github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-14 15:53:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: github-mirrors:v1.1.1
Branches Tags
github-mirrors:master github-mirrors:feature/java-version-parse github-mirrors:cvedb-cache github-mirrors:reportGeneration github-mirrors:stevespringett-master github-mirrors:gh-pages github-mirrors:issue690_threadsafe
github-mirrors:v1.4.5 github-mirrors:v1.4.4 github-mirrors:1.4.3 github-mirrors:v1.4.2 github-mirrors:v1.4.1 github-mirrors:v1.4.0 github-mirrors:v1.3.6 github-mirrors:v1.3.5 github-mirrors:v1.3.4 github-mirrors:v1.3.3 github-mirrors:v1.3.2 github-mirrors:v1.3.1 github-mirrors:v1.3.0 github-mirrors:v1.2.11 github-mirrors:v1.2.9 github-mirrors:v1.2.8 github-mirrors:v1.2.7 github-mirrors:v1.2.6 github-mirrors:v1.2.5 github-mirrors:v1.2.4 github-mirrors:v1.2.3 github-mirrors:v1.2.2 github-mirrors:v1.2.1 github-mirrors:v1.2.0.1 github-mirrors:v1.2.0 github-mirrors:v1.1.4 github-mirrors:v1.1.3 github-mirrors:v1.1.2 github-mirrors:v1.1.1 github-mirrors:v1.1.0 github-mirrors:v1.0.8 github-mirrors:v1.0.7 github-mirrors:v1.0.6 github-mirrors:v1.0.5 github-mirrors:v1.0.4 github-mirrors:v1.0.3 github-mirrors:v1.0.2 github-mirrors:v1.0.1 github-mirrors:v0.3.2.4 github-mirrors:v0.3.2.3 github-mirrors:v0.3.2.2 github-mirrors:v0.3.2.0 github-mirrors:v0.3.1.1 github-mirrors:v0.3.1.0 github-mirrors:v0.3.0.0 github-mirrors:v0.2.6.0 github-mirrors:v0.2.5.2 github-mirrors:v0.2.5.1 github-mirrors:v0.2.5.0 github-mirrors:v0.2.4.0 github-mirrors:v0.2.3.2 github-mirrors:v0.2.3.1 github-mirrors:v0.2.3 github-mirrors:v0.2.2 github-mirrors:v0.2.1 github-mirrors:v0.2.0
...
compare: github-mirrors:v1.1.2
Branches Tags
github-mirrors:feature/java-version-parse github-mirrors:cvedb-cache github-mirrors:reportGeneration github-mirrors:master github-mirrors:stevespringett-master github-mirrors:gh-pages github-mirrors:issue690_threadsafe
github-mirrors:v1.4.5 github-mirrors:v1.4.4 github-mirrors:1.4.3 github-mirrors:v1.4.2 github-mirrors:v1.4.1 github-mirrors:v1.4.0 github-mirrors:v1.3.6 github-mirrors:v1.3.5 github-mirrors:v1.3.4 github-mirrors:v1.3.3 github-mirrors:v1.3.2 github-mirrors:v1.3.1 github-mirrors:v1.3.0 github-mirrors:v1.2.11 github-mirrors:v1.2.9 github-mirrors:v1.2.8 github-mirrors:v1.2.7 github-mirrors:v1.2.6 github-mirrors:v1.2.5 github-mirrors:v1.2.4 github-mirrors:v1.2.3 github-mirrors:v1.2.2 github-mirrors:v1.2.1 github-mirrors:v1.2.0.1 github-mirrors:v1.2.0 github-mirrors:v1.1.4 github-mirrors:v1.1.3 github-mirrors:v1.1.2 github-mirrors:v1.1.1 github-mirrors:v1.1.0 github-mirrors:v1.0.8 github-mirrors:v1.0.7 github-mirrors:v1.0.6 github-mirrors:v1.0.5 github-mirrors:v1.0.4 github-mirrors:v1.0.3 github-mirrors:v1.0.2 github-mirrors:v1.0.1 github-mirrors:v0.3.2.4 github-mirrors:v0.3.2.3 github-mirrors:v0.3.2.2 github-mirrors:v0.3.2.0 github-mirrors:v0.3.1.1 github-mirrors:v0.3.1.0 github-mirrors:v0.3.0.0 github-mirrors:v0.2.6.0 github-mirrors:v0.2.5.2 github-mirrors:v0.2.5.1 github-mirrors:v0.2.5.0 github-mirrors:v0.2.4.0 github-mirrors:v0.2.3.2 github-mirrors:v0.2.3.1 github-mirrors:v0.2.3 github-mirrors:v0.2.2 github-mirrors:v0.2.1 github-mirrors:v0.2.0

118 Commits
v1.1.1 ... v1.1.2

Author SHA1 Message Date
Jeremy Long
6379bfb8b8 version 1.1.2 
Former-commit-id: 876e8a1a02fdb24968779f6988652e0c11afc866
 2014-03-03 08:51:17 -05:00
Jeremy Long
220539e51a minor update to formating 
Former-commit-id: b3c3f53e6d227c8b08ff908380bf2af94cb64b04
 2014-03-03 07:37:33 -05:00
Jeremy Long
95cd215e9e added more javadoc 
Former-commit-id: 5b42bdc4fdf6670ea5316d21c02a3223a44505d4
 2014-03-03 07:32:43 -05:00
Jeremy Long
88c04714f8 updated pre-flight to correctly skip the proxy if configured to do so 
Former-commit-id: eca1f3b7bf24d88b4e80cda9e296e31ad8c1215b
 2014-03-03 07:12:58 -05:00
Jeremy Long
6d47e32cac minor update to logging statement 
Former-commit-id: 0f197a42a7bdf4eebefed860d5d03b5dd2634a1d
 2014-03-03 07:05:24 -05:00
Jeremy Long
fc34b40c0a corrected spelling 
Former-commit-id: 9acb6efd615f2327a8235f13bd2054797d8b52f7
 2014-03-03 07:02:59 -05:00
Jeremy Long
d95fa8a893 updated logging of properties 
Former-commit-id: f9e224a9c5ad0972e2f8ae0fc5850947b1e59c2f
 2014-03-03 07:01:19 -05:00
Jeremy Long
b48f83ff49 updated imports 
Former-commit-id: f7c013937243063b60f2b5cb7012e476b1fdcc98
 2014-03-03 06:36:25 -05:00
Jeremy Long
c189b258b4 corrected long option name for nexus uses proxy argument 
Former-commit-id: 4dfcd0fc4324828ff99138ca5d5903aa8e368a39
 2014-03-03 05:41:55 -05:00
Jeremy Long
06fc5e71c3 updated documentation 
Former-commit-id: 0380144c003adf7a2e50d32d43f3605a30b6b089
 2014-03-02 19:23:04 -05:00
Jeremy Long
8093927579 minor checkstyle patch 
Former-commit-id: e72e6856d19861fcfcc18e723852ca5fec2ff58a
 2014-03-02 19:17:08 -05:00
Jeremy Long
d9eed4a460 updated to address issue #74 
Former-commit-id: 9ebe411a6f1dae5c0ffb39399fe5b5c63b927836
 2014-03-02 18:26:58 -05:00
Jeremy Long
9d609b6085 added configuration for whether or not the nexus analyzer should use the configured proxy 
Former-commit-id: 99f3110346941ebc00c14ae1c00220eef76c1e9f
 2014-03-02 18:16:12 -05:00
Jeremy Long
ef97f9c088 checkstyle fix 
Former-commit-id: 1968682a460b5b294553f375ea191bcf6a45072b
 2014-03-02 12:27:26 -05:00
Jeremy Long
bb8aa0fe6f fixed JavaDoc @link missing close curly bracket 
Former-commit-id: 2ae5d38ac5e469c65e986ff0dd0292dcb8267285
 2014-03-02 12:26:56 -05:00
Jeremy Long
be441d2aa5 checkstyle fix 
Former-commit-id: 108f7d5e6b1ef4f59b2d009eddbcb00671576dd8
 2014-03-02 12:26:17 -05:00
Jeremy Long
73e089d330 removed unused argument from runScan 
Former-commit-id: 777688a5a541a9d3758294cee13f95c7b0d854e5
 2014-03-02 12:25:50 -05:00
Jeremy Long
0a24fb57aa minor code formating change 
Former-commit-id: 184bb0405efa2352116c7412efa07bd354df3e96
 2014-03-01 16:09:14 -05:00
Jeremy Long
7f2c51f337 cleaned up code duplication 
Former-commit-id: 561f5f16b22f07199450d090ebb8c56df3703739
 2014-03-01 16:08:58 -05:00
Jeremy Long
537e490f0f Merge branch 'master' of github.com:colezlaw/DependencyCheck into colezlaw-master 
Former-commit-id: 852aaebdb276c0974da0a76fe53e7228228a18a1
 2014-03-01 15:35:57 -05:00
Jeremy Long
a85fb3a871 corrected db initialization sequence 
Former-commit-id: bfea90ba44673f49b76d509688a6e4a4d6a912a0
 2014-03-01 15:26:17 -05:00
Will Stranathan
05a49ff5db Fixed merge conflict 
Former-commit-id: b6832bce2c905ca406d328cbf87d45f1ebb50393
 2014-03-01 15:07:40 -05:00
Jeremy Long
0bec242b2e added logos 
Former-commit-id: e00a53546ce2671eef59b264fc4b2e12b6f9691f
 2014-03-01 14:36:51 -05:00
Jeremy Long
831624897b added powered by for cloudbees and built using intellij 
Former-commit-id: c0b21530aad1dfa52e0417e67af22ac3c22f0e30
 2014-03-01 14:36:33 -05:00
Jeremy Long
ca8a0e9a88 minor format change 
Former-commit-id: f96c54e1fb969fc50ff27ab2a177490efdd3ab66
 2014-03-01 14:35:48 -05:00
Will Stranathan
865ff7911a Merge branch 'master' of github.com:/colezlaw/DependencyCheck 
Former-commit-id: 1e5c7e9d4b41a70a8139afb2d572a96fba113cd6
 2014-03-01 07:24:35 -05:00
Will Stranathan
eefc6a5567 Added proper waitfor to the process. Need to add a watchdog to this 
Former-commit-id: ff4b0b1f2c1254449e63eb660c1dbd31cef21c3b
 2014-03-01 07:24:12 -05:00
Will Stranathan
bf3bc83fd8 Fixed JULI Logging (stupid fix imports) 
Former-commit-id: d29bba7ac4ccdf648d9a945e728e9d0dbc301b6e
 2014-03-01 07:24:12 -05:00
Will Stranathan
03b06eee67 Fixed logging to JULI 
Former-commit-id: b8155251fa7120e33a042115f36ecac05fc7dce2
 2014-03-01 07:24:12 -05:00
Will Stranathan
3bc17e7b83 Fixed JULI Logging (stupid fix imports) 
Former-commit-id: 65aa4381b27717ec7bc766f37705fd63941849d1
 2014-03-01 07:16:38 -05:00
Will Stranathan
458297bf56 Fixed logging to JULI 
Former-commit-id: 5f5d9b29a6ba76f9193d47aa485b11cadb47bb67
 2014-03-01 07:13:00 -05:00
Jeremy Long
9673b2aa7c ensured output streams are closed 
Former-commit-id: c3102271cd7631bd1e38bf39b5f87ebb71da9e52
 2014-03-01 06:59:48 -05:00
Jeremy Long
a55710df7b refactored closing input streams 
Former-commit-id: 5cb4c326cc8030ff6b776fcc20a6d790494aee43
 2014-03-01 06:56:42 -05:00
Jeremy Long
73edd3bc40 made a broad catch even broader 
Former-commit-id: 2308606f9459ad25f4b81179f2d93768c5afa35d
 2014-03-01 06:46:16 -05:00
Jeremy Long
f2ee243628 made a broad catch even broader 
Former-commit-id: 11528d014d58a77c79b80073503352fce77ef45b
 2014-03-01 06:45:57 -05:00
Jeremy Long
88b1e668ee made a broad catch even broader 
Former-commit-id: 909064cae6d9bac8a9630fb9b8cca13f73353bfb
 2014-03-01 06:45:32 -05:00
Jeremy Long
1c92a47d75 checkstyle fixes 
Former-commit-id: 1ae545e0e16e3c49e3c6a0d6b95e89bf431c9598
 2014-03-01 06:45:06 -05:00
Jeremy Long
d2a9f0583a checkstyle fixes 
Former-commit-id: 81cedcd97db9bc7f1f824cdd2f496a05330b8e5f
 2014-03-01 06:44:45 -05:00
Jeremy Long
2621d2e1dc checkstyle corrections and Javadoc update 
Former-commit-id: 2bec74eecf56f5a758234edbbaccc146da32c835
 2014-03-01 06:44:23 -05:00
Jeremy Long
1ce683a95a made a broad catch even broader 
Former-commit-id: 1a8c926890702a58037457861f7172cb4916cff5
 2014-03-01 06:44:01 -05:00
Jeremy Long
3d5f725004 made a broad catch even broader 
Former-commit-id: 303c1ac281443fc121517a4dea88f072bab117bf
 2014-03-01 06:43:42 -05:00
Jeremy Long
655bc4bee3 made a broad catch even broader 
Former-commit-id: 1a553b664d41760f313245584ecec0dfd25a55c3
 2014-03-01 06:43:23 -05:00
Jeremy Long
c67d372667 made a broad catch even broader 
Former-commit-id: e9900933e58227f32b32b1562f17ae9bf50fe836
 2014-03-01 06:43:02 -05:00
Jeremy Long
54e45dac51 checkstyle fixes 
Former-commit-id: 377512fe3a5d5fcf92cd2690bff64f53f12e6d4f
 2014-03-01 06:42:44 -05:00
Jeremy Long
5b0b594761 made a broad catch even broader and some minor format changes 
Former-commit-id: 42c434756593c80eaa02146d2a6a1fd517d9b8e3
 2014-03-01 06:42:18 -05:00
Jeremy Long
cdf6e3b456 made a broad catch even broader and checkstyle corrections 
Former-commit-id: 5b6eb0775bfa5604bf27e510d75a693d5eb5dc66
 2014-03-01 06:41:40 -05:00
Jeremy Long
cf46afea94 made a broad catch even broader 
Former-commit-id: 3ae82930f8d25eeb59f162c44491d2f298ca3031
 2014-03-01 06:41:11 -05:00
Jeremy Long
ea6cca588c made a broad catch even broader 
Former-commit-id: 34ca7cd3269aca17a24e08e0db9d04ef21a17f89
 2014-03-01 06:40:54 -05:00
Jeremy Long
1f9996fe62 made a broad catch even broader 
Former-commit-id: 419f42bfbdab2328b6d6eb32baaa6b409ce20b82
 2014-03-01 06:40:29 -05:00
Jeremy Long
e0be6c746c checkstyle fixes 
Former-commit-id: 0970762bb0105e36ae089aa17013a7be78b988f3
 2014-03-01 06:40:07 -05:00
Jeremy Long
2b62bf0337 made a broad catch even broader 
Former-commit-id: bf8e7083115bce94128112645eac4d0883e58cbf
 2014-03-01 06:39:45 -05:00
Jeremy Long
845825c0bf made a broad catch even broader 
Former-commit-id: aefe84c760d9146e76ce950bdb83fd15b6772813
 2014-03-01 06:39:20 -05:00
Jeremy Long
f9b09e5b61 minor update to the author JavaDoc 
Former-commit-id: d4d7f5dae1a2951c0f9175c05afad4ab83afea9c
 2014-03-01 05:47:26 -05:00
Jeremy Long
1403aa18eb minor formating change 
Former-commit-id: 2be516fedafbdb88603bf3c041e327fe08e536db
 2014-03-01 05:47:10 -05:00
Will Stranathan
ba2fff249d Added colezlaw to the developers list 
Former-commit-id: 1055a7ca09579e010792777feeae0e8282635bc5
 2014-02-28 13:14:54 -05:00
Jeremy Long
17447d3cdc updated deletion and logging of temporary files to resolve issue #73 
Former-commit-id: 566b0629dc20e7f8fb1fa00fa8d7b3485e739815
 2014-02-28 06:52:51 -05:00
Jeremy Long
3f4c1e7029 refactored the creation of the HttpUrlConnection objects to a factory 
Former-commit-id: 984968995bf68ad9889bac843770a0d615d4478c
 2014-02-28 06:25:08 -05:00
Jeremy Long
543bbf34c2 removed my previous "correction" for the if statement... 
Former-commit-id: 70509cee3c061bfbfad927a0eb72cd32bc40ad6f
 2014-02-28 06:03:26 -05:00
Jeremy Long
5394151e42 minor correction to an if statement that missed the explicit check against null 
Former-commit-id: 115a691e3eb74038a1ed7f5d7fe357cb0b2b2a06
 2014-02-28 05:52:49 -05:00
Will Stranathan
9349e9cd99 Fixes issue 75 
Changed getConnection to public and made one which makes using the proxy optional, even if configured

