diff --git a/src/main/java/org/owasp/dependencycheck/App.java b/src/main/java/org/owasp/dependencycheck/App.java index f0648ed06..c9efc8f58 100644 --- a/src/main/java/org/owasp/dependencycheck/App.java +++ b/src/main/java/org/owasp/dependencycheck/App.java @@ -90,6 +90,7 @@ public class App { in.close(); } catch (Exception ex) { //ignore + in = null; } } } @@ -119,8 +120,8 @@ public class App { if (cli.isGetVersion()) { cli.printVersionInfo(); } else if (cli.isRunScan()) { - runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), - cli.getScanFiles(), cli.isAutoUpdate(), cli.isDeepScan()); + updateSettings(cli.isAutoUpdate(), cli.isDeepScan(), cli.getConnectionTimeout(), cli.getProxyUrl(), cli.getProxyPort()); + runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles()); } else { cli.printHelp(); } @@ -135,12 +136,9 @@ public class App { * @param outputFormat the output format of the report * @param applicationName the application name for the report * @param files the files/directories to scan - * @param autoUpdate whether to auto-update the cached data from the Internet - * @param deepScan whether to perform a deep scan of the evidence in the project dependencies */ - private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files, boolean autoUpdate, boolean deepScan) { - final Engine scanner = new Engine(autoUpdate); - Settings.setBoolean(Settings.KEYS.PERFORM_DEEP_SCAN, deepScan); + private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files) { + final Engine scanner = new Engine(); for (String file : files) { scanner.scan(file); 
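Review bot: Assigning `in = null;` in the catch after a failed `in.close()` releases nothing — the stream object still holds its descriptor until it is collected — and the failure itself is dropped behind a bare `//ignore`, so a close error is invisible at every log level. If this is meant to be best-effort cleanup, record it rather than swallow it: `Logger.getLogger(App.class.getName()).log(Level.FINEST, "Unable to close the properties stream", ex);` (the file already uses `Logger`/`Level` this way in `runScan`). If the project targets Java 7 or later, a try-with-resources on the stream would remove this block entirely. The enclosing method begins before this hunk, so I cannot see what `in` is or whether the null assignment is read afterwards.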
@@ -158,4 +156,26 @@ public class App { Logger.getLogger(App.class.getName()).log(Level.SEVERE, null, ex); } } + + /** + * Updates the global Settings. + * @param autoUpdate whether or not to update cached web data sources + * @param deepScan whether or not to perform a deep scan (increases false positives, but may reduce false negatives) + * @param connectionTimeout the timeout to use when downloading resources (null or blank will use default) + * @param proxyUrl the proxy url (null or blank means no proxy will be used) + * @param proxyPort the proxy port (null or blank means no port will be used) + */ + private void updateSettings(boolean autoUpdate, boolean deepScan, String connectionTimeout, String proxyUrl, String proxyPort) { + Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate); + Settings.setBoolean(Settings.KEYS.PERFORM_DEEP_SCAN, deepScan); + if (proxyUrl != null && !proxyUrl.isEmpty()) { + Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl); + } + if (proxyPort != null && !proxyPort.isEmpty()) { + Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort); + } + if (connectionTimeout != null && !connectionTimeout.isEmpty()) { + Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout); + } + } } diff --git a/src/main/java/org/owasp/dependencycheck/Engine.java b/src/main/java/org/owasp/dependencycheck/Engine.java index 43ee5696f..bb330c13b 100644 --- a/src/main/java/org/owasp/dependencycheck/Engine.java +++ b/src/main/java/org/owasp/dependencycheck/Engine.java @@ -36,6 +36,8 @@ import org.owasp.dependencycheck.data.UpdateException; import org.owasp.dependencycheck.data.UpdateService; import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.utils.FileUtils; +import org.owasp.dependencycheck.utils.InvalidSettingException; +import org.owasp.dependencycheck.utils.Settings; /** * Scans files, directories, etc. for Dependencies. Analyzers are loaded and 
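Review bot: `updateSettings` stores `proxyPort` and `connectionTimeout` as unvalidated strings, so a non-numeric port or timeout is only detected wherever `Settings` later converts them, far from the command line that produced it. Parse them here and fail fast before any scan starts, e.g. `Integer.parseInt(proxyPort.trim())` and `Integer.parseInt(connectionTimeout.trim())` inside a try/catch that names the offending argument. The Javadoc promises that "null or blank" values are ignored, but the guards use `isEmpty()`, so a whitespace-only value is stored as the proxy URL; `proxyUrl.trim().isEmpty()` (storing the trimmed value) would match the documented contract. A port supplied without a URL is accepted silently; since a port alone presumably cannot select a proxy, a warning in that case would help the user.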
@@ -65,7 +67,15 @@ public class Engine { * Creates a new Engine. */ public Engine() { - doUpdates(); + boolean autoupdate = true; + try { + autoupdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE); + } catch (InvalidSettingException ex) { + Logger.getLogger(Engine.class.getName()).log(Level.WARNING, "Invalid setting for auto-update."); + } + if (autoupdate) { + doUpdates(); + } loadAnalyzers(); } @@ -74,7 +84,10 @@ public class Engine { * * @param autoUpdate indicates whether or not data should be updated from * the Internet. + * @deprecated this function should no longer be used; the autoupdate flag should be set using + * Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, value); */ + @Deprecated public Engine(boolean autoUpdate) { if (autoUpdate) { doUpdates(); diff --git a/src/main/java/org/owasp/dependencycheck/utils/CliParser.java b/src/main/java/org/owasp/dependencycheck/utils/CliParser.java index 3f13cd1ea..689d0daa7 100644 --- a/src/main/java/org/owasp/dependencycheck/utils/CliParser.java +++ b/src/main/java/org/owasp/dependencycheck/utils/CliParser.java @@ -160,9 +160,6 @@ public final class CliParser { final Option help = new Option(ArgumentName.HELP_SHORT, ArgumentName.HELP, false, "print this message."); - final Option advancedHelp = new Option(ArgumentName.ADVANCED_HELP_SHORT, ArgumentName.ADVANCED_HELP, false, - "shows additional help regarding properties file."); - final Option deepScan = new Option(ArgumentName.PERFORM_DEEP_SCAN_SHORT, ArgumentName.PERFORM_DEEP_SCAN, false, "extracts extra information from dependencies that may increase false positives, but also decrease false negatives."); 
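Review bot: When `Settings.getBoolean(Settings.KEYS.AUTO_UPDATE)` throws `InvalidSettingException`, the new constructor logs a warning and continues with `autoupdate = true`, so a malformed setting fails open into a network download rather than stopping. That default should at least be stated in the message, and the exception kept — the `log(Level, String)` overload discards `ex`: `Logger.getLogger(Engine.class.getName()).log(Level.WARNING, "Invalid setting for auto-update; defaulting to true.", ex);`. If the project would rather fail closed on a bad configuration, rethrowing here or choosing `autoupdate = false` is the place to do it. Either way the chosen behaviour belongs in the constructor's Javadoc, which currently just says "Creates a new Engine."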
@@ -176,6 +173,18 @@ public final class CliParser { .withDescription("the name of the application being scanned.") .create(ArgumentName.APPNAME_SHORT); + final Option connectionTimeout = OptionBuilder.withArgName("timeout").hasArg().withLongOpt(ArgumentName.CONNECTION_TIMEOUT) + .withDescription("the connection timeout (in milliseconds) to use when downloading resources.") + .create(ArgumentName.CONNECTION_TIMEOUT_SHORT); + + final Option proxyUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ArgumentName.PROXY_URL) + .withDescription("the proxy url to use when downloading resources.") + .create(ArgumentName.PROXY_URL_SHORT); + + final Option proxyPort = OptionBuilder.withArgName("port").hasArg().withLongOpt(ArgumentName.PROXY_PORT) + .withDescription("the proxy port to use when downloading resources.") + .create(ArgumentName.PROXY_PORT_SHORT); + final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.SCAN) .withDescription("the path to scan - this option can be specified multiple times.") .create(ArgumentName.SCAN_SHORT); @@ -192,8 +201,6 @@ public final class CliParser { .withDescription("the output format to write to (XML, HTML, ALL).") .create(ArgumentName.OUTPUT_FORMAT_SHORT); - //TODO add the ability to load a properties file to override the defaults... - final OptionGroup og = new OptionGroup(); og.addOption(path); @@ -207,7 +214,9 @@ public final class CliParser { opts.addOption(noupdate); opts.addOption(deepScan); opts.addOption(props); - opts.addOption(advancedHelp); + opts.addOption(proxyPort); + opts.addOption(proxyUrl); + opts.addOption(connectionTimeout); return opts; } 
@@ -245,16 +254,6 @@ public final class CliParser { public void printHelp() { final HelpFormatter formatter = new HelpFormatter(); final String nl = System.getProperty("line.separator"); - String advancedHelp = null; - if (line != null && line.hasOption(ArgumentName.ADVANCED_HELP)) { - advancedHelp = nl + nl - + "Additionally, the following properties are supported and can be specified either" - + "using the -p argument or by passing them in as system properties." + nl - + nl + " " + Settings.KEYS.PROXY_URL + "\t\t the proxy URL to use when downloading resources." - + nl + " " + Settings.KEYS.PROXY_PORT + "\t\t the proxy port to use when downloading resources." - + nl + " " + Settings.KEYS.CONNECTION_TIMEOUT + "\t the connection timeout (in milliseconds) to use" - + nl + "\t\t\t when downloading resources."; - } formatter.printHelp(Settings.getString("application.name", "DependencyCheck"), nl + Settings.getString("application.name", "DependencyCheck") @@ -264,9 +263,6 @@ public final class CliParser { options, "", true); - if (advancedHelp != null) { - System.out.println(advancedHelp); - } } /** @@ -308,6 +304,30 @@ public final class CliParser { return line.getOptionValue(ArgumentName.APPNAME); } + /** + * Returns the connection timeout. + * @return the connection timeout + */ + public String getConnectionTimeout() { + return line.getOptionValue(ArgumentName.CONNECTION_TIMEOUT); + } + + /** + * Returns the proxy url. + * @return the proxy url + */ + public String getProxyUrl() { + return line.getOptionValue(ArgumentName.PROXY_URL); + } + + /** + * Returns the proxy port. + * @return the proxy port + */ + public String getProxyPort() { + return line.getOptionValue(ArgumentName.PROXY_PORT); + } + /** *

Prints the manifest information to standard output.

*
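Review bot: The new getters dereference `line` directly, yet the `printHelp` code removed in this same file guarded `line != null`, which suggests `line` is null until the arguments have been parsed; calling `getProxyUrl()`, `getProxyPort()` or `getConnectionTimeout()` before that yields a NullPointerException rather than `null`. This mirrors the existing `getApplicationName()`, so it is a pre-existing pattern rather than a regression, but the precondition is undocumented. Either state it in each Javadoc — `@return the proxy port, or {@code null} if not specified; the command line must have been parsed first` — or return `null` when `line == null` so the contract is explicit.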