github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-13 23:33:37 +01:00
Code Issues Packages Projects Releases Wiki Activity

updated the dependency-check-ant documentation

Browse Source
This commit is contained in:
Jeremy Long
2015-09-11 06:53:58 -04:00
parent 08c1b6879e
commit eb91152cfa
6 changed files with 94 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
dependency-check-ant/src/main/assembly/release.xml
View File

@@ -12,7 +12,7 @@
<format>zip</format>
</formats>
<includeBaseDirectory>false</includeBaseDirectory>
<fileSets>
<!--fileSets>
<fileSet>
<outputDirectory>dependency-check</outputDirectory>
<directory>${project.build.directory}</directory>
@@ -20,7 +20,14 @@
<include>dependency-check*.jar</include>
</includes>
</fileSet>
</fileSets>
</fileSets-->
<files>
<file>
<source>${project.build.directory}/${project.artifactId}-${project.version}.jar</source>
<outputDirectory>dependency-check</outputDirectory>
<destName>dependency-check-ant.jar</destName>
</file>
</files>
<dependencySets>
<dependencySet>
<outputDirectory>dependency-check/lib</outputDirectory>

19
dependency-check-ant/src/site/markdown/config-purge.md Normal file
View File

@@ -0,0 +1,19 @@
Configuration
====================
The dependency-check-purge task deletes the local copy of the NVD. This task
should rarely be used, if ever. This is included as a convenience method in
the rare circumstance that the local H2 database because corrupt.
```xml
<target name="dependency-check-purge" description="Dependency-Check purge">
<dependency-check-purge />
</target>
```
Configuration: dependency-check-purge Task
--------------------
The following properties can be set on the dependency-check-purge task.
Property | Description | Default Value
----------------------|----------------------------------------------------------------|------------------
dataDirectory | Data directory that is used to store the local copy of the NVD | data

39
dependency-check-ant/src/site/markdown/config-update.md Normal file
View File

@@ -0,0 +1,39 @@
Configuration
====================
The dependency-check-update task downloads and updates the local copy of the NVD.
There are several reasons that one may want to use this task; primarily, creating
an update that will be run only once a day or once every few days (but not greater
then 7 days) and then use the `autoUpdate="false"` setting on individual
dependency-check scans. See [Internet Access Required](https://jeremylong.github.io/DependencyCheck/data/index.html)
for more information on why this task would be used.
```xml
<target name="dependency-check-update" description="Dependency-Check Update">
<dependency-check-update />
</target>
```
Configuration: dependency-check-update Task
--------------------
The following properties can be set on the dependency-check task.
Property | Description | Default Value
----------------------|------------------------------------|------------------
proxyServer | The Proxy Server. | &nbsp;
proxyPort | The Proxy Port. | &nbsp;
proxyUsername | Defines the proxy user name. | &nbsp;
proxyPassword | Defines the proxy password. | &nbsp;
connectionTimeout | The URL Connection Timeout. | &nbsp;
Advanced Configuration
====================
The following properties can be configured in the plugin. However, they are less frequently changed. One exception
may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment.
Property | Description | Default Value
---------------------|--------------------------------------------------------------------------|------------------
cveUrl12Modified | URL for the modified CVE 1.2. | http://nvd.nist.gov/download/nvdcve-modified.xml
cveUrl20Modified | URL for the modified CVE 2.0. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year. | http://nvd.nist.gov/download/nvdcve-%d.xml
cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
dataDirectory | Data directory that is used to store the local copy of the NVD. This should generally not be changed. | data