Added a preflight request and proxy logic


Former-commit-id: 19fdfcf4edacacfa3724c8969c7da74a593f9a7c
 2014-02-26 22:19:13 -05:00
Will Stranathan
594aa03c5a Merge remote-tracking branch 'upstream/master' 
Former-commit-id: 0bd0189c8d6b432de170452118a0a6d8f0864191
 2014-02-26 20:45:30 -05:00
Jeremy Long
ff1328dbdd changed log level to hide extraction of Grok Assembly from users 
Former-commit-id: c2701066dc9fe268d82539a83e4b5a27e1ad0e04
 2014-02-23 08:45:04 -05:00
Jeremy Long
9ba44e32fb re-wrote the retrieval of the vendor product list to use a generic pair and completely encapsulate all sql objects in CveDB 
Former-commit-id: f84c88e2acc3c876228150736c71290b3467e2d2
 2014-02-23 08:42:16 -05:00
Jeremy Long
245becdc8c pmd corrections - unused exceptions 
Former-commit-id: 25ac03c35e7805ec5b9a77c3a3deb5c667ae32c7
 2014-02-23 07:45:43 -05:00
Jeremy Long
56f77e88a8 checkstyle corrections 
Former-commit-id: 54a8da5be77dc5c13ebaa275de668e746d306762
 2014-02-23 07:42:56 -05:00
Jeremy Long
695e35634c updated error messages 
Former-commit-id: 57b15967c6df98c13a0fd2d940ff20a9166bbaed
 2014-02-22 17:43:12 -05:00
Jeremy Long
1f408dd7a7 ensured engine.cleanup() is now being called 
Former-commit-id: 99afdd8d82d6dce65d8dd3ac23893070b318c082
 2014-02-22 16:46:59 -05:00
Jeremy Long
303a3ac376 updated log levels when logging exceptions 
Former-commit-id: 343daf8cf4176d1bb810d7ecd30d56c8cdc6bf4d
 2014-02-22 15:50:20 -05:00
Jeremy Long
221537601f updated so compilation/tests work on linux 
Former-commit-id: 3759e9438065138e6339aa3a56c81c08215406e4
 2014-02-22 15:30:50 -05:00
Jeremy Long
f08919a829 made initialize and cleanup synchronized so we can avoid un-needed duplicate initialization/cleanup 
Former-commit-id: 061d6a1a5c56806ea7c23d2599a6c6f7df1dae58
 2014-02-22 09:25:52 -05:00
Jeremy Long
cfb1f8c767 re-structured the database connection factory 
Former-commit-id: 5d84399dcb20a271a8e41414ca0604e8a9908727
 2014-02-22 08:43:42 -05:00
Jeremy Long
39d3e447ab added the AssemblyAnalylzer to the list of analyzer services 
Former-commit-id: 1099b9174450efa073d25f86d99e710b831ff954
 2014-02-19 19:41:24 -05:00
Jeremy Long
bb76242632 added temporary hack to allow compilation on linux systems - H2 fails to load with AUTO_SERVER=true 
Former-commit-id: b41ab9787071e97a5cff8c329716f8ff86b215c8
 2014-02-18 19:38:13 -05:00
Jeremy Long
6bfb709233 fix for issue #72 
Former-commit-id: 866b658eddb30ac1617d2d0d1729333a4864f753
 2014-02-18 19:36:20 -05:00
Will Stranathan
ab9ec7145d Ignore the test if we can't run GrokAssembly.exe 
Former-commit-id: f1241a8b701cb989c55de50fc5728306bea06ccd
 2014-02-15 15:58:44 -05:00
Jeremy Long
6ec931fcd7 updates to resolve issue #71 - added configuration for cve urls to the ant task 
Former-commit-id: d30b9b01f9af8392e1e8a2493a7c8951d088241f
 2014-02-15 08:32:20 -05:00
Jeremy Long
ae76a7f7d4 updates to resolve issue #71 - added configuration for cve urls 
Former-commit-id: 5b1ce45649cdefc92c694cea54cedd18fa30b005
 2014-02-15 07:50:00 -05:00
Jeremy Long
2f20bf1bee removed old cwe data file that is not used 
Former-commit-id: 9c5edd6f16d1d2b0a2af4ec23ecf7f1c0729c45a
 2014-02-14 22:21:28 -05:00
Jeremy Long
f9d01d2fad updated test case to build serialized hashmap for CWE version 2.5 for issue #68 
Former-commit-id: 9246126c1915e65862fddf2fe57a1cf58a2d8401
 2014-02-14 22:15:13 -05:00
Jeremy Long
1eb1329f68 updated to CWE version 2.5 to close issue #68 
Former-commit-id: dcc564320e283425f70f67830047d73cf8099fe4
 2014-02-14 22:14:33 -05:00
Jeremy Long
51a3e60913 removed unused property 
Former-commit-id: 2a808617fae27e023b322604d3364bde29274a01
 2014-02-14 22:09:34 -05:00
Jeremy Long
30c88a2fe7 added additional logging to try and solve issue #49 
Former-commit-id: 5a4e804aa461b3d2603a70ee4aa79b236306d3cc
 2014-02-14 08:20:26 -05:00
Jeremy Long
4ffd336c72 Merge branch 'master' of github.com:hgomez/DependencyCheck into hgomez-master 
Former-commit-id: 031bd2f2e7c9ff211245654fc594fdb1b8630d9f
 2014-02-14 08:05:33 -05:00
Jeremy Long
7cbc047b41 commented out unused properties 
Former-commit-id: 80ef6ece02e7e8ed74a34ecb6a580c339ad69431
 2014-02-14 08:02:50 -05:00
Henri Gomez
adf4222b24 tipo 
Former-commit-id: 61cfcee87376f7fe1a1cb1bebc5a0fed875745b4
 2014-02-14 12:16:17 +01:00
Henri Gomez
c095118e98 Skipped Scope parametized 
Former-commit-id: 7a0807b77afef6a3db24af30ca98b770b44bea04
 2014-02-14 12:14:06 +01:00
Jeremy Long
11d7d25037 patch for issue #34 - hibernate3.jar no longer reports cpe:/a:jboss:jboss 
Former-commit-id: e67337af94b3b83cae112f10beed5020540c6440
 2014-02-13 20:51:54 -05:00
Jeremy Long
c45ff40250 added hibernate3.jar to test resources to test and fix issue #34 
Former-commit-id: c88585d08a3ff93057a81ea15720d6cd88a0d047
 2014-02-13 20:31:09 -05:00
Jeremy Long
2f8c2b05bd fixes for issue #63 and issue #65 
Former-commit-id: 6b5f22ffe706cf8aafa36fc8a118e7119c7f0cdf
 2014-02-13 20:20:19 -05:00
Jeremy Long
a4c17bb308 Merge branch 'master' of github.com:hgomez/DependencyCheck into hgomez-master 
Former-commit-id: 7ce63ad527be7a6270cf877d87c5ad56fe2abb1b
 2014-02-13 06:08:33 -05:00
Jeremy Long
75eff7f083 updated getParentLogger to compile under 1.6 for issue #62 
Former-commit-id: 67a48a7f1e48bd922ee772bf7e407c2f8b3ed7e1
 2014-02-11 09:18:41 -05:00
Henri Gomez
a5b9a707a4 Add support for extra extensions provided externally 
Former-commit-id: 6c8632566de0a46ff4ce24ef5285bbd84c8ef89f
 2014-02-11 14:05:26 +01:00
Henri Gomez
1b013db312 No need to redefined Test Scope String 
Former-commit-id: 1da78b9b9994d055b38f1f5aeebb6fb67a1fb756
 2014-02-11 12:54:26 +01:00
Henri Gomez
158250e98d Artifact with scope Provided and Runtime should be excluded too 
Former-commit-id: 53e086b5bf02eee8cb4c4f3703a61923608c13dd
 2014-02-11 12:51:59 +01:00
jeremylong
f9f4be181d corrected link for issue #59 
Former-commit-id: 8b45674adfa218b82738cf910a7ebe03054c1be6
 2014-02-10 19:53:17 -05:00
Jeremy Long
3bea99c000 added dependencies to a testAll profile for issue #34 
Former-commit-id: 9cc56005bcb3e33a364a3929d1f361bd45b03662
 2014-02-08 23:54:11 -05:00
Jeremy Long
05e52ca236 updated how the description is processsed from the manifest to fix issue #34 for wss4j-1.5.7.jar 
Former-commit-id: 2a9d9fc46b0437778383cdb4f1c34c04ef746c20
 2014-02-08 23:53:47 -05:00
Jeremy Long
f268a48a16 added build-id to specific items in the manifest to patch dependencies like batli-util.jar in issue #34 
Former-commit-id: 0a6727676c5fa63a32fa7d4be18859ca622bad24
 2014-02-08 22:37:11 -05:00
Jeremy Long
96bb9a2f8e applied patch for m-core CPE per issue #34 - xstreamcore 
Former-commit-id: 9f683ade5473688c106d7bc82e464635a900277e
 2014-02-08 22:35:24 -05:00
Jeremy Long
f9b977d266 noop 
Former-commit-id: c522f08c16c28265c96b846f58461aa83fe82ed1
 2014-02-08 22:05:08 -05:00
Jeremy Long
7fca2a9cc6 removed analysisExceptions from the dependency object, instead we are logging the exception for issue #46 
Former-commit-id: feee45a009165fce559d3bad2e9c45f95f230200
 2014-02-08 12:35:53 -05:00
Jeremy Long
e473ef36b1 removed analysisExceptions for issue #46 
Former-commit-id: d18690baa5de2ad38a46936e5d3e64681b2ccc29
 2014-02-08 12:24:25 -05:00
Jeremy Long
3b5b832bbc update to make failure more verbose for issue #57 
Former-commit-id: 7315afe74cc78c65254e5f12032ece0a461be751
 2014-02-08 12:09:58 -05:00
Jeremy Long
4cfb451755 updated cobertura version and configuration 
Former-commit-id: edd13a1df620a51e1c72a232310d72b90580e81c
 2014-02-08 11:57:52 -05:00
Jeremy Long
368d1ad354 moved exceptions to their own package to avoid clutter in the org.owasp.dependencycheck.analyzer package 
Former-commit-id: 26bba207b470459d4ca238145592c2b4e776684a
 2014-02-02 07:13:53 -05:00
Will Stranathan
9a8f7ccba8 Refactored the test run of GrokAssembly to avoid double-closing 
Former-commit-id: edc5ae7da2cb52900f9eed1cd133c843f161a9aa
 2014-02-01 09:33:47 -05:00
Jeremy Long
032c8e9fac Changed from using the ConditionalIgnoreRule to using junit's core assumeFalse 
Former-commit-id: fa9e77a19adeda13aa30c48c3ffa903ec50ed762
 2014-02-01 09:11:52 -05:00
Jeremy Long
20d1abd2e1 updated test case using an invalid mono path so that it does not run on Windows 
Former-commit-id: 4a26ca21e64614bf74cb329d8d9b424442e7647c
 2014-02-01 08:49:00 -05:00
Jeremy Long
73903cbd1f added conditional ignore for JUnit tests 
Former-commit-id: ed8a216bc31a7ac8f69b08d34a0ffc356f1cd912
 2014-02-01 08:48:14 -05:00
Jeremy Long
bff22a4e4e explicitly closed the FileOutputStream after writting the assembly 
Former-commit-id: 70d6fbcd06acad1cb950c7dff8829891cd5c4721
 2014-02-01 08:20:24 -05:00
Jeremy Long
daaaed4118 Merge branch 'grokassembly-work' of https://github.com/colezlaw/DependencyCheck 
Former-commit-id: bfee1c77cc20c2fdd34a20a12696ad8009a86cd0
 2014-02-01 08:10:22 -05:00
Will Stranathan
c2c9db66e2 Fixed merge conflicts 
Former-commit-id: 64182608dd121fd22aded543552d857009cf7af9
 2014-01-31 21:52:08 -05:00
Will Stranathan
09308083a9 Adding the AssemblyAnalyzer to analyze .NET assemblies 
Changed the author on a few files

Added GrokAssembly.exe for grokking assemblies

First revision of the assembly analyzer

Added ability to configure where mono is located


Former-commit-id: c0fa65ecb227f23c8432a5950403483be8b5de25
 2014-01-31 21:44:28 -05:00
Jeremy Long
cf492355b4 updated to use markdown syntax rather then HTML (fixing vm/md interaction) 
Former-commit-id: bde9d01fb7a656bd115ec23994bc474c82bfcf74
 2014-01-31 06:15:37 -05:00
Jeremy Long
1cd1b1cb08 updated version to 1.1.2-SNAPSHOT 
Former-commit-id: 0ee7b4a66d817b5e78e6838ddd0c66527146a684
 2014-01-31 05:38:29 -05:00
Will Stranathan
ca44e3062e First revision of the assembly analyzer 
Former-commit-id: ebe1edf714da079f80af33ed257e37b2750304fd
 2014-01-28 19:23:13 -05:00
Will Stranathan
3d919f1836 Added GrokAssembly.exe for grokking assemblies 
Former-commit-id: 3886ba720b7ed3d090f3d58fa372be7d2a7aee52
 2014-01-28 19:21:54 -05:00
Will Stranathan
f4fa2150b5 Changed the author on a few files 
Former-commit-id: 67923ceb8b5419eaccfbc33a9b34bf92f0916c00
 2014-01-28 17:10:48 -05:00
78 changed files with 2142 additions and 177200 deletions
Expand all files Collapse all files

2
README.md
View File

@@ -29,7 +29,7 @@ On Windows
### Maven Plugin
More detailed instructions can be found on the [dependency-check-maven github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-maven/installation.html).
More detailed instructions can be found on the [dependency-check-maven github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-maven/usage.html).
The plugin can be configured using the following:
```xml

14
dependency-check-ant/pom.xml
View File

@@ -21,7 +21,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.1.1</version>
<version>1.1.2</version>
</parent>
<artifactId>dependency-check-ant</artifactId>
@@ -237,8 +237,11 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>2.5.2</version>
<version>2.6</version>
<configuration>
<instrumentation>
<ignoreTrivial>true</ignoreTrivial>
</instrumentation>
<check>
<branchRate>85</branchRate>
<lineRate>85</lineRate>
@@ -270,11 +273,6 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<version>2.16</version>
<configuration>
<systemProperties>
<property>
<name>net.sourceforge.cobertura.datafile</name>
<value>${project.build.directory}/cobertura/cobertura.ser</value>
<workingDirectory>target</workingDirectory>
</property>
<property>
<name>data.directory</name>
<value>${project.build.directory}/dependency-check-data</value>
@@ -356,7 +354,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>2.5.2</version>
<version>2.6</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>

236
dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java
View File

@@ -502,6 +502,28 @@ public class DependencyCheckTask extends Task {
public void setNexusUrl(String nexusUrl) {
this.nexusUrl = nexusUrl;
}
/**
* Whether or not the defined proxy should be used when connecting to Nexus.
*/
private boolean nexusUsesProxy = true;
/**
* Get the value of nexusUsesProxy.
*
* @return the value of nexusUsesProxy
*/
public boolean isNexusUsesProxy() {
return nexusUsesProxy;
}
/**
* Set the value of nexusUsesProxy.
*
* @param nexusUsesProxy new value of nexusUsesProxy
*/
public void setNexusUsesProxy(boolean nexusUsesProxy) {
this.nexusUsesProxy = nexusUsesProxy;
}
/**
* The database driver name; such as org.h2.Driver.
@@ -616,6 +638,122 @@ public class DependencyCheckTask extends Task {
this.databasePassword = databasePassword;
}
/**
* Additional ZIP File extensions to add analyze. This should be a comma-separated list of file extensions to treat
* like ZIP files.
*/
private String zipExtensions;
/**
* Get the value of zipExtensions.
*
* @return the value of zipExtensions
*/
public String getZipExtensions() {
return zipExtensions;
}
/**
* Set the value of zipExtensions.
*
* @param zipExtensions new value of zipExtensions
*/
public void setZipExtensions(String zipExtensions) {
this.zipExtensions = zipExtensions;
}
/**
* The url for the modified NVD CVE (1.2 schema).
*/
private String cveUrl12Modified;
/**
* Get the value of cveUrl12Modified.
*
* @return the value of cveUrl12Modified
*/
public String getCveUrl12Modified() {
return cveUrl12Modified;
}
/**
* Set the value of cveUrl12Modified.
*
* @param cveUrl12Modified new value of cveUrl12Modified
*/
public void setCveUrl12Modified(String cveUrl12Modified) {
this.cveUrl12Modified = cveUrl12Modified;
}
/**
* The url for the modified NVD CVE (2.0 schema).
*/
private String cveUrl20Modified;
/**
* Get the value of cveUrl20Modified.
*
* @return the value of cveUrl20Modified
*/
public String getCveUrl20Modified() {
return cveUrl20Modified;
}
/**
* Set the value of cveUrl20Modified.
*
* @param cveUrl20Modified new value of cveUrl20Modified
*/
public void setCveUrl20Modified(String cveUrl20Modified) {
this.cveUrl20Modified = cveUrl20Modified;
}
/**
* Base Data Mirror URL for CVE 1.2.
*/
private String cveUrl12Base;
/**
* Get the value of cveUrl12Base.
*
* @return the value of cveUrl12Base
*/
public String getCveUrl12Base() {
return cveUrl12Base;
}
/**
* Set the value of cveUrl12Base.
*
* @param cveUrl12Base new value of cveUrl12Base
*/
public void setCveUrl12Base(String cveUrl12Base) {
this.cveUrl12Base = cveUrl12Base;
}
/**
* Data Mirror URL for CVE 2.0.
*/
private String cveUrl20Base;
/**
* Get the value of cveUrl20Base.
*
* @return the value of cveUrl20Base
*/
public String getCveUrl20Base() {
return cveUrl20Base;
}
/**
* Set the value of cveUrl20Base.
*
* @param cveUrl20Base new value of cveUrl20Base
*/
public void setCveUrl20Base(String cveUrl20Base) {
this.cveUrl20Base = cveUrl20Base;
}
@Override
public void execute() throws BuildException {
final InputStream in = DependencyCheckTask.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
@@ -625,46 +763,60 @@ public class DependencyCheckTask extends Task {
validateConfiguration();
populateSettings();
final Engine engine = new Engine();
for (Resource resource : path) {
final FileProvider provider = resource.as(FileProvider.class);
if (provider != null) {
final File file = provider.getFile();
if (file != null && file.exists()) {
engine.scan(file);
}
}
}
Engine engine = null;
try {
engine.analyzeDependencies();
DatabaseProperties prop = null;
CveDB cve = null;
try {
cve = new CveDB();
cve.open();
prop = cve.getDatabaseProperties();
} catch (DatabaseException ex) {
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "Unable to retrieve DB Properties", ex);
} finally {
if (cve != null) {
cve.close();
engine = new Engine();
for (Resource resource : path) {
final FileProvider provider = resource.as(FileProvider.class);
if (provider != null) {
final File file = provider.getFile();
if (file != null && file.exists()) {
engine.scan(file);
}
}
}
final ReportGenerator reporter = new ReportGenerator(applicationName, engine.getDependencies(), engine.getAnalyzers(), prop);
reporter.generateReports(reportOutputDirectory, reportFormat);
try {
engine.analyzeDependencies();
DatabaseProperties prop = null;
CveDB cve = null;
try {
cve = new CveDB();
cve.open();
prop = cve.getDatabaseProperties();
} catch (DatabaseException ex) {
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "Unable to retrieve DB Properties", ex);
} finally {
if (cve != null) {
cve.close();
}
}
final ReportGenerator reporter = new ReportGenerator(applicationName, engine.getDependencies(), engine.getAnalyzers(), prop);
reporter.generateReports(reportOutputDirectory, reportFormat);
if (this.failBuildOnCVSS <= 10) {
checkForFailure(engine.getDependencies());
if (this.failBuildOnCVSS <= 10) {
checkForFailure(engine.getDependencies());
}
if (this.showSummary) {
showSummary(engine.getDependencies());
}
} catch (IOException ex) {
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE,
"Unable to generate dependency-check report", ex);
throw new BuildException("Unable to generate dependency-check report", ex);
} catch (Exception ex) {
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE,
"An exception occurred; unable to continue task", ex);
throw new BuildException("An exception occurred; unable to continue task", ex);
}
if (this.showSummary) {
showSummary(engine.getDependencies());
} catch (DatabaseException ex) {
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.SEVERE,
"Unable to connect to the dependency-check database; analysis has stopped");
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "", ex);
} finally {
if (engine != null) {
engine.cleanup();
}
} catch (IOException ex) {
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "Unable to generate dependency-check report", ex);
throw new BuildException("Unable to generate dependency-check report", ex);
} catch (Exception ex) {
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "An exception occurred; unable to continue task", ex);
throw new BuildException("An exception occurred; unable to continue task", ex);
}
}
@@ -737,6 +889,7 @@ public class DependencyCheckTask extends Task {
if (nexusUrl != null && !nexusUrl.isEmpty()) {
Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
}
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy);
if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
}
@@ -752,6 +905,21 @@ public class DependencyCheckTask extends Task {
if (databasePassword != null && !databasePassword.isEmpty()) {
Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
}
if (zipExtensions != null && !zipExtensions.isEmpty()) {
Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
}
if (cveUrl12Modified != null && !cveUrl12Modified.isEmpty()) {
Settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
}
if (cveUrl20Modified != null && !cveUrl20Modified.isEmpty()) {
Settings.setString(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
}
if (cveUrl12Base != null && !cveUrl12Base.isEmpty()) {
Settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
}
if (cveUrl20Base != null && !cveUrl20Base.isEmpty()) {
Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
}
}
/**

52
dependency-check-ant/src/site/markdown/configuration.md
View File

@@ -20,27 +20,31 @@ the project's dependencies.
```
The following table lists the configurable properties:
Property | Description | Requirement
----------------------|-------------|---------
ApplicationName | The name of the application to use in the generated report. | Required
ReportFormat | The format of the report to be generated. Allowed values are: HTML, XML, VULN, or ALL. The default value is HTML.| Optional
ReportOutputDirectory | The directory where dependency-check will store data used for analysis. Defaults to the current working directory. | Optional
FailBuildOn | If set and a CVE is found that is greater then the specified value the build will fail. The default value is 11 which means that the build will not fail. Valid values are 0-11. | Optional
AutoUpdate | If set to false the NVD CVE data is not automatically updated. Setting this to false could result in false negatives. However, this may be required in some environments. The default value is true. | Optional
DataDirectory | The directory where dependency-check will store data used for analysis. Defaults to a folder called, called 'dependency-check-data', that is in the same directory as the dependency-check-ant jar file was installed in. *It is not recommended to change this.* | Optional
LogFile | The file path to write verbose logging information. | Optional
SuppressionFile | An XML file conforming to the suppression schema that suppresses findings; this is used to hide [false positives](../suppression.html). | Optional
ProxyUrl | Defines the proxy used to connect to the Internet. | Optional
ProxyPort | Defines the port for the proxy. | Optional
ProxyUsername | Defines the proxy user name. | Optional
ProxyPassword | Defines the proxy password. | Optional
ConnectionTimeout | The connection timeout used when downloading data files from the Internet. | Optional
nexusAnalyzerEnabled | The connection timeout used when downloading data files from the Internet. | Optional
nexusUrl | The connection timeout used when downloading data files from the Internet. | Optional
databaseDriverName | The name of the database driver. Example: org.h2.Driver. | Optional
databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | Optional
connectionString | The connection string used to connect to the database. | Optional
databaseUser | The username used when connecting to the database. | Optional
databasePassword | The password used when connecting to the database. | Optional
Property | Description | Requirement | Default Value
----------------------|-------------|-------------|------------
applicationName | The name of the application to use in the generated report. | Required | &nbsp;
reportFormat | The format of the report to be generated. Allowed values are: HTML, XML, VULN, or ALL. The default value is HTML.| Optional | HTML
reportOutputDirectory | The directory where dependency-check will store data used for analysis. Defaults to the current working directory. | Optional | &nbsp;
failBuildOn | If set and a CVE is found that is greater then the specified value the build will fail. The default value is 11 which means that the build will not fail. Valid values are 0-11. | Optional | 11
autoUpdate | If set to false the NVD CVE data is not automatically updated. Setting this to false could result in false negatives. However, this may be required in some environments. | Optional | true
dataDirectory | The directory where dependency-check will store data used for analysis. Defaults to a folder called, called 'dependency-check-data', that is in the same directory as the dependency-check-ant jar file was installed in. *It is not recommended to change this.* | Optional | &nbsp;
logFile | The file path to write verbose logging information. | Optional | &nbsp;
suppressionFile | An XML file conforming to the suppression schema that suppresses findings; this is used to hide [false positives](../suppression.html). | Optional | &nbsp;
proxyUrl | Defines the proxy used to connect to the Internet. | Optional | &nbsp;
proxyPort | Defines the port for the proxy. | Optional | &nbsp;
proxyUsername | Defines the proxy user name. | Optional | &nbsp;
proxyPassword | Defines the proxy password. | Optional | &nbsp;
connectionTimeout | The connection timeout used when downloading data files from the Internet. | Optional | &nbsp;
nexusAnalyzerEnabled | The connection timeout used when downloading data files from the Internet. | Optional | &nbsp;
nexusUrl | The connection timeout used when downloading data files from the Internet. | Optional | &nbsp;
nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | Optional | true
databaseDriverName | The name of the database driver. Example: org.h2.Driver. | Optional | &nbsp;
databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | Optional | &nbsp;
connectionString | The connection string used to connect to the database. | Optional | &nbsp;
databaseUser | The username used when connecting to the database. | Optional | dcuser
databasePassword | The password used when connecting to the database. | Optional | &nbsp;
zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional | &nbsp;
cveUrl12Modified | URL for the modified CVE 1.2 | Optional | http://nvd.nist.gov/download/nvdcve-modified.xml
cveUrl20Modified | URL for the modified CVE 2.0 | Optional | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year | Optional | http://nvd.nist.gov/download/nvdcve-%d.xml
cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year | Optional | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml

14
dependency-check-cli/pom.xml
View File

@@ -21,7 +21,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.1.1</version>
<version>1.1.2</version>
</parent>
<artifactId>dependency-check-cli</artifactId>
@@ -77,8 +77,11 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>2.5.2</version>
<version>2.6</version>
<configuration>
<instrumentation>
<ignoreTrivial>true</ignoreTrivial>
</instrumentation>
<check>
<branchRate>85</branchRate>
<lineRate>85</lineRate>
@@ -115,11 +118,6 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<version>2.16</version>
<configuration>
<systemProperties>
<property>
<name>net.sourceforge.cobertura.datafile</name>
<value>${project.build.directory}/cobertura/cobertura.ser</value>
<workingDirectory>target</workingDirectory>
</property>
<property>
<name>cpe</name>
<value>data/cpe</value>
@@ -206,7 +204,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>2.5.2</version>
<version>2.6</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>

73
dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
View File

@@ -98,36 +98,46 @@ public class App {
* @param files the files/directories to scan
*/
private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files) {
final Engine scanner = new Engine();
for (String file : files) {
scanner.scan(file);
}
scanner.analyzeDependencies();
final List<Dependency> dependencies = scanner.getDependencies();
DatabaseProperties prop = null;
CveDB cve = null;
Engine scanner = null;
try {
cve = new CveDB();
cve.open();
prop = cve.getDatabaseProperties();
} catch (DatabaseException ex) {
Logger.getLogger(App.class.getName()).log(Level.FINE, "Unable to retrieve DB Properties", ex);
} finally {
if (cve != null) {
cve.close();
scanner = new Engine();
for (String file : files) {
scanner.scan(file);
}
scanner.analyzeDependencies();
final List<Dependency> dependencies = scanner.getDependencies();
DatabaseProperties prop = null;
CveDB cve = null;
try {
cve = new CveDB();
cve.open();
prop = cve.getDatabaseProperties();
} catch (DatabaseException ex) {
Logger.getLogger(App.class.getName()).log(Level.FINE, "Unable to retrieve DB Properties", ex);
} finally {
if (cve != null) {
cve.close();
}
}
final ReportGenerator report = new ReportGenerator(applicationName, dependencies, scanner.getAnalyzers(), prop);
try {
report.generateReports(reportDirectory, outputFormat);
} catch (IOException ex) {
Logger.getLogger(App.class.getName()).log(Level.SEVERE, "There was an IO error while attempting to generate the report.");
Logger.getLogger(App.class.getName()).log(Level.FINE, null, ex);
} catch (Throwable ex) {
Logger.getLogger(App.class.getName()).log(Level.SEVERE, "There was an error while attempting to generate the report.");
Logger.getLogger(App.class.getName()).log(Level.FINE, null, ex);
}
} catch (DatabaseException ex) {
Logger.getLogger(App.class.getName()).log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped");
Logger.getLogger(App.class.getName()).log(Level.FINE, "", ex);
} finally {
if (scanner != null) {
scanner.cleanup();
}
}
final ReportGenerator report = new ReportGenerator(applicationName, dependencies, scanner.getAnalyzers(), prop);
try {
report.generateReports(reportDirectory, outputFormat);
} catch (IOException ex) {
Logger.getLogger(App.class.getName()).log(Level.SEVERE, "There was an IO error while attempting to generate the report.");
Logger.getLogger(App.class.getName()).log(Level.INFO, null, ex);
} catch (Exception ex) {
Logger.getLogger(App.class.getName()).log(Level.SEVERE, "There was an error while attempting to generate the report.");
Logger.getLogger(App.class.getName()).log(Level.INFO, null, ex);
}
}
@@ -150,11 +160,13 @@ public class App {
final String suppressionFile = cli.getSuppressionFile();
final boolean nexusDisabled = cli.isNexusDisabled();
final String nexusUrl = cli.getNexusUrl();
final boolean nexusUsesProxy = cli.isNexusUsesProxy();
final String databaseDriverName = cli.getDatabaseDriverName();
final String databaseDriverPath = cli.getDatabaseDriverPath();
final String connectionString = cli.getConnectionString();
final String databaseUser = cli.getDatabaseUser();
final String databasePassword = cli.getDatabasePassword();
final String additionalZipExtensions = cli.getAdditionalZipExtensions();
if (propertiesFile != null) {
try {
@@ -204,7 +216,7 @@ public class App {
if (nexusUrl != null && !nexusUrl.isEmpty()) {
Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
}
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy);
if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
}
@@ -220,5 +232,8 @@ public class App {
if (databasePassword != null && !databasePassword.isEmpty()) {
Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
}
if (additionalZipExtensions != null && !additionalZipExtensions.isEmpty()) {
Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, additionalZipExtensions);
}
}
}

45
dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java
View File

@@ -204,6 +204,16 @@ public final class CliParser {
.withDescription("The url to the Nexus Server.")
.create();
final Option nexusUsesProxy = OptionBuilder.withArgName("true/false").hasArg().withLongOpt(ArgumentName.NEXUS_USES_PROXY)
.withDescription("Whether or not the configured proxy should be used when connecting to Nexus.")
.create();
final Option additionalZipExtensions = OptionBuilder.withArgName("extensions").hasArg()
.withLongOpt(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS)
.withDescription("A comma seperated list of additional extensions to be scanned as ZIP files "
+ "(ZIP, EAR, WAR are already treated as zip files)")
.create();
//This is an option group because it can be specified more then once.
final OptionGroup og = new OptionGroup();
og.addOption(path);
@@ -220,7 +230,9 @@ public final class CliParser {
.addOption(verboseLog)
.addOption(suppressionFile)
.addOption(disableNexusAnalyzer)
.addOption(nexusUrl);
.addOption(nexusUrl)
.addOption(nexusUsesProxy)
.addOption(additionalZipExtensions);
}
/**
@@ -335,6 +347,20 @@ public final class CliParser {
}
}
/**
* Returns true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false is
* returned.
*
* @return true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false
*/
public boolean isNexusUsesProxy() {
if (line == null || !line.hasOption(ArgumentName.NEXUS_USES_PROXY)) {
return true;
} else {
return Boolean.parseBoolean(line.getOptionValue(ArgumentName.NEXUS_USES_PROXY));
}
}
/**
* Displays the command line help message to the standard output.
*/
@@ -548,6 +574,15 @@ public final class CliParser {
return line.getOptionValue(ArgumentName.DB_PASSWORD);
}
/**
* Returns the additional Extensions if specified; otherwise null is returned.
*
* @return the additional Extensions; otherwise null is returned
*/
public String getAdditionalZipExtensions() {
return line.getOptionValue(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS);
}
/**
* A collection of static final strings that represent the possible command line arguments.
*/
@@ -681,6 +716,10 @@ public final class CliParser {
* The URL of the nexus server.
*/
public static final String NEXUS_URL = "nexus";
/**
* Whether or not the defined proxy should be used when connecting to Nexus.
*/
public static final String NEXUS_USES_PROXY = "nexusUsesProxy";
/**
* The CLI argument name for setting the connection string.
*/
@@ -701,5 +740,9 @@ public final class CliParser {
* The CLI argument name for setting the path to the database driver; in case it is not on the class path.
*/
public static final String DB_DRIVER_PATH = "dbDriverPath";
/**
* The CLI argument name for setting extra extensions.
*/
public static final String ADDITIONAL_ZIP_EXTENSIONS = "zipExtensions";
}
}

52
dependency-check-cli/src/site/markdown/arguments.md
View File

@@ -3,28 +3,30 @@ Command Line Arguments
The following table lists the command line arguments:
Short | Argument Name | Parameter | Description | Requirement
-------|-----------------------|-------------|-------------|------------
\-a | \-\-app | \<name\> | The name of the application being scanned. This is a required argument. |
\-c | \-\-connectiontimeout | \<timeout\> | The connection timeout (in milliseconds) to use when downloading resources. | Optional
\-d | \-\-data | \<path\> | The location of the data directory used to store persistent data. This option should generally not be set. | Optional
\-f | \-\-format | \<format\> | The output format to write to (XML, HTML, VULN, ALL). The default is HTML. |
\-h | \-\-help | | Print the help message. | Optional
\-l | \-\-log | \<file\> | The file path to write verbose logging information. | Optional
\-n | \-\-noupdate | | Disables the automatic updating of the CPE data. | Optional
\-o | \-\-out | \<folder\> | The folder to write reports to. This defaults to the current directory. | Optional
\-p | \-\-proxyport | \<port\> | The proxy port to use when downloading resources. | Optional
| \-\-proxypass | \<pass\> | The proxy password to use when downloading resources. | Optional
| \-\-proxyuser | \<user\> | The proxy username to use when downloading resources. | Optional
\-s | \-\-scan | \<path\> | The path to scan \- this option can be specified multiple times. |
| \-\-suppression | \<file\> | The file path to the suppression XML file; used to suppress [false positives](../suppression.html). | Optional
\-u | \-\-proxyurl | \<url\> | The proxy url to use when downloading resources. | Optional
\-v | \-\-version | | Print the version information. | Optional
| \-\-advancedHelp | | Print the advanced help message. | Optional
| \-\-connectionString | \<connStr\> | The connection string to the database. | Optional
| \-\-dbDriverName | \<driver\> | The database driver name. | Optional
| \-\-dbDriverPath | \<path\> | The path to the database driver; note, this does not need to be set unless the JAR is outside of the class path. | Optional
| \-\-dbPassword | \<password\>| The password for connecting to the database. | Optional
| \-\-dbUser | \<user\> | The username used to connect to the database. | Optional
| \-\-disableNexus | | Disable the Nexus Analyzer. | Optional
| \-\-nexus | \<url\> | The url to the Nexus Server. | Optional
Short | Argument Name | Parameter | Description | Requirement
-------|-----------------------|-----------------|-------------|------------
\-a | \-\-app | \<name\> | The name of the application being scanned. This is a required argument. | Required
\-c | \-\-connectiontimeout | \<timeout\> | The connection timeout (in milliseconds) to use when downloading resources. | Optional
\-d | \-\-data | \<path\> | The location of the data directory used to store persistent data. This option should generally not be set. | Optional
\-f | \-\-format | \<format\> | The output format to write to (XML, HTML, VULN, ALL). The default is HTML. | Required
\-h | \-\-help | | Print the help message. | Optional
\-l | \-\-log | \<file\> | The file path to write verbose logging information. | Optional
\-n | \-\-noupdate | | Disables the automatic updating of the CPE data. | Optional
\-o | \-\-out | \<folder\> | The folder to write reports to. This defaults to the current directory. | Optional
\-p | \-\-proxyport | \<port\> | The proxy port to use when downloading resources. | Optional
| \-\-proxypass | \<pass\> | The proxy password to use when downloading resources. | Optional
| \-\-proxyuser | \<user\> | The proxy username to use when downloading resources. | Optional
\-s | \-\-scan | \<path\> | The path to scan \- this option can be specified multiple times. | Required
| \-\-suppression | \<file\> | The file path to the suppression XML file; used to suppress [false positives](../suppression.html). | Optional
\-u | \-\-proxyurl | \<url\> | The proxy url to use when downloading resources. | Optional
\-v | \-\-version | | Print the version information. | Optional
| \-\-advancedHelp | | Print the advanced help message. | Optional
| \-\-connectionString | \<connStr\> | The connection string to the database. | Optional
| \-\-dbDriverName | \<driver\> | The database driver name. | Optional
| \-\-dbDriverPath | \<path\> | The path to the database driver; note, this does not need to be set unless the JAR is outside of the class path. | Optional
| \-\-dbPassword | \<password\> | The password for connecting to the database. | Optional
| \-\-dbUser | \<user\> | The username used to connect to the database. | Optional
| \-\-disableNexus | | Disable the Nexus Analyzer. | Optional
| \-\-nexus | \<url\> | The url to the Nexus Server. | Optional
| \-\-nexusUsesProxy | \<true\|false\> | Whether or not the defined proxy should be used when connecting to Nexus. | Optional
| \-\-zipExtensions | \<strings\> | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional

14
dependency-check-cli/src/site/markdown/installation.md.vm
View File

@@ -1,5 +1,5 @@
Installation & Usage
--------------------
====================
Download the dependency-check command line tool [here](http://dl.bintray.com/jeremy-long/owasp/dependency-check-${project.version}-release.zip).
Extract the zip file to a location on your computer and put the 'bin' directory into the
path environment variable. On \*nix systems you will likely need to make the shell
@@ -9,15 +9,19 @@ script executable:
To scan a folder on the system you can run:
<h3>Windows</h3>
Windows
-------
dependency-check.bat --app "My App Name" --scan "c:\java\application\lib"
<h3>\*nix</h3>
\*nix
-------
dependency-check.sh --app "My App Name" --scan "/java/application/lib"
To view the command line arguments, see the <a href="arguments.html">arguments page</a>, or you can run:
<h3>Windows</h3>
Windows
-------
dependency-check.bat --help
<h3>\*nix</h3>
\*nix
-------
dependency-check.sh --help

38
dependency-check-core/pom.xml
View File

@@ -21,7 +21,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.1.1</version>
<version>1.1.2</version>
</parent>
<artifactId>dependency-check-core</artifactId>
@@ -144,6 +144,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<version>2.6</version>
<configuration>
<instrumentation>
<ignoreTrivial>true</ignoreTrivial>
<ignores>
<ignore>.*\$KEYS\.class</ignore>
<ignore>.*\$Element\.class</ignore>
@@ -635,5 +636,40 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
</plugins>
</build>
</profile>
<profile>
<!-- The following profile adds additional
dependencies that are only used during testing.
Additionally, these are only added when using "allTests" to
make the build slightly faster in most cases. -->
<id>False Positive Tests</id>
<!--activation>
<property>
<name>allTests</name>
</property>
</activation-->
<dependencies>
<dependency>
<groupId>org.apache.xmlgraphics</groupId>
<artifactId>batik-util</artifactId>
<version>1.7</version>
<scope>provided</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>com.thoughtworks.xstream</groupId>
<artifactId>xstream</artifactId>
<version>1.4.2</version>
<scope>provided</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.apache.ws.security</groupId>
<artifactId>wss4j</artifactId>
<version>1.5.7</version>
<scope>provided</scope>
<optional>true</optional>
</dependency>
</dependencies>
</profile>
</profiles>
</project>

34
dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
View File

@@ -26,12 +26,13 @@ import java.util.List;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.owasp.dependencycheck.analyzer.AnalysisException;
import org.owasp.dependencycheck.analyzer.AnalysisPhase;
import org.owasp.dependencycheck.analyzer.Analyzer;
import org.owasp.dependencycheck.analyzer.AnalyzerService;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.data.cpe.CpeMemoryIndex;
import org.owasp.dependencycheck.data.cpe.IndexException;
import org.owasp.dependencycheck.data.nvdcve.ConnectionFactory;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.data.update.CachedWebDataSource;
@@ -67,11 +68,14 @@ public class Engine {
/**
* Creates a new Engine.
*
* @throws DatabaseException thrown if there is an error connecting to the database
*/
public Engine() {
public Engine() throws DatabaseException {
this.extensions = new HashSet<String>();
this.dependencies = new ArrayList<Dependency>();
this.analyzers = new EnumMap<AnalysisPhase, List<Analyzer>>(AnalysisPhase.class);
ConnectionFactory.initialize();
boolean autoUpdate = true;
try {
@@ -85,6 +89,13 @@ public class Engine {
loadAnalyzers();
}
/**
* Properly cleans up resources allocated during analysis.
*/
public void cleanup() {
ConnectionFactory.cleanup();
}
/**
* Loads the analyzers specified in the configuration file (or system properties).
*/
@@ -288,13 +299,13 @@ public class Engine {
final String msg = String.format("Initializing %s", a.getName());
Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
a.initialize();
} catch (Exception ex) {
} catch (Throwable ex) {
final String msg = String.format("Exception occurred initializing %s.", a.getName());
Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg);
Logger.getLogger(Engine.class.getName()).log(Level.INFO, null, ex);
Logger.getLogger(Engine.class.getName()).log(Level.FINE, null, ex);
try {
a.close();
} catch (Exception ex1) {
} catch (Throwable ex1) {
Logger.getLogger(Engine.class.getName()).log(Level.FINEST, null, ex1);
}
}
@@ -321,13 +332,14 @@ public class Engine {
try {
a.analyze(d, this);
} catch (AnalysisException ex) {
d.addAnalysisException(ex);
final String exMsg = String.format("An error occured while analyzing '%s'.", d.getActualFilePath());
Logger.getLogger(Engine.class.getName()).log(Level.WARNING, exMsg);
Logger.getLogger(Engine.class.getName()).log(Level.FINE, "", ex);
} catch (Throwable ex) {
final String axMsg = String.format("An unexpected error occurred during analysis of '%s'", d.getActualFilePath());
final AnalysisException ax = new AnalysisException(axMsg, ex);
d.addAnalysisException(ax);
Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, axMsg);
Logger.getLogger(Engine.class.getName()).log(Level.FINE, axMsg, ex);
//final AnalysisException ax = new AnalysisException(axMsg, ex);
Logger.getLogger(Engine.class.getName()).log(Level.WARNING, axMsg);
Logger.getLogger(Engine.class.getName()).log(Level.FINE, "", ex);
}
}
}
@@ -342,7 +354,7 @@ public class Engine {
Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
try {
a.close();
} catch (Exception ex) {
} catch (Throwable ex) {
Logger.getLogger(Engine.class.getName()).log(Level.FINEST, null, ex);
}
}

1
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Analyzer.java
View File

@@ -17,6 +17,7 @@
*/
package org.owasp.dependencycheck.analyzer;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import java.util.Set;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.dependency.Dependency;

