github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-03 22:50:27 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'upmaster' into openssl-source-analyzer

Browse Source 
Conflicts:
	dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java

Former-commit-id: 6d92982227ad0ff7c4381d03eb1bf542dfe7697f
This commit is contained in:
Dale Visser
2015-07-09 16:14:54 -04:00
parent a3ad598004 b227cf890b
commit e5fdda60fc
90 changed files with 2301 additions and 13037 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
README.md
View File

@@ -26,6 +26,12 @@ On Windows
> bin/dependency-check.bat -h
> bin/dependency-check.bat --app Testing --out . --scan [path to jar files to be scanned]
```
On Mac with [Homebrew](http://brew.sh)
```
$ brew update && brew install dependency-check
$ dependency-check -h
$ dependency-check --app Testing --out . --scan [path to jar files to be scanned]
```
### Maven Plugin

20
dependency-check-ant/pom.xml
View File

@@ -276,7 +276,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>2.7</version>
<version>${reporting.project-info-reports-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
@@ -290,7 +290,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.9.1</version>
<version>${reporting.javadoc-plugin.version}</version>
<configuration>
<failOnError>false</failOnError>
<bottom>Copyright© 2012-15 Jeremy Long. All Rights Reserved.</bottom>
@@ -307,7 +307,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>2.1</version>
<version>${reporting.versions-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
@@ -320,17 +320,17 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>2.4</version>
<version>${reporting.jxr-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>2.6</version>
<version>${reporting.cobertura-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>2.16</version>
<version>${reporting.surefire-report-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
@@ -342,7 +342,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
<version>2.4</version>
<version>${reporting.taglist-plugin.version}</version>
<configuration>
<tagListOptions>
<tagClasses>
@@ -366,7 +366,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
<version>2.11</version>
<version>${reporting.checkstyle-plugin.version}</version>
<configuration>
<enableRulesSummary>false</enableRulesSummary>
<enableFilesSummary>false</enableFilesSummary>
@@ -379,7 +379,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<version>3.0.1</version>
<version>${reporting.pmd-plugin.version}</version>
<configuration>
<targetJdk>1.6</targetJdk>
<linkXref>true</linkXref>
@@ -398,7 +398,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>2.5.3</version>
<version>${reporting.findbugs-plugin.version}</version>
</plugin>
</plugins>
</reporting>

28
dependency-check-ant/src/site/markdown/configuration.md
View File

@@ -23,20 +23,20 @@ Configuration
====================
The following properties can be set on the dependency-check-maven plugin.
Property | Description | Default Value
---------------------|------------------------------------|------------------
autoUpdate | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true
updateOnly | If set to true only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated. | false
externalReport | When using as a Site plugin this parameter sets whether or not the external report format should be used. | false
outputDirectory | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build | 'target'
failBuildOnCVSS | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. | 11
format | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
suppressionFile | The file path to the XML suppression file \- used to suppress [false positives](../suppression.html) | &nbsp;
proxyServer | The Proxy Server. | &nbsp;
proxyPort | The Proxy Port. | &nbsp;
proxyUsername | Defines the proxy user name. | &nbsp;
proxyPassword | Defines the proxy password. | &nbsp;
connectionTimeout | The URL Connection Timeout. | &nbsp;
Property | Description | Default Value
----------------------|------------------------------------|------------------
autoUpdate | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true
updateOnly | If set to true only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated. | false
externalReport | When using as a Site plugin this parameter sets whether or not the external report format should be used. | false
reportOutputDirectory | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build | 'target'
failBuildOnCVSS | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. | 11
reportFormat | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
suppressionFile | The file path to the XML suppression file \- used to suppress [false positives](../suppression.html) | &nbsp;
proxyServer | The Proxy Server. | &nbsp;
proxyPort | The Proxy Port. | &nbsp;
proxyUsername | Defines the proxy user name. | &nbsp;
proxyPassword | Defines the proxy password. | &nbsp;
connectionTimeout | The URL Connection Timeout. | &nbsp;
Analyzer Configuration
====================

20
dependency-check-cli/pom.xml
View File

@@ -181,7 +181,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>2.7</version>
<version>${reporting.project-info-reports-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
@@ -195,7 +195,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.9.1</version>
<version>${reporting.javadoc-plugin.version}</version>
<configuration>
<failOnError>false</failOnError>
<bottom>Copyright<EFBFBD> 2012-15 Jeremy Long. All Rights Reserved.</bottom>
@@ -212,7 +212,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>2.1</version>
<version>${reporting.versions-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
@@ -225,17 +225,17 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>2.4</version>
<version>${reporting.jxr-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>2.6</version>
<version>${reporting.cobertura-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>2.16</version>
<version>${reporting.surefire-report-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
@@ -247,7 +247,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
<version>2.4</version>
<version>${reporting.taglist-plugin.version}</version>
<configuration>
<tagListOptions>
<tagClasses>
@@ -271,7 +271,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
<version>2.11</version>
<version>${reporting.checkstyle-plugin.version}</version>
<configuration>
<enableRulesSummary>false</enableRulesSummary>
<enableFilesSummary>false</enableFilesSummary>
@@ -284,7 +284,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<version>3.1</version>
<version>${reporting.pmd-plugin.version}</version>
<configuration>
<targetJdk>1.6</targetJdk>
<linkXref>true</linkXref>
@@ -303,7 +303,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>2.5.3</version>
<version>${reporting.findbugs-plugin.version}</version>
</plugin>
</plugins>
</reporting>

20
dependency-check-core/pom.xml
View File

@@ -226,7 +226,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>2.7</version>
<version>${reporting.project-info-reports-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
@@ -240,7 +240,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.9.1</version>
<version>${reporting.javadoc-plugin.version}</version>
<configuration>
<failOnError>false</failOnError>
<bottom>Copyright© 2012-15 Jeremy Long. All Rights Reserved.</bottom>
@@ -257,7 +257,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>2.1</version>
<version>${reporting.versions-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
@@ -270,17 +270,17 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>2.4</version>
<version>${reporting.jxr-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>2.6</version>
<version>${reporting.cobertura-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>2.16</version>
<version>${reporting.surefire-report-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
@@ -299,7 +299,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
<version>2.4</version>
<version>${reporting.taglist-plugin.version}</version>
<configuration>
<tagListOptions>
<tagClasses>
@@ -323,7 +323,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
<version>2.11</version>
<version>${reporting.checkstyle-plugin.version}</version>
<configuration>
<enableRulesSummary>false</enableRulesSummary>
<enableFilesSummary>false</enableFilesSummary>
@@ -336,7 +336,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<version>3.1</version>
<version>${reporting.pmd-plugin.version}</version>
<configuration>
<targetJdk>1.6</targetJdk>
<linkXref>true</linkXref>
@@ -355,7 +355,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>2.5.3</version>
<version>${reporting.findbugs-plugin.version}</version>
</plugin>
</plugins>
</reporting>

21
dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
View File

@@ -37,6 +37,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.File;
import java.io.FileFilter;
import java.util.ArrayList;
import java.util.EnumMap;
import java.util.HashSet;
@@ -50,7 +51,7 @@ import java.util.Set;
*
* @author Jeremy Long
*/
public class Engine {
public class Engine implements FileFilter {
/**
* The list of dependencies.
@@ -317,7 +318,7 @@ public class Engine {
extension = fileName;
}
Dependency dependency = null;
if (supportsExtension(extension)) {
if (accept(file)) {
dependency = new Dependency(file);
if (extension.equals(fileName)) {
dependency.setFileExtension(extension);
@@ -330,8 +331,8 @@ public class Engine {
/**
* Runs the analyzers against all of the dependencies. Since the mutable dependencies list is exposed via
* {@link #getDependencies()}, this method iterates over a copy of the dependencies list. Thus, the potential for
* {@link java.util.ConcurrentModificationException}s is avoided, and analyzers may safely add or remove entries
* from the dependencies list.
* {@link java.util.ConcurrentModificationException}s is avoided, and analyzers may safely add or remove entries from the
* dependencies list.
*/
public void analyzeDependencies() {
boolean autoUpdate = true;
@@ -379,7 +380,7 @@ public class Engine {
boolean shouldAnalyze = true;
if (a instanceof FileTypeAnalyzer) {
final FileTypeAnalyzer fAnalyzer = (FileTypeAnalyzer) a;
shouldAnalyze = fAnalyzer.supportsExtension(d.getFileExtension());
shouldAnalyze = fAnalyzer.accept(d.getActualFile());
}
if (shouldAnalyze) {
LOGGER.debug("Begin Analysis of '{}'", d.getActualFilePath());
@@ -482,18 +483,18 @@ public class Engine {
/**
* Checks all analyzers to see if an extension is supported.
*
* @param ext a file extension
* @param file a file extension
* @return true or false depending on whether or not the file extension is supported
*/
public boolean supportsExtension(String ext) {
if (ext == null) {
public boolean accept(File file) {
if (file == null) {
return false;
}
boolean scan = false;
for (FileTypeAnalyzer a : this.fileTypeAnalyzers) {
/* note, we can't break early on this loop as the analyzers need to know if
they have files to work on prior to initialization */
scan |= a.supportsExtension(ext);
scan |= a.accept(file);
}
return scan;
}
@@ -510,7 +511,7 @@ public class Engine {
/**
* Checks the CPE Index to ensure documents exists. If none exist a NoDataException is thrown.
*
* @throws NoDataException thrown if no data exists in the CPE Index
* @throws NoDataException thrown if no data exists in the CPE Index
* @throws DatabaseException thrown if there is an exception opening the database
*/
private void ensureDataExists() throws NoDataException, DatabaseException {

7
dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java
View File

@@ -872,7 +872,7 @@ public class DependencyCheckScanAgent {
r.generateReports(outDirectory.getCanonicalPath(), this.reportFormat.name());
} catch (IOException ex) {
LOGGER.error(
"Unexpected exception occurred during analysis; please see the verbose error log for more details.");
"Unexpected exception occurred during analysis; please see the verbose error log for more details.");
LOGGER.debug("", ex);
} catch (Throwable ex) {
LOGGER.error(
@@ -1058,8 +1058,9 @@ public class DependencyCheckScanAgent {
}
}
if (summary.length() > 0) {
LOGGER.warn("\n\nOne or more dependencies were identified with known vulnerabilities:\n\n{}\n\nSee the dependency-check report for more details.\n\n",
summary.toString());
LOGGER.warn("\n\nOne or more dependencies were identified with known vulnerabilities:\n\n{}\n\n"
+ "See the dependency-check report for more details.\n\n",
summary.toString());
}
}

77
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java
View File

@@ -17,9 +17,6 @@
*/
package org.owasp.dependencycheck.analyzer;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Dependency;
@@ -28,6 +25,12 @@ import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.File;
import java.io.FileFilter;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
/**
* The base FileTypeAnalyzer that all analyzers that have specific file types they analyze should extend.
*
@@ -37,8 +40,7 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
//<editor-fold defaultstate="collapsed" desc="Constructor">
/**
* Base constructor that all children must call. This checks the configuration to determine if the analyzer is
* enabled.
* Base constructor that all children must call. This checks the configuration to determine if the analyzer is enabled.
*/
public AbstractFileTypeAnalyzer() {
reset();
@@ -100,19 +102,16 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
//<editor-fold defaultstate="collapsed" desc="Abstract methods children must implement">
/**
* <p>
* Returns a list of supported file extensions. An example would be an analyzer that inspected java jar files. The
* getSupportedExtensions function would return a set with a single element "jar".</p>
* Returns the {@link java.io.FileFilter} used to determine which files are to be analyzed. An example would be an analyzer
* that inspected Java jar files. Implementors may use {@link org.owasp.dependencycheck.utils.FileFilterBuilder}.</p>
*
* @return the file filter used to determine which files are to be analyzed
* <p/>
* <p>
* <b>Note:</b> when implementing this the extensions returned MUST be lowercase.</p>
*
* @return The file extensions supported by this analyzer.
*
* <p>
* If the analyzer returns null it will not cause additional files to be analyzed but will be executed against every
* file loaded</p>
* If the analyzer returns null it will not cause additional files to be analyzed, but will be executed against every file
* loaded.</p>
*/
protected abstract Set<String> getSupportedExtensions();
protected abstract FileFilter getFileFilter();
/**
* Initializes the file type analyzer.
@@ -122,8 +121,8 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
protected abstract void initializeFileTypeAnalyzer() throws Exception;
/**
* Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted,
* scanned, and added to the list of dependencies within the engine.
* Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted, scanned,
* and added to the list of dependencies within the engine.
*
* @param dependency the dependency to analyze
* @param engine the engine scanning
@@ -171,8 +170,8 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
}
/**
* Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted,
* scanned, and added to the list of dependencies within the engine.
* Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted, scanned,
* and added to the list of dependencies within the engine.
*
* @param dependency the dependency to analyze
* @param engine the engine scanning
@@ -185,38 +184,28 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
}
}
/**
* Returns whether or not this analyzer can process the given extension.
*
* @param extension the file extension to test for support.
* @return whether or not the specified file extension is supported by this analyzer.
*/
@Override
public final boolean supportsExtension(String extension) {
if (!enabled) {
return false;
}
final Set<String> ext = getSupportedExtensions();
if (ext == null) {
LOGGER.error("The '{}' analyzer is misconfigured and does not have any file extensions;"
+ " it will be disabled", getName());
return false;
} else {
final boolean match = ext.contains(extension);
if (match) {
filesMatched = match;
public boolean accept(File pathname) {
final FileFilter filter = getFileFilter();
boolean accepted = false;
if (null == filter) {
LOGGER.error("The '{}' analyzer is misconfigured and does not have a file filter; it will be disabled", getName());
} else if (enabled) {
accepted = filter.accept(pathname);
if (accepted) {
filesMatched = true;
}
return match;
}
return accepted;
}
//</editor-fold>
//</editor-fold>
//<editor-fold defaultstate="collapsed" desc="Static utility methods">
/**
* <p>
* Utility method to help in the creation of the extensions set. This constructs a new Set that can be used in a
* final static declaration.</p>
*
* Utility method to help in the creation of the extensions set. This constructs a new Set that can be used in a final static
* declaration.</p>
* <p/>
* <p>
* This implementation was copied from
* http://stackoverflow.com/questions/2041778/initialize-java-hashset-values-by-construction</p>
@@ -226,9 +215,9 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
*/
protected static Set<String> newHashSet(String... strings) {
final Set<String> set = new HashSet<String>();
Collections.addAll(set, strings);
return set;
}
//</editor-fold>
}

39
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
View File

@@ -20,6 +20,7 @@ package org.owasp.dependencycheck.analyzer;
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileFilter;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
@@ -31,6 +32,7 @@ import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.apache.commons.compress.archivers.ArchiveEntry;
import org.apache.commons.compress.archivers.ArchiveInputStream;
import org.apache.commons.compress.archivers.tar.TarArchiveInputStream;
@@ -44,6 +46,7 @@ import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.analyzer.exception.ArchiveExtractionException;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.utils.FileFilterBuilder;
import org.owasp.dependencycheck.utils.FileUtils;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
@@ -51,8 +54,8 @@ import org.slf4j.LoggerFactory;
/**
* <p>
* An analyzer that extracts files from archives and ensures any supported files contained within the archive are added
* to the dependency list.</p>
* An analyzer that extracts files from archives and ensures any supported files contained within the archive are added to the
* dependency list.</p>
*
* @author Jeremy Long
*/
@@ -97,8 +100,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
*/
private static final Set<String> ZIPPABLES = newHashSet("zip", "ear", "war", "jar", "sar", "apk", "nupkg");
/**
* The set of file extensions supported by this analyzer. Note for developers, any additions to this list will need
* to be explicitly handled in extractFiles().
* The set of file extensions supported by this analyzer. Note for developers, any additions to this list will need to be
* explicitly handled in extractFiles().
*/
private static final Set<String> EXTENSIONS = newHashSet("tar", "gz", "tgz");
@@ -116,14 +119,11 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
EXTENSIONS.addAll(ZIPPABLES);
}
/**
* Returns a list of file EXTENSIONS supported by this analyzer.
*
* @return a list of file EXTENSIONS supported by this analyzer.
*/
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build();
@Override
public Set<String> getSupportedExtensions() {
return EXTENSIONS;
protected FileFilter getFileFilter() {
return FILTER;
}
/**
@@ -193,8 +193,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
* Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted,
* scanned, and added to the list of dependencies within the engine.
* Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted, scanned,
* and added to the list of dependencies within the engine.
*
* @param dependency the dependency to analyze
* @param engine the engine scanning
@@ -229,14 +229,14 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
//TODO - can we get more evidence from the parent? EAR contains module name, etc.
//analyze the dependency (i.e. extract files) if it is a supported type.
if (this.supportsExtension(d.getFileExtension()) && scanDepth < MAX_SCAN_DEPTH) {
if (this.accept(d.getActualFile()) && scanDepth < MAX_SCAN_DEPTH) {
scanDepth += 1;
analyze(d, engine);
scanDepth -= 1;
}
}
}
if (this.REMOVE_FROM_ANALYSIS.contains(dependency.getFileExtension())) {
if (REMOVE_FROM_ANALYSIS.contains(dependency.getFileExtension())) {
if ("zip".equals(dependency.getFileExtension()) && isZipFileActuallyJarFile(dependency)) {
final File tdir = getNextTempDirectory();
final String fileName = dependency.getFileName();
@@ -320,9 +320,9 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
extractArchive(new TarArchiveInputStream(new BufferedInputStream(fis)), destination, engine);
} else if ("gz".equals(archiveExt) || "tgz".equals(archiveExt)) {
final String uncompressedName = GzipUtils.getUncompressedFilename(archive.getName());
final String uncompressedExt = FileUtils.getFileExtension(uncompressedName).toLowerCase();
if (engine.supportsExtension(uncompressedExt)) {
decompressFile(new GzipCompressorInputStream(new BufferedInputStream(fis)), new File(destination, uncompressedName));
File f = new File(destination, uncompressedName);
if (engine.accept(f)) {
decompressFile(new GzipCompressorInputStream(new BufferedInputStream(fis)), f);
}
}
} catch (ArchiveExtractionException ex) {
@@ -362,8 +362,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
}
} else {
final File file = new File(destination, entry.getName());
final String ext = FileUtils.getFileExtension(file.getName());
if (engine.supportsExtension(ext)) {
if (engine.accept(file)) {
LOGGER.debug("Extracting '{}'", file.getPath());
BufferedOutputStream bos = null;
FileOutputStream fos = null;

50
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
View File

@@ -17,36 +17,37 @@
*/
package org.owasp.dependencycheck.analyzer;
import ch.qos.cal10n.IMessageConveyor;
import ch.qos.cal10n.MessageConveyor;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileFilter;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import ch.qos.cal10n.IMessageConveyor;
import ch.qos.cal10n.MessageConveyor;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
import org.owasp.dependencycheck.utils.DCResources;
import org.owasp.dependencycheck.utils.FileFilterBuilder;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.cal10n.LocLogger;
import org.slf4j.cal10n.LocLoggerFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
/**
* Analyzer for getting company, product, and version information from a .NET assembly.
*
@@ -66,7 +67,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
/**
* The list of supported extensions
*/
private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("dll", "exe");
private static final String[] SUPPORTED_EXTENSIONS = {"dll", "exe"};
/**
* The temp value for GrokAssembly.exe
*/
@@ -78,15 +79,15 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
/**
* Message Conveyer
*/
private final IMessageConveyor MESSAGE_CONVERYOR = new MessageConveyor(Locale.getDefault());
private static final IMessageConveyor MESSAGE_CONVERYOR = new MessageConveyor(Locale.getDefault());
/**
* LocLoggerFactory for localized logger
*/
private final LocLoggerFactory LLFACTORY = new LocLoggerFactory(MESSAGE_CONVERYOR);
private static final LocLoggerFactory LLFACTORY = new LocLoggerFactory(MESSAGE_CONVERYOR);
/**
* Logger
*/
private final LocLogger LOGGER = LLFACTORY.getLocLogger(AssemblyAnalyzer.class);
private static final LocLogger LOGGER = LLFACTORY.getLocLogger(AssemblyAnalyzer.class);
/**
* Builds the beginnings of a List for ProcessBuilder
@@ -284,6 +285,11 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
}
/**
* Removes resources used from the local file system.
*
* @throws Exception thrown if there is a problem closing the analyzer
*/
@Override
public void close() throws Exception {
super.close();
@@ -296,14 +302,12 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
}
}
/**
* Gets the set of extensions supported by this analyzer.
*
* @return the list of supported extensions
*/
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(
SUPPORTED_EXTENSIONS).build();
@Override
public Set<String> getSupportedExtensions() {
return SUPPORTED_EXTENSIONS;
protected FileFilter getFileFilter() {
return FILTER;
}
/**

35
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java
View File

@@ -17,23 +17,24 @@
*/
package org.owasp.dependencycheck.analyzer;
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.commons.io.FileUtils;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.EvidenceCollection;
import org.owasp.dependencycheck.utils.FileFilterBuilder;
import org.owasp.dependencycheck.utils.Settings;
import org.owasp.dependencycheck.utils.UrlStringUtils;
import java.io.File;
import java.io.FileFilter;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
/**
* Used to analyze Autoconf input files named configure.ac or configure.in. Files simply named "configure" are also analyzed,
* assuming they are generated by Autoconf, and contain certain special package descriptor variables.
@@ -71,8 +72,7 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
/**
* The set of file extensions supported by this analyzer.
*/
private static final Set<String> EXTENSIONS = newHashSet("ac", "in",
CONFIGURE);
private static final String[] EXTENSIONS = {"ac", "in"};
/**
* Matches AC_INIT variables in the output configure script.
@@ -104,13 +104,19 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
* Returns a list of file EXTENSIONS supported by this analyzer.
* The file filter used to determine which files this analyzer supports.
*/
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addFilenames(CONFIGURE).addExtensions(
EXTENSIONS).build();
/**
* Returns the FileFilter
*
* @return a list of file EXTENSIONS supported by this analyzer.
* @return the FileFilter
*/
@Override
public Set<String> getSupportedExtensions() {
return EXTENSIONS;
protected FileFilter getFileFilter() {
return FILTER;
}
/**
@@ -128,6 +134,7 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
*
* @return the phase that the analyzer is intended to run in.
*/
@Override
public AnalysisPhase getAnalysisPhase() {
return ANALYSIS_PHASE;
}

4
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
View File

@@ -511,8 +511,8 @@ public class CPEAnalyzer implements Analyzer {
}
for (VulnerableSoftware vs : cpes) {
DependencyVersion dbVer;
if (vs.getRevision() != null && !vs.getRevision().isEmpty()) {
dbVer = DependencyVersionUtil.parseVersion(vs.getVersion() + "." + vs.getRevision());
if (vs.getUpdate() != null && !vs.getUpdate().isEmpty()) {
dbVer = DependencyVersionUtil.parseVersion(vs.getVersion() + "." + vs.getUpdate());
} else {
dbVer = DependencyVersionUtil.parseVersion(vs.getVersion());
}

39
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java
View File

@@ -17,12 +17,6 @@
*/
package org.owasp.dependencycheck.analyzer;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.URL;
import java.util.List;
import java.util.Set;
import org.apache.commons.io.FileUtils;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
@@ -32,13 +26,21 @@ import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
import org.owasp.dependencycheck.xml.pom.PomUtils;
import org.owasp.dependencycheck.utils.DownloadFailedException;
import org.owasp.dependencycheck.utils.Downloader;
import org.owasp.dependencycheck.utils.InvalidSettingException;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.File;
import java.io.FileFilter;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.URL;
import java.util.List;
import org.owasp.dependencycheck.utils.DownloadFailedException;
import org.owasp.dependencycheck.utils.Downloader;
import org.owasp.dependencycheck.utils.FileFilterBuilder;
import org.owasp.dependencycheck.utils.InvalidSettingException;
import org.owasp.dependencycheck.utils.Settings;
/**
* Analyzer which will attempt to locate a dependency, and the GAV information, by querying Central for the dependency's SHA-1
* digest.
@@ -65,7 +67,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
/**
* The types of files on which this will work.
*/
private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("jar");
private static final String SUPPORTED_EXTENSIONS = "jar";
/**
* The analyzer should be disabled if there are errors, so this is a flag to determine if such an error has occurred.
@@ -164,13 +166,13 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
* Returns the extensions for which this Analyzer runs.
*
* @return the extensions for which this Analyzer runs
* The file filter used to determine which files this analyzer supports.
*/
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(SUPPORTED_EXTENSIONS).build();
@Override
public Set<String> getSupportedExtensions() {
return SUPPORTED_EXTENSIONS;
protected FileFilter getFileFilter() {
return FILTER;
}
/**
@@ -206,7 +208,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
pomFile = File.createTempFile("pom", ".xml", baseDir);
if (!pomFile.delete()) {
LOGGER.warn("Unable to fetch pom.xml for {} from Central; "
+ "this could result in undetected CPE/CVEs.", dependency.getFileName());
+ "this could result in undetected CPE/CVEs.", dependency.getFileName());
LOGGER.debug("Unable to delete temp file");
}
LOGGER.debug("Downloading {}", ma.getPomUrl());
@@ -215,7 +217,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
} catch (DownloadFailedException ex) {
LOGGER.warn("Unable to download pom.xml for {} from Central; "
