github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-14 15:53:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master'

Browse Source
This commit is contained in:
Ale Feltes
2017-11-30 14:04:26 -03:00
parent 38499898aa 4862811600
commit ebff547b6f
19 changed files with 81 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
RELEASE_NOTES.md Normal file
View File

@@ -0,0 +1,28 @@
# Release Notes
Please see the [dependency-check google group](https://groups.google.com/forum/#!forum/dependency-check) for the release notes on versions not listed below.
## [Version 3.0.2](https://github.com/jeremylong/DependencyCheck/releases/tag/v3.0.2) (2017-11-13)
### Bug fixes
- Updated the query format for the CentralAnalyzer; the old format caused the CentralAnalyzer to fail
## [Version 3.0.1](https://github.com/jeremylong/DependencyCheck/releases/tag/v3.0.1) (2017-10-20)
### Bug fixes
- Fixed a database connection issue that affected some usages.
## [Version 3.0.0](https://github.com/jeremylong/DependencyCheck/releases/tag/v3.0.0) (2017-10-16)
- Several bug fixes and false positive reduction
- The 2.x branch introduced several new false positives but also reduced the false negatives
- Java 9 compatibility update
- Stability issues with the Central Analyzer resolved
- This comes at a cost of a longer analysis time
- The CSV report now includes the GAV and CPE
- The Hint Analyzer now supports regular expressions
- If show summary is disabled and vulnerable libraries are found that fail the build details are no longer displayed in the console only that vulnerable libraries were identified
- Resolved issues with threading and multiple connections to the embedded H2 database
- This allows the Jenkins pipeline, Maven Plugin, etc. to safely run parallel executions of dependency-check

2
build-reporting/pom.xml
View File

@@ -20,7 +20,7 @@ Copyright (c) 2017 - Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>3.0.2</version>
<version>3.0.3-SNAPSHOT</version>
</parent>
<name>Dependency-Check Build-Reporting</name>
<artifactId>build-reporting</artifactId>

2
dependency-check-ant/pom.xml
View File

@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>3.0.2</version>
<version>3.0.3-SNAPSHOT</version>
</parent>
<artifactId>dependency-check-ant</artifactId>

2
dependency-check-cli/pom.xml
View File

@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>3.0.2</version>
<version>3.0.3-SNAPSHOT</version>
</parent>
<artifactId>dependency-check-cli</artifactId>

8
dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
View File

@@ -205,10 +205,10 @@ public final class CliParser {
final String msg = String.format("Invalid '%s' argument: '%s'", argumentName, path);
throw new FileNotFoundException(msg);
}
} else if (path.startsWith("//") || path.startsWith("\\\\")) {
isValid = false;
final String msg = String.format("Invalid '%s' argument: '%s'%nUnable to scan paths that start with '//'.", argumentName, path);
throw new FileNotFoundException(msg);
// } else if (path.startsWith("//") || path.startsWith("\\\\")) {
// isValid = false;
// final String msg = String.format("Invalid '%s' argument: '%s'%nUnable to scan paths that start with '//'.", argumentName, path);
// throw new FileNotFoundException(msg);
} else if ((path.endsWith("/*") && !path.endsWith("**/*")) || (path.endsWith("\\*") && path.endsWith("**\\*"))) {
LOGGER.warn("Possibly incorrect path '{}' from argument '{}' because it ends with a slash star; "
+ "dependency-check uses ant-style paths", path, argumentName);

2
dependency-check-core/pom.xml
View File

@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>3.0.2</version>
<version>3.0.3-SNAPSHOT</version>
</parent>
<artifactId>dependency-check-core</artifactId>

4
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
View File

@@ -471,6 +471,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
boolean stillLooking = true;
int chr;
int nxtChr;
//CSOFF: InnerAssignment
//CSOFF: NestedIfDepth
while (stillLooking && (chr = in.read()) != -1) {
if (chr == '\n' || chr == '\r') {
in.mark(4);
@@ -488,6 +490,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
}
}
}
//CSON: InnerAssignment
//CSON: NestedIfDepth
} else {
in.reset();
}