33
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
View File

@@ -25,6 +25,7 @@ import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
@@ -38,9 +39,11 @@ import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;
import org.apache.commons.compress.compressors.CompressorInputStream;
import org.apache.commons.compress.compressors.gzip.GzipCompressorInputStream;
import org.apache.commons.compress.compressors.gzip.GzipUtils;
import org.h2.store.fs.FileUtils;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.analyzer.exception.ArchiveExtractionException;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.utils.FileUtils;
import org.owasp.dependencycheck.utils.Settings;
/**
@@ -86,11 +89,18 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
*/
private static final Set<String> ZIPPABLES = newHashSet("zip", "ear", "war", "nupkg");
/**
* The set of file extensions supported by this analyzer.
* The set of file extensions supported by this analyzer. Note for developers, any additions to this list will need
* to be explicitly handled in extractFiles().
*/
private static final Set<String> EXTENSIONS = newHashSet("tar", "gz", "tgz");
static {
EXTENSIONS.addAll(ZIPPABLES);
final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
if (additionalZipExt != null) {
final HashSet ext = new HashSet<String>(Arrays.asList(additionalZipExt));
ZIPPABLES.addAll(ext);
}
EXTENSIONS.addAll(ZIPPABLES);
}
/**
@@ -157,14 +167,19 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
}
/**
* The close method does nothing for this Analyzer.
* The close method deletes any temporary files and directories created during analysis.
*
* @throws Exception thrown if there is an exception deleting temporary files
*/
@Override
public void close() throws Exception {
if (tempFileLocation != null && tempFileLocation.exists()) {
FileUtils.deleteRecursive(tempFileLocation.getAbsolutePath(), true);
Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, "Attempting to delete temporary files");
final boolean success = FileUtils.delete(tempFileLocation);
if (!success) {
Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.WARNING,
"Failed to delete some temporary files, see the log for more details");
}
}
}
@@ -253,10 +268,10 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
try {
fis = new FileInputStream(archive);
} catch (FileNotFoundException ex) {
Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.INFO, null, ex);
Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
throw new AnalysisException("Archive file was not found.", ex);
}
final String archiveExt = org.owasp.dependencycheck.utils.FileUtils.getFileExtension(archive.getName()).toLowerCase();
final String archiveExt = FileUtils.getFileExtension(archive.getName()).toLowerCase();
try {
if (ZIPPABLES.contains(archiveExt)) {
extractArchive(new ZipArchiveInputStream(new BufferedInputStream(fis)), destination, engine);
@@ -264,7 +279,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
extractArchive(new TarArchiveInputStream(new BufferedInputStream(fis)), destination, engine);
} else if ("gz".equals(archiveExt) || "tgz".equals(archiveExt)) {
final String uncompressedName = GzipUtils.getUncompressedFilename(archive.getName());
final String uncompressedExt = org.owasp.dependencycheck.utils.FileUtils.getFileExtension(uncompressedName).toLowerCase();
final String uncompressedExt = FileUtils.getFileExtension(uncompressedName).toLowerCase();
if (engine.supportsExtension(uncompressedExt)) {
decompressFile(new GzipCompressorInputStream(new BufferedInputStream(fis)), new File(destination, uncompressedName));
}
@@ -308,7 +323,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
}
} else {
final File file = new File(destination, entry.getName());
final String ext = org.owasp.dependencycheck.utils.FileUtils.getFileExtension(file.getName());
final String ext = FileUtils.getFileExtension(file.getName());
if (engine.supportsExtension(ext)) {
BufferedOutputStream bos = null;
FileOutputStream fos;

269
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java Normal file
View File

@@ -0,0 +1,269 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.analyzer;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
import org.owasp.dependencycheck.utils.Settings;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;
/**
* Analyzer for getting company, product, and version information from a .NET assembly.
*
* @author colezlaw
*
*/
public class AssemblyAnalyzer extends AbstractAnalyzer {
/**
* The analyzer name
*/
private static final String ANALYZER_NAME = "Assembly Analyzer";
/**
* The analysis phase
*/
private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
/**
* The list of supported extensions
*/
private static final Set<String> SUPORTED_EXTENSIONS = newHashSet("dll", "exe");
/**
* The temp value for GrokAssembly.exe
*/
private File grokAssemblyExe;
/**
* The DocumentBuilder for parsing the XML
*/
private DocumentBuilder builder;
/**
* Logger
*/
private static final Logger LOG = Logger.getLogger(AbstractAnalyzer.class.getName());
/**
* Builds the beginnings of a List for ProcessBuilder
*
* @return the list of arguments to begin populating the ProcessBuilder
*/
private List<String> buildArgumentList() {
// Use file.separator as a wild guess as to whether this is Windows
final List<String> args = new ArrayList<String>();
if (!"\\".equals(System.getProperty("file.separator"))) {
if (Settings.getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH) != null) {
args.add(Settings.getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH));
} else {
args.add("mono");
}
}
args.add(grokAssemblyExe.getPath());
return args;
}
/**
* Performs the analysis on a single Dependency.
*
* @param dependency the dependency to analyze
* @param engine the engine to perform the analysis under
* @throws AnalysisException if anything goes sideways
*/
@Override
public void analyze(Dependency dependency, Engine engine)
throws AnalysisException {
if (grokAssemblyExe == null) {
LOG.warning("GrokAssembly didn't get deployed");
return;
}
final List<String> args = buildArgumentList();
args.add(dependency.getActualFilePath());
final ProcessBuilder pb = new ProcessBuilder(args);
try {
final Process proc = pb.start();
final Document doc = builder.parse(proc.getInputStream());
final XPath xpath = XPathFactory.newInstance().newXPath();
// First, see if there was an error
final String error = xpath.evaluate("/assembly/error", doc);
if (error != null && !"".equals(error)) {
throw new AnalysisException(error);
}
final String version = xpath.evaluate("/assembly/version", doc);
if (version != null) {
dependency.getVersionEvidence().addEvidence(new Evidence("grokassembly", "version",
version, Confidence.HIGHEST));
}
final String vendor = xpath.evaluate("/assembly/company", doc);
if (vendor != null) {
dependency.getVendorEvidence().addEvidence(new Evidence("grokassembly", "vendor",
vendor, Confidence.HIGH));
}
final String product = xpath.evaluate("/assembly/product", doc);
if (product != null) {
dependency.getProductEvidence().addEvidence(new Evidence("grokassembly", "product",
product, Confidence.HIGH));
}
} catch (IOException ioe) {
throw new AnalysisException(ioe);
} catch (SAXException saxe) {
throw new AnalysisException("Couldn't parse GrokAssembly result", saxe);
} catch (XPathExpressionException xpe) {
// This shouldn't happen
throw new AnalysisException(xpe);
}
}
/**
* Initialize the analyzer. In this case, extract GrokAssembly.exe to a temporary location.
*
* @throws Exception if anything goes wrong
*/
@Override
public void initialize() throws Exception {
super.initialize();
final File tempFile = File.createTempFile("GKA", ".exe");
FileOutputStream fos = null;
InputStream is = null;
try {
fos = new FileOutputStream(tempFile);
is = AssemblyAnalyzer.class.getClassLoader().getResourceAsStream("GrokAssembly.exe");
final byte[] buff = new byte[4096];
int bread = -1;
while ((bread = is.read(buff)) >= 0) {
fos.write(buff, 0, bread);
}
grokAssemblyExe = tempFile;
// Set the temp file to get deleted when we're done
grokAssemblyExe.deleteOnExit();
LOG.log(Level.FINE, "Extracted GrokAssembly.exe to {0}", grokAssemblyExe.getPath());
} catch (IOException ioe) {
LOG.log(Level.WARNING, "Could not extract GrokAssembly.exe: {0}", ioe.getMessage());
throw new AnalysisException("Could not extract GrokAssembly.exe", ioe);
} finally {
if (fos != null) {
try {
fos.close();
} catch (Throwable e) {
LOG.fine("Error closing output stream");
}
}
if (is != null) {
try {
is.close();
} catch (Throwable e) {
LOG.fine("Error closing input stream");
}
}
}
// Now, need to see if GrokAssembly actually runs from this location.
final List<String> args = buildArgumentList();
try {
final Process p = new ProcessBuilder(args).start();
final Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(p.getInputStream());
final XPath xpath = XPathFactory.newInstance().newXPath();
final String error = xpath.evaluate("/assembly/error", doc);
if (p.waitFor() != 1 || error == null || "".equals(error)) {
LOG.warning("An error occured with the .NET AssemblyAnalyzer, please see the log for more details.");
LOG.fine("GrokAssembly.exe is not working properly");
grokAssemblyExe = null;
throw new AnalysisException("Could not execute .NET AssemblyAnalyzer");
}
} catch (Throwable e) {
LOG.warning("An error occured with the .NET AssemblyAnalyzer; "
+ "this can be ignored unless you are scanning .NET dlls. Please see the log for more details.");
LOG.log(Level.FINE, "Could not execute GrokAssembly {0}", e.getMessage());
throw new AnalysisException("An error occured with the .NET AssemblyAnalyzer", e);
}
builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
}
@Override
public void close() throws Exception {
super.close();
try {
grokAssemblyExe.delete();
} catch (SecurityException se) {
LOG.fine("Can't delete temporary GrokAssembly.exe");
}
}
/**
* Gets the set of extensions supported by this analyzer.
*
* @return the list of supported extensions
*/
@Override
public Set<String> getSupportedExtensions() {
return SUPORTED_EXTENSIONS;
}
/**
* Gets this analyzer's name.
*
* @return the analyzer name
*/
@Override
public String getName() {
return ANALYZER_NAME;
}
/**
* Gets whether the analyzer supports the provided extension.
*
* @param extension the extension to check
* @return whether the analyzer supports the extension
*/
@Override
public boolean supportsExtension(String extension) {
return SUPORTED_EXTENSIONS.contains(extension);
}
/**
* Returns the phase this analyzer runs under.
*
* @return the phase this runs under
*/
@Override
public AnalysisPhase getAnalysisPhase() {
return ANALYSIS_PHASE;
}
}

1
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
View File

@@ -33,6 +33,7 @@ import org.apache.lucene.queryparser.classic.ParseException;
import org.apache.lucene.search.ScoreDoc;
import org.apache.lucene.search.TopDocs;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.data.cpe.CpeMemoryIndex;
import org.owasp.dependencycheck.data.cpe.Fields;
import org.owasp.dependencycheck.data.cpe.IndexEntry;

1
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzer.java
View File

@@ -17,6 +17,7 @@
*/
package org.owasp.dependencycheck.analyzer;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.suppression.SuppressionRule;

1
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
View File

@@ -17,6 +17,7 @@
*/
package org.owasp.dependencycheck.analyzer;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import java.io.File;
import java.util.HashSet;
import java.util.Iterator;

7
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
View File

@@ -30,6 +30,7 @@ import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Identifier;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
@@ -281,6 +282,12 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
} else if (i.getValue().startsWith("cpe:/a:apache:maven")
&& !dependency.getFileName().toLowerCase().matches("maven-core-[\\d\\.]+\\.jar")) {
itr.remove();
} else if (i.getValue().startsWith("cpe:/a:m-core:m-core")
&& !dependency.getEvidenceUsed().containsUsedString("m-core")) {
itr.remove();
} else if (i.getValue().startsWith("cpe:/a:jboss:jboss")
&& !dependency.getFileName().toLowerCase().matches("jboss-[\\d\\.]+(GA)?\\.jar")) {
itr.remove();
}
}
}

1
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java
View File

@@ -17,6 +17,7 @@
*/
package org.owasp.dependencycheck.analyzer;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import java.io.File;
import java.util.Set;
import org.owasp.dependencycheck.Engine;

1
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
View File

@@ -17,6 +17,7 @@
*/
package org.owasp.dependencycheck.analyzer;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.Set;

170
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
View File

@@ -25,6 +25,7 @@ import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.Reader;
import java.io.UnsupportedEncodingException;
import java.util.ArrayList;
@@ -53,9 +54,9 @@ import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import org.h2.store.fs.FileUtils;
import org.jsoup.Jsoup;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.EvidenceCollection;
@@ -64,6 +65,7 @@ import org.owasp.dependencycheck.jaxb.pom.generated.License;
import org.owasp.dependencycheck.jaxb.pom.generated.Model;
import org.owasp.dependencycheck.jaxb.pom.generated.Organization;
import org.owasp.dependencycheck.jaxb.pom.generated.Parent;
import org.owasp.dependencycheck.utils.FileUtils;
import org.owasp.dependencycheck.utils.NonClosingStream;
import org.owasp.dependencycheck.utils.Settings;
import org.xml.sax.InputSource;
@@ -260,8 +262,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
jar = new JarFile(dependency.getActualFilePath());
} catch (IOException ex) {
final String msg = String.format("Unable to read JarFile '%s'.", dependency.getActualFilePath());
final AnalysisException ax = new AnalysisException(msg, ex);
dependency.getAnalysisExceptions().add(ax);
//final AnalysisException ax = new AnalysisException(msg, ex);
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.WARNING, msg);
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, null, ex);
return false;
@@ -271,10 +272,9 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
pomEntries = retrievePomListing(jar);
} catch (IOException ex) {
final String msg = String.format("Unable to read Jar file entries in '%s'.", dependency.getActualFilePath());
final AnalysisException ax = new AnalysisException(msg, ex);
dependency.getAnalysisExceptions().add(ax);
//final AnalysisException ax = new AnalysisException(msg, ex);
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.WARNING, msg);
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.INFO, msg, ex);
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, msg, ex);
return false;
}
if (pomEntries.isEmpty()) {
@@ -313,7 +313,9 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
foundSomething |= setPomEvidence(dependency, pom, pomProperties, classes);
}
} catch (AnalysisException ex) {
dependency.addAnalysisException(ex);
final String msg = String.format("An error occured while analyzing '%s'.", dependency.getActualFilePath());
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.WARNING, msg);
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, "", ex);
}
}
return foundSomething;
@@ -392,11 +394,9 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
} catch (IOException ex) {
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.SEVERE, null, ex);
} finally {
try {
input.close();
} catch (IOException ex) {
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.SEVERE, null, ex);
}
closeStream(bos);
closeStream(fos);
closeStream(input);
}
Model model = null;
FileInputStream fis = null;
@@ -422,17 +422,41 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, null, ex);
throw ex;
} finally {
if (fis != null) {
try {
fis.close();
} catch (IOException ex) {
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINEST, null, ex);
}
}
closeStream(fis);
}
return model;
}
/**
* Silently closes an input stream ignoring errors.
*
* @param stream an input stream to close
*/
private void closeStream(InputStream stream) {
if (stream != null) {
try {
stream.close();
} catch (IOException ex) {
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINEST, null, ex);
}
}
}
/**
* Silently closes an output stream ignoring errors.
*
* @param stream an output stream to close
*/
private void closeStream(OutputStream stream) {
if (stream != null) {
try {
stream.close();
} catch (IOException ex) {
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINEST, null, ex);
}
}
}
/**
* Retrieves the specified POM from a jar file and converts it to a Model.
*
@@ -575,43 +599,12 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
foundSomething = true;
final String description = interpolateString(pom.getDescription(), pomProperties);
if (description != null && !description.isEmpty()) {
addDescription(dependency, description, "pom", "description");
addMatchingValues(classes, description, dependency.getVendorEvidence());
addMatchingValues(classes, description, dependency.getProductEvidence());
}
}
//license
if (pom.getLicenses() != null) {
String license = null;
for (License lic : pom.getLicenses().getLicense()) {
String tmp = null;
if (lic.getName() != null) {
tmp = interpolateString(lic.getName(), pomProperties);
}
if (lic.getUrl() != null) {
if (tmp == null) {
tmp = interpolateString(lic.getUrl(), pomProperties);
} else {
tmp += ": " + interpolateString(lic.getUrl(), pomProperties);
}
}
if (tmp == null) {
continue;
}
if (HTML_DETECTION_PATTERN.matcher(tmp).find()) {
tmp = Jsoup.parse(tmp).text();
}
if (license == null) {
license = tmp;
} else {
license += "\n" + tmp;
}
}
if (license != null) {
dependency.setLicense(license);
final String trimmedDescription = addDescription(dependency, description, "pom", "description");
addMatchingValues(classes, trimmedDescription, dependency.getVendorEvidence());
addMatchingValues(classes, trimmedDescription, dependency.getProductEvidence());
}
}
extractLicense(pom, pomProperties, dependency);
return foundSomething;
}
@@ -767,7 +760,16 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
} else {
versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
}
} else if ("build-id".equals(key)) {
int pos = value.indexOf('(');
if (pos >= 0) {
value = value.substring(0, pos - 1);
}
pos = value.indexOf('[');
if (pos >= 0) {
value = value.substring(0, pos - 1);
}
versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
} else if (key.contains("title")) {
productEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
addMatchingValues(classInformation, value, productEvidence);
@@ -816,14 +818,18 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
}
/**
* Adds a description to the given dependency.
* Adds a description to the given dependency. If the description contains one of the following strings beyond 100
* characters, then the description used will be trimmed to that position:
* <ul><li>"such as"</li><li>"like "</li><li>"will use "</li><li>"* uses "</li></ul>
*
* @param dependency a dependency
* @param description the description
* @param source the source of the evidence
* @param key the "name" of the evidence
* @return if the description is trimmed, the trimmed version is returned; otherwise the original description is
* returned
*/
private void addDescription(Dependency dependency, String description, String source, String key) {
private String addDescription(Dependency dependency, String description, String source, String key) {
if (dependency.getDescription() == null) {
dependency.setDescription(description);
}
@@ -835,29 +841,42 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
}
dependency.setDescription(desc);
if (desc.length() > 100) {
desc = desc.replaceAll("\\s\\s+", " ");
final int posSuchAs = desc.toLowerCase().indexOf("such as ", 100);
final int posLike = desc.toLowerCase().indexOf("like ", 100);
final int posWillUse = desc.toLowerCase().indexOf("will use ", 100);
final int posUses = desc.toLowerCase().indexOf(" uses ", 100);
int pos = -1;
if (posLike > 0 && posSuchAs > 0) {
pos = posLike > posSuchAs ? posLike : posSuchAs;
} else if (posLike > 0) {
pos = posLike;
} else if (posSuchAs > 0) {
pos = posSuchAs;
pos = Math.max(pos, posSuchAs);
if (pos >= 0 && posLike >= 0) {
pos = Math.min(pos, posLike);
} else {
pos = Math.max(pos, posLike);
}
String descToUse = desc;
if (pos >= 0 && posWillUse >= 0) {
pos = Math.min(pos, posWillUse);
} else {
pos = Math.max(pos, posWillUse);
}
if (pos >= 0 && posUses >= 0) {
pos = Math.min(pos, posUses);
} else {
pos = Math.max(pos, posUses);
}
if (pos > 0) {
final StringBuilder sb = new StringBuilder(pos + 3);
sb.append(desc.substring(0, pos));
sb.append("...");
descToUse = sb.toString();
desc = sb.toString();
}
dependency.getProductEvidence().addEvidence(source, key, descToUse, Confidence.LOW);
dependency.getVendorEvidence().addEvidence(source, key, descToUse, Confidence.LOW);
dependency.getProductEvidence().addEvidence(source, key, desc, Confidence.LOW);
dependency.getVendorEvidence().addEvidence(source, key, desc, Confidence.LOW);
} else {
dependency.getProductEvidence().addEvidence(source, key, desc, Confidence.MEDIUM);
dependency.getVendorEvidence().addEvidence(source, key, desc, Confidence.MEDIUM);
}
return desc;
}
/**
@@ -910,7 +929,12 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
@Override
public void close() {
if (tempFileLocation != null && tempFileLocation.exists()) {
FileUtils.deleteRecursive(tempFileLocation.getAbsolutePath(), true);
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, "Attempting to delete temporary files");
final boolean success = FileUtils.delete(tempFileLocation);
if (!success) {
Logger.getLogger(JarAnalyzer.class.getName()).log(Level.WARNING,
"Failed to delete some temporary files, see the log for more details");
}
}
}
@@ -1195,7 +1219,17 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
addDescription(dependency, description, "pom", "description");
}
}
extractLicense(pom, pomProperties, dependency);
}
/**
* Extracts the license information from the pom and adds it to the dependency.
*
* @param pom the pom object
* @param pomProperties the properties, used for string interpolation
* @param dependency the dependency to add license information too
*/
private void extractLicense(Model pom, Properties pomProperties, Dependency dependency) {
//license
if (pom.getLicenses() != null) {
String license = null;

3
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzer.java
View File

@@ -27,13 +27,14 @@ import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Dependency;
/**
*
* Used to analyze a JavaScript file to gather information to aid in identification of a CPE identifier.
*
* @author Jeremy Long (jeremy.long@owasp.org)
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {

5
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java
View File

@@ -25,6 +25,7 @@ import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.data.nexus.MavenArtifact;
import org.owasp.dependencycheck.data.nexus.NexusSearch;
import org.owasp.dependencycheck.dependency.Confidence;
@@ -92,6 +93,10 @@ public class NexusAnalyzer extends AbstractAnalyzer {
LOGGER.fine(String.format("Nexus Analyzer URL: %s", searchUrl));
try {
searcher = new NexusSearch(new URL(searchUrl));
if (!searcher.preflightRequest()) {
LOGGER.warning("There was an issue getting Nexus status. Disabling analyzer.");
enabled = false;
}
} catch (MalformedURLException mue) {
// I know that initialize can throw an exception, but we'll
// just disable the analyzer if the URL isn't valid

10
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
View File

@@ -21,8 +21,8 @@ import java.io.FileInputStream;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.data.nuget.NugetPackage;
import org.owasp.dependencycheck.data.nuget.NuspecParser;
import org.owasp.dependencycheck.data.nuget.XPathNuspecParser;
@@ -125,7 +125,11 @@ public class NuspecAnalyzer extends AbstractAnalyzer {
np = parser.parse(fis);
} finally {
if (fis != null) {
try { fis.close(); } catch (Exception e) { }
try {
fis.close();
} catch (Throwable e) {
LOGGER.fine("Error closing input stream");
}
}
}
@@ -138,7 +142,7 @@ public class NuspecAnalyzer extends AbstractAnalyzer {
if (np.getTitle() != null) {
dependency.getProductEvidence().addEvidence("nuspec", "title", np.getTitle(), Confidence.MEDIUM);
}
} catch (Exception e) {
} catch (Throwable e) {
throw new AnalysisException(e);
}
}

1
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java
View File

@@ -17,6 +17,7 @@
*/
package org.owasp.dependencycheck.analyzer;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import java.io.IOException;
import java.sql.SQLException;
import java.util.List;

1
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzer.java
View File

@@ -17,6 +17,7 @@
*/
package org.owasp.dependencycheck.analyzer;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.suppression.SuppressionRule;

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisException.java → dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/exception/AnalysisException.java
View File

@@ -15,7 +15,7 @@
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.analyzer;
package org.owasp.dependencycheck.analyzer.exception;
/**
* An exception thrown when the analysis of a dependency fails.