+ "this could result in undetected CPE/CVEs.", dependency.getFileName());
+ "this could result in undetected CPE/CVEs.", dependency.getFileName());
} finally {
if (pomFile != null && !FileUtils.deleteQuietly(pomFile)) {
pomFile.deleteOnExit();
@@ -233,5 +235,4 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
errorFlag = true;
}
}
}

12
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileTypeAnalyzer.java
View File

@@ -17,20 +17,14 @@
*/
package org.owasp.dependencycheck.analyzer;
import java.io.FileFilter;
/**
* An Analyzer that scans specific file types.
*
* @author Jeremy Long
*/
public interface FileTypeAnalyzer extends Analyzer {
/**
* Returns whether or not this analyzer can process the given extension.
*
* @param extension the file extension to test for support.
* @return whether or not the specified file extension is supported by this analyzer.
*/
boolean supportsExtension(String extension);
public interface FileTypeAnalyzer extends Analyzer, FileFilter {
/**
* Resets the analyzers state.

27
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
View File

@@ -17,14 +17,7 @@
*/
package org.owasp.dependencycheck.analyzer;
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.Reader;
import java.io.*;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
@@ -47,6 +40,7 @@ import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.EvidenceCollection;
import org.owasp.dependencycheck.utils.FileFilterBuilder;
import org.owasp.dependencycheck.xml.pom.License;
import org.owasp.dependencycheck.xml.pom.PomUtils;
import org.owasp.dependencycheck.xml.pom.Model;
@@ -168,16 +162,21 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
/**
* The set of file extensions supported by this analyzer.
*/
private static final Set<String> EXTENSIONS = newHashSet("jar", "war");
private static final String[] EXTENSIONS = {"jar", "war"};
/**
* Returns a list of file EXTENSIONS supported by this analyzer.
* The file filter used to determine which files this analyzer supports.
*/
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build();
/**
* Returns the FileFilter.
*
* @return a list of file EXTENSIONS supported by this analyzer.
* @return the FileFilter
*/
@Override
public Set<String> getSupportedExtensions() {
return EXTENSIONS;
protected FileFilter getFileFilter() {
return FILTER;
}
/**
@@ -388,7 +387,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
* @param dependency the dependency being analyzed
* @return returns the POM object
* @throws AnalysisException is thrown if there is an exception extracting or parsing the POM
* {@link org.owasp.dependencycheck.jaxb.pom.generated.Model} object
* {@link org.owasp.dependencycheck.xml.pom.Model} object
*/
private Model extractPom(String path, JarFile jar, Dependency dependency) throws AnalysisException {
InputStream input = null;

141
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzer.java
View File

@@ -1,141 +0,0 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.analyzer;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileReader;
import java.io.IOException;
import java.util.Set;
import java.util.regex.Pattern;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
*
* Used to analyze a JavaScript file to gather information to aid in identification of a CPE identifier.
*
* @author Jeremy Long
*/
public class JavaScriptAnalyzer extends AbstractFileTypeAnalyzer {
/**
* The logger.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(JavaScriptAnalyzer.class);
//<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
/**
* The name of the analyzer.
*/
private static final String ANALYZER_NAME = "JavaScript Analyzer";
/**
* The phase that this analyzer is intended to run in.
*/
private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
/**
* The set of file extensions supported by this analyzer.
*/
private static final Set<String> EXTENSIONS = newHashSet("js");
/**
* Returns a list of file EXTENSIONS supported by this analyzer.
*
* @return a list of file EXTENSIONS supported by this analyzer.
*/
@Override
public Set<String> getSupportedExtensions() {
return EXTENSIONS;
}
/**
* Returns the name of the analyzer.
*
* @return the name of the analyzer.
*/
@Override
public String getName() {
return ANALYZER_NAME;
}
/**
* Returns the phase that the analyzer is intended to run in.
*
* @return the phase that the analyzer is intended to run in.
*/
@Override
public AnalysisPhase getAnalysisPhase() {
return ANALYSIS_PHASE;
}
//</editor-fold>
/**
* Returns the key used in the properties file to reference the analyzer's enabled property.
*
* @return the analyzer's enabled property setting key
*/
@Override
protected String getAnalyzerEnabledSettingKey() {
return Settings.KEYS.ANALYZER_JAVASCRIPT_ENABLED;
}
/**
* Loads a specified JavaScript file and collects information from the copyright information contained within.
*
* @param dependency the dependency to analyze.
* @param engine the engine that is scanning the dependencies
* @throws AnalysisException is thrown if there is an error reading the JavaScript file.
*/
@Override
public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
BufferedReader fin = null;
try {
// /\*([^\*][^/]|[\r\n\f])+?\*/
final Pattern extractComments = Pattern.compile("(/\\*([^*]|[\\r\\n]|(\\*+([^*/]|[\\r\\n])))*\\*+/)|(//.*)", Pattern.MULTILINE);
File file = dependency.getActualFile();
fin = new BufferedReader(new FileReader(file));
StringBuilder sb = new StringBuilder(2000);
String text;
while ((text = fin.readLine()) != null) {
sb.append(text);
}
} catch (FileNotFoundException ex) {
final String msg = String.format("Dependency file not found: '%s'", dependency.getActualFilePath());
throw new AnalysisException(msg, ex);
} catch (IOException ex) {
LOGGER.error("", ex);
} finally {
if (fin != null) {
try {
fin.close();
} catch (IOException ex) {
LOGGER.trace("", ex);
}
}
}
}
@Override
protected void initializeFileTypeAnalyzer() throws Exception {
}
}

41
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java
View File

@@ -17,12 +17,6 @@
*/
package org.owasp.dependencycheck.analyzer;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Set;
import org.apache.commons.io.FileUtils;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
@@ -32,13 +26,21 @@ import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
import org.owasp.dependencycheck.xml.pom.PomUtils;
import org.owasp.dependencycheck.utils.InvalidSettingException;
import org.owasp.dependencycheck.utils.DownloadFailedException;
import org.owasp.dependencycheck.utils.Downloader;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.File;
import java.io.FileFilter;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import org.owasp.dependencycheck.utils.DownloadFailedException;
import org.owasp.dependencycheck.utils.Downloader;
import org.owasp.dependencycheck.utils.FileFilterBuilder;
import org.owasp.dependencycheck.utils.InvalidSettingException;
import org.owasp.dependencycheck.utils.Settings;
/**
* Analyzer which will attempt to locate a dependency on a Nexus service by SHA-1 digest of the dependency.
*
@@ -78,7 +80,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
/**
* The types of files on which this will work.
*/
private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("jar");
private static final String SUPPORTED_EXTENSIONS = "jar";
/**
* The Nexus Search to be set up for this analyzer.
@@ -184,13 +186,18 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
* Returns the extensions for which this Analyzer runs.
* The file filter used to determine which files this analyzer supports.
*/
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(SUPPORTED_EXTENSIONS).build();
/**
* Returns the FileFilter
*
* @return the extensions for which this Analyzer runs
* @return the FileFilter
*/
@Override
public Set<String> getSupportedExtensions() {
return SUPPORTED_EXTENSIONS;
protected FileFilter getFileFilter() {
return FILTER;
}
/**
@@ -223,7 +230,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
pomFile = File.createTempFile("pom", ".xml", baseDir);
if (!pomFile.delete()) {
LOGGER.warn("Unable to fetch pom.xml for {} from Nexus repository; "
+ "this could result in undetected CPE/CVEs.", dependency.getFileName());
+ "this could result in undetected CPE/CVEs.", dependency.getFileName());
LOGGER.debug("Unable to delete temp file");
}
LOGGER.debug("Downloading {}", ma.getPomUrl());
@@ -231,7 +238,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
PomUtils.analyzePOM(dependency, pomFile);
} catch (DownloadFailedException ex) {
LOGGER.warn("Unable to download pom.xml for {} from Nexus repository; "
+ "this could result in undetected CPE/CVEs.", dependency.getFileName());
+ "this could result in undetected CPE/CVEs.", dependency.getFileName());
} finally {
if (pomFile != null && !FileUtils.deleteQuietly(pomFile)) {
pomFile.deleteOnExit();

26
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
View File

@@ -17,10 +17,6 @@
*/
package org.owasp.dependencycheck.analyzer;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.Set;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.data.nuget.NugetPackage;
@@ -29,10 +25,16 @@ import org.owasp.dependencycheck.data.nuget.NuspecParser;
import org.owasp.dependencycheck.data.nuget.XPathNuspecParser;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.utils.FileFilterBuilder;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.FileFilter;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
/**
* Analyzer which will parse a Nuspec file to gather module information.
*
@@ -58,7 +60,7 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {
/**
* The types of files on which this will work.
*/
private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("nuspec");
private static final String SUPPORTED_EXTENSIONS = "nuspec";
/**
* Initializes the analyzer once before any analysis is performed.
@@ -100,13 +102,19 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
* Returns the extensions for which this Analyzer runs.
* The file filter used to determine which files this analyzer supports.
*/
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(
SUPPORTED_EXTENSIONS).build();
/**
* Returns the FileFilter
*
* @return the extensions for which this Analyzer runs
* @return the FileFilter
*/
@Override
public Set<String> getSupportedExtensions() {
return SUPPORTED_EXTENSIONS;
protected FileFilter getFileFilter() {
return FILTER;
}
/**

44
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
View File

@@ -17,17 +17,6 @@
*/
package org.owasp.dependencycheck.analyzer;
import java.io.BufferedInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FilenameFilter;
import java.util.Set;
import java.util.regex.Pattern;
import javax.mail.MessagingException;
import javax.mail.internet.InternetHeaders;
import org.apache.commons.io.filefilter.NameFileFilter;
import org.apache.commons.io.filefilter.SuffixFileFilter;
import org.apache.commons.io.input.AutoCloseInputStream;
@@ -37,13 +26,19 @@ import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.EvidenceCollection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.mail.MessagingException;
import javax.mail.internet.InternetHeaders;
import java.io.*;
import java.util.regex.Pattern;
import org.owasp.dependencycheck.utils.ExtractionException;
import org.owasp.dependencycheck.utils.ExtractionUtil;
import org.owasp.dependencycheck.utils.FileFilterBuilder;
import org.owasp.dependencycheck.utils.FileUtils;
import org.owasp.dependencycheck.utils.Settings;
import org.owasp.dependencycheck.utils.UrlStringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* Used to analyze a Wheel or egg distribution files, or their contents in unzipped form, and collect information that can be used
@@ -86,11 +81,10 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
/**
* The set of file extensions supported by this analyzer.
*/
private static final Set<String> EXTENSIONS = newHashSet("whl", "egg",
"zip", METADATA, PKG_INFO);
private static final String[] EXTENSIONS = {"whl", "egg", "zip"};
/**
* Used to match on egg archive candidate extenssions.
* Used to match on egg archive candidate extensions.
*/
private static final Pattern EGG_OR_ZIP = Pattern.compile("egg|zip");
@@ -114,23 +108,29 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
/**
* Filter that detects files named "METADATA".
*/
private static final FilenameFilter METADATA_FILTER = new NameFileFilter(
private static final NameFileFilter METADATA_FILTER = new NameFileFilter(
METADATA);
/**
* Filter that detects files named "PKG-INFO".
*/
private static final FilenameFilter PKG_INFO_FILTER = new NameFileFilter(
private static final NameFileFilter PKG_INFO_FILTER = new NameFileFilter(
PKG_INFO);
/**
* Returns a list of file EXTENSIONS supported by this analyzer.
* The file filter used to determine which files this analyzer supports.
*/
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addFileFilters(
METADATA_FILTER, PKG_INFO_FILTER).addExtensions(EXTENSIONS).build();
/**
* Returns the FileFilter
*
* @return a list of file EXTENSIONS supported by this analyzer.
* @return the FileFilter
*/
@Override
public Set<String> getSupportedExtensions() {
return EXTENSIONS;
protected FileFilter getFileFilter() {
return FILTER;
}
/**

41
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java
View File

@@ -17,17 +17,6 @@
*/
package org.owasp.dependencycheck.analyzer;
import java.io.File;
import java.io.FileFilter;
import java.io.IOException;
import java.net.MalformedURLException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.commons.io.FileUtils;
import org.apache.commons.io.filefilter.NameFileFilter;
import org.apache.commons.io.filefilter.SuffixFileFilter;
@@ -36,11 +25,21 @@ import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.EvidenceCollection;
import org.owasp.dependencycheck.utils.FileFilterBuilder;
import org.owasp.dependencycheck.utils.Settings;
import org.owasp.dependencycheck.utils.UrlStringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.File;
import java.io.FileFilter;
import java.io.IOException;
import java.net.MalformedURLException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
/**
* Used to analyze a Python package, and collect information that can be used to determine the associated CPE.
*
@@ -63,8 +62,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
/**
* Filename extensions for files to be analyzed.
*/
private static final Set<String> EXTENSIONS = Collections
.unmodifiableSet(Collections.singleton("py"));
private static final String EXTENSIONS = "py";
/**
* Pattern for matching the module docstring in a source file.
@@ -135,13 +133,18 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
* Returns the set of supported file extensions.
* The file filter used to determine which files this analyzer supports.
*/
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build();
/**
* Returns the FileFilter
*
* @return the set of supported file extensions
* @return the FileFilter
*/
@Override
protected Set<String> getSupportedExtensions() {
return EXTENSIONS;
protected FileFilter getFileFilter() {
return FILTER;
}
/**
@@ -209,12 +212,12 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
*/
private boolean analyzeFileContents(Dependency dependency, File file)
throws AnalysisException {
String contents = "";
String contents;
try {
contents = FileUtils.readFileToString(file).trim();
} catch (IOException e) {
throw new AnalysisException(
"Problem occured while reading dependency file.", e);
"Problem occurred while reading dependency file.", e);
}
boolean found = false;
if (!contents.isEmpty()) {

92
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java
View File

@@ -35,9 +35,8 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* Loads the configured database driver and returns the database connection. If the embedded H2 database is used
* obtaining a connection will ensure the database file exists and that the appropriate table structure has been
* created.
* Loads the configured database driver and returns the database connection. If the embedded H2 database is used obtaining a
* connection will ensure the database file exists and that the appropriate table structure has been created.
*
* @author Jeremy Long
*/
@@ -55,6 +54,10 @@ public final class ConnectionFactory {
* Resource location for SQL file used to create the database schema.
*/
public static final String DB_STRUCTURE_RESOURCE = "data/initialize.sql";
/**
* Resource location for SQL file used to create the database schema.
*/
public static final String DB_STRUCTURE_UPDATE_RESOURCE = "data/upgrade_%s.sql";
/**
* The database driver used to connect to the database.
*/
@@ -79,8 +82,8 @@ public final class ConnectionFactory {
}
/**
* Initializes the connection factory. Ensuring that the appropriate drivers are loaded and that a connection can be
* made successfully.
* Initializes the connection factory. Ensuring that the appropriate drivers are loaded and that a connection can be made
* successfully.
*
* @throws DatabaseException thrown if we are unable to connect to the database
*/
@@ -114,8 +117,7 @@ public final class ConnectionFactory {
try {
connectionString = Settings.getConnectionString(
Settings.KEYS.DB_CONNECTION_STRING,
Settings.KEYS.DB_FILE_NAME,
Settings.KEYS.DB_VERSION);
Settings.KEYS.DB_FILE_NAME);
} catch (IOException ex) {
LOGGER.debug(
"Unable to retrieve the database connection string", ex);
@@ -162,13 +164,12 @@ public final class ConnectionFactory {
LOGGER.debug("", dex);
throw new DatabaseException("Unable to create the database structure");
}
} else {
try {
ensureSchemaVersion(conn);
} catch (DatabaseException dex) {
LOGGER.debug("", dex);
throw new DatabaseException("Database schema does not match this version of dependency-check");
}
}
try {
ensureSchemaVersion(conn);
} catch (DatabaseException dex) {
LOGGER.debug("", dex);
throw new DatabaseException("Database schema does not match this version of dependency-check", dex);
}
} finally {
if (conn != null) {
@@ -183,8 +184,8 @@ public final class ConnectionFactory {
/**
* Cleans up resources and unloads any registered database drivers. This needs to be called to ensure the driver is
* unregistered prior to the finalize method being called as during shutdown the class loader used to load the
* driver may be unloaded prior to the driver being de-registered.
* unregistered prior to the finalize method being called as during shutdown the class loader used to load the driver may be
* unloaded prior to the driver being de-registered.
*/
public static synchronized void cleanup() {
if (driver != null) {
@@ -229,8 +230,7 @@ public final class ConnectionFactory {
*/
private static boolean h2DataFileExists() throws IOException {
final File dir = Settings.getDataDirectory();
final String name = Settings.getString(Settings.KEYS.DB_FILE_NAME);
final String fileName = String.format(name, DB_SCHEMA_VERSION);
final String fileName = Settings.getString(Settings.KEYS.DB_FILE_NAME);
final File file = new File(dir, fileName);
return file.exists();
}
@@ -278,6 +278,55 @@ public final class ConnectionFactory {
}
}
/**
* Updates the database schema by loading the upgrade script for the version specified. The intended use is that if the
* current schema version is 2.9 then we would call updateSchema(conn, "2.9"). This would load the upgrade_2.9.sql file and
* execute it against the database. The upgrade script must update the 'version' in the properties table.
*
* @param conn the database connection object
* @param schema the current schema version that is being upgraded
* @throws DatabaseException thrown if there is an exception upgrading the database schema
*/
private static void updateSchema(Connection conn, String schema) throws DatabaseException {
LOGGER.debug("Updating database structure");
InputStream is;
InputStreamReader reader;
BufferedReader in = null;
String updateFile = null;
try {
updateFile = String.format(DB_STRUCTURE_UPDATE_RESOURCE, schema);
is = ConnectionFactory.class.getClassLoader().getResourceAsStream(updateFile);
reader = new InputStreamReader(is, "UTF-8");
in = new BufferedReader(reader);
final StringBuilder sb = new StringBuilder(2110);
String tmp;
while ((tmp = in.readLine()) != null) {
sb.append(tmp);
}
Statement statement = null;
try {
statement = conn.createStatement();
statement.execute(sb.toString());
} catch (SQLException ex) {
LOGGER.debug("", ex);
throw new DatabaseException("Unable to update database schema", ex);
} finally {
DBUtils.closeStatement(statement);
}
} catch (IOException ex) {
final String msg = String.format("Upgrade SQL file does not exist: %s", updateFile);
throw new DatabaseException(msg, ex);
} finally {
if (in != null) {
try {
in.close();
} catch (IOException ex) {
LOGGER.trace("", ex);
}
}
}
}
/**
* Uses the provided connection to check the specified schema version within the database.
*
@@ -288,12 +337,13 @@ public final class ConnectionFactory {
ResultSet rs = null;
CallableStatement cs = null;
try {
//TODO convert this to use DatabaseProperties
cs = conn.prepareCall("SELECT value FROM properties WHERE id = 'version'");
rs = cs.executeQuery();
if (rs.next()) {
final boolean isWrongSchema = !DB_SCHEMA_VERSION.equals(rs.getString(1));
if (isWrongSchema) {
throw new DatabaseException("Incorrect database schema; unable to continue");
if (!DB_SCHEMA_VERSION.equals(rs.getString(1))) {
LOGGER.debug("Updating from version: " + rs.getString(1));
updateSchema(conn, rs.getString(1));
}
} else {
throw new DatabaseException("Database schema is missing");

42
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
View File

@@ -19,6 +19,7 @@ package org.owasp.dependencycheck.data.nvdcve;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
@@ -766,8 +767,8 @@ public class CveDB {
DependencyVersion cpeVersion;
if (cpe.getVersion() != null && !cpe.getVersion().isEmpty()) {
String versionText;
if (cpe.getRevision() != null && !cpe.getRevision().isEmpty()) {
versionText = String.format("%s.%s", cpe.getVersion(), cpe.getRevision());
if (cpe.getUpdate() != null && !cpe.getUpdate().isEmpty()) {
versionText = String.format("%s.%s", cpe.getVersion(), cpe.getUpdate());
} else {
versionText = cpe.getVersion();
}
@@ -777,4 +778,41 @@ public class CveDB {
}
return cpeVersion;
}
/**
* Deletes unused dictionary entries from the database.
*/
public void deleteUnusedCpe() {
CallableStatement cs = null;
try {
cs = getConnection().prepareCall(statementBundle.getString("DELETE_UNUSED_DICT_CPE"));
cs.executeUpdate();
} catch (SQLException ex) {
LOGGER.error("Unable to delete CPE dictionary entries", ex);
} finally {
DBUtils.closeStatement(cs);
}
}
/**
* Merges CPE entries into the database.
*
* @param cpe the CPE identifier
* @param vendor the CPE vendor
* @param product the CPE product
*/
public void addCpe(String cpe, String vendor, String product) {
PreparedStatement ps = null;
try {
ps = getConnection().prepareCall(statementBundle.getString("ADD_DICT_CPE"));
ps.setString(1, cpe);
ps.setString(2, vendor);
ps.setString(3, product);
ps.executeUpdate();
} catch (SQLException ex) {
LOGGER.error("Unable to add CPE dictionary entry", ex);
} finally {
DBUtils.closeStatement(ps);
}
}
}

33
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java
View File

@@ -24,7 +24,7 @@ import java.util.Map;
import java.util.Map.Entry;
import java.util.Properties;
import java.util.TreeMap;
import org.owasp.dependencycheck.data.update.NvdCveInfo;
import org.owasp.dependencycheck.data.update.nvd.NvdCveInfo;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -41,20 +41,28 @@ public class DatabaseProperties {
*/
private static final Logger LOGGER = LoggerFactory.getLogger(DatabaseProperties.class);
/**
* Modified key word, used as a key to store information about the modified file (i.e. the containing the last 8
* days of updates)..
* Modified key word, used as a key to store information about the modified file (i.e. the containing the last 8 days of
* updates)..
*/
public static final String MODIFIED = "Modified";
/**
* The properties file key for the last updated field - used to store the last updated time of the Modified NVD CVE
* xml file.
* The properties file key for the last updated field - used to store the last updated time of the Modified NVD CVE xml file.
*/
public static final String LAST_UPDATED = "NVD CVE Modified";
/**
* Stores the last updated time for each of the NVD CVE files. These timestamps should be updated if we process the
* modified file within 7 days of the last update.
* Stores the last updated time for each of the NVD CVE files. These timestamps should be updated if we process the modified
* file within 7 days of the last update.
*/
public static final String LAST_UPDATED_BASE = "NVD CVE ";
/**
* The key for the last time the CPE data was updated.
*/
public static final String LAST_CPE_UPDATE = "LAST_CPE_UPDATE";
/**
* The key for the database schema version.
*/
public static final String VERSION = "version";
/**
* A collection of properties about the data.
*/
@@ -116,8 +124,7 @@ public class DatabaseProperties {
}
/**
* Returns the property value for the given key. If the key is not contained in the underlying properties null is
* returned.
* Returns the property value for the given key. If the key is not contained in the underlying properties null is returned.
*
* @param key the property key
* @return the value of the property
@@ -127,8 +134,8 @@ public class DatabaseProperties {
}
/**
* Returns the property value for the given key. If the key is not contained in the underlying properties the
* default value is returned.
* Returns the property value for the given key. If the key is not contained in the underlying properties the default value is
* returned.
*
* @param key the property key
* @param defaultValue the default value
@@ -148,8 +155,8 @@ public class DatabaseProperties {
}
/**
* Returns a map of the meta data from the database properties. This primarily contains timestamps of when the NVD
* CVE information was last updated.
* Returns a map of the meta data from the database properties. This primarily contains timestamps of when the NVD CVE
* information was last updated.
*
* @return a map of the database meta data
*/

86
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/BaseUpdater.java Normal file
View File

@@ -0,0 +1,86 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.update;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
*
* @author Jeremy Long
*/
public abstract class BaseUpdater {
/**
* Static logger.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(BaseUpdater.class);
/**
* Information about the timestamps and URLs for data that needs to be updated.
*/
private DatabaseProperties properties;
/**
* Reference to the Cve Database.
*/
private CveDB cveDB = null;
protected CveDB getCveDB() {
return cveDB;
}
protected DatabaseProperties getProperties() {
return properties;
}
/**
* Closes the CVE and CPE data stores.
*/
protected void closeDataStores() {
if (cveDB != null) {
try {
cveDB.close();
} catch (Throwable ignore) {
LOGGER.trace("Error closing the database", ignore);
}
}
}
/**
* Opens the data store.
*
* @throws UpdateException thrown if a data store cannot be opened
*/
protected final void openDataStores() throws UpdateException {
if (cveDB != null) {
return;
}
try {
cveDB = new CveDB();
cveDB.open();
} catch (DatabaseException ex) {
closeDataStores();
LOGGER.debug("Database Exception opening databases", ex);
throw new UpdateException("Error updating the database, please see the log file for more details.");
}
properties = cveDB.getDatabaseProperties();
}
}

198
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java Normal file
View File

@@ -0,0 +1,198 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.update;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Date;
import java.util.List;
import java.util.zip.GZIPInputStream;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.apache.commons.io.FileUtils;
import static org.owasp.dependencycheck.data.nvdcve.DatabaseProperties.LAST_CPE_UPDATE;
import org.owasp.dependencycheck.data.update.cpe.CPEHandler;
import org.owasp.dependencycheck.data.update.cpe.Cpe;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.owasp.dependencycheck.utils.DateUtil;
import org.owasp.dependencycheck.utils.DownloadFailedException;
import org.owasp.dependencycheck.utils.Downloader;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xml.sax.SAXException;
/**
* The CpeUpdater is designed to download the CPE data file from NIST and import the data into the database. However, as this
* currently adds no beneficial data, compared to what is in the CPE data contained in the CVE data files, this class is not
* currently used. The code is being kept as a future update may utilize more data from the CPE xml files.
*
* @author Jeremy Long
*/
public class CpeUpdater extends BaseUpdater implements CachedWebDataSource {
/**
* Static logger.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(CpeUpdater.class);
@Override
public void update() throws UpdateException {
try {
openDataStores();
if (updateNeeded()) {
LOGGER.info("Updating the Common Platform Enumeration (CPE)");
final File xml = downloadCpe();
final List<Cpe> cpes = processXML(xml);
getCveDB().deleteUnusedCpe();
for (Cpe cpe : cpes) {
getCveDB().addCpe(cpe.getValue(), cpe.getVendor(), cpe.getProduct());
}
final Date now = new Date();
getProperties().save(LAST_CPE_UPDATE, Long.toString(now.getTime()));
LOGGER.info("CPE update complete");
}
} finally {
closeDataStores();
}
}
/**
* Downloads the CPE XML file.
*
* @return the file reference to the CPE.xml file
* @throws UpdateException thrown if there is an issue downloading the XML file
*/
private File downloadCpe() throws UpdateException {
File xml;
final URL url;
try {
