github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-13 23:33:37 +01:00
Code Issues Packages Projects Releases Wiki Activity

fixes for issue #63 and issue #65

Browse Source 
Former-commit-id: 40e4da9fe17999748dd94ee91a1c9451576cab75
This commit is contained in:
Jeremy Long
2014-02-13 20:20:19 -05:00
parent a0fdfc0f39
commit e954fa6478
9 changed files with 76 additions and 92 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java
View File

@@ -20,8 +20,6 @@ package org.owasp.dependencycheck.taskdefs;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -34,8 +32,6 @@ import org.apache.tools.ant.types.ResourceCollection;
import org.apache.tools.ant.types.resources.FileProvider;
import org.apache.tools.ant.types.resources.Resources;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.Analyzer;
import org.owasp.dependencycheck.analyzer.ArchiveAnalyzer;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
@@ -621,29 +617,29 @@ public class DependencyCheckTask extends Task {
}
/**
* File extensions to add to analysis next to jar, zip, ....
* Additional ZIP File extensions to add analyze. This should be a comma-separated list of file extensions to treat
* like ZIP files.
*/
private String extraExtensions;
private String zipExtensions;
/**
* Get the value of extraExtensions.
* Get the value of zipExtensions.
*
* @return the value of extraExtensions
* @return the value of zipExtensions
*/
public String getExtraExtensions() {
return extraExtensions;
public String getZipExtensions() {
return zipExtensions;
}
/**
* Set the value of extraExtensions.
* Set the value of zipExtensions.
*
* @param extraExtensions new value of extraExtensions
* @param zipExtensions new value of zipExtensions
*/
public void setExtraExtensions(String extraExtensions) {
this.extraExtensions = extraExtensions;
public void setZipExtensions(String zipExtensions) {
this.zipExtensions = zipExtensions;
}
@Override
public void execute() throws BuildException {
final InputStream in = DependencyCheckTask.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
@@ -655,11 +651,6 @@ public class DependencyCheckTask extends Task {
final Engine engine = new Engine();
if (extraExtensions != null && ! extraExtensions.isEmpty())
for (Analyzer analyzer : engine.getAnalyzers())
if (analyzer instanceof ArchiveAnalyzer)
((ArchiveAnalyzer)analyzer).addSupportedExtensions(new HashSet<String>(Arrays.asList(extraExtensions.split("\\s*,\\s*"))));
for (Resource resource : path) {
final FileProvider provider = resource.as(FileProvider.class);
if (provider != null) {
@@ -786,6 +777,9 @@ public class DependencyCheckTask extends Task {
if (databasePassword != null && !databasePassword.isEmpty()) {
Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
}
if (zipExtensions != null && !zipExtensions.isEmpty()) {
Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
}
}
/**

2
dependency-check-ant/src/site/markdown/configuration.md
View File

@@ -42,6 +42,6 @@ databaseDriverPath | The path to the database driver JAR file; only used if t
connectionString | The connection string used to connect to the database. | Optional
databaseUser | The username used when connecting to the database. | Optional
databasePassword | The password used when connecting to the database. | Optional
extraExtensions | List of extra extensions to be scanned, comma separated. | Optional
zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional

17
dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
View File

@@ -21,14 +21,10 @@ import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.commons.cli.ParseException;
import org.owasp.dependencycheck.analyzer.Analyzer;
import org.owasp.dependencycheck.analyzer.ArchiveAnalyzer;
import org.owasp.dependencycheck.cli.CliParser;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
@@ -87,7 +83,7 @@ public class App {
cli.printVersionInfo();
} else if (cli.isRunScan()) {
updateSettings(cli);
runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles(), cli.getExtraExtensions());
runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles(), cli.getAdditionalZipExtensions());
} else {
cli.printHelp();
}
@@ -104,11 +100,6 @@ public class App {
private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files, String extraExtensions) {
final Engine scanner = new Engine();
if (extraExtensions != null && ! extraExtensions.isEmpty())
for (Analyzer analyzer : scanner.getAnalyzers())
if (analyzer instanceof ArchiveAnalyzer)
((ArchiveAnalyzer)analyzer).addSupportedExtensions(new HashSet<String>(Arrays.asList(extraExtensions.split("\\s*,\\s*"))));
for (String file : files) {
scanner.scan(file);
}
@@ -164,7 +155,7 @@ public class App {
final String connectionString = cli.getConnectionString();
final String databaseUser = cli.getDatabaseUser();
final String databasePassword = cli.getDatabasePassword();
final String extraExtensions = cli.getExtraExtensions();
final String additionalZipExtensions = cli.getAdditionalZipExtensions();
if (propertiesFile != null) {
try {
@@ -230,8 +221,8 @@ public class App {
if (databasePassword != null && !databasePassword.isEmpty()) {
Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
}
if (extraExtensions!= null && !extraExtensions.isEmpty()) {
Settings.setString(Settings.KEYS.EXTRA_EXTENSIONS, extraExtensions);
if (additionalZipExtensions != null && !additionalZipExtensions.isEmpty()) {
Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, additionalZipExtensions);
}
}
}