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveExtractionException.java → dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/exception/ArchiveExtractionException.java
View File

@@ -15,7 +15,7 @@
*
* Copyright (c) 2013 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.analyzer;
package org.owasp.dependencycheck.analyzer.exception;
/**
* An exception thrown when files in an archive cannot be extracted.

12
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/exception/package-info.java Normal file
View File

@@ -0,0 +1,12 @@
/**
* <html>
* <head>
* <title>org.owasp.dependencycheck.analyzer.exception</title>
* </head>
* <body>
* <p>
* A collection of exception classes used within the analyzers.</p>
* </body>
* </html>
*/
package org.owasp.dependencycheck.analyzer.exception;

18
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java
View File

@@ -18,10 +18,9 @@
package org.owasp.dependencycheck.data.cpe;
import java.io.IOException;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.lucene.analysis.Analyzer;
@@ -45,6 +44,8 @@ import org.owasp.dependencycheck.data.lucene.FieldAnalyzer;
import org.owasp.dependencycheck.data.lucene.LuceneUtils;
import org.owasp.dependencycheck.data.lucene.SearchFieldAnalyzer;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.utils.Pair;
/**
* An in memory lucene index that contains the vendor/product combinations from the CPE (application) identifiers within
@@ -210,7 +211,7 @@ public final class CpeMemoryIndex {
}
/**
* Builds the lucene index based off of the data within the CveDB.
* Builds the CPE Lucene Index based off of the data within the CveDB.
*
* @param cve the data base containing the CPE data
* @throws IndexException thrown if there is an issue creating the index
@@ -222,15 +223,12 @@ public final class CpeMemoryIndex {
analyzer = createIndexingAnalyzer();
final IndexWriterConfig conf = new IndexWriterConfig(LuceneUtils.CURRENT_VERSION, analyzer);
indexWriter = new IndexWriter(index, conf);
final ResultSet rs = cve.getVendorProductList();
if (rs == null) {
throw new IndexException("No data exists");
}
try {
while (rs.next()) {
saveEntry(rs.getString(1), rs.getString(2), indexWriter);
final Set<Pair<String, String>> data = cve.getVendorProductList();
for (Pair<String, String> pair : data) {
saveEntry(pair.getLeft(), pair.getRight(), indexWriter);
}
} catch (SQLException ex) {
} catch (DatabaseException ex) {
Logger.getLogger(CpeMemoryIndex.class.getName()).log(Level.FINE, null, ex);
throw new IndexException("Error reading CPE data", ex);
}

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilter.java
View File

@@ -67,7 +67,7 @@ public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
final List<String> data = UrlStringUtils.extractImportantUrlData(part);
tokens.addAll(data);
} catch (MalformedURLException ex) {
Logger.getLogger(UrlTokenizingFilter.class.getName()).log(Level.INFO, "error parsing " + part, ex);
Logger.getLogger(UrlTokenizingFilter.class.getName()).log(Level.FINE, "error parsing " + part, ex);
tokens.add(part);
}
} else {

96
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java
View File

@@ -19,13 +19,18 @@ package org.owasp.dependencycheck.data.nexus;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLConnection;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
import org.owasp.dependencycheck.utils.InvalidSettingException;
import org.owasp.dependencycheck.utils.Settings;
import org.owasp.dependencycheck.utils.URLConnectionFactory;
import org.w3c.dom.Document;
/**
@@ -40,10 +45,16 @@ public class NexusSearch {
*/
private final URL rootURL;
/**
* Whether to use the Proxy when making requests
*/
private boolean useProxy;
/**
* Used for logging.
*/
private static final Logger LOGGER = Logger.getLogger(NexusSearch.class.getName());
private static final Logger LOGGER = Logger.getLogger(NexusSearch.class
.getName());
/**
* Creates a NexusSearch for the given repository URL.
@@ -53,6 +64,18 @@ public class NexusSearch {
*/
public NexusSearch(URL rootURL) {
this.rootURL = rootURL;
try {
if (null != Settings.getString(Settings.KEYS.PROXY_URL)
&& Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY)) {
useProxy = true;
LOGGER.fine("Using proxy");
} else {
useProxy = false;
LOGGER.fine("Not using proxy");
}
} catch (InvalidSettingException ise) {
useProxy = false;
}
}
/**
@@ -69,11 +92,19 @@ public class NexusSearch {
throw new IllegalArgumentException("Invalid SHA1 format");
}
final URL url = new URL(rootURL, String.format("identify/sha1/%s", sha1.toLowerCase()));
final URL url = new URL(rootURL, String.format("identify/sha1/%s",
sha1.toLowerCase()));
LOGGER.fine(String.format("Searching Nexus url %s", url.toString()));
final URLConnection conn = url.openConnection();
// Determine if we need to use a proxy. The rules:
// 1) If the proxy is set, AND the setting is set to true, use the proxy
// 2) Otherwise, don't use the proxy (either the proxy isn't configured,
// or proxy is specifically
// set to false
URLConnection conn = null;
conn = URLConnectionFactory.createHttpURLConnection(url, useProxy);
conn.setDoOutput(true);
// JSON would be more elegant, but there's not currently a dependency
@@ -82,23 +113,64 @@ public class NexusSearch {
conn.connect();
try {
final DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
final DocumentBuilder builder = DocumentBuilderFactory
.newInstance().newDocumentBuilder();
final Document doc = builder.parse(conn.getInputStream());
final XPath xpath = XPathFactory.newInstance().newXPath();
final String groupId = xpath.evaluate("/org.sonatype.nexus.rest.model.NexusArtifact/groupId", doc);
final String artifactId = xpath.evaluate("/org.sonatype.nexus.rest.model.NexusArtifact/artifactId", doc);
final String version = xpath.evaluate("/org.sonatype.nexus.rest.model.NexusArtifact/version", doc);
final String link = xpath.evaluate("/org.sonatype.nexus.rest.model.NexusArtifact/artifactLink", doc);
final String groupId = xpath
.evaluate(
"/org.sonatype.nexus.rest.model.NexusArtifact/groupId",
doc);
final String artifactId = xpath.evaluate(
"/org.sonatype.nexus.rest.model.NexusArtifact/artifactId",
doc);
final String version = xpath
.evaluate(
"/org.sonatype.nexus.rest.model.NexusArtifact/version",
doc);
final String link = xpath
.evaluate(
"/org.sonatype.nexus.rest.model.NexusArtifact/artifactLink",
doc);
return new MavenArtifact(groupId, artifactId, version, link);
} catch (FileNotFoundException fnfe) {
// This is what we get when the SHA1 they sent doesn't exist in Nexus. This
// is useful upstream for recovery, so we just re-throw it
/* This is what we get when the SHA1 they sent doesn't exist in
* Nexus. This is useful upstream for recovery, so we just re-throw it
*/
throw fnfe;
} catch (Exception e) {
// Anything else is jacked-up XML stuff that we really can't recover from well
} catch (Throwable e) {
// Anything else is jacked-up XML stuff that we really can't recover
// from well
throw new IOException(e.getMessage(), e);
}
}
/**
* Do a preflight request to see if the repository is actually working.
*
* @return whether the repository is listening and returns the /status URL correctly
*/
public boolean preflightRequest() {
try {
final HttpURLConnection conn = URLConnectionFactory.createHttpURLConnection(new URL(rootURL, "status"), useProxy);
conn.addRequestProperty("Accept", "application/xml");
conn.connect();
if (conn.getResponseCode() != 200) {
LOGGER.log(Level.WARNING, "Expected 200 result from Nexus, got {0}", conn.getResponseCode());
return false;
}
final DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
final Document doc = builder.parse(conn.getInputStream());
if (!"status".equals(doc.getDocumentElement().getNodeName())) {
LOGGER.log(Level.WARNING, "Expected root node name of status, got {0}", doc.getDocumentElement().getNodeName());
return false;
}
} catch (Throwable e) {
return false;
}
return true;
}
}
// vim: cc=120:sw=4:ts=4:sts=4

19
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParseException.java
View File

@@ -23,6 +23,7 @@ package org.owasp.dependencycheck.data.nuget;
* @author colezlaw
*/
public class NuspecParseException extends Exception {
/**
* The serialVersionUID
*/
@@ -31,20 +32,19 @@ public class NuspecParseException extends Exception {
/**
* Constructs a new exception with <code>null</code> as its detail message.
*
* The cause is not initialized, and may subsequently be initialized by a call
* to {@link java.lang.Throwable#initCause(java.lang.Throwable)}.
* The cause is not initialized, and may subsequently be initialized by a call to
* {@link java.lang.Throwable#initCause(java.lang.Throwable)}.
*/
public NuspecParseException() {
super();
}
/**
* Constructs a new exception with the specified detail message. The cause is
* not initialized, and may subsequently be initialized by a call to
* {@link java.lang.Throwable#initCause(java.lang.Throwable).
* Constructs a new exception with the specified detail message. The cause is not initialized, and may subsequently
* be initialized by a call to {@link java.lang.Throwable#initCause(java.lang.Throwable)}.
*
* @param message the detail message. The detail message is saved for later retrieval
* by the {@link java.lang.Throwable#getMessage()} method.
* @param message the detail message. The detail message is saved for later retrieval by the
* {@link java.lang.Throwable#getMessage()} method.
*/
public NuspecParseException(String message) {
super(message);
@@ -58,9 +58,8 @@ public class NuspecParseException extends Exception {
*
* @param message the detail message (whcih is saved for later retrieval by the
* {@link java.lang.Throwable#getMessage()} method.
* @param cause the cause (which is saved for later retrieval by the
* {@link java.lang.Throwable#getCause()} method). (A <code>null</code> value is permitted,
* and indicates that the cause is nonexistent or unknown).
* @param cause the cause (which is saved for later retrieval by the {@link java.lang.Throwable#getCause()} method).
* (A <code>null</code> value is permitted, and indicates that the cause is nonexistent or unknown).
*/
public NuspecParseException(String message, Throwable cause) {
super(message, cause);

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParser.java
View File

@@ -22,7 +22,7 @@ import java.io.InputStream;
/**
* Interface defining methods for parsing a Nuspec file.
*
* @author willstranathan
* @author colezlaw
*
*/
public interface NuspecParser {

13
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParser.java
View File

@@ -18,21 +18,20 @@
package org.owasp.dependencycheck.data.nuget;
import java.io.InputStream;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
/**
* Parse a Nuspec file using XPath.
*
* @author willstranathan
* @author colezlaw
*/
public class XPathNuspecParser implements NuspecParser {
/**
* Gets the string value of a node or null if it's not present
*
@@ -71,11 +70,11 @@ public class XPathNuspecParser implements NuspecParser {
nuspec.setId(xpath.evaluate("/package/metadata/id", d));
nuspec.setVersion(xpath.evaluate("/package/metadata/version", d));
nuspec.setAuthors(xpath.evaluate("/package/metadata/authors", d));
nuspec.setOwners(getOrNull((Node) xpath.evaluate("/package/metadata/owners", d, XPathConstants.NODE)));
nuspec.setLicenseUrl(getOrNull((Node) xpath.evaluate("/package/metadata/licenseUrl", d, XPathConstants.NODE)));
nuspec.setTitle(getOrNull((Node) xpath.evaluate("/package/metadata/title", d, XPathConstants.NODE)));
nuspec.setOwners(getOrNull((Node) xpath.evaluate("/package/metadata/owners", d, XPathConstants.NODE)));
nuspec.setLicenseUrl(getOrNull((Node) xpath.evaluate("/package/metadata/licenseUrl", d, XPathConstants.NODE)));
nuspec.setTitle(getOrNull((Node) xpath.evaluate("/package/metadata/title", d, XPathConstants.NODE)));
return nuspec;
} catch (Exception e) {
} catch (Throwable e) {
throw new NuspecParseException("Unable to parse nuspec", e);
}
}

164
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java
View File

@@ -24,6 +24,7 @@ import java.io.InputStream;
import java.io.InputStreamReader;
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.Driver;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
@@ -50,6 +51,22 @@ public final class ConnectionFactory {
* Resource location for SQL file used to create the database schema.
*/
public static final String DB_STRUCTURE_RESOURCE = "data/initialize.sql";
/**
* The database driver used to connect to the database.
*/
private static Driver driver = null;
/**
* The database connection string.
*/
private static String connectionString = null;
/**
* The username to connect to the database.
*/
private static String userName = null;
/**
* The password for the database.
*/
private static String password = null;
/**
* Private constructor for this factory class; no instance is ever needed.
@@ -58,64 +75,135 @@ public final class ConnectionFactory {
}
/**
* Constructs a new database connection object per the database configuration. This will load the appropriate
* database driver, via the DriverManager, if configured.
* Initializes the connection factory. Ensuring that the appropriate drivers are loaded and that a connection can be
* made successfully.
*
* @return a database connection object
* @throws DatabaseException thrown if there is an exception loading the database connection
* @throws DatabaseException thrown if we are unable to connect to the database
*/
public static Connection getConnection() throws DatabaseException {
public static synchronized void initialize() throws DatabaseException {
//this only needs to be called once.
if (connectionString != null) {
return;
}
Connection conn = null;
try {
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Loading database connection");
final String connStr = getConnectionString();
final String user = Settings.getString(Settings.KEYS.DB_USER, "dcuser");
//yes, yes - hard-coded password - only if there isn't one in the properties file.
final String pass = Settings.getString(Settings.KEYS.DB_PASSWORD, "DC-Pass1337!");
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Connection String: {0}", connStr);
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Database User: {0}", user);
boolean createTables = false;
if (connStr.startsWith("jdbc:h2:file:")) { //H2
createTables = needToCreateDatabaseStructure();
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Need to create DB Structure: {0}", createTables);
}
//load the driver if necessary
final String driverName = Settings.getString(Settings.KEYS.DB_DRIVER_NAME, "");
if (!driverName.isEmpty()) { //likely need to load the correct driver
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Loading driver: {0}", driverName);
final String driverPath = Settings.getString(Settings.KEYS.DB_DRIVER_PATH, "");
if (!driverPath.isEmpty()) { //ugh, driver is not on classpath?
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Loading driver from: {0}", driverPath);
DriverLoader.load(driverName, driverPath);
try {
if (!driverPath.isEmpty()) {
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Loading driver from: {0}", driverPath);
driver = DriverLoader.load(driverName, driverPath);
} else {
driver = DriverLoader.load(driverName);
}
} catch (DriverLoadException ex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "Unable to load database driver", ex);
throw new DatabaseException("Unable to load database driver");
}
}
userName = Settings.getString(Settings.KEYS.DB_USER, "dcuser");
//yes, yes - hard-coded password - only if there isn't one in the properties file.
password = Settings.getString(Settings.KEYS.DB_PASSWORD, "DC-Pass1337!");
try {
connectionString = getConnectionString();
} catch (IOException ex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE,
"Unable to retrieve the database connection string", ex);
throw new DatabaseException("Unable to retrieve the database connection string");
}
boolean shouldCreateSchema = false;
try {
if (connectionString.startsWith("jdbc:h2:file:")) { //H2
shouldCreateSchema = !dbSchemaExists();
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Need to create DB Structure: {0}", shouldCreateSchema);
}
} catch (IOException ioex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "Unable to verify database exists", ioex);
throw new DatabaseException("Unable to verify database exists");
}
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Loading database connection");
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Connection String: {0}", connectionString);
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Database User: {0}", userName);
try {
conn = DriverManager.getConnection(connectionString, userName, password);
} catch (SQLException ex) {
if (ex.getMessage().contains("java.net.UnknownHostException") && connectionString.contains("AUTO_SERVER=TRUE;")) {
connectionString = connectionString.replace("AUTO_SERVER=TRUE;", "");
try {
conn = DriverManager.getConnection(connectionString, userName, password);
Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE,
"Unable to start the database in server mode; reverting to single user mode");
} catch (SQLException sqlex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "Unable to connect to the database", ex);
throw new DatabaseException("Unable to connect to the database");
}
} else {
DriverLoader.load(driverName);
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "Unable to connect to the database", ex);
throw new DatabaseException("Unable to connect to the database");
}
}
//JDBC4 drivers don't need this call.
//Class.forName("org.h2.Driver");
conn = DriverManager.getConnection(connStr, user, pass);
if (createTables) {
if (shouldCreateSchema) {
try {
createTables(conn);
} catch (DatabaseException ex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, ex);
} catch (DatabaseException dex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, dex);
throw new DatabaseException("Unable to create the database structure");
}
} else {
try {
ensureSchemaVersion(conn);
} catch (DatabaseException ex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, ex);
} catch (DatabaseException dex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, dex);
throw new DatabaseException("Database schema does not match this version of dependency-check");
}
}
} catch (IOException ex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, ex);
throw new DatabaseException("Unable to load database");
} catch (DriverLoadException ex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, ex);
throw new DatabaseException("Unable to load database driver");
} finally {
if (conn != null) {
try {
conn.close();
} catch (SQLException ex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "An error occured closing the connection", ex);
}
}
}
}
/**
* Cleans up resources and unloads any registered database drivers. This needs to be called to ensure the driver is
* unregistered prior to the finalize method being called as during shutdown the class loader used to load the
* driver may be unloaded prior to the driver being de-registered.
*/
public static synchronized void cleanup() {
if (driver != null) {
try {
DriverManager.deregisterDriver(driver);
} catch (SQLException ex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "An error occured unloading the databse driver", ex);
}
driver = null;
}
connectionString = null;
userName = null;
password = null;
}
/**
* Constructs a new database connection object per the database configuration.
*
* @return a database connection object
* @throws DatabaseException thrown if there is an exception loading the database connection
*/
public static Connection getConnection() throws DatabaseException {
initialize();
Connection conn = null;
try {
conn = DriverManager.getConnection(connectionString, userName, password);
} catch (SQLException ex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, ex);
throw new DatabaseException("Unable to connect to the database");
@@ -164,11 +252,11 @@ public final class ConnectionFactory {
* @return true if the H2 database file does not exist; otherwise false
* @throws IOException thrown if the data directory does not exist and cannot be created
*/
private static boolean needToCreateDatabaseStructure() throws IOException {
private static boolean dbSchemaExists() throws IOException {
final File dir = getDataDirectory();
final String name = String.format("cve.%s.h2.db", DB_SCHEMA_VERSION);
final File file = new File(dir, name);
return !file.exists();
return file.exists();
}
/**

29
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
View File

@@ -38,6 +38,7 @@ import org.owasp.dependencycheck.dependency.VulnerableSoftware;
import org.owasp.dependencycheck.utils.DBUtils;
import org.owasp.dependencycheck.utils.DependencyVersion;
import org.owasp.dependencycheck.utils.DependencyVersionUtil;
import org.owasp.dependencycheck.utils.Pair;
/**
* The database holding information about the NVD CVE data.
@@ -96,6 +97,10 @@ public class CveDB {
final String msg = "There was an error attempting to close the CveDB, see the log for more details.";
Logger.getLogger(DBUtils.class.getName()).log(Level.SEVERE, msg);
Logger.getLogger(DBUtils.class.getName()).log(Level.FINE, null, ex);
} catch (Throwable ex) {
final String msg = "There was an exception attempting to close the CveDB, see the log for more details.";
Logger.getLogger(DBUtils.class.getName()).log(Level.SEVERE, msg);
Logger.getLogger(DBUtils.class.getName()).log(Level.FINE, null, ex);
}
conn = null;
}
@@ -128,7 +133,9 @@ public class CveDB {
* @throws Throwable thrown if there is a problem
*/
@Override
@SuppressWarnings("FinalizeDeclaration")
protected void finalize() throws Throwable {
Logger.getLogger(DBUtils.class.getName()).log(Level.FINE, "Entering finalize");
close();
super.finalize();
}
@@ -289,19 +296,27 @@ public class CveDB {
/**
* Returns the entire list of vendor/product combinations.
*
* @return the entire list of vendor/product combinations.
* @return the entire list of vendor/product combinations
* @throws DatabaseException thrown when there is an error retrieving the data from the DB
*/
public ResultSet getVendorProductList() {
public Set<Pair<String, String>> getVendorProductList() throws DatabaseException {
final HashSet data = new HashSet<Pair<String, String>>();
ResultSet rs = null;
PreparedStatement ps = null;
try {
final PreparedStatement ps = getConnection().prepareStatement(SELECT_VENDOR_PRODUCT_LIST);
ps = getConnection().prepareStatement(SELECT_VENDOR_PRODUCT_LIST);
rs = ps.executeQuery();
while (rs.next()) {
data.add(new Pair(rs.getString(1), rs.getString(2)));
}
} catch (SQLException ex) {
final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details.";
Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, msg);
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
} // can't close the statement in the PS as the resultset is returned, closing PS would close the resultset
return rs;
throw new DatabaseException(msg, ex);
} finally {
DBUtils.closeResultSet(rs);
DBUtils.closeStatement(ps);
}
return data;
}
/**