url = new URL(Settings.getString(Settings.KEYS.CPE_URL));
xml = File.createTempFile("cpe", ".xml", Settings.getTempDirectory());
Downloader.fetchFile(url, xml);
if (url.toExternalForm().endsWith(".xml.gz")) {
extractGzip(xml);
}
} catch (MalformedURLException ex) {
throw new UpdateException("Invalid CPE URL", ex);
} catch (DownloadFailedException ex) {
throw new UpdateException("Unable to download CPE XML file", ex);
} catch (IOException ex) {
throw new UpdateException("Unable to create temporary file to download CPE", ex);
}
return xml;
}
/**
* Parses the CPE XML file to return a list of CPE entries.
*
* @param xml the CPE data file
* @return the list of CPE entries
* @throws UpdateException thrown if there is an issue with parsing the XML file
*/
private List<Cpe> processXML(final File xml) throws UpdateException {
try {
final SAXParserFactory factory = SAXParserFactory.newInstance();
final SAXParser saxParser = factory.newSAXParser();
final CPEHandler handler = new CPEHandler();
saxParser.parse(xml, handler);
return handler.getData();
} catch (ParserConfigurationException ex) {
throw new UpdateException("Unable to parse CPE XML file due to SAX Parser Issue", ex);
} catch (SAXException ex) {
throw new UpdateException("Unable to parse CPE XML file due to SAX Parser Exception", ex);
} catch (IOException ex) {
throw new UpdateException("Unable to parse CPE XML file due to IO Failure", ex);
}
}
/**
* Checks to find the last time the CPE data was refreshed and if it needs to be updated.
*
* @return true if the CPE data should be refreshed
*/
private boolean updateNeeded() {
final Date now = new Date();
final int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS, 30);
long timestamp = 0;
final String ts = getProperties().getProperty(LAST_CPE_UPDATE);
if (ts != null && ts.matches("^[0-9]+$")) {
timestamp = Long.parseLong(ts);
}
return !DateUtil.withinDateRange(timestamp, now.getTime(), days);
}
/**
* Extracts the file contained in a gzip archive. The extracted file is placed in the exact same path as the file specified.
*
* @param file the archive file
* @throws FileNotFoundException thrown if the file does not exist
* @throws IOException thrown if there is an error extracting the file.
*/
private void extractGzip(File file) throws FileNotFoundException, IOException {
//TODO - move this to a util class as it is duplicative of (copy of) code in the DownloadTask
final String originalPath = file.getPath();
final File gzip = new File(originalPath + ".gz");
if (gzip.isFile() && !gzip.delete()) {
gzip.deleteOnExit();
}
if (!file.renameTo(gzip)) {
throw new IOException("Unable to rename '" + file.getPath() + "'");
}
final File newfile = new File(originalPath);
final byte[] buffer = new byte[4096];
GZIPInputStream cin = null;
FileOutputStream out = null;
try {
cin = new GZIPInputStream(new FileInputStream(gzip));
out = new FileOutputStream(newfile);
int len;
while ((len = cin.read(buffer)) > 0) {
out.write(buffer, 0, len);
}
} finally {
if (cin != null) {
try {
cin.close();
} catch (IOException ex) {
LOGGER.trace("ignore", ex);
}
}
if (out != null) {
try {
out.close();
} catch (IOException ex) {
LOGGER.trace("ignore", ex);
}
}
if (gzip.isFile()) {
FileUtils.deleteQuietly(gzip);
}
}
}
}

229
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
View File

@@ -18,23 +18,44 @@
package org.owasp.dependencycheck.data.update;
import java.net.MalformedURLException;
import java.util.Calendar;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import static org.owasp.dependencycheck.data.nvdcve.DatabaseProperties.MODIFIED;
import org.owasp.dependencycheck.data.update.exception.InvalidDataException;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.owasp.dependencycheck.data.update.nvd.DownloadTask;
import org.owasp.dependencycheck.data.update.nvd.NvdCveInfo;
import org.owasp.dependencycheck.data.update.nvd.ProcessTask;
import org.owasp.dependencycheck.data.update.nvd.UpdateableNvdCve;
import org.owasp.dependencycheck.utils.DateUtil;
import org.owasp.dependencycheck.utils.DownloadFailedException;
import org.owasp.dependencycheck.utils.InvalidSettingException;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* Class responsible for updating the NVD CVE and CPE data stores.
* Class responsible for updating the NVD CVE data.
*
* @author Jeremy Long
*/
public class NvdCveUpdater implements CachedWebDataSource {
public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
/**
* The logger
*/
private static final Logger LOGGER = LoggerFactory.getLogger(NvdCveUpdater.class);
/**
* The max thread pool size to use when downloading files.
*/
public static final int MAX_THREAD_POOL_SIZE = Settings.getInt(Settings.KEYS.MAX_DOWNLOAD_THREAD_POOL_SIZE, 3);
/**
* <p>
@@ -45,9 +66,10 @@ public class NvdCveUpdater implements CachedWebDataSource {
@Override
public void update() throws UpdateException {
try {
final StandardUpdate task = new StandardUpdate();
if (task.isUpdateNeeded()) {
task.update();
openDataStores();
final UpdateableNvdCve updateable = getUpdatesNeeded();
if (updateable.isUpdateNeeded()) {
performUpdate(updateable);
}
} catch (MalformedURLException ex) {
LOGGER.warn(
@@ -61,6 +83,203 @@ public class NvdCveUpdater implements CachedWebDataSource {
"If you are behind a proxy you may need to configure dependency-check to use the proxy.");
}
LOGGER.debug("", ex);
} finally {
closeDataStores();
}
}
/**
* Downloads the latest NVD CVE XML file from the web and imports it into the current CVE Database.
*
* @param updateable a collection of NVD CVE data file references that need to be downloaded and processed to update the
* database
* @throws UpdateException is thrown if there is an error updating the database
*/
public void performUpdate(UpdateableNvdCve updateable) throws UpdateException {
int maxUpdates = 0;
try {
for (NvdCveInfo cve : updateable) {
if (cve.getNeedsUpdate()) {
maxUpdates += 1;
}
}
if (maxUpdates <= 0) {
return;
}
if (maxUpdates > 3) {
LOGGER.info(
"NVD CVE requires several updates; this could take a couple of minutes.");
}
if (maxUpdates > 0) {
openDataStores();
}
final int poolSize = (MAX_THREAD_POOL_SIZE < maxUpdates) ? MAX_THREAD_POOL_SIZE : maxUpdates;
final ExecutorService downloadExecutors = Executors.newFixedThreadPool(poolSize);
final ExecutorService processExecutor = Executors.newSingleThreadExecutor();
final Set<Future<Future<ProcessTask>>> downloadFutures = new HashSet<Future<Future<ProcessTask>>>(maxUpdates);
for (NvdCveInfo cve : updateable) {
if (cve.getNeedsUpdate()) {
final DownloadTask call = new DownloadTask(cve, processExecutor, getCveDB(), Settings.getInstance());
downloadFutures.add(downloadExecutors.submit(call));
}
}
downloadExecutors.shutdown();
//next, move the future future processTasks to just future processTasks
final Set<Future<ProcessTask>> processFutures = new HashSet<Future<ProcessTask>>(maxUpdates);
for (Future<Future<ProcessTask>> future : downloadFutures) {
Future<ProcessTask> task = null;
try {
task = future.get();
} catch (InterruptedException ex) {
downloadExecutors.shutdownNow();
processExecutor.shutdownNow();
LOGGER.debug("Thread was interrupted during download", ex);
throw new UpdateException("The download was interrupted", ex);
} catch (ExecutionException ex) {
downloadExecutors.shutdownNow();
processExecutor.shutdownNow();
LOGGER.debug("Thread was interrupted during download execution", ex);
throw new UpdateException("The execution of the download was interrupted", ex);
}
if (task == null) {
downloadExecutors.shutdownNow();
processExecutor.shutdownNow();
LOGGER.debug("Thread was interrupted during download");
throw new UpdateException("The download was interrupted; unable to complete the update");
} else {
processFutures.add(task);
}
}
for (Future<ProcessTask> future : processFutures) {
try {
final ProcessTask task = future.get();
if (task.getException() != null) {
throw task.getException();
}
} catch (InterruptedException ex) {
processExecutor.shutdownNow();
LOGGER.debug("Thread was interrupted during processing", ex);
throw new UpdateException(ex);
} catch (ExecutionException ex) {
processExecutor.shutdownNow();
LOGGER.debug("Execution Exception during process", ex);
throw new UpdateException(ex);
} finally {
processExecutor.shutdown();
}
}
if (maxUpdates >= 1) { //ensure the modified file date gets written (we may not have actually updated it)
getProperties().save(updateable.get(MODIFIED));
LOGGER.info("Begin database maintenance.");
getCveDB().cleanupDatabase();
LOGGER.info("End database maintenance.");
}
} finally {
closeDataStores();
}
}
/**
* Determines if the index needs to be updated. This is done by fetching the NVD CVE meta data and checking the last update
* date. If the data needs to be refreshed this method will return the NvdCveUrl for the files that need to be updated.
*
* @return the collection of files that need to be updated
* @throws MalformedURLException is thrown if the URL for the NVD CVE Meta data is incorrect
* @throws DownloadFailedException is thrown if there is an error. downloading the NVD CVE download data file
* @throws UpdateException Is thrown if there is an issue with the last updated properties file
*/
protected final UpdateableNvdCve getUpdatesNeeded() throws MalformedURLException, DownloadFailedException, UpdateException {
UpdateableNvdCve updates = null;
try {
updates = retrieveCurrentTimestampsFromWeb();
} catch (InvalidDataException ex) {
final String msg = "Unable to retrieve valid timestamp from nvd cve downloads page";
LOGGER.debug(msg, ex);
throw new DownloadFailedException(msg, ex);
} catch (InvalidSettingException ex) {
LOGGER.debug("Invalid setting found when retrieving timestamps", ex);
throw new DownloadFailedException("Invalid settings", ex);
}
if (updates == null) {
throw new DownloadFailedException("Unable to retrieve the timestamps of the currently published NVD CVE data");
}
if (!getProperties().isEmpty()) {
try {
final long lastUpdated = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_UPDATED, "0"));
final Date now = new Date();
final int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS, 7);
if (lastUpdated == updates.getTimeStamp(MODIFIED)) {
updates.clear(); //we don't need to update anything.
} else if (DateUtil.withinDateRange(lastUpdated, now.getTime(), days)) {
for (NvdCveInfo entry : updates) {
if (MODIFIED.equals(entry.getId())) {
entry.setNeedsUpdate(true);
} else {
entry.setNeedsUpdate(false);
}
}
} else { //we figure out which of the several XML files need to be downloaded.
for (NvdCveInfo entry : updates) {
if (MODIFIED.equals(entry.getId())) {
entry.setNeedsUpdate(true);
} else {
long currentTimestamp = 0;
try {
currentTimestamp = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_UPDATED_BASE
+ entry.getId(), "0"));
} catch (NumberFormatException ex) {
LOGGER.debug("Error parsing '{}' '{}' from nvdcve.lastupdated",
DatabaseProperties.LAST_UPDATED_BASE, entry.getId(), ex);
}
if (currentTimestamp == entry.getTimestamp()) {
entry.setNeedsUpdate(false);
}
}
}
}
} catch (NumberFormatException ex) {
LOGGER.warn("An invalid schema version or timestamp exists in the data.properties file.");
LOGGER.debug("", ex);
}
}
return updates;
}
/**
* Retrieves the timestamps from the NVD CVE meta data file.
*
* @return the timestamp from the currently published nvdcve downloads page
* @throws MalformedURLException thrown if the URL for the NVD CCE Meta data is incorrect.
* @throws DownloadFailedException thrown if there is an error downloading the nvd cve meta data file
* @throws InvalidDataException thrown if there is an exception parsing the timestamps
* @throws InvalidSettingException thrown if the settings are invalid
*/
private UpdateableNvdCve retrieveCurrentTimestampsFromWeb()
throws MalformedURLException, DownloadFailedException, InvalidDataException, InvalidSettingException {
final UpdateableNvdCve updates = new UpdateableNvdCve();
updates.add(MODIFIED, Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL),
Settings.getString(Settings.KEYS.CVE_MODIFIED_12_URL),
false);
final int start = Settings.getInt(Settings.KEYS.CVE_START_YEAR);
final int end = Calendar.getInstance().get(Calendar.YEAR);
final String baseUrl20 = Settings.getString(Settings.KEYS.CVE_SCHEMA_2_0);
final String baseUrl12 = Settings.getString(Settings.KEYS.CVE_SCHEMA_1_2);
for (int i = start; i <= end; i++) {
updates.add(Integer.toString(i), String.format(baseUrl20, i),
String.format(baseUrl12, i),
true);
}
return updates;
}
}

318
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java
View File

@@ -1,318 +0,0 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.update;
import java.net.MalformedURLException;
import java.util.Calendar;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import static org.owasp.dependencycheck.data.nvdcve.DatabaseProperties.MODIFIED;
import org.owasp.dependencycheck.data.update.exception.InvalidDataException;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.owasp.dependencycheck.data.update.task.DownloadTask;
import org.owasp.dependencycheck.data.update.task.ProcessTask;
import org.owasp.dependencycheck.utils.DateUtil;
import org.owasp.dependencycheck.utils.DownloadFailedException;
import org.owasp.dependencycheck.utils.InvalidSettingException;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* Class responsible for updating the NVDCVE data store.
*
* @author Jeremy Long
*/
public class StandardUpdate {
/**
* Static logger.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(StandardUpdate.class);
/**
* The max thread pool size to use when downloading files.
*/
public static final int MAX_THREAD_POOL_SIZE = Settings.getInt(Settings.KEYS.MAX_DOWNLOAD_THREAD_POOL_SIZE, 3);
/**
* Information about the timestamps and URLs for data that needs to be updated.
*/
private DatabaseProperties properties;
/**
* A collection of updateable NVD CVE items.
*/
private UpdateableNvdCve updateable;
/**
* Reference to the Cve Database.
*/
private CveDB cveDB = null;
/**
* Gets whether or not an update is needed.
*
* @return true or false depending on whether an update is needed
*/
public boolean isUpdateNeeded() {
return updateable.isUpdateNeeded();
}
/**
* Constructs a new Standard Update Task.
*
* @throws MalformedURLException thrown if a configured URL is malformed
* @throws DownloadFailedException thrown if a timestamp cannot be checked on a configured URL
* @throws UpdateException thrown if there is an exception generating the update task
*/
public StandardUpdate() throws MalformedURLException, DownloadFailedException, UpdateException {
openDataStores();
properties = cveDB.getDatabaseProperties();
updateable = updatesNeeded();
}
/**
* <p>
* Downloads the latest NVD CVE XML file from the web and imports it into the current CVE Database.</p>
*
* @throws UpdateException is thrown if there is an error updating the database
*/
public void update() throws UpdateException {
int maxUpdates = 0;
try {
for (NvdCveInfo cve : updateable) {
if (cve.getNeedsUpdate()) {
maxUpdates += 1;
}
}
if (maxUpdates <= 0) {
return;
}
if (maxUpdates > 3) {
LOGGER.info(
"NVD CVE requires several updates; this could take a couple of minutes.");
}
if (maxUpdates > 0) {
openDataStores();
}
final int poolSize = (MAX_THREAD_POOL_SIZE < maxUpdates) ? MAX_THREAD_POOL_SIZE : maxUpdates;
final ExecutorService downloadExecutors = Executors.newFixedThreadPool(poolSize);
final ExecutorService processExecutor = Executors.newSingleThreadExecutor();
final Set<Future<Future<ProcessTask>>> downloadFutures = new HashSet<Future<Future<ProcessTask>>>(maxUpdates);
for (NvdCveInfo cve : updateable) {
if (cve.getNeedsUpdate()) {
final DownloadTask call = new DownloadTask(cve, processExecutor, cveDB, Settings.getInstance());
downloadFutures.add(downloadExecutors.submit(call));
}
}
downloadExecutors.shutdown();
//next, move the future future processTasks to just future processTasks
final Set<Future<ProcessTask>> processFutures = new HashSet<Future<ProcessTask>>(maxUpdates);
for (Future<Future<ProcessTask>> future : downloadFutures) {
Future<ProcessTask> task = null;
try {
task = future.get();
} catch (InterruptedException ex) {
downloadExecutors.shutdownNow();
processExecutor.shutdownNow();
LOGGER.debug("Thread was interrupted during download", ex);
throw new UpdateException("The download was interrupted", ex);
} catch (ExecutionException ex) {
downloadExecutors.shutdownNow();
processExecutor.shutdownNow();
LOGGER.debug("Thread was interrupted during download execution", ex);
throw new UpdateException("The execution of the download was interrupted", ex);
}
if (task == null) {
downloadExecutors.shutdownNow();
processExecutor.shutdownNow();
LOGGER.debug("Thread was interrupted during download");
throw new UpdateException("The download was interrupted; unable to complete the update");
} else {
processFutures.add(task);
}
}
for (Future<ProcessTask> future : processFutures) {
try {
final ProcessTask task = future.get();
if (task.getException() != null) {
throw task.getException();
}
} catch (InterruptedException ex) {
processExecutor.shutdownNow();
LOGGER.debug("Thread was interrupted during processing", ex);
throw new UpdateException(ex);
} catch (ExecutionException ex) {
processExecutor.shutdownNow();
LOGGER.debug("Execution Exception during process", ex);
throw new UpdateException(ex);
} finally {
processExecutor.shutdown();
}
}
if (maxUpdates >= 1) { //ensure the modified file date gets written (we may not have actually updated it)
properties.save(updateable.get(MODIFIED));
LOGGER.info("Begin database maintenance.");
cveDB.cleanupDatabase();
LOGGER.info("End database maintenance.");
}
} finally {
closeDataStores();
}
}
/**
* Determines if the index needs to be updated. This is done by fetching the NVD CVE meta data and checking the last update
* date. If the data needs to be refreshed this method will return the NvdCveUrl for the files that need to be updated.
*
* @return the collection of files that need to be updated
* @throws MalformedURLException is thrown if the URL for the NVD CVE Meta data is incorrect
* @throws DownloadFailedException is thrown if there is an error. downloading the NVD CVE download data file
* @throws UpdateException Is thrown if there is an issue with the last updated properties file
*/
protected final UpdateableNvdCve updatesNeeded() throws MalformedURLException, DownloadFailedException, UpdateException {
UpdateableNvdCve updates = null;
try {
updates = retrieveCurrentTimestampsFromWeb();
} catch (InvalidDataException ex) {
final String msg = "Unable to retrieve valid timestamp from nvd cve downloads page";
LOGGER.debug(msg, ex);
throw new DownloadFailedException(msg, ex);
} catch (InvalidSettingException ex) {
LOGGER.debug("Invalid setting found when retrieving timestamps", ex);
throw new DownloadFailedException("Invalid settings", ex);
}
if (updates == null) {
throw new DownloadFailedException("Unable to retrieve the timestamps of the currently published NVD CVE data");
}
if (!properties.isEmpty()) {
try {
final long lastUpdated = Long.parseLong(properties.getProperty(DatabaseProperties.LAST_UPDATED, "0"));
final Date now = new Date();
final int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS, 7);
if (lastUpdated == updates.getTimeStamp(MODIFIED)) {
updates.clear(); //we don't need to update anything.
} else if (DateUtil.withinDateRange(lastUpdated, now.getTime(), days)) {
for (NvdCveInfo entry : updates) {
if (MODIFIED.equals(entry.getId())) {
entry.setNeedsUpdate(true);
} else {
entry.setNeedsUpdate(false);
}
}
} else { //we figure out which of the several XML files need to be downloaded.
for (NvdCveInfo entry : updates) {
if (MODIFIED.equals(entry.getId())) {
entry.setNeedsUpdate(true);
} else {
long currentTimestamp = 0;
try {
currentTimestamp = Long.parseLong(properties.getProperty(DatabaseProperties.LAST_UPDATED_BASE + entry.getId(), "0"));
} catch (NumberFormatException ex) {
LOGGER.debug("Error parsing '{}' '{}' from nvdcve.lastupdated",
DatabaseProperties.LAST_UPDATED_BASE, entry.getId(), ex);
}
if (currentTimestamp == entry.getTimestamp()) {
entry.setNeedsUpdate(false);
}
}
}
}
} catch (NumberFormatException ex) {
LOGGER.warn("An invalid schema version or timestamp exists in the data.properties file.");
LOGGER.debug("", ex);
}
}
return updates;
}
/**
* Retrieves the timestamps from the NVD CVE meta data file.
*
* @return the timestamp from the currently published nvdcve downloads page
* @throws MalformedURLException thrown if the URL for the NVD CCE Meta data is incorrect.
* @throws DownloadFailedException thrown if there is an error downloading the nvd cve meta data file
* @throws InvalidDataException thrown if there is an exception parsing the timestamps
* @throws InvalidSettingException thrown if the settings are invalid
*/
private UpdateableNvdCve retrieveCurrentTimestampsFromWeb()
throws MalformedURLException, DownloadFailedException, InvalidDataException, InvalidSettingException {
final UpdateableNvdCve updates = new UpdateableNvdCve();
updates.add(MODIFIED, Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL),
Settings.getString(Settings.KEYS.CVE_MODIFIED_12_URL),
false);
final int start = Settings.getInt(Settings.KEYS.CVE_START_YEAR);
final int end = Calendar.getInstance().get(Calendar.YEAR);
final String baseUrl20 = Settings.getString(Settings.KEYS.CVE_SCHEMA_2_0);
final String baseUrl12 = Settings.getString(Settings.KEYS.CVE_SCHEMA_1_2);
for (int i = start; i <= end; i++) {
updates.add(Integer.toString(i), String.format(baseUrl20, i),
String.format(baseUrl12, i),
true);
}
return updates;
}
/**
* Closes the CVE and CPE data stores.
*/
protected void closeDataStores() {
if (cveDB != null) {
try {
cveDB.close();
} catch (Throwable ignore) {
LOGGER.trace("Error closing the cveDB", ignore);
}
}
}
/**
* Opens the CVE and CPE data stores.
*
* @throws UpdateException thrown if a data store cannot be opened
*/
protected final void openDataStores() throws UpdateException {
if (cveDB != null) {
return;
}
try {
cveDB = new CveDB();
cveDB.open();
} catch (DatabaseException ex) {
closeDataStores();
LOGGER.debug("Database Exception opening databases", ex);
throw new UpdateException("Error updating the CPE/CVE data, please see the log file for more details.");
}
}
}

364
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/CPEHandler.java Normal file
View File

@@ -0,0 +1,364 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.update.cpe;
import java.io.UnsupportedEncodingException;
import java.util.ArrayList;
import java.util.List;
import org.owasp.dependencycheck.data.update.NvdCveUpdater;
import org.owasp.dependencycheck.data.update.exception.InvalidDataException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xml.sax.Attributes;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;
/**
* A SAX Handler that will parse the CPE XML and load it into the databse.
*
* @author Jeremy Long
*/
public class CPEHandler extends DefaultHandler {
/**
* The current CPE schema.
*/
private static final String CURRENT_SCHEMA_VERSION = "2.3";
/**
* The text content of the node being processed. This can be used during the end element event.
*/
private StringBuilder nodeText = null;
/**
* A reference to the current element.
*/
private Element current = new Element();
/**
* The logger.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(NvdCveUpdater.class);
/**
* The list of CPE values.
*/
private List<Cpe> data = new ArrayList<Cpe>();
/**
* Returns the list of CPE values.
*
* @return the list of CPE values
*/
public List<Cpe> getData() {
return data;
}
/**
* Handles the start element event.
*
* @param uri the elements uri
* @param localName the local name
* @param qName the qualified name
* @param attributes the attributes
* @throws SAXException thrown if there is an exception processing the element
*/
@Override
public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
nodeText = null;
current.setNode(qName);
if (current.isCpeItemNode()) {
final String temp = attributes.getValue("deprecated");
final String value = attributes.getValue("name");
final boolean delete = "true".equalsIgnoreCase(temp);
if (!delete && value.startsWith("cpe:/a:") && value.length() > 7) {
try {
final Cpe cpe = new Cpe(value);
data.add(cpe);
} catch (UnsupportedEncodingException ex) {
LOGGER.debug("Unable to parse the CPE", ex);
} catch (InvalidDataException ex) {
LOGGER.debug("CPE is not the correct format", ex);
}
}
} else if (current.isSchemaVersionNode()) {
nodeText = new StringBuilder(3);
}
// } else if (current.isTitleNode()) {
// //do nothing
// } else if (current.isMetaNode()) {
// //do nothing
// } else if (current.isTimestampNode()) {
// //do nothing
// } else if (current.isCpeListNode()) {
// //do nothing
// } else if (current.isNotesNode()) {
// //do nothing
// } else if (current.isNoteNode()) {
// //do nothing
// } else if (current.isCheckNode()) {
// //do nothing
// } else if (current.isGeneratorNode()) {
// //do nothing
// } else if (current.isProductNameNode()) {
// //do nothing
// } else if (current.isProductVersionNode()) {
// //do nothing
}
/**
* Reads the characters in the current node.
*
* @param ch the char array
* @param start the start position of the data read
* @param length the length of the data read
* @throws SAXException thrown if there is an exception processing the characters
*/
@Override
public void characters(char[] ch, int start, int length) throws SAXException {
if (nodeText != null) {
nodeText.append(ch, start, length);
}
}
/**
* Handles the end element event. Stores the CPE data in the Cve Database if the cpe item node is ending.
*
* @param uri the element's uri
* @param localName the local name
* @param qName the qualified name
* @throws SAXException thrown if there is an exception processing the element
*/
@Override
public void endElement(String uri, String localName, String qName) throws SAXException {
current.setNode(qName);
if (current.isSchemaVersionNode() && !CURRENT_SCHEMA_VERSION.equals(nodeText.toString())) {
throw new SAXException("ERROR: Unexpecgted CPE Schema Version, expected: "
+ CURRENT_SCHEMA_VERSION + ", file is: " + nodeText);
}
// } else if (current.isCpeItemNode()) {
// //do nothing
// } else if (current.isTitleNode()) {
// //do nothing
// } else if (current.isCpeListNode()) {
// //do nothing
// } else if (current.isMetaNode()) {
// //do nothing
// } else if (current.isNotesNode()) {
// //do nothing
// } else if (current.isNoteNode()) {
// //do nothing
// } else if (current.isCheckNode()) {
// //do nothing
// } else if (current.isGeneratorNode()) {
// //do nothing
// } else if (current.isProductNameNode()) {
// //do nothing
// } else if (current.isProductVersionNode()) {
// //do nothing
// else if (current.isTimestampNode()) {
// //do nothing
// } else {
// throw new SAXException("ERROR STATE: Unexpected qName '" + qName + "'");
// }
}
// <editor-fold defaultstate="collapsed" desc="The Element Class that maintains state information about the current node">
/**
* A simple class to maintain information about the current element while parsing the CPE XML.
*/
protected class Element {
/**
* A node type in the CPE Schema 2.2
*/
public static final String CPE_LIST = "cpe-list";
/**
* A node type in the CPE Schema 2.2
*/
public static final String CPE_ITEM = "cpe-item";
/**
* A node type in the CPE Schema 2.2
*/
public static final String TITLE = "title";
/**
* A node type in the CPE Schema 2.2
*/
public static final String NOTES = "notes";
/**
* A node type in the CPE Schema 2.2
*/
public static final String NOTE = "note";
/**
* A node type in the CPE Schema 2.2
*/
public static final String CHECK = "check";
/**
* A node type in the CPE Schema 2.2
*/
public static final String META = "meta:item-metadata";
/**
* A node type in the CPE Schema 2.2
*/
public static final String GENERATOR = "generator";
/**
* A node type in the CPE Schema 2.2
*/
public static final String PRODUCT_NAME = "product_name";
/**
* A node type in the CPE Schema 2.2
*/
public static final String PRODUCT_VERSION = "product_version";
/**
* A node type in the CPE Schema 2.2
*/
public static final String SCHEMA_VERSION = "schema_version";
/**
* A node type in the CPE Schema 2.2
*/
public static final String TIMESTAMP = "timestamp";
/**
* A reference to the current node.
*/
private String node = null;
/**
* Gets the value of node
*
* @return the value of node
*/
public String getNode() {
return this.node;
}
/**
* Sets the value of node
*
* @param node new value of node
*/
public void setNode(String node) {
this.node = node;
}
/**
* Checks if the handler is at the CPE_LIST node
*
* @return true or false
*/
public boolean isCpeListNode() {
return CPE_LIST.equals(node);
}
/**
* Checks if the handler is at the CPE_ITEM node
*
* @return true or false
*/
public boolean isCpeItemNode() {
return CPE_ITEM.equals(node);
}
/**
* Checks if the handler is at the TITLE node
*
* @return true or false
*/
public boolean isTitleNode() {
return TITLE.equals(node);
}
/**
* Checks if the handler is at the NOTES node
*
* @return true or false
*/
public boolean isNotesNode() {
return NOTES.equals(node);
}
/**
* Checks if the handler is at the NOTE node
*
* @return true or false
*/
public boolean isNoteNode() {
return NOTE.equals(node);
}
/**
* Checks if the handler is at the CHECK node
*
* @return true or false
*/
public boolean isCheckNode() {
return CHECK.equals(node);
}
/**
* Checks if the handler is at the META node
*
* @return true or false
*/
public boolean isMetaNode() {
return META.equals(node);
}
/**
* Checks if the handler is at the GENERATOR node
*
* @return true or false
*/
public boolean isGeneratorNode() {
return GENERATOR.equals(node);
}
/**
* Checks if the handler is at the PRODUCT_NAME node
*
* @return true or false
*/
public boolean isProductNameNode() {
return PRODUCT_NAME.equals(node);
}
/**
* Checks if the handler is at the PRODUCT_VERSION node
