fixes for issue #63 and issue #65

Former-commit-id: 40e4da9fe17999748dd94ee91a1c9451576cab75

dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java

@@ -20,8 +20,6 @@ package org.owasp.dependencycheck.taskdefs;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
-import java.util.Arrays;
-import java.util.HashSet;
 import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -34,8 +32,6 @@ import org.apache.tools.ant.types.ResourceCollection;
 import org.apache.tools.ant.types.resources.FileProvider;
 import org.apache.tools.ant.types.resources.Resources;
 import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.analyzer.Analyzer;
-import org.owasp.dependencycheck.analyzer.ArchiveAnalyzer;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
@@ -621,29 +617,29 @@ public class DependencyCheckTask extends Task {
     }
 
     /**
-     * File extensions to add to analysis next to jar, zip, ....
+     * Additional ZIP File extensions to add analyze. This should be a comma-separated list of file extensions to treat
+     * like ZIP files.
      */
-    private String extraExtensions;
+    private String zipExtensions;
 
     /**
-     * Get the value of extraExtensions.
+     * Get the value of zipExtensions.
      *
-     * @return the value of extraExtensions
+     * @return the value of zipExtensions
      */
-    public String getExtraExtensions() {
+    public String getZipExtensions() {
-        return extraExtensions;
+        return zipExtensions;
     }
 
     /**
-     * Set the value of extraExtensions.
+     * Set the value of zipExtensions.
      *
-     * @param extraExtensions new value of extraExtensions
+     * @param zipExtensions new value of zipExtensions
      */
-    public void setExtraExtensions(String extraExtensions) {
+    public void setZipExtensions(String zipExtensions) {
-        this.extraExtensions = extraExtensions;
+        this.zipExtensions = zipExtensions;
     }
 
-
     @Override
     public void execute() throws BuildException {
         final InputStream in = DependencyCheckTask.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
@@ -655,11 +651,6 @@ public class DependencyCheckTask extends Task {
 
         final Engine engine = new Engine();
 
-        if (extraExtensions != null && ! extraExtensions.isEmpty())
-            for (Analyzer analyzer : engine.getAnalyzers())
-                if (analyzer instanceof ArchiveAnalyzer)
-                    ((ArchiveAnalyzer)analyzer).addSupportedExtensions(new HashSet<String>(Arrays.asList(extraExtensions.split("\\s*,\\s*"))));
-
         for (Resource resource : path) {
             final FileProvider provider = resource.as(FileProvider.class);
             if (provider != null) {
@@ -786,6 +777,9 @@ public class DependencyCheckTask extends Task {
         if (databasePassword != null && !databasePassword.isEmpty()) {
             Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
         }
+        if (zipExtensions != null && !zipExtensions.isEmpty()) {
+            Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
+        }
     }
 
     /**

dependency-check-ant/src/site/markdown/configuration.md

@@ -42,6 +42,6 @@ databaseDriverPath    | The path to the database driver JAR file; only used if t
 connectionString      | The connection string used to connect to the database. | Optional
 databaseUser          | The username used when connecting to the database. | Optional
 databasePassword      | The password used when connecting to the database. | Optional
-extraExtensions       | List of extra extensions to be scanned, comma separated. | Optional
+zipExtensions         | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional
 
 

dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java

@@ -21,14 +21,10 @@ import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
-import java.util.Arrays;
-import java.util.HashSet;
 import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.apache.commons.cli.ParseException;
-import org.owasp.dependencycheck.analyzer.Analyzer;
-import org.owasp.dependencycheck.analyzer.ArchiveAnalyzer;
 import org.owasp.dependencycheck.cli.CliParser;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
@@ -87,7 +83,7 @@ public class App {
             cli.printVersionInfo();
         } else if (cli.isRunScan()) {
             updateSettings(cli);
-            runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles(), cli.getExtraExtensions());
+            runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles(), cli.getAdditionalZipExtensions());
         } else {
             cli.printHelp();
         }
@@ -104,11 +100,6 @@ public class App {
     private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files, String extraExtensions) {
         final Engine scanner = new Engine();
 
-        if (extraExtensions != null && ! extraExtensions.isEmpty())
-            for (Analyzer analyzer : scanner.getAnalyzers())
-                if (analyzer instanceof ArchiveAnalyzer)
-                    ((ArchiveAnalyzer)analyzer).addSupportedExtensions(new HashSet<String>(Arrays.asList(extraExtensions.split("\\s*,\\s*"))));
-
         for (String file : files) {
             scanner.scan(file);
         }
@@ -164,7 +155,7 @@ public class App {
         final String connectionString = cli.getConnectionString();
         final String databaseUser = cli.getDatabaseUser();
         final String databasePassword = cli.getDatabasePassword();
-        final String extraExtensions = cli.getExtraExtensions();
+        final String additionalZipExtensions = cli.getAdditionalZipExtensions();
 
         if (propertiesFile != null) {
             try {
@@ -230,8 +221,8 @@ public class App {
         if (databasePassword != null && !databasePassword.isEmpty()) {
             Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
         }
-        if (extraExtensions!= null && !extraExtensions.isEmpty()) {
+        if (additionalZipExtensions != null && !additionalZipExtensions.isEmpty()) {
-            Settings.setString(Settings.KEYS.EXTRA_EXTENSIONS, extraExtensions);
+            Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, additionalZipExtensions);
         }
     }
 }

dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java

@@ -204,8 +204,10 @@ public final class CliParser {
                 .withDescription("The url to the Nexus Server.")
                 .create();
 