17
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverLoader.java
View File

@@ -47,11 +47,12 @@ public final class DriverLoader {
* Loads the specified class using the system class loader and registers the driver with the driver manager.
*
* @param className the fully qualified name of the desired class
* @return the loaded Driver
* @throws DriverLoadException thrown if the driver cannot be loaded
*/
public static void load(String className) throws DriverLoadException {
public static Driver load(String className) throws DriverLoadException {
final ClassLoader loader = DriverLoader.class.getClassLoader(); //ClassLoader.getSystemClassLoader();
load(className, loader);
return load(className, loader);
}
/**
@@ -64,9 +65,10 @@ public final class DriverLoader {
* @param className the fully qualified name of the desired class
* @param pathToDriver the path to the JAR file containing the driver; note, this can be a semi-colon separated list
* of paths
* @return the loaded Driver
* @throws DriverLoadException thrown if the driver cannot be loaded
*/
public static void load(String className, String pathToDriver) throws DriverLoadException {
public static Driver load(String className, String pathToDriver) throws DriverLoadException {
final URLClassLoader parent = (URLClassLoader) ClassLoader.getSystemClassLoader();
final ArrayList<URL> urls = new ArrayList<URL>();
final String[] paths = pathToDriver.split(File.pathSeparator);
@@ -103,7 +105,7 @@ public final class DriverLoader {
}
});
load(className, loader);
return load(className, loader);
}
/**
@@ -111,15 +113,18 @@ public final class DriverLoader {
*
* @param className the fully qualified name of the desired class
* @param loader the class loader to use when loading the driver
* @return the loaded Driver
* @throws DriverLoadException thrown if the driver cannot be loaded
*/
private static void load(String className, ClassLoader loader) throws DriverLoadException {
private static Driver load(String className, ClassLoader loader) throws DriverLoadException {
try {
final Class c = Class.forName(className, true, loader);
//final Class c = loader.loadClass(className);
final Driver driver = (Driver) c.newInstance();
final Driver shim = new DriverShim(driver);
//using the DriverShim to get around the fact that the DriverManager won't register a driver not in the base class path
DriverManager.registerDriver(new DriverShim(driver));
DriverManager.registerDriver(shim);
return shim;
} catch (ClassNotFoundException ex) {
final String msg = String.format("Unable to load database driver '%s'", className);
Logger.getLogger(DriverLoader.class.getName()).log(Level.FINE, msg, ex);

73
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverShim.java
View File

@@ -17,12 +17,15 @@
*/
package org.owasp.dependencycheck.data.nvdcve;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.sql.Connection;
import java.sql.Driver;
import java.sql.DriverPropertyInfo;
import java.sql.SQLException;
import java.sql.SQLFeatureNotSupportedException;
import java.util.Properties;
import java.util.logging.Level;
import java.util.logging.Logger;
/**
@@ -64,6 +67,20 @@ class DriverShim implements Driver {
return this.driver.acceptsURL(url);
}
/**
* Wraps the call to the underlying driver's connect method.
*
* @param url the URL of the database
* @param info a collection of string/value pairs
* @return a Connection object
* @throws SQLException thrown if there is an error connecting to the database
* @see java.sql.Driver#connect(java.lang.String, java.util.Properties)
*/
@Override
public Connection connect(String url, Properties info) throws SQLException {
return this.driver.connect(url, info);
}
/**
* Returns the wrapped driver's major version number.
*
@@ -87,28 +104,33 @@ class DriverShim implements Driver {
}
/**
* Returns whether or not the wrapped driver is jdbcCompliant.
* Wraps the call to the underlying driver's getParentLogger method.
*
* @return true if the wrapped driver is JDBC compliant; otherwise false
* @see java.sql.Driver#jdbcCompliant()
* @return the parent's Logger
* @throws SQLFeatureNotSupportedException thrown if the feature is not supported
* @see java.sql.Driver#getParentLogger()
*/
@Override
public boolean jdbcCompliant() {
return this.driver.jdbcCompliant();
}
/**
* Wraps the call to the underlying driver's connect method.
*
* @param url the URL of the database
* @param info a collection of string/value pairs
* @return a Connection object
* @throws SQLException thrown if there is an error connecting to the database
* @see java.sql.Driver#connect(java.lang.String, java.util.Properties)
*/
@Override
public Connection connect(String url, Properties info) throws SQLException {
return this.driver.connect(url, info);
//@Override
public Logger getParentLogger() throws SQLFeatureNotSupportedException {
//return driver.getParentLogger();
Method m = null;
try {
m = driver.getClass().getMethod("getParentLogger");
} catch (Throwable e) {
throw new SQLFeatureNotSupportedException();
}
if (m != null) {
try {
return (Logger) m.invoke(m);
} catch (IllegalAccessException ex) {
Logger.getLogger(DriverShim.class.getName()).log(Level.FINER, null, ex);
} catch (IllegalArgumentException ex) {
Logger.getLogger(DriverShim.class.getName()).log(Level.FINER, null, ex);
} catch (InvocationTargetException ex) {
Logger.getLogger(DriverShim.class.getName()).log(Level.FINER, null, ex);
}
}
throw new SQLFeatureNotSupportedException();
}
/**
@@ -126,15 +148,14 @@ class DriverShim implements Driver {
}
/**
* Wraps the call to the underlying driver's getParentLogger method.
* Returns whether or not the wrapped driver is jdbcCompliant.
*
* @return the parent's Logger
* @throws SQLFeatureNotSupportedException thrown if the feature is not supported
* @see java.sql.Driver#getParentLogger()
* @return true if the wrapped driver is JDBC compliant; otherwise false
* @see java.sql.Driver#jdbcCompliant()
*/
@Override
public Logger getParentLogger() throws SQLFeatureNotSupportedException {
return this.driver.getParentLogger();
public boolean jdbcCompliant() {
return this.driver.jdbcCompliant();
}
/**

23
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java
View File

@@ -134,20 +134,20 @@ public class StandardUpdate {
downloadExecutors.shutdownNow();
processExecutor.shutdownNow();
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interupted during download", ex);
throw new UpdateException("The download was interupted", ex);
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during download", ex);
throw new UpdateException("The download was interrupted", ex);
} catch (ExecutionException ex) {
downloadExecutors.shutdownNow();
processExecutor.shutdownNow();
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interupted during download execution", ex);
throw new UpdateException("The execution of the download was interupted", ex);
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during download execution", ex);
throw new UpdateException("The execution of the download was interrupted", ex);
}
if (task == null) {
downloadExecutors.shutdownNow();
processExecutor.shutdownNow();
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interupted during download");
throw new UpdateException("The download was interupted; unable to complete the update");
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during download");
throw new UpdateException("The download was interrupted; unable to complete the update");
} else {
processFutures.add(task);
}
@@ -161,7 +161,7 @@ public class StandardUpdate {
}
} catch (InterruptedException ex) {
processExecutor.shutdownNow();
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interupted during processing", ex);
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during processing", ex);
throw new UpdateException(ex);
} catch (ExecutionException ex) {
processExecutor.shutdownNow();
@@ -245,11 +245,8 @@ public class StandardUpdate {
}
} catch (NumberFormatException ex) {
final String msg = "An invalid schema version or timestamp exists in the data.properties file.";
Logger
.getLogger(StandardUpdate.class
.getName()).log(Level.WARNING, msg);
Logger.getLogger(StandardUpdate.class
.getName()).log(Level.FINE, null, ex);
Logger.getLogger(StandardUpdate.class.getName()).log(Level.WARNING, msg);
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "", ex);
}
}
return updates;
@@ -292,7 +289,7 @@ public class StandardUpdate {
if (cveDB != null) {
try {
cveDB.close();
} catch (Exception ignore) {
} catch (Throwable ignore) {
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINEST, "Error closing the cveDB", ignore);
}
}

38
dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
View File

@@ -20,8 +20,6 @@ package org.owasp.dependencycheck.dependency;
import java.io.File;
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
@@ -327,37 +325,6 @@ public class Dependency implements Comparable<Dependency> {
public EvidenceCollection getVersionEvidence() {
return this.versionEvidence;
}
/**
* A list of exceptions that occurred during analysis of this dependency.
*/
private List<Exception> analysisExceptions = new ArrayList<Exception>();
/**
* Get the value of analysisExceptions.
*
* @return the value of analysisExceptions
*/
public List<Exception> getAnalysisExceptions() {
return analysisExceptions;
}
/**
* Set the value of analysisExceptions.
*
* @param analysisExceptions new value of analysisExceptions
*/
public void setAnalysisExceptions(List<Exception> analysisExceptions) {
this.analysisExceptions = analysisExceptions;
}
/**
* Adds an exception to the analysis exceptions collection.
*
* @param ex an exception.
*/
public void addAnalysisException(Exception ex) {
this.analysisExceptions.add(ex);
}
/**
* The description of the JAR file.
*/
@@ -544,10 +511,6 @@ public class Dependency implements Comparable<Dependency> {
if (this.versionEvidence != other.versionEvidence && (this.versionEvidence == null || !this.versionEvidence.equals(other.versionEvidence))) {
return false;
}
if (this.analysisExceptions != other.analysisExceptions
&& (this.analysisExceptions == null || !this.analysisExceptions.equals(other.analysisExceptions))) {
return false;
}
if ((this.description == null) ? (other.description != null) : !this.description.equals(other.description)) {
return false;
}
@@ -582,7 +545,6 @@ public class Dependency implements Comparable<Dependency> {
hash = 47 * hash + (this.vendorEvidence != null ? this.vendorEvidence.hashCode() : 0);
hash = 47 * hash + (this.productEvidence != null ? this.productEvidence.hashCode() : 0);
hash = 47 * hash + (this.versionEvidence != null ? this.versionEvidence.hashCode() : 0);
hash = 47 * hash + (this.analysisExceptions != null ? this.analysisExceptions.hashCode() : 0);
hash = 47 * hash + (this.description != null ? this.description.hashCode() : 0);
hash = 47 * hash + (this.license != null ? this.license.hashCode() : 0);
hash = 47 * hash + (this.vulnerabilities != null ? this.vulnerabilities.hashCode() : 0);

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java
View File

@@ -360,7 +360,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
final List<String> data = UrlStringUtils.extractImportantUrlData(part);
sb.append(' ').append(StringUtils.join(data, ' '));
} catch (MalformedURLException ex) {
Logger.getLogger(EvidenceCollection.class.getName()).log(Level.INFO, "error parsing " + part, ex);
Logger.getLogger(EvidenceCollection.class.getName()).log(Level.FINE, "error parsing " + part, ex);
sb.append(' ').append(part);
}
} else {

71
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Downloader.java
View File

@@ -22,12 +22,7 @@ import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.PasswordAuthentication;
import java.net.Proxy;
import java.net.SocketAddress;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.logging.Level;
@@ -58,7 +53,7 @@ public final class Downloader {
public static void fetchFile(URL url, File outputPath) throws DownloadFailedException {
HttpURLConnection conn = null;
try {
conn = Downloader.getConnection(url);
conn = URLConnectionFactory.createHttpURLConnection(url);
conn.setRequestProperty("Accept-Encoding", "gzip, deflate");
conn.connect();
} catch (IOException ex) {
@@ -90,13 +85,13 @@ public final class Downloader {
while ((bytesRead = reader.read(buffer)) > 0) {
writer.write(buffer, 0, bytesRead);
}
} catch (Exception ex) {
} catch (Throwable ex) {
throw new DownloadFailedException("Error saving downloaded file.", ex);
} finally {
if (writer != null) {
try {
writer.close();
} catch (Exception ex) {
} catch (Throwable ex) {
Logger.getLogger(Downloader.class.getName()).log(Level.FINEST,
"Error closing the writer in Downloader.", ex);
}
@@ -104,7 +99,7 @@ public final class Downloader {
if (reader != null) {
try {
reader.close();
} catch (Exception ex) {
} catch (Throwable ex) {
Logger.getLogger(Downloader.class.getName()).log(Level.FINEST,
"Error closing the reader in Downloader.", ex);
}
@@ -149,11 +144,13 @@ public final class Downloader {
} else {
HttpURLConnection conn = null;
try {
conn = Downloader.getConnection(url);
conn = URLConnectionFactory.createHttpURLConnection(url);
conn.setRequestMethod("HEAD");
conn.connect();
timestamp = conn.getLastModified();
} catch (Exception ex) {
} catch (URLConnectionFailureException ex) {
throw new DownloadFailedException("Error creating URL Connection for HTTP HEAD request.", ex);
} catch (IOException ex) {
throw new DownloadFailedException("Error making HTTP HEAD request.", ex);
} finally {
if (conn != null) {
@@ -167,56 +164,4 @@ public final class Downloader {
}
return timestamp;
}
/**
* Utility method to get an HttpURLConnection. If the app is configured to use a proxy this method will retrieve the
* proxy settings and use them when setting up the connection.
*
* @param url the url to connect to
* @return an HttpURLConnection
* @throws DownloadFailedException thrown if there is an exception
*/
private static HttpURLConnection getConnection(URL url) throws DownloadFailedException {
HttpURLConnection conn = null;
Proxy proxy = null;
final String proxyUrl = Settings.getString(Settings.KEYS.PROXY_URL);
try {
if (proxyUrl != null) {
final int proxyPort = Settings.getInt(Settings.KEYS.PROXY_PORT);
final SocketAddress addr = new InetSocketAddress(proxyUrl, proxyPort);
final String username = Settings.getString(Settings.KEYS.PROXY_USERNAME);
final String password = Settings.getString(Settings.KEYS.PROXY_PASSWORD);
if (username != null && password != null) {
final Authenticator auth = new Authenticator() {
@Override
public PasswordAuthentication getPasswordAuthentication() {
if (getRequestorType().equals(RequestorType.PROXY)) {
return new PasswordAuthentication(username, password.toCharArray());
}
return super.getPasswordAuthentication();
}
};
Authenticator.setDefault(auth);
}
proxy = new Proxy(Proxy.Type.HTTP, addr);
conn = (HttpURLConnection) url.openConnection(proxy);
} else {
conn = (HttpURLConnection) url.openConnection();
}
final int timeout = Settings.getInt(Settings.KEYS.CONNECTION_TIMEOUT, 60000);
conn.setConnectTimeout(timeout);
} catch (IOException ex) {
if (conn != null) {
try {
conn.disconnect();
} finally {
conn = null;
}
}
throw new DownloadFailedException("Error getting connection.", ex);
}
return conn;
}
}

24
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/FileUtils.java
View File

@@ -69,23 +69,21 @@ public final class FileUtils {
* Deletes a file. If the File is a directory it will recursively delete the contents.
*
* @param file the File to delete
* @throws IOException is thrown if the file could not be deleted
* @return true if the file was deleted successfully, otherwise false
*/
public static void delete(File file) throws IOException {
if (file.isDirectory()) {
for (File c : file.listFiles()) {
delete(c);
public static boolean delete(File file) {
boolean success = true;
if (file.isDirectory()) { //some of this may duplicative of deleteQuietly....
for (File f : file.listFiles()) {
success &= delete(f);
}
}
if (!org.apache.commons.io.FileUtils.deleteQuietly(file)) {
throw new FileNotFoundException("Failed to delete file: " + file);
success = false;
final String msg = String.format("Failed to delete file: %s", file.getPath());
Logger.getLogger(FileUtils.class.getName()).log(Level.FINE, msg);
}
/* else {
//delete on exit was a bad idea. if for some reason the file can't be deleted
// this will cause a newly constructed file to be deleted and a subsequent run may fail.
// still not sure why a file fails to be deleted, but can be overwritten... odd.
file.deleteOnExit();
}*/
return success;
}
/**
@@ -160,7 +158,7 @@ public final class FileUtils {
try {
fis = new FileInputStream(archive);
} catch (FileNotFoundException ex) {
Logger.getLogger(FileUtils.class.getName()).log(Level.INFO, null, ex);
Logger.getLogger(FileUtils.class.getName()).log(Level.FINE, null, ex);
throw new ExtractionException("Archive file was not found.", ex);
}
zis = new ZipInputStream(new BufferedInputStream(fis));

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/LogUtils.java
View File

@@ -66,7 +66,7 @@ public final class LogUtils {
if (in != null) {
try {
in.close();
} catch (Exception ex) {
} catch (Throwable ex) {
Logger.getLogger(LogUtils.class.getName()).log(Level.FINEST, "Error closing resource stream", ex);
}
}

127
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Pair.java Normal file
View File

@@ -0,0 +1,127 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.utils;
/**
* A generic pair of elements.
*
* @param <L> the type for the left element in the pair
* @param <R> the type for the right element in the pair
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class Pair<L, R> {
/**
* Constructs a new empty pair.
*/
public Pair() {
}
/**
* Constructs a new Pair with the given left and right values.
*
* @param left the value for the left pair
* @param right the value for the right pair
*/
public Pair(L left, R right) {
this.left = left;
this.right = right;
}
/**
* The left element of the pair.
*/
private L left = null;
/**
* Get the value of left.
*
* @return the value of left
*/
public L getLeft() {
return left;
}
/**
* Set the value of left.
*
* @param left new value of left
*/
public void setLeft(L left) {
this.left = left;
}
/**
* The right element of the pair.
*/
private R right = null;
/**
* Get the value of right.
*
* @return the value of right
*/
public R getRight() {
return right;
}
/**
* Set the value of right.
*
* @param right new value of right
*/
public void setRight(R right) {
this.right = right;
}
/**
* Generates the hash code using the hash codes from the contained objects.
*
* @return the hash code of the Pair
*/
@Override
public int hashCode() {
int hash = 3;
hash = 53 * hash + (this.left != null ? this.left.hashCode() : 0);
hash = 53 * hash + (this.right != null ? this.right.hashCode() : 0);
return hash;
}
/**
* Determines the equality of this and the provided object.
*
* @param obj the {@link Object} to check for equality to this
* @return true if this and the provided {@link Object} are equal; otherwise false
*/
@Override
public boolean equals(Object obj) {
if (obj == null) {
return false;
}
if (getClass() != obj.getClass()) {
return false;
}
final Pair<?, ?> other = (Pair<?, ?>) obj;
if (this.left != other.left && (this.left == null || !this.left.equals(other.left))) {
return false;
}
if (this.right != other.right && (this.right == null || !this.right.equals(other.right))) {
return false;
}
return true;
}
}