18
dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java
View File

@@ -204,8 +204,10 @@ public final class CliParser {
.withDescription("The url to the Nexus Server.")
.create();
final Option extraExtensions = OptionBuilder.withArgName("extraExtensions").hasArg().withLongOpt(ArgumentName.EXTRA_EXTENSIONS)
.withDescription("List of extra extensions to be scanned")
final Option additionalZipExtensions = OptionBuilder.withArgName("extensions").hasArg()
.withLongOpt(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS)
.withDescription("A comma seperated list of additional extensions to be scanned as ZIP files "
+ "(ZIP, EAR, WAR are already treated as zip files)")
.create();
//This is an option group because it can be specified more then once.
@@ -225,7 +227,7 @@ public final class CliParser {
.addOption(suppressionFile)
.addOption(disableNexusAnalyzer)
.addOption(nexusUrl)
.addOption(extraExtensions);
.addOption(additionalZipExtensions);
}
/**
@@ -554,12 +556,12 @@ public final class CliParser {
}
/**
* Returns the extra Extensions if specified; otherwise null is returned.
* Returns the additional Extensions if specified; otherwise null is returned.
*
* @return the extra Extensions; otherwise null is returned
* @return the additional Extensions; otherwise null is returned
*/
public String getExtraExtensions() {
return line.getOptionValue(ArgumentName.EXTRA_EXTENSIONS);
public String getAdditionalZipExtensions() {
return line.getOptionValue(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS);
}
/**
@@ -718,6 +720,6 @@ public final class CliParser {
/**
* The CLI argument name for setting extra extensions.
*/
public static final String EXTRA_EXTENSIONS = "extraExtension";
public static final String ADDITIONAL_ZIP_EXTENSIONS = "zipExtensions";
}
}

2
dependency-check-cli/src/site/markdown/arguments.md
View File

@@ -28,4 +28,4 @@ Short | Argument Name | Parameter | Description | Requirement
| \-\-dbUser | \<user\> | The username used to connect to the database. | Optional
| \-\-disableNexus | | Disable the Nexus Analyzer. | Optional
| \-\-nexus | \<url\> | The url to the Nexus Server. | Optional
| \-\-extraExtensions | \<strings\> | List of extensions to be scanned, comma separated. | Optional
| \-\-zipExtensions | \<strings\> | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional

24
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
View File

@@ -17,8 +17,6 @@
*/
package org.owasp.dependencycheck.analyzer;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.analyzer.exception.ArchiveExtractionException;
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.File;
@@ -27,6 +25,7 @@ import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
@@ -42,6 +41,8 @@ import org.apache.commons.compress.compressors.gzip.GzipCompressorInputStream;
import org.apache.commons.compress.compressors.gzip.GzipUtils;
import org.h2.store.fs.FileUtils;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.analyzer.exception.ArchiveExtractionException;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.utils.Settings;
@@ -88,19 +89,18 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
*/
private static final Set<String> ZIPPABLES = newHashSet("zip", "ear", "war", "nupkg");
/**
* The set of file extensions supported by this analyzer.
* The set of file extensions supported by this analyzer. Note for developers, any additions to this list will need
* to be explicitly handled in extractFiles().
*/
private static final Set<String> EXTENSIONS = newHashSet("tar", "gz", "tgz");
static {
EXTENSIONS.addAll(ZIPPABLES);
}
/**
* Add a list of file EXTENSIONS to be supported by this analyzer.
*
*/
public void addSupportedExtensions(Set<String> extraExtensions) {
EXTENSIONS.addAll(extraExtensions);
static {
String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
if (additionalZipExt != null) {
HashSet ext = new HashSet<String>(Arrays.asList(additionalZipExt));
ZIPPABLES.addAll(ext);
}
EXTENSIONS.addAll(ZIPPABLES);
}
/**

4
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java
View File

@@ -150,9 +150,9 @@ public final class Settings {
*/
public static final String ANALYZER_ASSEMBLY_MONO_PATH = "analyzer.assembly.mono.path";
/**
* The extra extensions, if available.
* The additional configured zip file extensions, if available.
*/
public static final String EXTRA_EXTENSIONS = "extra.extensions";
public static final String ADDITIONAL_ZIP_EXTENSIONS = "extensions.zip";
}
/**
* The properties file location.