*
* @return true or false
*/
public boolean isProductVersionNode() {
return PRODUCT_VERSION.equals(node);
}
/**
* Checks if the handler is at the SCHEMA_VERSION node
*
* @return true or false
*/
public boolean isSchemaVersionNode() {
return SCHEMA_VERSION.equals(node);
}
/**
* Checks if the handler is at the TIMESTAMP node
*
* @return true or false
*/
public boolean isTimestampNode() {
return TIMESTAMP.equals(node);
}
}
// </editor-fold>
}

125
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/Cpe.java Normal file
View File

@@ -0,0 +1,125 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.update.cpe;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import org.owasp.dependencycheck.data.update.exception.InvalidDataException;
/**
*
* @author Jeremy Long
*/
public class Cpe {
/**
* Constructs a new Cpe Object by parsing the vendor and product from the CPE identifier value.
*
* @param value the cpe identifier (cpe:/a:vendor:product:version:....)
* @throws UnsupportedEncodingException thrown if UTF-8 is not supported
* @throws InvalidDataException thrown if the CPE provided is not the correct format
*/
public Cpe(String value) throws UnsupportedEncodingException, InvalidDataException {
this.value = value;
final String[] data = value.substring(7).split(":");
if (data.length >= 2) {
vendor = URLDecoder.decode(data[0].replace("+", "%2B"), "UTF-8");
product = URLDecoder.decode(data[1].replace("+", "%2B"), "UTF-8");
} else {
throw new InvalidDataException(String.format("CPE has an invalid format: %s", value));
}
}
/**
* The CPE identifier string (cpe:/a:vendor:product:version).
*/
private String value;
/**
* Get the value of value.
*
* @return the value of value
*/
public String getValue() {
return value;
}
/**
* Set the value of value.
*
* @param value new value of value
*/
public void setValue(String value) {
this.value = value;
}
/**
* The vendor portion of the identifier.
*/
private String vendor;
/**
* Get the value of vendor.
*
* @return the value of vendor
*/
public String getVendor() {
return vendor;
}
/**
* Set the value of vendor.
*
* @param vendor new value of vendor
*/
public void setVendor(String vendor) {
this.vendor = vendor;
}
/**
* The product portion of the identifier.
*/
private String product;
/**
* Get the value of product.
*
* @return the value of product
*/
public String getProduct() {
return product;
}
/**
* Set the value of product.
*
* @param product new value of product
*/
public void setProduct(String product) {
this.product = product;
}
/**
* Returns the full CPE identifier.
*
* @return the full CPE identifier
*/
@Override
public String toString() {
return value;
}
}

7
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/package-info.java Normal file
View File

@@ -0,0 +1,7 @@
/**
* Contains classes used to parse the CPE XML file from NIST.<br/><br/>
*
* These classes are not used as they add no value over the existing CPE data contained within the CVE data from the NVD. However,
* we may consider pulling the more descriptive data from the CPE data in the future.
*/
package org.owasp.dependencycheck.data.update.cpe;

10
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/DownloadTask.java → dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java
View File

@@ -15,7 +15,7 @@
*
* Copyright (c) 2013 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.update.task;
package org.owasp.dependencycheck.data.update.nvd;
import java.io.File;
import java.io.FileInputStream;
@@ -29,7 +29,6 @@ import java.util.concurrent.Future;
import java.util.zip.GZIPInputStream;
import org.apache.commons.io.FileUtils;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.update.NvdCveInfo;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.owasp.dependencycheck.utils.DownloadFailedException;
import org.owasp.dependencycheck.utils.Downloader;
@@ -55,8 +54,8 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
* @param nvdCveInfo the NVD CVE info
* @param processor the processor service to submit the downloaded files to
* @param cveDB the CVE DB to use to store the vulnerability data
* @param settings a reference to the global settings object; this is necessary so that when the thread is started
* the dependencies have a correct reference to the global settings.
* @param settings a reference to the global settings object; this is necessary so that when the thread is started the
* dependencies have a correct reference to the global settings.
* @throws UpdateException thrown if temporary files could not be created
*/
public DownloadTask(NvdCveInfo nvdCveInfo, ExecutorService processor, CveDB cveDB, Settings settings) throws UpdateException {
@@ -248,8 +247,7 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
}
/**
* Extracts the file contained in a gzip archive. The extracted file is placed in the exact same path as the file
* specified.
* Extracts the file contained in a gzip archive. The extracted file is placed in the exact same path as the file specified.
*
* @param file the archive file
* @throws FileNotFoundException thrown if the file does not exist

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/xml/NvdCve12Handler.java → dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCve12Handler.java
View File

@@ -15,7 +15,7 @@
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.update.xml;
package org.owasp.dependencycheck.data.update.nvd;
import java.util.ArrayList;
import java.util.HashMap;

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/xml/NvdCve20Handler.java → dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCve20Handler.java
View File

@@ -15,7 +15,7 @@
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.update.xml;
package org.owasp.dependencycheck.data.update.nvd;
import java.io.IOException;
import java.util.List;

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveInfo.java → dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCveInfo.java
View File

@@ -15,7 +15,7 @@
*
* Copyright (c) 2013 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.update;
package org.owasp.dependencycheck.data.update.nvd;
/**
* A pojo that contains the Url and timestamp of the current NvdCve XML files.

12
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/ProcessTask.java → dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/ProcessTask.java
View File

@@ -15,7 +15,7 @@
*
* Copyright (c) 2013 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.update.task;
package org.owasp.dependencycheck.data.update.nvd;
import java.io.File;
import java.io.FileNotFoundException;
@@ -31,8 +31,6 @@ import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.owasp.dependencycheck.data.update.xml.NvdCve12Handler;
import org.owasp.dependencycheck.data.update.xml.NvdCve20Handler;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
@@ -94,8 +92,8 @@ public class ProcessTask implements Callable<ProcessTask> {
*
* @param cveDB the data store object
* @param filePair the download task that contains the URL references to download
* @param settings a reference to the global settings object; this is necessary so that when the thread is started
* the dependencies have a correct reference to the global settings.
* @param settings a reference to the global settings object; this is necessary so that when the thread is started the
* dependencies have a correct reference to the global settings.
*/
public ProcessTask(final CveDB cveDB, final DownloadTask filePair, Settings settings) {
this.cveDB = cveDB;
@@ -108,8 +106,8 @@ public class ProcessTask implements Callable<ProcessTask> {
* Implements the callable interface.
*
* @return this object
* @throws Exception thrown if there is an exception; note that any UpdateExceptions are simply added to the tasks
* exception collection
* @throws Exception thrown if there is an exception; note that any UpdateExceptions are simply added to the tasks exception
* collection
*/
@Override
public ProcessTask call() throws Exception {

14
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/UpdateableNvdCve.java → dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/UpdateableNvdCve.java
View File

@@ -15,7 +15,7 @@
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.update;
package org.owasp.dependencycheck.data.update.nvd;
import java.net.MalformedURLException;
import java.net.URL;
@@ -27,8 +27,8 @@ import org.owasp.dependencycheck.utils.DownloadFailedException;
import org.owasp.dependencycheck.utils.Downloader;
/**
* Contains a collection of updateable NvdCveInfo objects. This is used to determine which files need to be downloaded
* and processed.
* Contains a collection of updateable NvdCveInfo objects. This is used to determine which files need to be downloaded and
* processed.
*
* @author Jeremy Long
*/
@@ -67,8 +67,7 @@ public class UpdateableNvdCve implements java.lang.Iterable<NvdCveInfo>, Iterato
*
* @param id the key for the item to be added
* @param url the URL to download the item
* @param oldUrl the URL for the old version of the item (the NVD CVE old schema still contains useful data we
* need).
* @param oldUrl the URL for the old version of the item (the NVD CVE old schema still contains useful data we need).
* @throws MalformedURLException thrown if the URL provided is invalid
* @throws DownloadFailedException thrown if the download fails.
*/
@@ -81,8 +80,7 @@ public class UpdateableNvdCve implements java.lang.Iterable<NvdCveInfo>, Iterato
*
* @param id the key for the item to be added
* @param url the URL to download the item
* @param oldUrl the URL for the old version of the item (the NVD CVE old schema still contains useful data we
* need).
* @param oldUrl the URL for the old version of the item (the NVD CVE old schema still contains useful data we need).
* @param needsUpdate whether or not the data needs to be updated
* @throws MalformedURLException thrown if the URL provided is invalid
* @throws DownloadFailedException thrown if the download fails.
@@ -175,7 +173,7 @@ public class UpdateableNvdCve implements java.lang.Iterable<NvdCveInfo>, Iterato
* @param key the key to lookup the return value
* @return the NvdCveInfo object stored using the specified key
*/
NvdCveInfo get(String key) {
public NvdCveInfo get(String key) {
return collection.get(key);
}

4
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/package-info.java Normal file
View File

@@ -0,0 +1,4 @@
/**
* Contains classes used to download, parse, and load the NVD CVE data from NIST into the local database.<br/><br/>
*/
package org.owasp.dependencycheck.data.update.nvd;

4
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/package-info.java
View File

@@ -1,4 +0,0 @@
/**
* A collection of callable/runnable tasks used to speed up the update process.
*/
package org.owasp.dependencycheck.data.update.task;

8
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/xml/package-info.java
View File

@@ -1,8 +0,0 @@
/**
* Contains classes used to parse the NVD CVE XML file.<br/><br/>
*
* The basic use is that the Importer is called to import an NVD CVE file. The Importer instantiates an Indexer object (which
* extends Index). The Indexer creates a partial-unmarshalling SAX parser (implemented in the NvdCveXmlFilter) that extracts
* VulnerabilityTypes (aka Entry) from the NVD CVE data file and stores these into a Lucene Index.
*/
package org.owasp.dependencycheck.data.update.xml;

31
dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
View File

@@ -57,8 +57,7 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
/**
* <p>
* Parses a name attribute value, from the cpe.xml, into its corresponding parts: vendor, product, version,
* revision.</p>
* Parses a name attribute value, from the cpe.xml, into its corresponding parts: vendor, product, version, update.</p>
* <p>
* Example:</p>
* <code>&nbsp;&nbsp;&nbsp;cpe:/a:apache:struts:1.1:rc2</code>
@@ -85,7 +84,7 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
version = urlDecode(data[2]);
}
if (data.length >= 4) {
revision = urlDecode(data[3]);
update = urlDecode(data[3]);
}
if (data.length >= 5) {
edition = urlDecode(data[4]);
@@ -297,26 +296,26 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
this.version = version;
}
/**
* The product revision version.
* The product update version.
*/
private String revision;
private String update;
/**
* Get the value of revision.
* Get the value of update.
*
* @return the value of revision
* @return the value of update
*/
public String getRevision() {
return revision;
public String getUpdate() {
return update;
}
/**
* Set the value of revision.
* Set the value of update.
*
* @param revision new value of revision
* @param update new value of update
*/
public void setRevision(String revision) {
this.revision = revision;
public void setUpdate(String update) {
this.update = update;
}
/**
* The product edition.
@@ -363,11 +362,9 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
}
/**
* Call {@link java.net.URLDecoder#decode(String)} to URL decode using the
* default encoding.
* Call {@link java.net.URLDecoder#decode(String)} to URL decode using the default encoding.
*
* @param text
* www-form-encoded URL to decode
* @param text www-form-encoded URL to decode
* @return the newly decoded String
*/
@SuppressWarnings("deprecation")

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DCResources.java
View File

@@ -22,7 +22,7 @@ import ch.qos.cal10n.Locale;
import ch.qos.cal10n.LocaleData;
/**
* Created by colezlaw on 6/13/15.
* @author colezlaw
*/
@BaseName("dependencycheck-resources")
@LocaleData(defaultCharset = "UTF-8",

8
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/ExtractionUtil.java
View File

@@ -17,8 +17,6 @@
*/
package org.owasp.dependencycheck.utils;
import static org.owasp.dependencycheck.utils.FileUtils.getFileExtension;
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.Closeable;
@@ -109,8 +107,7 @@ public final class ExtractionUtil {
}
} else {
final File file = new File(extractTo, entry.getName());
final String ext = getFileExtension(file.getName());
if (engine == null || engine.supportsExtension(ext)) {
if (engine == null || engine.accept(file)) {
BufferedOutputStream bos = null;
FileOutputStream fos;
try {
@@ -227,7 +224,7 @@ public final class ExtractionUtil {
final File file = new File(destination, entry.getName());
if (filter.accept(file.getParentFile(), file.getName())) {
LOGGER.debug("Extracting '{}'",
file.getPath());
file.getPath());
BufferedOutputStream bos = null;
FileOutputStream fos = null;
try {
@@ -303,5 +300,4 @@ public final class ExtractionUtil {
}
}
}
}

138
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/FileFilterBuilder.java Normal file
View File

@@ -0,0 +1,138 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
*/
package org.owasp.dependencycheck.utils;
import org.apache.commons.io.IOCase;
import org.apache.commons.io.filefilter.IOFileFilter;
import org.apache.commons.io.filefilter.NameFileFilter;
import org.apache.commons.io.filefilter.OrFileFilter;
import org.apache.commons.io.filefilter.SuffixFileFilter;
import java.io.FileFilter;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
/**
* <p>
* Utility class for building useful {@link FileFilter} instances for
* {@link org.owasp.dependencycheck.analyzer.AbstractFileTypeAnalyzer} implementations. The built filter uses {@link OrFileFilter}
* to logically OR the given filter conditions. Example usage:</p>
*
* <pre>
* FileFilter filter = FileFilterBuilder.newInstance().addExtensions("jar", "war").build();
* </pre>
*
* @author Dale Visser <dvisser@ida.org>
* @see <a href="https://en.wikipedia.org/wiki/Builder_pattern">Builder pattern</a>
*/
public class FileFilterBuilder {
/**
* A set of filenames to filter.
*/
private final Set<String> filenames = new HashSet<String>();
/**
* A set of extensions to filter.
*/
private final Set<String> extensions = new HashSet<String>();
/**
* An array list of file filters.
*/
private final List<IOFileFilter> fileFilters = new ArrayList<IOFileFilter>();
/**
* Create a new instance and return it. This method is for convenience in using the builder pattern within a single statement.
*
* @return a new builder instance
*/
public static FileFilterBuilder newInstance() {
return new FileFilterBuilder();
}
/**
* Add to the set of filenames to accept for analysis. Case-sensitivity is assumed.
*
* @param names one or more filenames to accept for analysis
* @return this builder
*/
public FileFilterBuilder addFilenames(String... names) {
filenames.addAll(Arrays.asList(names));
return this;
}
/**
* Add to the set of file extensions to accept for analysis. Case-insensitivity is assumed.
*
* @param extensions one or more file extensions to accept for analysis
* @return this builder
*/
public FileFilterBuilder addExtensions(String... extensions) {
return this.addExtensions(Arrays.asList(extensions));
}
/**
* Add to the set of file extensions to accept for analysis. Case-insensitivity is assumed.
*
* @param extensions one or more file extensions to accept for analysis
* @return this builder
*/
public FileFilterBuilder addExtensions(Iterable<String> extensions) {
for (String extension : extensions) {
// Ultimately, SuffixFileFilter will be used, and the "." needs to be explicit.
this.extensions.add(extension.startsWith(".") ? extension : "." + extension);
}
return this;
}
/**
* Add to a list of {@link IOFileFilter} instances to consult for whether to accept a file for analysis.
*
* @param filters one or more file filters to consult for whether to accept for analysis
* @return this builder
*/
public FileFilterBuilder addFileFilters(IOFileFilter... filters) {
fileFilters.addAll(Arrays.asList(filters));
return this;
}
/**
* Builds the filter and returns it.
*
* @return a filter that is the logical OR of all the conditions provided by the add... methods
* @throws IllegalStateException if no add... method has been called with one or more arguments
*/
public FileFilter build() {
if (filenames.isEmpty() && extensions.isEmpty() && fileFilters.isEmpty()) {
throw new IllegalStateException("May only be invoked after at least one add... method has been invoked.");
}
final OrFileFilter filter = new OrFileFilter();
if (!filenames.isEmpty()) {
filter.addFileFilter(new NameFileFilter(new ArrayList<String>(filenames)));
}
if (!extensions.isEmpty()) {
filter.addFileFilter(new SuffixFileFilter(new ArrayList<String>(extensions), IOCase.INSENSITIVE));
}
for (IOFileFilter iof : fileFilters) {
filter.addFileFilter(iof);
}
return filter;
}
}

6
dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomUtils.java
View File

@@ -48,8 +48,7 @@ public final class PomUtils {
*
* @param file the pom.xml file
* @return returns a
* @throws AnalysisException is thrown if there is an exception extracting or parsing the POM
* {@link org.owasp.dependencycheck.jaxb.pom.generated.Model} object
* @throws AnalysisException is thrown if there is an exception extracting or parsing the POM {@link Model} object
*/
public static Model readPom(File file) throws AnalysisException {
Model model = null;
@@ -78,8 +77,7 @@ public final class PomUtils {
* @param path the path to the pom.xml file within the jar file
* @param jar the jar file to extract the pom from
* @return returns a
* @throws AnalysisException is thrown if there is an exception extracting or parsing the POM
* {@link org.owasp.dependencycheck.jaxb.pom.generated.Model} object
* @throws AnalysisException is thrown if there is an exception extracting or parsing the POM {@link Model} object
*/
public static Model readPom(String path, JarFile jar) throws AnalysisException {
final ZipEntry entry = jar.getEntry(path);

3
dependency-check-core/src/main/resources/data/dbStatements.properties
View File

@@ -34,3 +34,6 @@ SELECT_PROPERTY=SELECT id, value FROM properties WHERE id = ?
INSERT_PROPERTY=INSERT INTO properties (id, value) VALUES (?, ?)
UPDATE_PROPERTY=UPDATE properties SET value = ? WHERE id = ?
DELETE_PROPERTY=DELETE FROM properties WHERE id = ?
DELETE_UNUSED_DICT_CPE=DELETE FROM cpeEntry WHERE dictionaryEntry=true AND id NOT IN (SELECT cpeEntryId FROM software)
ADD_DICT_CPE=MERGE INTO cpeEntry (cpe, vendor, product, dictionaryEntry) KEY(cpe) VALUES(?,?,?,true)

7
dependency-check-core/src/main/resources/data/upgrade_2.9.sql Normal file
View File

@@ -0,0 +1,7 @@
--the following is not currently used.
--ALTER TABLE cpeEntry ADD COLUMN IF NOT EXISTS dictionaryEntry BOOLEAN;
--ALTER TABLE cpeEntry ALTER COLUMN dictionaryEntry SET DEFAULT FALSE;
--UPDATE cpeEntry SET dictionaryEntry=false;
--UPDATE Properties SET value='3.0' WHERE ID='version';

4
dependency-check-core/src/main/resources/dependencycheck.properties
View File

@@ -17,7 +17,7 @@ engine.version.url=http://jeremylong.github.io/DependencyCheck/current.txt
# below contains a %s then the data.directory will replace the %s.
data.directory=[JAR]/data
#if the filename has a %s it will be replaced with the current expected version
data.file_name=cve.%s.h2.db
data.file_name=dc.h2.db
data.version=2.9
data.connection_string=jdbc:h2:file:%s;FILE_LOCK=SERIALIZED;AUTOCOMMIT=ON;
#data.connection_string=jdbc:mysql://localhost:3306/dependencycheck
@@ -53,6 +53,8 @@ cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
#cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
cpe.validfordays=30
cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
# file type analyzer settings:
analyzer.archive.enabled=true

41
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIntegrationTest.java
View File

@@ -20,8 +20,7 @@ package org.owasp.dependencycheck.analyzer;
import java.io.File;
import java.util.HashSet;
import java.util.Set;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.*;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.Engine;
@@ -39,7 +38,7 @@ public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
* Test of getSupportedExtensions method, of class ArchiveAnalyzer.
*/
@Test
public void testGetSupportedExtensions() {
public void testSupportsExtensions() {
ArchiveAnalyzer instance = new ArchiveAnalyzer();
Set<String> expResult = new HashSet<String>();
expResult.add("zip");
@@ -52,8 +51,9 @@ public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
expResult.add("tar");
expResult.add("gz");
expResult.add("tgz");
Set result = instance.getSupportedExtensions();
assertEquals(expResult, result);
for (String ext : expResult) {
assertTrue(ext, instance.accept(new File("test." + ext)));
}
}
/**
@@ -72,28 +72,9 @@ public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
*/
@Test
public void testSupportsExtension() {
String extension = "7z"; //not supported
String extension = "test.7z"; //not supported
ArchiveAnalyzer instance = new ArchiveAnalyzer();
boolean expResult = false;
boolean result = instance.supportsExtension(extension);
assertEquals(expResult, result);
extension = "war"; //supported
expResult = true;
result = instance.supportsExtension(extension);
assertEquals(expResult, result);
extension = "ear"; //supported
result = instance.supportsExtension(extension);
assertEquals(expResult, result);
extension = "zip"; //supported
result = instance.supportsExtension(extension);
assertEquals(expResult, result);
extension = "nupkg"; //supported
result = instance.supportsExtension(extension);
assertEquals(expResult, result);
assertFalse(extension, instance.accept(new File(extension)));
}
/**
@@ -129,7 +110,7 @@ public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
public void testAnalyze() throws Exception {
ArchiveAnalyzer instance = new ArchiveAnalyzer();
//trick the analyzer into thinking it is active.
instance.supportsExtension("ear");
instance.accept(new File("test.ear"));
try {
instance.initialize();
File file = BaseTest.getResourceAsFile(this, "daytrader-ear-2.1.7.ear");
@@ -160,7 +141,7 @@ public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
public void testAnalyzeTar() throws Exception {
ArchiveAnalyzer instance = new ArchiveAnalyzer();
//trick the analyzer into thinking it is active so that it will initialize
instance.supportsExtension("tar");
instance.accept(new File("test.tar"));
try {
instance.initialize();
@@ -191,7 +172,7 @@ public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
@Test
public void testAnalyzeTarGz() throws Exception {
ArchiveAnalyzer instance = new ArchiveAnalyzer();
instance.supportsExtension("zip"); //ensure analyzer is "enabled"
instance.accept(new File("zip")); //ensure analyzer is "enabled"
try {
instance.initialize();
@@ -244,7 +225,7 @@ public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
@Test
public void testAnalyzeTgz() throws Exception {
ArchiveAnalyzer instance = new ArchiveAnalyzer();
instance.supportsExtension("zip"); //ensure analyzer is "enabled"
instance.accept(new File("zip")); //ensure analyzer is "enabled"
try {
instance.initialize();

4
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java
View File

@@ -58,7 +58,7 @@ public class AssemblyAnalyzerTest extends BaseTest {
public void setUp() throws Exception {
try {
analyzer = new AssemblyAnalyzer();
analyzer.supportsExtension("dll");
analyzer.accept(new File("test.dll")); // trick into "thinking it is active"
analyzer.initialize();
} catch (Exception e) {
if (e.getMessage().contains("Could not execute .NET AssemblyAnalyzer")) {
@@ -155,7 +155,7 @@ public class AssemblyAnalyzerTest extends BaseTest {
System.setProperty(LOG_KEY, "error");
// Have to make a NEW analyzer because during setUp, it would have gotten the correct one
AssemblyAnalyzer aanalyzer = new AssemblyAnalyzer();
aanalyzer.supportsExtension("dll");
aanalyzer.accept(new File("test.dll")); // trick into "thinking it is active"
aanalyzer.initialize();
fail("Expected an AnalysisException");
} catch (AnalysisException ae) {

34
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzerTest.java
View File

@@ -17,13 +17,6 @@
*/
package org.owasp.dependencycheck.analyzer;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import java.util.Arrays;
import java.util.HashSet;
import org.apache.commons.lang.StringUtils;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
@@ -31,6 +24,11 @@ import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Dependency;
import java.io.File;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
/**
* Unit tests for AutoconfAnalyzer. The test resources under autoconf/ were
* obtained from outside open source software projects. Links to those projects
@@ -164,27 +162,15 @@ public class AutoconfAnalyzerTest extends BaseTest {
}
/**
* Test of {@link AutoconfAnalyzer#getSupportedExtensions}.
* Test of {@link AutoconfAnalyzer#accept(File)}.
*/
@Test
public void testGetSupportedExtensions() {
final String[] expected = { "ac", "in", "configure" };
assertEquals("Supported extensions should just have the following: "
+ StringUtils.join(expected, ", "),
new HashSet<String>(Arrays.asList(expected)),
analyzer.getSupportedExtensions());
}
/**
* Test of {@link AutoconfAnalyzer#supportsExtension}.
*/
@Test
public void testSupportsExtension() {
public void testSupportsFileExtension() {
assertTrue("Should support \"ac\" extension.",
analyzer.supportsExtension("ac"));
analyzer.accept(new File("configure.ac")));
assertTrue("Should support \"in\" extension.",
analyzer.supportsExtension("in"));
analyzer.accept(new File("configure.in")));
assertTrue("Should support \"configure\" extension.",
analyzer.supportsExtension("configure"));
analyzer.accept(new File("configure")));
}
}

2
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java
View File

@@ -149,7 +149,7 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
HintAnalyzer hintAnalyzer = new HintAnalyzer();
JarAnalyzer jarAnalyzer = new JarAnalyzer();
jarAnalyzer.supportsExtension("jar");
jarAnalyzer.accept(new File("test.jar"));//trick analyzer into "thinking it is active"
jarAnalyzer.analyze(struts, null);
hintAnalyzer.analyze(struts, null);

39
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java
View File

@@ -17,19 +17,19 @@
*/
package org.owasp.dependencycheck.analyzer;
import java.io.File;
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
import java.io.File;
import java.util.HashSet;
import java.util.Set;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
/**
*
* @author Jeremy Long
*/
public class JarAnalyzerTest extends BaseTest {
@@ -94,13 +94,14 @@ public class JarAnalyzerTest extends BaseTest {
* Test of getSupportedExtensions method, of class JarAnalyzer.
*/
@Test
public void testGetSupportedExtensions() {
public void testAcceptSupportedExtensions() throws Exception {
JarAnalyzer instance = new JarAnalyzer();
Set<String> expResult = new HashSet<String>();
expResult.add("jar");
expResult.add("war");
Set result = instance.getSupportedExtensions();
assertEquals(expResult, result);
instance.initialize();
instance.setEnabled(true);
String[] files = {"test.jar", "test.war"};
for (String name : files) {
assertTrue(name, instance.accept(new File(name)));
}
}
/**
@@ -114,16 +115,4 @@ public class JarAnalyzerTest extends BaseTest {
assertEquals(expResult, result);
}
/**
* Test of supportsExtension method, of class JarAnalyzer.
*/
@Test
public void testSupportsExtension() {
String extension = "jar";
JarAnalyzer instance = new JarAnalyzer();
boolean expResult = true;
boolean result = instance.supportsExtension(extension);
assertEquals(expResult, result);
}
}

126
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzerTest.java
View File

@@ -1,126 +0,0 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.analyzer;
import java.io.File;
import java.util.HashSet;
import java.util.Set;
import static org.junit.Assert.assertEquals;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.dependency.Dependency;
/**
*
* @author Jeremy Long
*/
public class JavaScriptAnalyzerTest extends BaseTest {
/**
* Test of getSupportedExtensions method, of class JavaScriptAnalyzer.
*/
@Test
public void testGetSupportedExtensions() {