76
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java
View File

@@ -22,8 +22,11 @@ import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.io.PrintWriter;
import java.io.StringWriter;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.Enumeration;
import java.util.Properties;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -35,6 +38,11 @@ import java.util.logging.Logger;
*/
public final class Settings {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(Settings.class.getName());
/**
* The collection of keys used within the properties file.
*/
@@ -145,6 +153,30 @@ public final class Settings {
* The properties key for the Nexus search URL.
*/
public static final String ANALYZER_NEXUS_URL = "analyzer.nexus.url";
/**
* The properties key for using the proxy to reach Nexus.
*/
public static final String ANALYZER_NEXUS_PROXY = "analyzer.nexus.proxy";
/**
* The path to mono, if available.
*/
public static final String ANALYZER_ASSEMBLY_MONO_PATH = "analyzer.assembly.mono.path";
/**
* The additional configured zip file extensions, if available.
*/
public static final String ADDITIONAL_ZIP_EXTENSIONS = "extensions.zip";
/**
* The properties key for whether Test Scope dependencies should be skipped.
*/
public static final String SKIP_TEST_SCOPE = "skip.test.scope";
/**
* The properties key for whether Runtime Scope dependencies should be skipped.
*/
public static final String SKIP_RUNTIME_SCOPE = "skip.runtime.scope";
/**
* The properties key for whether Provided Scope dependencies should be skipped.
*/
public static final String SKIP_PROVIDED_SCOPE = "skip.provided.scope";
}
/**
* The properties file location.
@@ -180,6 +212,43 @@ public final class Settings {
}
}
}
logProperties("Properties loaded", props);
}
/**
* Logs the properties. This will not log any properties that contain 'password' in the key.
*
* @param header the header to print with the log message
* @param properties the properties to log
*/
private static void logProperties(String header, Properties properties) {
if (LOGGER.isLoggable(Level.FINE)) {
final StringWriter sw = new StringWriter();
PrintWriter pw = null;
try {
pw = new PrintWriter(sw);
pw.format("%s:%n%n", header);
final Enumeration e = properties.propertyNames();
while (e.hasMoreElements()) {
final String key = (String) e.nextElement();
if (key.contains("password")) {
pw.format("%s='*****'%n", key);
} else {
final String value = properties.getProperty(key);
if (value != null) {
pw.format("%s='%s'%n", key, value);
}
}
}
pw.flush();
LOGGER.fine(sw.toString());
} finally {
if (pw != null) {
pw.close();
}
}
}
}
/**
@@ -190,6 +259,9 @@ public final class Settings {
*/
public static void setString(String key, String value) {
INSTANCE.props.setProperty(key, value);
if (LOGGER.isLoggable(Level.FINE)) {
LOGGER.fine(String.format("Setting: %s='%s'", key, value));
}
}
/**
@@ -204,6 +276,9 @@ public final class Settings {
} else {
INSTANCE.props.setProperty(key, Boolean.FALSE.toString());
}
if (LOGGER.isLoggable(Level.FINE)) {
LOGGER.fine(String.format("Setting: %s='%b'", key, value));
}
}
/**
@@ -244,6 +319,7 @@ public final class Settings {
*/
public static void mergeProperties(InputStream stream) throws IOException {
INSTANCE.props.load(stream);
logProperties("Properties updated via merge", INSTANCE.props);
}
/**

118
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java Normal file
View File

@@ -0,0 +1,118 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.utils;
import java.io.IOException;
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.PasswordAuthentication;
import java.net.Proxy;
import java.net.SocketAddress;
import java.net.URL;
/**
* A URLConnection Factory to create new connections. This encapsulates several configuration checks to ensure that the
* connection uses the correct proxy settings.
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public final class URLConnectionFactory {
/**
* Private constructor for this factory.
*/
private URLConnectionFactory() {
}
/**
* Utility method to create an HttpURLConnection. If the application is configured to use a proxy this method will
* retrieve the proxy settings and use them when setting up the connection.
*
* @param url the url to connect to
* @return an HttpURLConnection
* @throws URLConnectionFailureException thrown if there is an exception
*/
public static HttpURLConnection createHttpURLConnection(URL url) throws URLConnectionFailureException {
HttpURLConnection conn = null;
Proxy proxy = null;
final String proxyUrl = Settings.getString(Settings.KEYS.PROXY_URL);
try {
if (proxyUrl != null) {
final int proxyPort = Settings.getInt(Settings.KEYS.PROXY_PORT);
final SocketAddress addr = new InetSocketAddress(proxyUrl, proxyPort);
final String username = Settings.getString(Settings.KEYS.PROXY_USERNAME);
final String password = Settings.getString(Settings.KEYS.PROXY_PASSWORD);
if (username != null && password != null) {
final Authenticator auth = new Authenticator() {
@Override
public PasswordAuthentication getPasswordAuthentication() {
if (getRequestorType().equals(Authenticator.RequestorType.PROXY)) {
return new PasswordAuthentication(username, password.toCharArray());
}
return super.getPasswordAuthentication();
}
};
Authenticator.setDefault(auth);
}
proxy = new Proxy(Proxy.Type.HTTP, addr);
conn = (HttpURLConnection) url.openConnection(proxy);
} else {
conn = (HttpURLConnection) url.openConnection();
}
final int timeout = Settings.getInt(Settings.KEYS.CONNECTION_TIMEOUT, 60000);
conn.setConnectTimeout(timeout);
} catch (IOException ex) {
if (conn != null) {
try {
conn.disconnect();
} finally {
conn = null;
}
}
throw new URLConnectionFailureException("Error getting connection.", ex);
}
return conn;
}
/**
* Utility method to create an HttpURLConnection. The use of a proxy here is optional as there may be cases where a
* proxy is configured but we don't want to use it (for example, if there's an internal repository configured)
*
* @param url the url to connect to
* @param proxy whether to use the proxy (if configured)
* @return a newly constructed HttpURLConnection
* @throws URLConnectionFailureException thrown if there is an exception
*/
public static HttpURLConnection createHttpURLConnection(URL url, boolean proxy) throws URLConnectionFailureException {
if (proxy) {
return createHttpURLConnection(url);
}
HttpURLConnection conn = null;
try {
conn = (HttpURLConnection) url.openConnection();
final int timeout = Settings.getInt(Settings.KEYS.CONNECTION_TIMEOUT, 60000);
conn.setConnectTimeout(timeout);
} catch (IOException ioe) {
throw new URLConnectionFailureException("Error getting connection.", ioe);
}
return conn;
}
}

68
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFailureException.java Normal file
View File

@@ -0,0 +1,68 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.utils;
import java.io.IOException;
/**
* An exception used when the creation of an URLConnection fails.
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class URLConnectionFailureException extends IOException {
/**
* The serial version UID.
*/
private static final long serialVersionUID = 1L;
/**
* Creates a new URLConnectionFailureException.
*/
public URLConnectionFailureException() {
super();
}
/**
* Creates a new URLConnectionFailureException.
*
* @param msg a message for the exception.
*/
public URLConnectionFailureException(String msg) {
super(msg);
}
/**
* Creates a new URLConnectionFailureException.
*
* @param ex the cause of the download failure.
*/
public URLConnectionFailureException(Throwable ex) {
super(ex);
}
/**
* Creates a new URLConnectionFailureException.
*
* @param msg a message for the exception.
* @param ex the cause of the download failure.
*/
public URLConnectionFailureException(String msg, Throwable ex) {
super(msg, ex);
}
}

BIN
dependency-check-core/src/main/resources/GrokAssembly.exe Executable file
View File

Binary file not shown.

1
dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer
View File

@@ -10,3 +10,4 @@ org.owasp.dependencycheck.analyzer.NvdCveAnalyzer
org.owasp.dependencycheck.analyzer.VulnerabilitySuppressionAnalyzer
org.owasp.dependencycheck.analyzer.NexusAnalyzer
org.owasp.dependencycheck.analyzer.NuspecAnalyzer
org.owasp.dependencycheck.analyzer.AssemblyAnalyzer

BIN
dependency-check-core/src/main/resources/data/cwe.hashmap.serialized
View File

Binary file not shown.

9
dependency-check-core/src/main/resources/dependencycheck.properties
View File

@@ -30,11 +30,6 @@ data.password=DC-Pass1337!
data.driver_name=org.h2.Driver
data.driver_path=
# the path to the cpe xml file
cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.xml.gz
# the path to the cpe meta data file.
cpe.meta.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.meta
# the number of days that the modified nvd cve data holds data for. We don't need
# to update the other files if we are within this timespan. Per NIST this file
# holds 8 days of updates, we are using 7 just to be safe.
@@ -50,4 +45,6 @@ cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
# the URL for searching Nexus for SHA-1 hashes and whether it's enabled
analyzer.nexus.enabled=true
analyzer.nexus.url=http://repository.sonatype.org/service/local/
# If set to true, the proxy will still ONLY be used if the proxy properties (proxy.url, proxy.port)
# are configured
analyzer.nexus.proxy=true

1
dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineIntegrationTest.java
View File

@@ -69,5 +69,6 @@ public class EngineIntegrationTest {
ReportGenerator rg = new ReportGenerator("DependencyCheck",
instance.getDependencies(), instance.getAnalyzers(), dbProp);
rg.generateReports("./target/", "ALL");
instance.cleanup();
}
}

8
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerTest.java
View File

@@ -160,6 +160,8 @@ public class ArchiveAnalyzerTest extends BaseIndexTestCase {
instance.analyze(dependency, engine);
int ending_size = engine.getDependencies().size();
engine.cleanup();
assertTrue(initial_size < ending_size);
} finally {
@@ -186,6 +188,7 @@ public class ArchiveAnalyzerTest extends BaseIndexTestCase {
int initial_size = engine.getDependencies().size();
instance.analyze(dependency, engine);
int ending_size = engine.getDependencies().size();
engine.cleanup();
assertTrue(initial_size < ending_size);
@@ -214,7 +217,7 @@ public class ArchiveAnalyzerTest extends BaseIndexTestCase {
engine.scan(file);
engine.analyzeDependencies();
int ending_size = engine.getDependencies().size();
engine.cleanup();
assertTrue(initial_size < ending_size);
} finally {
@@ -261,7 +264,7 @@ public class ArchiveAnalyzerTest extends BaseIndexTestCase {
engine.scan(file);
engine.analyzeDependencies();
int ending_size = engine.getDependencies().size();
engine.cleanup();
assertTrue(initial_size < ending_size);
} finally {
@@ -292,6 +295,7 @@ public class ArchiveAnalyzerTest extends BaseIndexTestCase {
// }
// assertTrue(failed);
int ending_size = engine.getDependencies().size();
engine.cleanup();
assertEquals(initial_size, ending_size);
} finally {
instance.close();

134
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java Normal file
View File

@@ -0,0 +1,134 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.analyzer;
import java.io.File;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.junit.After;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import org.junit.Assume;
import static org.junit.Assume.assumeFalse;
import org.junit.Before;
import org.junit.Test;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
import org.owasp.dependencycheck.utils.Settings;
/**
* Tests for the AssemblyAnalyzer.
*
* @author colezlaw
*
*/
public class AssemblyAnalyzerTest {
private static final Logger LOGGER = Logger.getLogger(AssemblyAnalyzerTest.class.getName());
AssemblyAnalyzer analyzer;
/**
* Sets up the analyzer.
*
* @throws Exception if anything goes sideways
*/
@Before
public void setUp() {
try {
analyzer = new AssemblyAnalyzer();
analyzer.initialize();
} catch (Exception e) {
LOGGER.log(Level.WARNING, "Exception setting up AssemblyAnalyzer. Tests will be incomplete", e);
Assume.assumeNoException("Is mono installed? TESTS WILL BE INCOMPLETE", e);
}
}
/**
* Tests to make sure the name is correct.
*/
@Test
public void testGetName() {
assertEquals("Assembly Analyzer", analyzer.getName());
}
@Test
public void testAnalysis() throws Exception {
File f = new File(AssemblyAnalyzerTest.class.getClassLoader().getResource("GrokAssembly.exe").getPath());
Dependency d = new Dependency(f);
analyzer.analyze(d, null);
assertTrue(d.getVersionEvidence().getEvidence().contains(new Evidence("grokassembly", "version", "1.0.5140.29700", Confidence.HIGHEST)));
}
@Test
public void testLog4Net() throws Exception {
File f = new File(AssemblyAnalyzerTest.class.getClassLoader().getResource("log4net.dll").getPath());
Dependency d = new Dependency(f);
analyzer.analyze(d, null);
assertTrue(d.getVersionEvidence().getEvidence().contains(new Evidence("grokassembly", "version", "1.2.13.0", Confidence.HIGHEST)));
assertTrue(d.getVendorEvidence().getEvidence().contains(new Evidence("grokassembly", "vendor", "The Apache Software Foundation", Confidence.HIGH)));
assertTrue(d.getProductEvidence().getEvidence().contains(new Evidence("grokassembly", "product", "log4net", Confidence.HIGH)));
}
@Test(expected = AnalysisException.class)
public void testNonexistent() throws Exception {
File f = new File(AssemblyAnalyzerTest.class.getClassLoader().getResource("log4net.dll").getPath());
File test = new File(f.getParent(), "nonexistent.dll");
Dependency d = new Dependency(test);
analyzer.analyze(d, null);
}
@Test(expected = AnalysisException.class)
public void testWithSettingMono() throws Exception {
//This test doesn't work on Windows.
assumeFalse(System.getProperty("os.name").startsWith("Windows"));
String oldValue = Settings.getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH);
// if oldValue is null, that means that neither the system property nor the setting has
// been set. If that's the case, then we have to make it such that when we recover,
// null still comes back. But you can't put a null value in a HashMap, so we have to set
// the system property rather than the setting.
if (oldValue == null) {
System.setProperty(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, "/yooser/bine/mono");
} else {
Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, "/yooser/bine/mono");
}
try {
// Have to make a NEW analyzer because during setUp, it would have gotten the correct one
AssemblyAnalyzer aanalyzer = new AssemblyAnalyzer();
aanalyzer.initialize();
} finally {
// Now recover the way we came in. If we had to set a System property, delete it. Otherwise,
// reset the old value
if (oldValue == null) {
System.getProperties().remove(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH);
} else {
Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, oldValue);
}
}
}
@After
public void tearDown() throws Exception {
analyzer.close();
}
}

2
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzerTest.java
View File

@@ -31,7 +31,7 @@ import org.owasp.dependencycheck.dependency.Dependency;
/**
*
* @author Jeremy Long (jeremy.long@owasp.org)
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class JavaScriptAnalyzerTest {

19
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/cwe/CweDBTest.java
View File

@@ -59,11 +59,26 @@ public class CweDBTest {
// SAXParser saxParser = factory.newSAXParser();
//
// CweHandler handler = new CweHandler();
// File file = new File(this.getClass().getClassLoader().getResource("cwe.2000.xml").getPath());
// //File file = new File(this.getClass().getClassLoader().getResource("cwe.2000.xml").getPath());
// File file = new File(this.getClass().getClassLoader().getResource("cwec_v2.5.xml").getPath());
//
// saxParser.parse(file, handler);
// System.out.println("Found " + handler.getCwe().size() + " cwe entries.");
// Map<String,String> cwe = handler.getCwe();
// Map<String, String> cwe = handler.getCwe();
//// FileOutputStream fout = new FileOutputStream("target/current.csv");
//// //FileOutputStream fout = new FileOutputStream("target/new.csv");
//// PrintWriter writer = new PrintWriter(fout);
//// for (Map.Entry<String, String> entry : cwe.entrySet()) {
//// writer.print('"');
//// writer.print(entry.getKey());
//// writer.print('"');
//// writer.print(',');
//// writer.print('"');
//// writer.print(entry.getValue());
//// writer.println('"');
//// }
//// writer.close();
//
// FileOutputStream fout = new FileOutputStream("src/main/resources/data/cwe.hashmap.serialized");
// ObjectOutputStream objOut = new ObjectOutputStream(fout);
// objOut.writeObject(cwe);

11
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nexus/NexusSearchTest.java
View File

@@ -17,13 +17,15 @@
*/
package org.owasp.dependencycheck.data.nexus;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import java.io.FileNotFoundException;
import java.net.URL;
import java.util.logging.Logger;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import org.junit.Assume;
import org.junit.Before;
import org.junit.Ignore;
import org.junit.Test;
import org.owasp.dependencycheck.utils.Settings;
@@ -37,6 +39,7 @@ public class NexusSearchTest {
String nexusUrl = Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL);
LOGGER.fine(nexusUrl);
searcher = new NexusSearch(new URL(nexusUrl));
Assume.assumeTrue(searcher.preflightRequest());
}
@Test(expected = IllegalArgumentException.class)
@@ -52,7 +55,6 @@ public class NexusSearchTest {
// This test does generate network traffic and communicates with a host
// you may not be able to reach. Remove the @Ignore annotation if you want to
// test it anyway
@Ignore
@Test
public void testValidSha1() throws Exception {
MavenArtifact ma = searcher.searchSha1("9977a8d04e75609cf01badc4eb6a9c7198c4c5ea");
@@ -65,7 +67,6 @@ public class NexusSearchTest {
// This test does generate network traffic and communicates with a host
// you may not be able to reach. Remove the @Ignore annotation if you want to
// test it anyway
@Ignore
@Test(expected = FileNotFoundException.class)
public void testMissingSha1() throws Exception {
searcher.searchSha1("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");

2
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParserTest.java
View File

@@ -25,7 +25,7 @@ import static org.junit.Assert.*;
/**
*
* @author willstranathan
* @author colezlaw
*
*/
public class XPathNuspecParserTest {

2
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/BaseDBTestCase.java
View File

@@ -73,7 +73,7 @@ public abstract class BaseDBTestCase extends TestCase {
while ((count = zin.read(data, 0, BUFFER_SIZE)) != -1) {
dest.write(data, 0, count);
}
} catch (Exception ex) {
} catch (Throwable ex) {
Logger.getLogger(BaseDBTestCase.class.getName()).log(Level.SEVERE, null, ex);
} finally {
try {

37
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DriverLoaderTest.java
View File

@@ -59,7 +59,14 @@ public class DriverLoaderTest {
@Test
public void testLoad_String() throws Exception {
String className = "org.h2.Driver";
DriverLoader.load(className);
Driver d = null;
try {
d = DriverLoader.load(className);
} finally {
if (d != null) {
DriverManager.deregisterDriver(d);
}
}
}
/**
@@ -68,7 +75,7 @@ public class DriverLoaderTest {
@Test(expected = DriverLoadException.class)
public void testLoad_String_ex() throws Exception {
String className = "bad.Driver";
DriverLoader.load(className);
Driver d = DriverLoader.load(className);
}
/**
@@ -82,9 +89,16 @@ public class DriverLoaderTest {
File driver = new File(testClassPath, "../../src/test/resources/mysql-connector-java-5.1.27-bin.jar");
assertTrue("MySQL Driver JAR file not found in src/test/resources?", driver.isFile());
DriverLoader.load(className, driver.getAbsolutePath());
Driver d = DriverManager.getDriver("jdbc:mysql://localhost:3306/dependencycheck");
assertNotNull(d);
Driver d = null;
try {
d = DriverLoader.load(className, driver.getAbsolutePath());
d = DriverManager.getDriver("jdbc:mysql://localhost:3306/dependencycheck");
assertNotNull(d);
} finally {
if (d != null) {
DriverManager.deregisterDriver(d);
}
}
}
/**
@@ -99,7 +113,14 @@ public class DriverLoaderTest {
final File dir2 = new File(testClassPath, "../../src/test/resources/");
final String paths = String.format("%s" + File.pathSeparator + "%s", dir1.getAbsolutePath(), dir2.getAbsolutePath());
DriverLoader.load(className, paths);
Driver d = null;
try {
d = DriverLoader.load(className, paths);
} finally {
if (d != null) {
DriverManager.deregisterDriver(d);
}
}
}
/**
@@ -113,7 +134,7 @@ public class DriverLoaderTest {
File driver = new File(testClassPath, "../../src/test/resources/mysql-connector-java-5.1.27-bin.jar");
assertTrue("MySQL Driver JAR file not found in src/test/resources?", driver.isFile());
DriverLoader.load(className, driver.getAbsolutePath());
Driver d = DriverLoader.load(className, driver.getAbsolutePath());
}
/**
@@ -125,6 +146,6 @@ public class DriverLoaderTest {
//we know this is in target/test-classes
File testClassPath = (new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath())).getParentFile();
File driver = new File(testClassPath, "../../src/test/bad/mysql-connector-java-5.1.27-bin.jar");
DriverLoader.load(className, driver.getAbsolutePath());
Driver d = DriverLoader.load(className, driver.getAbsolutePath());
}
}

4
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/xml/NvdCve_2_0_HandlerTest.java
View File

@@ -54,7 +54,7 @@ public class NvdCve_2_0_HandlerTest {
@Test
public void testParse() {
Exception results = null;
Throwable results = null;
try {
SAXParserFactory factory = SAXParserFactory.newInstance();
SAXParser saxParser = factory.newSAXParser();
@@ -64,7 +64,7 @@ public class NvdCve_2_0_HandlerTest {
NvdCve20Handler instance = new NvdCve20Handler();
saxParser.parse(file, instance);
} catch (Exception ex) {
} catch (Throwable ex) {
results = ex;
}
assertTrue("Exception thrown during parse of 2012 CVE version 2.0?", results == null);

2
dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorTest.java
View File

@@ -150,6 +150,8 @@ public class ReportGeneratorTest {
ReportGenerator generator = new ReportGenerator("Test Report", engine.getDependencies(), engine.getAnalyzers(), dbProp);
generator.generateReport(templateName, writeTo);
engine.cleanup();
InputStream xsdStream = ReportGenerator.class.getClassLoader().getResourceAsStream("schema/DependencyCheck.xsd");
StreamSource xsdSource = new StreamSource(xsdStream);
StreamSource xmlSource = new StreamSource(new File(writeTo));

4
dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/FileUtilsTest.java
View File

@@ -22,6 +22,7 @@ import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import org.junit.Before;
import org.junit.BeforeClass;
@@ -76,7 +77,8 @@ public class FileUtilsTest {
if (!file.exists()) {
fail("Unable to create a temporary file.");
}
FileUtils.delete(file);
boolean status = FileUtils.delete(file);
assertTrue("delete returned a failed status", status);
assertFalse("Temporary file exists after attempting deletion", file.exists());
}
}

176610
dependency-check-core/src/test/resources/cwe.2000.xml
View File

File diff suppressed because it is too large Load Diff

3
dependency-check-core/src/test/resources/dependencycheck.properties
View File

@@ -50,3 +50,6 @@ cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
# the URL for searching Nexus for SHA-1 hashes and whether it's enabled
analyzer.nexus.enabled=true
analyzer.nexus.url=http://repository.sonatype.org/service/local/
# If set to true, the proxy will still ONLY be used if the proxy properties (proxy.url, proxy.port)
# are configured
analyzer.nexus.proxy=true

BIN
dependency-check-core/src/test/resources/log4net.dll Normal file
View File

Binary file not shown.