16
dependency-check-ant/src/site/markdown/configuration.md
View File

@@ -1,5 +1,11 @@
Configuration
====================
Once dependency-check-ant has been [installed](index.html) the defined tasks can be used.
* dependency-check - the primary task used to check the project dependencies. Configuration options are below.
* dependency-check-purge - deletes the local copy of the NVD; this should rarely be used (if ever). See the [purge configuration](config-purge.html) for more information.
* dependency-check-update - downloads and updates the local copy of the NVD. See the [update configuration](config-update.html) for more information.
To configure the dependency-check task you can add it to a target and include a
file based [resource collection](http://ant.apache.org/manual/Types/resources.html#collection)
such as a [FileSet](http://ant.apache.org/manual/Types/fileset.html), [DirSet](http://ant.apache.org/manual/Types/dirset.html),
@@ -19,14 +25,13 @@ the project's dependencies.
</target>
```
Configuration
====================
The following properties can be set on the dependency-check-maven plugin.
Configuration: dependency-check Task
--------------------
The following properties can be set on the dependency-check-update task.
Property | Description | Default Value
----------------------|------------------------------------|------------------
autoUpdate | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true
updateOnly | If set to true only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated. | false
projectName | The name of the project being scanned. | Dependency-Check
reportOutputDirectory | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build | 'target'
failBuildOnCVSS | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. | 11
@@ -70,10 +75,9 @@ cveUrl12Modified | URL for the modified CVE 1.2.
cveUrl20Modified | URL for the modified CVE 2.0. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year. | http://nvd.nist.gov/download/nvdcve-%d.xml
cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
dataDirectory | Data directory to hold SQL CVEs contents. This should generally not be changed. | &nbsp;
dataDirectory | Data directory that is used to store the local copy of the NVD. This should generally not be changed. | data
databaseDriverName | The name of the database driver. Example: org.h2.Driver. | &nbsp;
databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | &nbsp;
connectionString | The connection string used to connect to the database. | &nbsp;
databaseUser | The username used when connecting to the database. | &nbsp;
databasePassword | The password used when connecting to the database. | &nbsp;
purge | Delete the local copy of the NVD. This is used to force a refresh of the data. | &nbsp;

32
dependency-check-ant/src/site/markdown/index.md.vm
View File

@@ -7,23 +7,25 @@ identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.
Installation
====================
Download dependency-check-ant from [bintray here](http://dl.bintray.com/jeremy-long/owasp/dependency-check-ant-${project.version}.jar).
To install dependency-check-ant place the dependency-check-ant-${project.version}.jar into
the lib directory of your Ant instalation directory. Once installed you can add
the taskdef to you build.xml and add the task to a new or existing target:
1. Download dependency-check-ant from [bintray here](http://dl.bintray.com/jeremy-long/owasp/dependency-check-ant-${project.version}-release.zip).
2. Unzip the archive
3. Add the taskdef to your build.xml:
```xml
<taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.DependencyCheckTask"/>
```
```xml
<!-- Set the value to the installation directory's path -->
<property name="dependency-check.home" value="C:/tools/dependency-check-ant"/>
<path id="dependency-check.path">
<pathelement location="${dependency-check.home}/dependency-check-ant.jar"/>
</path>
<taskdef resource="dependency-check-taskdefs.properties">
<classpath refid="dependency-check.path" />
</taskdef>
```
4. Use the defined taskdefs:
* [dependency-check](configuration.html) - the primary task used to check the project dependencies.
* [dependency-check-purge](config-purge.html) - deletes the local copy of the NVD; this should rarely be used (if ever).
* [dependency-check-update](config-update.html) - downloads and updates the local copy of the NVD.
If you do not want to install dependency-check-ant into your ant's lib directory when you define the task def you
must add the classpath to the taskdef:
```xml
<taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.DependencyCheckTask">
<classpath path="[path]/[to]/dependency-check-ant-${project.version}.jar"/>
</taskdef>
```
It is important to understand that the first time this task is executed it may
take 10 minutes or more as it downloads and processes the data from the National

33
dependency-check-ant/src/site/markdown/usage.md.vm
View File

@@ -1,33 +0,0 @@
Usage
====================
First, add the dependency-check-ant taskdef to your build.xml (see the [installation guide](installation.html)):
```xml
<taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.DependencyCheckTask"/>
```
Or
```xml
<taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.DependencyCheckTask">
<classpath path="[path]/[to]/dependency-check-ant-${project.version}.jar"/>
</taskdef>
```
Next, add the task to a target of your choosing:
```xml
<target name="dependency-check" description="Dependency-Check Analysis">
<dependency-check applicationname="Hello World"
autoupdate="true"
reportoutputdirectory="${basedir}"
reportformat="HTML">
<fileset dir="lib">
<include name="**/*.jar"/>
</fileset>
</dependency-check>
</target>
```
See the [configuration guide](configuration.html) for more information.