JavaScriptAnalyzer instance = new JavaScriptAnalyzer();
Set<String> expResult = new HashSet<String>();
expResult.add("js");
Set result = instance.getSupportedExtensions();
assertEquals(expResult, result);
}
/**
* Test of getName method, of class JavaScriptAnalyzer.
*/
@Test
public void testGetName() {
System.out.println("getName");
JavaScriptAnalyzer instance = new JavaScriptAnalyzer();
String expResult = "JavaScript Analyzer";
String result = instance.getName();
assertEquals(expResult, result);
}
/**
* Test of supportsExtension method, of class JavaScriptAnalyzer.
*/
@Test
public void testSupportsExtension() {
String extension = "js";
JavaScriptAnalyzer instance = new JavaScriptAnalyzer();
boolean expResult = true;
boolean result = instance.supportsExtension(extension);
assertEquals(expResult, result);
}
/**
* Test of getAnalysisPhase method, of class JavaScriptAnalyzer.
*/
@Test
public void testGetAnalysisPhase() {
JavaScriptAnalyzer instance = new JavaScriptAnalyzer();
AnalysisPhase expResult = AnalysisPhase.INFORMATION_COLLECTION;
AnalysisPhase result = instance.getAnalysisPhase();
assertEquals(expResult, result);
}
/**
* Test of analyze method, of class JavaScriptAnalyzer.
*/
@Test
public void testAnalyze() throws Exception {
//File jq6 = new File(this.getClass().getClassLoader().getResource("jquery-1.6.2.min.js").getPath());
File jq6 = BaseTest.getResourceAsFile(this, "jquery-1.6.2.min.js");
//File jq10 = new File(this.getClass().getClassLoader().getResource("jquery-1.10.2.js").getPath());
File jq10 = BaseTest.getResourceAsFile(this, "jquery-1.10.2.js");
//File jq10min = new File(this.getClass().getClassLoader().getResource("jquery-1.10.2.min.js").getPath());
File jq10min = BaseTest.getResourceAsFile(this, "jquery-1.10.2.min.js");
Dependency depJQ6 = new Dependency(jq6);
Dependency depJQ10 = new Dependency(jq10);
Dependency depJQ10min = new Dependency(jq10min);
Engine engine = null;
JavaScriptAnalyzer instance = new JavaScriptAnalyzer();
// assertTrue(depJQ6.getEvidence().size() == 0);
// assertTrue(depJQ10.getEvidence().size() == 0);
// assertTrue(depJQ10min.getEvidence().size() == 0);
//
// instance.analyze(depJQ6, engine);
// instance.analyze(depJQ10, engine);
// instance.analyze(depJQ10min, engine);
// //TODO improve the assertions
// assertTrue(depJQ6.getEvidence().size() > 0);
// assertTrue(depJQ10.getEvidence().size() > 0);
// assertTrue(depJQ10min.getEvidence().size() > 0);
}
/**
* Test of initialize method, of class JavaScriptAnalyzer.
*/
@Test
public void testInitialize() throws Exception {
}
/**
* Test of close method, of class JavaScriptAnalyzer.
*/
@Test
public void testClose() throws Exception {
}
}

15
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzerTest.java
View File

@@ -24,6 +24,8 @@ import org.junit.Before;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import java.io.File;
public class NuspecAnalyzerTest extends BaseTest {
private NuspecAnalyzer instance;
@@ -31,6 +33,7 @@ public class NuspecAnalyzerTest extends BaseTest {
@Before
public void setUp() throws Exception {
instance = new NuspecAnalyzer();
instance.initialize();
instance.setEnabled(true);
}
@@ -40,15 +43,9 @@ public class NuspecAnalyzerTest extends BaseTest {
}
@Test
public void testGetSupportedExtensions() {
assertTrue(instance.getSupportedExtensions().contains("nuspec"));
assertFalse(instance.getSupportedExtensions().contains("nupkg"));
}
@Test
public void testSupportsExtension() {
assertTrue(instance.supportsExtension("nuspec"));
assertFalse(instance.supportsExtension("nupkg"));
public void testSupportsFileExtensions() {
assertTrue(instance.accept(new File("test.nuspec")));
assertFalse(instance.accept(new File("test.nupkg")));
}
@Test

38
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java
View File

@@ -17,13 +17,6 @@
*/
package org.owasp.dependencycheck.analyzer;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import java.util.Arrays;
import java.util.HashSet;
import org.apache.commons.lang.StringUtils;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
@@ -32,6 +25,11 @@ import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
import java.io.File;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
/**
* Unit tests for PythonDistributionAnalyzer.
*
@@ -76,33 +74,21 @@ public class PythonDistributionAnalyzerTest extends BaseTest {
analyzer.getName());
}
/**
* Test of getSupportedExtensions method, of class PythonDistributionAnalyzer.
*/
@Test
public void testGetSupportedExtensions() {
final String[] expected = {"whl", "egg", "zip", "METADATA", "PKG-INFO"};
assertEquals("Supported extensions should just have the following: "
+ StringUtils.join(expected, ", "),
new HashSet<String>(Arrays.asList(expected)),
analyzer.getSupportedExtensions());
}
/**
* Test of supportsExtension method, of class PythonDistributionAnalyzer.
*/
@Test
public void testSupportsExtension() {
public void testSupportsFiles() {
assertTrue("Should support \"whl\" extension.",
analyzer.supportsExtension("whl"));
analyzer.accept(new File("test.whl")));
assertTrue("Should support \"egg\" extension.",
analyzer.supportsExtension("egg"));
analyzer.accept(new File("test.egg")));
assertTrue("Should support \"zip\" extension.",
analyzer.supportsExtension("zip"));
analyzer.accept(new File("test.zip")));
assertTrue("Should support \"METADATA\" extension.",
analyzer.supportsExtension("METADATA"));
analyzer.accept(new File("METADATA")));
assertTrue("Should support \"PKG-INFO\" extension.",
analyzer.supportsExtension("PKG-INFO"));
analyzer.accept(new File("PKG-INFO")));
}
/**
@@ -119,7 +105,7 @@ public class PythonDistributionAnalyzerTest extends BaseTest {
/**
* Test of inspect method, of class PythonDistributionAnalyzer.
*
* @throws Exception is thrown when an exception occurs.
* @throws AnalysisException is thrown when an exception occurs.
*/
@Test
public void testAnalyzeSitePackage() throws AnalysisException {

20
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java
View File

@@ -17,7 +17,6 @@
*/
package org.owasp.dependencycheck.analyzer;
import org.apache.commons.lang.StringUtils;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
@@ -26,8 +25,7 @@ import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
import java.util.Arrays;
import java.util.HashSet;
import java.io.File;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
@@ -76,25 +74,13 @@ public class PythonPackageAnalyzerTest extends BaseTest {
analyzer.getName());
}
/**
* Test of getSupportedExtensions method, of class PythonPackageAnalyzer.
*/
@Test
public void testGetSupportedExtensions() {
final String[] expected = {"py"};
assertEquals("Supported extensions should just have the following: "
+ StringUtils.join(expected, ", "),
new HashSet<String>(Arrays.asList(expected)),
analyzer.getSupportedExtensions());
}
/**
* Test of supportsExtension method, of class PythonPackageAnalyzer.
*/
@Test
public void testSupportsExtension() {
public void testSupportsFileExtension() {
assertTrue("Should support \"py\" extension.",
analyzer.supportsExtension("py"));
analyzer.accept(new File("test.py")));
}
@Test

2
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/BaseDBTestCase.java
View File

@@ -45,7 +45,7 @@ public abstract class BaseDBTestCase extends BaseTest {
public static void ensureDBExists() throws Exception {
java.io.File dataPath = Settings.getDataDirectory();
String fileName = String.format(Settings.getString(Settings.KEYS.DB_FILE_NAME), Settings.getString(Settings.KEYS.DB_VERSION));
String fileName = Settings.getString(Settings.KEYS.DB_FILE_NAME);
java.io.File dataFile = new File(dataPath, fileName);
if (!dataPath.exists() || !dataFile.exists()) {
dataPath.mkdirs();

2
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabasePropertiesIntegrationTest.java
View File

@@ -21,7 +21,7 @@ import java.util.Properties;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import org.junit.Test;
import org.owasp.dependencycheck.data.update.NvdCveInfo;
import org.owasp.dependencycheck.data.update.nvd.NvdCveInfo;
/**
*

98
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/BaseUpdaterTest.java Normal file
View File

@@ -0,0 +1,98 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.update;
import org.junit.Test;
import static org.junit.Assert.*;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
/**
*
* @author Jeremy Long
*/
public class BaseUpdaterTest extends BaseTest {
/**
* Test of getCveDB method, of class BaseUpdater.
*/
@Test
public void testGetCveDB() {
BaseUpdater instance = new BaseUpdaterImpl();
CveDB expResult = null;
CveDB result = instance.getCveDB();
assertEquals(expResult, result);
}
/**
* Test of getProperties method, of class BaseUpdater.
*/
@Test
public void testGetProperties() throws UpdateException {
BaseUpdater instance = null;
try {
instance = new BaseUpdaterImpl();
instance.openDataStores();
DatabaseProperties result = instance.getProperties();
assertTrue(result.getProperties().keySet().size() > 1);
} finally {
if (instance != null) {
instance.closeDataStores();
}
}
}
/**
* Test of closeDataStores method, of class BaseUpdater.
*/
@Test
public void testCloseDataStores() throws UpdateException {
BaseUpdater instance = null;
try {
instance = new BaseUpdaterImpl();
instance.openDataStores();
} finally {
if (instance != null) {
instance.closeDataStores();
}
}
}
/**
* Test of openDataStores method, of class BaseUpdater.
*/
@Test
public void testOpenDataStores() throws Exception {
BaseUpdater instance = null;
try {
instance = new BaseUpdaterImpl();
instance.openDataStores();
} finally {
if (instance != null) {
instance.closeDataStores();
}
}
}
public class BaseUpdaterImpl extends BaseUpdater {
}
}

43
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/CpeUpdaterIntegrationTest.java Normal file
View File

@@ -0,0 +1,43 @@
/*
* Copyright 2015 OWASP.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.owasp.dependencycheck.data.update;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import static org.junit.Assert.*;
import org.owasp.dependencycheck.BaseTest;
/**
*
* @author jeremy
*/
public class CpeUpdaterIntegrationTest extends BaseTest {
/**
* Test of update method, of class CpeUpdater.
*/
@Test
public void testUpdate() throws Exception {
//commented out as the current code base does not utilize the CpeU[pdater.
// CpeUpdater instance = new CpeUpdater();
// instance.update();
}
}

61
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/NvdCveUpdaterIntegrationTest.java
View File

@@ -17,12 +17,13 @@
*/
package org.owasp.dependencycheck.data.update;
import java.io.File;
import java.util.Calendar;
import org.junit.Before;
import java.net.MalformedURLException;
import static org.junit.Assert.assertNotNull;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.utils.Settings;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.owasp.dependencycheck.data.update.nvd.UpdateableNvdCve;
import org.owasp.dependencycheck.utils.DownloadFailedException;
/**
*
@@ -30,39 +31,33 @@ import org.owasp.dependencycheck.utils.Settings;
*/
public class NvdCveUpdaterIntegrationTest extends BaseTest {
@Before
public void setUp() throws Exception {
int year = Calendar.getInstance().get(Calendar.YEAR);
if (year <= 2014) {
//File f = new File(NvdCveUpdaterIntegrationTest.class.getClassLoader().getResource("nvdcve-2.0-2014.xml").getPath());
File f = BaseTest.getResourceAsFile(this, "nvdcve-2.0-2014.xml");
String baseURL = f.toURI().toURL().toString();
String modified12 = baseURL.replace("nvdcve-2.0-2014.xml", "nvdcve-modified.xml");
String modified20 = baseURL.replace("nvdcve-2.0-2014.xml", "nvdcve-2.0-modified.xml");
String full12 = baseURL.replace("nvdcve-2.0-2014.xml", "nvdcve-%d.xml");
String full20 = baseURL.replace("nvdcve-2.0-2014.xml", "nvdcve-2.0-%d.xml");
// cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
// cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
// cve.startyear=2014
// cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
// cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
Settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, modified12);
Settings.setString(Settings.KEYS.CVE_MODIFIED_20_URL, modified20);
Settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, full12);
Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, full20);
Settings.setString(Settings.KEYS.CVE_START_YEAR, "2014");
} else {
System.err.println("Consider updating the local data files to make the NvdCveUpdaterIntegrationTest perform faster");
}
public NvdCveUpdater getUpdater() throws MalformedURLException, DownloadFailedException, UpdateException {
NvdCveUpdater instance = new NvdCveUpdater();
return instance;
}
// test removed as it is duplicative of the EngineIntegrationTest and the NvdCveUpdaterIntergraionTest
// /**
// * Test of update method, of class StandardUpdate.
// */
// @Test
// public void testUpdate() throws Exception {
// StandardUpdate instance = getStandardUpdateTask();
// instance.update();
// //TODO make this an actual test
// }
/**
* Test of update method, of class NvdCveUpdater.
* Test of updatesNeeded method, of class StandardUpdate.
*/
@Test
public void testUpdate() throws Exception {
NvdCveUpdater instance = new NvdCveUpdater();
instance.update();
public void testUpdatesNeeded() throws Exception {
NvdCveUpdater instance = getUpdater();
try {
instance.openDataStores();
UpdateableNvdCve result = instance.getUpdatesNeeded();
assertNotNull(result);
} finally {
instance.closeDataStores();
}
}
}

67
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/StandardUpdateIntegrationTest.java
View File

@@ -1,67 +0,0 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2013 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.update;
import java.net.MalformedURLException;
import static org.junit.Assert.assertNotNull;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.owasp.dependencycheck.utils.DownloadFailedException;
/**
*
* @author Jeremy Long
*/
public class StandardUpdateIntegrationTest extends BaseTest {
public StandardUpdate getStandardUpdateTask() throws MalformedURLException, DownloadFailedException, UpdateException {
StandardUpdate instance = new StandardUpdate();
return instance;
}
/**
* Test of openDataStores method, of class StandardUpdate.
*/
@Test
public void testOpenDataStores() throws Exception {
StandardUpdate instance = getStandardUpdateTask();
instance.openDataStores();
instance.closeDataStores();
}
// test removed as it is duplicative of the EngineIntegrationTest and the NvdCveUpdaterIntergraionTest
// /**
// * Test of update method, of class StandardUpdate.
// */
// @Test
// public void testUpdate() throws Exception {
// StandardUpdate instance = getStandardUpdateTask();
// instance.update();
// //TODO make this an actual test
// }
/**
* Test of updatesNeeded method, of class StandardUpdate.
*/
@Test
public void testUpdatesNeeded() throws Exception {
StandardUpdate instance = getStandardUpdateTask();
UpdateableNvdCve result = instance.updatesNeeded();
assertNotNull(result);
}
}

6
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/task/DownloadTaskTest.java → dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/DownloadTaskTest.java
View File

@@ -15,8 +15,10 @@
*
* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.update.task;
package org.owasp.dependencycheck.data.update.nvd;
import org.owasp.dependencycheck.data.update.nvd.ProcessTask;
import org.owasp.dependencycheck.data.update.nvd.DownloadTask;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Future;
import org.junit.After;
@@ -26,7 +28,7 @@ import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.update.NvdCveInfo;
import org.owasp.dependencycheck.data.update.nvd.NvdCveInfo;
import org.owasp.dependencycheck.utils.Settings;
/**

3
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/NvdCveInfoTest.java → dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/NvdCveInfoTest.java
View File

@@ -15,8 +15,9 @@
*
* Copyright (c) 2013 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.update;
package org.owasp.dependencycheck.data.update.nvd;
import org.owasp.dependencycheck.data.update.nvd.NvdCveInfo;
import static org.junit.Assert.assertEquals;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;

69
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/NvdCveUpdaterIntegrationTest.java Normal file
View File

@@ -0,0 +1,69 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2013 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.update.nvd;
import java.io.File;
import java.util.Calendar;
import org.junit.Before;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.data.update.NvdCveUpdater;
import org.owasp.dependencycheck.utils.Settings;
/**
*
* @author Jeremy Long
*/
public class NvdCveUpdaterIntegrationTest extends BaseTest {
@Before
public void setUp() throws Exception {
int year = Calendar.getInstance().get(Calendar.YEAR);
if (year <= 2014) {
//File f = new File(NvdCveUpdaterIntegrationTest.class.getClassLoader().getResource("nvdcve-2.0-2014.xml").getPath());
File f = BaseTest.getResourceAsFile(this, "nvdcve-2.0-2014.xml");
String baseURL = f.toURI().toURL().toString();
String modified12 = baseURL.replace("nvdcve-2.0-2014.xml", "nvdcve-modified.xml");
String modified20 = baseURL.replace("nvdcve-2.0-2014.xml", "nvdcve-2.0-modified.xml");
String full12 = baseURL.replace("nvdcve-2.0-2014.xml", "nvdcve-%d.xml");
String full20 = baseURL.replace("nvdcve-2.0-2014.xml", "nvdcve-2.0-%d.xml");
// cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
// cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
// cve.startyear=2014
// cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
// cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
Settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, modified12);
Settings.setString(Settings.KEYS.CVE_MODIFIED_20_URL, modified20);
Settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, full12);
Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, full20);
Settings.setString(Settings.KEYS.CVE_START_YEAR, "2014");
} else {
System.err.println("Consider updating the local data files to make the NvdCveUpdaterIntegrationTest perform faster");
}
}
/**
* Test of update method, of class NvdCveUpdater.
*/
@Test
public void testUpdate() throws Exception {
NvdCveUpdater instance = new NvdCveUpdater();
instance.update();
}
}

3
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/xml/NvdCve_1_2_HandlerTest.java → dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/NvdCve_1_2_HandlerTest.java
View File

@@ -15,8 +15,9 @@
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.update.xml;
package org.owasp.dependencycheck.data.update.nvd;
import org.owasp.dependencycheck.data.update.nvd.NvdCve12Handler;
import java.io.File;
import java.util.List;
import java.util.Map;

3
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/xml/NvdCve_2_0_HandlerTest.java → dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/NvdCve_2_0_HandlerTest.java
View File

@@ -15,8 +15,9 @@
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.update.xml;
package org.owasp.dependencycheck.data.update.nvd;
import org.owasp.dependencycheck.data.update.nvd.NvdCve20Handler;
import java.io.File;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

4
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/UpdateableNvdCveTest.java → dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/UpdateableNvdCveTest.java
View File

@@ -15,8 +15,10 @@
*
* Copyright (c) 2013 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.update;
package org.owasp.dependencycheck.data.update.nvd;
import org.owasp.dependencycheck.data.update.nvd.UpdateableNvdCve;
import org.owasp.dependencycheck.data.update.nvd.NvdCveInfo;
import java.io.File;
import java.io.IOException;
import java.net.MalformedURLException;

5
dependency-check-core/src/test/resources/dependencycheck.properties
View File

@@ -19,7 +19,7 @@ data.directory=[JAR]/data
# if the filename has a %s it will be replaced with the current expected version. For file
# based databases the below filename will be added to the data directory above and then
# if the connection string has a %s it will be replaced by the directory/filename path.
data.file_name=cve.%s.h2.db
data.file_name=dc.h2.db
data.version=2.9
data.connection_string=jdbc:h2:file:%s;FILE_LOCK=SERIALIZED;AUTOCOMMIT=ON;
#data.connection_string=jdbc:mysql://localhost:3306/dependencycheck
@@ -60,6 +60,9 @@ cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
#cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
cpe.validfordays=30
cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
# the URL for searching Nexus for SHA-1 hashes and whether it's enabled
analyzer.nexus.enabled=true

9789
dependency-check-core/src/test/resources/jquery-1.10.2.js vendored
View File

File diff suppressed because it is too large Load Diff

6
dependency-check-core/src/test/resources/jquery-1.10.2.min.js vendored
View File

File diff suppressed because one or more lines are too long

18
dependency-check-core/src/test/resources/jquery-1.6.2.min.js vendored
View File

File diff suppressed because one or more lines are too long

911
dependency-check-core/src/test/resources/jquery.prettyPhoto.js
View File

@@ -1,911 +0,0 @@
/* ------------------------------------------------------------------------
Class: prettyPhoto
Use: Lightbox clone for jQuery
Author: Stephane Caron (http://www.no-margin-for-errors.com)
Version: 3.1.5
------------------------------------------------------------------------- */
(function($) {
$.prettyPhoto = {version: '3.1.5'};
$.fn.prettyPhoto = function(pp_settings) {
pp_settings = jQuery.extend({
hook: 'rel', /* the attribute tag to use for prettyPhoto hooks. default: 'rel'. For HTML5, use "data-rel" or similar. */
animation_speed: 'fast', /* fast/slow/normal */
ajaxcallback: function() {},
slideshow: 5000, /* false OR interval time in ms */
autoplay_slideshow: false, /* true/false */
opacity: 0.80, /* Value between 0 and 1 */
show_title: true, /* true/false */
allow_resize: true, /* Resize the photos bigger than viewport. true/false */
allow_expand: true, /* Allow the user to expand a resized image. true/false */
default_width: 500,
default_height: 344,
counter_separator_label: '/', /* The separator for the gallery counter 1 "of" 2 */
theme: 'pp_default', /* light_rounded / dark_rounded / light_square / dark_square / facebook */
horizontal_padding: 20, /* The padding on each side of the picture */
hideflash: false, /* Hides all the flash object on a page, set to TRUE if flash appears over prettyPhoto */
wmode: 'opaque', /* Set the flash wmode attribute */
autoplay: true, /* Automatically start videos: True/False */
modal: false, /* If set to true, only the close button will close the window */
deeplinking: true, /* Allow prettyPhoto to update the url to enable deeplinking. */
overlay_gallery: true, /* If set to true, a gallery will overlay the fullscreen image on mouse over */
overlay_gallery_max: 30, /* Maximum number of pictures in the overlay gallery */
keyboard_shortcuts: true, /* Set to false if you open forms inside prettyPhoto */
changepicturecallback: function(){}, /* Called everytime an item is shown/changed */
callback: function(){}, /* Called when prettyPhoto is closed */
ie6_fallback: true,
markup: '<div class="pp_pic_holder"> \
<div class="ppt">&nbsp;</div> \
<div class="pp_top"> \
<div class="pp_left"></div> \
<div class="pp_middle"></div> \
<div class="pp_right"></div> \
</div> \
<div class="pp_content_container"> \
<div class="pp_left"> \
<div class="pp_right"> \
<div class="pp_content"> \
<div class="pp_loaderIcon"></div> \
<div class="pp_fade"> \
<a href="#" class="pp_expand" title="Expand the image">Expand</a> \
<div class="pp_hoverContainer"> \
<a class="pp_next" href="#">next</a> \
<a class="pp_previous" href="#">previous</a> \
</div> \
<div id="pp_full_res"></div> \
<div class="pp_details"> \
<div class="pp_nav"> \
<a href="#" class="pp_arrow_previous">Previous</a> \
<p class="currentTextHolder">0/0</p> \
<a href="#" class="pp_arrow_next">Next</a> \
</div> \
<p class="pp_description"></p> \
<div class="pp_social">{pp_social}</div> \
<a class="pp_close" href="#">Close</a> \
</div> \
</div> \
</div> \
</div> \
</div> \
</div> \
<div class="pp_bottom"> \
<div class="pp_left"></div> \
<div class="pp_middle"></div> \
<div class="pp_right"></div> \
</div> \
</div> \
<div class="pp_overlay"></div>',
gallery_markup: '<div class="pp_gallery"> \
<a href="#" class="pp_arrow_previous">Previous</a> \
<div> \
<ul> \
{gallery} \
</ul> \
</div> \
<a href="#" class="pp_arrow_next">Next</a> \
</div>',
image_markup: '<img id="fullResImage" src="{path}" />',
flash_markup: '<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="{width}" height="{height}"><param name="wmode" value="{wmode}" /><param name="allowfullscreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="movie" value="{path}" /><embed src="{path}" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="{width}" height="{height}" wmode="{wmode}"></embed></object>',
quicktime_markup: '<object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" codebase="http://www.apple.com/qtactivex/qtplugin.cab" height="{height}" width="{width}"><param name="src" value="{path}"><param name="autoplay" value="{autoplay}"><param name="type" value="video/quicktime"><embed src="{path}" height="{height}" width="{width}" autoplay="{autoplay}" type="video/quicktime" pluginspage="http://www.apple.com/quicktime/download/"></embed></object>',
iframe_markup: '<iframe src ="{path}" width="{width}" height="{height}" frameborder="no"></iframe>',
inline_markup: '<div class="pp_inline">{content}</div>',
custom_markup: '',
social_tools: '<div class="twitter"><a href="http://twitter.com/share" class="twitter-share-button" data-count="none">Tweet</a><script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script></div><div class="facebook"><iframe src="//www.facebook.com/plugins/like.php?locale=en_US&href={location_href}&amp;layout=button_count&amp;show_faces=true&amp;width=500&amp;action=like&amp;font&amp;colorscheme=light&amp;height=23" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:500px; height:23px;" allowTransparency="true"></iframe></div>' /* html or false to disable */
}, pp_settings);
// Global variables accessible only by prettyPhoto
var matchedObjects = this, percentBased = false, pp_dimensions, pp_open,
// prettyPhoto container specific
pp_contentHeight, pp_contentWidth, pp_containerHeight, pp_containerWidth,
// Window size
windowHeight = $(window).height(), windowWidth = $(window).width(),
// Global elements
pp_slideshow;
doresize = true, scroll_pos = _get_scroll();
// Window/Keyboard events
$(window).unbind('resize.prettyphoto').bind('resize.prettyphoto',function(){ _center_overlay(); _resize_overlay(); });
if(pp_settings.keyboard_shortcuts) {
$(document).unbind('keydown.prettyphoto').bind('keydown.prettyphoto',function(e){
if(typeof $pp_pic_holder != 'undefined'){
if($pp_pic_holder.is(':visible')){
switch(e.keyCode){
case 37:
$.prettyPhoto.changePage('previous');
e.preventDefault();
break;
case 39:
$.prettyPhoto.changePage('next');
e.preventDefault();
break;
case 27:
if(!settings.modal)
$.prettyPhoto.close();
e.preventDefault();
break;
};
// return false;
};
};
});
};
/**
* Initialize prettyPhoto.
*/
$.prettyPhoto.initialize = function() {
settings = pp_settings;
if(settings.theme == 'pp_default') settings.horizontal_padding = 16;
// Find out if the picture is part of a set
theRel = $(this).attr(settings.hook);
galleryRegExp = /\[(?:.*)\]/;
isSet = (galleryRegExp.exec(theRel)) ? true : false;
// Put the SRCs, TITLEs, ALTs into an array.
pp_images = (isSet) ? jQuery.map(matchedObjects, function(n, i){ if($(n).attr(settings.hook).indexOf(theRel) != -1) return $(n).attr('href'); }) : $.makeArray($(this).attr('href'));
pp_titles = (isSet) ? jQuery.map(matchedObjects, function(n, i){ if($(n).attr(settings.hook).indexOf(theRel) != -1) return ($(n).find('img').attr('alt')) ? $(n).find('img').attr('alt') : ""; }) : $.makeArray($(this).find('img').attr('alt'));
pp_descriptions = (isSet) ? jQuery.map(matchedObjects, function(n, i){ if($(n).attr(settings.hook).indexOf(theRel) != -1) return ($(n).attr('title')) ? $(n).attr('title') : ""; }) : $.makeArray($(this).attr('title'));
if(pp_images.length > settings.overlay_gallery_max) settings.overlay_gallery = false;
set_position = jQuery.inArray($(this).attr('href'), pp_images); // Define where in the array the clicked item is positionned
rel_index = (isSet) ? set_position : $("a["+settings.hook+"^='"+theRel+"']").index($(this));
_build_overlay(this); // Build the overlay {this} being the caller
if(settings.allow_resize)
$(window).bind('scroll.prettyphoto',function(){ _center_overlay(); });
$.prettyPhoto.open();
return false;
}
/**
* Opens the prettyPhoto modal box.
* @param image {String,Array} Full path to the image to be open, can also be an array containing full images paths.
* @param title {String,Array} The title to be displayed with the picture, can also be an array containing all the titles.
* @param description {String,Array} The description to be displayed with the picture, can also be an array containing all the descriptions.
*/
$.prettyPhoto.open = function(event) {
if(typeof settings == "undefined"){ // Means it's an API call, need to manually get the settings and set the variables
settings = pp_settings;
pp_images = $.makeArray(arguments[0]);
pp_titles = (arguments[1]) ? $.makeArray(arguments[1]) : $.makeArray("");
pp_descriptions = (arguments[2]) ? $.makeArray(arguments[2]) : $.makeArray("");
isSet = (pp_images.length > 1) ? true : false;
set_position = (arguments[3])? arguments[3]: 0;
_build_overlay(event.target); // Build the overlay {this} being the caller
}
