html) | Autoconf project configuration files (configure, configure.in, configure.ac) | Regex scan for AC_INIT metadata, including in generated configuration script. |
-| [Central Analyzer](./central-analyzer.html) | Java archive files (\*.jar) | Searches Maven Central or a configured Nexus repository for the file's SHA1 hash. |
-| [Jar Analyzer](./jar-analyzer.html) | Java archive files (\*.jar); Web application archive (\*.war) | Examines archive manifest metadata, and Maven Project Object Model files (pom.xml). |
-| [Nexus Analyzer](./nexus-analyzer.html) | Java archive files (\*.jar) | Searches Sonatype or a configured Nexus repository for the file's SHA1 hash. In most cases, superceded by Central Analyzer. |
-| [Nuspec Analyzer](./nuspec-analyzer.html) | Nuget package specification file (\*.nuspec) | Uses XPath to parse specification XML. |
-| [OpenSSL Analyzer](./openssl-analyzer.html) | OpenSSL Version Source Header File (opensslv.h) | Regex parse of the OPENSSL_VERSION_NUMBER macro definition. |
-| [Python Analyzer](./python-analyzer.html) | Python source files (\*.py); Package metadata files (PKG-INFO, METADATA); Package Distribution Files (\*.whl, \*.egg, \*.zip) | Regex scan of Python source files for setuptools metadata; Parse RFC822 header format for metadata in all other artifacts. |
+| [Archive](./archive-analyzer.html) | Zip archive format (\*.zip, \*.ear, \*.war, \*.jar, \*.sar, \*.apk, \*.nupkg); Tape Archive Format (\*.tar); Gzip format (\*.gz, \*.tgz); Bzip2 format (\*.bz2, \*.tbz2) | Extracts archive contents, then scans contents with all available analyzers. |
+| [Assembly](./assembly-analyzer.html) | .NET Assemblies (\*.exe, \*.dll) | Uses [GrokAssembly.exe](https://github.com/colezlaw/GrokAssembly), which requires .NET Framework or Mono runtime to be installed. |
+| [Autoconf](./autoconf.html) | Autoconf project configuration files (configure, configure.in, configure.ac) | [Regex](https://en.wikipedia.org/wiki/Regular_expression) scan for AC_INIT metadata, including in generated configuration script. |
+| [Central](./central-analyzer.html) | Java archive files (\*.jar) | Searches Maven Central or a configured Nexus repository for the file's SHA1 hash. |
+| [CMake](./cmake.html) | CMake project files (CMakeLists.txt) and scripts (\*.cmake) | Regex scan for project initialization and version setting commands. |
+| [Jar](./jar-analyzer.html) | Java archive files (\*.jar); Web application archive (\*.war) | Examines archive manifest metadata, and Maven Project Object Model files (pom.xml). |
+| [Nexus](./nexus-analyzer.html) | Java archive files (\*.jar) | Searches Sonatype or a configured Nexus repository for the file's SHA1 hash. In most cases, superceded by Central . |
+| [Node.js](./nodejs.html) | NPM package specification files (package.json) | Parse JSON format for metadata. |
+| [Nuspec](./nuspec-analyzer.html) | Nuget package specification file (\*.nuspec) | Uses XPath to parse specification XML. |
+| [OpenSSL](./openssl.html) | OpenSSL Version Source Header File (opensslv.h) | Regex parse of the OPENSSL_VERSION_NUMBER macro definition. |
+| [Python](./python.html) | Python source files (\*.py); Package metadata files (PKG-INFO, METADATA); Package Distribution Files (\*.whl, \*.egg, \*.zip) | Regex scan of Python source files for setuptools metadata; Parse RFC822 header format for metadata in all other artifacts. |
+| [Ruby Gemspec](./ruby-gemspec.html) | Ruby makefiles (Rakefile); Ruby Gemspec files (\*.gemspec) | Regex scan Gemspec initialization blocks for metadata. |

src/site/markdown/analyzers/nodejs.md

@@ -0,0 +1,14 @@
+Node.js Analyzer
+================
+
+OWASP dependency-check includes an analyzer that will scan [Node Package Manager](https://www.npmjs.com/)
+package specification files. The analyzer will collect as much information as
+it can about the package. The information collected is internally referred to
+as evidence and is grouped into vendor, product, and version buckets. Other
+analyzers later use this evidence to identify any Common Platform Enumeration
+(CPE) identifiers that apply.
+
+__Note:__ Also consider using the Node Security Project auditing tool,
+[nsp](https://nodesecurity.io/tools).
+
+Files Types Scanned: [package.json](https://docs.npmjs.com/files/package.json)