-        final Option extraExtensions = OptionBuilder.withArgName("extraExtensions").hasArg().withLongOpt(ArgumentName.EXTRA_EXTENSIONS)
+        final Option additionalZipExtensions = OptionBuilder.withArgName("extensions").hasArg()
-                .withDescription("List of extra extensions to be scanned")
+                .withLongOpt(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS)
+                .withDescription("A comma seperated list of additional extensions to be scanned as ZIP files "
+                        + "(ZIP, EAR, WAR are already treated as zip files)")
                 .create();
 
         //This is an option group because it can be specified more then once.
@@ -225,7 +227,7 @@ public final class CliParser {
                 .addOption(suppressionFile)
                 .addOption(disableNexusAnalyzer)
                 .addOption(nexusUrl)
-                .addOption(extraExtensions);
+                .addOption(additionalZipExtensions);
     }
 
     /**
@@ -554,12 +556,12 @@ public final class CliParser {
     }
 
     /**
-     * Returns the extra Extensions if specified; otherwise null is returned.
+     * Returns the additional Extensions if specified; otherwise null is returned.
      *
-     * @return the extra Extensions; otherwise null is returned
+     * @return the additional Extensions; otherwise null is returned
      */
-    public String getExtraExtensions() {
+    public String getAdditionalZipExtensions() {
-        return line.getOptionValue(ArgumentName.EXTRA_EXTENSIONS);
+        return line.getOptionValue(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS);
     }
 
     /**
@@ -718,6 +720,6 @@ public final class CliParser {
         /**
          * The CLI argument name for setting extra extensions.
          */
-        public static final String EXTRA_EXTENSIONS = "extraExtension";
+        public static final String ADDITIONAL_ZIP_EXTENSIONS = "zipExtensions";
     }
 }

dependency-check-cli/src/site/markdown/arguments.md

@@ -28,4 +28,4 @@ Short  | Argument Name         | Parameter   | Description | Requirement
        | \-\-dbUser            | \<user\>    | The username used to connect to the database. | Optional
        | \-\-disableNexus      |             | Disable the Nexus Analyzer. | Optional
        | \-\-nexus             | \<url\>     | The url to the Nexus Server. | Optional
-       | \-\-extraExtensions   | \<strings\> | List of extensions to be scanned, comma separated. | Optional
+       | \-\-zipExtensions     | \<strings\> | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java

@@ -17,8 +17,6 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
-import org.owasp.dependencycheck.analyzer.exception.ArchiveExtractionException;
 import java.io.BufferedInputStream;
 import java.io.BufferedOutputStream;
 import java.io.File;
@@ -27,6 +25,7 @@ import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
@@ -42,6 +41,8 @@ import org.apache.commons.compress.compressors.gzip.GzipCompressorInputStream;
 import org.apache.commons.compress.compressors.gzip.GzipUtils;
 import org.h2.store.fs.FileUtils;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.analyzer.exception.ArchiveExtractionException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Settings;
 
@@ -88,19 +89,18 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
      */
     private static final Set<String> ZIPPABLES = newHashSet("zip", "ear", "war", "nupkg");
     /**
-     * The set of file extensions supported by this analyzer.
+     * The set of file extensions supported by this analyzer. Note for developers, any additions to this list will need
+     * to be explicitly handled in extractFiles().
      */
     private static final Set<String> EXTENSIONS = newHashSet("tar", "gz", "tgz");
-    static {
-      EXTENSIONS.addAll(ZIPPABLES);
-    }
 
-    /**
+    static {
-     * Add a list of file EXTENSIONS to be supported by this analyzer.
+        String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
-     *
+        if (additionalZipExt != null) {
-     */
+            HashSet ext = new HashSet<String>(Arrays.asList(additionalZipExt));
-    public void addSupportedExtensions(Set<String> extraExtensions) {
+            ZIPPABLES.addAll(ext);
-        EXTENSIONS.addAll(extraExtensions);
+        }
+        EXTENSIONS.addAll(ZIPPABLES);
     }
 
     /**

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java

@@ -150,9 +150,9 @@ public final class Settings {
          */
         public static final String ANALYZER_ASSEMBLY_MONO_PATH = "analyzer.assembly.mono.path";
         /**
-         * The extra extensions, if available.
+         * The additional configured zip file extensions, if available.
          */
-        public static final String EXTRA_EXTENSIONS = "extra.extensions";
+        public static final String ADDITIONAL_ZIP_EXTENSIONS = "extensions.zip";
     }
     /**
      * The properties file location.