if(settings.hideflash) $('object,embed,iframe[src*=youtube],iframe[src*=vimeo]').css('visibility','hidden'); // Hide the flash
_checkPosition($(pp_images).size()); // Hide the next/previous links if on first or last images.
$('.pp_loaderIcon').show();
if(settings.deeplinking)
setHashtag();
// Rebuild Facebook Like Button with updated href
if(settings.social_tools){
facebook_like_link = settings.social_tools.replace('{location_href}', encodeURIComponent(location.href));
$pp_pic_holder.find('.pp_social').html(facebook_like_link);
}
// Fade the content in
if($ppt.is(':hidden')) $ppt.css('opacity',0).show();
$pp_overlay.show().fadeTo(settings.animation_speed,settings.opacity);
// Display the current position
$pp_pic_holder.find('.currentTextHolder').text((set_position+1) + settings.counter_separator_label + $(pp_images).size());
// Set the description
if(typeof pp_descriptions[set_position] != 'undefined' && pp_descriptions[set_position] != ""){
$pp_pic_holder.find('.pp_description').show().html(unescape(pp_descriptions[set_position]));
}else{
$pp_pic_holder.find('.pp_description').hide();
}
// Get the dimensions
movie_width = ( parseFloat(getParam('width',pp_images[set_position])) ) ? getParam('width',pp_images[set_position]) : settings.default_width.toString();
movie_height = ( parseFloat(getParam('height',pp_images[set_position])) ) ? getParam('height',pp_images[set_position]) : settings.default_height.toString();
// If the size is % based, calculate according to window dimensions
percentBased=false;
if(movie_height.indexOf('%') != -1) { movie_height = parseFloat(($(window).height() * parseFloat(movie_height) / 100) - 150); percentBased = true; }
if(movie_width.indexOf('%') != -1) { movie_width = parseFloat(($(window).width() * parseFloat(movie_width) / 100) - 150); percentBased = true; }
// Fade the holder
$pp_pic_holder.fadeIn(function(){
// Set the title
(settings.show_title && pp_titles[set_position] != "" && typeof pp_titles[set_position] != "undefined") ? $ppt.html(unescape(pp_titles[set_position])) : $ppt.html('&nbsp;');
imgPreloader = "";
skipInjection = false;
// Inject the proper content
switch(_getFileType(pp_images[set_position])){
case 'image':
imgPreloader = new Image();
// Preload the neighbour images
nextImage = new Image();
if(isSet && set_position < $(pp_images).size() -1) nextImage.src = pp_images[set_position + 1];
prevImage = new Image();
if(isSet && pp_images[set_position - 1]) prevImage.src = pp_images[set_position - 1];
$pp_pic_holder.find('#pp_full_res')[0].innerHTML = settings.image_markup.replace(/{path}/g,pp_images[set_position]);
imgPreloader.onload = function(){
// Fit item to viewport
pp_dimensions = _fitToViewport(imgPreloader.width,imgPreloader.height);
_showContent();
};
imgPreloader.onerror = function(){
alert('Image cannot be loaded. Make sure the path is correct and image exist.');
$.prettyPhoto.close();
};
imgPreloader.src = pp_images[set_position];
break;
case 'youtube':
pp_dimensions = _fitToViewport(movie_width,movie_height); // Fit item to viewport
// Regular youtube link
movie_id = getParam('v',pp_images[set_position]);
// youtu.be link
if(movie_id == ""){
movie_id = pp_images[set_position].split('youtu.be/');
movie_id = movie_id[1];
if(movie_id.indexOf('?') > 0)
movie_id = movie_id.substr(0,movie_id.indexOf('?')); // Strip anything after the ?
if(movie_id.indexOf('&') > 0)
movie_id = movie_id.substr(0,movie_id.indexOf('&')); // Strip anything after the &
}
movie = 'http://www.youtube.com/embed/'+movie_id;
(getParam('rel',pp_images[set_position])) ? movie+="?rel="+getParam('rel',pp_images[set_position]) : movie+="?rel=1";
if(settings.autoplay) movie += "&autoplay=1";
toInject = settings.iframe_markup.replace(/{width}/g,pp_dimensions['width']).replace(/{height}/g,pp_dimensions['height']).replace(/{wmode}/g,settings.wmode).replace(/{path}/g,movie);
break;
case 'vimeo':
pp_dimensions = _fitToViewport(movie_width,movie_height); // Fit item to viewport
movie_id = pp_images[set_position];
var regExp = /http(s?):\/\/(www\.)?vimeo.com\/(\d+)/;
var match = movie_id.match(regExp);
movie = 'http://player.vimeo.com/video/'+ match[3] +'?title=0&amp;byline=0&amp;portrait=0';
if(settings.autoplay) movie += "&autoplay=1;";
vimeo_width = pp_dimensions['width'] + '/embed/?moog_width='+ pp_dimensions['width'];
toInject = settings.iframe_markup.replace(/{width}/g,vimeo_width).replace(/{height}/g,pp_dimensions['height']).replace(/{path}/g,movie);
break;
case 'quicktime':
pp_dimensions = _fitToViewport(movie_width,movie_height); // Fit item to viewport
pp_dimensions['height']+=15; pp_dimensions['contentHeight']+=15; pp_dimensions['containerHeight']+=15; // Add space for the control bar
toInject = settings.quicktime_markup.replace(/{width}/g,pp_dimensions['width']).replace(/{height}/g,pp_dimensions['height']).replace(/{wmode}/g,settings.wmode).replace(/{path}/g,pp_images[set_position]).replace(/{autoplay}/g,settings.autoplay);
break;
case 'flash':
pp_dimensions = _fitToViewport(movie_width,movie_height); // Fit item to viewport
flash_vars = pp_images[set_position];
flash_vars = flash_vars.substring(pp_images[set_position].indexOf('flashvars') + 10,pp_images[set_position].length);
filename = pp_images[set_position];
filename = filename.substring(0,filename.indexOf('?'));
toInject = settings.flash_markup.replace(/{width}/g,pp_dimensions['width']).replace(/{height}/g,pp_dimensions['height']).replace(/{wmode}/g,settings.wmode).replace(/{path}/g,filename+'?'+flash_vars);
break;
case 'iframe':
pp_dimensions = _fitToViewport(movie_width,movie_height); // Fit item to viewport
frame_url = pp_images[set_position];
frame_url = frame_url.substr(0,frame_url.indexOf('iframe')-1);
toInject = settings.iframe_markup.replace(/{width}/g,pp_dimensions['width']).replace(/{height}/g,pp_dimensions['height']).replace(/{path}/g,frame_url);
break;
case 'ajax':
doresize = false; // Make sure the dimensions are not resized.
pp_dimensions = _fitToViewport(movie_width,movie_height);
doresize = true; // Reset the dimensions
skipInjection = true;
$.get(pp_images[set_position],function(responseHTML){
toInject = settings.inline_markup.replace(/{content}/g,responseHTML);
$pp_pic_holder.find('#pp_full_res')[0].innerHTML = toInject;
_showContent();
});
break;
case 'custom':
pp_dimensions = _fitToViewport(movie_width,movie_height); // Fit item to viewport
toInject = settings.custom_markup;
break;
case 'inline':
// to get the item height clone it, apply default width, wrap it in the prettyPhoto containers , then delete
myClone = $(pp_images[set_position]).clone().append('<br clear="all" />').css({'width':settings.default_width}).wrapInner('<div id="pp_full_res"><div class="pp_inline"></div></div>').appendTo($('body')).show();
doresize = false; // Make sure the dimensions are not resized.
pp_dimensions = _fitToViewport($(myClone).width(),$(myClone).height());
doresize = true; // Reset the dimensions
$(myClone).remove();
toInject = settings.inline_markup.replace(/{content}/g,$(pp_images[set_position]).html());
break;
};
if(!imgPreloader && !skipInjection){
$pp_pic_holder.find('#pp_full_res')[0].innerHTML = toInject;
// Show content
_showContent();
};
});
return false;
};
/**
* Change page in the prettyPhoto modal box
* @param direction {String} Direction of the paging, previous or next.
*/
$.prettyPhoto.changePage = function(direction){
currentGalleryPage = 0;
if(direction == 'previous') {
set_position--;
if (set_position < 0) set_position = $(pp_images).size()-1;
}else if(direction == 'next'){
set_position++;
if(set_position > $(pp_images).size()-1) set_position = 0;
}else{
set_position=direction;
};
rel_index = set_position;
if(!doresize) doresize = true; // Allow the resizing of the images
if(settings.allow_expand) {
$('.pp_contract').removeClass('pp_contract').addClass('pp_expand');
}
_hideContent(function(){ $.prettyPhoto.open(); });
};
/**
* Change gallery page in the prettyPhoto modal box
* @param direction {String} Direction of the paging, previous or next.
*/
$.prettyPhoto.changeGalleryPage = function(direction){
if(direction=='next'){
currentGalleryPage ++;
if(currentGalleryPage > totalPage) currentGalleryPage = 0;
}else if(direction=='previous'){
currentGalleryPage --;
if(currentGalleryPage < 0) currentGalleryPage = totalPage;
}else{
currentGalleryPage = direction;
};
slide_speed = (direction == 'next' || direction == 'previous') ? settings.animation_speed : 0;
slide_to = currentGalleryPage * (itemsPerPage * itemWidth);
$pp_gallery.find('ul').animate({left:-slide_to},slide_speed);
};
/**
* Start the slideshow...
*/
$.prettyPhoto.startSlideshow = function(){
if(typeof pp_slideshow == 'undefined'){
$pp_pic_holder.find('.pp_play').unbind('click').removeClass('pp_play').addClass('pp_pause').click(function(){
$.prettyPhoto.stopSlideshow();
return false;
});
pp_slideshow = setInterval($.prettyPhoto.startSlideshow,settings.slideshow);
}else{
$.prettyPhoto.changePage('next');
};
}
/**
* Stop the slideshow...
*/
$.prettyPhoto.stopSlideshow = function(){
$pp_pic_holder.find('.pp_pause').unbind('click').removeClass('pp_pause').addClass('pp_play').click(function(){
$.prettyPhoto.startSlideshow();
return false;
});
clearInterval(pp_slideshow);
pp_slideshow=undefined;
}
/**
* Closes prettyPhoto.
*/
$.prettyPhoto.close = function(){
if($pp_overlay.is(":animated")) return;
$.prettyPhoto.stopSlideshow();
$pp_pic_holder.stop().find('object,embed').css('visibility','hidden');
$('div.pp_pic_holder,div.ppt,.pp_fade').fadeOut(settings.animation_speed,function(){ $(this).remove(); });
$pp_overlay.fadeOut(settings.animation_speed, function(){
if(settings.hideflash) $('object,embed,iframe[src*=youtube],iframe[src*=vimeo]').css('visibility','visible'); // Show the flash
$(this).remove(); // No more need for the prettyPhoto markup
$(window).unbind('scroll.prettyphoto');
clearHashtag();
settings.callback();
doresize = true;
pp_open = false;
delete settings;
});
};
/**
* Set the proper sizes on the containers and animate the content in.
*/
function _showContent(){
$('.pp_loaderIcon').hide();
// Calculate the opened top position of the pic holder
projectedTop = scroll_pos['scrollTop'] + ((windowHeight/2) - (pp_dimensions['containerHeight']/2));
if(projectedTop < 0) projectedTop = 0;
$ppt.fadeTo(settings.animation_speed,1);
// Resize the content holder
$pp_pic_holder.find('.pp_content')
.animate({
height:pp_dimensions['contentHeight'],
width:pp_dimensions['contentWidth']
},settings.animation_speed);
// Resize picture the holder
$pp_pic_holder.animate({
'top': projectedTop,
'left': ((windowWidth/2) - (pp_dimensions['containerWidth']/2) < 0) ? 0 : (windowWidth/2) - (pp_dimensions['containerWidth']/2),
width:pp_dimensions['containerWidth']
},settings.animation_speed,function(){
$pp_pic_holder.find('.pp_hoverContainer,#fullResImage').height(pp_dimensions['height']).width(pp_dimensions['width']);
$pp_pic_holder.find('.pp_fade').fadeIn(settings.animation_speed); // Fade the new content
// Show the nav
if(isSet && _getFileType(pp_images[set_position])=="image") { $pp_pic_holder.find('.pp_hoverContainer').show(); }else{ $pp_pic_holder.find('.pp_hoverContainer').hide(); }
if(settings.allow_expand) {
if(pp_dimensions['resized']){ // Fade the resizing link if the image is resized
$('a.pp_expand,a.pp_contract').show();
}else{
$('a.pp_expand').hide();
}
}
if(settings.autoplay_slideshow && !pp_slideshow && !pp_open) $.prettyPhoto.startSlideshow();
settings.changepicturecallback(); // Callback!
pp_open = true;
});
_insert_gallery();
pp_settings.ajaxcallback();
};
/**
* Hide the content...DUH!
*/
function _hideContent(callback){
// Fade out the current picture
$pp_pic_holder.find('#pp_full_res object,#pp_full_res embed').css('visibility','hidden');
$pp_pic_holder.find('.pp_fade').fadeOut(settings.animation_speed,function(){
$('.pp_loaderIcon').show();
callback();
});
};
/**
* Check the item position in the gallery array, hide or show the navigation links
* @param setCount {integer} The total number of items in the set
*/
function _checkPosition(setCount){
(setCount > 1) ? $('.pp_nav').show() : $('.pp_nav').hide(); // Hide the bottom nav if it's not a set.
};
/**
* Resize the item dimensions if it's bigger than the viewport
* @param width {integer} Width of the item to be opened
* @param height {integer} Height of the item to be opened
* @return An array containin the "fitted" dimensions
*/
function _fitToViewport(width,height){
resized = false;
_getDimensions(width,height);
// Define them in case there's no resize needed
imageWidth = width, imageHeight = height;
if( ((pp_containerWidth > windowWidth) || (pp_containerHeight > windowHeight)) && doresize && settings.allow_resize && !percentBased) {
resized = true, fitting = false;
while (!fitting){
if((pp_containerWidth > windowWidth)){
imageWidth = (windowWidth - 200);
imageHeight = (height/width) * imageWidth;
}else if((pp_containerHeight > windowHeight)){
imageHeight = (windowHeight - 200);
imageWidth = (width/height) * imageHeight;
}else{
fitting = true;
};
pp_containerHeight = imageHeight, pp_containerWidth = imageWidth;
};
if((pp_containerWidth > windowWidth) || (pp_containerHeight > windowHeight)){
_fitToViewport(pp_containerWidth,pp_containerHeight)
};
_getDimensions(imageWidth,imageHeight);
};
return {
width:Math.floor(imageWidth),
height:Math.floor(imageHeight),
containerHeight:Math.floor(pp_containerHeight),
containerWidth:Math.floor(pp_containerWidth) + (settings.horizontal_padding * 2),
contentHeight:Math.floor(pp_contentHeight),
contentWidth:Math.floor(pp_contentWidth),
resized:resized
};
};
/**
* Get the containers dimensions according to the item size
* @param width {integer} Width of the item to be opened
* @param height {integer} Height of the item to be opened
*/
function _getDimensions(width,height){
width = parseFloat(width);
height = parseFloat(height);
// Get the details height, to do so, I need to clone it since it's invisible
$pp_details = $pp_pic_holder.find('.pp_details');
$pp_details.width(width);
detailsHeight = parseFloat($pp_details.css('marginTop')) + parseFloat($pp_details.css('marginBottom'));
$pp_details = $pp_details.clone().addClass(settings.theme).width(width).appendTo($('body')).css({
'position':'absolute',
'top':-10000
});
detailsHeight += $pp_details.height();
detailsHeight = (detailsHeight <= 34) ? 36 : detailsHeight; // Min-height for the details
$pp_details.remove();
// Get the titles height, to do so, I need to clone it since it's invisible
$pp_title = $pp_pic_holder.find('.ppt');
$pp_title.width(width);
titleHeight = parseFloat($pp_title.css('marginTop')) + parseFloat($pp_title.css('marginBottom'));
$pp_title = $pp_title.clone().appendTo($('body')).css({
'position':'absolute',
'top':-10000
});
titleHeight += $pp_title.height();
$pp_title.remove();
// Get the container size, to resize the holder to the right dimensions
pp_contentHeight = height + detailsHeight;
pp_contentWidth = width;
pp_containerHeight = pp_contentHeight + titleHeight + $pp_pic_holder.find('.pp_top').height() + $pp_pic_holder.find('.pp_bottom').height();
pp_containerWidth = width;
}
function _getFileType(itemSrc){
if (itemSrc.match(/youtube\.com\/watch/i) || itemSrc.match(/youtu\.be/i)) {
return 'youtube';
}else if (itemSrc.match(/vimeo\.com/i)) {
return 'vimeo';
}else if(itemSrc.match(/\b.mov\b/i)){
return 'quicktime';
}else if(itemSrc.match(/\b.swf\b/i)){
return 'flash';
}else if(itemSrc.match(/\biframe=true\b/i)){
return 'iframe';
}else if(itemSrc.match(/\bajax=true\b/i)){
return 'ajax';
}else if(itemSrc.match(/\bcustom=true\b/i)){
return 'custom';
}else if(itemSrc.substr(0,1) == '#'){
return 'inline';
}else{
return 'image';
};
};
function _center_overlay(){
if(doresize && typeof $pp_pic_holder != 'undefined') {
scroll_pos = _get_scroll();
contentHeight = $pp_pic_holder.height(), contentwidth = $pp_pic_holder.width();
projectedTop = (windowHeight/2) + scroll_pos['scrollTop'] - (contentHeight/2);
if(projectedTop < 0) projectedTop = 0;
if(contentHeight > windowHeight)
return;
$pp_pic_holder.css({
'top': projectedTop,
'left': (windowWidth/2) + scroll_pos['scrollLeft'] - (contentwidth/2)
});
};
};
function _get_scroll(){
if (self.pageYOffset) {
return {scrollTop:self.pageYOffset,scrollLeft:self.pageXOffset};
} else if (document.documentElement && document.documentElement.scrollTop) { // Explorer 6 Strict
return {scrollTop:document.documentElement.scrollTop,scrollLeft:document.documentElement.scrollLeft};
} else if (document.body) {// all other Explorers
return {scrollTop:document.body.scrollTop,scrollLeft:document.body.scrollLeft};
};
};
function _resize_overlay() {
windowHeight = $(window).height(), windowWidth = $(window).width();
if(typeof $pp_overlay != "undefined") $pp_overlay.height($(document).height()).width(windowWidth);
};
function _insert_gallery(){
if(isSet && settings.overlay_gallery && _getFileType(pp_images[set_position])=="image") {
itemWidth = 52+5; // 52 beign the thumb width, 5 being the right margin.
navWidth = (settings.theme == "facebook" || settings.theme == "pp_default") ? 50 : 30; // Define the arrow width depending on the theme
itemsPerPage = Math.floor((pp_dimensions['containerWidth'] - 100 - navWidth) / itemWidth);
itemsPerPage = (itemsPerPage < pp_images.length) ? itemsPerPage : pp_images.length;
totalPage = Math.ceil(pp_images.length / itemsPerPage) - 1;
// Hide the nav in the case there's no need for links
if(totalPage == 0){
navWidth = 0; // No nav means no width!
$pp_gallery.find('.pp_arrow_next,.pp_arrow_previous').hide();
}else{
$pp_gallery.find('.pp_arrow_next,.pp_arrow_previous').show();
};
galleryWidth = itemsPerPage * itemWidth;
fullGalleryWidth = pp_images.length * itemWidth;
// Set the proper width to the gallery items
$pp_gallery
.css('margin-left',-((galleryWidth/2) + (navWidth/2)))
.find('div:first').width(galleryWidth+5)
.find('ul').width(fullGalleryWidth)
.find('li.selected').removeClass('selected');
goToPage = (Math.floor(set_position/itemsPerPage) < totalPage) ? Math.floor(set_position/itemsPerPage) : totalPage;
$.prettyPhoto.changeGalleryPage(goToPage);
$pp_gallery_li.filter(':eq('+set_position+')').addClass('selected');
}else{
$pp_pic_holder.find('.pp_content').unbind('mouseenter mouseleave');
// $pp_gallery.hide();
}
}
function _build_overlay(caller){
// Inject Social Tool markup into General markup
if(settings.social_tools)
facebook_like_link = settings.social_tools.replace('{location_href}', encodeURIComponent(location.href));
settings.markup = settings.markup.replace('{pp_social}','');
$('body').append(settings.markup); // Inject the markup
$pp_pic_holder = $('.pp_pic_holder') , $ppt = $('.ppt'), $pp_overlay = $('div.pp_overlay'); // Set my global selectors
// Inject the inline gallery!
if(isSet && settings.overlay_gallery) {
currentGalleryPage = 0;
toInject = "";
for (var i=0; i < pp_images.length; i++) {
if(!pp_images[i].match(/\b(jpg|jpeg|png|gif)\b/gi)){
classname = 'default';
img_src = '';
}else{
classname = '';
img_src = pp_images[i];
}
toInject += "<li class='"+classname+"'><a href='#'><img src='" + img_src + "' width='50' alt='' /></a></li>";
};
toInject = settings.gallery_markup.replace(/{gallery}/g,toInject);
$pp_pic_holder.find('#pp_full_res').after(toInject);
$pp_gallery = $('.pp_pic_holder .pp_gallery'), $pp_gallery_li = $pp_gallery.find('li'); // Set the gallery selectors
$pp_gallery.find('.pp_arrow_next').click(function(){
$.prettyPhoto.changeGalleryPage('next');
$.prettyPhoto.stopSlideshow();
return false;
});
$pp_gallery.find('.pp_arrow_previous').click(function(){
$.prettyPhoto.changeGalleryPage('previous');
$.prettyPhoto.stopSlideshow();
return false;
});
$pp_pic_holder.find('.pp_content').hover(
function(){
$pp_pic_holder.find('.pp_gallery:not(.disabled)').fadeIn();
},
function(){
$pp_pic_holder.find('.pp_gallery:not(.disabled)').fadeOut();
});
itemWidth = 52+5; // 52 beign the thumb width, 5 being the right margin.
$pp_gallery_li.each(function(i){
$(this)
.find('a')
.click(function(){
$.prettyPhoto.changePage(i);
$.prettyPhoto.stopSlideshow();
return false;
});
});
};
// Inject the play/pause if it's a slideshow
if(settings.slideshow){
$pp_pic_holder.find('.pp_nav').prepend('<a href="#" class="pp_play">Play</a>')
$pp_pic_holder.find('.pp_nav .pp_play').click(function(){
$.prettyPhoto.startSlideshow();
return false;
});
}
$pp_pic_holder.attr('class','pp_pic_holder ' + settings.theme); // Set the proper theme
$pp_overlay
.css({
'opacity':0,
'height':$(document).height(),
'width':$(window).width()
})
.bind('click',function(){
if(!settings.modal) $.prettyPhoto.close();
});
$('a.pp_close').bind('click',function(){ $.prettyPhoto.close(); return false; });
if(settings.allow_expand) {
$('a.pp_expand').bind('click',function(e){
// Expand the image
if($(this).hasClass('pp_expand')){
$(this).removeClass('pp_expand').addClass('pp_contract');
doresize = false;
}else{
$(this).removeClass('pp_contract').addClass('pp_expand');
doresize = true;
};
_hideContent(function(){ $.prettyPhoto.open(); });
return false;
});
}
$pp_pic_holder.find('.pp_previous, .pp_nav .pp_arrow_previous').bind('click',function(){
$.prettyPhoto.changePage('previous');
$.prettyPhoto.stopSlideshow();
return false;
});
$pp_pic_holder.find('.pp_next, .pp_nav .pp_arrow_next').bind('click',function(){
$.prettyPhoto.changePage('next');
$.prettyPhoto.stopSlideshow();
return false;
});
_center_overlay(); // Center it
};
if(!pp_alreadyInitialized && getHashtag()){
pp_alreadyInitialized = true;
// Grab the rel index to trigger the click on the correct element
hashIndex = getHashtag();
hashRel = hashIndex;
hashIndex = hashIndex.substring(hashIndex.indexOf('/')+1,hashIndex.length-1);
hashRel = hashRel.substring(0,hashRel.indexOf('/'));
// Little timeout to make sure all the prettyPhoto initialize scripts has been run.
// Useful in the event the page contain several init scripts.
setTimeout(function(){ $("a["+pp_settings.hook+"^='"+hashRel+"']:eq("+hashIndex+")").trigger('click'); },50);
}
return this.unbind('click.prettyphoto').bind('click.prettyphoto',$.prettyPhoto.initialize); // Return the jQuery object for chaining. The unbind method is used to avoid click conflict when the plugin is called more than once
};
function getHashtag(){
var url = location.href;
hashtag = (url.indexOf('#prettyPhoto') !== -1) ? decodeURI(url.substring(url.indexOf('#prettyPhoto')+1,url.length)) : false;
return hashtag;
};
function setHashtag(){
if(typeof theRel == 'undefined') return; // theRel is set on normal calls, it's impossible to deeplink using the API
location.hash = theRel + '/'+rel_index+'/';
};
function clearHashtag(){
if ( location.href.indexOf('#prettyPhoto') !== -1 ) location.hash = "prettyPhoto";
}
function getParam(name,url){
name = name.replace(/[\[]/,"\\\[").replace(/[\]]/,"\\\]");
var regexS = "[\\?&]"+name+"=([^&#]*)";
var regex = new RegExp( regexS );
var results = regex.exec( url );
return ( results == null ) ? "" : results[1];
}
})(jQuery);
var pp_alreadyInitialized = false; // Used for the deep linking to make sure not to call the same function several times.

905
dependency-check-core/src/test/resources/jquery.prettyPhoto_.js
View File

@@ -1,905 +0,0 @@
/* ------------------------------------------------------------------------
Class: prettyPhoto
Use: Lightbox clone for jQuery
Author: Stephane Caron (http://www.no-margin-for-errors.com)
Version: 3.1.3
------------------------------------------------------------------------- */
(function($) {
$.prettyPhoto = {version: '3.1.3'};
$.fn.prettyPhoto = function(pp_settings) {
pp_settings = jQuery.extend({
animation_speed: 'fast', /* fast/slow/normal */
slideshow: 5000, /* false OR interval time in ms */
autoplay_slideshow: false, /* true/false */
opacity: 0.80, /* Value between 0 and 1 */
show_title: true, /* true/false */
allow_resize: true, /* Resize the photos bigger than viewport. true/false */
default_width: 500,
default_height: 344,
counter_separator_label: '/', /* The separator for the gallery counter 1 "of" 2 */
theme: 'pp_default', /* light_rounded / dark_rounded / light_square / dark_square / facebook */
horizontal_padding: 20, /* The padding on each side of the picture */
hideflash: false, /* Hides all the flash object on a page, set to TRUE if flash appears over prettyPhoto */
wmode: 'opaque', /* Set the flash wmode attribute */
autoplay: true, /* Automatically start videos: True/False */
modal: false, /* If set to true, only the close button will close the window */
deeplinking: true, /* Allow prettyPhoto to update the url to enable deeplinking. */
overlay_gallery: true, /* If set to true, a gallery will overlay the fullscreen image on mouse over */
keyboard_shortcuts: true, /* Set to false if you open forms inside prettyPhoto */
changepicturecallback: function(){}, /* Called everytime an item is shown/changed */
callback: function(){}, /* Called when prettyPhoto is closed */
ie6_fallback: true,
markup: '<div class="pp_pic_holder"> \
<div class="ppt">&nbsp;</div> \
<div class="pp_top"> \
<div class="pp_left"></div> \
<div class="pp_middle"></div> \
<div class="pp_right"></div> \
</div> \
<div class="pp_content_container"> \
<div class="pp_left"> \
<div class="pp_right"> \
<div class="pp_content"> \
<div class="pp_loaderIcon"></div> \
<div class="pp_fade"> \
<a href="#" class="pp_expand" title="Expand the image">Expand</a> \
<div class="pp_hoverContainer"> \
<a class="pp_next" href="#">next</a> \
<a class="pp_previous" href="#">previous</a> \
</div> \
<div id="pp_full_res"></div> \
<div class="pp_details"> \
<div class="pp_nav"> \
<a href="#" class="pp_arrow_previous">Previous</a> \
<p class="currentTextHolder">0/0</p> \
<a href="#" class="pp_arrow_next">Next</a> \
</div> \
<p class="pp_description"></p> \
<div class="pp_social">{pp_social}</div> \
<a class="pp_close" href="#">Close</a> \
</div> \
</div> \
</div> \
</div> \
</div> \
</div> \
<div class="pp_bottom"> \
<div class="pp_left"></div> \
<div class="pp_middle"></div> \
<div class="pp_right"></div> \
</div> \
</div> \
<div class="pp_overlay"></div>',
gallery_markup: '<div class="pp_gallery"> \
<a href="#" class="pp_arrow_previous">Previous</a> \
<div> \
<ul> \
{gallery} \
</ul> \
</div> \
<a href="#" class="pp_arrow_next">Next</a> \
</div>',
image_markup: '<img id="fullResImage" src="{path}" />',
flash_markup: '<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="{width}" height="{height}"><param name="wmode" value="{wmode}" /><param name="allowfullscreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="movie" value="{path}" /><embed src="{path}" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="{width}" height="{height}" wmode="{wmode}"></embed></object>',
quicktime_markup: '<object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" codebase="http://www.apple.com/qtactivex/qtplugin.cab" height="{height}" width="{width}"><param name="src" value="{path}"><param name="autoplay" value="{autoplay}"><param name="type" value="video/quicktime"><embed src="{path}" height="{height}" width="{width}" autoplay="{autoplay}" type="video/quicktime" pluginspage="http://www.apple.com/quicktime/download/"></embed></object>',
iframe_markup: '<iframe src ="{path}" width="{width}" height="{height}" frameborder="no"></iframe>',
inline_markup: '<div class="pp_inline">{content}</div>',
custom_markup: '',
social_tools: '<div class="twitter"><a href="http://twitter.com/share" class="twitter-share-button" data-count="none">Tweet</a><script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script></div><div class="facebook"><iframe src="http://www.facebook.com/plugins/like.php?locale=en_US&href={location_href}&amp;layout=button_count&amp;show_faces=true&amp;width=500&amp;action=like&amp;font&amp;colorscheme=light&amp;height=23" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:500px; height:23px;" allowTransparency="true"></iframe></div>' /* html or false to disable */
}, pp_settings);
// Global variables accessible only by prettyPhoto
var matchedObjects = this, percentBased = false, pp_dimensions, pp_open,
// prettyPhoto container specific
pp_contentHeight, pp_contentWidth, pp_containerHeight, pp_containerWidth,
// Window size
windowHeight = $(window).height(), windowWidth = $(window).width(),
// Global elements
pp_slideshow;
doresize = true, scroll_pos = _get_scroll();
// Window/Keyboard events
$(window).unbind('resize.prettyphoto').bind('resize.prettyphoto',function(){ _center_overlay(); _resize_overlay(); });
if(pp_settings.keyboard_shortcuts) {
$(document).unbind('keydown.prettyphoto').bind('keydown.prettyphoto',function(e){
if(typeof $pp_pic_holder != 'undefined'){
if($pp_pic_holder.is(':visible')){
switch(e.keyCode){
case 37:
$.prettyPhoto.changePage('previous');
e.preventDefault();
break;
case 39:
$.prettyPhoto.changePage('next');
e.preventDefault();
break;
case 27:
if(!settings.modal)
$.prettyPhoto.close();
e.preventDefault();
break;
};
// return false;
};
};
});
};
/**
* Initialize prettyPhoto.
*/
$.prettyPhoto.initialize = function() {
settings = pp_settings;
if(settings.theme == 'pp_default') settings.horizontal_padding = 16;
if(settings.ie6_fallback && $.browser.msie && parseInt($.browser.version) == 6) settings.theme = "light_square"; // Fallback to a supported theme for IE6
// Find out if the picture is part of a set
theRel = $(this).attr('rel');
galleryRegExp = /\[(?:.*)\]/;
isSet = (galleryRegExp.exec(theRel)) ? true : false;
// Put the SRCs, TITLEs, ALTs into an array.
pp_images = (isSet) ? jQuery.map(matchedObjects, function(n, i){ if($(n).attr('rel').indexOf(theRel) != -1) return $(n).attr('href'); }) : $.makeArray($(this).attr('href'));
pp_titles = (isSet) ? jQuery.map(matchedObjects, function(n, i){ if($(n).attr('rel').indexOf(theRel) != -1) return ($(n).find('img').attr('alt')) ? $(n).find('img').attr('alt') : ""; }) : $.makeArray($(this).find('img').attr('alt'));