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java
View File

@@ -90,6 +90,7 @@ public class DependencyMergingAnalyzer extends AbstractDependencyComparingAnalyz
@Override
protected boolean evaluateDependencies(final Dependency dependency, final Dependency nextDependency, final Set<Dependency> dependenciesToRemove) {
Dependency main;
//CSOFF: InnerAssignment
if ((main = getMainGemspecDependency(dependency, nextDependency)) != null) {
if (main == dependency) {
mergeDependencies(dependency, nextDependency, dependenciesToRemove);
@@ -105,6 +106,7 @@ public class DependencyMergingAnalyzer extends AbstractDependencyComparingAnalyz
return true; //since we merged into the next dependency - skip forward to the next in mainIterator
}
}
//CSON: InnerAssignment
return false;
}

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java
View File

@@ -396,6 +396,7 @@ public final class ConnectionFactory {
final int c0 = Integer.parseInt(currentDbVersion.getVersionParts().get(0));
final int e1 = Integer.parseInt(appExpectedVersion.getVersionParts().get(1));
final int c1 = Integer.parseInt(currentDbVersion.getVersionParts().get(1));
//CSOFF: EmptyBlock
if (e0 == c0 && e1 < c1) {
LOGGER.warn("A new version of dependency-check is available; consider upgrading");
settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
@@ -406,6 +407,7 @@ public final class ConnectionFactory {
UPGRADE_HELP_URL);
throw new DatabaseException("Database schema is out of date");
}
//CSON: EmptyBlock
}
}

4
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/H2DBLock.java
View File

@@ -145,8 +145,8 @@ public class H2DBLock {
if (lock == null || !lock.isValid()) {
try {
final Timestamp timestamp = new Timestamp(System.currentTimeMillis());
LOGGER.debug("Sleeping thread {} ({}) for 10 seconds because an exclusive lock on the database could not be obtained ({})",
Thread.currentThread().getName(), magic, timestamp.toString());
LOGGER.debug("Sleeping thread {} ({}) for {} seconds because an exclusive lock on the database could not be obtained ({})",
Thread.currentThread().getName(), magic, SLEEP_DURATION / 1000, timestamp.toString());
Thread.sleep(SLEEP_DURATION);
} catch (InterruptedException ex) {
LOGGER.debug("sleep was interrupted.", ex);

15
dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
View File

@@ -855,4 +855,19 @@
<gav regex="true">^com\.unboundid:unboundid-ldapsdk:.*$</gav>
<cpe>cpe:/a:id:id-software</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
jaxb-xerces and jaxb-xerces2 are completely different dependencies.
]]></notes>
<gav regex="true">^activesoap:jaxb-xercesImpl:[01].*$</gav>
<cpe>cpe:/a:apache:xerces2_java</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
jaxb-xerces and jaxb-xerces2 are completely different dependencies - the sha1
is primarily for testing.
]]></notes>
<sha1>73a51faadb407dccdbd77234e0d5a0a648665692</sha1>
<cpe>cpe:/a:apache:xerces2_java</cpe>
</suppress>
</suppressions>

