From e954fa6478de67413ac2ba643bc6fbf55cfc7719 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Thu, 13 Feb 2014 20:20:19 -0500
Subject: [PATCH] fixes for issue #63 and issue #65
Former-commit-id: 40e4da9fe17999748dd94ee91a1c9451576cab75
---
 .../taskdefs/DependencyCheckTask.java | 34 +++++++--------
 .../src/site/markdown/configuration.md | 2 +-
 .../java/org/owasp/dependencycheck/App.java | 17 ++------
 .../owasp/dependencycheck/cli/CliParser.java | 18 ++++----
 .../src/site/markdown/arguments.md | 2 +-
 .../analyzer/ArchiveAnalyzer.java | 24 +++++------
 .../owasp/dependencycheck/utils/Settings.java | 4 +-
 .../maven/DependencyCheckMojo.java | 25 +++++------
 .../src/site/markdown/configuration.md | 42 +++++++++----------
 9 files changed, 76 insertions(+), 92 deletions(-)
diff --git a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java
index cf92df0ef..28a186c5c 100644
--- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java
+++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java
@@ -20,8 +20,6 @@ package org.owasp.dependencycheck.taskdefs;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
-import java.util.Arrays;
-import java.util.HashSet;
 import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -34,8 +32,6 @@ import org.apache.tools.ant.types.ResourceCollection;
 import org.apache.tools.ant.types.resources.FileProvider;
 import org.apache.tools.ant.types.resources.Resources;
 import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.analyzer.Analyzer;
-import org.owasp.dependencycheck.analyzer.ArchiveAnalyzer;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
@@ -621,29 +617,29 @@ public class DependencyCheckTask extends Task {
 }
 /**
- * File extensions to add to analysis next to jar, zip, ....
+ * Additional ZIP File extensions to add analyze. This should be a comma-separated list of file extensions to treat
+ * like ZIP files.
 */
- private String extraExtensions;
+ private String zipExtensions;
 /**
- * Get the value of extraExtensions.
+ * Get the value of zipExtensions.
 *
- * @return the value of extraExtensions
+ * @return the value of zipExtensions
 */
- public String getExtraExtensions() {
- return extraExtensions;
+ public String getZipExtensions() {
+ return zipExtensions;
 }
 /**
- * Set the value of extraExtensions.
+ * Set the value of zipExtensions.
 *
- * @param extraExtensions new value of extraExtensions
+ * @param zipExtensions new value of zipExtensions
 */
- public void setExtraExtensions(String extraExtensions) {
- this.extraExtensions = extraExtensions;
+ public void setZipExtensions(String zipExtensions) {
+ this.zipExtensions = zipExtensions;
 }
- @Override
 public void execute() throws BuildException {
 final InputStream in = DependencyCheckTask.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
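Review bot: The new field Javadoc in the `@@ -621` hunk has a grammatical slip, `Additional ZIP File extensions to add analyze.`; suggest `* Additional file extensions to analyze as ZIP archives. This should be a comma-separated list of file extensions to treat` followed by the existing `* like ZIP files.` line. The getter and setter Javadoc only restate the field name; `@return the comma-separated list of additional ZIP file extensions, or null if not set` and `@param zipExtensions comma-separated list of additional file extensions to treat as ZIP files` would tell an Ant build author what to pass. The surrounding class continues outside the hunk.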
@@ -655,11 +651,6 @@ public class DependencyCheckTask extends Task {
 final Engine engine = new Engine();
- if (extraExtensions != null && ! extraExtensions.isEmpty())
- for (Analyzer analyzer : engine.getAnalyzers())
- if (analyzer instanceof ArchiveAnalyzer)
- ((ArchiveAnalyzer)analyzer).addSupportedExtensions(new HashSet(Arrays.asList(extraExtensions.split("\\s*,\\s*"))));
-
 for (Resource resource : path) {
 final FileProvider provider = resource.as(FileProvider.class);
 if (provider != null) {
@@ -786,6 +777,9 @@ public class DependencyCheckTask extends Task {
 if (databasePassword != null && !databasePassword.isEmpty()) {
 Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
 }
+ if (zipExtensions != null && !zipExtensions.isEmpty()) {
+ Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
+ }
 }
 /**
diff --git a/dependency-check-ant/src/site/markdown/configuration.md b/dependency-check-ant/src/site/markdown/configuration.md
index 2da5c7c70..e4dc678ad 100644
--- a/dependency-check-ant/src/site/markdown/configuration.md
+++ b/dependency-check-ant/src/site/markdown/configuration.md
@@ -42,6 +42,6 @@ databaseDriverPath | The path to the database driver JAR file; only used if t
 connectionString | The connection string used to connect to the database. | Optional
 databaseUser | The username used when connecting to the database. | Optional
 databasePassword | The password used when connecting to the database. | Optional
-extraExtensions | List of extra extensions to be scanned, comma separated. | Optional
+zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional
diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
index 733d8d7ad..b2d186775 100644
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
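Review bot: The Settings.setString call added in the `@@ -786` hunk only takes effect if it runs before `new Engine()` in the `@@ -655` hunk, because the core change in this commit reads `Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS` once in ArchiveAnalyzer's static initializer. Whether execute() calls the settings-populating method before constructing the Engine is not visible in these hunks (the CLI and Maven hunks show that order explicitly), so it is worth confirming. A one-line comment beside the new block, e.g. `// must run before the Engine is created: ArchiveAnalyzer reads this key at class load`, would record the dependency. Both enclosing methods start outside the hunks.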
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
@@ -21,14 +21,10 @@ import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
-import java.util.Arrays;
-import java.util.HashSet;
 import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.apache.commons.cli.ParseException;
-import org.owasp.dependencycheck.analyzer.Analyzer;
-import org.owasp.dependencycheck.analyzer.ArchiveAnalyzer;
 import org.owasp.dependencycheck.cli.CliParser;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
@@ -87,7 +83,7 @@ public class App {
 cli.printVersionInfo();
 } else if (cli.isRunScan()) {
 updateSettings(cli);
- runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles(), cli.getExtraExtensions());
+ runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles(), cli.getAdditionalZipExtensions());
 } else {
 cli.printHelp();
 }
@@ -104,11 +100,6 @@ public class App {
 private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files, String extraExtensions) {
 final Engine scanner = new Engine();
- if (extraExtensions != null && ! extraExtensions.isEmpty())
- for (Analyzer analyzer : scanner.getAnalyzers())
- if (analyzer instanceof ArchiveAnalyzer)
- ((ArchiveAnalyzer)analyzer).addSupportedExtensions(new HashSet(Arrays.asList(extraExtensions.split("\\s*,\\s*"))));
-
 for (String file : files) {
 scanner.scan(file);
 }
@@ -164,7 +155,7 @@ public class App {
 final String connectionString = cli.getConnectionString();
 final String databaseUser = cli.getDatabaseUser();
 final String databasePassword = cli.getDatabasePassword();
- final String extraExtensions = cli.getExtraExtensions();
+ final String additionalZipExtensions = cli.getAdditionalZipExtensions();
 if (propertiesFile != null) {
 try {
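Review bot: `runScan` keeps its fifth parameter `String extraExtensions` in the `@@ -104` hunk although the only code that read it is removed there, so the call in the `@@ -87` hunk still passes `cli.getAdditionalZipExtensions()` for a value that is never used; the same value is read again in the `@@ -164` hunk and, judging by the later Settings.setString hunk, stored in Settings from there. Dropping the dead parameter keeps the two paths from diverging: `private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files) {` and `runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles());`. runScan's body continues past the hunk.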
@@ -230,8 +221,8 @@ public class App {
 if (databasePassword != null && !databasePassword.isEmpty()) {
 Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
 }
- if (extraExtensions!= null && !extraExtensions.isEmpty()) {
- Settings.setString(Settings.KEYS.EXTRA_EXTENSIONS, extraExtensions);
+ if (additionalZipExtensions != null && !additionalZipExtensions.isEmpty()) {
+ Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, additionalZipExtensions);
 }
 }
 }
diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java
index 384855da8..fa01d0c97 100644
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java
@@ -204,8 +204,10 @@ public final class CliParser {
 .withDescription("The url to the Nexus Server.")
 .create();
- final Option extraExtensions = OptionBuilder.withArgName("extraExtensions").hasArg().withLongOpt(ArgumentName.EXTRA_EXTENSIONS)
- .withDescription("List of extra extensions to be scanned")
+ final Option additionalZipExtensions = OptionBuilder.withArgName("extensions").hasArg()
+ .withLongOpt(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS)
+ .withDescription("A comma seperated list of additional extensions to be scanned as ZIP files "
+ + "(ZIP, EAR, WAR are already treated as zip files)")
 .create();
 //This is an option group because it can be specified more then once.
@@ -225,7 +227,7 @@ public final class CliParser {
 .addOption(suppressionFile)
 .addOption(disableNexusAnalyzer)
 .addOption(nexusUrl)
- .addOption(extraExtensions);
+ .addOption(additionalZipExtensions);
 }
 /**
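Review bot: The option description added in the `@@ -204` hunk misspells "separated" in a string shown to users by the help output: `"A comma seperated list of additional extensions to be scanned as ZIP files "` should read `"A comma-separated list of additional extensions to be scanned as ZIP files "`. The parenthetical lists ZIP, EAR and WAR as already handled, while the ZIPPABLES set in the core hunk of this commit also contains nupkg; wording it as an example list (`"e.g. zip, ear, war"`) would keep it from going stale when that set changes.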
@@ -554,12 +556,12 @@ public final class CliParser {
 }
 /**
- * Returns the extra Extensions if specified; otherwise null is returned.
+ * Returns the additional Extensions if specified; otherwise null is returned.
 *
- * @return the extra Extensions; otherwise null is returned
+ * @return the additional Extensions; otherwise null is returned
 */
- public String getExtraExtensions() {
- return line.getOptionValue(ArgumentName.EXTRA_EXTENSIONS);
+ public String getAdditionalZipExtensions() {
+ return line.getOptionValue(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS);
 }
 /**
@@ -718,6 +720,6 @@ public final class CliParser {
 /**
 * The CLI argument name for setting extra extensions.
 */
- public static final String EXTRA_EXTENSIONS = "extraExtension";
+ public static final String ADDITIONAL_ZIP_EXTENSIONS = "zipExtensions";
 }
 }
diff --git a/dependency-check-cli/src/site/markdown/arguments.md b/dependency-check-cli/src/site/markdown/arguments.md
index 7ffd9bdaa..756999048 100644
--- a/dependency-check-cli/src/site/markdown/arguments.md
+++ b/dependency-check-cli/src/site/markdown/arguments.md
@@ -28,4 +28,4 @@ Short | Argument Name | Parameter | Description | Requirement
 | \-\-dbUser | \ | The username used to connect to the database. | Optional
 | \-\-disableNexus | | Disable the Nexus Analyzer. | Optional
 | \-\-nexus | \ | The url to the Nexus Server. | Optional
- | \-\-extraExtensions | \ | List of extensions to be scanned, comma separated. | Optional
\ No newline at end of file
+ | \-\-zipExtensions | \ | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional
\ No newline at end of file
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
index 6dbe6edd6..5c80345e7 100644
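Review bot: The Javadoc on the renamed constant in the `@@ -718` hunk still reads `The CLI argument name for setting extra extensions.` although the constant is now `ADDITIONAL_ZIP_EXTENSIONS` and the argument is `zipExtensions`; suggest `* The CLI argument name for the comma-separated list of additional file extensions to treat as ZIP archives.`. The getter Javadoc in the `@@ -554` hunk could likewise say what the value is rather than restating the name, e.g. `Returns the comma-separated list of additional ZIP file extensions if specified; otherwise null is returned.`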
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
@@ -17,8 +17,6 @@
 */
 package org.owasp.dependencycheck.analyzer;
-import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
-import org.owasp.dependencycheck.analyzer.exception.ArchiveExtractionException;
 import java.io.BufferedInputStream;
 import java.io.BufferedOutputStream;
 import java.io.File;
@@ -27,6 +25,7 @@ import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
@@ -42,6 +41,8 @@ import org.apache.commons.compress.compressors.gzip.GzipCompressorInputStream;
 import org.apache.commons.compress.compressors.gzip.GzipUtils;
 import org.h2.store.fs.FileUtils;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.analyzer.exception.ArchiveExtractionException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Settings;
@@ -88,19 +89,18 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
 */
 private static final Set ZIPPABLES = newHashSet("zip", "ear", "war", "nupkg");
 /**
- * The set of file extensions supported by this analyzer.
+ * The set of file extensions supported by this analyzer. Note for developers, any additions to this list will need
+ * to be explicitly handled in extractFiles().
 */
 private static final Set EXTENSIONS = newHashSet("tar", "gz", "tgz");
- static {
- EXTENSIONS.addAll(ZIPPABLES);
- }
- /**
- * Add a list of file EXTENSIONS to be supported by this analyzer.
- *
- */
- public void addSupportedExtensions(Set extraExtensions) {
- EXTENSIONS.addAll(extraExtensions);
+ static {
+ String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
+ if (additionalZipExt != null) {
+ HashSet ext = new HashSet(Arrays.asList(additionalZipExt));
+ ZIPPABLES.addAll(ext);
+ }
+ EXTENSIONS.addAll(ZIPPABLES);
 }
 /**
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java
index 7b5e33199..4fea0ae6b 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java
@@ -150,9 +150,9 @@ public final class Settings {
 */
 public static final String ANALYZER_ASSEMBLY_MONO_PATH = "analyzer.assembly.mono.path";
 /**
- * The extra extensions, if available.
+ * The additional configured zip file extensions, if available.
 */
- public static final String EXTRA_EXTENSIONS = "extra.extensions";
+ public static final String ADDITIONAL_ZIP_EXTENSIONS = "extensions.zip";
 }
 /**
 * The properties file location.
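Review bot: `Arrays.asList(additionalZipExt)` in the new static block wraps the whole setting value as a single element, so a comma-separated value (constructed example: `foo,bar`) is added to ZIPPABLES as the one "extension" `foo,bar` and neither extension is ever matched; the code this commit removes from the Ant, CLI and Maven modules split on `"\\s*,\\s*"` before adding. The fix is one line, `ZIPPABLES.addAll(Arrays.asList(additionalZipExt.split("\\s*,\\s*")));`, which also removes the raw-typed HashSet temporary. The value is read once at class initialization, so it only takes effect if the setting is stored before ArchiveAnalyzer is first loaded; a comment on the block, e.g. `// read once at class load: Settings must be populated before this analyzer is first used`, would make that contract visible. A whitespace-only value also passes the null check and would register a blank extension; trimming each entry and skipping empty ones avoids that.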
diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java
index ff9d10116..9e806b1b8 100644
--- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java
+++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java
@@ -23,7 +23,10 @@ import java.io.InputStream;
 import java.io.UnsupportedEncodingException;
 import java.net.URLEncoder;
 import java.text.DateFormat;
-import java.util.*;
+import java.util.Date;
+import java.util.List;
+import java.util.Locale;
+import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.apache.maven.artifact.Artifact;
@@ -42,8 +45,6 @@ import org.apache.maven.reporting.MavenMultiPageReport;
 import org.apache.maven.reporting.MavenReport;
 import org.apache.maven.reporting.MavenReportException;
 import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.analyzer.Analyzer;
-import org.owasp.dependencycheck.analyzer.ArchiveAnalyzer;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
@@ -227,12 +228,12 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
 @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
 @Parameter(property = "databasePassword", defaultValue = "", required = false)
 private String databasePassword;
- //
 /**
- * File extensions to add to analysis next to jar, zip, ....
+ * A comma-separated list of file extensions to add to analysis next to jar, zip, ....
 */
- @Parameter(property = "extraExtensions", required = false)
- private String[] extraExtensions;
+ @Parameter(property = "zipExtensions", required = false)
+ private String zipExtensions;
+ //
 /**
 * Executes the Dependency-Check on the dependent libraries.
 *
@@ -245,13 +246,6 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
 populateSettings();
 final Engine engine = new Engine();
-
- if (extraExtensions != null) {
- for (Analyzer analyzer : engine.getAnalyzers())
- if (analyzer instanceof ArchiveAnalyzer)
- ((ArchiveAnalyzer)analyzer).addSupportedExtensions(new HashSet(Arrays.asList(extraExtensions)));
- }
-
 final Set artifacts = project.getArtifacts();
 for (Artifact a : artifacts) {
 if (!Artifact.SCOPE_TEST.equals(a.getScope()) && !Artifact.SCOPE_PROVIDED.equals(a.getScope()) && !Artifact.SCOPE_RUNTIME.equals(a.getScope())) {
@@ -713,6 +707,9 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
 if (databasePassword != null && !databasePassword.isEmpty()) {
 Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
 }
+ if (zipExtensions != null && !zipExtensions.isEmpty()) {
+ Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
+ }
 }
 /**
diff --git a/dependency-check-maven/src/site/markdown/configuration.md b/dependency-check-maven/src/site/markdown/configuration.md
index ad56c3705..f1b753653 100644
--- a/dependency-check-maven/src/site/markdown/configuration.md
+++ b/dependency-check-maven/src/site/markdown/configuration.md
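Review bot: The field Javadoc rewritten in the `@@ -227` hunk, `A comma-separated list of file extensions to add to analysis next to jar, zip, ....`, describes the old behaviour; the core hunk in this commit adds these extensions to ZIPPABLES, i.e. files with them are extracted as ZIP archives, and the plugin's configuration.md updated in the same commit says exactly that. Suggest `* A comma-separated list of additional file extensions to be treated like a ZIP file; their contents will be extracted and analyzed.` so the pom documentation and the Javadoc agree. The type change from `String[]` to `String` also changes how the value is written in a pom (one comma-separated string rather than nested elements), which the Javadoc now needs to state; the `@@ -245` hunk shows `populateSettings()` runs before `new Engine()`, so the ordering the static initializer in ArchiveAnalyzer depends on is satisfied here.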
@@ -2,24 +2,24 @@ Configuration
 ====================
 The following properties can be set on the dependency-check-maven plugin.
-Property | Description | Default Value
---------------------|------------------------------------|------------------
-autoUpdate | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true
-externalReport | When using as a Site plugin this parameter sets whether or not the external report format should be used. | false
-failBuildOnCVSS | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. | 11
-format | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
-logFile | The file path to write verbose logging information. |
-suppressionFile | The file path to the XML suppression file \- used to suppress [false positives](../suppression.html) |
-connectionTimeout | The Connection Timeout. |
-proxyUrl | The Proxy URL. |
-proxyPort | The Proxy Port. |
-proxyUsername | Defines the proxy user name. |
-proxyPassword | Defines the proxy password. |
-nexusAnalyzerEnabled | The connection timeout used when downloading data files from the Internet. |
-nexusUrl | The connection timeout used when downloading data files from the Internet. |
-databaseDriverName | The name of the database driver. Example: org.h2.Driver. |
-databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. |
-connectionString | The connection string used to connect to the database. |
-databaseUser | The username used when connecting to the database. |
-databasePassword | The password used when connecting to the database. |
-extraExtensions | List of extra extensions to be scanned. |
+Property | Description | Default Value
+---------------------|------------------------------------|------------------
+autoUpdate | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true
+externalReport | When using as a Site plugin this parameter sets whether or not the external report format should be used. | false
+failBuildOnCVSS | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. | 11
+format | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
+logFile | The file path to write verbose logging information. |
+suppressionFile | The file path to the XML suppression file \- used to suppress [false positives](../suppression.html) |
+connectionTimeout | The Connection Timeout. |
+proxyUrl | The Proxy URL. |
+proxyPort | The Proxy Port. |
+proxyUsername | Defines the proxy user name. |
+proxyPassword | Defines the proxy password. |
+nexusAnalyzerEnabled | The connection timeout used when downloading data files from the Internet. |
+nexusUrl | The connection timeout used when downloading data files from the Internet. |
+databaseDriverName | The name of the database driver. Example: org.h2.Driver. |
+databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. |
+connectionString | The connection string used to connect to the database. |
+databaseUser | The username used when connecting to the database. |
+databasePassword | The password used when connecting to the database. |
+zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. |