pp_descriptions = (isSet) ? jQuery.map(matchedObjects, function(n, i){ if($(n).attr('rel').indexOf(theRel) != -1) return ($(n).attr('title')) ? $(n).attr('title') : ""; }) : $.makeArray($(this).attr('title'));
if(pp_images.length > 30) settings.overlay_gallery = false;
set_position = jQuery.inArray($(this).attr('href'), pp_images); // Define where in the array the clicked item is positionned
rel_index = (isSet) ? set_position : $("a[rel^='"+theRel+"']").index($(this));
_build_overlay(this); // Build the overlay {this} being the caller
if(settings.allow_resize)
$(window).bind('scroll.prettyphoto',function(){ _center_overlay(); });
$.prettyPhoto.open();
return false;
}
/**
* Opens the prettyPhoto modal box.
* @param image {String,Array} Full path to the image to be open, can also be an array containing full images paths.
* @param title {String,Array} The title to be displayed with the picture, can also be an array containing all the titles.
* @param description {String,Array} The description to be displayed with the picture, can also be an array containing all the descriptions.
*/
$.prettyPhoto.open = function(event) {
if(typeof settings == "undefined"){ // Means it's an API call, need to manually get the settings and set the variables
settings = pp_settings;
if($.browser.msie && $.browser.version == 6) settings.theme = "light_square"; // Fallback to a supported theme for IE6
pp_images = $.makeArray(arguments[0]);
pp_titles = (arguments[1]) ? $.makeArray(arguments[1]) : $.makeArray("");
pp_descriptions = (arguments[2]) ? $.makeArray(arguments[2]) : $.makeArray("");
isSet = (pp_images.length > 1) ? true : false;
set_position = 0;
_build_overlay(event.target); // Build the overlay {this} being the caller
}
if($.browser.msie && $.browser.version == 6) $('select').css('visibility','hidden'); // To fix the bug with IE select boxes
if(settings.hideflash) $('object,embed,iframe[src*=youtube],iframe[src*=vimeo]').css('visibility','hidden'); // Hide the flash
_checkPosition($(pp_images).size()); // Hide the next/previous links if on first or last images.
$('.pp_loaderIcon').show();
if(settings.deeplinking)
setHashtag();
// Rebuild Facebook Like Button with updated href
if(settings.social_tools){
facebook_like_link = settings.social_tools.replace('{location_href}', encodeURIComponent(location.href));
$pp_pic_holder.find('.pp_social').html(facebook_like_link);
}
// Fade the content in
if($ppt.is(':hidden')) $ppt.css('opacity',0).show();
$pp_overlay.show().fadeTo(settings.animation_speed,settings.opacity);
// Display the current position
$pp_pic_holder.find('.currentTextHolder').text((set_position+1) + settings.counter_separator_label + $(pp_images).size());
// Set the description
if(pp_descriptions[set_position] != ""){
$pp_pic_holder.find('.pp_description').show().html(unescape(pp_descriptions[set_position]));
}else{
$pp_pic_holder.find('.pp_description').hide();
}
// Get the dimensions
movie_width = ( parseFloat(getParam('width',pp_images[set_position])) ) ? getParam('width',pp_images[set_position]) : settings.default_width.toString();
movie_height = ( parseFloat(getParam('height',pp_images[set_position])) ) ? getParam('height',pp_images[set_position]) : settings.default_height.toString();
// If the size is % based, calculate according to window dimensions
percentBased=false;
if(movie_height.indexOf('%') != -1) { movie_height = parseFloat(($(window).height() * parseFloat(movie_height) / 100) - 150); percentBased = true; }
if(movie_width.indexOf('%') != -1) { movie_width = parseFloat(($(window).width() * parseFloat(movie_width) / 100) - 150); percentBased = true; }
// Fade the holder
$pp_pic_holder.fadeIn(function(){
// Set the title
(settings.show_title && pp_titles[set_position] != "" && typeof pp_titles[set_position] != "undefined") ? $ppt.html(unescape(pp_titles[set_position])) : $ppt.html('&nbsp;');
imgPreloader = "";
skipInjection = false;
// Inject the proper content
switch(_getFileType(pp_images[set_position])){
case 'image':
imgPreloader = new Image();
// Preload the neighbour images
nextImage = new Image();
if(isSet && set_position < $(pp_images).size() -1) nextImage.src = pp_images[set_position + 1];
prevImage = new Image();
if(isSet && pp_images[set_position - 1]) prevImage.src = pp_images[set_position - 1];
$pp_pic_holder.find('#pp_full_res')[0].innerHTML = settings.image_markup.replace(/{path}/g,pp_images[set_position]);
imgPreloader.onload = function(){
// Fit item to viewport
pp_dimensions = _fitToViewport(imgPreloader.width,imgPreloader.height);
_showContent();
};
imgPreloader.onerror = function(){
alert('Image cannot be loaded. Make sure the path is correct and image exist.');
$.prettyPhoto.close();
};
imgPreloader.src = pp_images[set_position];
break;
case 'youtube':
pp_dimensions = _fitToViewport(movie_width,movie_height); // Fit item to viewport
// Regular youtube link
movie_id = getParam('v',pp_images[set_position]);
// youtu.be link
if(movie_id == ""){
movie_id = pp_images[set_position].split('youtu.be/');
movie_id = movie_id[1];
if(movie_id.indexOf('?') > 0)
movie_id = movie_id.substr(0,movie_id.indexOf('?')); // Strip anything after the ?
if(movie_id.indexOf('&') > 0)
movie_id = movie_id.substr(0,movie_id.indexOf('&')); // Strip anything after the &
}
movie = 'http://www.youtube.com/embed/'+movie_id;
(getParam('rel',pp_images[set_position])) ? movie+="?rel="+getParam('rel',pp_images[set_position]) : movie+="?rel=1";
if(settings.autoplay) movie += "&autoplay=1";
toInject = settings.iframe_markup.replace(/{width}/g,pp_dimensions['width']).replace(/{height}/g,pp_dimensions['height']).replace(/{wmode}/g,settings.wmode).replace(/{path}/g,movie);
break;
case 'vimeo':
pp_dimensions = _fitToViewport(movie_width,movie_height); // Fit item to viewport
movie_id = pp_images[set_position];
var regExp = /http:\/\/(www\.)?vimeo.com\/(\d+)/;
var match = movie_id.match(regExp);
movie = 'http://player.vimeo.com/video/'+ match[2] +'?title=0&amp;byline=0&amp;portrait=0';
if(settings.autoplay) movie += "&autoplay=1;";
vimeo_width = pp_dimensions['width'] + '/embed/?moog_width='+ pp_dimensions['width'];
toInject = settings.iframe_markup.replace(/{width}/g,vimeo_width).replace(/{height}/g,pp_dimensions['height']).replace(/{path}/g,movie);
break;
case 'quicktime':
pp_dimensions = _fitToViewport(movie_width,movie_height); // Fit item to viewport
pp_dimensions['height']+=15; pp_dimensions['contentHeight']+=15; pp_dimensions['containerHeight']+=15; // Add space for the control bar
toInject = settings.quicktime_markup.replace(/{width}/g,pp_dimensions['width']).replace(/{height}/g,pp_dimensions['height']).replace(/{wmode}/g,settings.wmode).replace(/{path}/g,pp_images[set_position]).replace(/{autoplay}/g,settings.autoplay);
break;
case 'flash':
pp_dimensions = _fitToViewport(movie_width,movie_height); // Fit item to viewport
flash_vars = pp_images[set_position];
flash_vars = flash_vars.substring(pp_images[set_position].indexOf('flashvars') + 10,pp_images[set_position].length);
filename = pp_images[set_position];
filename = filename.substring(0,filename.indexOf('?'));
toInject = settings.flash_markup.replace(/{width}/g,pp_dimensions['width']).replace(/{height}/g,pp_dimensions['height']).replace(/{wmode}/g,settings.wmode).replace(/{path}/g,filename+'?'+flash_vars);
break;
case 'iframe':
pp_dimensions = _fitToViewport(movie_width,movie_height); // Fit item to viewport
frame_url = pp_images[set_position];
frame_url = frame_url.substr(0,frame_url.indexOf('iframe')-1);
toInject = settings.iframe_markup.replace(/{width}/g,pp_dimensions['width']).replace(/{height}/g,pp_dimensions['height']).replace(/{path}/g,frame_url);
break;
case 'ajax':
doresize = false; // Make sure the dimensions are not resized.
pp_dimensions = _fitToViewport(movie_width,movie_height);
doresize = true; // Reset the dimensions
skipInjection = true;
$.get(pp_images[set_position],function(responseHTML){
toInject = settings.inline_markup.replace(/{content}/g,responseHTML);
$pp_pic_holder.find('#pp_full_res')[0].innerHTML = toInject;
_showContent();
});
break;
case 'custom':
pp_dimensions = _fitToViewport(movie_width,movie_height); // Fit item to viewport
toInject = settings.custom_markup;
break;
case 'inline':
// to get the item height clone it, apply default width, wrap it in the prettyPhoto containers , then delete
myClone = $(pp_images[set_position]).clone().append('<br clear="all" />').css({'width':settings.default_width}).wrapInner('<div id="pp_full_res"><div class="pp_inline"></div></div>').appendTo($('body')).show();
doresize = false; // Make sure the dimensions are not resized.
pp_dimensions = _fitToViewport($(myClone).width(),$(myClone).height());
doresize = true; // Reset the dimensions
$(myClone).remove();
toInject = settings.inline_markup.replace(/{content}/g,$(pp_images[set_position]).html());
break;
};
if(!imgPreloader && !skipInjection){
$pp_pic_holder.find('#pp_full_res')[0].innerHTML = toInject;
// Show content
_showContent();
};
});
return false;
};
/**
* Change page in the prettyPhoto modal box
* @param direction {String} Direction of the paging, previous or next.
*/
$.prettyPhoto.changePage = function(direction){
currentGalleryPage = 0;
if(direction == 'previous') {
set_position--;
if (set_position < 0) set_position = $(pp_images).size()-1;
}else if(direction == 'next'){
set_position++;
if(set_position > $(pp_images).size()-1) set_position = 0;
}else{
set_position=direction;
};
rel_index = set_position;
if(!doresize) doresize = true; // Allow the resizing of the images
$('.pp_contract').removeClass('pp_contract').addClass('pp_expand');
_hideContent(function(){ $.prettyPhoto.open(); });
};
/**
* Change gallery page in the prettyPhoto modal box
* @param direction {String} Direction of the paging, previous or next.
*/
$.prettyPhoto.changeGalleryPage = function(direction){
if(direction=='next'){
currentGalleryPage ++;
if(currentGalleryPage > totalPage) currentGalleryPage = 0;
}else if(direction=='previous'){
currentGalleryPage --;
if(currentGalleryPage < 0) currentGalleryPage = totalPage;
}else{
currentGalleryPage = direction;
};
slide_speed = (direction == 'next' || direction == 'previous') ? settings.animation_speed : 0;
slide_to = currentGalleryPage * (itemsPerPage * itemWidth);
$pp_gallery.find('ul').animate({left:-slide_to},slide_speed);
};
/**
* Start the slideshow...
*/
$.prettyPhoto.startSlideshow = function(){
if(typeof pp_slideshow == 'undefined'){
$pp_pic_holder.find('.pp_play').unbind('click').removeClass('pp_play').addClass('pp_pause').click(function(){
$.prettyPhoto.stopSlideshow();
return false;
});
pp_slideshow = setInterval($.prettyPhoto.startSlideshow,settings.slideshow);
}else{
$.prettyPhoto.changePage('next');
};
}
/**
* Stop the slideshow...
*/
$.prettyPhoto.stopSlideshow = function(){
$pp_pic_holder.find('.pp_pause').unbind('click').removeClass('pp_pause').addClass('pp_play').click(function(){
$.prettyPhoto.startSlideshow();
return false;
});
clearInterval(pp_slideshow);
pp_slideshow=undefined;
}
/**
* Closes prettyPhoto.
*/
$.prettyPhoto.close = function(){
if($pp_overlay.is(":animated")) return;
$.prettyPhoto.stopSlideshow();
$pp_pic_holder.stop().find('object,embed').css('visibility','hidden');
$('div.pp_pic_holder,div.ppt,.pp_fade').fadeOut(settings.animation_speed,function(){ $(this).remove(); });
$pp_overlay.fadeOut(settings.animation_speed, function(){
if($.browser.msie && $.browser.version == 6) $('select').css('visibility','visible'); // To fix the bug with IE select boxes
if(settings.hideflash) $('object,embed,iframe[src*=youtube],iframe[src*=vimeo]').css('visibility','visible'); // Show the flash
$(this).remove(); // No more need for the prettyPhoto markup
$(window).unbind('scroll.prettyphoto');
clearHashtag();
settings.callback();
doresize = true;
pp_open = false;
delete settings;
});
};
/**
* Set the proper sizes on the containers and animate the content in.
*/
function _showContent(){
$('.pp_loaderIcon').hide();
// Calculate the opened top position of the pic holder
projectedTop = scroll_pos['scrollTop'] + ((windowHeight/2) - (pp_dimensions['containerHeight']/2));
if(projectedTop < 0) projectedTop = 0;
$ppt.fadeTo(settings.animation_speed,1);
// Resize the content holder
$pp_pic_holder.find('.pp_content')
.animate({
height:pp_dimensions['contentHeight'],
width:pp_dimensions['contentWidth']
},settings.animation_speed);
// Resize picture the holder
$pp_pic_holder.animate({
'top': projectedTop,
'left': (windowWidth/2) - (pp_dimensions['containerWidth']/2),
width:pp_dimensions['containerWidth']
},settings.animation_speed,function(){
$pp_pic_holder.find('.pp_hoverContainer,#fullResImage').height(pp_dimensions['height']).width(pp_dimensions['width']);
$pp_pic_holder.find('.pp_fade').fadeIn(settings.animation_speed); // Fade the new content
// Show the nav
if(isSet && _getFileType(pp_images[set_position])=="image") { $pp_pic_holder.find('.pp_hoverContainer').show(); }else{ $pp_pic_holder.find('.pp_hoverContainer').hide(); }
if(pp_dimensions['resized']){ // Fade the resizing link if the image is resized
$('a.pp_expand,a.pp_contract').show();
}else{
$('a.pp_expand').hide();
}
if(settings.autoplay_slideshow && !pp_slideshow && !pp_open) $.prettyPhoto.startSlideshow();
settings.changepicturecallback(); // Callback!
pp_open = true;
});
_insert_gallery();
};
/**
* Hide the content...DUH!
*/
function _hideContent(callback){
// Fade out the current picture
$pp_pic_holder.find('#pp_full_res object,#pp_full_res embed').css('visibility','hidden');
$pp_pic_holder.find('.pp_fade').fadeOut(settings.animation_speed,function(){
$('.pp_loaderIcon').show();
callback();
});
};
/**
* Check the item position in the gallery array, hide or show the navigation links
* @param setCount {integer} The total number of items in the set
*/
function _checkPosition(setCount){
(setCount > 1) ? $('.pp_nav').show() : $('.pp_nav').hide(); // Hide the bottom nav if it's not a set.
};
/**
* Resize the item dimensions if it's bigger than the viewport
* @param width {integer} Width of the item to be opened
* @param height {integer} Height of the item to be opened
* @return An array containin the "fitted" dimensions
*/
function _fitToViewport(width,height){
resized = false;
_getDimensions(width,height);
// Define them in case there's no resize needed
imageWidth = width, imageHeight = height;
if( ((pp_containerWidth > windowWidth) || (pp_containerHeight > windowHeight)) && doresize && settings.allow_resize && !percentBased) {
resized = true, fitting = false;
while (!fitting){
if((pp_containerWidth > windowWidth)){
imageWidth = (windowWidth - 200);
imageHeight = (height/width) * imageWidth;
}else if((pp_containerHeight > windowHeight)){
imageHeight = (windowHeight - 200);
imageWidth = (width/height) * imageHeight;
}else{
fitting = true;
};
pp_containerHeight = imageHeight, pp_containerWidth = imageWidth;
};
_getDimensions(imageWidth,imageHeight);
if((pp_containerWidth > windowWidth) || (pp_containerHeight > windowHeight)){
_fitToViewport(pp_containerWidth,pp_containerHeight)
};
};
return {
width:Math.floor(imageWidth),
height:Math.floor(imageHeight),
containerHeight:Math.floor(pp_containerHeight),
containerWidth:Math.floor(pp_containerWidth) + (settings.horizontal_padding * 2),
contentHeight:Math.floor(pp_contentHeight),
contentWidth:Math.floor(pp_contentWidth),
resized:resized
};
};
/**
* Get the containers dimensions according to the item size
* @param width {integer} Width of the item to be opened
* @param height {integer} Height of the item to be opened
*/
function _getDimensions(width,height){
width = parseFloat(width);
height = parseFloat(height);
// Get the details height, to do so, I need to clone it since it's invisible
$pp_details = $pp_pic_holder.find('.pp_details');
$pp_details.width(width);
detailsHeight = parseFloat($pp_details.css('marginTop')) + parseFloat($pp_details.css('marginBottom'));
$pp_details = $pp_details.clone().addClass(settings.theme).width(width).appendTo($('body')).css({
'position':'absolute',
'top':-10000
});
detailsHeight += $pp_details.height();
detailsHeight = (detailsHeight <= 34) ? 36 : detailsHeight; // Min-height for the details
if($.browser.msie && $.browser.version==7) detailsHeight+=8;
$pp_details.remove();
// Get the titles height, to do so, I need to clone it since it's invisible
$pp_title = $pp_pic_holder.find('.ppt');
$pp_title.width(width);
titleHeight = parseFloat($pp_title.css('marginTop')) + parseFloat($pp_title.css('marginBottom'));
$pp_title = $pp_title.clone().appendTo($('body')).css({
'position':'absolute',
'top':-10000
});
titleHeight += $pp_title.height();
$pp_title.remove();
// Get the container size, to resize the holder to the right dimensions
pp_contentHeight = height + detailsHeight;
pp_contentWidth = width;
pp_containerHeight = pp_contentHeight + titleHeight + $pp_pic_holder.find('.pp_top').height() + $pp_pic_holder.find('.pp_bottom').height();
pp_containerWidth = width;
}
function _getFileType(itemSrc){
if (itemSrc.match(/youtube\.com\/watch/i) || itemSrc.match(/youtu\.be/i)) {
return 'youtube';
}else if (itemSrc.match(/vimeo\.com/i)) {
return 'vimeo';
}else if(itemSrc.match(/\b.mov\b/i)){
return 'quicktime';
}else if(itemSrc.match(/\b.swf\b/i)){
return 'flash';
}else if(itemSrc.match(/\biframe=true\b/i)){
return 'iframe';
}else if(itemSrc.match(/\bajax=true\b/i)){
return 'ajax';
}else if(itemSrc.match(/\bcustom=true\b/i)){
return 'custom';
}else if(itemSrc.substr(0,1) == '#'){
return 'inline';
}else{
return 'image';
};
};
function _center_overlay(){
if(doresize && typeof $pp_pic_holder != 'undefined') {
scroll_pos = _get_scroll();
contentHeight = $pp_pic_holder.height(), contentwidth = $pp_pic_holder.width();
projectedTop = (windowHeight/2) + scroll_pos['scrollTop'] - (contentHeight/2);
if(projectedTop < 0) projectedTop = 0;
if(contentHeight > windowHeight)
return;
$pp_pic_holder.css({
'top': projectedTop,
'left': (windowWidth/2) + scroll_pos['scrollLeft'] - (contentwidth/2)
});
};
};
function _get_scroll(){
if (self.pageYOffset) {
return {scrollTop:self.pageYOffset,scrollLeft:self.pageXOffset};
} else if (document.documentElement && document.documentElement.scrollTop) { // Explorer 6 Strict
return {scrollTop:document.documentElement.scrollTop,scrollLeft:document.documentElement.scrollLeft};
} else if (document.body) {// all other Explorers
return {scrollTop:document.body.scrollTop,scrollLeft:document.body.scrollLeft};
};
};
function _resize_overlay() {
windowHeight = $(window).height(), windowWidth = $(window).width();
if(typeof $pp_overlay != "undefined") $pp_overlay.height($(document).height()).width(windowWidth);
};
function _insert_gallery(){
if(isSet && settings.overlay_gallery && _getFileType(pp_images[set_position])=="image" && (settings.ie6_fallback && !($.browser.msie && parseInt($.browser.version) == 6))) {
itemWidth = 52+5; // 52 beign the thumb width, 5 being the right margin.
navWidth = (settings.theme == "facebook" || settings.theme == "pp_default") ? 50 : 30; // Define the arrow width depending on the theme
itemsPerPage = Math.floor((pp_dimensions['containerWidth'] - 100 - navWidth) / itemWidth);
itemsPerPage = (itemsPerPage < pp_images.length) ? itemsPerPage : pp_images.length;
totalPage = Math.ceil(pp_images.length / itemsPerPage) - 1;
// Hide the nav in the case there's no need for links
if(totalPage == 0){
navWidth = 0; // No nav means no width!
$pp_gallery.find('.pp_arrow_next,.pp_arrow_previous').hide();
}else{
$pp_gallery.find('.pp_arrow_next,.pp_arrow_previous').show();
};
galleryWidth = itemsPerPage * itemWidth;
fullGalleryWidth = pp_images.length * itemWidth;
// Set the proper width to the gallery items
$pp_gallery
.css('margin-left',-((galleryWidth/2) + (navWidth/2)))
.find('div:first').width(galleryWidth+5)
.find('ul').width(fullGalleryWidth)
.find('li.selected').removeClass('selected');
goToPage = (Math.floor(set_position/itemsPerPage) < totalPage) ? Math.floor(set_position/itemsPerPage) : totalPage;
$.prettyPhoto.changeGalleryPage(goToPage);
$pp_gallery_li.filter(':eq('+set_position+')').addClass('selected');
}else{
$pp_pic_holder.find('.pp_content').unbind('mouseenter mouseleave');
// $pp_gallery.hide();
}
}
function _build_overlay(caller){
// Inject Social Tool markup into General markup
if(settings.social_tools)
facebook_like_link = settings.social_tools.replace('{location_href}', encodeURIComponent(location.href));
settings.markup=settings.markup.replace('{pp_social}',(settings.social_tools)?facebook_like_link:'');
$('body').append(settings.markup); // Inject the markup
$pp_pic_holder = $('.pp_pic_holder') , $ppt = $('.ppt'), $pp_overlay = $('div.pp_overlay'); // Set my global selectors
// Inject the inline gallery!
if(isSet && settings.overlay_gallery) {
currentGalleryPage = 0;
toInject = "";
for (var i=0; i < pp_images.length; i++) {
if(!pp_images[i].match(/\b(jpg|jpeg|png|gif)\b/gi)){
classname = 'default';
img_src = '';
}else{
classname = '';
img_src = pp_images[i];
}
toInject += "<li class='"+classname+"'><a href='#'><img src='" + img_src + "' width='50' alt='' /></a></li>";
};
toInject = settings.gallery_markup.replace(/{gallery}/g,toInject);
$pp_pic_holder.find('#pp_full_res').after(toInject);
$pp_gallery = $('.pp_pic_holder .pp_gallery'), $pp_gallery_li = $pp_gallery.find('li'); // Set the gallery selectors
$pp_gallery.find('.pp_arrow_next').click(function(){
$.prettyPhoto.changeGalleryPage('next');
$.prettyPhoto.stopSlideshow();
return false;
});
$pp_gallery.find('.pp_arrow_previous').click(function(){
$.prettyPhoto.changeGalleryPage('previous');
$.prettyPhoto.stopSlideshow();
return false;
});
$pp_pic_holder.find('.pp_content').hover(
function(){
$pp_pic_holder.find('.pp_gallery:not(.disabled)').fadeIn();
},
function(){
$pp_pic_holder.find('.pp_gallery:not(.disabled)').fadeOut();
});
itemWidth = 52+5; // 52 beign the thumb width, 5 being the right margin.
$pp_gallery_li.each(function(i){
$(this)
.find('a')
.click(function(){
$.prettyPhoto.changePage(i);
$.prettyPhoto.stopSlideshow();
return false;
});
});
};
// Inject the play/pause if it's a slideshow
if(settings.slideshow){
$pp_pic_holder.find('.pp_nav').prepend('<a href="#" class="pp_play">Play</a>')
$pp_pic_holder.find('.pp_nav .pp_play').click(function(){
$.prettyPhoto.startSlideshow();
return false;
});
}
$pp_pic_holder.attr('class','pp_pic_holder ' + settings.theme); // Set the proper theme
$pp_overlay
.css({
'opacity':0,
'height':$(document).height(),
'width':$(window).width()
})
.bind('click',function(){
if(!settings.modal) $.prettyPhoto.close();
});
$('a.pp_close').bind('click',function(){ $.prettyPhoto.close(); return false; });
$('a.pp_expand').bind('click',function(e){
// Expand the image
if($(this).hasClass('pp_expand')){
$(this).removeClass('pp_expand').addClass('pp_contract');
doresize = false;
}else{
$(this).removeClass('pp_contract').addClass('pp_expand');
doresize = true;
};
_hideContent(function(){ $.prettyPhoto.open(); });
return false;
});
$pp_pic_holder.find('.pp_previous, .pp_nav .pp_arrow_previous').bind('click',function(){
$.prettyPhoto.changePage('previous');
$.prettyPhoto.stopSlideshow();
return false;
});
$pp_pic_holder.find('.pp_next, .pp_nav .pp_arrow_next').bind('click',function(){
$.prettyPhoto.changePage('next');
$.prettyPhoto.stopSlideshow();
return false;
});
_center_overlay(); // Center it
};
if(!pp_alreadyInitialized && getHashtag()){
pp_alreadyInitialized = true;
// Grab the rel index to trigger the click on the correct element
hashIndex = getHashtag();
hashRel = hashIndex;
hashIndex = hashIndex.substring(hashIndex.indexOf('/')+1,hashIndex.length-1);
hashRel = hashRel.substring(0,hashRel.indexOf('/'));
// Little timeout to make sure all the prettyPhoto initialize scripts has been run.
// Useful in the event the page contain several init scripts.
setTimeout(function(){ $("a[rel^='"+hashRel+"']:eq("+hashIndex+")").trigger('click'); },50);
}
return this.unbind('click.prettyphoto').bind('click.prettyphoto',$.prettyPhoto.initialize); // Return the jQuery object for chaining. The unbind method is used to avoid click conflict when the plugin is called more than once
};
function getHashtag(){
url = location.href;
hashtag = (url.indexOf('#!') != -1) ? decodeURI(url.substring(url.indexOf('#!')+2,url.length)) : false;
return hashtag;
};
function setHashtag(){
if(typeof theRel == 'undefined') return; // theRel is set on normal calls, it's impossible to deeplink using the API
location.hash = '!' + theRel + '/'+rel_index+'/';
};
function clearHashtag(){
// Clear the hashtag only if it was set by prettyPhoto
url = location.href;
hashtag = (url.indexOf('#!prettyPhoto')) ? true : false;
if(hashtag) location.hash = "!prettyPhoto";
}
function getParam(name,url){
name = name.replace(/[\[]/,"\\\[").replace(/[\]]/,"\\\]");
var regexS = "[\\?&]"+name+"=([^&#]*)";
var regex = new RegExp( regexS );
var results = regex.exec( url );
return ( results == null ) ? "" : results[1];
}
})(jQuery);
var pp_alreadyInitialized = false; // Used for the deep linking to make sure not to call the same function several times.

206
dependency-check-gradle/README.md
View File

@@ -15,9 +15,53 @@ Dependency-Check is a utility that attempts to detect publicly disclosed vulnera
Please refer to either one of the solution
#### Solution 1Bintray
#### Solution 1Install from Maven Central
```groovy
buildscript {
repositories {
mavenCentral()
}
dependencies {
classpath 'com.thoughtworks.tools:dependency-check:0.0.4'
}
}
```
apply plugin: 'dependency.check'
#### Solution 2Install from Gradle Plugin Portal
[dependency check gradle plugin on Gradle Plugin Portal](https://plugins.gradle.org/plugin/dependency.check)
**Build script snippet for new, incubating, plugin mechanism introduced in Gradle 2.1:**
```groovy
plugins {
id "dependency.check" version "0.0.4"
}
```
**Build script snippet for use in all Gradle versions:**
```groovy
buildscript {
repositories {
maven {
url "https://plugins.gradle.org/m2/"
}
}
dependencies {
classpath "gradle.plugin.com.tools.security:dependency-check:0.0.4"
}
}
apply plugin: "dependency.check"
```
#### Solution 3Install from Bintray
```groovy
apply plugin: "dependency-check"
buildscript {
@@ -29,105 +73,12 @@ buildscript {
}
dependencies {
classpath(
'com.tools.security:dependency-check:0.0.3'
'com.tools.security:dependency-check:0.0.4'
)
}
}
```
#### Solution 2Gradle Plugin Portal
[dependency check gradle plugin on Gradle Plugin Portal](https://plugins.gradle.org/plugin/dependency.check)
**Build script snippet for new, incubating, plugin mechanism introduced in Gradle 2.1:**
```
// buildscript {
// ...
// }
plugins {
id "dependency.check" version "0.0.3"
}
// apply plugin: ...
```
**Build script snippet for use in all Gradle versions:**
```
buildscript {
repositories {
maven {
url "https://plugins.gradle.org/m2/"
}
}
dependencies {
classpath "gradle.plugin.com.tools.security:dependency-check:0.0.3"
}
}
apply plugin: "dependency.check"
```
**If your project includes multiple sub-project, configure build script this way:**
```
buildscript {
repositories {
maven {
url "https://plugins.gradle.org/m2/"
}
}
dependencies {
classpath "gradle.plugin.com.tools.security:dependency-check:0.0.3"
}
}
allprojects {
//other plugins you may use
//apply plugin: "java"
apply plugin: "dependency-check"
repositories {
mavenCentral()
}
}
```
or
```
buildscript {
repositories {
maven {
url "https://plugins.gradle.org/m2/"
}
}
dependencies {
classpath "gradle.plugin.com.tools.security:dependency-check:0.0.3"
}
}
subprojects {
//other plugins you may use
//apply plugin: "java"
apply plugin: "dependency-check"
repositories {
mavenCentral()
}
}
```
In this way, the dependency check will be executed for all projects (including root project) or just sub projects.
#### Solution 3Maven Central
working in progress
### Step 2, Run gradle task
Once gradle plugin applied, run following gradle task to check the dependencies:
@@ -140,11 +91,18 @@ The reports will be generated automatically under `./reports` folder.
If your project includes multiple sub-projects, the report will be generated for each sub-project in different sub-directory.
### What if you are behind a proxy?
## FAQ
> **Questions List:**
> - What if I'm behind a proxy?
> - What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project?
> - How to customize the report directory?
### What if I'm behind a proxy?
Maybe you have to use proxy to access internet, in this case, you could configure proxy settings for this plugin:
```
```groovy
dependencyCheck {
proxyServer = "127.0.0.1" // required, the server name or IP address of the proxy
proxyPort = 3128 // required, the port number of the proxy
@@ -156,3 +114,57 @@ dependencyCheck {
// proxyPassword = "password"
}
```
### What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project?
Try put 'apply plugin: "dependency-check"' inside the 'allprojects' or 'subprojects' if you'd like to check all sub-projects only, see below:
(1) For all projects including root project:
```groovy
buildscript {
repositories {
mavenCentral()
}
dependencies {
classpath "gradle.plugin.com.tools.security:dependency-check:0.0.4"
}
}
allprojects {
apply plugin: "dependency-check"
}
```
(2) For all sub-projects:
```groovy
buildscript {
repositories {
mavenCentral()
}
dependencies {
classpath "gradle.plugin.com.tools.security:dependency-check:0.0.4"
}
}
subprojects {
apply plugin: "dependency-check"
}
```
In this way, the dependency check will be executed for all projects (including root project) or just sub projects.
### How to customize the report directory?
By default, all reports will be placed under `./reports` folder, to change the default directory, just modify it in the configuration section like this:
```groovy
subprojects {
apply plugin: "dependency-check"
dependencyCheck {
outputDirectory = "./customized-path/security-report"
}
}
```