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java

@@ -23,7 +23,10 @@ import java.io.InputStream;
 import java.io.UnsupportedEncodingException;
 import java.net.URLEncoder;
 import java.text.DateFormat;
-import java.util.*;
+import java.util.Date;
+import java.util.List;
+import java.util.Locale;
+import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.apache.maven.artifact.Artifact;
@@ -42,8 +45,6 @@ import org.apache.maven.reporting.MavenMultiPageReport;
 import org.apache.maven.reporting.MavenReport;
 import org.apache.maven.reporting.MavenReportException;
 import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.analyzer.Analyzer;
-import org.owasp.dependencycheck.analyzer.ArchiveAnalyzer;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
@@ -227,12 +228,12 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
     @Parameter(property = "databasePassword", defaultValue = "", required = false)
     private String databasePassword;
-    // </editor-fold>
     /**
-     * File extensions to add to analysis next to jar, zip, ....
+     * A comma-separated list of file extensions to add to analysis next to jar, zip, ....
      */
-    @Parameter(property = "extraExtensions", required = false)
+    @Parameter(property = "zipExtensions", required = false)
-    private String[] extraExtensions;
+    private String zipExtensions;
+    // </editor-fold>
     /**
      * Executes the Dependency-Check on the dependent libraries.
      *
@@ -245,13 +246,6 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
 
         populateSettings();
         final Engine engine = new Engine();
-
-        if (extraExtensions != null) {
-            for (Analyzer analyzer : engine.getAnalyzers())
-              if (analyzer instanceof ArchiveAnalyzer)
-                  ((ArchiveAnalyzer)analyzer).addSupportedExtensions(new HashSet<String>(Arrays.asList(extraExtensions)));
-        }
-
         final Set<Artifact> artifacts = project.getArtifacts();
         for (Artifact a : artifacts) {
             if (!Artifact.SCOPE_TEST.equals(a.getScope()) && !Artifact.SCOPE_PROVIDED.equals(a.getScope()) && !Artifact.SCOPE_RUNTIME.equals(a.getScope())) {
@@ -713,6 +707,9 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
         if (databasePassword != null && !databasePassword.isEmpty()) {
             Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
         }
+        if (zipExtensions != null && !zipExtensions.isEmpty()) {
+            Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
+        }
     }
 
     /**

dependency-check-maven/src/site/markdown/configuration.md

@@ -2,24 +2,24 @@ Configuration
 ====================
 The following properties can be set on the dependency-check-maven plugin.
 
-Property            | Description                        | Default Value
+Property             | Description                        | Default Value
---------------------|------------------------------------|------------------
+---------------------|------------------------------------|------------------
-autoUpdate          | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true
+autoUpdate           | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true
-externalReport      | When using as a Site plugin this parameter sets whether or not the external report format should be used. | false
+externalReport       | When using as a Site plugin this parameter sets whether or not the external report format should be used. | false
-failBuildOnCVSS     | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail.         | 11
+failBuildOnCVSS      | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail.         | 11
-format              | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
+format               | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
-logFile             | The file path to write verbose logging information. |
+logFile              | The file path to write verbose logging information. |
-suppressionFile     | The file path to the XML suppression file \- used to suppress [false positives](../suppression.html) |
+suppressionFile      | The file path to the XML suppression file \- used to suppress [false positives](../suppression.html) |
-connectionTimeout   | The Connection Timeout.            |
+connectionTimeout    | The Connection Timeout.            |
-proxyUrl            | The Proxy URL.                     |
+proxyUrl             | The Proxy URL.                     |
-proxyPort           | The Proxy Port.                    |
+proxyPort            | The Proxy Port.                    |
-proxyUsername       | Defines the proxy user name.       |
+proxyUsername        | Defines the proxy user name.       |
-proxyPassword       | Defines the proxy password.        |
+proxyPassword        | Defines the proxy password.        |
-nexusAnalyzerEnabled  | The connection timeout used when downloading data files from the Internet. |
+nexusAnalyzerEnabled | The connection timeout used when downloading data files from the Internet. |
-nexusUrl              | The connection timeout used when downloading data files from the Internet. |
+nexusUrl             | The connection timeout used when downloading data files from the Internet. |
-databaseDriverName    | The name of the database driver. Example: org.h2.Driver. |
+databaseDriverName   | The name of the database driver. Example: org.h2.Driver. |
-databaseDriverPath    | The path to the database driver JAR file; only used if the driver is not in the class path. |
+databaseDriverPath   | The path to the database driver JAR file; only used if the driver is not in the class path. |
-connectionString      | The connection string used to connect to the database. |
+connectionString     | The connection string used to connect to the database. |
-databaseUser          | The username used when connecting to the database. |
+databaseUser         | The username used when connecting to the database. |
-databasePassword      | The password used when connecting to the database. |
+databasePassword     | The password used when connecting to the database. |
-extraExtensions      | List of extra extensions to be scanned. |
+zipExtensions        | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. |