v0.3.2.3

Former-commit-id: f1a80ca108a9089e26c716bab8389844faa3e3a4

pom.xml

@@ -22,7 +22,7 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses />.
 
     <groupId>org.owasp</groupId>
     <artifactId>dependency-check</artifactId>
-    <version>0.3.2.2</version>
+    <version>0.3.2.3</version>
     <packaging>jar</packaging>
 
     <name>DependencyCheck</name>

src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java

@@ -337,7 +337,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
                 final XMLReader xr = sp.getXMLReader();
                 filter.setParent(xr);
                 final NonClosingStream stream = new NonClosingStream(jar.getInputStream(entry));
-                final InputStreamReader reader = new InputStreamReader(stream);
+                final InputStreamReader reader = new InputStreamReader(stream, "UTF-8");
                 final InputSource xml = new InputSource(reader);
                 final SAXSource source = new SAXSource(filter, xml);
                 final JAXBElement<Model> el = pomUnmarshaller.unmarshal(source, Model.class);

src/main/java/org/owasp/dependencycheck/analyzer/SpringCleaningAnalyzer.java

@@ -1,165 +0,0 @@
-/*
- * This file is part of Dependency-Check.
- *
- * Dependency-Check is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
- *
- * Dependency-Check is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
- *
- * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
- */
-package org.owasp.dependencycheck.analyzer;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.dependency.Identifier;
-
-/**
- * This analyzer ensures that the Spring Framework Core CPE identifiers are only associated
- * with the "core" jar files. If there are other Spring JARs, such as spring-beans, and
- * spring-core is in the scanned dependencies then only the spring-core will have a reference
- * to the CPE values (if there are any for the version of spring being used).
- *
- * @author Jeremy Long (jeremy.long@owasp.org)
- * @deprecated This class has been deprecated as it has been replaced by the BundlingAnalyzer
- */
-@Deprecated
-public class SpringCleaningAnalyzer extends AbstractAnalyzer implements Analyzer {
-
-    /**
-     * The set of file extensions supported by this analyzer.
-     */
-    private static final Set<String> EXTENSIONS = newHashSet("jar");
-    /**
-     * The name of the analyzer.
-     */
-    private static final String ANALYZER_NAME = "Jar Analyzer";
-    /**
-     * The phase that this analyzer is intended to run in.
-     */
-    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_IDENTIFIER_ANALYSIS;
-
-    /**
-     * Returns a list of file EXTENSIONS supported by this analyzer.
-     *
-     * @return a list of file EXTENSIONS supported by this analyzer.
-     */
-    public Set<String> getSupportedExtensions() {
-        return EXTENSIONS;
-    }
-
-    /**
-     * Returns the name of the analyzer.
-     *
-     * @return the name of the analyzer.
-     */
-    public String getName() {
-        return ANALYZER_NAME;
-    }
-
-    /**
-     * Returns whether or not this analyzer can process the given extension.
-     *
-     * @param extension the file extension to test for support
-     * @return whether or not the specified file extension is supported by this
-     * analyzer.
-     */
-    public boolean supportsExtension(String extension) {
-        return EXTENSIONS.contains(extension);
-    }
-
-    /**
-     * Returns the phase that the analyzer is intended to run in.
-     *
-     * @return the phase that the analyzer is intended to run in.
-     */
-    public AnalysisPhase getAnalysisPhase() {
-        return ANALYSIS_PHASE;
-    }
-
-    /**
-     * a list of spring versions.
-     */
-    private List<Identifier> springVersions;
-
-    /**
-     * Determines if several "spring" libraries were scanned and trims the
-     * cpe:/a:springsource:spring_framework:[version] from the none "core" framework
-     * if the core framework was part of the scan.
-     *
-     * @param dependency the dependency to analyze.
-     * @param engine the engine that is scanning the dependencies
-     * @throws AnalysisException is thrown if there is an error reading the JAR
-     * file.
-     */
-    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
-        collectSpringFrameworkIdentifiers(engine);
-
-        final List<Identifier> identifiersToRemove = new ArrayList<Identifier>();
-        for (Identifier identifier : dependency.getIdentifiers()) {
-            if (springVersions.contains(identifier) && !isCoreFramework(dependency.getFileName())) {
-                identifiersToRemove.add(identifier);
-            }
-        }
-
-        for (Identifier i : identifiersToRemove) {
-            dependency.getIdentifiers().remove(i);
-        }
-    }
-
-    /**
-     * Cycles through the dependencies and creates a collection of the spring identifiers.
-     *
-     * @param engine the core engine.
-     */
-    private void collectSpringFrameworkIdentifiers(Engine engine) {
-        //check to see if any of the libs are the core framework
-        if (springVersions == null) {
-            springVersions = new ArrayList<Identifier>();
-            for (Dependency d : engine.getDependencies()) {
-                if (supportsExtension(d.getFileExtension())) {
-                    for (Identifier i : d.getIdentifiers()) {
-                        if (isSpringFrameworkCpe(i)) {
-                            if (isCoreFramework(d.getFileName())) {
-                                springVersions.add(i);
-                            }
-                        }
-                    }
-                }
-            }
-        }
-    }
-
-    /**
-     * Attempts to determine if the identifier is for the spring framework.
-     *
-     * @param identifier an identifier
-     * @return whether or not it is believed to be a spring identifier
-     */
-    private boolean isSpringFrameworkCpe(Identifier identifier) {
-        return "cpe".equals(identifier.getType())
-                && (identifier.getValue().startsWith("cpe:/a:springsource:spring_framework:")
-                || identifier.getValue().startsWith("cpe:/a:vmware:springsource_spring_framework"));
-    }
-
-    /**
-     * Attempts to determine if the file name passed in is for the core spring-framework.
-     *
-     * @param filename a file name
-     * @return whether or not it is believed the file name is for the core spring framework
-     */
-    private boolean isCoreFramework(String filename) {
-        return filename.toLowerCase().matches("^spring([ _-]?core)?[ _-]?\\d.*");
-    }
-}

