github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-20 16:24:11 +01:00
Code Issues Packages Projects Releases Wiki Activity

implementing the purge feature as requested in issue #328

Browse Source
This commit is contained in:
Jeremy Long
2015-08-30 07:02:26 -04:00
parent 29626666a7
commit e630c484ff
8 changed files with 191 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java
View File

@@ -605,6 +605,29 @@ public class DependencyCheckTask extends Task {
this.centralAnalyzerEnabled = centralAnalyzerEnabled; this.centralAnalyzerEnabled = centralAnalyzerEnabled;
} }
/**
* Whether or not the local copy of the NVD should be purged.
*/
private boolean purge = false;
/**
* Used to determine if the local copy of the NVD should be purged.
*
* @return true if the local copy of the NVD should be purged
*/
public boolean isPurge() {
return purge;
}
/**
* Set whether or not the local copy of the NVD should be purged.
*
* @param purge setting to true will cause the local copy of the NVD to be deleted.
*/
public void setPurge(boolean purge) {
this.purge = purge;
}
/** /**
* Whether or not the nexus analyzer is enabled. * Whether or not the nexus analyzer is enabled.
*/ */
@@ -929,7 +952,23 @@ public class DependencyCheckTask extends Task {
dealWithReferences(); dealWithReferences();
validateConfiguration(); validateConfiguration();
populateSettings(); populateSettings();
if (purge) {
File db;
try {
db = new File(Settings.getDataDirectory(), "dc.h2.db");
if (db.exists()) {
if (db.delete()) {
log("Database file purged; local copy of the NVD has been removed", Project.MSG_INFO);
} else {
log(String.format("Unable to delete '%s'; please delete the file manually", db.getAbsolutePath()), Project.MSG_ERR);
}
} else {
log(String.format("Unable to purge database; the database file does not exists: %s", db.getAbsolutePath()), Project.MSG_ERR);
}
} catch (IOException ex) {
log("Unable to delete the database", Project.MSG_ERR);
}
}
Engine engine = null; Engine engine = null;
try { try {
engine = new Engine(DependencyCheckTask.class.getClassLoader()); engine = new Engine(DependencyCheckTask.class.getClassLoader());

1
dependency-check-ant/src/site/markdown/configuration.md
View File

@@ -76,3 +76,4 @@ databaseDriverPath | The path to the database driver JAR file; only used if th
connectionString | The connection string used to connect to the database. |   connectionString | The connection string used to connect to the database. |  
databaseUser | The username used when connecting to the database. |   databaseUser | The username used when connecting to the database. |  
databasePassword | The password used when connecting to the database. |   databasePassword | The password used when connecting to the database. |  
purge | Delete the local copy of the NVD. This is used to force a refresh of the data. |  

24
dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
View File

@@ -37,6 +37,7 @@ import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import ch.qos.logback.core.FileAppender; import ch.qos.logback.core.FileAppender;
import java.util.logging.Level;
import org.slf4j.impl.StaticLoggerBinder; import org.slf4j.impl.StaticLoggerBinder;
/** /**
@@ -90,7 +91,28 @@ public class App {
prepareLogger(cli.getVerboseLog()); prepareLogger(cli.getVerboseLog());
} }
if (cli.isGetVersion()) { if (cli.isPurge()) {
if (cli.getConnectionString() != null) {
LOGGER.error("Unable to purge the database when using a non-default connection string");
} else {
populateSettings(cli);
File db;
try {
db = new File(Settings.getDataDirectory(), "dc.h2.db");
if (db.exists()) {
if (db.delete()) {
LOGGER.info("Database file purged; local copy of the NVD has been removed");
} else {
LOGGER.error("Unable to delete '{}'; please delete the file manually", db.getAbsolutePath());
}
} else {
LOGGER.error("Unable to purge database; the database file does not exists: {}", db.getAbsolutePath());
}
} catch (IOException ex) {
LOGGER.error("Unable to delete the database");
}
}
} else if (cli.isGetVersion()) {
cli.printVersionInfo(); cli.printVersionInfo();
} else if (cli.isUpdateOnly()) { } else if (cli.isUpdateOnly()) {
populateSettings(cli); populateSettings(cli);

2
dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
View File

@@ -987,7 +987,7 @@ public final class CliParser {
/** /**
* The long CLI argument name specifying that only the update phase should be executed; no scan should be run. * The long CLI argument name specifying that only the update phase should be executed; no scan should be run.
*/ */
public static final String PURGE_NVD = "purgelocalnvd"; public static final String PURGE_NVD = "purge";
/** /**
* The long CLI argument name specifying the directory to write the reports to. * The long CLI argument name specifying the directory to write the reports to.
*/ */

1
dependency-check-cli/src/site/markdown/arguments.md
View File

@@ -56,3 +56,4 @@ Short | Argument Name        | Paramete
| \-\-dbPassword | \<password\> | The password for connecting to the database. | &nbsp; | \-\-dbPassword | \<password\> | The password for connecting to the database. | &nbsp;
| \-\-dbUser | \<user\> | The username used to connect to the database. | &nbsp; | \-\-dbUser | \<user\> | The username used to connect to the database. | &nbsp;
\-d | \-\-data | \<path\> | The location of the data directory used to store persistent data. This option should generally not be set. | &nbsp; \-d | \-\-data | \<path\> | The location of the data directory used to store persistent data. This option should generally not be set. | &nbsp;
| \-\-purge | | Delete the local copy of the NVD. This is used to force a refresh of the data. | &nbsp;