21
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIT.java
View File

@@ -103,13 +103,17 @@ public class CPEAnalyzerIT extends BaseDBTestCase {
fp.initialize(getSettings());
fp.prepare(e);
callDetermineCPE_full("hazelcast-2.5.jar", null, cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
callDetermineCPE_full("spring-context-support-2.5.5.jar", "cpe:/a:springsource:spring_framework:2.5.5", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
callDetermineCPE_full("spring-core-3.0.0.RELEASE.jar", "cpe:/a:vmware:springsource_spring_framework:3.0.0", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
callDetermineCPE_full("jaxb-xercesImpl-1.5.jar", null, cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
callDetermineCPE_full("ehcache-core-2.2.0.jar", null, cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
callDetermineCPE_full("org.mortbay.jetty.jar", "cpe:/a:mortbay_jetty:jetty:4.2.27", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
callDetermineCPE_full("xstream-1.4.8.jar", "cpe:/a:x-stream:xstream:1.4.8", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
CpeSuppressionAnalyzer cpeSuppression = new CpeSuppressionAnalyzer();
cpeSuppression.initialize(getSettings());
cpeSuppression.prepare(e);
callDetermineCPE_full("hazelcast-2.5.jar", null, cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
callDetermineCPE_full("spring-context-support-2.5.5.jar", "cpe:/a:springsource:spring_framework:2.5.5", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
callDetermineCPE_full("spring-core-3.0.0.RELEASE.jar", "cpe:/a:vmware:springsource_spring_framework:3.0.0", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
callDetermineCPE_full("jaxb-xercesImpl-1.5.jar", null, cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
callDetermineCPE_full("ehcache-core-2.2.0.jar", null, cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
callDetermineCPE_full("org.mortbay.jetty.jar", "cpe:/a:mortbay_jetty:jetty:4.2.27", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
callDetermineCPE_full("xstream-1.4.8.jar", "cpe:/a:x-stream:xstream:1.4.8", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
} finally {
cpeAnalyzer.close();
}
@@ -121,7 +125,7 @@ public class CPEAnalyzerIT extends BaseDBTestCase {
* @throws Exception is thrown when an exception occurs
*/
public void callDetermineCPE_full(String depName, String expResult, CPEAnalyzer cpeAnalyzer, FileNameAnalyzer fnAnalyzer,
JarAnalyzer jarAnalyzer, HintAnalyzer hAnalyzer, FalsePositiveAnalyzer fp) throws Exception {
JarAnalyzer jarAnalyzer, HintAnalyzer hAnalyzer, FalsePositiveAnalyzer fp, CpeSuppressionAnalyzer cpeSuppression) throws Exception {
//File file = new File(this.getClass().getClassLoader().getResource(depName).getPath());
File file = BaseTest.getResourceAsFile(this, depName);
@@ -133,6 +137,7 @@ public class CPEAnalyzerIT extends BaseDBTestCase {
hAnalyzer.analyze(dep, null);
cpeAnalyzer.analyze(dep, null);
fp.analyze(dep, null);
cpeSuppression.analyze(dep, null);
if (expResult != null) {
boolean found = false;

3
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CentralAnalyzerTest.java
View File

@@ -84,8 +84,7 @@ public class CentralAnalyzerTest {
new Expectations() {
{
centralSearch.searchSha1(SHA1_SUM);
result = new IOException("Could not connect to MavenCentral (500): Internal Server Error");
result = new IOException("Could not connect to MavenCentral (500): Internal Server Error");
//result = new IOException("Could not connect to MavenCentral (500): Internal Server Error");
result = expectedMavenArtifacts;
}
};

2
dependency-check-maven/pom.xml
View File

@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>3.0.2</version>
<version>3.0.3-SNAPSHOT</version>
</parent>
<artifactId>dependency-check-maven</artifactId>
<packaging>maven-plugin</packaging>

2
dependency-check-maven/src/site/markdown/configuration.md
View File

@@ -80,7 +80,7 @@ cveUrl20Modified | URL for the modified CVE 2.0.
cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year. | https://nvd.nist.gov/download/nvdcve-%d.xml.gz
cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year. | https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
connectionTimeout | Sets the URL Connection Timeout used when downloading external data. | &nbsp;
dataDirectory | Sets the data directory to hold SQL CVEs contents. This should generally not be changed. | &nbsp;
dataDirectory | Sets the data directory to hold SQL CVEs contents. This should generally not be changed. | ~/.m2/repository/org/owasp/dependency-check-data/
databaseDriverName | The name of the database driver. Example: org.h2.Driver. | &nbsp;
databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | &nbsp;
connectionString | The connection string used to connect to the database. | &nbsp;

2
dependency-check-plugin/pom.xml
View File

@@ -21,7 +21,7 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>3.0.2</version>
<version>3.0.3-SNAPSHOT</version>
</parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-plugin</artifactId>

2
dependency-check-utils/pom.xml
View File

@@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>3.0.2</version>
<version>3.0.3-SNAPSHOT</version>
</parent>
<artifactId>dependency-check-utils</artifactId>

2
pom.xml
View File

@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>3.0.2</version>
<version>3.0.3-SNAPSHOT</version>
<packaging>pom</packaging>
<modules>

2
src/main/config/checkstyle-checks.xml
View File

@@ -114,7 +114,7 @@
</module>
<module name="MethodCount">
<property name="maxTotal" value="40"/>
<property name="maxTotal" value="80"/>
</module>
<module name="LocalFinalVariableName"/>