src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java

@@ -64,7 +64,11 @@ public class ReportGenerator {
         /**
          * Generate HTML report.
          */
-        HTML
+        HTML,
+        /**
+         * Generate HTML Vulnerability report.
+         */
+        VULN
     }
     /**
      * The Velocity Engine.
@@ -139,6 +143,9 @@ public class ReportGenerator {
         if (format == Format.HTML || format == Format.ALL) {
             generateReport("HtmlReport", outputDir + File.separator + "DependencyCheck-Report.html");
         }
+        if (format == Format.VULN || format == Format.ALL) {
+            generateReport("VulnerabilityReport", outputDir + File.separator + "DependencyCheck-Vulnerability.html");
+        }
     }
 
     /**
@@ -151,14 +158,20 @@ public class ReportGenerator {
      * reports.
      */
     public void generateReports(String outputDir, String outputFormat) throws IOException, Exception {
-        if ("XML".equalsIgnoreCase(outputFormat)) {
-            generateReports(outputDir, Format.XML);
-        }
-        if ("HTML".equalsIgnoreCase(outputFormat)) {
-            generateReports(outputDir, Format.HTML);
-        }
-        if ("ALL".equalsIgnoreCase(outputFormat)) {
-            generateReports(outputDir, Format.ALL);
+        final String format = outputFormat.toUpperCase();
+        if (format.matches("^(XML|HTML|VULN|ALL)$")) {
+            if ("XML".equalsIgnoreCase(format)) {
+                generateReports(outputDir, Format.XML);
+            }
+            if ("HTML".equalsIgnoreCase(format)) {
+                generateReports(outputDir, Format.HTML);
+            }
+            if ("VULN".equalsIgnoreCase(format)) {
+                generateReports(outputDir, Format.VULN);
+            }
+            if ("ALL".equalsIgnoreCase(format)) {
+                generateReports(outputDir, Format.ALL);
+            }
         }
     }
 

src/main/java/org/owasp/dependencycheck/utils/CliParser.java

@@ -109,8 +109,9 @@ public final class CliParser {
                 final String format = line.getOptionValue(ArgumentName.OUTPUT_FORMAT);
                 if (!("ALL".equalsIgnoreCase(format)
                         || "XML".equalsIgnoreCase(format)
-                        || "HTML".equalsIgnoreCase(format))) {
-                    throw new ParseException("Supported output formats are XML, HTML, or ALL");
+                        || "HTML".equalsIgnoreCase(format)
+                        || "VULN".equalsIgnoreCase(format))) {
+                    throw new ParseException("Supported output formats are XML, HTML, VULN, or ALL");
                 }
             }
         }
@@ -157,47 +158,47 @@ public final class CliParser {
     @SuppressWarnings("static-access")
     private Options createCommandLineOptions() {
         final Option help = new Option(ArgumentName.HELP_SHORT, ArgumentName.HELP, false,
-                "print this message.");
+                "Print this message.");
 
         final Option deepScan = new Option(ArgumentName.PERFORM_DEEP_SCAN_SHORT, ArgumentName.PERFORM_DEEP_SCAN, false,
-                "extracts extra information from dependencies that may increase false positives, but also decrease false negatives.");
+                "Extracts extra information from dependencies that may increase false positives, but also decrease false negatives.");
 