11
dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
View File

@@ -233,6 +233,15 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
*/ */
@Parameter(property = "connectionString", defaultValue = "", required = false) @Parameter(property = "connectionString", defaultValue = "", required = false)
private String connectionString; private String connectionString;
/**
* Returns the connection string.
*
* @return the connection string
*/
protected String getConnectionString() {
return connectionString;
}
/** /**
* The database driver name. An example would be org.h2.Driver. * The database driver name. An example would be org.h2.Driver.
*/ */
@@ -594,7 +603,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
* Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
* required to change the proxy url, port, and connection timeout. * required to change the proxy url, port, and connection timeout.
*/ */
private void populateSettings() { protected void populateSettings() {
Settings.initialize(); Settings.initialize();
InputStream mojoProperties = null; InputStream mojoProperties = null;
try { try {

107
dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/PurgeMojo.java Normal file
View File

@@ -0,0 +1,107 @@
/*
* This file is part of dependency-check-maven.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.maven;
import java.io.File;
import java.io.IOException;
import java.util.Locale;
import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugin.MojoFailureException;
import org.apache.maven.plugins.annotations.LifecyclePhase;
import org.apache.maven.plugins.annotations.Mojo;
import org.apache.maven.plugins.annotations.ResolutionScope;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.utils.Settings;
/**
* Maven Plugin that purges the local copy of the NVD data.
*
* @author Jeremy Long
*/
@Mojo(
name = "purge",
defaultPhase = LifecyclePhase.GENERATE_RESOURCES,
threadSafe = true,
requiresDependencyResolution = ResolutionScope.NONE,
requiresOnline = true
)
public class PurgeMojo extends BaseDependencyCheckMojo {
/**
* Returns false; this mojo cannot generate a report.
*
* @return <code>false</code>
*/
@Override
public boolean canGenerateReport() {
return false;
}
/**
* Purges the local copy of the NVD.
*
* @throws MojoExecutionException thrown if there is an exception executing the goal
* @throws MojoFailureException thrown if dependency-check is configured to fail the build
*/
@Override
public void runCheck() throws MojoExecutionException, MojoFailureException {
if (getConnectionString() != null && !getConnectionString().isEmpty()) {
getLog().error("Unable to purge the local NVD when using a non-default connection string");
} else {
populateSettings();
File db;
try {
db = new File(Settings.getDataDirectory(), "dc.h2.db");
if (db.exists()) {
if (db.delete()) {
getLog().info("Database file purged; local copy of the NVD has been removed");
} else {
getLog().error(String.format("Unable to delete '%s'; please delete the file manually", db.getAbsolutePath()));
}
} else {
getLog().error(String.format("Unable to purge database; the database file does not exists: %s", db.getAbsolutePath()));
}
} catch (IOException ex) {
getLog().error("Unable to delete the database");
}
Settings.cleanup();
}
}
/**
* Returns the report name.
*
* @param locale the location
* @return the report name
*/
public String getName(Locale locale) {
return "dependency-check-purge";
}
/**
* Gets the description of the Dependency-Check report to be displayed in the Maven Generated Reports page.
*
* @param locale The Locale to get the description for
* @return the description
*/
public String getDescription(Locale locale) {
return "Purges the local cache of the NVD dataT.";
}
}

15
dependency-check-maven/src/site/markdown/configuration.md
View File

@@ -6,6 +6,7 @@ Goal | Description
aggregate | Runs dependency-check against the child projects and aggregates the results into a single report. aggregate | Runs dependency-check against the child projects and aggregates the results into a single report.
check | Runs dependency-check against the project and generates a report. check | Runs dependency-check against the project and generates a report.
update-only | Updates the local cache of the NVD data from NIST. update-only | Updates the local cache of the NVD data from NIST.
purge | Deletes the local copy of the NVD. This is used to force a refresh of the data.
Configuration Configuration
==================== ====================
@@ -49,13 +50,13 @@ Advanced Configuration
The following properties can be configured in the plugin. However, they are less frequently changed. One exception The following properties can be configured in the plugin. However, they are less frequently changed. One exception
may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment. may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment.
Property | Description | Default Value Property | Description | Default Value
---------------------|--------------------------------------------------------------------------|------------------ ---------------------|---------------------------------------------------------------------------------------------|------------------
cveUrl12Modified | URL for the modified CVE 1.2. | http://nvd.nist.gov/download/nvdcve-modified.xml cveUrl12Modified | URL for the modified CVE 1.2. | http://nvd.nist.gov/download/nvdcve-modified.xml
cveUrl20Modified | URL for the modified CVE 2.0. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml cveUrl20Modified | URL for the modified CVE 2.0. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year. | http://nvd.nist.gov/download/nvdcve-%d.xml cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year. | http://nvd.nist.gov/download/nvdcve-%d.xml
cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
connectionTimeout | Sets the URL Connection Timeout used when downloading external data. | &nbsp; connectionTimeout | Sets the URL Connection Timeout used when downloading external data. | &nbsp;
dataDirectory | Sets the data directory to hold SQL CVEs contents. This should generally not be changed. | &nbsp; dataDirectory | Sets the data directory to hold SQL CVEs contents. This should generally not be changed. | &nbsp;
databaseDriverName | The name of the database driver. Example: org.h2.Driver. | &nbsp; databaseDriverName | The name of the database driver. Example: org.h2.Driver. | &nbsp;
databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | &nbsp; databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | &nbsp;