diff --git a/dependency-check-ant/pom.xml b/dependency-check-ant/pom.xml index 645b038df..78eb0cb07 100644 --- a/dependency-check-ant/pom.xml +++ b/dependency-check-ant/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.3.1-SNAPSHOT + 1.3.1 dependency-check-ant diff --git a/dependency-check-ant/src/main/assembly/release.xml b/dependency-check-ant/src/main/assembly/release.xml index 1d77fbdf7..7e40a244c 100644 --- a/dependency-check-ant/src/main/assembly/release.xml +++ b/dependency-check-ant/src/main/assembly/release.xml @@ -24,13 +24,13 @@ ${project.build.directory}/${project.artifactId}-${project.version}.jar - dependency-check + dependency-check-ant dependency-check-ant.jar - dependency-check/lib + dependency-check-ant/lib runtime diff --git a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntLoggerAdapter.java b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntLoggerAdapter.java index 15b1430dc..821afff07 100644 --- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntLoggerAdapter.java +++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntLoggerAdapter.java @@ -24,17 +24,12 @@ import org.slf4j.helpers.MarkerIgnoringBase; import org.slf4j.helpers.MessageFormatter; /** - * An instance of {@link org.slf4j.Logger} which simply calls the log method on the delegate Ant task + * An instance of {@link org.slf4j.Logger} which simply calls the log method on the delegate Ant task. * * @author colezlaw */ public class AntLoggerAdapter extends MarkerIgnoringBase { - /** - * The serial version UID for serialization. - */ - private static final long serialVersionUID = 1L; - /** * A reference to the Ant task used for logging. */ 
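Review bot: Dropping `serialVersionUID` from AntLoggerAdapter is only harmless if the class is not actually serializable; SLF4J's MarkerIgnoringBase is, as far as I recall, Serializable through its base class, in which case the JVM now derives a UID from the class shape and any later edit to the adapter silently breaks stream compatibility. If the field was removed to satisfy a lint rule, keeping `private static final long serialVersionUID = 1L;` with a one-line why-comment is cheaper than finding out later. Please confirm the supertype's Serializable status before merging this part.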
diff --git a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java index dc08572cc..bb4c6a86f 100644 --- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java +++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java @@ -138,6 +138,8 @@ public class Check extends Update { // END COPY from org.apache.tools.ant.taskdefs /** * The application name for the report. + * + * @deprecated use projectName instead. */ @Deprecated private String applicationName = null; @@ -146,6 +148,8 @@ public class Check extends Update { * Get the value of applicationName. * * @return the value of applicationName + * + * @deprecated use projectName instead. */ @Deprecated public String getApplicationName() { @@ -156,12 +160,15 @@ public class Check extends Update { * Set the value of applicationName. * * @param applicationName new value of applicationName + * @deprecated use projectName instead. */ @Deprecated public void setApplicationName(String applicationName) { this.applicationName = applicationName; } - + /** + * The name of the project being analyzed. + */ private String projectName = "dependency-check"; /** 
@@ -435,6 +442,184 @@ public class Check extends Update { public void setNuspecAnalyzerEnabled(boolean nuspecAnalyzerEnabled) { this.nuspecAnalyzerEnabled = nuspecAnalyzerEnabled; } + /** + * Whether or not the PHP Composer Analyzer is enabled. + */ + private boolean composerAnalyzerEnabled = true; + + /** + * Get the value of composerAnalyzerEnabled. + * + * @return the value of composerAnalyzerEnabled + */ + public boolean isComposerAnalyzerEnabled() { + return composerAnalyzerEnabled; + } + + /** + * Set the value of composerAnalyzerEnabled. + * + * @param composerAnalyzerEnabled new value of composerAnalyzerEnabled + */ + public void setComposerAnalyzerEnabled(boolean composerAnalyzerEnabled) { + this.composerAnalyzerEnabled = composerAnalyzerEnabled; + } + /** + * Whether the autoconf analyzer should be enabled. + */ + private boolean autoconfAnalyzerEnabled = true; + + /** + * Get the value of autoconfAnalyzerEnabled. + * + * @return the value of autoconfAnalyzerEnabled + */ + public boolean isAutoconfAnalyzerEnabled() { + return autoconfAnalyzerEnabled; + } + + /** + * Set the value of autoconfAnalyzerEnabled. + * + * @param autoconfAnalyzerEnabled new value of autoconfAnalyzerEnabled + */ + public void setAutoconfAnalyzerEnabled(boolean autoconfAnalyzerEnabled) { + this.autoconfAnalyzerEnabled = autoconfAnalyzerEnabled; + } + /** + * Whether the CMake analyzer should be enabled. + */ + private boolean cmakeAnalyzerEnabled = true; + + /** + * Get the value of cmakeAnalyzerEnabled. + * + * @return the value of cmakeAnalyzerEnabled + */ + public boolean isCMakeAnalyzerEnabled() { + return cmakeAnalyzerEnabled; + } + + /** + * Set the value of cmakeAnalyzerEnabled. + * + * @param cmakeAnalyzerEnabled new value of cmakeAnalyzerEnabled + */ + public void setCMakeAnalyzerEnabled(boolean cmakeAnalyzerEnabled) { + this.cmakeAnalyzerEnabled = cmakeAnalyzerEnabled; + } + /** + * Whether or not the openssl analyzer is enabled. 
+ */ + private boolean opensslAnalyzerEnabled = true; + + /** + * Get the value of opensslAnalyzerEnabled. + * + * @return the value of opensslAnalyzerEnabled + */ + public boolean isOpensslAnalyzerEnabled() { + return opensslAnalyzerEnabled; + } + + /** + * Set the value of opensslAnalyzerEnabled. + * + * @param opensslAnalyzerEnabled new value of opensslAnalyzerEnabled + */ + public void setOpensslAnalyzerEnabled(boolean opensslAnalyzerEnabled) { + this.opensslAnalyzerEnabled = opensslAnalyzerEnabled; + } + /** + * Whether or not the Node.js Analyzer is enabled. + */ + private boolean nodeAnalyzerEnabled = true; + + /** + * Get the value of nodeAnalyzerEnabled. + * + * @return the value of nodeAnalyzerEnabled + */ + public boolean isNodeAnalyzerEnabled() { + return nodeAnalyzerEnabled; + } + + /** + * Set the value of nodeAnalyzerEnabled. + * + * @param nodeAnalyzerEnabled new value of nodeAnalyzerEnabled + */ + public void setNodeAnalyzerEnabled(boolean nodeAnalyzerEnabled) { + this.nodeAnalyzerEnabled = nodeAnalyzerEnabled; + } + /** + * Whether the ruby gemspec analyzer should be enabled. + */ + private boolean rubygemsAnalyzerEnabled = true; + + /** + * Get the value of rubygemsAnalyzerEnabled. + * + * @return the value of rubygemsAnalyzerEnabled + */ + public boolean isRubygemsAnalyzerEnabled() { + return rubygemsAnalyzerEnabled; + } + + /** + * Set the value of rubygemsAnalyzerEnabled. + * + * @param rubygemsAnalyzerEnabled new value of rubygemsAnalyzerEnabled + */ + public void setRubygemsAnalyzerEnabled(boolean rubygemsAnalyzerEnabled) { + this.rubygemsAnalyzerEnabled = rubygemsAnalyzerEnabled; + } + /** + * Whether the python package analyzer should be enabled. + */ + private boolean pyPackageAnalyzerEnabled = true; + + /** + * Get the value of pyPackageAnalyzerEnabled. 
+ * + * @return the value of pyPackageAnalyzerEnabled + */ + public boolean isPyPackageAnalyzerEnabled() { + return pyPackageAnalyzerEnabled; + } + + /** + * Set the value of pyPackageAnalyzerEnabled. + * + * @param pyPackageAnalyzerEnabled new value of pyPackageAnalyzerEnabled + */ + public void setPyPackageAnalyzerEnabled(boolean pyPackageAnalyzerEnabled) { + this.pyPackageAnalyzerEnabled = pyPackageAnalyzerEnabled; + } + + /** + * Whether the python distribution analyzer should be enabled. + */ + private boolean pyDistributionAnalyzerEnabled = true; + + /** + * Get the value of pyDistributionAnalyzerEnabled. + * + * @return the value of pyDistributionAnalyzerEnabled + */ + public boolean isPyDistributionAnalyzerEnabled() { + return pyDistributionAnalyzerEnabled; + } + + /** + * Set the value of pyDistributionAnalyzerEnabled. + * + * @param pyDistributionAnalyzerEnabled new value of pyDistributionAnalyzerEnabled + */ + public void setPyDistributionAnalyzerEnabled(boolean pyDistributionAnalyzerEnabled) { + this.pyDistributionAnalyzerEnabled = pyDistributionAnalyzerEnabled; + } + /** * Whether or not the central analyzer is enabled. */ 
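Review bot: The new field groups for composer, autoconf, cmake, openssl, node and rubygems are glued to the previous setter's closing brace (`}` is followed directly by `/** Whether or not the PHP Composer Analyzer is enabled. */`), while the pyPackage/pyDistribution pair at the end of the hunk is separated by a blank line, so the block reads unevenly. Insert the blank line before each `/**` so the analyzer properties are formatted the same way. The Javadoc on the openssl, cmake and autoconf fields also says only "whether the analyzer should be enabled"; a short note that these analyzers disable themselves when no matching files are present, as the Ant configuration page already states, would save readers a trip to the docs.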
@@ -664,25 +849,28 @@ public class Check extends Update {
Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
}
- //File Type Analyzer Settings
- //JAR ANALYZER
Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
- //NUSPEC ANALYZER
+
+ Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, pyDistributionAnalyzerEnabled);
+ Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, pyPackageAnalyzerEnabled);
+ Settings.setBoolean(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, rubygemsAnalyzerEnabled);
+ Settings.setBoolean(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, opensslAnalyzerEnabled);
+ Settings.setBoolean(Settings.KEYS.ANALYZER_CMAKE_ENABLED, cmakeAnalyzerEnabled);
+ Settings.setBoolean(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
+ Settings.setBoolean(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
+ Settings.setBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);
+ Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
- //CENTRAL ANALYZER
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
- //NEXUS ANALYZER
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
if (nexusUrl != null && !nexusUrl.isEmpty()) {
Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
}
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy);
- //ARCHIVE ANALYZER
Settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, archiveAnalyzerEnabled);
if (zipExtensions != null && !zipExtensions.isEmpty()) {
Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
}
- //ASSEMBLY ANALYZER
Settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, assemblyAnalyzerEnabled);
if (pathToMono != null && !pathToMono.isEmpty()) {
Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
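Review bot: The settings written here cover every analyzer toggle the task exposes except Bundler-Audit: App.java in this same commit writes `Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED` (and accepts a bundle-audit path), but nothing in this hunk sets that key, so an Ant build can neither disable that analyzer nor point it at the tool. Unless it is handled elsewhere in Check.java, which this hunk does not show, a `bundleAuditAnalyzerEnabled` property with `Settings.setBoolean(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, bundleAuditAnalyzerEnabled);` next to the other analyzer flags would close the gap. The removed section comments were the only grouping the block had; a single `// file-type analyzer toggles, then the remote (Central/Nexus) analyzers` above the first setBoolean would keep the reader oriented. The enclosing method continues beyond this hunk.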
diff --git a/dependency-check-ant/src/site/markdown/configuration.md b/dependency-check-ant/src/site/markdown/configuration.md index e7fa137e9..0f2f7d893 100644 --- a/dependency-check-ant/src/site/markdown/configuration.md +++ b/dependency-check-ant/src/site/markdown/configuration.md 
@@ -51,18 +51,26 @@ Note, that specific analyzers will automatically disable themselves if no file types that they support are detected - so specifically disabling them may not be needed. -Property | Description | Default Value -------------------------|---------------------------------------------------------------------------|------------------ -archiveAnalyzerEnabled | Sets whether the Archive Analyzer will be used. | true -zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. |   -jarAnalyzer | Sets whether the Jar Analyzer will be used. | true -centralAnalyzerEnabled | Sets whether the Central Analyzer will be used. **Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).** If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer (see below). | true -nexusAnalyzerEnabled | Sets whether Nexus Analyzer will be used. This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. | true -nexusUrl | Defines the Nexus web service endpoint (example http://domain.enterprise/nexus/service/local/). If not set the Nexus Analyzer will be disabled. |   -nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | true -nuspecAnalyzerEnabled | Sets whether or not the .NET Nuget Nuspec Analyzer will be used. | true -assemblyAnalyzerEnabled | Sets whether or not the .NET Assembly Analyzer should be used. | true -pathToMono | The path to Mono for .NET assembly analysis on non-windows systems. |   +Property | Description | Default Value +------------------------------|---------------------------------------------------------------------------|------------------ +archiveAnalyzerEnabled | Sets whether the Archive Analyzer will be used. 
| true +zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. |   +jarAnalyzer | Sets whether the Jar Analyzer will be used. | true +centralAnalyzerEnabled | Sets whether the Central Analyzer will be used. **Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).** If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer (see below). | true +nexusAnalyzerEnabled | Sets whether Nexus Analyzer will be used. This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. | true +nexusUrl | Defines the Nexus web service endpoint (example http://domain.enterprise/nexus/service/local/). If not set the Nexus Analyzer will be disabled. |   +nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | true +pyDistributionAnalyzerEnabled | Sets whether the Python Distribution Analyzer will be used. | true +pyPackageAnalyzerEnabled | Sets whether the Python Package Analyzer will be used. | true +rubygemsAnalyzerEnabled | Sets whether the Ruby Gemspec Analyzer will be used. | true +opensslAnalyzerEnabled | Sets whether or not the openssl Analyzer should be used. | true +cmakeAnalyzerEnabled | Sets whether or not the CMake Analyzer should be used. | true +autoconfAnalyzerEnabled | Sets whether or not the autoconf Analyzer should be used. | true +composerAnalyzerEnabled | Sets whether or not the PHP Composer Lock File Analyzer should be used. | true +nodeAnalyzerEnabled | Sets whether or not the Node.js Analyzer should be used. | true +nuspecAnalyzerEnabled | Sets whether or not the .NET Nuget Nuspec Analyzer will be used. | true +assemblyAnalyzerEnabled | Sets whether or not the .NET Assembly Analyzer should be used. 
| true +pathToMono | The path to Mono for .NET assembly analysis on non-windows systems. |   Advanced Configuration ==================== diff --git a/dependency-check-cli/pom.xml b/dependency-check-cli/pom.xml index a61b3a1d4..d79559436 100644 --- a/dependency-check-cli/pom.xml +++ b/dependency-check-cli/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.3.1-SNAPSHOT + 1.3.1 dependency-check-cli diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java index 1087ce25d..5700d1e6c 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java @@ -268,17 +268,6 @@ public class App { final String dataDirectory = cli.getDataDirectory(); final File propertiesFile = cli.getPropertiesFile(); final String suppressionFile = cli.getSuppressionFile(); - final boolean jarDisabled = cli.isJarDisabled(); - final boolean archiveDisabled = cli.isArchiveDisabled(); - final boolean pyDistDisabled = cli.isPythonDistributionDisabled(); - final boolean cMakeDisabled = cli.isCmakeDisabled(); - final boolean pyPkgDisabled = cli.isPythonPackageDisabled(); - final boolean autoconfDisabled = cli.isAutoconfDisabled(); - final boolean bundleAuditDisabled = cli.isBundleAuditDisabled(); - final boolean assemblyDisabled = cli.isAssemblyDisabled(); - final boolean nuspecDisabled = cli.isNuspecDisabled(); - final boolean centralDisabled = cli.isCentralDisabled(); - final boolean nexusDisabled = cli.isNexusDisabled(); final String nexusUrl = cli.getNexusUrl(); final String databaseDriverName = cli.getDatabaseDriverName(); final String databaseDriverPath = cli.getDatabaseDriverPath(); 
@@ -340,21 +329,22 @@ public class App {
}
//File Type Analyzer Settings
- Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, !jarDisabled);
- Settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, !archiveDisabled);
- Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, !pyDistDisabled);
- Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, !pyPkgDisabled);
- Settings.setBoolean(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, !autoconfDisabled);
- Settings.setBoolean(Settings.KEYS.ANALYZER_CMAKE_ENABLED, !cMakeDisabled);
- Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, !nuspecDisabled);
- Settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, !assemblyDisabled);
- Settings.setBoolean(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, !bundleAuditDisabled);
+ Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, !cli.isJarDisabled());
+ Settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, !cli.isArchiveDisabled());
+ Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, !cli.isPythonDistributionDisabled());
+ Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, !cli.isPythonPackageDisabled());
+ Settings.setBoolean(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, !cli.isAutoconfDisabled());
+ Settings.setBoolean(Settings.KEYS.ANALYZER_CMAKE_ENABLED, !cli.isCmakeDisabled());
+ Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, !cli.isNuspecDisabled());
+ Settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, !cli.isAssemblyDisabled());
+ Settings.setBoolean(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, !cli.isBundleAuditDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, !cli.isOpenSSLDisabled());
+ Settings.setBoolean(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, !cli.isComposerDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, !cli.isNodeJsDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED,
!cli.isRubyGemspecDisabled()); - Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, !centralDisabled); - Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, !nexusDisabled); + Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, !cli.isCentralDisabled()); + Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, !cli.isNexusDisabled()); if (nexusUrl != null && !nexusUrl.isEmpty()) { Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl); } diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java index 8954d4272..2dc56c75b 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java @@ -326,13 +326,13 @@ public final class CliParser { final Option pathToMono = Option.builder().argName("path").hasArg().longOpt(ARGUMENT.PATH_TO_MONO) .desc("The path to Mono for .NET Assembly analysis on non-windows systems.") .build(); - + final Option pathToBundleAudit = Option.builder().argName("path").hasArg() .longOpt(ARGUMENT.PATH_TO_BUNDLE_AUDIT) .desc("The path to bundle-audit for Gem bundle analysis.").build(); - final Option connectionTimeout = Option.builder(ARGUMENT.CONNECTION_TIMEOUT_SHORT).argName("timeout").hasArg().longOpt(ARGUMENT.CONNECTION_TIMEOUT) - .desc("The connection timeout (in milliseconds) to use when downloading resources.") + final Option connectionTimeout = Option.builder(ARGUMENT.CONNECTION_TIMEOUT_SHORT).argName("timeout").hasArg() + .longOpt(ARGUMENT.CONNECTION_TIMEOUT).desc("The connection timeout (in milliseconds) to use when downloading resources.") .build(); final Option proxyServer = Option.builder().argName("server").hasArg().longOpt(ARGUMENT.PROXY_SERVER) 
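Review bot: The analyzer toggles are now read inline via `cli.isXxxDisabled()` while the same method still hoists `nexusUrl`, `dataDirectory` and the other CLI values into `final` locals in the earlier hunk; mixing the two forms in one settings block is harder to scan than either alone. Either keep the local booleans or hoist the remaining lookups the same way so the block is uniform. A short comment on the first line, such as `// the CLI exposes "disable" flags, so each enabled setting is the negation`, would also explain the repeated `!`, which reads like a typo at a glance. The enclosing method continues beyond the hunk.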
@@ -381,6 +381,9 @@ public final class CliParser {
final Option disablePythonPackageAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_PY_PKG)
.desc("Disable the Python Package Analyzer.").build();
+ final Option disableComposerAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_COMPOSER)
+ .desc("Disable the PHP Composer Analyzer.").build();
+
final Option disableAutoconfAnalyzer = Option.builder()
.longOpt(ARGUMENT.DISABLE_AUTOCONF)
.desc("Disable the Autoconf Analyzer.").build();
@@ -429,6 +432,7 @@ public final class CliParser {
.addOption(Option.builder().longOpt(ARGUMENT.DISABLE_BUNDLE_AUDIT)
.desc("Disable the Ruby Bundler-Audit Analyzer.").build())
.addOption(disableAutoconfAnalyzer)
+ .addOption(disableComposerAnalyzer)
.addOption(disableOpenSSLAnalyzer)
.addOption(disableNuspecAnalyzer)
.addOption(disableCentralAnalyzer)
@@ -600,6 +604,15 @@ public final class CliParser {
return (line != null) && line.hasOption(ARGUMENT.DISABLE_AUTOCONF);
}
+ /**
+ * Returns true if the disableComposer command line argument was specified.
+ *
+ * @return true if the disableComposer command line argument was specified; otherwise false
+ */
+ public boolean isComposerDisabled() {
+ return (line != null) && line.hasOption(ARGUMENT.DISABLE_COMPOSER);
+ }
+
/**
* Returns true if the disableNexus command line argument was specified.
*
@@ -751,7 +764,7 @@ public final class CliParser {
* @return the application name.
*/
public String getProjectName() {
- String appName = line.getOptionValue(ARGUMENT.APP_NAME);
+ final String appName = line.getOptionValue(ARGUMENT.APP_NAME);
String name = line.getOptionValue(ARGUMENT.PROJECT);
if (name == null && appName != null) {
name = appName;
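Review bot: getProjectName dereferences `line` directly in `final String appName = line.getOptionValue(ARGUMENT.APP_NAME);` while the boolean accessors in the same file, including the new isComposerDisabled, guard with `(line != null) &&`; if this getter can be reached before parse() has populated `line`, it throws NullPointerException instead of returning null like its siblings. Either apply the same guard or document in the Javadoc that parse() must have succeeded first. The Javadoc is also stale: it says `@return the application name.` on a method named getProjectName whose `app` argument is deprecated in this very commit, so `@return the project name, falling back to the deprecated application name when only that was supplied` describes what the visible fallback does. The method body continues past the hunk.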
@@ -1035,11 +1048,15 @@ public final class CliParser {
public static final String PROJECT = "project";
/**
* The long CLI argument name specifying the name of the application to be scanned.
+ *
+ * @deprecated project should be used instead
*/
@Deprecated
public static final String APP_NAME = "app";
/**
* The short CLI argument name specifying the name of the application to be scanned.
+ *
+ * @deprecated project should be used instead
*/
@Deprecated
public static final String APP_NAME_SHORT = "a";
@@ -1159,6 +1176,10 @@ public final class CliParser {
* Disables the Python Package Analyzer.
*/
public static final String DISABLE_PY_PKG = "disablePyPkg";
+ /**
+ * Disables the Python Package Analyzer.
+ */
+ public static final String DISABLE_COMPOSER = "disableComposer";
/**
* Disables the Ruby Gemspec Analyzer.
*/
diff --git a/dependency-check-cli/src/site/markdown/arguments.md b/dependency-check-cli/src/site/markdown/arguments.md
index 1e6a5a461..3c3963877 100644
--- a/dependency-check-cli/src/site/markdown/arguments.md
+++ b/dependency-check-cli/src/site/markdown/arguments.md
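Review bot: The Javadoc on the new `DISABLE_COMPOSER` constant is a copy of the one on DISABLE_PY_PKG and says `Disables the Python Package Analyzer.`, which is wrong for an argument named disableComposer. It should read `Disables the PHP Composer Lock File Analyzer.` so it matches the option description added to CliParser and the arguments.md row in this commit. While here, that option description (`Disable the PHP Composer Analyzer.`) and the docs (`PHP Composer Lock File Analyzer`) use different names for the same analyzer; picking one wording avoids users wondering whether two analyzers exist.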
@@ -30,15 +30,16 @@ Short | Argument Name        | Paramete | \-\-updateonly | | If set only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated. |   | \-\-disablePyDist | | Sets whether the Python Distribution Analyzer will be used. | false | \-\-disablePyPkg | | Sets whether the Python Package Analyzer will be used. | false - | \-\-disableNodeJS | | Sets whehter the Node.js Package Analyzer will be used. | false + | \-\-disableNodeJS | | Sets whether the Node.js Package Analyzer will be used. | false | \-\-disableRubygems | | Sets whether the Ruby Gemspec Analyzer will be used. | false | \-\-disableBundleAudit | | Sets whether the Ruby Bundler Audit Analyzer will be used. | false | \-\-disableAutoconf | | Sets whether the Autoconf Analyzer will be used. | false | \-\-disableOpenSSL | | Sets whether the OpenSSL Analyzer will be used. | false - | \-\-disableCmake | | Sets whether the Cmake Analyzer will be used. | false - | \-\-disableArchive | | Sets whether the Archive Analyzer will be used. | false + | \-\-disableCmake | | Sets whether the Cmake Analyzer will be disabled. | false + | \-\-disableArchive | | Sets whether the Archive Analyzer will be disabled. | false | \-\-zipExtensions | \ | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. |   - | \-\-disableJar | | Sets whether the Jar Analyzer will be used. | false + | \-\-disableJar | | Sets whether the Jar Analyzer will be disabled. | false + | \-\-disableComposer | | Sets whether the PHP Composer Lock File Analyzer will be disabled. | false | \-\-disableCentral | | Sets whether the Central Analyzer will be used. **Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).** If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer. 
| false | \-\-disableNexus | | Sets whether the Nexus Analyzer will be used. Note, this has been superceded by the Central Analyzer. However, you can configure the Nexus URL to utilize an internally hosted Nexus Pro server. | false | \-\-nexus | \ | The url to the Nexus Server's web service end point (example: http://domain.enterprise/nexus/service/local/). If not set the Nexus Analyzer will be disabled. |   diff --git a/dependency-check-cli/src/test/java/org/owasp/dependencycheck/AppTest.java b/dependency-check-cli/src/test/java/org/owasp/dependencycheck/AppTest.java index c5ad2a211..515704c92 100644 --- a/dependency-check-cli/src/test/java/org/owasp/dependencycheck/AppTest.java +++ b/dependency-check-cli/src/test/java/org/owasp/dependencycheck/AppTest.java @@ -1,17 +1,19 @@ /* - * Copyright 2015 OWASP. + * This file is part of dependency-check-core. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. + * + * Copyright (c) 2015 The OWASP Foundatio. All Rights Reserved. */ package org.owasp.dependencycheck; diff --git a/dependency-check-core/pom.xml b/dependency-check-core/pom.xml index 818820549..00695017f 100644 --- a/dependency-check-core/pom.xml +++ b/dependency-check-core/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.3.1-SNAPSHOT + 1.3.1 dependency-check-core 
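Review bot: The rewritten licence header in AppTest.java carries two errors: `Copyright (c) 2015 The OWASP Foundatio. All Rights Reserved.` is missing the last letter of the name, and `This file is part of dependency-check-core.` names the wrong module for a file under dependency-check-cli. The lines should read `This file is part of dependency-check-cli.` and `Copyright (c) 2015 The OWASP Foundation. All Rights Reserved.`. The same header block is reused verbatim in the new ComposerLockAnalyzer in this commit, so it is worth fixing the template once and copying it consistently.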
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java index 12e8a8c1e..289b434ba 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java @@ -17,6 +17,21 @@ */ package org.owasp.dependencycheck.analyzer; +import java.io.BufferedInputStream; +import java.io.Closeable; +import java.io.File; +import java.io.FileFilter; +import java.io.FileInputStream; +import java.io.FileNotFoundException; +import java.io.FileOutputStream; +import java.io.IOException; +import java.util.ArrayList; +import java.util.Collections; +import java.util.Enumeration; +import java.util.HashSet; +import java.util.List; +import java.util.Set; + import org.apache.commons.compress.archivers.ArchiveEntry; import org.apache.commons.compress.archivers.ArchiveInputStream; import org.apache.commons.compress.archivers.tar.TarArchiveInputStream; @@ -29,6 +44,7 @@ import org.apache.commons.compress.compressors.bzip2.BZip2Utils; import org.apache.commons.compress.compressors.gzip.GzipCompressorInputStream; import org.apache.commons.compress.compressors.gzip.GzipUtils; import org.apache.commons.compress.utils.IOUtils; + import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.analyzer.exception.ArchiveExtractionException; @@ -36,12 +52,10 @@ import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.utils.FileFilterBuilder; import org.owasp.dependencycheck.utils.FileUtils; import org.owasp.dependencycheck.utils.Settings; + import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import java.io.*; -import java.util.*; - /** *

* An analyzer that extracts files from archives and ensures any supported files contained within the archive are added to the @@ -94,8 +108,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer { /** * Detects files with extensions to remove from the engine's collection of dependencies. */ - private static final FileFilter REMOVE_FROM_ANALYSIS - = FileFilterBuilder.newInstance().addExtensions("zip", "tar", "gz", "tgz", "bz2", "tbz2").build(); + private static final FileFilter REMOVE_FROM_ANALYSIS = FileFilterBuilder.newInstance().addExtensions("zip", "tar", "gz", "tgz", "bz2", "tbz2") + .build(); static { final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS); @@ -231,6 +245,13 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer { Collections.sort(engine.getDependencies()); } + /** + * If a zip file was identified as a possible JAR, this method will add the zip to the list of dependencies. + * + * @param dependency the zip file + * @param engine the engine + * @throws AnalysisException thrown if there is an issue + */ private void addDisguisedJarsToDependencies(Dependency dependency, Engine engine) throws AnalysisException { if (ZIP_FILTER.accept(dependency.getActualFile()) && isZipFileActuallyJarFile(dependency)) { final File tdir = getNextTempDirectory(); @@ -257,7 +278,9 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer { } } } - + /** + * An empty dependency set. + */ private static final Set EMPTY_DEPENDENCY_SET = Collections.emptySet(); /** 
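Review bot: The new Javadoc for addDisguisedJarsToDependencies ends with `@throws AnalysisException thrown if there is an issue`, which tells a caller nothing about what can go wrong; the visible body allocates a temp directory via getNextTempDirectory() before the method continues outside the hunk, so at minimum the comment should name that step, e.g. `@throws AnalysisException if the zip cannot be extracted or re-registered as a JAR dependency`. The summary sentence also says the zip is "identified as a possible JAR" without saying by what; a pointer to isZipFileActuallyJarFile, which the `if` on the next line calls, would make the contract traceable. The method body continues beyond the hunk.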
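Review bot: `EMPTY_DEPENDENCY_SET` is declared with the raw type `Set`, so every use site either needs an unchecked cast or silently loses its element type; the new Javadoc documents the constant but leaves the raw type in place. `Collections.emptySet()` is generic, so the declaration can simply be `private static final Set<Dependency> EMPTY_DEPENDENCY_SET = Collections.emptySet();`, assuming, as the name suggests, that it stands in for an empty `Set<Dependency>` — the use sites are outside this hunk, so please confirm the element type before changing it.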
@@ -380,6 +403,13 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer { } } + /** + * Extracts a file from an archive. + * + * @param input the archives input stream + * @param file the file to extract + * @throws AnalysisException thrown if there is an error + */ private static void extractAcceptedFile(ArchiveInputStream input, File file) throws AnalysisException { LOGGER.debug("Extracting '{}'", file.getPath()); FileOutputStream fos = null; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java new file mode 100644 index 000000000..7e9f55fac --- /dev/null +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java 
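Review bot: The new Javadoc describes `file` only as `the file to extract`, but for an archive analyzer the destination path is derived from the entry name inside an archive the scanner was handed, which is untrusted input; an entry named with `../` components would write outside the extraction directory unless the caller normalizes and checks the resolved path first. That check, if it exists, lives in the caller outside this hunk, so the contract should at least be stated here: `@param file the destination file; must already be validated to resolve inside the extraction directory, since archive entry names are untrusted`. If no such check exists, comparing `file.getCanonicalPath()` against the extraction directory's canonical path (plus separator) before calling this method is the usual fix, and it belongs in the caller rather than in this static helper. The method body continues past the end of the hunk.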
@@ -0,0 +1,162 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 The OWASP Foundation. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.data.composer.ComposerDependency;
+import org.owasp.dependencycheck.data.composer.ComposerException;
+import org.owasp.dependencycheck.data.composer.ComposerLockParser;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.Checksum;
+import org.owasp.dependencycheck.utils.FileFilterBuilder;
+import org.owasp.dependencycheck.utils.Settings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.FileFilter;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.nio.charset.Charset;
+import java.security.MessageDigest;
+
+/**
+ * Used to analyze a composer.lock file for a composer PHP app.
+ *
+ * @author colezlaw
+ */
+public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
+
+ /**
+ * The logger
+ */
+ private static final Logger LOGGER = LoggerFactory.getLogger(ComposerLockAnalyzer.class);
+
+ /**
+ * The analyzer name
+ */
+ private static final String ANALYZER_NAME = "Composer.lock analyzer";
+
+ /**
+ * composer.json
+ */
+ private static final String COMPOSER_LOCK = "composer.lock";
+
+ /**
+ * The FileFilter
+ */
+ private static final FileFilter FILE_FILTER = FileFilterBuilder.newInstance().addFilenames(COMPOSER_LOCK).build();
+
+ /**
+ * Returns the FileFilter
+ *
+ * @return the FileFilter
+ */
+ @Override
+ protected FileFilter getFileFilter() {
+ return FILE_FILTER;
+ }
+
+ /**
+ * Initializes the analyzer
+ *
+ * @throws Exception
+ */
+ @Override
+ protected void initializeFileTypeAnalyzer() throws Exception {
+ sha1 = MessageDigest.getInstance("SHA1");
+ }
+
+ /**
+ * The MessageDigest for calculating a new digest for the new dependencies added
+ */
+ private MessageDigest sha1 = null;
+
+ /**
+ * Entry point for the analyzer.
+ *
+ * @param dependency the dependency to analyze
+ * @param engine the engine scanning
+ * @throws AnalysisException if there's a failure during analysis
+ */
+ @Override
+ protected void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
+ FileInputStream fis = null;
+ try {
+ fis = new FileInputStream(dependency.getActualFile());
+ final ComposerLockParser clp = new ComposerLockParser(fis);
+ LOGGER.info("Checking composer.lock file {}", dependency.getActualFilePath());
+ clp.process();
+ for (ComposerDependency dep : clp.getDependencies()) {
+ final Dependency d = new Dependency(dependency.getActualFile());
+ d.setDisplayFileName(String.format("%s:%s/%s", dependency.getDisplayFileName(), dep.getGroup(), dep.getProject()));
+ final String filePath = String.format("%s:%s/%s", dependency.getFilePath(), dep.getGroup(), dep.getProject());
+ d.setFilePath(filePath);
+ d.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes(Charset.defaultCharset()))));
+ d.getVendorEvidence().addEvidence(COMPOSER_LOCK, "vendor", dep.getGroup(), Confidence.HIGHEST);
+ d.getProductEvidence().addEvidence(COMPOSER_LOCK, "product", dep.getProject(), Confidence.HIGHEST);
+ d.getVersionEvidence().addEvidence(COMPOSER_LOCK, "version", dep.getVersion(), Confidence.HIGHEST);
+ LOGGER.info("Adding dependency {}", d);
+ engine.getDependencies().add(d);
+ }
+ } catch (FileNotFoundException fnfe) {
+ LOGGER.warn("Error opening dependency {}", dependency.getActualFilePath());
+ } catch (ComposerException ce) {
+ LOGGER.warn("Error parsing composer.json {}", dependency.getActualFilePath(), ce);
+ } finally {
+ if (fis != null) {
+ try {
+ fis.close();
+ } catch (Exception e) {
+ LOGGER.debug("Unable to close file", e);
+ }
+ }
+ }
+ }
+
+ /**
+ * Gets the key to determine whether the analyzer is enabled.
+ *
+ * @return the key specifying whether the analyzer is enabled
+ */
+ @Override
+ protected String getAnalyzerEnabledSettingKey() {
+ return Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED;
+ }
+
+ /**
+ * Returns the analyzer's name.
+ *
+ * @return the analyzer's name
+ */
+ @Override
+ public String getName() {
+ return ANALYZER_NAME;
+ }
+
+ /**
+ * Returns the phase this analyzer should run under.
+ *
+ * @return the analysis phase
+ */
+ @Override
+ public AnalysisPhase getAnalysisPhase() {
+ return AnalysisPhase.INFORMATION_COLLECTION;
+ }
+}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
index fd9297ad5..bb9fa5a00 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
@@ -104,6 +104,21 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer { "spring-security-core", Confidence.HIGH); + final Evidence symfony = new Evidence("composer.lock", + "vendor", + "symfony", + Confidence.HIGHEST); + + final Evidence zendframeworkVendor = new Evidence("composer.lock", + "vendor", + "zendframework", + Confidence.HIGHEST); + + final Evidence zendframeworkProduct = new Evidence("composer.lock", + "product", + "zendframework", + Confidence.HIGHEST); + //springsource/vware problem final Set product = dependency.getProductEvidence().getEvidence(); final Set vendor = dependency.getVendorEvidence().getEvidence();
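Review bot: The `catch (ComposerException ce)` branch in `analyzeFileType` logs `Error parsing composer.json {}` although this analyzer only ever opens composer.lock (`FILE_FILTER` is built from `COMPOSER_LOCK`); it should read `LOGGER.warn("Error parsing composer.lock {}", dependency.getActualFilePath(), ce);`, and the Javadoc on the `COMPOSER_LOCK` constant (`composer.json`) has the same mix-up. The synthetic checksum is taken over `filePath.getBytes(Charset.defaultCharset())`, so the same lock file yields a different `sha1sum` on hosts with different default charsets whenever the path contains non-ASCII characters; `Charset.forName("UTF-8")` pins it without a new import. `sha1` is only assigned in `initializeFileTypeAnalyzer`, so `analyzeFileType` presumably relies on the base class always calling that first; a one-line comment on the field stating that contract would help, and `@throws Exception` in the initializer Javadoc should say what fails (`if no SHA-1 provider is available`). The per-package `LOGGER.info("Adding dependency {}", d)` emits one INFO line for every locked package and reads better at DEBUG.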
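Review bot: The three `Evidence` objects added here have fixed contents but are rebuilt on every call of the enclosing method; they, like the existing hints above them, could be `private static final` fields if `Evidence` is immutable. The `vendor.contains(symfony)` checks in the next hunk presumably match only when every field — source `composer.lock`, name, value and `Confidence.HIGHEST` — is equal, so these hints are coupled to exactly what ComposerLockAnalyzer emits; a comment such as `// must mirror the evidence written by ComposerLockAnalyzer` would save the next maintainer a search. The enclosing method starts before this hunk.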
@@ -128,6 +143,18 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer { dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH); } + if (vendor.contains(symfony)) { + dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "sensiolabs", Confidence.HIGHEST); + } + + if (vendor.contains(zendframeworkVendor)) { + dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "zend", Confidence.HIGHEST); + } + + if (product.contains(zendframeworkProduct)) { + dependency.getProductEvidence().addEvidence("hint analyzer", "vendor", "zend_framework", Confidence.HIGHEST); + } + //sun/oracle problem final Iterator itr = dependency.getVendorEvidence().iterator(); final List newEntries = new ArrayList(); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java index 4345904ca..cf554b645 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java @@ -62,12 +62,15 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { */ private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION; + /** + * The file name to scan. + */ public static final String PACKAGE_JSON = "package.json"; /** * Filter that detects files named "package.json". */ - private static final FileFilter PACKAGE_JSON_FILTER - = FileFilterBuilder.newInstance().addFilenames(PACKAGE_JSON).build(); + private static final FileFilter PACKAGE_JSON_FILTER = FileFilterBuilder.newInstance() + .addFilenames(PACKAGE_JSON).build(); /** * Returns the FileFilter 
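Review bot: The third new branch adds `"zend_framework"` to the product evidence collection but tags it with name `"vendor"`: `dependency.getProductEvidence().addEvidence("hint analyzer", "vendor", "zend_framework", Confidence.HIGHEST);` reads like a copy of the two vendor lines above it and should presumably be `addEvidence("hint analyzer", "product", "zend_framework", Confidence.HIGHEST)`. The `symfony` → `sensiolabs` and `zendframework` → `zend` hints are inferred rather than read from the lock file, yet carry `Confidence.HIGHEST` while the existing vmware hint just above uses `Confidence.HIGH`; the difference deserves either consistency or a comment. The enclosing method continues outside the hunk.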
@@ -150,6 +153,13 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { } } + /** + * Adds information to an evidence collection from the node json configuration. + * + * @param json information from node.js + * @param collection a set of evidence about a dependency + * @param key the key to obtain the data from the json information + */ private void addToEvidence(JsonObject json, EvidenceCollection collection, String key) { if (json.containsKey(key)) { final JsonValue value = json.get(key); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerDependency.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerDependency.java new file mode 100644 index 000000000..09dd97d9a --- /dev/null +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerDependency.java 
@@ -0,0 +1,110 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2015 The OWASP Foundation. All Rights Reserved. + */ +package org.owasp.dependencycheck.data.composer; + +/** + * Reperesents a dependency (GAV, right now) from a Composer dependency. + * + * @author colezlaw + */ +public final class ComposerDependency { + + /** + * The group + */ + private final String group; + + /** + * The project + */ + private final String project; + + /** + * The version + */ + private final String version; + + /** + * Create a ComposerDependency from group, project, and version. + * + * @param group the group + * @param project the project + * @param version the version + */ + public ComposerDependency(String group, String project, String version) { + this.group = group; + this.project = project; + this.version = version; + } + + /** + * Get the group. + * + * @return the group + */ + public String getGroup() { + return group; + } + + /** + * Get the project. + * + * @return the project + */ + public String getProject() { + return project; + } + + /** + * Get the version. + * + * @return the version + */ + public String getVersion() { + return version; + } + + @Override + public boolean equals(Object o) { + if (this == o) { + return true; + } + if (!(o instanceof ComposerDependency)) { + return false; + } + + final ComposerDependency that = (ComposerDependency) o; + + if (group != null ? 
!group.equals(that.group) : that.group != null) { + return false; + } + if (project != null ? !project.equals(that.project) : that.project != null) { + return false; + } + return !(version != null ? !version.equals(that.version) : that.version != null); + + } + + @Override + public int hashCode() { + int result = group != null ? group.hashCode() : 0; + result = 31 * result + (project != null ? project.hashCode() : 0); + result = 31 * result + (version != null ? version.hashCode() : 0); + return result; + } +} diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerException.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerException.java new file mode 100644 index 000000000..8b4d841aa --- /dev/null +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerException.java 
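Review bot: The class Javadoc misspells `Represents` (`Reperesents`), and neither it nor the constructor says whether `group`, `project` and `version` may be null, even though `equals` and `hashCode` go to some length to tolerate nulls. If the only producer is `ComposerLockParser`, which passes `substring` results and a `getString` value, the fields are never null and the constructor could enforce that with `Objects.requireNonNull` (adding `java.util.Objects`), after which `equals`/`hashCode` collapse to plain `group.equals(that.group)` and `Objects.hash(group, project, version)`; otherwise document the nullability on each `@param`.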
@@ -0,0 +1,52 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 The OWASP Foundation. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.composer;
+
+/**
+ * Represents an exception when handling a composer.json or composer.lock file. Generally used to wrap a downstream exception.
+ *
+ * @author colezlaw
+ */
+public class ComposerException extends RuntimeException {
+
+ /**
+ * Creates a ComposerException with default message.
+ */
+ public ComposerException() {
+ super();
+ }
+
+ /**
+ * Creates a ComposerException with the specified message.
+ *
+ * @param message the exception message
+ */
+ public ComposerException(String message) {
+ super(message);
+ }
+
+ /**
+ * Creates a Composer exception with the specified message and cause.
+ *
+ * @param message the message
+ * @param cause the underlying cause
+ */
+ public ComposerException(String message, Throwable cause) {
+ super(message, cause);
+ }
+}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerLockParser.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerLockParser.java
new file mode 100644
index 000000000..289163763
--- /dev/null
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerLockParser.java
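Review bot: The class Javadoc does not mention that this is an unchecked exception, although that is the property a caller most needs: `ComposerLockParser.process()` throws it without a `throws` clause, so anyone other than `ComposerLockAnalyzer` (which catches it explicitly) will only learn of it from a stack trace. A sentence such as `This is an unchecked exception; callers of {@link ComposerLockParser#process()} that want to continue past a malformed lock file must catch it explicitly.` in the class Javadoc would cover it.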
@@ -0,0 +1,124 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2015 The OWASP Foundation. All Rights Reserved. + */ +package org.owasp.dependencycheck.data.composer; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import javax.json.Json; +import javax.json.JsonArray; +import javax.json.JsonException; +import javax.json.JsonObject; +import javax.json.JsonReader; +import javax.json.stream.JsonParsingException; +import java.io.InputStream; +import java.util.ArrayList; +import java.util.List; + +/** + * Parses a Composer.lock file from an input stream. In a separate class so it can hopefully be injected. + * + * @author colezlaw + */ +public class ComposerLockParser { + + /** + * The JsonReader for parsing JSON + */ + private final JsonReader jsonReader; + + /** + * The input stream we'll read + */ + private final InputStream inputStream; // NOPMD - it gets set in the constructor, read later + + /** + * The List of ComposerDependencies found + */ + private final List composerDependencies; + + /** + * The LOGGER + */ + private static final Logger LOGGER = LoggerFactory.getLogger(ComposerLockParser.class); + + /** + * Createas a ComposerLockParser from a JsonReader and an InputStream. 
+ * + * @param inputStream the InputStream to parse + */ + public ComposerLockParser(InputStream inputStream) { + LOGGER.info("Creating a ComposerLockParser"); + this.inputStream = inputStream; + this.jsonReader = Json.createReader(inputStream); + this.composerDependencies = new ArrayList(); + } + + /** + * Process the input stream to create the list of dependencies. + */ + public void process() { + LOGGER.info("Beginning Composer lock processing"); + try { + final JsonObject composer = jsonReader.readObject(); + if (composer.containsKey("packages")) { + LOGGER.debug("Found packages"); + final JsonArray packages = composer.getJsonArray("packages"); + for (JsonObject pkg : packages.getValuesAs(JsonObject.class)) { + if (pkg.containsKey("name")) { + final String groupName = pkg.getString("name"); + if (groupName.indexOf('/') >= 0 && groupName.indexOf('/') <= groupName.length() - 1) { + if (pkg.containsKey("version")) { + final String group = groupName.substring(0, groupName.indexOf('/')); + final String project = groupName.substring(groupName.indexOf('/') + 1); + String version = pkg.getString("version"); + // Some version nubmers begin with v - which doesn't end up matching CPE's + if (version.startsWith("v")) { + version = version.substring(1); + } + LOGGER.debug("Got package {}/{}/{}", group, project, version); + composerDependencies.add(new ComposerDependency(group, project, version)); + } else { + LOGGER.debug("Group/package {} does not have a version", groupName); + } + } else { + LOGGER.debug("Got a dependency with no name"); + } + } + } + } + } catch (JsonParsingException jsonpe) { + throw new ComposerException("Error parsing stream", jsonpe); + } catch (JsonException jsone) { + throw new ComposerException("Error reading stream", jsone); + } catch (IllegalStateException ise) { + throw new ComposerException("Illegal state in composer stream", ise); + } catch (ClassCastException cce) { + throw new ComposerException("Not exactly composer lock", cce); + } + } + + 
/** + * Gets the list of dependencies. + * + * @return the list of dependencies + */ + public List getDependencies() { + return composerDependencies; + } +} diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/package-info.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/package-info.java new file mode 100644 index 000000000..42bd9f05a --- /dev/null +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/package-info.java @@ -0,0 +1,4 @@ +/** + * Model elements for PHP Composer files + */ +package org.owasp.dependencycheck.data.composer; \ No newline at end of file diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java index dc8a5edf5..15bbdcdb1 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java @@ -151,7 +151,7 @@ public final class CpeMemoryIndex { */ @SuppressWarnings("unchecked") private Analyzer createIndexingAnalyzer() { - final Map fieldAnalyzers = new HashMap(); + final Map fieldAnalyzers = new HashMap(); fieldAnalyzers.put(Fields.DOCUMENT_KEY, new KeywordAnalyzer()); return new PerFieldAnalyzerWrapper(new FieldAnalyzer(LuceneUtils.CURRENT_VERSION), fieldAnalyzers); } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilter.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilter.java index c99b1bcaa..58fbfbfdc 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilter.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilter.java 
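Review bot: The name check in `process()`, `groupName.indexOf('/') >= 0 && groupName.indexOf('/') <= groupName.length() - 1`, never rejects anything the first clause accepts, because an index returned by `indexOf` is always at most `length() - 1`; a name such as `vendor/` therefore produces a dependency with an empty `project`, and `/project` one with an empty `group`, both of which then become HIGHEST-confidence evidence downstream. Computing the index once and requiring it to be interior, `final int slash = groupName.indexOf('/');` and `if (slash > 0 && slash < groupName.length() - 1) {`, gives the guard the condition was reaching for. The `else` that logs `Got a dependency with no name` belongs to that slash check, so it fires for names without a `/` while packages lacking a `name` key are skipped silently; the message should say `has no vendor/project separator`, with a separate debug line on the missing-name path. Only the `packages` array is read, so `packages-dev` entries in the same file are not reported; that may be intended but deserves a sentence in the class Javadoc. `getDependencies()` hands out the internal `ArrayList`, which `Collections.unmodifiableList` would protect, and `process()` should carry `@throws ComposerException` since the exception is unchecked.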
@@ -75,8 +75,8 @@ public final class TokenPairConcatenatingFilter extends TokenFilter { } /** - * Increments the underlying TokenStream and sets CharTermAttributes to construct an expanded set of tokens by - * concatenating tokens with the previous token. + * Increments the underlying TokenStream and sets CharTermAttributes to construct an expanded set of tokens by concatenating + * tokens with the previous token. * * @return whether or not we have hit the end of the TokenStream * @throws IOException is thrown when an IOException occurs @@ -112,8 +112,7 @@ public final class TokenPairConcatenatingFilter extends TokenFilter { /** *

- * Resets the Filter and clears any internal state data that may have been left-over from previous uses of the - * Filter.

+ * Resets the Filter and clears any internal state data that may have been left-over from previous uses of the Filter.

*

* If this Filter is re-used this method must be called between uses.

*/ @@ -121,4 +120,46 @@ public final class TokenPairConcatenatingFilter extends TokenFilter { previousWord = null; words.clear(); } + + /** + * Standard hash code implementation. + * + * @return the hash code + */ + @Override + public int hashCode() { + int hash = 3; + hash = 31 * hash + (this.termAtt != null ? this.termAtt.hashCode() : 0); + hash = 31 * hash + (this.previousWord != null ? this.previousWord.hashCode() : 0); + hash = 31 * hash + (this.words != null ? this.words.hashCode() : 0); + return hash; + } + + /** + * Standard equals implementation. + * + * @param obj the object to compare + * @return true if the objects are equal; otherwise false. + */ + @Override + public boolean equals(Object obj) { + if (obj == null) { + return false; + } + if (getClass() != obj.getClass()) { + return false; + } + final TokenPairConcatenatingFilter other = (TokenPairConcatenatingFilter) obj; + if (this.termAtt != other.termAtt && (this.termAtt == null || !this.termAtt.equals(other.termAtt))) { + return false; + } + if ((this.previousWord == null) ? (other.previousWord != null) : !this.previousWord.equals(other.previousWord)) { + return false; + } + if (this.words != other.words && (this.words == null || !this.words.equals(other.words))) { + return false; + } + return true; + } + } diff --git a/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer b/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer index 760ecfa14..43d67c5fe 100644 --- a/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer +++ b/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer 
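Review bot: The added `hashCode`/`equals` are computed from `termAtt`, `previousWord` and `words`, all of which change as the filter consumes tokens (`reset()` just above clears two of them), so an instance's hash code is not stable over its lifetime and two filters are `equal` only while their buffered state happens to coincide; if these were added to satisfy a static-analysis rule about overriding both, a comment saying so, and that instances must not be used as hash keys, would keep anyone from relying on them. Neither method consults the wrapped `input` stream that `TokenFilter` presumably holds, so two filters over different streams with empty buffers compare equal; either include it or document the omission. `equals` also lacks the `this == obj` fast path used by `ComposerDependency.equals` elsewhere in this commit.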
@@ -20,3 +20,4 @@ org.owasp.dependencycheck.analyzer.CMakeAnalyzer org.owasp.dependencycheck.analyzer.NodePackageAnalyzer org.owasp.dependencycheck.analyzer.RubyGemspecAnalyzer org.owasp.dependencycheck.analyzer.RubyBundleAuditAnalyzer +org.owasp.dependencycheck.analyzer.ComposerLockAnalyzer diff --git a/dependency-check-core/src/main/resources/composer.lock b/dependency-check-core/src/main/resources/composer.lock new file mode 100644 index 000000000..29c47bb03 --- /dev/null +++ b/dependency-check-core/src/main/resources/composer.lock 
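Review bot: The registration line makes `ComposerLockAnalyzer` load for every scan via the service loader; it is gated at runtime by `Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED` from `getAnalyzerEnabledSettingKey()`, so this change presumably also needs a default for that key in the properties file, which is not in this chunk. Separately, the file header that follows adds a 1746-line `composer.lock` under `src/main/resources`, i.e. into the shipped core jar; if it is a test fixture it belongs under `src/test/resources`.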
@@ -0,0 +1,1746 @@ +{ + "_readme": [ + "This file locks the dependencies of your project to a known state", + "Read more about it at http://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", + "This file is @generated automatically" + ], + "hash": "c0522252611c314f0e6914e872f42559", + "packages": [ + { + "name": "classpreloader/classpreloader", + "version": "2.0.0", + "source": { + "type": "git", + "url": "https://github.com/ClassPreloader/ClassPreloader.git", + "reference": "8c3c14b10309e3b40bce833913a6c0c0b8c8f962" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/ClassPreloader/ClassPreloader/zipball/8c3c14b10309e3b40bce833913a6c0c0b8c8f962", + "reference": "8c3c14b10309e3b40bce833913a6c0c0b8c8f962", + "shasum": "" + }, + "require": { + "nikic/php-parser": "~1.3", + "php": ">=5.5.9" + }, + "require-dev": { + "phpunit/phpunit": "~4.0" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "2.0-dev" + } + }, + "autoload": { + "psr-4": { + "ClassPreloader\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Michael Dowling", + "email": "mtdowling@gmail.com" + }, + { + "name": "Graham Campbell", + "email": "graham@alt-three.com" + } + ], + "description": "Helps class loading performance by generating a single PHP file containing all of the autoloaded files for a specific use case", + "keywords": [ + "autoload", + "class", + "preload" + ], + "time": "2015-06-28 21:39:13" + }, + { + "name": "danielstjules/stringy", + "version": "1.10.0", + "source": { + "type": "git", + "url": "https://github.com/danielstjules/Stringy.git", + "reference": "4749c205db47ee5b32e8d1adf6d9aff8db6caf3b" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/danielstjules/Stringy/zipball/4749c205db47ee5b32e8d1adf6d9aff8db6caf3b", + "reference": "4749c205db47ee5b32e8d1adf6d9aff8db6caf3b", + "shasum": "" + }, + "require": { + 
"ext-mbstring": "*", + "php": ">=5.3.0" + }, + "require-dev": { + "phpunit/phpunit": "~4.0" + }, + "type": "library", + "autoload": { + "psr-4": { + "Stringy\\": "src/" + }, + "files": [ + "src/Create.php" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Daniel St. Jules", + "email": "danielst.jules@gmail.com", + "homepage": "http://www.danielstjules.com" + } + ], + "description": "A string manipulation library with multibyte support", + "homepage": "https://github.com/danielstjules/Stringy", + "keywords": [ + "UTF", + "helpers", + "manipulation", + "methods", + "multibyte", + "string", + "utf-8", + "utility", + "utils" + ], + "time": "2015-07-23 00:54:12" + }, + { + "name": "dnoegel/php-xdg-base-dir", + "version": "0.1", + "source": { + "type": "git", + "url": "https://github.com/dnoegel/php-xdg-base-dir.git", + "reference": "265b8593498b997dc2d31e75b89f053b5cc9621a" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/dnoegel/php-xdg-base-dir/zipball/265b8593498b997dc2d31e75b89f053b5cc9621a", + "reference": "265b8593498b997dc2d31e75b89f053b5cc9621a", + "shasum": "" + }, + "require": { + "php": ">=5.3.2" + }, + "require-dev": { + "phpunit/phpunit": "@stable" + }, + "type": "project", + "autoload": { + "psr-4": { + "XdgBaseDir\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "description": "implementation of xdg base directory specification for php", + "time": "2014-10-24 07:27:01" + }, + { + "name": "doctrine/inflector", + "version": "v1.0.1", + "source": { + "type": "git", + "url": "https://github.com/doctrine/inflector.git", + "reference": "0bcb2e79d8571787f18b7eb036ed3d004908e604" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/doctrine/inflector/zipball/0bcb2e79d8571787f18b7eb036ed3d004908e604", + "reference": "0bcb2e79d8571787f18b7eb036ed3d004908e604", + "shasum": "" + }, + 
"require": { + "php": ">=5.3.2" + }, + "require-dev": { + "phpunit/phpunit": "4.*" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "1.0.x-dev" + } + }, + "autoload": { + "psr-0": { + "Doctrine\\Common\\Inflector\\": "lib/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Roman Borschel", + "email": "roman@code-factory.org" + }, + { + "name": "Benjamin Eberlei", + "email": "kontakt@beberlei.de" + }, + { + "name": "Guilherme Blanco", + "email": "guilhermeblanco@gmail.com" + }, + { + "name": "Jonathan Wage", + "email": "jonwage@gmail.com" + }, + { + "name": "Johannes Schmitt", + "email": "schmittjoh@gmail.com" + } + ], + "description": "Common String Manipulations with regard to casing and singular/plural rules.", + "homepage": "http://www.doctrine-project.org", + "keywords": [ + "inflection", + "pluralize", + "singularize", + "string" + ], + "time": "2014-12-20 21:24:13" + }, + { + "name": "jakub-onderka/php-console-color", + "version": "0.1", + "source": { + "type": "git", + "url": "https://github.com/JakubOnderka/PHP-Console-Color.git", + "reference": "e0b393dacf7703fc36a4efc3df1435485197e6c1" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/JakubOnderka/PHP-Console-Color/zipball/e0b393dacf7703fc36a4efc3df1435485197e6c1", + "reference": "e0b393dacf7703fc36a4efc3df1435485197e6c1", + "shasum": "" + }, + "require": { + "php": ">=5.3.2" + }, + "require-dev": { + "jakub-onderka/php-code-style": "1.0", + "jakub-onderka/php-parallel-lint": "0.*", + "jakub-onderka/php-var-dump-check": "0.*", + "phpunit/phpunit": "3.7.*", + "squizlabs/php_codesniffer": "1.*" + }, + "type": "library", + "autoload": { + "psr-0": { + "JakubOnderka\\PhpConsoleColor": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "BSD-2-Clause" + ], + "authors": [ + { + "name": "Jakub Onderka", + "email": "jakub.onderka@gmail.com", + 
"homepage": "http://www.acci.cz" + } + ], + "time": "2014-04-08 15:00:19" + }, + { + "name": "jakub-onderka/php-console-highlighter", + "version": "v0.3.2", + "source": { + "type": "git", + "url": "https://github.com/JakubOnderka/PHP-Console-Highlighter.git", + "reference": "7daa75df45242c8d5b75a22c00a201e7954e4fb5" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/JakubOnderka/PHP-Console-Highlighter/zipball/7daa75df45242c8d5b75a22c00a201e7954e4fb5", + "reference": "7daa75df45242c8d5b75a22c00a201e7954e4fb5", + "shasum": "" + }, + "require": { + "jakub-onderka/php-console-color": "~0.1", + "php": ">=5.3.0" + }, + "require-dev": { + "jakub-onderka/php-code-style": "~1.0", + "jakub-onderka/php-parallel-lint": "~0.5", + "jakub-onderka/php-var-dump-check": "~0.1", + "phpunit/phpunit": "~4.0", + "squizlabs/php_codesniffer": "~1.5" + }, + "type": "library", + "autoload": { + "psr-0": { + "JakubOnderka\\PhpConsoleHighlighter": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Jakub Onderka", + "email": "acci@acci.cz", + "homepage": "http://www.acci.cz/" + } + ], + "time": "2015-04-20 18:58:01" + }, + { + "name": "jeremeamia/SuperClosure", + "version": "2.1.0", + "source": { + "type": "git", + "url": "https://github.com/jeremeamia/super_closure.git", + "reference": "b712f39c671e5ead60c7ebfe662545456aade833" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/jeremeamia/super_closure/zipball/b712f39c671e5ead60c7ebfe662545456aade833", + "reference": "b712f39c671e5ead60c7ebfe662545456aade833", + "shasum": "" + }, + "require": { + "nikic/php-parser": "~1.0", + "php": ">=5.4" + }, + "require-dev": { + "codeclimate/php-test-reporter": "~0.1.2", + "phpunit/phpunit": "~4.0" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "2.1-dev" + } + }, + "autoload": { + "psr-4": { + "SuperClosure\\": "src/" + } + }, + "notification-url": 
"https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Jeremy Lindblom", + "email": "jeremeamia@gmail.com", + "homepage": "https://github.com/jeremeamia", + "role": "Developer" + } + ], + "description": "Serialize Closure objects, including their context and binding", + "homepage": "https://github.com/jeremeamia/super_closure", + "keywords": [ + "closure", + "function", + "lambda", + "parser", + "serializable", + "serialize", + "tokenizer" + ], + "time": "2015-03-11 20:06:43" + }, + { + "name": "laravel/framework", + "version": "v5.1.12", + "source": { + "type": "git", + "url": "https://github.com/laravel/framework.git", + "reference": "76a9816f37a58383f6ba093ccf08f253e5488555" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/laravel/framework/zipball/76a9816f37a58383f6ba093ccf08f253e5488555", + "reference": "76a9816f37a58383f6ba093ccf08f253e5488555", + "shasum": "" + }, + "require": { + "classpreloader/classpreloader": "~2.0", + "danielstjules/stringy": "~1.8", + "doctrine/inflector": "~1.0", + "ext-mbstring": "*", + "ext-openssl": "*", + "jeremeamia/superclosure": "~2.0", + "league/flysystem": "~1.0", + "monolog/monolog": "~1.11", + "mtdowling/cron-expression": "~1.0", + "nesbot/carbon": "~1.19", + "php": ">=5.5.9", + "psy/psysh": "~0.5.1", + "swiftmailer/swiftmailer": "~5.1", + "symfony/console": "2.7.*", + "symfony/css-selector": "2.7.*", + "symfony/debug": "2.7.*", + "symfony/dom-crawler": "2.7.*", + "symfony/finder": "2.7.*", + "symfony/http-foundation": "2.7.*", + "symfony/http-kernel": "2.7.*", + "symfony/process": "2.7.*", + "symfony/routing": "2.7.*", + "symfony/translation": "2.7.*", + "symfony/var-dumper": "2.7.*", + "vlucas/phpdotenv": "~1.0" + }, + "replace": { + "illuminate/auth": "self.version", + "illuminate/broadcasting": "self.version", + "illuminate/bus": "self.version", + "illuminate/cache": "self.version", + "illuminate/config": "self.version", + "illuminate/console": 
"self.version", + "illuminate/container": "self.version", + "illuminate/contracts": "self.version", + "illuminate/cookie": "self.version", + "illuminate/database": "self.version", + "illuminate/encryption": "self.version", + "illuminate/events": "self.version", + "illuminate/exception": "self.version", + "illuminate/filesystem": "self.version", + "illuminate/foundation": "self.version", + "illuminate/hashing": "self.version", + "illuminate/http": "self.version", + "illuminate/log": "self.version", + "illuminate/mail": "self.version", + "illuminate/pagination": "self.version", + "illuminate/pipeline": "self.version", + "illuminate/queue": "self.version", + "illuminate/redis": "self.version", + "illuminate/routing": "self.version", + "illuminate/session": "self.version", + "illuminate/support": "self.version", + "illuminate/translation": "self.version", + "illuminate/validation": "self.version", + "illuminate/view": "self.version" + }, + "require-dev": { + "aws/aws-sdk-php": "~3.0", + "iron-io/iron_mq": "~2.0", + "mockery/mockery": "~0.9.1", + "pda/pheanstalk": "~3.0", + "phpunit/phpunit": "~4.0", + "predis/predis": "~1.0" + }, + "suggest": { + "aws/aws-sdk-php": "Required to use the SQS queue driver and SES mail driver (~3.0).", + "doctrine/dbal": "Required to rename columns and drop SQLite columns (~2.4).", + "fzaninotto/faker": "Required to use the eloquent factory builder (~1.4).", + "guzzlehttp/guzzle": "Required to use the Mailgun and Mandrill mail drivers (~5.3|~6.0).", + "iron-io/iron_mq": "Required to use the iron queue driver (~2.0).", + "league/flysystem-aws-s3-v3": "Required to use the Flysystem S3 driver (~1.0).", + "league/flysystem-rackspace": "Required to use the Flysystem Rackspace driver (~1.0).", + "pda/pheanstalk": "Required to use the beanstalk queue driver (~3.0).", + "predis/predis": "Required to use the redis cache and queue drivers (~1.0).", + "pusher/pusher-php-server": "Required to use the Pusher broadcast driver (~2.0)." 
+ }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "5.1-dev" + } + }, + "autoload": { + "classmap": [ + "src/Illuminate/Queue/IlluminateQueueClosure.php" + ], + "files": [ + "src/Illuminate/Foundation/helpers.php", + "src/Illuminate/Support/helpers.php" + ], + "psr-4": { + "Illuminate\\": "src/Illuminate/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Taylor Otwell", + "email": "taylorotwell@gmail.com" + } + ], + "description": "The Laravel Framework.", + "homepage": "http://laravel.com", + "keywords": [ + "framework", + "laravel" + ], + "time": "2015-08-30 23:25:48" + }, + { + "name": "laravel/laravel", + "version": "v5.1.11", + "source": { + "type": "git", + "url": "https://github.com/laravel/laravel.git", + "reference": "716e65268ae088e5bd73e505acf9695c127aff66" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/laravel/laravel/zipball/716e65268ae088e5bd73e505acf9695c127aff66", + "reference": "716e65268ae088e5bd73e505acf9695c127aff66", + "shasum": "" + }, + "require": { + "laravel/framework": "5.1.*", + "php": ">=5.5.9" + }, + "require-dev": { + "fzaninotto/faker": "~1.4", + "mockery/mockery": "0.9.*", + "phpspec/phpspec": "~2.1", + "phpunit/phpunit": "~4.0" + }, + "type": "project", + "autoload": { + "classmap": [ + "database" + ], + "psr-4": { + "App\\": "app/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "description": "The Laravel Framework.", + "keywords": [ + "framework", + "laravel" + ], + "time": "2015-08-30 11:31:33" + }, + { + "name": "league/flysystem", + "version": "1.0.11", + "source": { + "type": "git", + "url": "https://github.com/thephpleague/flysystem.git", + "reference": "c16222fdc02467eaa12cb6d6d0e65527741f6040" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/thephpleague/flysystem/zipball/c16222fdc02467eaa12cb6d6d0e65527741f6040", + 
"reference": "c16222fdc02467eaa12cb6d6d0e65527741f6040", + "shasum": "" + }, + "require": { + "php": ">=5.4.0" + }, + "require-dev": { + "ext-fileinfo": "*", + "mockery/mockery": "~0.9", + "phpspec/phpspec": "^2.2", + "phpspec/prophecy-phpunit": "~1.0", + "phpunit/phpunit": "~4.1" + }, + "suggest": { + "ext-fileinfo": "Required for MimeType", + "league/flysystem-aws-s3-v2": "Allows you to use S3 storage with AWS SDK v2", + "league/flysystem-aws-s3-v3": "Allows you to use S3 storage with AWS SDK v3", + "league/flysystem-azure": "Allows you to use Windows Azure Blob storage", + "league/flysystem-cached-adapter": "Flysystem adapter decorator for metadata caching", + "league/flysystem-copy": "Allows you to use Copy.com storage", + "league/flysystem-dropbox": "Allows you to use Dropbox storage", + "league/flysystem-eventable-filesystem": "Allows you to use EventableFilesystem", + "league/flysystem-rackspace": "Allows you to use Rackspace Cloud Files", + "league/flysystem-sftp": "Allows you to use SFTP server storage via phpseclib", + "league/flysystem-webdav": "Allows you to use WebDAV storage", + "league/flysystem-ziparchive": "Allows you to use ZipArchive adapter" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "1.1-dev" + } + }, + "autoload": { + "psr-4": { + "League\\Flysystem\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Frank de Jonge", + "email": "info@frenky.net" + } + ], + "description": "Filesystem abstraction: Many filesystems, one API.", + "keywords": [ + "Cloud Files", + "WebDAV", + "abstraction", + "aws", + "cloud", + "copy.com", + "dropbox", + "file systems", + "files", + "filesystem", + "filesystems", + "ftp", + "rackspace", + "remote", + "s3", + "sftp", + "storage" + ], + "time": "2015-07-28 20:41:58" + }, + { + "name": "monolog/monolog", + "version": "1.11.0", + "source": { + "type": "git", + "url": 
"https://github.com/Seldaek/monolog.git", + "reference": "ec3961874c43840e96da3a8a1ed20d8c73d7e5aa" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/Seldaek/monolog/zipball/ec3961874c43840e96da3a8a1ed20d8c73d7e5aa", + "reference": "ec3961874c43840e96da3a8a1ed20d8c73d7e5aa", + "shasum": "" + }, + "require": { + "php": ">=5.3.0", + "psr/log": "~1.0" + }, + "provide": { + "psr/log-implementation": "1.0.0" + }, + "require-dev": { + "aws/aws-sdk-php": "~2.4, >2.4.8", + "doctrine/couchdb": "~1.0@dev", + "graylog2/gelf-php": "~1.0", + "phpunit/phpunit": "~3.7.0", + "raven/raven": "~0.5", + "ruflin/elastica": "0.90.*", + "videlalvaro/php-amqplib": "~2.4" + }, + "suggest": { + "aws/aws-sdk-php": "Allow sending log messages to AWS services like DynamoDB", + "doctrine/couchdb": "Allow sending log messages to a CouchDB server", + "ext-amqp": "Allow sending log messages to an AMQP server (1.0+ required)", + "ext-mongo": "Allow sending log messages to a MongoDB server", + "graylog2/gelf-php": "Allow sending log messages to a GrayLog2 server", + "raven/raven": "Allow sending log messages to a Sentry server", + "rollbar/rollbar": "Allow sending log messages to Rollbar", + "ruflin/elastica": "Allow sending log messages to an Elastic Search server", + "videlalvaro/php-amqplib": "Allow sending log messages to an AMQP server using php-amqplib" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "1.11.x-dev" + } + }, + "autoload": { + "psr-4": { + "Monolog\\": "src/Monolog" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Jordi Boggiano", + "email": "j.boggiano@seld.be", + "homepage": "http://seld.be" + } + ], + "description": "Sends your logs to files, sockets, inboxes, databases and various web services", + "homepage": "http://github.com/Seldaek/monolog", + "keywords": [ + "log", + "logging", + "psr-3" + ], + "time": "2014-09-30 13:30:58" + }, + { + "name": 
"mtdowling/cron-expression", + "version": "v1.0.4", + "source": { + "type": "git", + "url": "https://github.com/mtdowling/cron-expression.git", + "reference": "fd92e883195e5dfa77720b1868cf084b08be4412" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/mtdowling/cron-expression/zipball/fd92e883195e5dfa77720b1868cf084b08be4412", + "reference": "fd92e883195e5dfa77720b1868cf084b08be4412", + "shasum": "" + }, + "require": { + "php": ">=5.3.2" + }, + "require-dev": { + "phpunit/phpunit": "4.*" + }, + "type": "library", + "autoload": { + "psr-0": { + "Cron": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Michael Dowling", + "email": "mtdowling@gmail.com", + "homepage": "https://github.com/mtdowling" + } + ], + "description": "CRON for PHP: Calculate the next or previous run date and determine if a CRON expression is due", + "keywords": [ + "cron", + "schedule" + ], + "time": "2015-01-11 23:07:46" + }, + { + "name": "nesbot/carbon", + "version": "1.20.0", + "source": { + "type": "git", + "url": "https://github.com/briannesbitt/Carbon.git", + "reference": "bfd3eaba109c9a2405c92174c8e17f20c2b9caf3" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/briannesbitt/Carbon/zipball/bfd3eaba109c9a2405c92174c8e17f20c2b9caf3", + "reference": "bfd3eaba109c9a2405c92174c8e17f20c2b9caf3", + "shasum": "" + }, + "require": { + "php": ">=5.3.0", + "symfony/translation": "~2.6|~3.0" + }, + "require-dev": { + "phpunit/phpunit": "~4.0" + }, + "type": "library", + "autoload": { + "psr-0": { + "Carbon": "src" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Brian Nesbitt", + "email": "brian@nesbot.com", + "homepage": "http://nesbot.com" + } + ], + "description": "A simple API extension for DateTime.", + "homepage": "http://carbon.nesbot.com", + "keywords": [ + "date", + "datetime", + "time" + 
], + "time": "2015-06-25 04:19:39" + }, + { + "name": "nikic/php-parser", + "version": "v1.4.0", + "source": { + "type": "git", + "url": "https://github.com/nikic/PHP-Parser.git", + "reference": "196f177cfefa0f1f7166c0a05d8255889be12418" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/nikic/PHP-Parser/zipball/196f177cfefa0f1f7166c0a05d8255889be12418", + "reference": "196f177cfefa0f1f7166c0a05d8255889be12418", + "shasum": "" + }, + "require": { + "ext-tokenizer": "*", + "php": ">=5.3" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "1.4-dev" + } + }, + "autoload": { + "files": [ + "lib/bootstrap.php" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "BSD-3-Clause" + ], + "authors": [ + { + "name": "Nikita Popov" + } + ], + "description": "A PHP parser written in PHP", + "keywords": [ + "parser", + "php" + ], + "time": "2015-07-14 17:31:05" + }, + { + "name": "psr/log", + "version": "1.0.0", + "source": { + "type": "git", + "url": "https://github.com/php-fig/log.git", + "reference": "fe0936ee26643249e916849d48e3a51d5f5e278b" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/php-fig/log/zipball/fe0936ee26643249e916849d48e3a51d5f5e278b", + "reference": "fe0936ee26643249e916849d48e3a51d5f5e278b", + "shasum": "" + }, + "type": "library", + "autoload": { + "psr-0": { + "Psr\\Log\\": "" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "PHP-FIG", + "homepage": "http://www.php-fig.org/" + } + ], + "description": "Common interface for logging libraries", + "keywords": [ + "log", + "psr", + "psr-3" + ], + "time": "2012-12-21 11:40:51" + }, + { + "name": "psy/psysh", + "version": "v0.5.2", + "source": { + "type": "git", + "url": "https://github.com/bobthecow/psysh.git", + "reference": "aaf8772ade08b5f0f6830774a5d5c2f800415975" + }, + "dist": { + "type": "zip", + "url": 
"https://api.github.com/repos/bobthecow/psysh/zipball/aaf8772ade08b5f0f6830774a5d5c2f800415975", + "reference": "aaf8772ade08b5f0f6830774a5d5c2f800415975", + "shasum": "" + }, + "require": { + "dnoegel/php-xdg-base-dir": "0.1", + "jakub-onderka/php-console-highlighter": "0.3.*", + "nikic/php-parser": "^1.2.1", + "php": ">=5.3.9", + "symfony/console": "~2.3.10|^2.4.2|~3.0", + "symfony/var-dumper": "~2.7|~3.0" + }, + "require-dev": { + "fabpot/php-cs-fixer": "~1.5", + "phpunit/phpunit": "~3.7|~4.0", + "squizlabs/php_codesniffer": "~2.0", + "symfony/finder": "~2.1|~3.0" + }, + "suggest": { + "ext-pcntl": "Enabling the PCNTL extension makes PsySH a lot happier :)", + "ext-pdo-sqlite": "The doc command requires SQLite to work.", + "ext-posix": "If you have PCNTL, you'll want the POSIX extension as well.", + "ext-readline": "Enables support for arrow-key history navigation, and showing and manipulating command history." + }, + "bin": [ + "bin/psysh" + ], + "type": "library", + "extra": { + "branch-alias": { + "dev-develop": "0.6.x-dev" + } + }, + "autoload": { + "files": [ + "src/Psy/functions.php" + ], + "psr-0": { + "Psy\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Justin Hileman", + "email": "justin@justinhileman.info", + "homepage": "http://justinhileman.com" + } + ], + "description": "An interactive shell for modern PHP.", + "homepage": "http://psysh.org", + "keywords": [ + "REPL", + "console", + "interactive", + "shell" + ], + "time": "2015-07-16 15:26:57" + }, + { + "name": "swiftmailer/swiftmailer", + "version": "v5.4.1", + "source": { + "type": "git", + "url": "https://github.com/swiftmailer/swiftmailer.git", + "reference": "0697e6aa65c83edf97bb0f23d8763f94e3f11421" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/swiftmailer/swiftmailer/zipball/0697e6aa65c83edf97bb0f23d8763f94e3f11421", + "reference": "0697e6aa65c83edf97bb0f23d8763f94e3f11421", + 
"shasum": "" + }, + "require": { + "php": ">=5.3.3" + }, + "require-dev": { + "mockery/mockery": "~0.9.1,<0.9.4" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "5.4-dev" + } + }, + "autoload": { + "files": [ + "lib/swift_required.php" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Chris Corbyn" + }, + { + "name": "Fabien Potencier", + "email": "fabien@symfony.com" + } + ], + "description": "Swiftmailer, free feature-rich PHP mailer", + "homepage": "http://swiftmailer.org", + "keywords": [ + "email", + "mail", + "mailer" + ], + "time": "2015-06-06 14:19:39" + }, + { + "name": "symfony/console", + "version": "v2.7.3", + "source": { + "type": "git", + "url": "https://github.com/symfony/Console.git", + "reference": "d6cf02fe73634c96677e428f840704bfbcaec29e" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/symfony/Console/zipball/d6cf02fe73634c96677e428f840704bfbcaec29e", + "reference": "d6cf02fe73634c96677e428f840704bfbcaec29e", + "shasum": "" + }, + "require": { + "php": ">=5.3.9" + }, + "require-dev": { + "psr/log": "~1.0", + "symfony/event-dispatcher": "~2.1", + "symfony/phpunit-bridge": "~2.7", + "symfony/process": "~2.1" + }, + "suggest": { + "psr/log": "For using the console logger", + "symfony/event-dispatcher": "", + "symfony/process": "" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "2.7-dev" + } + }, + "autoload": { + "psr-4": { + "Symfony\\Component\\Console\\": "" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Fabien Potencier", + "email": "fabien@symfony.com" + }, + { + "name": "Symfony Community", + "homepage": "https://symfony.com/contributors" + } + ], + "description": "Symfony Console Component", + "homepage": "https://symfony.com", + "time": "2015-07-28 15:18:12" + }, + { + "name": "symfony/css-selector", + "version": 
"v2.7.3", + "source": { + "type": "git", + "url": "https://github.com/symfony/CssSelector.git", + "reference": "0b5c07b516226b7dd32afbbc82fe547a469c5092" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/symfony/CssSelector/zipball/0b5c07b516226b7dd32afbbc82fe547a469c5092", + "reference": "0b5c07b516226b7dd32afbbc82fe547a469c5092", + "shasum": "" + }, + "require": { + "php": ">=5.3.9" + }, + "require-dev": { + "symfony/phpunit-bridge": "~2.7" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "2.7-dev" + } + }, + "autoload": { + "psr-4": { + "Symfony\\Component\\CssSelector\\": "" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Jean-François Simon", + "email": "jeanfrancois.simon@sensiolabs.com" + }, + { + "name": "Fabien Potencier", + "email": "fabien@symfony.com" + }, + { + "name": "Symfony Community", + "homepage": "https://symfony.com/contributors" + } + ], + "description": "Symfony CssSelector Component", + "homepage": "https://symfony.com", + "time": "2015-05-15 13:33:16" + }, + { + "name": "symfony/debug", + "version": "v2.7.3", + "source": { + "type": "git", + "url": "https://github.com/symfony/Debug.git", + "reference": "9daa1bf9f7e615fa2fba30357e479a90141222e3" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/symfony/Debug/zipball/9daa1bf9f7e615fa2fba30357e479a90141222e3", + "reference": "9daa1bf9f7e615fa2fba30357e479a90141222e3", + "shasum": "" + }, + "require": { + "php": ">=5.3.9", + "psr/log": "~1.0" + }, + "conflict": { + "symfony/http-kernel": ">=2.3,<2.3.24|~2.4.0|>=2.5,<2.5.9|>=2.6,<2.6.2" + }, + "require-dev": { + "symfony/class-loader": "~2.2", + "symfony/http-foundation": "~2.1", + "symfony/http-kernel": "~2.3.24|~2.5.9|~2.6,>=2.6.2", + "symfony/phpunit-bridge": "~2.7" + }, + "suggest": { + "symfony/http-foundation": "", + "symfony/http-kernel": "" + }, + "type": "library", + "extra": { + 
"branch-alias": { + "dev-master": "2.7-dev" + } + }, + "autoload": { + "psr-4": { + "Symfony\\Component\\Debug\\": "" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Fabien Potencier", + "email": "fabien@symfony.com" + }, + { + "name": "Symfony Community", + "homepage": "https://symfony.com/contributors" + } + ], + "description": "Symfony Debug Component", + "homepage": "https://symfony.com", + "time": "2015-07-09 16:07:40" + }, + { + "name": "symfony/dom-crawler", + "version": "v2.7.3", + "source": { + "type": "git", + "url": "https://github.com/symfony/DomCrawler.git", + "reference": "9dabece63182e95c42b06967a0d929a5df78bc35" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/symfony/DomCrawler/zipball/9dabece63182e95c42b06967a0d929a5df78bc35", + "reference": "9dabece63182e95c42b06967a0d929a5df78bc35", + "shasum": "" + }, + "require": { + "php": ">=5.3.9" + }, + "require-dev": { + "symfony/css-selector": "~2.3", + "symfony/phpunit-bridge": "~2.7" + }, + "suggest": { + "symfony/css-selector": "" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "2.7-dev" + } + }, + "autoload": { + "psr-4": { + "Symfony\\Component\\DomCrawler\\": "" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Fabien Potencier", + "email": "fabien@symfony.com" + }, + { + "name": "Symfony Community", + "homepage": "https://symfony.com/contributors" + } + ], + "description": "Symfony DomCrawler Component", + "homepage": "https://symfony.com", + "time": "2015-07-09 16:07:40" + }, + { + "name": "symfony/event-dispatcher", + "version": "v2.7.3", + "source": { + "type": "git", + "url": "https://github.com/symfony/EventDispatcher.git", + "reference": "9310b5f9a87ec2ea75d20fec0b0017c77c66dac3" + }, + "dist": { + "type": "zip", + "url": 
"https://api.github.com/repos/symfony/EventDispatcher/zipball/9310b5f9a87ec2ea75d20fec0b0017c77c66dac3", + "reference": "9310b5f9a87ec2ea75d20fec0b0017c77c66dac3", + "shasum": "" + }, + "require": { + "php": ">=5.3.9" + }, + "require-dev": { + "psr/log": "~1.0", + "symfony/config": "~2.0,>=2.0.5", + "symfony/dependency-injection": "~2.6", + "symfony/expression-language": "~2.6", + "symfony/phpunit-bridge": "~2.7", + "symfony/stopwatch": "~2.3" + }, + "suggest": { + "symfony/dependency-injection": "", + "symfony/http-kernel": "" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "2.7-dev" + } + }, + "autoload": { + "psr-4": { + "Symfony\\Component\\EventDispatcher\\": "" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Fabien Potencier", + "email": "fabien@symfony.com" + }, + { + "name": "Symfony Community", + "homepage": "https://symfony.com/contributors" + } + ], + "description": "Symfony EventDispatcher Component", + "homepage": "https://symfony.com", + "time": "2015-06-18 19:21:56" + }, + { + "name": "symfony/finder", + "version": "v2.7.3", + "source": { + "type": "git", + "url": "https://github.com/symfony/Finder.git", + "reference": "ae0f363277485094edc04c9f3cbe595b183b78e4" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/symfony/Finder/zipball/ae0f363277485094edc04c9f3cbe595b183b78e4", + "reference": "ae0f363277485094edc04c9f3cbe595b183b78e4", + "shasum": "" + }, + "require": { + "php": ">=5.3.9" + }, + "require-dev": { + "symfony/phpunit-bridge": "~2.7" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "2.7-dev" + } + }, + "autoload": { + "psr-4": { + "Symfony\\Component\\Finder\\": "" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Fabien Potencier", + "email": "fabien@symfony.com" + }, + { + "name": "Symfony Community", + "homepage": 
"https://symfony.com/contributors" + } + ], + "description": "Symfony Finder Component", + "homepage": "https://symfony.com", + "time": "2015-07-09 16:07:40" + }, + { + "name": "symfony/http-foundation", + "version": "v2.7.3", + "source": { + "type": "git", + "url": "https://github.com/symfony/HttpFoundation.git", + "reference": "863af6898081b34c65d42100c370b9f3c51b70ca" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/symfony/HttpFoundation/zipball/863af6898081b34c65d42100c370b9f3c51b70ca", + "reference": "863af6898081b34c65d42100c370b9f3c51b70ca", + "shasum": "" + }, + "require": { + "php": ">=5.3.9" + }, + "require-dev": { + "symfony/expression-language": "~2.4", + "symfony/phpunit-bridge": "~2.7" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "2.7-dev" + } + }, + "autoload": { + "psr-4": { + "Symfony\\Component\\HttpFoundation\\": "" + }, + "classmap": [ + "Resources/stubs" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Fabien Potencier", + "email": "fabien@symfony.com" + }, + { + "name": "Symfony Community", + "homepage": "https://symfony.com/contributors" + } + ], + "description": "Symfony HttpFoundation Component", + "homepage": "https://symfony.com", + "time": "2015-07-22 10:11:00" + }, + { + "name": "symfony/http-kernel", + "version": "v2.7.3", + "source": { + "type": "git", + "url": "https://github.com/symfony/HttpKernel.git", + "reference": "405d3e7a59ff7a28ec469441326a0ac79065ea98" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/symfony/HttpKernel/zipball/405d3e7a59ff7a28ec469441326a0ac79065ea98", + "reference": "405d3e7a59ff7a28ec469441326a0ac79065ea98", + "shasum": "" + }, + "require": { + "php": ">=5.3.9", + "psr/log": "~1.0", + "symfony/debug": "~2.6,>=2.6.2", + "symfony/event-dispatcher": "~2.6,>=2.6.7", + "symfony/http-foundation": "~2.5,>=2.5.4" + }, + "conflict": { + "symfony/config": "<2.7" + 
}, + "require-dev": { + "symfony/browser-kit": "~2.3", + "symfony/class-loader": "~2.1", + "symfony/config": "~2.7", + "symfony/console": "~2.3", + "symfony/css-selector": "~2.0,>=2.0.5", + "symfony/dependency-injection": "~2.2", + "symfony/dom-crawler": "~2.0,>=2.0.5", + "symfony/expression-language": "~2.4", + "symfony/finder": "~2.0,>=2.0.5", + "symfony/phpunit-bridge": "~2.7", + "symfony/process": "~2.0,>=2.0.5", + "symfony/routing": "~2.2", + "symfony/stopwatch": "~2.3", + "symfony/templating": "~2.2", + "symfony/translation": "~2.0,>=2.0.5", + "symfony/var-dumper": "~2.6" + }, + "suggest": { + "symfony/browser-kit": "", + "symfony/class-loader": "", + "symfony/config": "", + "symfony/console": "", + "symfony/dependency-injection": "", + "symfony/finder": "", + "symfony/var-dumper": "" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "2.7-dev" + } + }, + "autoload": { + "psr-4": { + "Symfony\\Component\\HttpKernel\\": "" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Fabien Potencier", + "email": "fabien@symfony.com" + }, + { + "name": "Symfony Community", + "homepage": "https://symfony.com/contributors" + } + ], + "description": "Symfony HttpKernel Component", + "homepage": "https://symfony.com", + "time": "2015-07-31 13:24:45" + }, + { + "name": "symfony/process", + "version": "v2.7.3", + "source": { + "type": "git", + "url": "https://github.com/symfony/Process.git", + "reference": "48aeb0e48600321c272955132d7606ab0a49adb3" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/symfony/Process/zipball/48aeb0e48600321c272955132d7606ab0a49adb3", + "reference": "48aeb0e48600321c272955132d7606ab0a49adb3", + "shasum": "" + }, + "require": { + "php": ">=5.3.9" + }, + "require-dev": { + "symfony/phpunit-bridge": "~2.7" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "2.7-dev" + } + }, + "autoload": { + "psr-4": { + 
"Symfony\\Component\\Process\\": "" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Fabien Potencier", + "email": "fabien@symfony.com" + }, + { + "name": "Symfony Community", + "homepage": "https://symfony.com/contributors" + } + ], + "description": "Symfony Process Component", + "homepage": "https://symfony.com", + "time": "2015-07-01 11:25:50" + }, + { + "name": "symfony/routing", + "version": "v2.7.3", + "source": { + "type": "git", + "url": "https://github.com/symfony/Routing.git", + "reference": "ea9134f277162b02e5f80ac058b75a77637b0d26" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/symfony/Routing/zipball/ea9134f277162b02e5f80ac058b75a77637b0d26", + "reference": "ea9134f277162b02e5f80ac058b75a77637b0d26", + "shasum": "" + }, + "require": { + "php": ">=5.3.9" + }, + "conflict": { + "symfony/config": "<2.7" + }, + "require-dev": { + "doctrine/annotations": "~1.0", + "doctrine/common": "~2.2", + "psr/log": "~1.0", + "symfony/config": "~2.7", + "symfony/expression-language": "~2.4", + "symfony/http-foundation": "~2.3", + "symfony/phpunit-bridge": "~2.7", + "symfony/yaml": "~2.0,>=2.0.5" + }, + "suggest": { + "doctrine/annotations": "For using the annotation loader", + "symfony/config": "For using the all-in-one router or any loader", + "symfony/expression-language": "For using expression matching", + "symfony/yaml": "For using the YAML loader" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "2.7-dev" + } + }, + "autoload": { + "psr-4": { + "Symfony\\Component\\Routing\\": "" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Fabien Potencier", + "email": "fabien@symfony.com" + }, + { + "name": "Symfony Community", + "homepage": "https://symfony.com/contributors" + } + ], + "description": "Symfony Routing Component", + "homepage": "https://symfony.com", + 
"keywords": [ + "router", + "routing", + "uri", + "url" + ], + "time": "2015-07-09 16:07:40" + }, + { + "name": "symfony/translation", + "version": "v2.7.3", + "source": { + "type": "git", + "url": "https://github.com/symfony/Translation.git", + "reference": "c8dc34cc936152c609cdd722af317e4239d10dd6" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/symfony/Translation/zipball/c8dc34cc936152c609cdd722af317e4239d10dd6", + "reference": "c8dc34cc936152c609cdd722af317e4239d10dd6", + "shasum": "" + }, + "require": { + "php": ">=5.3.9" + }, + "conflict": { + "symfony/config": "<2.7" + }, + "require-dev": { + "psr/log": "~1.0", + "symfony/config": "~2.7", + "symfony/intl": "~2.3", + "symfony/phpunit-bridge": "~2.7", + "symfony/yaml": "~2.2" + }, + "suggest": { + "psr/log": "To use logging capability in translator", + "symfony/config": "", + "symfony/yaml": "" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "2.7-dev" + } + }, + "autoload": { + "psr-4": { + "Symfony\\Component\\Translation\\": "" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Fabien Potencier", + "email": "fabien@symfony.com" + }, + { + "name": "Symfony Community", + "homepage": "https://symfony.com/contributors" + } + ], + "description": "Symfony Translation Component", + "homepage": "https://symfony.com", + "time": "2015-07-09 16:07:40" + }, + { + "name": "symfony/var-dumper", + "version": "v2.7.3", + "source": { + "type": "git", + "url": "https://github.com/symfony/var-dumper.git", + "reference": "e8903ebba5eb019f5886ffce739ea9e3b7519579" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/symfony/var-dumper/zipball/e8903ebba5eb019f5886ffce739ea9e3b7519579", + "reference": "e8903ebba5eb019f5886ffce739ea9e3b7519579", + "shasum": "" + }, + "require": { + "php": ">=5.3.9" + }, + "require-dev": { + "symfony/phpunit-bridge": "~2.7" + }, + "suggest": { + 
"ext-symfony_debug": "" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "2.7-dev" + } + }, + "autoload": { + "files": [ + "Resources/functions/dump.php" + ], + "psr-4": { + "Symfony\\Component\\VarDumper\\": "" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Nicolas Grekas", + "email": "p@tchwork.com" + }, + { + "name": "Symfony Community", + "homepage": "https://symfony.com/contributors" + } + ], + "description": "Symfony mechanism for exploring and dumping PHP variables", + "homepage": "https://symfony.com", + "keywords": [ + "debug", + "dump" + ], + "time": "2015-07-28 15:18:12" + }, + { + "name": "vlucas/phpdotenv", + "version": "v1.1.1", + "source": { + "type": "git", + "url": "https://github.com/vlucas/phpdotenv.git", + "reference": "0cac554ce06277e33ddf9f0b7ade4b8bbf2af3fa" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/vlucas/phpdotenv/zipball/0cac554ce06277e33ddf9f0b7ade4b8bbf2af3fa", + "reference": "0cac554ce06277e33ddf9f0b7ade4b8bbf2af3fa", + "shasum": "" + }, + "require": { + "php": ">=5.3.2" + }, + "require-dev": { + "phpunit/phpunit": "~4.0" + }, + "type": "library", + "autoload": { + "psr-0": { + "Dotenv": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "BSD" + ], + "authors": [ + { + "name": "Vance Lucas", + "email": "vance@vancelucas.com", + "homepage": "http://www.vancelucas.com" + } + ], + "description": "Loads environment variables from `.env` to `getenv()`, `$_ENV` and `$_SERVER` automagically.", + "homepage": "http://github.com/vlucas/phpdotenv", + "keywords": [ + "dotenv", + "env", + "environment" + ], + "time": "2015-05-30 15:59:26" + } + ], + "packages-dev": [], + "aliases": [], + "minimum-stability": "stable", + "stability-flags": [], + "prefer-stable": false, + "prefer-lowest": false, + "platform": [], + "platform-dev": [] +} 
diff --git a/dependency-check-core/src/main/resources/data/dbStatements.properties b/dependency-check-core/src/main/resources/data/dbStatements.properties
index 886e41ad5..6849503d1 100644
--- a/dependency-check-core/src/main/resources/data/dbStatements.properties
+++ b/dependency-check-core/src/main/resources/data/dbStatements.properties
@@ -1,16 +1,19 @@
-# Copyright 2015 OWASP.
+#
+# This file is part of dependency-check-core.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
-# http://www.apache.org/licenses/LICENSE-2.0
+# http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+#
+# Copyright (c) 2015 The OWASP Foundatio. All Rights Reserved.
 
 DELETE_REFERENCE=DELETE FROM reference WHERE cveid = ?
 DELETE_SOFTWARE=DELETE FROM software WHERE cveid = ?
diff --git a/dependency-check-core/src/main/resources/dependencycheck.properties b/dependency-check-core/src/main/resources/dependencycheck.properties
index ab178a0f3..9a45d8f3f 100644
--- a/dependency-check-core/src/main/resources/dependencycheck.properties
+++ b/dependency-check-core/src/main/resources/dependencycheck.properties
@@ -61,6 +61,7 @@ analyzer.archive.enabled=true
 analyzer.jar.enabled=true
 analyzer.nuspec.enabled=true
 analyzer.assembly.enabled=true
+analyzer.composer.lock.enabled=true
 
 # the URL for searching Nexus for SHA-1 hashes and whether it's enabled
 analyzer.nexus.enabled=true
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java
new file mode 100644
index 000000000..593f9b2c4
--- /dev/null
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java
@@ -0,0 +1,101 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2015 The OWASP Foundatio. All Rights Reserved. + */ +package org.owasp.dependencycheck.analyzer; + +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.owasp.dependencycheck.BaseTest; +import org.owasp.dependencycheck.Engine; +import org.owasp.dependencycheck.analyzer.exception.AnalysisException; +import org.owasp.dependencycheck.dependency.Confidence; +import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.dependency.Evidence; + +import java.io.File; + +import static org.hamcrest.CoreMatchers.containsString; +import static org.hamcrest.CoreMatchers.is; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertThat; +import static org.junit.Assert.assertTrue; + +/** + * Unit tests for NodePackageAnalyzer. + * + * @author Dale Visser + */ +public class ComposerLockAnalyzerTest extends BaseTest { + + /** + * The analyzer to test. + */ + ComposerLockAnalyzer analyzer; + + /** + * Correctly setup the analyzer for testing. + * + * @throws Exception thrown if there is a problem + */ + @Before + public void setUp() throws Exception { + analyzer = new ComposerLockAnalyzer(); + analyzer.setFilesMatched(true); + analyzer.initialize(); + } + + /** + * Cleanup the analyzer's temp files, etc. 
+ * + * @throws Exception thrown if there is a problem + */ + @After + public void tearDown() throws Exception { + analyzer.close(); + analyzer = null; + } + + /** + * Test of getName method, of class ComposerLockAnalyzer. + */ + @Test + public void testGetName() { + assertEquals("Composer.lock analyzer", analyzer.getName()); + } + + /** + * Test of supportsExtension method, of class ComposerLockAnalyzer. + */ + @Test + public void testSupportsFiles() { + assertTrue(analyzer.accept(new File("composer.lock"))); + } + + /** + * Test of inspect method, of class PythonDistributionAnalyzer. + * + * @throws AnalysisException is thrown when an exception occurs. + */ + @Test + public void testAnalyzePackageJson() throws Exception { + final Engine engine = new Engine(); + final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, + "composer.lock")); + analyzer.analyze(result, engine); + } +} diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/composer/ComposerLockParserTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/composer/ComposerLockParserTest.java new file mode 100644 index 000000000..444788659 --- /dev/null +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/composer/ComposerLockParserTest.java 
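Review bot: `testAnalyzePackageJson` makes no assertion after `analyzer.analyze(result, engine)`, so the analyzer could produce no evidence at all for the fixture's packages and this test would still pass — for a tool whose job is to surface known-vulnerable components, a silent empty result is exactly the failure mode a test should catch. The unused `Confidence`, `Evidence`, `assertThat` and `containsString` imports suggest the intended assertions were dropped; at minimum check that the product and version evidence collected on `result` is non-empty and contains a package the fixture is known to hold (the sibling parser test pins symfony/translation 2.7.3), and clean up the `Engine` the test creates if its API requires it (not visible here). The Javadoc is also copy-pasted from other tests: the class comment should read `Unit tests for ComposerLockAnalyzer.`, the last method's comment `Test of analyze method, of class ComposerLockAnalyzer.`, and the method itself is better named `testAnalyzeComposerLock`.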
@@ -0,0 +1,69 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 The OWASP Foundatio. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.composer;
+
+import org.junit.Before;
+import org.junit.Test;
+
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+import java.nio.charset.Charset;
+
+import static org.junit.Assert.*;
+
+/**
+ * Created by colezlaw on 9/5/15.
+ */
+public class ComposerLockParserTest {
+
+    private InputStream inputStream;
+
+    @Before
+    public void setUp() {
+        inputStream = this.getClass().getClassLoader().getResourceAsStream("composer.lock");
+    }
+
+    @Test
+    public void testValidComposerLock() {
+        ComposerLockParser clp = new ComposerLockParser(inputStream);
+        clp.process();
+        assertEquals(30, clp.getDependencies().size());
+        assertTrue(clp.getDependencies().contains(new ComposerDependency("symfony", "translation", "2.7.3")));
+    }
+
+    @Test(expected = ComposerException.class)
+    public void testNotJSON() throws Exception {
+        String input = "NOT VALID JSON";
+        ComposerLockParser clp = new ComposerLockParser(new ByteArrayInputStream(input.getBytes(Charset.defaultCharset())));
+        clp.process();
+    }
+
+    @Test(expected = ComposerException.class)
+    public void testNotComposer() throws Exception {
+        String input = "[\"ham\",\"eggs\"]";
+        ComposerLockParser clp = new ComposerLockParser(new ByteArrayInputStream(input.getBytes(Charset.defaultCharset())));
+        clp.process();
+    }
+
+    @Test(expected = ComposerException.class)
+    public void testNotPackagesArray() throws Exception {
+        String input = "{\"packages\":\"eleventy\"}";
+        ComposerLockParser clp = new ComposerLockParser(new ByteArrayInputStream(input.getBytes(Charset.defaultCharset())));
+        clp.process();
+    }
+}
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/CpeUpdaterIntegrationTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/CpeUpdaterIntegrationTest.java
index 66296edcf..1f9dcf89d 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/CpeUpdaterIntegrationTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/CpeUpdaterIntegrationTest.java
@@ -1,17 +1,19 @@
 /*
- * Copyright 2015 OWASP.
+ * This file is part of dependency-check-core.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
+ *
+ * Copyright (c) 2015 The OWASP Foundatio. All Rights Reserved.
  */
 
 package org.owasp.dependencycheck.data.update;
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/pom/ModelTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/pom/ModelTest.java
index c8127634a..d99ed4712 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/pom/ModelTest.java
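Review bot: The `inputStream` opened in `setUp` is never closed, and the three negative tests encode their JSON with `Charset.defaultCharset()` even though composer.lock is always UTF-8 — add an `@After` that closes the stream and use `input.getBytes(StandardCharsets.UTF_8)` so the tests do not depend on the JVM's platform encoding. The malformed-input cases (non-JSON, non-object, `packages` not an array) are the right shape for a parser fed repository-controlled data, but nothing covers a `packages` element that lacks `name` or `version`, nor the `packages-dev` section Composer also writes into the lock file. If the parser reads only `packages` (its source is not in this hunk), dev-only dependencies with known CVEs would be silently excluded from the scan; that deserves either a test pinning the intended behaviour or a documented limitation in the analyzer page.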
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/pom/ModelTest.java @@ -1,17 +1,19 @@ /* - * Copyright 2015 OWASP. + * This file is part of dependency-check-core. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. + * + * Copyright (c) 2015 The OWASP Foundatio. All Rights Reserved. */ package org.owasp.dependencycheck.xml.pom; diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/pom/PomUtilsTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/pom/PomUtilsTest.java index 85b22580a..67f047712 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/pom/PomUtilsTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/pom/PomUtilsTest.java 
@@ -1,17 +1,19 @@ /* - * Copyright 2015 OWASP. + * This file is part of dependency-check-core. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. + * + * Copyright (c) 2015 The OWASP Foundatio. All Rights Reserved. */ package org.owasp.dependencycheck.xml.pom; diff --git a/dependency-check-gradle/README.md b/dependency-check-gradle/README.md index 6c931ecf1..a1d37491e 100644 --- a/dependency-check-gradle/README.md +++ b/dependency-check-gradle/README.md @@ -10,9 +10,7 @@ Dependency-Check is a utility that attempts to detect publicly disclosed vulnera ========= ## What's New -Current latest version is `0.0.7` -- Implement nested configuration for proxy settings -- Bug fix: Remove duplicated configuration items +Current latest version is `0.0.8` ## Usage @@ -26,11 +24,11 @@ buildscript { mavenCentral() } dependencies { - classpath 'com.thoughtworks.tools:dependency-check:0.0.7' + classpath 'com.thoughtworks.tools:dependency-check:0.0.8' } } -apply plugin: 'dependency.check' +apply plugin: 'dependency-check' ``` ### Step 2, Run gradle task @@ -38,7 +36,7 @@ apply plugin: 'dependency.check' Once gradle plugin applied, run following gradle task to check dependencies: ``` -gradle dependencyCheck +gradle dependencyCheck --info ``` The reports will be generated automatically under `./reports` folder. 
@@ -93,7 +91,7 @@ buildscript { mavenCentral() } dependencies { - classpath "gradle.plugin.com.tools.security:dependency-check:0.0.7" + classpath "gradle.plugin.com.tools.security:dependency-check:0.0.8" } } @@ -110,7 +108,7 @@ buildscript { mavenCentral() } dependencies { - classpath "gradle.plugin.com.tools.security:dependency-check:0.0.7" + classpath "gradle.plugin.com.tools.security:dependency-check:0.0.8" } } diff --git a/dependency-check-gradle/build.gradle b/dependency-check-gradle/build.gradle index aaaf3813c..1bf6714bc 100644 --- a/dependency-check-gradle/build.gradle +++ b/dependency-check-gradle/build.gradle @@ -49,8 +49,8 @@ dependencies { compile( localGroovy(), gradleApi(), - 'org.owasp:dependency-check-core:1.3.0', - 'org.owasp:dependency-check-utils:1.3.0' + 'org.owasp:dependency-check-core:1.3.1', + 'org.owasp:dependency-check-utils:1.3.1' ) testCompile ('com.netflix.nebula:nebula-test:2.2.2'){ @@ -76,11 +76,11 @@ task integTest(type: Test) { } group = 'com.thoughtworks.tools' -version = '0.0.7' +version = '0.0.8' targetCompatibility = 1.7 apply from: 'conf/publish/local.gradle' //apply from: 'conf/publish/maven.gradle' -apply from: 'conf/publish/gradlePluginsPortal.gradle' +//apply from: 'conf/publish/gradlePluginsPortal.gradle' //apply from: 'conf/publish/bintray.gradle' // according to the documentation of plugindev, this line has to be placed and the very end of the build file \ No newline at end of file diff --git a/dependency-check-gradle/pom.xml b/dependency-check-gradle/pom.xml index 372562a66..17b65e0a7 100644 --- a/dependency-check-gradle/pom.xml +++ b/dependency-check-gradle/pom.xml @@ -22,7 +22,7 @@ Copyright (c) 2015 Wei Ma. All Rights Reserved. org.owasp dependency-check-parent - 1.3.1-SNAPSHOT + 1.3.1 dependency-check-gradle 
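Review bot: Commenting out `apply from: 'conf/publish/gradlePluginsPortal.gradle'` turns off publishing to the Gradle plugin portal in the same commit whose README tells users to resolve `gradle.plugin.com.tools.security:dependency-check:0.0.8` from that portal; unless 0.0.8 is pushed some other way, users following the README will either fail to resolve it or stay pinned to 0.0.7 with core 1.3.0. If disabling the portal publish is deliberate, record why next to the line, e.g. `// portal publish disabled for 0.0.8: <reason>`, and keep the README coordinates in step with whatever repository actually receives the release. The plugin also now compiles against the released `org.owasp:dependency-check-core:1.3.1` coordinate rather than the sibling module, so this build presumably only succeeds once 1.3.1 is on Maven Central — worth stating in the README's build notes.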
@@ -39,7 +39,7 @@ Copyright (c) 2015 Wei Ma. All Rights Reserved. github-pages-site Deployment through GitHub's site deployment plugin - ${basedir}/../target/site/${project.version}/dependency-check-gradle + ${basedir}/../target/site/dependency-check-gradle diff --git a/dependency-check-jenkins/pom.xml b/dependency-check-jenkins/pom.xml index e8020175e..8a013f002 100644 --- a/dependency-check-jenkins/pom.xml +++ b/dependency-check-jenkins/pom.xml @@ -3,7 +3,7 @@ org.owasp dependency-check-parent - 1.3.1-SNAPSHOT + 1.3.1 dependency-check-jenkins Dependency-Check Jenkins Plugin diff --git a/dependency-check-maven/pom.xml b/dependency-check-maven/pom.xml index 5634ff81e..b18d81a04 100644 --- a/dependency-check-maven/pom.xml +++ b/dependency-check-maven/pom.xml @@ -22,7 +22,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.3.1-SNAPSHOT + 1.3.1 dependency-check-maven diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerAdapter.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerAdapter.java index 6f2b9054f..f1ab7b953 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerAdapter.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerAdapter.java @@ -28,11 +28,6 @@ import org.slf4j.helpers.MessageFormatter; */ public class MavenLoggerAdapter extends MarkerIgnoringBase { - /** - * The serial version UID for serialization. - */ - private static final long serialVersionUID = 1L; - /** * A reference to the Maven log. */ diff --git a/dependency-check-utils/pom.xml b/dependency-check-utils/pom.xml index 05a26506d..4e1f1ce52 100644 --- a/dependency-check-utils/pom.xml +++ b/dependency-check-utils/pom.xml @@ -21,7 +21,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.3.1-SNAPSHOT + 1.3.1 dependency-check-utils 
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java index 5c4c9a739..5edec7187 100644 --- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java +++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java @@ -185,6 +185,14 @@ public final class Settings { * The properties key for whether the Archive analyzer is enabled. */ public static final String ANALYZER_ARCHIVE_ENABLED = "analyzer.archive.enabled"; + /** + * The properties key for whether the node.js package analyzer is enabled. + */ + public static final String ANALYZER_NODE_PACKAGE_ENABLED = "analyzer.node.package.enabled"; + /** + * The properties key for whether the composer lock file analyzer is enabled. + */ + public static final String ANALYZER_COMPOSER_LOCK_ENABLED = "analyzer.composer.lock.enabled"; /** * The properties key for whether the Python Distribution analyzer is enabled. */ @@ -217,18 +225,10 @@ public final class Settings { * The properties key for whether the .NET Nuspec analyzer is enabled. */ public static final String ANALYZER_NUSPEC_ENABLED = "analyzer.nuspec.enabled"; - /** - * The properties key for whether the JavaScript analyzer is enabled. - */ - public static final String ANALYZER_JAVASCRIPT_ENABLED = "analyzer.javascript.enabled"; /** * The properties key for whether the Nexus analyzer is enabled. */ public static final String ANALYZER_NEXUS_ENABLED = "analyzer.nexus.enabled"; - /** - * The properties key for whether the node.js package analyzer is enabled. - */ - public static final String ANALYZER_NODE_PACKAGE_ENABLED = "analyzer.node.package.enabled"; /** * The properties key for the Nexus search URL. */ diff --git a/pom.xml b/pom.xml index 58a411ce8..e6ea7a499 100644 --- a/pom.xml +++ b/pom.xml 
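Review bot: Dropping the public constant `ANALYZER_JAVASCRIPT_ENABLED` from the public final `Settings` class in the second hunk is a source- and binary-incompatible change for any integration compiled against 1.3.0 (the Gradle plugin in this same commit moves to core 1.3.1, and external consumers may still reference it). If the `analyzer.javascript.enabled` key is dead, keep the constant for one release marked for removal, e.g. `@Deprecated public static final String ANALYZER_JAVASCRIPT_ENABLED = "analyzer.javascript.enabled";`, so callers get a warning instead of a `NoSuchFieldError`. Users who set that key in a properties file will now have it silently ignored rather than rejected, which should at least be called out in the release notes; moving `ANALYZER_NODE_PACKAGE_ENABLED` next to the new `ANALYZER_COMPOSER_LOCK_ENABLED` is fine as is.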
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long org.owasp dependency-check-parent - 1.3.1-SNAPSHOT + 1.3.1 pom diff --git a/src/site/markdown/analyzers/composer-lock.md b/src/site/markdown/analyzers/composer-lock.md new file mode 100644 index 000000000..64c88808d --- /dev/null +++ b/src/site/markdown/analyzers/composer-lock.md @@ -0,0 +1,7 @@ +Composer Lock Analyzer +============== + +OWASP dependency-check includes an analyzer that scans composer.lock files to get exact dependency +version information from PHP projects which are managed with [Composer](http://getcomposer.org/). +If you're using Composer to manage your project, this will only analyze the `composer.lock` file +currently, so you'll need to run `composer install` to have Composer generate this file. diff --git a/src/site/markdown/analyzers/index.md b/src/site/markdown/analyzers/index.md index b2384f102..a4ffedb4b 100644 --- a/src/site/markdown/analyzers/index.md +++ b/src/site/markdown/analyzers/index.md 
@@ -10,6 +10,7 @@ to extract identification information from the files analyzed. | [Autoconf](./autoconf.html) | Autoconf project configuration files (configure, configure.in, configure.ac) | [Regex](https://en.wikipedia.org/wiki/Regular_expression) scan for AC_INIT metadata, including in generated configuration script. | | [Central](./central-analyzer.html) | Java archive files (\*.jar) | Searches Maven Central or a configured Nexus repository for the file's SHA1 hash. | | [CMake](./cmake.html) | CMake project files (CMakeLists.txt) and scripts (\*.cmake) | Regex scan for project initialization and version setting commands. | +| [Composer Lock](./composer-lock.html) | PHP [Composer](http://getcomposer.org) Lock files (composer.lock) | Parses PHP [Composer](http://getcomposer.org) lock files for exact versions of dependencies. | | [Jar](./jar-analyzer.html) | Java archive files (\*.jar); Web application archive (\*.war) | Examines archive manifest metadata, and Maven Project Object Model files (pom.xml). | | [Nexus](./nexus-analyzer.html) | Java archive files (\*.jar) | Searches Sonatype or a configured Nexus repository for the file's SHA1 hash. In most cases, superceded by Central . | | [Node.js](./nodejs.html) | NPM package specification files (package.json) | Parse JSON format for metadata. | diff --git a/src/site/markdown/analyzers/nodejs.md b/src/site/markdown/analyzers/nodejs.md index 103a0354f..3920ba7bb 100644 --- a/src/site/markdown/analyzers/nodejs.md +++ b/src/site/markdown/analyzers/nodejs.md 
@@ -8,7 +8,8 @@ as evidence and is grouped into vendor, product, and version buckets. Other analyzers later use this evidence to identify any Common Platform Enumeration (CPE) identifiers that apply. -__Note:__ Also consider using the Node Security Project auditing tool, -[nsp](https://nodesecurity.io/tools). +Note:_Consider using [Retire.js](http://retirejs.github.io/retire.js/) or the +Node Security Project auditing tool, [nsp](https://nodesecurity.io/tools) instead +of, or in addition to OWASP dependency-check to analyze Node.js packages. Files Types Scanned: [package.json](https://docs.npmjs.com/files/package.json) diff --git a/src/site/markdown/analyzers/ruby-gemspec.md b/src/site/markdown/analyzers/ruby-gemspec.md index ece5d3bb8..04116f442 100644 --- a/src/site/markdown/analyzers/ruby-gemspec.md +++ b/src/site/markdown/analyzers/ruby-gemspec.md @@ -9,7 +9,7 @@ into vendor, product, and version buckets. Other analyzers later use this evidence to identify any Common Platform Enumeration (CPE) identifiers that apply. -__Note:__ Also consider using the Ruby -[bundler-audit](https://github.com/rubysec/bundler-audit#readme) tool. +Note: It is highly recommended that Ruby projects use +[bundler-audit](https://github.com/rubysec/bundler-audit#readme). Files Types Scanned: Rakefile, \*.gemspec \ No newline at end of file diff --git a/src/site/markdown/index.md b/src/site/markdown/index.md index ac5e186e8..fb1931477 100644 --- a/src/site/markdown/index.md +++ b/src/site/markdown/index.md 
@@ -2,11 +2,11 @@ About ==================== OWASP dependency-check is an open source solution the OWASP Top 10 2013 entry: [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities). -Dependency-check can currently be used to scan Java, .NET, Python, Ruby and +Dependency-check can currently be used to scan Java, .NET, Python, Ruby (gemspec), PHP (composer), and Node.js applications (and their dependent libraries) to identify known vulnerable components. In addition, Dependency-check can be used to scan some -source code, including OpenSSL source code and source code for projects that -use [Autoconf](https://www.gnu.org/software/autoconf/) or +source code, including OpenSSL source code and projects that use +[Autoconf](https://www.gnu.org/software/autoconf/) or [CMake](http://www.cmake.org/overview/). The problem with using known vulnerable components was covered in a paper by