reverting back to v1.0.1

Former-commit-id: 1000c0503272c412520a2b7f63c2f90dbcae9b5b
Jeremy Long
2013-08-07 22:37:35 -04:00
parent 882e11f558
commit ffb3243bb6
18 changed files with 197 additions and 312 deletions


@@ -3,23 +3,17 @@ Dependency-Check
Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
More information can be found on the [wiki].
Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/). Additionally, more information about the architecture and ways to extend dependency-check can be found on the [wiki].
Notice
Initial Usage
-
A very big release of new functionality and plugins will be made available during the BlackHat Arsenal on July 31st, 2013. If you are at BlackHat stop by and see the demos!
Usage
-
> $ mvn package
> $ cd target
> $ java -jar dependency-check-[version].jar -h
> $ java -jar dependency-check-[version].jar -a Testing -out . -scan ./test-classes -scan ./lib
```
$ mvn install
$ cd target
$ java -jar dependency-check-[version].jar -h
$ java -jar dependency-check-[version].jar -a Testing -out . -scan ./test-classes -scan ./lib
```
Then load the resulting 'DependencyCheck-Report.html' into your favorite browser.


@@ -22,7 +22,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.0.2-SNAPSHOT</version>
<version>1.0.1</version>
</parent>
<artifactId>dependency-check-ant</artifactId>


@@ -1,5 +1,2 @@
application.name=${pom.name}
application.version=${pom.version}
# the path to the data directory
data.directory=dependency-check-data


@@ -1,7 +1,7 @@
Installation
====================
Download dependency-check-ant from [bintray here](http://dl.bintray.com/jeremy-long/owasp/dependency-check-ant-1.0.1.jar).
To install dependency-check-ant place the dependency-check-ant-1.0.1.jar into
Download dependency-check-ant from [bintray here](http://dl.bintray.com/jeremy-long/owasp/dependency-check-ant-1.0.0.jar).
To install dependency-check-ant place the dependency-check-ant-${project.version}.jar into
the lib directory of your Ant instalation directory. Once installed you can add
the taskdef to you build.xml and add the task to a new or existing target.


@@ -22,7 +22,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.0.2-SNAPSHOT</version>
<version>1.0.1</version>
</parent>
<artifactId>dependency-check-cli</artifactId>


@@ -1,6 +1,6 @@
Installation & Usage
--------------------
Downlod the dependency-check command line tool [here](http://dl.bintray.com/jeremy-long/owasp/dependency-check-1.0.1-release.zip).
Downlod the dependency-check command line tool [here](http://dl.bintray.com/jeremy-long/owasp/dependency-check-1.0.0-release.zip).
Extract the zip file to a location on your computer and put the 'bin' directory into the
path environment variable. On \*nix systems you will likely need to make the shell
script executable:


@@ -22,7 +22,7 @@ along with Dependency-Check. If not, see <http://www.gnu.org/licenses />.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.0.2-SNAPSHOT</version>
<version>1.0.1</version>
</parent>
<artifactId>dependency-check-core</artifactId>


@@ -18,16 +18,25 @@
*/
package org.owasp.dependencycheck.analyzer;
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import org.h2.store.fs.FileUtils;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.utils.ExtractionException;
import org.owasp.dependencycheck.utils.FileUtils;
import org.owasp.dependencycheck.utils.Settings;
/**
@@ -48,6 +57,10 @@ import org.owasp.dependencycheck.utils.Settings;
*/
public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
/**
* The buffer size to use when extracting files from the archive.
*/
private static final int BUFFER_SIZE = 4096;
/**
* The count of directories created during analysis. This is used for
* creating temporary directories.
@@ -147,7 +160,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
@Override
public void close() throws Exception {
if (tempFileLocation != null && tempFileLocation.exists()) {
FileUtils.delete(tempFileLocation, true);
FileUtils.deleteRecursive(tempFileLocation.getAbsolutePath(), true);
}
}
@@ -164,12 +177,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
final File f = new File(dependency.getActualFilePath());
final File tmpDir = getNextTempDirectory();
try {
org.owasp.dependencycheck.utils.FileUtils.extractFiles(f, tmpDir, engine);
} catch (ExtractionException ex) {
final String msg = String.format("Unable to extract files from '%s'; this file is being skipped.", dependency.getActualFilePath());
throw new AnalysisException(msg, ex);
}
extractFiles(f, tmpDir, engine);
//make a copy
final List<Dependency> dependencies = new ArrayList<Dependency>(engine.getDependencies());
@@ -220,4 +228,81 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
}
return directory;
}
/**
* Extracts the contents of an archive into the specified directory.
*
* @param archive an archive file such as a WAR or EAR
* @param extractTo a directory to extract the contents to
* @param engine the scanning engine
* @throws AnalysisException thrown if the archive is not found
*/
private void extractFiles(File archive, File extractTo, Engine engine) throws AnalysisException {
if (archive == null || extractTo == null) {
return;
}
FileInputStream fis = null;
ZipInputStream zis = null;
try {
fis = new FileInputStream(archive);
} catch (FileNotFoundException ex) {
Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.INFO, null, ex);
throw new AnalysisException("Archive file was not found.", ex);
}
zis = new ZipInputStream(new BufferedInputStream(fis));
ZipEntry entry;
try {
while ((entry = zis.getNextEntry()) != null) {
if (entry.isDirectory()) {
final File d = new File(extractTo, entry.getName());
if (!d.mkdirs()) {
throw new AnalysisException("Unable to create '" + d.getAbsolutePath() + "'.");
}
} else {
final File file = new File(extractTo, entry.getName());
final String ext = org.owasp.dependencycheck.utils.FileUtils.getFileExtension(file.getName());
if (engine.supportsExtension(ext)) {
BufferedOutputStream bos = null;
FileOutputStream fos;
try {
fos = new FileOutputStream(file);
bos = new BufferedOutputStream(fos, BUFFER_SIZE);
int count;
final byte data[] = new byte[BUFFER_SIZE];
while ((count = zis.read(data, 0, BUFFER_SIZE)) != -1) {
bos.write(data, 0, count);
}
bos.flush();
} catch (FileNotFoundException ex) {
Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
throw new AnalysisException("Unable to find file '" + file.getName() + "'.", ex);
} catch (IOException ex) {
Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
throw new AnalysisException("IO Exception while parsing file '" + file.getName() + "'.", ex);
} finally {
if (bos != null) {
try {
bos.close();
} catch (IOException ex) {
Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
}
}
}
}
}
}
} catch (IOException ex) {
final String msg = String.format("Exception reading archive '%s'.", archive.getName());
Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, msg, ex);
throw new AnalysisException(msg, ex);
} finally {
try {
zis.close();
} catch (IOException ex) {
Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
}
}
}
}
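Review bot: The new private `extractFiles` builds its output path with `new File(extractTo, entry.getName())` in both the directory and the file branch and never checks that the result is still inside the temporary directory, so an entry name containing `..` segments in a scanned archive would be written outside it. Archives handed to the analyzer are untrusted input, so the resolved path should be compared against the canonical extraction root before any `mkdirs()` or `FileOutputStream` call, and the entry rejected otherwise. Separately, `d.mkdirs()` returns false when the directory already exists, and a file entry whose parent directory was never listed fails at `new FileOutputStream(file)`; creating the parent on demand and testing `isDirectory()` would cover both. The fence shows the containment check only.

```java
try {
    final String root = extractTo.getCanonicalPath() + File.separator;
    while ((entry = zis.getNextEntry()) != null) {
        final File target = new File(extractTo, entry.getName());
        if (!target.getCanonicalPath().startsWith(root)) {
            throw new AnalysisException("Archive entry '" + entry.getName()
                    + "' resolves outside of the extraction directory.");
        }
        // … unchanged: directory and file branches, with target replacing d and file …
```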


@@ -65,7 +65,7 @@ public class Index extends AbstractIndex {
* @return the data directory for this index.
* @throws IOException is thrown if an IOException occurs of course...
*/
public static File getDataDirectory() throws IOException {
public File getDataDirectory() throws IOException {
final File path = Settings.getFile(Settings.KEYS.CPE_DATA_DIRECTORY);
if (!path.exists()) {
if (!path.mkdirs()) {


@@ -27,7 +27,6 @@ import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.SocketAddress;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -47,6 +46,33 @@ public final class Downloader {
private Downloader() {
}
/**
* Retrieves a file from a given URL and saves it to the outputPath.
*
* @param url the URL of the file to download.
* @param outputPath the path to the save the file to.
* @throws DownloadFailedException is thrown if there is an error
* downloading the file.
*/
public static void fetchFile(URL url, String outputPath) throws DownloadFailedException {
fetchFile(url, outputPath, false);
}
/**
* Retrieves a file from a given URL and saves it to the outputPath.
*
* @param url the URL of the file to download.
* @param outputPath the path to the save the file to.
* @param unzip true/false indicating that the file being retrieved is
* gzipped and if true, should be uncompressed before writing to the file.
* @throws DownloadFailedException is thrown if there is an error
* downloading the file.
*/
public static void fetchFile(URL url, String outputPath, boolean unzip) throws DownloadFailedException {
final File f = new File(outputPath);
fetchFile(url, f, unzip);
}
/**
* Retrieves a file from a given URL and saves it to the outputPath.
*
@@ -56,6 +82,20 @@ public final class Downloader {
* downloading the file.
*/
public static void fetchFile(URL url, File outputPath) throws DownloadFailedException {
fetchFile(url, outputPath, false);
}
/**
* Retrieves a file from a given URL and saves it to the outputPath.
*
* @param url the URL of the file to download.
* @param outputPath the path to the save the file to.
* @param unzip true/false indicating that the file being retrieved is
* gzipped and if true, should be uncompressed before writing to the file.
* @throws DownloadFailedException is thrown if there is an error
* downloading the file.
*/
public static void fetchFile(URL url, File outputPath, boolean unzip) throws DownloadFailedException {
HttpURLConnection conn = null;
try {
conn = Downloader.getConnection(url);
@@ -76,7 +116,7 @@ public final class Downloader {
BufferedOutputStream writer = null;
InputStream reader = null;
try {
if (encoding != null && "gzip".equalsIgnoreCase(encoding)) {
if (unzip || (encoding != null && "gzip".equalsIgnoreCase(encoding))) {
reader = new GZIPInputStream(conn.getInputStream());
} else if (encoding != null && "deflate".equalsIgnoreCase(encoding)) {
reader = new InflaterInputStream(conn.getInputStream());
@@ -96,6 +136,7 @@ public final class Downloader {
if (writer != null) {
try {
writer.close();
writer = null;
} catch (Exception ex) {
Logger.getLogger(Downloader.class.getName()).log(Level.FINEST,
"Error closing the writer in Downloader.", ex);
@@ -104,7 +145,9 @@ public final class Downloader {
if (reader != null) {
try {
reader.close();
reader = null;
} catch (Exception ex) {
Logger.getLogger(Downloader.class.getName()).log(Level.FINEST,
"Error closing the reader in Downloader.", ex);
}
@@ -119,8 +162,7 @@ public final class Downloader {
/**
* Makes an HTTP Head request to retrieve the last modified date of the
* given URL. If the file:// protocol is specified, then the lastTimestamp
* of the file is returned.
* given URL.
*
* @param url the URL to retrieve the timestamp from
* @return an epoch timestamp
@@ -128,42 +170,21 @@ public final class Downloader {
* the HTTP request
*/
public static long getLastModified(URL url) throws DownloadFailedException {
HttpURLConnection conn = null;
long timestamp = 0;
//TODO add the FPR protocol?
if ("file".equalsIgnoreCase(url.getProtocol())) {
File f;
try {
if (System.getProperty("os.name").toLowerCase().startsWith("windows")) {
String filePath = url.toString();
if (filePath.matches("file://[a-zA-Z]:.*")) {
f = new File(filePath.substring(7));
} else {
f = new File(url.toURI());
}
} else {
f = new File(url.toURI());
}
} catch (URISyntaxException ex) {
final String msg = String.format("Unable to locate '%s'; is the cve.url-2.0.modified property set correctly?", url.toString());
throw new DownloadFailedException(msg);
}
timestamp = f.lastModified();
} else {
HttpURLConnection conn = null;
try {
conn = Downloader.getConnection(url);
conn.setRequestMethod("HEAD");
conn.connect();
timestamp = conn.getLastModified();
} catch (Exception ex) {
throw new DownloadFailedException("Error making HTTP HEAD request.", ex);
} finally {
if (conn != null) {
try {
conn.disconnect();
} finally {
conn = null;
}
try {
conn = Downloader.getConnection(url);
conn.setRequestMethod("HEAD");
conn.connect();
timestamp = conn.getLastModified();
} catch (Exception ex) {
throw new DownloadFailedException("Error making HTTP HEAD request.", ex);
} finally {
if (conn != null) {
try {
conn.disconnect();
} finally {
conn = null;
}
}
}
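Review bot: In `getLastModified` the value of `conn.getLastModified()` is taken without looking at the response status, and `HttpURLConnection.getLastModified()` returns 0 when the header is absent, so an error response from the server or an intermediate proxy is indistinguishable from a real timestamp. Checking the status before reading the header would make that failure explicit, e.g. `if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) { throw new DownloadFailedException("HEAD request to " + url + " failed."); }`. With the `file://` branch gone, the Javadoc should also say that only HTTP URLs are accepted. The rest of the method, including the return, lies outside the hunk.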


@@ -1,69 +0,0 @@
/*
* This file is part of dependency-check-core.
*
* Dependency-check-core is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation, either version 3 of the License, or (at your option) any
* later version.
*
* Dependency-check-core is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* dependency-check-core. If not, see http://www.gnu.org/licenses/.
*
* Copyright (c) 2013 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.utils;
import java.io.IOException;
/**
* An exception used when a file is unable to be un-zipped.
*
* @author Jeremy Long (jeremy.long@owasp.org)
*/
public class ExtractionException extends IOException {
/**
* The serial version UID.
*/
private static final long serialVersionUID = 1L;
/**
* Creates a new ExtractionException.
*/
public ExtractionException() {
super();
}
/**
* Creates a new ExtractionException.
*
* @param msg a message for the exception.
*/
public ExtractionException(String msg) {
super(msg);
}
/**
* Creates a new ExtractionException.
*
* @param ex the cause of the download failure.
*/
public ExtractionException(Throwable ex) {
super(ex);
}
/**
* Creates a new ExtractionException.
*
* @param msg a message for the exception.
* @param ex the cause of the download failure.
*/
public ExtractionException(String msg, Throwable ex) {
super(msg, ex);
}
}


@@ -18,22 +18,11 @@
*/
package org.owasp.dependencycheck.utils;
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.AnalysisException;
import org.owasp.dependencycheck.analyzer.ArchiveAnalyzer;
/**
* A collection of utilities for processing information about files.
@@ -42,11 +31,6 @@ import org.owasp.dependencycheck.analyzer.ArchiveAnalyzer;
*/
public final class FileUtils {
/**
* The buffer size to use when extracting files from the archive.
*/
private static final int BUFFER_SIZE = 4096;
/**
* Private constructor for a utility class.
*/
@@ -86,31 +70,6 @@ public final class FileUtils {
}
}
/**
* Deletes a file. If the File is a directory it will recursively delete the
* contents.
*
* @param file the File to delete
* @param deleteOnExit setting this to true will cause errors to be ignored
* and if there is an error deleting the file it will be setup to be deleted
* when the JVM exits.
* @throws IOException is thrown if the file could not be deleted
*/
public static void delete(File file, boolean deleteOnExit) throws IOException {
if (file.isDirectory()) {
for (File c : file.listFiles()) {
delete(c);
}
}
if (!file.delete()) {
if (deleteOnExit) {
file.deleteOnExit();
} else {
throw new FileNotFoundException("Failed to delete file: " + file);
}
}
}
/**
* Returns the data directory. If a path was specified in
* dependencycheck.properties or was specified using the Settings object,
@@ -155,100 +114,4 @@ public final class FileUtils {
final File jarPath = new File(decodedPath);
return jarPath.getParentFile();
}
/**
* Extracts the contents of an archive into the specified directory.
*
* @param archive an archive file such as a WAR or EAR
* @param extractTo a directory to extract the contents to
* @throws ExtractionException thrown if an exception occurs while
* extracting the files
*/
public static void extractFiles(File archive, File extractTo) throws ExtractionException {
extractFiles(archive, extractTo, null);
}
/**
* Extracts the contents of an archive into the specified directory. The
* files are only extracted if they are supported by the analyzers loaded
* into the specified engine. If the engine is specified as null then all
* files are extracted.
*
* @param archive an archive file such as a WAR or EAR
* @param extractTo a directory to extract the contents to
* @param engine the scanning engine
* @throws ExtractionException thrown if there is an error extracting the
* files
*/
public static void extractFiles(File archive, File extractTo, Engine engine) throws ExtractionException {
if (archive == null || extractTo == null) {
return;
}
FileInputStream fis = null;
ZipInputStream zis = null;
try {
fis = new FileInputStream(archive);
} catch (FileNotFoundException ex) {
Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.INFO, null, ex);
throw new ExtractionException("Archive file was not found.", ex);
}
zis = new ZipInputStream(new BufferedInputStream(fis));
ZipEntry entry;
try {
while ((entry = zis.getNextEntry()) != null) {
if (entry.isDirectory()) {
final File d = new File(extractTo, entry.getName());
if (!d.mkdirs()) {
final String msg = String.format("Unable to create '%s'.", d.getAbsolutePath());
throw new ExtractionException(msg);
}
} else {
final File file = new File(extractTo, entry.getName());
final String ext = getFileExtension(file.getName());
if (engine == null || engine.supportsExtension(ext)) {
BufferedOutputStream bos = null;
FileOutputStream fos;
try {
fos = new FileOutputStream(file);
bos = new BufferedOutputStream(fos, BUFFER_SIZE);
int count;
final byte data[] = new byte[BUFFER_SIZE];
while ((count = zis.read(data, 0, BUFFER_SIZE)) != -1) {
bos.write(data, 0, count);
}
bos.flush();
} catch (FileNotFoundException ex) {
Logger.getLogger(FileUtils.class.getName()).log(Level.FINE, null, ex);
final String msg = String.format("Unable to find file '%s'.", file.getName());
throw new ExtractionException(msg, ex);
} catch (IOException ex) {
Logger.getLogger(FileUtils.class.getName()).log(Level.FINE, null, ex);
final String msg = String.format("IO Exception while parsing file '%s'.", file.getName());
throw new ExtractionException(msg, ex);
} finally {
if (bos != null) {
try {
bos.close();
} catch (IOException ex) {
Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
}
}
}
}
}
}
} catch (IOException ex) {
final String msg = String.format("Exception reading archive '%s'.", archive.getName());
Logger.getLogger(FileUtils.class.getName()).log(Level.FINE, msg, ex);
throw new ExtractionException(msg, ex);
} finally {
try {
zis.close();
} catch (IOException ex) {
Logger.getLogger(FileUtils.class.getName()).log(Level.FINEST, null, ex);
}
}
}
}


@@ -67,11 +67,6 @@ public final class Settings {
* The base path to use for the data directory.
*/
public static final String DATA_DIRECTORY = "data.directory";
/**
* The location of the batch update URL. This is a zip file that
* contains the contents of the data directory.
*/
public static final String BATCH_UPDATE_URL = "batch.update.url";
/**
* The properties key for the path where the CPE Lucene Index will be
* stored.
@@ -82,6 +77,14 @@ public final class Settings {
* stored.
*/
public static final String CVE_DATA_DIRECTORY = "data.cve";
/**
* The properties key for the URL to the CPE.
*/
public static final String CPE_URL = "cpe.url";
/**
* The properties key for the URL to the CPE.
*/
public static final String CPE_META_URL = "cpe.meta.url";
/**
* The properties key for the URL to retrieve the "meta" data from about
* the CVE entries.


@@ -2,30 +2,27 @@ application.name=${pom.name}
application.version=${pom.version}
autoupdate=true
# the location of the temp directory. if this is not specified it defaults to
# System.getProperty("java.io.tmpdir")
#temp.directory defaults to System.getProperty("java.io.tmpdir")
#temp.directory=[path to temp directory]
# the path to the data directory; if this begins with "[JAR]" the directory
# specified will be in the same directory as the core jar file.
# the path to the data directory; if tis
data.directory=[JAR]/data
# the path to the lucene index to store the cpe data
data.cpe=cpe
# the path to the h2 database to store the nvd cve data
data.cve=cve
# the path to the cpe xml file
cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.xml.gz
# the path to the cpe meta data file.
cpe.meta.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.meta
# the number of days that the modified nvd cve data holds data for. We don't need
# to update the other files if we are within this timespan. Per NIST this file
# holds 8 days of updates, we are using 7 just to be safe.
cve.url.modified.validfordays=7
# the location of the zipped CVE database and Lucene index. If specified and
# a full download of data is required this URL will be used and the data extracted
# into the specified "data" directory. Additionally, after pulling the data the
# system will attempt to update the modified. Thus, if one were maintaining an
# internal copy of the data one would not need to update it nightly.
batch.update.url=file://C:/Users/jeremy/Desktop/demo/cli/data/data.zip
# the path to the modified nvd cve xml file.
cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
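Review bot: The `cpe.url` and `cpe.meta.url` entries, like the `cve.url-*` ones beside them, use plain `http://`, and nothing visible in this commit verifies the downloaded feed, so the data that drives every finding can be altered or withheld in transit. If the host serves the same files over TLS, the defaults should use `https://`; otherwise a checksum or signature check after download would be the place to add integrity. The comment `# the path to the data directory; if tis`, which appears to be on the new side, is cut off mid-sentence and should be completed or shortened to `# the path to the data directory`.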


@@ -18,7 +18,6 @@
*/
package org.owasp.dependencycheck.utils;
import java.io.File;
import org.owasp.dependencycheck.utils.Settings;
import org.owasp.dependencycheck.utils.Downloader;
import java.net.URL;
@@ -64,15 +63,13 @@ public class DownloaderIntegrationTest {
// Settings.setString(Settings.KEYS.PROXY_PORT, "8080");
// Settings.setString(Settings.KEYS.PROXY_URL, "127.0.0.1");
URL url = new URL(Settings.getString(Settings.KEYS.CPE_URL));
String outputPath = "target/downloaded_cpe.xml";
Downloader.fetchFile(url, outputPath, true);
// Removed as the actual CPE is no longer used.
// URL url = new URL(Settings.getString(Settings.KEYS.CPE_URL));
// String outputPath = "target/downloaded_cpe.xml";
// Downloader.fetchFile(url, outputPath, true);
URL url = new URL(Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL));
File outputPath = new File("target/downloaded_cve.xml");
Downloader.fetchFile(url, outputPath);
url = new URL(Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL));
outputPath = "target/downloaded_cve.xml";
Downloader.fetchFile(url, outputPath, false);
}


@@ -24,7 +24,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.0.2-SNAPSHOT</version>
<version>1.0.1</version>
</parent>
<artifactId>dependency-check-maven</artifactId>


@@ -1,5 +1,2 @@
application.name=${pom.name}
application.version=${pom.version}
# the path to the data directory
data.directory=[JAR]/../../dependency-check-data/${project.version}
data.directory=[JAR]/../../dependency-check-data


@@ -22,7 +22,7 @@ along with Dependency-Check. If not, see <http://www.gnu.org/licenses />.
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.0.2-SNAPSHOT</version>
<version>1.0.1</version>
<packaging>pom</packaging>
<parent>
@@ -79,7 +79,7 @@ along with Dependency-Check. If not, see <http://www.gnu.org/licenses />.
<connection>scm:git:git@github.com:jeremylong/DependencyCheck.git</connection>
<url>https://github.com/jeremylong/DependencyCheck.git</url>
<developerConnection>scm:git:git@github.com:jeremylong/DependencyCheck.git</developerConnection>
<tag>dependency-check-1.0.1</tag>
<tag>HEAD</tag>
</scm>
<issueManagement>
<system>github</system>
@@ -209,7 +209,7 @@ along with Dependency-Check. If not, see <http://www.gnu.org/licenses />.
</executions>
</plugin>
<!-- end copy -->
<!--<plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-gpg-plugin</artifactId>
<version>1.4</version>
@@ -222,7 +222,7 @@ along with Dependency-Check. If not, see <http://www.gnu.org/licenses />.
</goals>
</execution>
</executions>
</plugin>-->
</plugin>
</plugins>
</build>
<dependencies>