59
dependency-check-gradle/build.gradle
View File

@@ -35,6 +35,7 @@ plugins {
apply plugin: 'idea'
apply plugin: 'groovy'
apply plugin: 'maven'
apply plugin: 'signing'
apply plugin: "com.gradle.plugin-publish"
repositories {
@@ -50,56 +51,10 @@ dependencies {
)
}
group = 'com.tools.security'
version = '0.0.3'
group = 'com.thoughtworks.tools'
version = '0.0.5'
//-------------------------------
// Local debug use only
//
uploadArchives {
repositories {
mavenDeployer {
repository(url: uri('../../../repo'))
}
}
}
//-------------------------------
// publish to Bintray
plugindev {
pluginId = 'dependency.check'
pluginName = 'dependency-check'
pluginImplementationClass 'com.tools.security.plugin.DependencyCheckGradlePlugin'
pluginDescription 'This is dependency check gradle plugin.'
pluginLicenses 'Apache-2.0'
pluginTags 'dependency check', 'security'
authorId 'wmaintw'
authorName 'Wei Ma'
authorEmail 'wma@thoughtworks.com'
projectUrl 'https://github.com/wmaintw/DependencyCheck'
projectIssuesUrl 'https://github.com/wmaintw/DependencyCheck/issues'
projectVcsUrl 'git@github.com:wmaintw/DependencyCheck.git'
projectInceptionYear '2015'
done()
}
bintray {
user = bintrayUser
key = bintrayUserKey
pkg.repo = bintrayRepo
}
// publish to gradle plugin portal
pluginBundle {
website = 'https://github.com/wmaintw/DependencyCheck'
vcsUrl = 'git@github.com:wmaintw/DependencyCheck.git'
description = 'This is dependency check gradle plugin.'
tags = ['dependency check', 'security']
plugins {
dependencyCheckPlugin {
id = 'dependency.check'
displayName = 'dependency-check'
}
}
}
apply from: 'conf/publish/local.gradle'
//apply from: 'conf/publish/maven.gradle'
apply from: 'conf/publish/gradlePluginsPortal.gradle'
apply from: 'conf/publish/bintray.gradle' // according to the documentation of plugindev, this line has to be placed and the very end of the build file

41
dependency-check-gradle/conf/publish/bintray.gradle Normal file
View File

@@ -0,0 +1,41 @@
/*
* This file is part of dependency-check-gradle.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 Wei Ma. All Rights Reserved.
*/
// publish to Bintray
plugindev {
pluginId = 'dependency.check'
pluginName = 'dependency-check'
pluginImplementationClass 'com.tools.security.plugin.DependencyCheckGradlePlugin'
pluginDescription 'This is dependency check gradle plugin.'
pluginLicenses 'Apache-2.0'
pluginTags 'dependency check', 'security'
authorId 'wmaintw'
authorName 'Wei Ma'
authorEmail 'wma@thoughtworks.com'
projectUrl 'https://github.com/wmaintw/DependencyCheck'
projectIssuesUrl 'https://github.com/wmaintw/DependencyCheck/issues'
projectVcsUrl 'git@github.com:wmaintw/DependencyCheck.git'
projectInceptionYear '2015'
done()
}
bintray {
user = bintrayUser
key = bintrayUserKey
pkg.repo = bintrayRepo
}

32
dependency-check-gradle/conf/publish/gradlePluginsPortal.gradle Normal file
View File

@@ -0,0 +1,32 @@
/*
* This file is part of dependency-check-gradle.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 Wei Ma. All Rights Reserved.
*/
// publish to gradle plugin portal
pluginBundle {
website = 'https://github.com/wmaintw/DependencyCheck'
vcsUrl = 'git@github.com:wmaintw/DependencyCheck.git'
description = 'This is dependency check gradle plugin.'
tags = ['dependency check', 'security']
plugins {
dependencyCheckPlugin {
id = 'dependency.check'
displayName = 'dependency-check'
}
}
}

26
dependency-check-gradle/conf/publish/local.gradle Normal file
View File

@@ -0,0 +1,26 @@
/*
* This file is part of dependency-check-gradle.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 Wei Ma. All Rights Reserved.
*/
//Local debug use only
uploadArchives {
repositories {
mavenDeployer {
repository(url: uri('../../../repo'))
}
}
}

75
dependency-check-gradle/conf/publish/maven.gradle Normal file
View File

@@ -0,0 +1,75 @@
/*
* This file is part of dependency-check-gradle.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 Wei Ma. All Rights Reserved.
*/
//upload to maven central
uploadArchives {
repositories {
mavenDeployer {
beforeDeployment { MavenDeployment deployment -> signing.signPom(deployment) }
repository(url: "https://oss.sonatype.org/service/local/staging/deploy/maven2/") {
authentication(userName: sonatypeUsername, password: sonatypePassword)
}
snapshotRepository(url: "https://oss.sonatype.org/content/repositories/snapshots/") {
authentication(userName: sonatypeUsername, password: sonatypePassword)
}
pom.project {
name 'Dependency Check Gradle Plugin'
packaging 'jar'
description 'Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies.'
url 'https://github.com/wmaintw/DependencyCheck/tree/master/dependency-check-gradle'
scm {
connection 'git@github.com:wmaintw/DependencyCheck.git'
developerConnection 'git@github.com:wmaintw/DependencyCheck.git'
url 'https://github.com/wmaintw/DependencyCheck'
}
licenses {
license {
name 'The Apache License, Version 2.0'
url 'http://www.apache.org/licenses/LICENSE-2.0.txt'
}
}
developers {
developer {
id 'wmaintw'
name 'Wei Ma'
email 'wma@thoughtworks.com'
}
}
}
}
}
}
task javadocJar(type: Jar) {
classifier = 'javadoc'
from javadoc
}
artifacts {
archives javadocJar, sourcesJar
}
signing {
sign configurations.archives
}

8
dependency-check-gradle/src/main/groovy/com/tools/security/extension/DependencyCheckConfigurationExtension.groovy
View File

@@ -23,4 +23,12 @@ class DependencyCheckConfigurationExtension {
Integer proxyPort
String proxyUsername = ""
String proxyPassword = ""
String cveUrl12Modified = "https://nvd.nist.gov/download/nvdcve-Modified.xml.gz"
String cveUrl20Modified = "https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz"
Integer cveStartYear = 2002
String cveUrl12Base = "https://nvd.nist.gov/download/nvdcve-%d.xml.gz"
String cveUrl20Base = "https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz"
String outputDirectory = "./reports"
}

16
dependency-check-gradle/src/main/groovy/com/tools/security/tasks/DependencyCheckTask.groovy
View File

@@ -52,6 +52,7 @@ class DependencyCheckTask extends DefaultTask {
def initializeSettings() {
Settings.initialize()
overrideProxySetting()
overrideCveUrlSetting()
}
def verifyDependencies(engine) {
@@ -76,7 +77,12 @@ class DependencyCheckTask extends DefaultTask {
logger.lifecycle("Generating report for project ${currentProjectName}")
def reportGenerator = new ReportGenerator(currentProjectName, engine.dependencies, engine.analyzers,
new CveDB().databaseProperties)
reportGenerator.generateReports("./reports/${currentProjectName}", ReportGenerator.Format.ALL)
reportGenerator.generateReports(generateReportDirectory(currentProjectName), ReportGenerator.Format.ALL)
}
def generateReportDirectory(String currentProjectName) {
"${project.dependencyCheck.outputDirectory}/${currentProjectName}"
}
def overrideProxySetting() {
@@ -101,4 +107,12 @@ class DependencyCheckTask extends DefaultTask {
}
}.flatten();
}
def overrideCveUrlSetting() {
setString(Settings.KEYS.CVE_MODIFIED_20_URL, project.dependencyCheck.cveUrl20Modified)
setString(Settings.KEYS.CVE_MODIFIED_12_URL, project.dependencyCheck.cveUrl12Modified)
setString(Settings.KEYS.CVE_START_YEAR, "${project.dependencyCheck.cveStartYear}")
setString(Settings.KEYS.CVE_SCHEMA_2_0, project.dependencyCheck.cveUrl20Base)
setString(Settings.KEYS.CVE_SCHEMA_1_2, project.dependencyCheck.cveUrl12Base)
}
}

2
dependency-check-jenkins/pom.xml
View File

@@ -76,7 +76,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>2.6</version>
<version>${reporting.project-info-reports-plugin.version}</version>
<reportSets>
<reportSet>
<reports>

22
dependency-check-maven/pom.xml
View File

@@ -130,7 +130,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>2.7</version>
<version>${reporting.project-info-reports-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
@@ -144,7 +144,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-plugin-plugin</artifactId>
<version>3.2</version>
<version>${reporting.maven-plugin-plugin.version}</version>
<configuration>
<goalPrefix>dependency-check</goalPrefix>
</configuration>
@@ -152,7 +152,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.9.1</version>
<version>${reporting.javadoc-plugin.version}</version>
<configuration>
<failOnError>false</failOnError>
<bottom>Copyright© 2012-15 Jeremy Long. All Rights Reserved.</bottom>
@@ -169,7 +169,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>2.1</version>
<version>${reporting.versions-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
@@ -182,17 +182,17 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>2.4</version>
<version>${reporting.jxr-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>2.6</version>
<version>${reporting.cobertura-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>2.16</version>
<version>${reporting.surefire-report-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
@@ -204,7 +204,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
<version>2.4</version>
<version>${reporting.taglist-plugin.version}</version>
<configuration>
<tagListOptions>
<tagClasses>
@@ -228,7 +228,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
<version>2.11</version>
<version>${reporting.checkstyle-plugin.version}</version>
<configuration>
<enableRulesSummary>false</enableRulesSummary>
<enableFilesSummary>false</enableFilesSummary>
@@ -241,7 +241,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<version>3.1</version>
<version>${reporting.pmd-plugin.version}</version>
<configuration>
<targetJdk>1.6</targetJdk>
<linkXref>true</linkXref>
@@ -261,7 +261,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>2.5.3</version>
<version>${reporting.findbugs-plugin.version}</version>
</plugin>
</plugins>
</reporting>

18
dependency-check-utils/pom.xml
View File

@@ -104,7 +104,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.9.1</version>
<version>${reporting.javadoc-plugin.version}</version>
<configuration>
<failOnError>false</failOnError>
<bottom>Copyright© 2012-15 Jeremy Long. All Rights Reserved.</bottom>
@@ -121,7 +121,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>2.1</version>
<version>${reporting.versions-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
@@ -134,17 +134,17 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>2.4</version>
<version>${reporting.jxr-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>2.6</version>
<version>${reporting.cobertura-plugin.version}</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>2.16</version>
<version>${reporting.surefire-report-plugin.version}</version>
<reportSets>
<reportSet>
<reports>
@@ -156,7 +156,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
<version>2.4</version>
<version>${reporting.taglist-plugin.version}</version>
<configuration>
<tagListOptions>
<tagClasses>
@@ -180,7 +180,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
<version>2.11</version>
<version>${reporting.checkstyle-plugin.version}</version>
<configuration>
<enableRulesSummary>false</enableRulesSummary>
<enableFilesSummary>false</enableFilesSummary>
@@ -193,7 +193,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<version>3.0.1</version>
<version>${reporting.pmd-plugin.version}</version>
<configuration>
<targetJdk>1.6</targetJdk>
<linkXref>true</linkXref>
@@ -212,7 +212,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>2.5.3</version>
<version>${reporting.findbugs-plugin.version}</version>
<configuration>
<onlyAnalyze>org.owasp.dependencycheck.utils.*</onlyAnalyze>
</configuration>

16
dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/FileUtils.java
View File

@@ -78,7 +78,7 @@ public final class FileUtils {
boolean success = true;
if (!org.apache.commons.io.FileUtils.deleteQuietly(file)) {
success = false;
LOGGER.info("Failed to delete file: {}; attempting to delete on exit.", file.getPath());
LOGGER.debug("Failed to delete file: {}; attempting to delete on exit.", file.getPath());
file.deleteOnExit();
}
return success;
@@ -103,16 +103,16 @@ public final class FileUtils {
}
/**
* Returns the data directory. If a path was specified in dependencycheck.properties or was specified using the
* Settings object, and the path exists, that path will be returned as a File object. If it does not exist, then a
* File object will be created based on the file location of the JAR containing the specified class.
* Returns the data directory. If a path was specified in dependencycheck.properties or was specified using the Settings
* object, and the path exists, that path will be returned as a File object. If it does not exist, then a File object will be
* created based on the file location of the JAR containing the specified class.
*
* @param configuredFilePath the configured relative or absolute path
* @param clazz the class to resolve the path
* @return a File object
* @throws IOException is thrown if the path could not be decoded
* @deprecated This method should no longer be used. See the implementation in dependency-check-cli/App.java to see
* how the data directory should be set.
* @deprecated This method should no longer be used. See the implementation in dependency-check-cli/App.java to see how the
* data directory should be set.
*/
@java.lang.Deprecated
public static File getDataDirectory(String configuredFilePath, Class clazz) throws IOException {
@@ -126,8 +126,8 @@ public final class FileUtils {
}
/**
* Retrieves the physical path to the parent directory containing the provided class. For example, if a JAR file
* contained a class org.something.clazz this method would return the parent directory of the JAR file.
* Retrieves the physical path to the parent directory containing the provided class. For example, if a JAR file contained a
* class org.something.clazz this method would return the parent directory of the JAR file.
*
* @param clazz the class to determine the parent directory of
* @return the parent directory of the file containing the specified class.

25
dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
View File

@@ -130,6 +130,14 @@ public final class Settings {
* The properties key for the CVE schema version 2.0.
*/
public static final String CVE_SCHEMA_2_0 = "cve.url-2.0.base";
/**
* The properties key that indicates how often the CPE data needs to be updated.
*/
public static final String CPE_MODIFIED_VALID_FOR_DAYS = "cpe.validfordays";
/**
* The properties key for the URL to retrieve the CPE.
*/
public static final String CPE_URL = "cpe.url";
/**
* The properties key for the proxy server.
*
@@ -732,16 +740,15 @@ public final class Settings {
*
* @param connectionStringKey the property file key for the connection string
* @param dbFileNameKey the settings key for the db filename
* @param dbVersionKey the settings key for the dbVersion
* @return the connection string
* @throws IOException thrown the data directory cannot be created
* @throws InvalidSettingException thrown if there is an invalid setting
*/
public static String getConnectionString(String connectionStringKey, String dbFileNameKey, String dbVersionKey)
public static String getConnectionString(String connectionStringKey, String dbFileNameKey)
throws IOException, InvalidSettingException {
final String connStr = Settings.getString(connectionStringKey);
if (connStr == null) {
final String msg = String.format("Invalid properties file to get the connection string; '%s' must be defined.",
final String msg = String.format("Invalid properties file; data.connection_string is missing.",
connectionStringKey);
throw new InvalidSettingException(msg);
}
@@ -756,18 +763,6 @@ public final class Settings {
dbFileNameKey);
throw new InvalidSettingException(msg);
}
if (fileName.contains("%s")) {
String version = null;
if (dbVersionKey != null) {
version = Settings.getString(dbVersionKey);
}
if (version == null) {
final String msg = String.format("Invalid properties file to get a file based connection string; '%s' must be defined.",
dbFileNameKey);
throw new InvalidSettingException(msg);
}
fileName = String.format(fileName, version);
}
if (connStr.startsWith("jdbc:h2:file:") && fileName.endsWith(".h2.db")) {
fileName = fileName.substring(0, fileName.length() - 6);
}

12
dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/SettingsTest.java
View File

@@ -163,21 +163,15 @@ public class SettingsTest extends BaseTest {
*/
@Test
public void testGetConnectionString() throws Exception {
String value = Settings.getConnectionString(Settings.KEYS.DB_CONNECTION_STRING, Settings.KEYS.DB_FILE_NAME, Settings.KEYS.DB_VERSION);
String value = Settings.getConnectionString(Settings.KEYS.DB_CONNECTION_STRING, Settings.KEYS.DB_FILE_NAME);
Assert.assertNotNull(value);
String msg = null;
try {
value = Settings.getConnectionString(Settings.KEYS.DB_CONNECTION_STRING, Settings.KEYS.DB_FILE_NAME, null);
value = Settings.getConnectionString("invalidKey", null);
} catch (InvalidSettingException e) {
msg = e.getMessage();
}
Assert.assertNotNull(msg, msg);
try {
value = Settings.getConnectionString("invalidKey", null, null);
} catch (InvalidSettingException e) {
msg = e.getMessage();
}
Assert.assertNotNull(msg, msg);
Assert.assertNotNull(msg);
}
/**

2
dependency-check-utils/src/test/resources/dependencycheck.properties
View File

@@ -16,7 +16,7 @@ engine.version.url=http://jeremylong.github.io/DependencyCheck/current.txt
# will not be used. The data.directory will be resolved and if the connection string
# below contains a %s then the data.directory will replace the %s.
data.directory=[JAR]/data
data.file_name=cve.%s.h2.db
data.file_name=dc.h2.db
data.version=2.9
data.connection_string=jdbc:h2:file:%s;FILE_LOCK=SERIALIZED;AUTOCOMMIT=ON;
#data.connection_string=jdbc:h2:file:%s;AUTO_SERVER=TRUE;AUTOCOMMIT=ON;

15
pom.xml
View File

@@ -129,6 +129,19 @@ Copyright (c) 2012 - Jeremy Long
<apache.lucene.version>4.7.2</apache.lucene.version>
<slf4j.version>1.7.12</slf4j.version>
<logback.version>1.1.3</logback.version>
<reporting.checkstyle-plugin.version>2.11</reporting.checkstyle-plugin.version>
<reporting.cobertura-plugin.version>2.6</reporting.cobertura-plugin.version>
<reporting.findbugs-plugin.version>2.5.3</reporting.findbugs-plugin.version>
<reporting.javadoc-plugin.version>2.9.1</reporting.javadoc-plugin.version>
<reporting.jxr-plugin.version>2.4</reporting.jxr-plugin.version>
<!-- todo(code review): only used in maven module? Not needed elsewhere -->
<reporting.maven-plugin-plugin.version>3.2</reporting.maven-plugin-plugin.version>
<reporting.pmd-plugin.version>3.0.1</reporting.pmd-plugin.version>
<!-- TODO(code review) project-info-reports-plugin was/is not used in utils. Expected/intended? -->
<reporting.project-info-reports-plugin.version>2.7</reporting.project-info-reports-plugin.version>
<reporting.surefire-report-plugin.version>2.16</reporting.surefire-report-plugin.version>
<reporting.taglist-plugin.version>2.4</reporting.taglist-plugin.version>
<reporting.versions-plugin.version>2.1</reporting.versions-plugin.version>
</properties>
<distributionManagement>
<site>
@@ -330,7 +343,7 @@ Copyright (c) 2012 - Jeremy Long
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>2.7</version>
<version>${reporting.project-info-reports-plugin.version}</version>
<reportSets>
<reportSet>
<reports>