src/site/markdown/analyzers/python-analyzer.md

@@ -1,10 +0,0 @@
-Python Analyzer
-==============
-
-OWASP dependency-check includes an analyzer that will scan Python artifacts. The
-analyzer(s) will collect as much information it can about the python artifacts.
-The information collected is internally referred to as evidence and is grouped into
-vendor, product, and version buckets. Other analyzers later use this evidence to
-identify any Common Platform Enumeration (CPE) identifiers that apply.
-
-Files Types Scanned: py, whl, egg, zip, PKG-INFO, and METADATA

src/site/markdown/analyzers/python.md

@@ -0,0 +1,11 @@
+Python Analyzer
+==============
+
+OWASP dependency-check includes an analyzer that will scan Python artifacts.
+The analyzer(s) will collect as much information it can about the Python
+artifacts. The information collected is internally referred to as evidence and
+is grouped into vendor, product, and version buckets. Other analyzers later
+use this evidence to identify any Common Platform Enumeration (CPE)
+identifiers that apply.
+
+Files Types Scanned: py, whl, egg, zip, PKG-INFO, and METADATA

src/site/markdown/analyzers/ruby-gemspec.md

@@ -0,0 +1,15 @@
+Ruby Gemspec Analyzer
+=====================
+
+OWASP dependency-check includes an analyzer that will scan [Ruby Gem](https://rubygems.org/)
+[specifications](http://guides.rubygems.org/specification-reference/). The
+analyzer will collect as much information as it can about the Gem. The
+information collected is internally referred to as evidence and is grouped
+into vendor, product, and version buckets. Other analyzers later use this
+evidence to identify any Common Platform Enumeration (CPE) identifiers that
+apply.
+
+__Note:__ Also consider using the Ruby 
+[bundler-audit](https://github.com/rubysec/bundler-audit#readme) tool.
+
+Files Types Scanned: Rakefile, \*.gemspec

src/site/markdown/index.md

@@ -2,11 +2,12 @@ About
 ====================
 OWASP dependency-check is an open source solution the OWASP Top 10 2013 entry:
 [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities).
-Dependency-check can currently be used to scan Java, .NET, and Python
-applications (and their dependent libraries) to identify known vulnerable
-components. In addition, Dependency-check can be used to scan some source
-code, including OpenSSL source code and source code for projects that use
-Autoconf.
+Dependency-check can currently be used to scan Java, .NET, Python, Ruby and
+Node.js applications (and their dependent libraries) to identify known
+vulnerable components. In addition, Dependency-check can be used to scan some
+source code, including OpenSSL source code and source code for projects that
+use [Autoconf](https://www.gnu.org/software/autoconf/) or
+[CMake](http://www.cmake.org/overview/).
 
 The problem with using known vulnerable components was covered in a paper by
 Jeff Williams and Arshan Dabirsiaghi titled, "[The Unfortunate Reality of

src/site/site.xml

@@ -113,26 +113,35 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
                 <item name="Assembly Analyzer" href="./analyzers/assembly-analyzer.html">
                     <description>Assembly Analyzer</description>
                 </item>
-                <item name="Autoconf Analyzer" href="./analyzers/autoconf-analyzer.html">
+                <item name="Autoconf Analyzer" href="./analyzers/autoconf.html">
                     <description>Autoconf Analyzer</description>
                 </item>
                 <item name="Central Analyzer" href="./analyzers/central-analyzer.html">
                     <description>Central Analyzer</description>
                 </item>
+                <item name="CMake Analyzer" href="./analyzers/cmake.html">
+                    <description>CMake Analyzer</description>
+                </item>
                 <item name="Jar Analyzer" href="./analyzers/jar-analyzer.html">
                     <description>Jar Analyzer</description>
                 </item>
                 <item name="Nexus Analyzer" href="./analyzers/nexus-analyzer.html">
                     <description>Nexus Analyzer</description>
                 </item>
+                <item name="Node.js Analyzer" href="./analyzers/nodejs.html">
+                    <description>Node.js Analyzer</description>
+                </item>
                 <item name="Nuspec Analyzer" href="./analyzers/nuspec-analyzer.html">
                     <description>Nuspec Analyzer</description>
                 </item>
-                <item name="Python Analyzer" href="./analyzers/python-analyzer.html">
+                <item name="OpenSSL Analyzer" href="./analyzers/openssl.html">
+                    <description>OpenSSL Analyzer</description>
+                </item>
+                <item name="Python Analyzer" href="./analyzers/python.html">
                     <description>Python Analyzer</description>
                 </item>
-                <item name="OpenSSL Analyzer" href="./analyzers/openssl-analyzer.html">
-                    <description>OpenSSL Analyzer</description>
+                <item name="Ruby Gemspec Analyzer" href="./analyzers/ruby-gemspec.html">
+                    <description>Ruby Gemspec Analyzer</description>
                 </item>
             </item>
             <item collapse="true" name="Modules" href="./modules.html">