         final Option version = new Option(ArgumentName.VERSION_SHORT, ArgumentName.VERSION,
-                false, "print the version information.");
+                false, "Print the version information.");
 
         final Option noUpdate = new Option(ArgumentName.DISABLE_AUTO_UPDATE_SHORT, ArgumentName.DISABLE_AUTO_UPDATE,
-                false, "disables the automatic updating of the CPE data.");
+                false, "Disables the automatic updating of the CPE data.");
 
         final Option appName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ArgumentName.APP_NAME)
-                .withDescription("the name of the application being scanned.")
+                .withDescription("The name of the application being scanned.")
                 .create(ArgumentName.APP_NAME_SHORT);
 
         final Option connectionTimeout = OptionBuilder.withArgName("timeout").hasArg().withLongOpt(ArgumentName.CONNECTION_TIMEOUT)
-                .withDescription("the connection timeout (in milliseconds) to use when downloading resources.")
+                .withDescription("The connection timeout (in milliseconds) to use when downloading resources.")
                 .create(ArgumentName.CONNECTION_TIMEOUT_SHORT);
 
         final Option proxyUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ArgumentName.PROXY_URL)
-                .withDescription("the proxy url to use when downloading resources.")
+                .withDescription("The proxy url to use when downloading resources.")
                 .create(ArgumentName.PROXY_URL_SHORT);
 
         final Option proxyPort = OptionBuilder.withArgName("port").hasArg().withLongOpt(ArgumentName.PROXY_PORT)
-                .withDescription("the proxy port to use when downloading resources.")
+                .withDescription("The proxy port to use when downloading resources.")
                 .create(ArgumentName.PROXY_PORT_SHORT);
 
         final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.SCAN)
-                .withDescription("the path to scan - this option can be specified multiple times.")
+                .withDescription("The path to scan - this option can be specified multiple times.")
                 .create(ArgumentName.SCAN_SHORT);
 
         final Option props = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.PROP)
-                .withDescription("a property file to load.")
+                .withDescription("A property file to load.")
                 .create(ArgumentName.PROP_SHORT);
 
         final Option out = OptionBuilder.withArgName("folder").hasArg().withLongOpt(ArgumentName.OUT)
-                .withDescription("the folder to write reports to.")
+                .withDescription("The folder to write reports to.")
                 .create(ArgumentName.OUT_SHORT);
 
         final Option outputFormat = OptionBuilder.withArgName("format").hasArg().withLongOpt(ArgumentName.OUTPUT_FORMAT)
-                .withDescription("the output format to write to (XML, HTML, ALL).")
+                .withDescription("The output format to write to (XML, HTML, VULN, ALL).")
                 .create(ArgumentName.OUTPUT_FORMAT_SHORT);
 
         final OptionGroup og = new OptionGroup();

src/main/resources/META-INF/licenses/StupidTablePlugin/LICENSE.txt

@@ -0,0 +1,19 @@
+Copyright (c) 2012 Joseph McCullough
+
+Permission is hereby granted, free of charge, to any person obtaining a copy   
+of this software and associated documentation files (the "Software"), to deal   
+in the Software without restriction, including without limitation the rights   
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell   
+copies of the Software, and to permit persons to whom the Software is   
+furnished to do so, subject to the following conditions:  
+
+The above copyright notice and this permission notice shall be included in all  
+copies or substantial portions of the Software.  
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR   
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,  
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE  
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER  
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,  
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE  
+SOFTWARE.

src/main/resources/templates/HtmlReport.vsl

@@ -284,10 +284,16 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             <h2 class="sectionheader white">Project:&nbsp;$esc.html($applicationName)</h2>
             <div class="sectioncontent">Report Generated On: $date<br/><br/>
                 #set($depCount=$dependencies.size())
+                #set($vulnCount=0)
+
                 #foreach($dependency in $dependencies)
                     #set($depCount=$depCount+$dependency.getRelatedDependencies().size())
+                    #if($dependency.getVulnerabilities().size()>0)
+                        #set($vulnCount=$vulnCount+1)
+                    #end
                 #end
-                Dependencies Scanned:&nbsp;$depCount<br/><br/>
+                Dependencies Scanned:&nbsp;$depCount<br/>
+                Vulnerable Dependencies:&nbsp;$vulnCount<br/><br/>
                 <div class="indent">
                 #set($lnkcnt=0)
                 #foreach($dependency in $dependencies)