25
dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java
View File

@@ -23,7 +23,10 @@ import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.text.DateFormat;
import java.util.*;
import java.util.Date;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.maven.artifact.Artifact;
@@ -42,8 +45,6 @@ import org.apache.maven.reporting.MavenMultiPageReport;
import org.apache.maven.reporting.MavenReport;
import org.apache.maven.reporting.MavenReportException;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.Analyzer;
import org.owasp.dependencycheck.analyzer.ArchiveAnalyzer;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
@@ -227,12 +228,12 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
@SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
@Parameter(property = "databasePassword", defaultValue = "", required = false)
private String databasePassword;
// </editor-fold>
/**
* File extensions to add to analysis next to jar, zip, ....
* A comma-separated list of file extensions to add to analysis next to jar, zip, ....
*/
@Parameter(property = "extraExtensions", required = false)
private String[] extraExtensions;
@Parameter(property = "zipExtensions", required = false)
private String zipExtensions;
// </editor-fold>
/**
* Executes the Dependency-Check on the dependent libraries.
*
@@ -245,13 +246,6 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
populateSettings();
final Engine engine = new Engine();
if (extraExtensions != null) {
for (Analyzer analyzer : engine.getAnalyzers())
if (analyzer instanceof ArchiveAnalyzer)
((ArchiveAnalyzer)analyzer).addSupportedExtensions(new HashSet<String>(Arrays.asList(extraExtensions)));
}
final Set<Artifact> artifacts = project.getArtifacts();
for (Artifact a : artifacts) {
if (!Artifact.SCOPE_TEST.equals(a.getScope()) && !Artifact.SCOPE_PROVIDED.equals(a.getScope()) && !Artifact.SCOPE_RUNTIME.equals(a.getScope())) {
@@ -713,6 +707,9 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
if (databasePassword != null && !databasePassword.isEmpty()) {
Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
}
if (zipExtensions != null && !zipExtensions.isEmpty()) {
Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
}
}
/**

42
dependency-check-maven/src/site/markdown/configuration.md
View File

@@ -2,24 +2,24 @@ Configuration
====================
The following properties can be set on the dependency-check-maven plugin.
Property | Description | Default Value
--------------------|------------------------------------|------------------
autoUpdate | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true
externalReport | When using as a Site plugin this parameter sets whether or not the external report format should be used. | false
failBuildOnCVSS | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. | 11
format | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
logFile | The file path to write verbose logging information. |
suppressionFile | The file path to the XML suppression file \- used to suppress [false positives](../suppression.html) |
connectionTimeout | The Connection Timeout. |
proxyUrl | The Proxy URL. |
proxyPort | The Proxy Port. |
proxyUsername | Defines the proxy user name. |
proxyPassword | Defines the proxy password. |
nexusAnalyzerEnabled | The connection timeout used when downloading data files from the Internet. |
nexusUrl | The connection timeout used when downloading data files from the Internet. |
databaseDriverName | The name of the database driver. Example: org.h2.Driver. |
databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. |
connectionString | The connection string used to connect to the database. |
databaseUser | The username used when connecting to the database. |
databasePassword | The password used when connecting to the database. |
extraExtensions | List of extra extensions to be scanned. |
Property | Description | Default Value
---------------------|------------------------------------|------------------
autoUpdate | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true
externalReport | When using as a Site plugin this parameter sets whether or not the external report format should be used. | false
failBuildOnCVSS | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. | 11
format | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
logFile | The file path to write verbose logging information. |
suppressionFile | The file path to the XML suppression file \- used to suppress [false positives](../suppression.html) |
connectionTimeout | The Connection Timeout. |
proxyUrl | The Proxy URL. |
proxyPort | The Proxy Port. |
proxyUsername | Defines the proxy user name. |
proxyPassword | Defines the proxy password. |
nexusAnalyzerEnabled | The connection timeout used when downloading data files from the Internet. |
nexusUrl | The connection timeout used when downloading data files from the Internet. |
databaseDriverName | The name of the database driver. Example: org.h2.Driver. |
databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. |
connectionString | The connection string used to connect to the database. |
databaseUser | The username used when connecting to the database. |
databasePassword | The password used when connecting to the database. |
zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. |