2
dependency-check-jenkins/pom.xml
View File

@@ -6,7 +6,7 @@
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.1.1</version>
<version>1.1.2</version>
</parent>
<groupId>org.owasp</groupId>

4
dependency-check-maven/pom.xml
View File

@@ -23,7 +23,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.1.1</version>
<version>1.1.2</version>
</parent>
<artifactId>dependency-check-maven</artifactId>
@@ -180,7 +180,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>2.5.2</version>
<version>2.6</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>

192
dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java
View File

@@ -76,10 +76,6 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
* Name of the logging properties file.
*/
private static final String LOG_PROPERTIES_FILE = "log.properties";
/**
* The name of the test scope.
*/
public static final String TEST_SCOPE = "test";
/**
* System specific new line character.
*/
@@ -202,6 +198,12 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
@SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
@Parameter(property = "nexusUrl", defaultValue = "", required = false)
private String nexusUrl;
/**
* Whether or not the configured proxy is used to connect to Nexus.
*/
@SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
@Parameter(property = "nexusUsesProxy", defaultValue = "true", required = false)
private boolean nexusUsesProxy = true;
/**
* The database connection string.
*/
@@ -232,27 +234,90 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
@SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
@Parameter(property = "databasePassword", defaultValue = "", required = false)
private String databasePassword;
// </editor-fold>
/**
* A comma-separated list of file extensions to add to analysis next to jar, zip, ....
*/
@Parameter(property = "zipExtensions", required = false)
private String zipExtensions;
/**
* Skip Analisys for Test Scope Dependencies
*/
@Parameter(property = "skipTestScope", defaultValue = "true", required = false)
private boolean skipTestScope = true;
/**
* Skip Analisys for Runtime Scope Dependencies
*/
@Parameter(property = "skipRuntimeScope", defaultValue = "false", required = false)
private boolean skipRuntimeScope = false;
/**
* Skip Analisys for Provided Scope Dependencies
*/
@Parameter(property = "skipProvidedScope", defaultValue = "false", required = false)
private boolean skipProvidedScope = false;
/**
* The data directory, hold DC SQL DB.
*/
@Parameter(property = "dataDirectory", defaultValue = "", required = false)
private String dataDirectory;
/**
* Data Mirror URL for CVE 1.2
*/
@Parameter(property = "cveUrl12Modified", defaultValue = "", required = false)
private String cveUrl12Modified;
/**
* Data Mirror URL for CVE 2.0
*/
@Parameter(property = "cveUrl20Modified", defaultValue = "", required = false)
private String cveUrl20Modified;
/**
* Base Data Mirror URL for CVE 1.2
*/
@Parameter(property = "cveUrl12Base", defaultValue = "", required = false)
private String cveUrl12Base;
/**
* Data Mirror URL for CVE 2.0
*/
@Parameter(property = "cveUrl20Base", defaultValue = "", required = false)
private String cveUrl20Base;
// </editor-fold>
/**
* Executes the Dependency-Check on the dependent libraries.
*
* @return the Engine used to scan the dependencies.
* @throws DatabaseException thrown if there is an exception connecting to the database
*/
private Engine executeDependencyCheck() {
private Engine executeDependencyCheck() throws DatabaseException {
final InputStream in = DependencyCheckMojo.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
LogUtils.prepareLogger(in, logFile);
populateSettings();
final Engine engine = new Engine();
final Set<Artifact> artifacts = project.getArtifacts();
for (Artifact a : artifacts) {
if (!TEST_SCOPE.equals(a.getScope())) {
Engine engine = null;
try {
engine = new Engine();
final Set<Artifact> artifacts = project.getArtifacts();
for (Artifact a : artifacts) {
if (skipTestScope && Artifact.SCOPE_TEST.equals(a.getScope())) {
continue;
}
if (skipProvidedScope && Artifact.SCOPE_PROVIDED.equals(a.getScope())) {
continue;
}
if (skipRuntimeScope && !Artifact.SCOPE_RUNTIME.equals(a.getScope())) {
continue;
}
engine.scan(a.getFile().getAbsolutePath());
}
engine.analyzeDependencies();
} finally {
if (engine != null) {
engine.cleanup();
}
}
engine.analyzeDependencies();
return engine;
}
@@ -282,7 +347,7 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.SEVERE,
"Unexpected exception occurred during analysis; please see the verbose error log for more details.");
Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.FINE, null, ex);
} catch (Exception ex) {
} catch (Throwable ex) {
Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.SEVERE,
"Unexpected exception occurred during analysis; please see the verbose error log for more details.");
Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.FINE, null, ex);
@@ -304,7 +369,6 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
int cnt = 0;
for (Dependency d : dependencies) {
writeSiteReportDependencyHeader(sink, d);
cnt = writeSiteReportDependencyAnalysisExceptions(d, cnt, sink);
cnt = writeSiteReportDependencyEvidenceUsed(d, cnt, sink);
cnt = writeSiteReportDependencyRelatedDependencies(d, cnt, sink);
writeSiteReportDependencyIdentifiers(d, sink);
@@ -510,35 +574,6 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
return cnt;
}
/**
* Writes the analysis exceptions generated during analysis to the site report.
*
* @param d the dependency
* @param sink the sink to write the data to
* @param collapsibleHeaderCount the collapsible header count
* @return the collapsible header count
*/
private int writeSiteReportDependencyAnalysisExceptions(Dependency d, int collapsibleHeaderCount, Sink sink) {
int cnt = collapsibleHeaderCount;
if (d.getAnalysisExceptions() != null && !d.getAnalysisExceptions().isEmpty()) {
cnt += 1;
sink.sectionTitle4();
sink.rawText("<font style=\"color:red\">Errors occurred during analysis:</font> <a href=\"javascript:toggleElement(this, 'errors"
+ cnt + "')\">[+]</a>");
sink.sectionTitle4_();
sink.rawText("<div id=\"errors" + cnt + "\">");
sink.list();
for (Exception e : d.getAnalysisExceptions()) {
sink.listItem();
sink.text(e.getMessage());
sink.listItem_();
}
sink.list_();
sink.rawText("</div>");
}
return cnt;
}
/**
* Writes the dependency header to the site report.
*
@@ -722,6 +757,7 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
if (nexusUrl != null && !nexusUrl.isEmpty()) {
Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
}
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy);
if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
}
@@ -737,6 +773,33 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
if (databasePassword != null && !databasePassword.isEmpty()) {
Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
}
if (zipExtensions != null && !zipExtensions.isEmpty()) {
Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
}
// Scope Exclusion
Settings.setBoolean(Settings.KEYS.SKIP_TEST_SCOPE, skipTestScope);
Settings.setBoolean(Settings.KEYS.SKIP_RUNTIME_SCOPE, skipRuntimeScope);
Settings.setBoolean(Settings.KEYS.SKIP_PROVIDED_SCOPE, skipProvidedScope);
// Data Directory
if (dataDirectory != null && !dataDirectory.isEmpty()) {
Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
}
// CVE Data Mirroring
if (cveUrl12Modified != null && !cveUrl12Modified.isEmpty()) {
Settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
}
if (cveUrl20Modified != null && !cveUrl20Modified.isEmpty()) {
Settings.setString(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
}
if (cveUrl12Base != null && !cveUrl12Base.isEmpty()) {
Settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
}
if (cveUrl20Base != null && !cveUrl20Base.isEmpty()) {
Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
}
}
/**
@@ -746,13 +809,24 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
* @throws MojoFailureException thrown if a CVSS score is found that is higher then the configured level
*/
public void execute() throws MojoExecutionException, MojoFailureException {
final Engine engine = executeDependencyCheck();
generateExternalReports(engine);
if (this.failBuildOnCVSS <= 10) {
checkForFailure(engine.getDependencies());
}
if (this.showSummary) {
showSummary(engine.getDependencies());
Engine engine = null;
try {
engine = executeDependencyCheck();
generateExternalReports(engine);
if (this.showSummary) {
showSummary(engine.getDependencies());
}
if (this.failBuildOnCVSS <= 10) {
checkForFailure(engine.getDependencies());
}
} catch (DatabaseException ex) {
Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.SEVERE,
"Unable to connect to the dependency-check database; analysis has stopped");
Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.FINE, "", ex);
} finally {
if (engine != null) {
engine.cleanup();
}
}
}
@@ -777,8 +851,19 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
* @throws MavenReportException if a maven report exception occurs
*/
public void generate(Sink sink, SinkFactory sinkFactory, Locale locale) throws MavenReportException {
final Engine engine = executeDependencyCheck();
generateMavenSiteReport(engine, sink);
Engine engine = null;
try {
engine = executeDependencyCheck();
generateMavenSiteReport(engine, sink);
} catch (DatabaseException ex) {
Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.SEVERE,
"Unable to connect to the dependency-check database; analysis has stopped");
Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.FINE, "", ex);
} finally {
if (engine != null) {
engine.cleanup();
}
}
}
// <editor-fold defaultstate="collapsed" desc="required setter/getter methods">
@@ -867,9 +952,12 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
private void checkForFailure(List<Dependency> dependencies) throws MojoFailureException {
final StringBuilder ids = new StringBuilder();
for (Dependency d : dependencies) {
boolean addName = true;
for (Vulnerability v : d.getVulnerabilities()) {
if (v.getCvssScore() >= failBuildOnCVSS) {
if (ids.length() == 0) {
if (addName) {
addName = false;
ids.append(NEW_LINE).append(d.getFileName()).append(": ");
ids.append(v.getName());
} else {
ids.append(", ").append(v.getName());

50
dependency-check-maven/src/site/markdown/configuration.md
View File

@@ -2,23 +2,33 @@ Configuration
====================
The following properties can be set on the dependency-check-maven plugin.
Property | Description | Default Value
--------------------|------------------------------------|------------------
autoUpdate | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true
externalReport | When using as a Site plugin this parameter sets whether or not the external report format should be used. | false
failBuildOnCVSS | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. | 11
format | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
logFile | The file path to write verbose logging information. |
suppressionFile | The file path to the XML suppression file \- used to suppress [false positives](../suppression.html) |
connectionTimeout | The Connection Timeout. |
proxyUrl | The Proxy URL. |
proxyPort | The Proxy Port. |
proxyUsername | Defines the proxy user name. |
proxyPassword | Defines the proxy password. |
nexusAnalyzerEnabled | The connection timeout used when downloading data files from the Internet. |
nexusUrl | The connection timeout used when downloading data files from the Internet. |
databaseDriverName | The name of the database driver. Example: org.h2.Driver. |
databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. |
connectionString | The connection string used to connect to the database. |
databaseUser | The username used when connecting to the database. |
databasePassword | The password used when connecting to the database. |
Property | Description | Default Value
---------------------|------------------------------------|------------------
autoUpdate | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true
externalReport | When using as a Site plugin this parameter sets whether or not the external report format should be used. | false
failBuildOnCVSS | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. | 11
format | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
logFile | The file path to write verbose logging information. |
suppressionFile | The file path to the XML suppression file \- used to suppress [false positives](../suppression.html) |
connectionTimeout | The Connection Timeout. |
proxyUrl | The Proxy URL. |
proxyPort | The Proxy Port. |
proxyUsername | Defines the proxy user name. |
proxyPassword | Defines the proxy password. |
nexusAnalyzerEnabled | Sets whether Nexus Analyzer will be used. |
nexusUrl | Defines the Nexus URL. |
nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | true
databaseDriverName | The name of the database driver. Example: org.h2.Driver. |
databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. |
connectionString | The connection string used to connect to the database. |
databaseUser | The username used when connecting to the database. |
databasePassword | The password used when connecting to the database. |
zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. |
skipTestScope | Should be skip analysis for artifacts with Test Scope | true
skipProvidedScope | Should be skip analysis for artifacts with Provided Scope | false
skipRuntimeScope | Should be skip analysis for artifacts with Runtime Scope | false
dataDirectory | Data directory to hold SQL CVEs contents. This should generally not be changed. |
cveUrl12Modified | URL for the modified CVE 1.2 | http://nvd.nist.gov/download/nvdcve-modified.xml
cveUrl20Modified | URL for the modified CVE 2.0 | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year | http://nvd.nist.gov/download/nvdcve-%d.xml
cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml

79
dependency-check-maven/src/site/markdown/usage.md.vm
View File

@@ -10,7 +10,9 @@ Vulnerability Database (NVD) hosted by NIST: https://nvd.nist.gov
After the first batch download, as long as the plugin is executed at least once every
seven days the update will only take a few seconds.
<h3>Create the DependencyCheck-report.html in the target directory</h3>
Example 1:
---------------------
Create the DependencyCheck-report.html in the target directory
```xml
<project>
@@ -37,7 +39,9 @@ seven days the update will only take a few seconds.
</project>
```
<h3>Create the DependencyCheck-report.html and fail the build for CVSS greater then 8</h3>
Example 2:
---------------------
Create the DependencyCheck-report.html and fail the build for CVSS greater then 8
```xml
<project>
@@ -67,7 +71,9 @@ seven days the update will only take a few seconds.
</project>
```
<h3>Create the dependency-check report within the site</h3>
Example 3:
---------------------
Create the dependency-check report within the site
```xml
<project>
@@ -97,3 +103,70 @@ seven days the update will only take a few seconds.
...
</project>
```
Example 4:
---------------------
Create the DependencyCheck-report.html and skip artifacts no bundled in distribution (Provided and Runtime scope)
```xml
<project>
<build>
<plugins>
...
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>${project.version}</version>
<configuration>
<skipProvidedScope>true</skipProvidedScope>
<skipRuntimeScope>true</skipRuntimeScope>
</configuration>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
...
</plugins>
...
</build>
...
</project>
```
Example 5:
---------------------
Create the DependencyCheck-report.html and use internal mirroring of CVE contents
```xml
<project>
<build>
<plugins>
...
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>${project.version}</version>
<configuration>
<cveUrl12Modified>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-modified.xml</cveUrl12Modified>
<cveUrl20Modified>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-2.0-modified.xml</cveUrl20Modified>
<cveUrl12Base>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-%d.xml</cveUrl12Base>
<cveUrl20Base>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-2.0-%d.xml</cveUrl20Base>
</configuration>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
...
</plugins>
...
</build>
...
</project>
```

14
pom.xml
View File

@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.1.1</version>
<version>1.1.2</version>
<packaging>pom</packaging>
<modules>
@@ -64,6 +64,18 @@ Copyright (c) 2012 - Jeremy Long
<role>developer</role>
</roles>
</developer>
<developer>
<name>Will Stranathan</name>
<email>Will.Stranathan@owasp.org</email>
<organization>OWASP</organization>
<organizationUrl>https://www.owasp.org/index.php/OWASP_Dependency_Check</organizationUrl>
<roles>
<role>developer</role>
</roles>
<properties>
<twitter>@willathome</twitter>
</properties>
</developer>
</developers>
<contributors>
<contributor>

49
src/site/markdown/suppression.md
View File

@@ -18,6 +18,55 @@ A sample suppression file would look like:
```
The above XML file will suppress the cpe:/a:apache:struts:2.0.0 from any file with the a matching SHA1 hash.
The following shows some other ways to suppress individual findings. Note the ways to select files using either
the sha1 hash or the filePath (the filePath can also be a regex). Additionally, there are several things that
can be suppressed - individual CPEs, individual CVEs, or all CVE entries below a specified CVSS score. The most common
would be suppressing CPEs based off of SHA1 hashes or filePath (regexes) - these entries can be generated using the
HTML version of the report. The other common scenario would be to ignore all CVEs below a certain CVSS threshold.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xmlns='https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression'
xsi:schemaLocation='https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression suppression.xsd'>
<suppress>
<notes><![CDATA[
This suppresses cpe:/a:csv:csv:1.0 for some.jar in the "c:\path\to" directory.
]]></notes>
<filePath>c:\path\to\some.jar</filePath>
<cpe>cpe:/a:csv:csv:1.0</cpe>
</suppress>
<suppress>
<notes><![CDATA[
This suppresses any jboss:jboss cpe for any test.jar in any directory.
]]></notes>
<filePath regex="true">.*\btest\.jar</filePath>
<cpe>cpe:/a:jboss:jboss</cpe>
</suppress>
<suppress>
<notes><![CDATA[
This suppresses a specific cve for any test.jar in any directory.
]]></notes>
<filePath regex="true">.*\btest\.jar</filePath>
<cve>CVE-2013-1337</cve>
</suppress>
<suppress>
<notes><![CDATA[
This suppresses a specific cve for any dependency in any directory that has the specified sha1 checksum.
]]></notes>
<sha1>384FAA82E193D4E4B0546059CA09572654BC3970</sha1>
<cve>CVE-2013-1337</cve>
</suppress>
<suppress>
<notes><![CDATA[
This suppresses all CVE entries that have a score below CVSS 7.
]]></notes>
<cvssBelow>7</cvssBelow>
</suppress>
</suppressions>
```
The full schema for suppression files can be found here: [suppression.xsd](https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-core/src/main/resources/schema/suppression.xsd "Suppression Schema")
Please see the appropriate configuration option in each interfaces configuration guide:

BIN
src/site/resources/images/logos/Button-Built-on-CB-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 7.3 KiB

BIN
src/site/resources/images/logos/logo_intellij_idea.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 9.9 KiB

26
src/site/site.xml
View File

@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<skin>
<groupId>org.apache.maven.skins</groupId>
<artifactId>maven-fluido-skin</artifactId>
<version>1.3.0</version>
<version>1.3.1</version>
</skin>
<custom>
<fluidoSkin>
@@ -37,6 +37,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<showUser>true</showUser>
<showFollowers>true</showFollowers>
</twitter>
<googlePlusOne />
</fluidoSkin>
</custom>
<bannerLeft>
@@ -44,6 +45,21 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
</bannerLeft>
<publishDate position="right" />
<version position="right" />
<poweredBy>
<logo name="Maven" href="http://maven.apache.org/"
title="built with maven"
alt="built with maven"
img="http://jeremylong.github.io/DependencyCheck/images/logos/maven-feather.png"/>
<logo name="IntelliJ" href="http://maven.apache.org/"
title="developed using" width="170px"
alt="developed using"
img="http://jeremylong.github.io/DependencyCheck/images/logos/logo_intellij_idea.png"/>
<logo name="Cloudbees" href="http://www.cloudbees.com/"
title="built on cloudbees"
alt="built on cloudbees"
img="http://jeremylong.github.io/DependencyCheck/images/logos/Button-Built-on-CB-1.png"/>
</poweredBy>
<body>
<head>
<style type="text/css">
@@ -59,13 +75,13 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<item name="False Positives" href="./suppression.html">
<description>Suppressing False Positives</description>
</item>
<item name="Project Presentation (pptx)" href="./dependency-check.pptx">
<item name="Project Presentation (pptx)" href="./dependency-check.pptx">
<description>PowerPoint Deck</description>
</item>
<item name="Project Presentation (pdf)" href="./dependency-check.pdf">
<item name="Project Presentation (pdf)" href="./dependency-check.pdf">
<description>PowerPoint Deck</description>
</item>
<item name="Sample Report" href="./SampleReport.html">
<item name="Sample Report" href="./SampleReport.html">
<description>Sample Report</description>
</item>
</menu>
@@ -86,6 +102,6 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<description>A Jenkins plugin for dependency-check.</description>
</item>
</menu>
<footer/>
<footer>Copyright © 2012-2014 Jeremy Long. All Rights Reserved.</footer>
</body>
</project>