

97 Commits

Author SHA1 Message Date
Jeremy Long
72f9564757 version 1.2.0
Former-commit-id: b678810925b242d0ab9c17cc43c7edc4583ef8e3
2014-04-28 08:58:09 -04:00
Jeremy Long
ab1a80152d excluded HelpMojo from PMD
Former-commit-id: 01cd292267305c6b6ed017dfcbe40ea53d4313e8
2014-04-28 08:20:11 -04:00
Jeremy Long
a87c677a35 checkstyle correction
Former-commit-id: 542c5817a18cc0f372dabd8e8010c4c93b5ef34b
2014-04-28 08:19:54 -04:00
Jeremy Long
9e0ed57cec checkstyle corrections... javadoc, final variables, etc.
Former-commit-id: 87905c8a957efb5b57e1c142eda9e7c2e7312f78
2014-04-27 17:16:49 -04:00
Jeremy Long
767f4797b0 moved checkstyle configuration to match pmd
Former-commit-id: ef4ac52a2fa483d776b6191356ce98486832a250
2014-04-27 09:31:16 -04:00
Jeremy Long
8f8c9c4582 updated to reduce exception messages during build when mono isn't available
Former-commit-id: b6701c012669d3b5fc9e8b7cc168ac8d5df4d8f0
2014-04-27 09:18:50 -04:00
Jeremy Long
9acfe3afdb Merge branch 'master' of github.com:jeremylong/DependencyCheck
Former-commit-id: 45916cc4a0b3334ac9d0fe5d849032556db59f8e
2014-04-27 08:51:31 -04:00
Jeremy Long
9c03962c26 Merge branch 'master' of github.com:bkimminich/DependencyCheck into bkimminich-master
Former-commit-id: a25a71286aed7adb384e7efde40278006e67d847
2014-04-27 08:50:59 -04:00
Jeremy Long
a135460caa moved pmd rules to follow the maven directory structure
Former-commit-id: 71f80a18aad5c92662a2eab142009f243e7416bf
2014-04-27 08:50:03 -04:00
Jeremy Long
7f72ef88e0 removed code duplication ensuring temporary directory exists
Former-commit-id: fba6dfcd3a133378c5f46f4126fa97c02ab110be
2014-04-27 08:42:02 -04:00
Steve Springett
fa1adc5294 Cleaning up Velocity. Minor change to Engine and ServiceLoaders to optionally use custom ClassLoader.
Former-commit-id: 8c1a58247faeaa032ca7389106378b095ac45edf
2014-04-26 01:25:56 -05:00
Björn Kimminich
579b526196 organized imports
extracted exception handling


Former-commit-id: 5fa0d46fc4241e8feae58e4f1e8fd365aedb27f5
2014-04-25 14:39:56 +02:00
Björn Kimminich
654e6942cb attempt to locate suppressions in classpath when they cannot be found via URL or file path
Former-commit-id: 03e7f14d9561940bb83a38faab926a5e45f2748b
2014-04-25 14:33:15 +02:00
Jeremy Long
b7ed1429de added new test case for the hint analyzer
Former-commit-id: 019194943dd81b11201ef41e00bb4f5d9aa6fe73
2014-04-24 07:23:39 -04:00
Will Stranathan
6642c23761 Updated PMD configuration to work with all the projects.
Former-commit-id: 80b9aac40019ef95d95ac5dcd3cb417290c37d7e
2014-04-22 20:50:06 -04:00
Jeremy Long
f2b908c859 checkstyle corrections
Former-commit-id: 8833f928a384474df1dd5b306e835ec8919a572a
2014-04-22 09:01:53 -04:00
Jeremy Long
709840ca02 removed unused variable and inner assignment
Former-commit-id: 24b669e885ae51c2812ed1b31d86241b0a13509d
2014-04-22 08:14:30 -04:00
Jeremy Long
9fe596f3de checkstyle corrections
Former-commit-id: 2f6fb660cd0152de284b55de3aab9cbb1b22b0b0
2014-04-22 08:10:54 -04:00
Jeremy Long
228bb2fc86 converted long running tests to integration tests
Former-commit-id: 36a20d08b8de14b369a083d1c52e0f458b276d47
2014-04-21 21:46:54 -04:00
Jeremy Long
d07947f712 spelling corrections
Former-commit-id: 6b3c1ae8e8150cca82449f5e5b4448a9a829e680
2014-04-21 21:01:10 -04:00
Jeremy Long
70022088fb spelling corrections
Former-commit-id: 43b77de6e21a4d586f7b66b6da0045572c097f42
2014-04-21 20:59:18 -04:00
Jeremy Long
9143564d41 merged update from Will
Former-commit-id: ee4020e643221aa4ea403a6fb59314e65ab9e1b5
2014-04-21 20:42:58 -04:00
Jeremy Long
55440ae32b Merge branch 'master' of github.com:jeremylong/DependencyCheck
Former-commit-id: ddb7a60c533bf82e5f6faa9a5fbd794ca7dfaf5f
2014-04-21 20:31:48 -04:00
Jeremy Long
db65c0b422 spelling corrections
Former-commit-id: 35f1650765a5e8de33ef078a13b20bfa2994eb71
2014-04-21 20:31:26 -04:00
Jeremy Long
f0297938b6 spelling corrections
Former-commit-id: 56795c1f9276347f4b383e911c8c1b35918d55d9
2014-04-21 20:21:53 -04:00
Steve Springett
4d390b65fe Removing Jenkins workaround for previous snapshot's race condition
Former-commit-id: 69304c08687945ebecaf3f253e16861dd9627d43
2014-04-21 14:19:30 -05:00
Will Stranathan
294df359d5 Added PMD rule to find Loggers that weren't fields and corrected existing instances.
Former-commit-id: d1844676a9e2f9ccbbc584d51f9dc13ecc255c11
2014-04-19 22:08:17 -04:00
Jeremy Long
a855d53542 checkstyle corrections
Former-commit-id: 8caae0e4f0dd1828419c84b081fbc32d4d7be93c
2014-04-19 12:49:57 -04:00
Jeremy Long
57a0c48293 speed up test by disabling auto-update
Former-commit-id: 55e2cbff478577b7e2fc49b91f1e58c2e1563da7
2014-04-19 10:00:06 -04:00
Jeremy Long
bbc82d827e speed up test by disabling auto-update
Former-commit-id: 709c870c42d8b67b1e02ef8669981f2726c653e1
2014-04-19 09:59:45 -04:00
Jeremy Long
742b49e302 updated test case to perform autoupdate
Former-commit-id: 3e93783a97af223a1c63cde2b8f5916158a729e9
2014-04-19 09:59:09 -04:00
Jeremy Long
8716f14941 updated settings initialization
Former-commit-id: f53733aa65df96d09a817b74fd440da133b8be08
2014-04-19 09:58:40 -04:00
Jeremy Long
8b7b41de47 removed singleton pattern from service loaders
Former-commit-id: 0e7b90141333548c47fbb4c9944b44fe295acfec
2014-04-19 09:58:16 -04:00
Jeremy Long
36fd4dbcf4 updated to initialize the settings object
Former-commit-id: 7920a16418cb0b539571058942606dfd3b142525
2014-04-19 08:59:04 -04:00
Jeremy Long
291a8c2bfb Merge branch 'master' of github.com:bkimminich/DependencyCheck into bkimminich-master
Former-commit-id: 4b8d77255bef86d4cb4243eefd80eedadf5ca8f7
2014-04-19 08:22:47 -04:00
Jeremy Long
a1db394d93 added a mechanism to copy the global settings object to forked threads
Former-commit-id: 2932ae216d79d3cd08f4fb57695f3bd979c95c59
2014-04-19 08:21:59 -04:00
Jeremy Long
0933d96954 updated to use BaseTest to initialize the Settings correctly
Former-commit-id: 473e0db1cc94efe745c1d4664d2c204731e1b931
2014-04-19 08:08:53 -04:00
Björn Kimminich
c4fcb6c88c fixed documentation of suppressionFile parameter
Former-commit-id: 937974c6952f8ba4d90ece584c46ada635da1d50
2014-04-17 11:17:17 +02:00
Björn Kimminich
2390b20e68 extracted logger as field
Former-commit-id: 3a9819dcd526191bb7156d2012c248bb7914cf29
2014-04-16 16:35:40 +02:00
Jeremy Long
a6fd0434de made the settings ThreadLocal to solve a threading issue
Former-commit-id: 052839b76cd6d914e66c79b2fe88321eef735146
2014-04-16 08:19:35 -04:00
Jeremy Long
53b36472a0 initial base test class to support the new Settings implementation
Former-commit-id: 5414eb1c0b4b4e6c9462728f3ed0be270b2c8c01
2014-04-16 08:18:40 -04:00
Jeremy Long
ccefea6b59 added additional error handling
Former-commit-id: 7853689d3273afaa348a7e16c26d3c2cf14b5c9b
2014-04-16 08:13:38 -04:00
Jeremy Long
b24c63cb49 updated to support the new Settings implementation
Former-commit-id: 2e275cd7333b0e44b46745d5f51f89f3f1687b8f
2014-04-16 08:12:36 -04:00
Jeremy Long
38f69fd7cc updated to support the new Settings implementation
Former-commit-id: e2a2b98e2742580e52750a1a1bcdbeddae3c5787
2014-04-16 08:12:16 -04:00
Jeremy Long
6a9ea3bc0f updated to support the new Settings implementation
Former-commit-id: 7382682e8fe7ab4d93c19dc35c7e1c300fd02886
2014-04-16 08:11:56 -04:00
Jeremy Long
d1b4e93f9e updated to support the new Settings implementation
Former-commit-id: 50235f22de97afc2a352f8dc7d2de9120cf73c75
2014-04-16 08:11:09 -04:00
Jeremy Long
9a6a61151d minor javadoc update
Former-commit-id: 0611618b0abde40a3f8fd5cb98c63ae5cc71c387
2014-04-16 08:10:50 -04:00
Jeremy Long
497d0f0c74 removed un-needed methods
Former-commit-id: 8276c1e9554a1c69c764103611c53ef85803a006
2014-04-16 08:10:24 -04:00
Jeremy Long
ecf1c90c22 updated to support the new Settings implementation
Former-commit-id: 8ec7546bb8437406da724d7296fea765781a9640
2014-04-16 08:09:47 -04:00
Jeremy Long
1aa13c1c8c updated to support the new Settings implementation
Former-commit-id: 3e39bbadb32b7f3d447676ce04dfb7d4a22a4478
2014-04-16 08:09:24 -04:00
Jeremy Long
251ad23a9e removed unused methods
Former-commit-id: 9b66b0a3362d6299c9c9b61ad9267f80bfe6cdc4
2014-04-16 08:08:54 -04:00
Jeremy Long
22876e5a25 removed unused methods
Former-commit-id: 70d7e89ae7f62b42eb7fe2cd8085caa270c8f381
2014-04-16 08:08:36 -04:00
Jeremy Long
12162e2aae updated to support the new Settings implementation
Former-commit-id: 572697ad9f84f341e1ac5a4f4e6036df0ed02f3a
2014-04-16 08:07:52 -04:00
Jeremy Long
2af09fb49d updated to support the new Settings implementation
Former-commit-id: 58ea4b5d184999aa7c2f67e00374a7c52fef639f
2014-04-16 08:07:32 -04:00
Jeremy Long
c58589026c updated to support the new Settings implementation
Former-commit-id: 00b11fb5e4eb3c288d4017e8974dac39e7a6f2c6
2014-04-16 08:07:09 -04:00
Jeremy Long
5b83919eb2 updated to support the new Settings implementation
Former-commit-id: d559571b5adf664155b12075c7f42644c001d4be
2014-04-16 08:06:52 -04:00
Jeremy Long
f26f02c986 removed unused methods
Former-commit-id: cb23f2dbc928c46149be608144aa79fcdcd6e815
2014-04-16 08:04:46 -04:00
Jeremy Long
c5d16a49d0 updated to support the new Settings implementation
Former-commit-id: 00ccc5ae2b0ceac9b1bffae27e25dfb55b262f08
2014-04-16 08:04:13 -04:00
Jeremy Long
260b2c3532 updated to support the new Settings implementation
Former-commit-id: 9cbc15ce470881f316a8ede89b94c7122c1381c1
2014-04-16 08:03:55 -04:00
Jeremy Long
420da8f476 updated to support the new Settings implementation
Former-commit-id: 8eccff73254d27425813dfac1646b8832fac8604
2014-04-16 08:03:36 -04:00
Jeremy Long
c2a39d3296 updated to support the new Settings implementation
Former-commit-id: b2b4137934983f3688f115f31ced54004d33d2e9
2014-04-16 08:03:15 -04:00
Jeremy Long
6cd4bf337e updated to support the new Settings implementation
Former-commit-id: a530f8ae502e47345f36c1e563c001797b223280
2014-04-16 08:02:50 -04:00
Jeremy Long
095c48a942 updated to support the new Settings implementation
Former-commit-id: e34221085daf9880ce658cd71df15f9f8b0def9d
2014-04-16 08:02:24 -04:00
Jeremy Long
e61ef1ae85 updated to support the new Settings implementation
Former-commit-id: 9715d8c76c5667d813a64c56d74a366fa83d2470
2014-04-16 08:02:05 -04:00
Jeremy Long
886b21af68 updated to support the new Settings implementation
Former-commit-id: bc891a90f8e0d234fbefcd19bc559bf828af5636
2014-04-16 08:01:45 -04:00
Jeremy Long
7bba66737f updated to support the new Settings implementation
Former-commit-id: d6e86661ae20968179c729fd21bfb07df00858a7
2014-04-16 08:01:15 -04:00
Jeremy Long
52fd2772cf updated to support the new Settings implementation
Former-commit-id: c84709a4cf38a6e55166de59b6a8b372c1f082e4
2014-04-16 08:00:55 -04:00
Jeremy Long
48043b5ec4 updated to support the new Settings implementation
Former-commit-id: 39536545c92d2c56017a4a8279704f2184b8124c
2014-04-16 08:00:10 -04:00
Jeremy Long
1f67ae82bd updated to support the new Settings implementation
Former-commit-id: 624d4c04e4fa208ef0da60245ca20ca755610c81
2014-04-16 07:59:13 -04:00
Jeremy Long
e7749c161d updated to support the new Settings implementation
Former-commit-id: dd98df72654badebf3d4b7fa24da718ff588339d
2014-04-16 07:58:50 -04:00
Jeremy Long
144f913aa9 updated to support the new Settings implementation
Former-commit-id: 3b0db7eb50c088342b7c49d23f43ba23edd5458f
2014-04-16 07:58:28 -04:00
Jeremy Long
e28b6b9f73 updated to support the new Settings implementation
Former-commit-id: dd2d8cdd1c8688482752a8f1df2fc54ef6f638c8
2014-04-16 07:57:11 -04:00
Jeremy Long
691636de7b removed unused methods
Former-commit-id: 6e0577ad17ed28f5e6e4f72fa35c10c5250343b4
2014-04-16 07:56:51 -04:00
Jeremy Long
6f2b1b8f06 updated to support the new Settings implementation
Former-commit-id: 18ba158d3b4651b424ee2d3ec02907410f7ea8ba
2014-04-16 07:56:23 -04:00
Jeremy Long
139640e768 updated to support the new Settings implementation
Former-commit-id: 4731df058a88b10661ea70addb082aced7590e80
2014-04-16 07:55:56 -04:00
Jeremy Long
ae2fa19c0e updated documentation
Former-commit-id: c374ee235b5c0e1beff55f678e02523213ef5868
2014-04-13 07:47:50 -04:00
Jeremy Long
f8867abe49 reordered operations
Former-commit-id: 1a487bcc4400d881c8dda7118318b183a68a0fe3
2014-04-13 07:45:54 -04:00
Jeremy Long
fd83e72177 Merge branch 'master' of github.com:jeremylong/DependencyCheck
Former-commit-id: 3a30dd648eef49290e9290be719fb0eb25f79764
2014-04-12 05:33:02 -04:00
Jeremy Long
1ff45c8e02 improved error handling
Former-commit-id: f5086f9ebae6dab987fedf5e87d885c243af188e
2014-04-11 06:38:13 -04:00
Steve Springett
608c338403 Added archive support for JAR, SAR, and APK file formats. Ticket #106
Former-commit-id: 19991f8b32e746d9691e48eeac15343178dd3e99
2014-04-10 23:39:52 -05:00
Jeremy Long
f23da0dd5a updated connection string to use FILE_LOCK=SERIALIZED instead of AUTO_SERVER=TRUE
Former-commit-id: 59bc2334093063d99c67bcef2c73690895ce9c72
2014-04-09 06:40:25 -04:00
Jeremy Long
8c3f887cac redirected standard error to hide expected [fatal] message from being displayed during tests
Former-commit-id: 4a5d1e47a0e613e2b8a14e14fc8cd73b1bd4519a
2014-04-09 06:34:57 -04:00
Jeremy Long
6e6f16d6ee updated report to show suppressed vulnerabilities and identifiers per issue #66
Former-commit-id: 0669a01ae3cc11bbeb36951411e95d2a7f8c5cf8
2014-04-04 06:46:31 -04:00
Jeremy Long
8a83385c7f fixed formating in support of issue #66
Former-commit-id: 3b27d6fefb6745ffe2e6169d248166a3408791c9
2014-04-04 06:46:04 -04:00
Jeremy Long
147bc797a2 updated schema to 1.2 to support changes for issue #66
Former-commit-id: fc7d7e8b8453bb8065be1d83cbc7ce3d5f47ea88
2014-04-04 06:45:35 -04:00
Jeremy Long
1735f36b82 added to simplify velocity templates
Former-commit-id: 0d9c1624b7cc81a7843ff7db4488b115405a9e74
2014-04-02 06:54:25 -04:00
Jeremy Long
a782354874 Merge branch 'master' of github.com:jeremylong/DependencyCheck
Former-commit-id: 2ff2fbf86c9ebbf7bc1aec2aaf833bdd2ef00851
2014-04-02 06:52:59 -04:00
Jeremy Long
21a709cf89 simplified velocity report generation
Former-commit-id: dc690db1eb9186f1bfbf49472f893137e7602953
2014-04-02 06:52:26 -04:00
Jeremy Long
76a0c1d96e coveritys copy paste analysis is awsome - identified a real bug that has been fixed
Former-commit-id: bccecaef9181eeb60a79873ebefc6f8ead259f71
2014-03-31 21:32:38 -04:00
Jeremy Long
1c30e555dc updated test case to ensure suppressed vulnerabilities were tracked correctly per issue #66
Former-commit-id: 657213bab4b2f0a9538fb03319ff945971765b47
2014-03-30 06:31:52 -04:00
Jeremy Long
9bdff89833 Updated to support the tracking of suppressed CPE/CVE per issue #66
Former-commit-id: 12b514a914a1b1df96e92efd78e6a7ec6b9c42bd
2014-03-30 06:26:50 -04:00
Jeremy Long
08105eee48 updated to ignore coverity directory
Former-commit-id: 9db069c9e11d8a387dd944399023cb485ac4e63b
2014-03-30 06:25:56 -04:00
Steve Springett
40e13184ca Fix to prevent rules from being cached between Jenkins builds even if suppression file is not specified.
Former-commit-id: 860fded462d768acb207ebe35464936d7f80f59c
2014-03-29 22:57:44 -05:00
Jeremy Long
b5a65c5e43 updated commons-compress version
Former-commit-id: 4aeedcf31bb2a99b73c35aa68bd1dd1876512c67
2014-03-29 08:56:04 -04:00
Jeremy Long
7eac65fec2 specifically set InputStreamReader to use UTF-8
Former-commit-id: 517159b6d919a98d83ebbf1037b5d375285f8390
2014-03-29 08:37:39 -04:00
Jeremy Long
9bc974661c updated to version 1.1.5-SNAPSHOT
Former-commit-id: 529545190847cf43edec6934ab6393583adc6e47
2014-03-29 08:37:03 -04:00
Jeremy Long
b8c41a91e1 updated to version 1.1.5-SNAPSHOT
Former-commit-id: 09c36d34a5390b22e3a870c8317e8e309083b5f2
2014-03-29 08:36:43 -04:00
120 changed files with 1694 additions and 2027 deletions

.gitignore vendored

@@ -17,4 +17,6 @@ Gemfile
Gemfile.lock
_site/**
#unknown as to why these are showing up... but need to be ignored.
.LCKpom.xml~
.LCKpom.xml~
#coverity
/cov-int/


@@ -1,9 +0,0 @@
<?xml version="1.0"?>
<!DOCTYPE suppressions PUBLIC
"-//Puppy Crawl//DTD Suppressions 1.0//EN"
"http://www.puppycrawl.com/dtds/suppressions_1_0.dtd">
<suppressions>
<suppress checks=".*" files=".*[\\/]package-info\.java" />
</suppressions>


@@ -21,7 +21,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.1.4</version>
<version>1.2.0</version>
</parent>
<artifactId>dependency-check-ant</artifactId>
@@ -398,9 +398,9 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<version>2.11</version>
<configuration>
<enableRulesSummary>false</enableRulesSummary>
<configLocation>${basedir}/config/checkstyle-checks.xml</configLocation>
<headerLocation>${basedir}/config/checkstyle-header.txt</headerLocation>
<suppressionsLocation>${basedir}/config/checkstyle-suppressions.xml</suppressionsLocation>
<configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
<headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
<suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
</configuration>
</plugin>
@@ -412,6 +412,15 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<targetJdk>1.6</targetJdk>
<linkXref>true</linkXref>
<sourceEncoding>utf-8</sourceEncoding>
<excludes>
<exclude>**/generated/*.java</exclude>
</excludes>
<rulesets>
<ruleset>../src/main/config/dcrules.xml</ruleset>
<ruleset>/rulesets/java/basic.xml</ruleset>
<ruleset>/rulesets/java/imports.xml</ruleset>
<ruleset>/rulesets/java/unusedcode.xml</ruleset>
</rulesets>
</configuration>
</plugin>
<plugin>
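Review bot: The PMD ruleset entry `<ruleset>../src/main/config/dcrules.xml</ruleset>` is a bare relative path, while the checkstyle entries added in the same section anchor on `${basedir}/../src/main/config/...`; if the PMD plugin resolves relative ruleset paths against the working directory rather than the module directory, a build started from anywhere but the module folder would presumably fail to find the rules (or silently use a different file). Anchoring it the same way, `<ruleset>${basedir}/../src/main/config/dcrules.xml</ruleset>`, removes the ambiguity and keeps the two plugins consistent. Both forms also assume the module sits directly beside `src/main/config` in the parent layout, which is not visible here. The same ruleset entry appears in the dependency-check-cli pom section further down this page.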


@@ -62,6 +62,10 @@ public class DependencyCheckTask extends Task {
* System specific new line character.
*/
private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(DependencyCheckTask.class.getName());
/**
* Construct a new DependencyCheckTask.
@@ -882,7 +886,7 @@ public class DependencyCheckTask extends Task {
cve.open();
prop = cve.getDatabaseProperties();
} catch (DatabaseException ex) {
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "Unable to retrieve DB Properties", ex);
LOGGER.log(Level.FINE, "Unable to retrieve DB Properties", ex);
} finally {
if (cve != null) {
cve.close();
@@ -898,19 +902,17 @@ public class DependencyCheckTask extends Task {
showSummary(engine.getDependencies());
}
} catch (IOException ex) {
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE,
"Unable to generate dependency-check report", ex);
LOGGER.log(Level.FINE, "Unable to generate dependency-check report", ex);
throw new BuildException("Unable to generate dependency-check report", ex);
} catch (Exception ex) {
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE,
"An exception occurred; unable to continue task", ex);
LOGGER.log(Level.FINE, "An exception occurred; unable to continue task", ex);
throw new BuildException("An exception occurred; unable to continue task", ex);
}
} catch (DatabaseException ex) {
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.SEVERE,
"Unable to connect to the dependency-check database; analysis has stopped");
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "", ex);
LOGGER.log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped");
LOGGER.log(Level.FINE, "", ex);
} finally {
Settings.cleanup();
if (engine != null) {
engine.cleanup();
}
@@ -936,19 +938,20 @@ public class DependencyCheckTask extends Task {
* properties required to change the proxy url, port, and connection timeout.
*/
private void populateSettings() {
Settings.initialize();
InputStream taskProperties = null;
try {
taskProperties = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
Settings.mergeProperties(taskProperties);
} catch (IOException ex) {
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.WARNING, "Unable to load the dependency-check ant task.properties file.");
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.WARNING, "Unable to load the dependency-check ant task.properties file.");
LOGGER.log(Level.FINE, null, ex);
} finally {
if (taskProperties != null) {
try {
taskProperties.close();
} catch (IOException ex) {
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINEST, null, ex);
LOGGER.log(Level.FINEST, null, ex);
}
}
}
@@ -1098,7 +1101,7 @@ public class DependencyCheckTask extends Task {
final String msg = String.format("%n%n"
+ "One or more dependencies were identified with known vulnerabilities:%n%n%s"
+ "%n%nSee the dependency-check report for more details.%n%n", summary.toString());
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.WARNING, msg);
LOGGER.log(Level.WARNING, msg);
}
}
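Review bot: The `catch (DatabaseException ex)` branch that logs `Unable to connect to the dependency-check database; analysis has stopped` only logs and then falls into the new `finally` block, whereas the sibling `IOException` and `Exception` branches in the same hunk rethrow as `BuildException`; unless something after the hunk checks for the aborted analysis, the Ant task appears to complete normally with no scan performed, so a build using it as a vulnerability gate would stay green. Rethrowing keeps the branches consistent: `throw new BuildException("Unable to connect to the dependency-check database; analysis has stopped", ex);` (or gate it on a fail-on-error setting if the task has one outside this hunk). The enclosing method begins before the hunk, and the same log-and-continue pattern is visible in App.java's `catch (DatabaseException ex)` in the last section of this page. In `populateSettings`, `getResourceAsStream(PROPERTIES_FILE)` returns null when the resource is absent and the stream is passed straight to `Settings.mergeProperties`; whether that call tolerates null cannot be seen from here, so a `if (taskProperties == null) { ... }` guard with a WARNING log would make the failure explicit.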


@@ -18,14 +18,12 @@
package org.owasp.dependencycheck.taskdefs;
import java.io.File;
import static junit.framework.TestCase.assertTrue;
import org.apache.tools.ant.BuildFileTest;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase;
import org.owasp.dependencycheck.utils.Settings;
/**
*
@@ -33,20 +31,10 @@ import org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase;
*/
public class DependencyCheckTaskTest extends BuildFileTest {
public DependencyCheckTaskTest() {
}
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
@Before
@Override
public void setUp() throws Exception {
Settings.initialize();
BaseDBTestCase.ensureDBExists();
final String buildFile = this.getClass().getClassLoader().getResource("build.xml").getPath();
configureProject(buildFile);
@@ -57,6 +45,7 @@ public class DependencyCheckTaskTest extends BuildFileTest {
public void tearDown() {
//no cleanup...
//executeTarget("cleanup");
Settings.cleanup();
}
/**


@@ -1,223 +0,0 @@
<?xml version="1.0"?>
<!DOCTYPE module PUBLIC
"-//Puppy Crawl//DTD Check Configuration 1.3//EN"
"http://www.puppycrawl.com/dtds/configuration_1_3.dtd">
<module name="Checker">
<!--
If you set the basedir property below, then all reported file
names will be relative to the specified directory. See
http://checkstyle.sourceforge.net/5.x/config.html#Checker
<property name="basedir" value="${basedir}"/>
-->
<property name="severity" value="error"/>
<module name="SuppressionFilter">
<property name="file" value="${checkstyle.suppressions.file}"/>
</module>
<module name="JavadocPackage">
<property name="allowLegacy" value="false"/>
</module>
<module name="Translation">
<property name="severity" value="warning"/>
</module>
<module name="FileTabCharacter">
<property name="eachLine" value="false"/>
</module>
<module name="FileLength">
<property name="fileExtensions" value="java"/>
</module>
<module name="NewlineAtEndOfFile">
<property name="fileExtensions" value="java"/>
<property name="lineSeparator" value="lf"/>
</module>
<module name="RegexpHeader">
<property name="headerFile" value="${checkstyle.header.file}"/>
<property name="fileExtensions" value="java"/>
<property name="id" value="header"/>
</module>
<module name="RegexpSingleline">
<property name="format" value="\s+$"/>
<property name="minimum" value="0"/>
<property name="maximum" value="0"/>
</module>
<module name="TreeWalker">
<property name="tabWidth" value="4"/>
<module name="AvoidStarImport"/>
<module name="ConstantName"/>
<module name="EmptyBlock"/>
<module name="EmptyForIteratorPad"/>
<module name="EqualsHashCode"/>
<module name="OneStatementPerLine"/>
<!-- module name="IllegalCatch"/ -->
<!--module name="ImportControl">
<property name="file" value="${checkstyle.importcontrol.file}"/>
</module-->
<module name="IllegalImport"/>
<module name="IllegalInstantiation"/>
<module name="IllegalThrows"/>
<module name="InnerAssignment"/>
<module name="JavadocType">
<property name="authorFormat" value="\S"/>
</module>
<module name="JavadocMethod">
<property name="allowUndeclaredRTE" value="true"/>
<property name="allowThrowsTagsForSubclasses" value="true"/>
<property name="allowMissingPropertyJavadoc" value="true"/>
</module>
<module name="JavadocVariable"/>
<module name="JavadocStyle">
<property name="scope" value="public"/>
</module>
<module name="LeftCurly">
<property name="option" value="eol"/>
<property name="tokens" value="CLASS_DEF"/>
<property name="tokens" value="CTOR_DEF"/>
<property name="tokens" value="INTERFACE_DEF"/>
<property name="tokens" value="METHOD_DEF"/>
<property name="tokens" value="LITERAL_CATCH"/>
<property name="tokens" value="LITERAL_DO"/>
<property name="tokens" value="LITERAL_ELSE"/>
<property name="tokens" value="LITERAL_FINALLY"/>
<property name="tokens" value="LITERAL_FOR"/>
<property name="tokens" value="LITERAL_IF"/>
<property name="tokens" value="LITERAL_SWITCH"/>
<property name="tokens" value="LITERAL_SYNCHRONIZED"/>
<property name="tokens" value="LITERAL_TRY"/>
<property name="tokens" value="LITERAL_WHILE"/>
</module>
<module name="OuterTypeNumber"/>
<module name="LineLength">
<property name="ignorePattern" value="^ *\* *[^ ]+$"/>
<property name="max" value="150"/>
</module>
<module name="MethodCount">
<property name="maxTotal" value="40"/>
</module>
<module name="LocalFinalVariableName"/>
<module name="LocalVariableName"/>
<module name="MemberName">
<property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
</module>
<module name="MethodLength">
<property name="max" value="160"/>
<property name="countEmpty" value="false"/>
</module>
<module name="MethodName"/>
<module name="MethodParamPad"/>
<module name="ModifierOrder"/>
<module name="NeedBraces"/>
<module name="NoWhitespaceAfter">
<property name="tokens" value="ARRAY_INIT"/>
<property name="tokens" value="BNOT"/>
<property name="tokens" value="DEC"/>
<property name="tokens" value="DOT"/>
<property name="tokens" value="INC"/>
<property name="tokens" value="LNOT"/>
<property name="tokens" value="UNARY_MINUS"/>
<property name="tokens" value="UNARY_PLUS"/>
</module>
<module name="NoWhitespaceBefore"/>
<module name="NoWhitespaceBefore">
<property name="tokens" value="DOT"/>
<property name="allowLineBreaks" value="true"/>
</module>
<module name="OperatorWrap"/>
<module name="OperatorWrap">
<property name="tokens" value="ASSIGN"/>
<property name="tokens" value="DIV_ASSIGN"/>
<property name="tokens" value="PLUS_ASSIGN"/>
<property name="tokens" value="MINUS_ASSIGN"/>
<property name="tokens" value="STAR_ASSIGN"/>
<property name="tokens" value="MOD_ASSIGN"/>
<property name="tokens" value="SR_ASSIGN"/>
<property name="tokens" value="BSR_ASSIGN"/>
<property name="tokens" value="SL_ASSIGN"/>
<property name="tokens" value="BXOR_ASSIGN"/>
<property name="tokens" value="BOR_ASSIGN"/>
<property name="tokens" value="BAND_ASSIGN"/>
<property name="option" value="eol"/>
</module>
<module name="PackageName"/>
<module name="ParameterName">
<property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
</module>
<module name="ParameterNumber">
<property name="id" value="paramNum"/>
</module>
<module name="ParenPad"/>
<module name="TypecastParenPad"/>
<module name="RedundantImport"/>
<module name="RedundantModifier"/>
<module name="RightCurly">
<property name="option" value="same"/>
</module>
<module name="SimplifyBooleanExpression"/>
<module name="SimplifyBooleanReturn"/>
<module name="StaticVariableName">
<property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
</module>
<module name="TypeName"/>
<module name="UnusedImports"/>
<module name="UpperEll"/>
<module name="VisibilityModifier"/>
<module name="WhitespaceAfter"/>
<module name="WhitespaceAround"/>
<module name="GenericWhitespace"/>
<module name="FinalClass"/>
<module name="MissingSwitchDefault"/>
<!--module name="MagicNumber"/-->
<!--module name="Indentation">
<property name="basicOffset" value="4"/>
<property name="braceAdjustment" value="0"/>
<property name="caseIndent" value="0"/>
</module-->
<module name="ArrayTrailingComma"/>
<module name="FinalLocalVariable"/>
<module name="EqualsAvoidNull"/>
<module name="ParameterAssignment"/>
<!-- Generates quite a few errors -->
<module name="CyclomaticComplexity">
<property name="severity" value="ignore"/>
</module>
<module name="NestedForDepth">
<property name="max" value="2"/>
</module>
<module name="NestedIfDepth">
<property name="max" value="4"/>
</module>
<module name="NestedTryDepth">
<property name="max" value="2"/>
</module>
<!--module name="ExplicitInitialization"/-->
<module name="AnnotationUseStyle"/>
<module name="MissingDeprecated"/>
<module name="MissingOverride">
<property name="javaFiveCompatibility" value="true"/>
</module>
<module name="PackageAnnotation"/>
<module name="SuppressWarnings"/>
<module name="OuterTypeFilename"/>
<module name="HideUtilityClassConstructor"/>
</module>
</module>


@@ -1,18 +0,0 @@
^/\*\s*$
^ \* This file is part of dependency-check-cli\.\s*$
^ \*\s*$
^ \* Licensed under the Apache License, Version 2\.0 \(the "License"\);\s*$
^ \* you may not use this file except in compliance with the License.\s*$
^ \* You may obtain a copy of the License at\s*$
^ \*\s*$
^ \*\s*http://www.apache.org/licenses/LICENSE-2\.0\s*$
^ \*\s*$
^ \* Unless required by applicable law or agreed to in writing, software\s*$
^ \* distributed under the License is distributed on an "AS IS" BASIS,\s*$
^ \* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied\.\s*$
^ \* See the License for the specific language governing permissions and\s*$
^ \* limitations under the License\.\s*$
^ \*\s*$
^ \* Copyright \(c\) 201[234] (Jeremy Long|Steve Springett)\. All Rights Reserved\.\s*$
^ \*/\s*$
^package


@@ -1,9 +0,0 @@
<?xml version="1.0"?>
<!DOCTYPE suppressions PUBLIC
"-//Puppy Crawl//DTD Suppressions 1.0//EN"
"http://www.puppycrawl.com/dtds/suppressions_1_0.dtd">
<suppressions>
<suppress checks=".*" files=".*[\\/]package-info\.java" />
</suppressions>


@@ -21,7 +21,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.1.4</version>
<version>1.2.0</version>
</parent>
<artifactId>dependency-check-cli</artifactId>
@@ -248,16 +248,16 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<version>2.11</version>
<configuration>
<enableRulesSummary>false</enableRulesSummary>
<configLocation>${basedir}/config/checkstyle-checks.xml</configLocation>
<headerLocation>${basedir}/config/checkstyle-header.txt</headerLocation>
<suppressionsLocation>${basedir}/config/checkstyle-suppressions.xml</suppressionsLocation>
<configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
<headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
<suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<version>3.0.1</version>
<version>3.1</version>
<configuration>
<targetJdk>1.6</targetJdk>
<linkXref>true</linkXref>
@@ -265,6 +265,12 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<excludes>
<exclude>**/generated/*.java</exclude>
</excludes>
<rulesets>
<ruleset>../src/main/config/dcrules.xml</ruleset>
<ruleset>/rulesets/java/basic.xml</ruleset>
<ruleset>/rulesets/java/imports.xml</ruleset>
<ruleset>/rulesets/java/unusedcode.xml</ruleset>
</rulesets>
</configuration>
</plugin>
<plugin>


@@ -46,6 +46,11 @@ public class App {
*/
private static final String LOG_PROPERTIES_FILE = "log.properties";
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(App.class.getName());
/**
* The main method for the application.
*
@@ -82,7 +87,7 @@ public class App {
if (cli.isGetVersion()) {
cli.printVersionInfo();
} else if (cli.isRunScan()) {
updateSettings(cli);
populateSettings(cli);
runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles());
} else {
cli.printHelp();
@@ -115,7 +120,7 @@ public class App {
cve.open();
prop = cve.getDatabaseProperties();
} catch (DatabaseException ex) {
Logger.getLogger(App.class.getName()).log(Level.FINE, "Unable to retrieve DB Properties", ex);
LOGGER.log(Level.FINE, "Unable to retrieve DB Properties", ex);
} finally {
if (cve != null) {
cve.close();
@@ -125,16 +130,17 @@ public class App {
try {
report.generateReports(reportDirectory, outputFormat);
} catch (IOException ex) {
Logger.getLogger(App.class.getName()).log(Level.SEVERE, "There was an IO error while attempting to generate the report.");
Logger.getLogger(App.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.SEVERE, "There was an IO error while attempting to generate the report.");
LOGGER.log(Level.FINE, null, ex);
} catch (Throwable ex) {
Logger.getLogger(App.class.getName()).log(Level.SEVERE, "There was an error while attempting to generate the report.");
Logger.getLogger(App.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.SEVERE, "There was an error while attempting to generate the report.");
LOGGER.log(Level.FINE, null, ex);
}
} catch (DatabaseException ex) {
Logger.getLogger(App.class.getName()).log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped");
Logger.getLogger(App.class.getName()).log(Level.FINE, "", ex);
LOGGER.log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped");
LOGGER.log(Level.FINE, "", ex);
} finally {
Settings.cleanup();
if (scanner != null) {
scanner.cleanup();
}
@@ -147,7 +153,9 @@ public class App {
* @param cli a reference to the CLI Parser that contains the command line arguments used to set the corresponding
* settings in the core engine.
*/
private void updateSettings(CliParser cli) {
private void populateSettings(CliParser cli) {
Settings.initialize();
final boolean autoUpdate = cli.isAutoUpdate();
final String connectionTimeout = cli.getConnectionTimeout();
@@ -177,12 +185,12 @@ public class App {
Settings.mergeProperties(propertiesFile);
} catch (FileNotFoundException ex) {
final String msg = String.format("Unable to load properties file '%s'", propertiesFile.getPath());
Logger.getLogger(App.class.getName()).log(Level.SEVERE, msg);
Logger.getLogger(App.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.SEVERE, msg);
LOGGER.log(Level.FINE, null, ex);
} catch (IOException ex) {
final String msg = String.format("Unable to find properties file '%s'", propertiesFile.getPath());
Logger.getLogger(App.class.getName()).log(Level.SEVERE, msg);
Logger.getLogger(App.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.SEVERE, msg);
LOGGER.log(Level.FINE, null, ex);
}
}
// We have to wait until we've merged the properties before attempting to set whether we use
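Review bot: In the finally block of the @@ -125 hunk, `Settings.cleanup()` now runs before `scanner.cleanup()`, so if the scanner's cleanup (presumably Engine.cleanup()) consults any Settings key, such as a data or temp directory, it would execute against an already cleaned-up Settings instance; reversing the two statements, `if (scanner != null) { scanner.cleanup(); } Settings.cleanup();`, releases the engine first. The same ordering appears in the finally block of DependencyCheckScanAgent later in this compare. Separately, the two messages in populateSettings look swapped: the FileNotFoundException handler logs "Unable to load properties file" while the IOException handler logs "Unable to find properties file"; these are context lines the commit does not alter. Both the method around the report-generation hunks and populateSettings extend beyond the hunks shown.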


@@ -199,7 +199,7 @@ public final class CliParser {
.withDescription("The file path to write verbose logging information.")
.create(ArgumentName.VERBOSE_LOG_SHORT);
final Option suppressionFile = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.SUPPRESION_FILE)
final Option suppressionFile = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.SUPPRESSION_FILE)
.withDescription("The file path to the suppression XML file.")
.create();
@@ -301,7 +301,7 @@ public final class CliParser {
final Option additionalZipExtensions = OptionBuilder.withArgName("extensions").hasArg()
.withLongOpt(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS)
.withDescription("A comma seperated list of additional extensions to be scanned as ZIP files "
.withDescription("A comma separated list of additional extensions to be scanned as ZIP files "
+ "(ZIP, EAR, WAR are already treated as zip files)")
.create();
@@ -587,7 +587,7 @@ public final class CliParser {
* @return the path to the suppression file
*/
public String getSuppressionFile() {
return line.getOptionValue(ArgumentName.SUPPRESION_FILE);
return line.getOptionValue(ArgumentName.SUPPRESSION_FILE);
}
/**
@@ -791,7 +791,7 @@ public final class CliParser {
/**
* The CLI argument name for setting the location of the suppression file.
*/
public static final String SUPPRESION_FILE = "suppression";
public static final String SUPPRESSION_FILE = "suppression";
/**
* Disables the Jar Analyzer.
*/
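Review bot: Renaming the public constant `SUPPRESION_FILE` to `SUPPRESSION_FILE` in the last hunk is a source-incompatible change for any external code that references the old name, even though the option's string value "suppression", and therefore the command-line flag, is unchanged. If that compatibility matters, keep a deprecated alias next to the corrected constant: `@Deprecated public static final String SUPPRESION_FILE = SUPPRESSION_FILE;` with a Javadoc `@deprecated use {@link #SUPPRESSION_FILE}`. The enclosing constants class (ArgumentName, judging by the references in the first hunk) starts outside the hunk.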


@@ -29,6 +29,7 @@ import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.utils.Settings;
/**
*
@@ -38,10 +39,12 @@ public class CliParserTest {
@BeforeClass
public static void setUpClass() throws Exception {
Settings.initialize();
}
@AfterClass
public static void tearDownClass() throws Exception {
Settings.cleanup();
}
@Before


@@ -1,223 +0,0 @@
<?xml version="1.0"?>
<!DOCTYPE module PUBLIC
"-//Puppy Crawl//DTD Check Configuration 1.3//EN"
"http://www.puppycrawl.com/dtds/configuration_1_3.dtd">
<module name="Checker">
<!--
If you set the basedir property below, then all reported file
names will be relative to the specified directory. See
http://checkstyle.sourceforge.net/5.x/config.html#Checker
<property name="basedir" value="${basedir}"/>
-->
<property name="severity" value="error"/>
<module name="SuppressionFilter">
<property name="file" value="${checkstyle.suppressions.file}"/>
</module>
<module name="JavadocPackage">
<property name="allowLegacy" value="false"/>
</module>
<module name="Translation">
<property name="severity" value="warning"/>
</module>
<module name="FileTabCharacter">
<property name="eachLine" value="false"/>
</module>
<module name="FileLength">
<property name="fileExtensions" value="java"/>
</module>
<module name="NewlineAtEndOfFile">
<property name="fileExtensions" value="java"/>
<property name="lineSeparator" value="lf"/>
</module>
<module name="RegexpHeader">
<property name="headerFile" value="${checkstyle.header.file}"/>
<property name="fileExtensions" value="java"/>
<property name="id" value="header"/>
</module>
<module name="RegexpSingleline">
<property name="format" value="\s+$"/>
<property name="minimum" value="0"/>
<property name="maximum" value="0"/>
</module>
<module name="TreeWalker">
<property name="tabWidth" value="4"/>
<module name="AvoidStarImport"/>
<module name="ConstantName"/>
<module name="EmptyBlock"/>
<module name="EmptyForIteratorPad"/>
<module name="EqualsHashCode"/>
<module name="OneStatementPerLine"/>
<!-- module name="IllegalCatch"/ -->
<!--module name="ImportControl">
<property name="file" value="${checkstyle.importcontrol.file}"/>
</module-->
<module name="IllegalImport"/>
<module name="IllegalInstantiation"/>
<module name="IllegalThrows"/>
<module name="InnerAssignment"/>
<module name="JavadocType">
<property name="authorFormat" value="\S"/>
</module>
<module name="JavadocMethod">
<property name="allowUndeclaredRTE" value="true"/>
<property name="allowThrowsTagsForSubclasses" value="true"/>
<property name="allowMissingPropertyJavadoc" value="true"/>
</module>
<module name="JavadocVariable"/>
<module name="JavadocStyle">
<property name="scope" value="public"/>
</module>
<module name="LeftCurly">
<property name="option" value="eol"/>
<property name="tokens" value="CLASS_DEF"/>
<property name="tokens" value="CTOR_DEF"/>
<property name="tokens" value="INTERFACE_DEF"/>
<property name="tokens" value="METHOD_DEF"/>
<property name="tokens" value="LITERAL_CATCH"/>
<property name="tokens" value="LITERAL_DO"/>
<property name="tokens" value="LITERAL_ELSE"/>
<property name="tokens" value="LITERAL_FINALLY"/>
<property name="tokens" value="LITERAL_FOR"/>
<property name="tokens" value="LITERAL_IF"/>
<property name="tokens" value="LITERAL_SWITCH"/>
<property name="tokens" value="LITERAL_SYNCHRONIZED"/>
<property name="tokens" value="LITERAL_TRY"/>
<property name="tokens" value="LITERAL_WHILE"/>
</module>
<module name="OuterTypeNumber"/>
<module name="LineLength">
<property name="ignorePattern" value="^ *\* *[^ ]+$"/>
<property name="max" value="150"/>
</module>
<module name="MethodCount">
<property name="maxTotal" value="40"/>
</module>
<module name="LocalFinalVariableName"/>
<module name="LocalVariableName"/>
<module name="MemberName">
<property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
</module>
<module name="MethodLength">
<property name="max" value="160"/>
<property name="countEmpty" value="false"/>
</module>
<module name="MethodName"/>
<module name="MethodParamPad"/>
<module name="ModifierOrder"/>
<module name="NeedBraces"/>
<module name="NoWhitespaceAfter">
<property name="tokens" value="ARRAY_INIT"/>
<property name="tokens" value="BNOT"/>
<property name="tokens" value="DEC"/>
<property name="tokens" value="DOT"/>
<property name="tokens" value="INC"/>
<property name="tokens" value="LNOT"/>
<property name="tokens" value="UNARY_MINUS"/>
<property name="tokens" value="UNARY_PLUS"/>
</module>
<module name="NoWhitespaceBefore"/>
<module name="NoWhitespaceBefore">
<property name="tokens" value="DOT"/>
<property name="allowLineBreaks" value="true"/>
</module>
<module name="OperatorWrap"/>
<module name="OperatorWrap">
<property name="tokens" value="ASSIGN"/>
<property name="tokens" value="DIV_ASSIGN"/>
<property name="tokens" value="PLUS_ASSIGN"/>
<property name="tokens" value="MINUS_ASSIGN"/>
<property name="tokens" value="STAR_ASSIGN"/>
<property name="tokens" value="MOD_ASSIGN"/>
<property name="tokens" value="SR_ASSIGN"/>
<property name="tokens" value="BSR_ASSIGN"/>
<property name="tokens" value="SL_ASSIGN"/>
<property name="tokens" value="BXOR_ASSIGN"/>
<property name="tokens" value="BOR_ASSIGN"/>
<property name="tokens" value="BAND_ASSIGN"/>
<property name="option" value="eol"/>
</module>
<module name="PackageName"/>
<module name="ParameterName">
<property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
</module>
<module name="ParameterNumber">
<property name="id" value="paramNum"/>
</module>
<module name="ParenPad"/>
<module name="TypecastParenPad"/>
<module name="RedundantImport"/>
<module name="RedundantModifier"/>
<module name="RightCurly">
<property name="option" value="same"/>
</module>
<module name="SimplifyBooleanExpression"/>
<module name="SimplifyBooleanReturn"/>
<module name="StaticVariableName">
<property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
</module>
<module name="TypeName"/>
<module name="UnusedImports"/>
<module name="UpperEll"/>
<module name="VisibilityModifier"/>
<module name="WhitespaceAfter"/>
<module name="WhitespaceAround"/>
<module name="GenericWhitespace"/>
<module name="FinalClass"/>
<module name="MissingSwitchDefault"/>
<!--module name="MagicNumber"/-->
<!--module name="Indentation">
<property name="basicOffset" value="4"/>
<property name="braceAdjustment" value="0"/>
<property name="caseIndent" value="0"/>
</module-->
<module name="ArrayTrailingComma"/>
<module name="FinalLocalVariable"/>
<module name="EqualsAvoidNull"/>
<module name="ParameterAssignment"/>
<!-- Generates quite a few errors -->
<module name="CyclomaticComplexity">
<property name="severity" value="ignore"/>
</module>
<module name="NestedForDepth">
<property name="max" value="2"/>
</module>
<module name="NestedIfDepth">
<property name="max" value="4"/>
</module>
<module name="NestedTryDepth">
<property name="max" value="2"/>
</module>
<!--module name="ExplicitInitialization"/-->
<module name="AnnotationUseStyle"/>
<module name="MissingDeprecated"/>
<module name="MissingOverride">
<property name="javaFiveCompatibility" value="true"/>
</module>
<module name="PackageAnnotation"/>
<module name="SuppressWarnings"/>
<module name="OuterTypeFilename"/>
<module name="HideUtilityClassConstructor"/>
</module>
</module>


@@ -1,18 +0,0 @@
^/\*\s*$
^ \* This file is part of dependency-check-core\.\s*$
^ \*\s*$
^ \* Licensed under the Apache License, Version 2\.0 \(the "License"\);\s*$
^ \* you may not use this file except in compliance with the License.\s*$
^ \* You may obtain a copy of the License at\s*$
^ \*\s*$
^ \*\s*http://www.apache.org/licenses/LICENSE-2\.0\s*$
^ \*\s*$
^ \* Unless required by applicable law or agreed to in writing, software\s*$
^ \* distributed under the License is distributed on an "AS IS" BASIS,\s*$
^ \* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied\.\s*$
^ \* See the License for the specific language governing permissions and\s*$
^ \* limitations under the License\.\s*$
^ \*\s*$
^ \* Copyright \(c\) 201[234] (Jeremy Long|Steve Springett)\. All Rights Reserved\.\s*$
^ \*/\s*$
^package


@@ -21,7 +21,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.1.4</version>
<version>1.2.0</version>
</parent>
<artifactId>dependency-check-core</artifactId>
@@ -348,16 +348,16 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<version>2.11</version>
<configuration>
<enableRulesSummary>false</enableRulesSummary>
<configLocation>${basedir}/config/checkstyle-checks.xml</configLocation>
<headerLocation>${basedir}/config/checkstyle-header.txt</headerLocation>
<suppressionsLocation>${basedir}/config/checkstyle-suppressions.xml</suppressionsLocation>
<configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
<headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
<suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<version>3.0.1</version>
<version>3.1</version>
<configuration>
<targetJdk>1.6</targetJdk>
<linkXref>true</linkXref>
@@ -365,6 +365,12 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<excludes>
<exclude>**/generated/*.java</exclude>
</excludes>
<rulesets>
<ruleset>../src/main/config/dcrules.xml</ruleset>
<ruleset>/rulesets/java/basic.xml</ruleset>
<ruleset>/rulesets/java/imports.xml</ruleset>
<ruleset>/rulesets/java/unusedcode.xml</ruleset>
</rulesets>
</configuration>
</plugin>
<plugin>
@@ -410,6 +416,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<artifactId>commons-cli</artifactId>
<version>1.2</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId>
<version>1.8</version>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
@@ -495,11 +506,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<version>1.7.2</version>
<type>jar</type>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId>
<version>1.5</version>
</dependency>
<!-- The following dependencies are only used during testing -->
<dependency>
<groupId>org.apache.maven.scm</groupId>
@@ -588,6 +594,13 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<scope>provided</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>com.google.inject</groupId>
<artifactId>guice</artifactId>
<version>3.0</version>
<scope>provided</scope>
<optional>true</optional>
</dependency>
</dependencies>
<profiles>
<profile>
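Review bot: The checkstyle configuration now points at `${basedir}/../src/main/config/...` while the new PMD ruleset in the next plugin block uses the bare relative path `../src/main/config/dcrules.xml`; unless the PMD plugin is known to resolve relative rulesets against the module basedir, that path depends on the directory Maven is invoked from, and writing it as `${basedir}/../src/main/config/dcrules.xml` makes the two plugins agree. Both forms tie this module's build to the sibling checkout of the parent's src/main/config, which a standalone build of the module outside the multi-module tree will not have, so a short XML comment above `<configLocation>` noting that dependency would help the next maintainer. The dependency-check-cli pom at the top of this compare carries the identical change.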


@@ -66,6 +66,14 @@ public class Engine {
* A Map of analyzers grouped by Analysis phase.
*/
private final Set<FileTypeAnalyzer> fileTypeAnalyzers;
/**
* The ClassLoader to use when dynamically loading Analyzer and Update services.
*/
private ClassLoader serviceClassLoader;
/**
* The Logger for use throughout the class.
*/
private static final Logger LOGGER = Logger.getLogger(Engine.class.getName());
/**
* Creates a new Engine.
@@ -73,9 +81,20 @@ public class Engine {
* @throws DatabaseException thrown if there is an error connecting to the database
*/
public Engine() throws DatabaseException {
this(Thread.currentThread().getContextClassLoader());
}
/**
* Creates a new Engine using the specified classloader to dynamically load Analyzer and Update services.
*
* @param serviceClassLoader the ClassLoader to use when dynamically loading Analyzer and Update services
* @throws DatabaseException thrown if there is an error connecting to the database
*/
public Engine(ClassLoader serviceClassLoader) throws DatabaseException {
this.dependencies = new ArrayList<Dependency>();
this.analyzers = new EnumMap<AnalysisPhase, List<Analyzer>>(AnalysisPhase.class);
this.fileTypeAnalyzers = new HashSet<FileTypeAnalyzer>();
this.serviceClassLoader = serviceClassLoader;
ConnectionFactory.initialize();
@@ -83,7 +102,7 @@ public class Engine {
try {
autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
} catch (InvalidSettingException ex) {
Logger.getLogger(Engine.class.getName()).log(Level.FINE, "Invalid setting for auto-update; using true.");
LOGGER.log(Level.FINE, "Invalid setting for auto-update; using true.");
}
if (autoUpdate) {
doUpdates();
@@ -107,7 +126,7 @@ public class Engine {
analyzers.put(phase, new ArrayList<Analyzer>());
}
final AnalyzerService service = AnalyzerService.getInstance();
final AnalyzerService service = new AnalyzerService(serviceClassLoader);
final Iterator<Analyzer> iterator = service.getAnalyzers();
while (iterator.hasNext()) {
final Analyzer a = iterator.next();
@@ -175,7 +194,7 @@ public class Engine {
scan(files);
} else {
final String msg = String.format("Invalid file path provided to scan '%s'", path);
Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg);
LOGGER.log(Level.SEVERE, msg);
}
} else {
final File file = new File(path);
@@ -269,7 +288,7 @@ public class Engine {
protected void scanFile(File file) {
if (!file.isFile()) {
final String msg = String.format("Path passed to scanFile(File) is not a file: %s. Skipping the file.", file.toString());
Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
LOGGER.log(Level.FINE, msg);
return;
}
final String fileName = file.getName();
@@ -282,7 +301,7 @@ public class Engine {
} else {
final String msg = String.format("No file extension found on file '%s'. The file was not analyzed.",
file.toString());
Logger.getLogger(Engine.class.getName()).log(Level.FINEST, msg);
LOGGER.log(Level.FINEST, msg);
}
}
@@ -295,13 +314,13 @@ public class Engine {
ensureDataExists();
} catch (NoDataException ex) {
final String msg = String.format("%s%n%nUnable to continue dependency-check analysis.", ex.getMessage());
Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg);
Logger.getLogger(Engine.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.SEVERE, msg);
LOGGER.log(Level.FINE, null, ex);
return;
} catch (DatabaseException ex) {
final String msg = String.format("%s%n%nUnable to continue dependency-check analysis.", ex.getMessage());
Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg);
Logger.getLogger(Engine.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.SEVERE, msg);
LOGGER.log(Level.FINE, null, ex);
return;
}
@@ -310,8 +329,8 @@ public class Engine {
+ "----------------------------------------------------%n"
+ "BEGIN ANALYSIS%n"
+ "----------------------------------------------------");
Logger.getLogger(Engine.class.getName()).log(Level.FINE, logHeader);
Logger.getLogger(Engine.class.getName()).log(Level.INFO, "Analysis Starting");
LOGGER.log(Level.FINE, logHeader);
LOGGER.log(Level.INFO, "Analysis Starting");
// analysis phases
for (AnalysisPhase phase : AnalysisPhase.values()) {
@@ -325,7 +344,7 @@ public class Engine {
* This is okay for adds/deletes because it happens per analyzer.
*/
final String msg = String.format("Begin Analyzer '%s'", a.getName());
Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
LOGGER.log(Level.FINE, msg);
final Set<Dependency> dependencySet = new HashSet<Dependency>();
dependencySet.addAll(dependencies);
for (Dependency d : dependencySet) {
@@ -336,18 +355,18 @@ public class Engine {
}
if (shouldAnalyze) {
final String msgFile = String.format("Begin Analysis of '%s'", d.getActualFilePath());
Logger.getLogger(Engine.class.getName()).log(Level.FINE, msgFile);
LOGGER.log(Level.FINE, msgFile);
try {
a.analyze(d, this);
} catch (AnalysisException ex) {
final String exMsg = String.format("An error occured while analyzing '%s'.", d.getActualFilePath());
Logger.getLogger(Engine.class.getName()).log(Level.WARNING, exMsg);
Logger.getLogger(Engine.class.getName()).log(Level.FINE, "", ex);
final String exMsg = String.format("An error occurred while analyzing '%s'.", d.getActualFilePath());
LOGGER.log(Level.WARNING, exMsg);
LOGGER.log(Level.FINE, "", ex);
} catch (Throwable ex) {
final String axMsg = String.format("An unexpected error occurred during analysis of '%s'", d.getActualFilePath());
//final AnalysisException ax = new AnalysisException(axMsg, ex);
Logger.getLogger(Engine.class.getName()).log(Level.WARNING, axMsg);
Logger.getLogger(Engine.class.getName()).log(Level.FINE, "", ex);
LOGGER.log(Level.WARNING, axMsg);
LOGGER.log(Level.FINE, "", ex);
}
}
}
@@ -365,8 +384,8 @@ public class Engine {
+ "----------------------------------------------------%n"
+ "END ANALYSIS%n"
+ "----------------------------------------------------");
Logger.getLogger(Engine.class.getName()).log(Level.FINE, logFooter);
Logger.getLogger(Engine.class.getName()).log(Level.INFO, "Analysis Complete");
LOGGER.log(Level.FINE, logFooter);
LOGGER.log(Level.INFO, "Analysis Complete");
}
/**
@@ -377,16 +396,16 @@ public class Engine {
private void initializeAnalyzer(Analyzer analyzer) {
try {
final String msg = String.format("Initializing %s", analyzer.getName());
Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
LOGGER.log(Level.FINE, msg);
analyzer.initialize();
} catch (Throwable ex) {
final String msg = String.format("Exception occurred initializing %s.", analyzer.getName());
Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg);
Logger.getLogger(Engine.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.SEVERE, msg);
LOGGER.log(Level.FINE, null, ex);
try {
analyzer.close();
} catch (Throwable ex1) {
Logger.getLogger(Engine.class.getName()).log(Level.FINEST, null, ex1);
LOGGER.log(Level.FINEST, null, ex1);
}
}
}
@@ -398,11 +417,11 @@ public class Engine {
*/
private void closeAnalyzer(Analyzer analyzer) {
final String msg = String.format("Closing Analyzer '%s'", analyzer.getName());
Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
LOGGER.log(Level.FINE, msg);
try {
analyzer.close();
} catch (Throwable ex) {
Logger.getLogger(Engine.class.getName()).log(Level.FINEST, null, ex);
LOGGER.log(Level.FINEST, null, ex);
}
}
@@ -410,16 +429,16 @@ public class Engine {
* Cycles through the cached web data sources and calls update on all of them.
*/
private void doUpdates() {
final UpdateService service = UpdateService.getInstance();
final UpdateService service = new UpdateService(serviceClassLoader);
final Iterator<CachedWebDataSource> iterator = service.getDataSources();
while (iterator.hasNext()) {
final CachedWebDataSource source = iterator.next();
try {
source.update();
} catch (UpdateException ex) {
Logger.getLogger(Engine.class.getName()).log(Level.WARNING,
LOGGER.log(Level.WARNING,
"Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.");
Logger.getLogger(Engine.class.getName()).log(Level.FINE,
LOGGER.log(Level.FINE,
String.format("Unable to update details for %s", source.getClass().getName()), ex);
}
}
@@ -483,5 +502,4 @@ public class Engine {
throw new NoDataException("No documents exist");
}
}
}
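Review bot: `serviceClassLoader` is assigned exactly once, in the new constructor, and never reassigned, so it should be declared `private final ClassLoader serviceClassLoader;` like the collection fields above it; leaving it mutable hints at a setter that does not exist. The field is read by `new AnalyzerService(serviceClassLoader)` in the @@ -107 hunk and by `new UpdateService(serviceClassLoader)` in `doUpdates()`, and `doUpdates()` is invoked from the constructor, so the assignment must stay ahead of `ConnectionFactory.initialize()` as it is now; a comment such as `// must be set before doUpdates() runs below` would protect that ordering. The no-arg constructor forwards `Thread.currentThread().getContextClassLoader()`, which may be null; that is acceptable because ServiceLoader.load(Class, ClassLoader) falls back to the system class loader for null, and the Javadoc of the ClassLoader constructor should say so, since the loader passed here decides which Analyzer and CachedWebDataSource implementations are discovered and executed. The constructor body and the analyzer-loading method both continue outside the hunks shown.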


@@ -64,7 +64,10 @@ public class DependencyCheckScanAgent {
* System specific new line character.
*/
private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();
/**
* Logger for use throughout the class.
*/
private static final Logger LOGGER = Logger.getLogger(DependencyCheckScanAgent.class.getName());
/**
* The application name for the report.
*/
@@ -747,16 +750,9 @@ public class DependencyCheckScanAgent {
private Engine executeDependencyCheck() throws DatabaseException {
populateSettings();
Engine engine = null;
try {
engine = new Engine();
engine.setDependencies(this.dependencies);
engine.analyzeDependencies();
} finally {
if (engine != null) {
engine.cleanup();
}
}
engine = new Engine();
engine.setDependencies(this.dependencies);
engine.analyzeDependencies();
return engine;
}
@@ -774,7 +770,7 @@ public class DependencyCheckScanAgent {
cve.open();
prop = cve.getDatabaseProperties();
} catch (DatabaseException ex) {
Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.FINE, "Unable to retrieve DB Properties", ex);
LOGGER.log(Level.FINE, "Unable to retrieve DB Properties", ex);
} finally {
if (cve != null) {
cve.close();
@@ -784,13 +780,13 @@ public class DependencyCheckScanAgent {
try {
r.generateReports(outDirectory.getCanonicalPath(), this.reportFormat.name());
} catch (IOException ex) {
Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.SEVERE,
LOGGER.log(Level.SEVERE,
"Unexpected exception occurred during analysis; please see the verbose error log for more details.");
Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
} catch (Throwable ex) {
Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.SEVERE,
LOGGER.log(Level.SEVERE,
"Unexpected exception occurred during analysis; please see the verbose error log for more details.");
Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
}
}
@@ -799,6 +795,7 @@ public class DependencyCheckScanAgent {
* properties required to change the proxy url, port, and connection timeout.
*/
private void populateSettings() {
Settings.initialize();
if (dataDirectory != null) {
Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
} else {
@@ -887,10 +884,11 @@ public class DependencyCheckScanAgent {
checkForFailure(engine.getDependencies());
}
} catch (DatabaseException ex) {
Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.SEVERE,
LOGGER.log(Level.SEVERE,
"Unable to connect to the dependency-check database; analysis has stopped");
Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.FINE, "", ex);
LOGGER.log(Level.FINE, "", ex);
} finally {
Settings.cleanup();
if (engine != null) {
engine.cleanup();
}
@@ -966,7 +964,7 @@ public class DependencyCheckScanAgent {
final String msg = String.format("%n%n"
+ "One or more dependencies were identified with known vulnerabilities:%n%n%s"
+ "%n%nSee the dependency-check report for more details.%n%n", summary.toString());
Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.WARNING, msg);
LOGGER.log(Level.WARNING, msg);
}
}
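Review bot: `executeDependencyCheck()` no longer cleans up the Engine on failure: once `new Engine()` has succeeded, an exception from `setDependencies` or `analyzeDependencies` propagates before the reference is returned, so the caller's `engine` local stays null and its finally block (`if (engine != null) { engine.cleanup(); }`) never releases the analyzers and database resources the engine opened. Releasing the engine on the failure path inside the method, while still handing it to the caller on success, closes that gap; the rewritten method is below. The assignment `engine = executeDependencyCheck()` that the caller's finally relies on lies outside the hunk, as does the rest of the calling method.
```java
private Engine executeDependencyCheck() throws DatabaseException {
    populateSettings();
    final Engine engine = new Engine();
    boolean completed = false;
    try {
        engine.setDependencies(this.dependencies);
        engine.analyzeDependencies();
        completed = true;
    } finally {
        // the caller only receives the engine on success; release it here otherwise
        if (!completed) {
            engine.cleanup();
        }
    }
    return engine;
}
```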


@@ -45,7 +45,7 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
try {
enabled = Settings.getBoolean(key, true);
} catch (InvalidSettingException ex) {
String msg = String.format("Invalid settting for property '%s'", key);
String msg = String.format("Invalid setting for property '%s'", key);
LOGGER.log(Level.WARNING, msg);
LOGGER.log(Level.FINE, "", ex);
msg = String.format("%s has been disabled", getName());
@@ -54,7 +54,7 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
}
//</editor-fold>
//<editor-fold defaultstate="collapsed" desc="Field defentitions">
//<editor-fold defaultstate="collapsed" desc="Field definitions">
/**
* The logger.
*/
@@ -194,7 +194,7 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
if (ext == null) {
final String msg = String.format("The '%s' analyzer is misconfigured and does not have any file extensions;"
+ " it will be disabled", getName());
Logger.getLogger(AbstractFileTypeAnalyzer.class.getName()).log(Level.SEVERE, msg);
LOGGER.log(Level.SEVERE, msg);
return false;
} else {
final boolean match = ext.contains(extension);


@@ -19,6 +19,7 @@ package org.owasp.dependencycheck.analyzer;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.List;
@@ -41,6 +42,11 @@ import org.owasp.dependencycheck.utils.Settings;
*/
public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
/**
* The Logger for use throughout the class
*/
private static final Logger LOGGER = Logger.getLogger(AbstractSuppressionAnalyzer.class.getName());
//<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
/**
* Returns a list of file EXTENSIONS supported by this analyzer.
@@ -62,6 +68,7 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
super.initialize();
loadSuppressionData();
}
/**
* The list of suppression rules
*/
@@ -110,40 +117,56 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
}
} else {
file = new File(suppressionFilePath);
if (!file.exists()) {
final InputStream suppressionsFromClasspath = this.getClass().getClassLoader().getResourceAsStream(suppressionFilePath);
if (suppressionsFromClasspath != null) {
deleteTempFile = true;
file = FileUtils.getTempFile("suppression", "xml");
try {
org.apache.commons.io.FileUtils.copyInputStreamToFile(suppressionsFromClasspath, file);
} catch (IOException ex) {
throwSuppressionParseException("Unable to locate suppressions file in classpath", ex);
}
}
}
}
if (file != null) {
final SuppressionParser parser = new SuppressionParser();
try {
rules = parser.parseSuppressionRules(file);
Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, rules.size() + " suppression rules were loaded.");
LOGGER.log(Level.FINE, rules.size() + " suppression rules were loaded.");
} catch (SuppressionParseException ex) {
final String msg = String.format("Unable to parse suppression xml file '%s'", file.getPath());
Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING, msg);
Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING, ex.getMessage());
Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, "", ex);
LOGGER.log(Level.WARNING, msg);
LOGGER.log(Level.WARNING, ex.getMessage());
LOGGER.log(Level.FINE, "", ex);
throw ex;
}
}
} catch (DownloadFailedException ex) {
Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING,
"Unable to fetch the configured suppression file");
Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, "", ex);
throw new SuppressionParseException("Unable to fetch the configured suppression file", ex);
throwSuppressionParseException("Unable to fetch the configured suppression file", ex);
} catch (MalformedURLException ex) {
Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING,
"Configured suppression file has an invalid URL");
Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, "", ex);
throw new SuppressionParseException("Configured suppression file has an invalid URL", ex);
throwSuppressionParseException("Configured suppression file has an invalid URL", ex);
} catch (IOException ex) {
Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING,
"Unable to create temp file for suppressions");
Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, "", ex);
throw new SuppressionParseException("Unable to create temp file for suppressions", ex);
throwSuppressionParseException("Unable to create temp file for suppressions", ex);
} finally {
if (deleteTempFile && file != null) {
FileUtils.delete(file);
}
}
}
/**
* Utility method to throw parse exceptions.
*
* @param message the exception message
* @param exception the cause of the exception
* @throws SuppressionParseException throws the generated SuppressionParseException
*/
private void throwSuppressionParseException(String message, Exception exception) throws SuppressionParseException {
LOGGER.log(Level.WARNING, message);
LOGGER.log(Level.FINE, "", exception);
throw new SuppressionParseException(message, exception);
}
}


@@ -21,15 +21,13 @@ import java.util.Iterator;
import java.util.ServiceLoader;
/**
* The Analyzer Service Loader. This class loads all services that implement
* org.owasp.dependencycheck.analyzer.Analyzer.
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public final class AnalyzerService {
public class AnalyzerService {
/**
* The analyzer service singleton.
*/
private static AnalyzerService service;
/**
* The service loader for analyzers.
*/
@@ -37,21 +35,11 @@ public final class AnalyzerService {
/**
* Creates a new instance of AnalyzerService.
*/
private AnalyzerService() {
loader = ServiceLoader.load(Analyzer.class);
}
/**
* Retrieve the singleton instance of AnalyzerService.
*
* @return a singleton AnalyzerService.
* @param classLoader the ClassLoader to use when dynamically loading Analyzer and Update services
*/
public static synchronized AnalyzerService getInstance() {
if (service == null) {
service = new AnalyzerService();
}
return service;
public AnalyzerService(ClassLoader classLoader) {
loader = ServiceLoader.load(Analyzer.class, classLoader);
}
/**
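Review bot: The Javadoc on the new constructor (L1767) says the ClassLoader is used for "Analyzer and Update services", but the body only calls `ServiceLoader.load(Analyzer.class, classLoader)`; the tag should read `@param classLoader the ClassLoader used to discover Analyzer implementations via ServiceLoader (null falls back to the system class loader, per ServiceLoader's contract)`. Accepting a caller-supplied loader also moves a trust boundary: any jar reachable from that loader can now register an Analyzer, which the removed singleton on the context loader did not permit, so a sentence in the class Javadoc telling embedders they are responsible for what the loader can see would be worthwhile. The class also lost its `final` modifier at L1748 with no visible reason; if subclassing is not intended, keep it. The class body continues outside the hunk.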


@@ -92,7 +92,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
/**
* The set of things we can handle with Zip methods
*/
private static final Set<String> ZIPPABLES = newHashSet("zip", "ear", "war", "nupkg");
private static final Set<String> ZIPPABLES = newHashSet("zip", "ear", "war", "jar", "sar", "apk", "nupkg");
/**
* The set of file extensions supported by this analyzer. Note for developers, any additions to this list will need
* to be explicitly handled in extractFiles().
@@ -157,12 +157,6 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
@Override
public void initializeFileTypeAnalyzer() throws Exception {
final File baseDir = Settings.getTempDirectory();
if (!baseDir.exists()) {
if (!baseDir.mkdirs()) {
final String msg = String.format("Unable to make a temporary folder '%s'", baseDir.getPath());
throw new AnalysisException(msg);
}
}
tempFileLocation = File.createTempFile("check", "tmp", baseDir);
if (!tempFileLocation.delete()) {
final String msg = String.format("Unable to delete temporary file '%s'.", tempFileLocation.getAbsolutePath());
@@ -351,13 +345,11 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
}
bos.flush();
} catch (FileNotFoundException ex) {
Logger.getLogger(ArchiveAnalyzer.class
.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
final String msg = String.format("Unable to find file '%s'.", file.getName());
throw new AnalysisException(msg, ex);
} catch (IOException ex) {
Logger.getLogger(ArchiveAnalyzer.class
.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
final String msg = String.format("IO Exception while parsing file '%s'.", file.getName());
throw new AnalysisException(msg, ex);
} finally {
@@ -365,8 +357,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
try {
bos.close();
} catch (IOException ex) {
Logger.getLogger(ArchiveAnalyzer.class
.getName()).log(Level.FINEST, null, ex);
LOGGER.log(Level.FINEST, null, ex);
}
}
}
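Review bot: Adding `jar`, `sar` and `apk` to ZIPPABLES at L1786 sends more untrusted archives through the zip extraction path, and nothing in this hunk shows extractFiles() (outside the hunk) checking entry names against the extraction directory, so an entry such as `../../x` in a scanned archive could be written outside the temp folder if that guard is absent. If it is, a containment check before each write would close it: `if (!target.getCanonicalPath().startsWith(base.getCanonicalPath() + File.separator)) throw new AnalysisException("Archive entry outside extraction directory: " + entry.getName());` — hedged, since the extractor itself is not visible here. Separately, dropping the mkdirs block in initializeFileTypeAnalyzer (L1793-L1800) leaves `File.createTempFile` to fail with a bare IOException if `Settings.getTempDirectory()` does not create the directory; presumably it now does, but a comment such as `// Settings.getTempDirectory() is responsible for creating the directory` at L1793 would make that contract explicit. initializeFileTypeAnalyzer continues past L1802, outside the hunk.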


@@ -61,7 +61,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
/**
* The list of supported extensions
*/
private static final Set<String> SUPORTED_EXTENSIONS = newHashSet("dll", "exe");
private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("dll", "exe");
/**
* The temp value for GrokAssembly.exe
*/
@@ -73,7 +73,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
/**
* Logger
*/
private static final Logger LOG = Logger.getLogger(AssemblyAnalyzer.class.getName());
private static final Logger LOGGER = Logger.getLogger(AssemblyAnalyzer.class.getName());
/**
* Builds the beginnings of a List for ProcessBuilder
@@ -106,7 +106,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
public void analyzeFileType(Dependency dependency, Engine engine)
throws AnalysisException {
if (grokAssemblyExe == null) {
LOG.warning("GrokAssembly didn't get deployed");
LOGGER.warning("GrokAssembly didn't get deployed");
return;
}
@@ -117,10 +117,10 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
try {
final Process proc = pb.start();
// Try evacuating the error stream
rdr = new BufferedReader(new InputStreamReader(proc.getErrorStream()));
rdr = new BufferedReader(new InputStreamReader(proc.getErrorStream(), "UTF-8"));
String line = null;
while (rdr.ready() && (line = rdr.readLine()) != null) {
LOG.log(Level.WARNING, "Error from GrokAssembly: {0}", line);
LOGGER.log(Level.WARNING, "Error from GrokAssembly: {0}", line);
}
int rc = 0;
final Document doc = builder.parse(proc.getInputStream());
@@ -156,10 +156,10 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
return;
}
if (rc == 3) {
LOG.log(Level.INFO, "{0} is not a valid assembly", dependency.getActualFilePath());
LOGGER.log(Level.INFO, "{0} is not a valid assembly", dependency.getActualFilePath());
return;
} else if (rc != 0) {
LOG.log(Level.WARNING, "Return code {0} from GrokAssembly", rc);
LOGGER.log(Level.WARNING, "Return code {0} from GrokAssembly", rc);
}
} catch (IOException ioe) {
@@ -174,7 +174,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
try {
rdr.close();
} catch (IOException ex) {
Logger.getLogger(AssemblyAnalyzer.class.getName()).log(Level.FINEST, "ignore", ex);
LOGGER.log(Level.FINEST, "ignore", ex);
}
}
}
@@ -201,23 +201,23 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
grokAssemblyExe = tempFile;
// Set the temp file to get deleted when we're done
grokAssemblyExe.deleteOnExit();
LOG.log(Level.FINE, "Extracted GrokAssembly.exe to {0}", grokAssemblyExe.getPath());
LOGGER.log(Level.FINE, "Extracted GrokAssembly.exe to {0}", grokAssemblyExe.getPath());
} catch (IOException ioe) {
LOG.log(Level.WARNING, "Could not extract GrokAssembly.exe: {0}", ioe.getMessage());
LOGGER.log(Level.WARNING, "Could not extract GrokAssembly.exe: {0}", ioe.getMessage());
throw new AnalysisException("Could not extract GrokAssembly.exe", ioe);
} finally {
if (fos != null) {
try {
fos.close();
} catch (Throwable e) {
LOG.fine("Error closing output stream");
LOGGER.fine("Error closing output stream");
}
}
if (is != null) {
try {
is.close();
} catch (Throwable e) {
LOG.fine("Error closing input stream");
LOGGER.fine("Error closing input stream");
}
}
}
@@ -229,31 +229,34 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
final ProcessBuilder pb = new ProcessBuilder(args);
final Process p = pb.start();
// Try evacuating the error stream
rdr = new BufferedReader(new InputStreamReader(p.getErrorStream()));
String line;
while (rdr.ready() && (line = rdr.readLine()) != null) {
rdr = new BufferedReader(new InputStreamReader(p.getErrorStream(), "UTF-8"));
while (rdr.ready() && rdr.readLine() != null) {
// We expect this to complain
}
final Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(p.getInputStream());
final XPath xpath = XPathFactory.newInstance().newXPath();
final String error = xpath.evaluate("/assembly/error", doc);
if (p.waitFor() != 1 || error == null || "".equals(error)) {
LOG.warning("An error occured with the .NET AssemblyAnalyzer, please see the log for more details.");
LOG.fine("GrokAssembly.exe is not working properly");
LOGGER.warning("An error occurred with the .NET AssemblyAnalyzer, please see the log for more details.");
LOGGER.fine("GrokAssembly.exe is not working properly");
grokAssemblyExe = null;
throw new AnalysisException("Could not execute .NET AssemblyAnalyzer");
}
} catch (Throwable e) {
LOG.warning("An error occured with the .NET AssemblyAnalyzer; "
+ "this can be ignored unless you are scanning .NET dlls. Please see the log for more details.");
LOG.log(Level.FINE, "Could not execute GrokAssembly {0}", e.getMessage());
throw new AnalysisException("An error occured with the .NET AssemblyAnalyzer", e);
if (e instanceof AnalysisException) {
throw (AnalysisException) e;
} else {
LOGGER.warning("An error occured with the .NET AssemblyAnalyzer; "
+ "this can be ignored unless you are scanning .NET DLLs. Please see the log for more details.");
LOGGER.log(Level.FINE, "Could not execute GrokAssembly {0}", e.getMessage());
throw new AnalysisException("An error occured with the .NET AssemblyAnalyzer", e);
}
} finally {
if (rdr != null) {
try {
rdr.close();
} catch (IOException ex) {
Logger.getLogger(AssemblyAnalyzer.class.getName()).log(Level.FINEST, "ignore", ex);
LOGGER.log(Level.FINEST, "ignore", ex);
}
}
}
@@ -269,7 +272,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
grokAssemblyExe.deleteOnExit();
}
} catch (SecurityException se) {
LOG.fine("Can't delete temporary GrokAssembly.exe");
LOGGER.fine("Can't delete temporary GrokAssembly.exe");
}
}
@@ -280,7 +283,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
*/
@Override
public Set<String> getSupportedExtensions() {
return SUPORTED_EXTENSIONS;
return SUPPORTED_EXTENSIONS;
}
/**
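Review bot: The XML produced by GrokAssembly is parsed at L1930 (and via `builder` at L1869 in analyzeFileType) with a default `DocumentBuilderFactory`, which leaves DOCTYPE and external-entity processing enabled; the document is derived from metadata of the scanned DLL, so a hostile assembly could smuggle a DOCTYPE through if the .NET side does not escape its output — hedged, as GrokAssembly is not visible here. Hardening is three lines: `final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();` `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` `final Document doc = factory.newDocumentBuilder().parse(p.getInputStream());` (the ParserConfigurationException this can throw is already covered by the `catch (Throwable e)` at L1941). Stylistically, the `e instanceof AnalysisException` rethrow at L1946-L1947 would read better as a dedicated `catch (AnalysisException ex) { throw ex; }` clause placed ahead of the Throwable catch. The "occured" typo corrected at L1936 survives at L1949 and L1952. The enclosing method begins outside the hunk.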


@@ -57,7 +57,10 @@ import org.owasp.dependencycheck.utils.DependencyVersionUtil;
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class CPEAnalyzer implements Analyzer {
/**
* The Logger.
*/
private static final Logger LOGGER = Logger.getLogger(CPEAnalyzer.class.getName());
/**
* The maximum number of query results to return.
*/
@@ -125,15 +128,15 @@ public class CPEAnalyzer implements Analyzer {
* by another process.
*/
public void open() throws IOException, DatabaseException {
Logger.getLogger(CPEAnalyzer.class.getName()).log(Level.FINE, "Opening the CVE Database");
LOGGER.log(Level.FINE, "Opening the CVE Database");
cve = new CveDB();
cve.open();
Logger.getLogger(CPEAnalyzer.class.getName()).log(Level.FINE, "Creating the Lucene CPE Index");
LOGGER.log(Level.FINE, "Creating the Lucene CPE Index");
cpe = CpeMemoryIndex.getInstance();
try {
cpe.open(cve);
} catch (IndexException ex) {
Logger.getLogger(CPEAnalyzer.class.getName()).log(Level.FINE, "IndexException", ex);
LOGGER.log(Level.FINE, "IndexException", ex);
throw new DatabaseException(ex);
}
}
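Review bot: In open() at L1997-L2012, when `cpe.open(cve)` throws IndexException the already-opened `cve` is never released before the DatabaseException propagates, leaking the database handle on that error path. Assuming CveDB exposes a close() (not visible in this hunk), the catch block should release it first: `cve.close(); cve = null;` ahead of `throw new DatabaseException(ex);`. The Javadoc for open() starts outside the hunk; once that is done its `@throws DatabaseException` should note that the CVE database is closed again on index failure.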


@@ -30,7 +30,7 @@ import org.owasp.dependencycheck.suppression.SuppressionRule;
*/
public class CpeSuppressionAnalyzer extends AbstractSuppressionAnalyzer {
//<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
//<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
/**
* The name of the analyzer.
*/


@@ -46,6 +46,11 @@ import org.owasp.dependencycheck.utils.LogUtils;
*/
public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Analyzer {
/**
* The Logger.
*/
private static final Logger LOGGER = Logger.getLogger(DependencyBundlingAnalyzer.class.getName());
//<editor-fold defaultstate="collapsed" desc="Constants and Member Variables">
/**
* A pattern for obtaining the first part of a filename.
@@ -106,18 +111,18 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
final ListIterator<Dependency> subIterator = engine.getDependencies().listIterator(mainIterator.nextIndex());
while (subIterator.hasNext()) {
final Dependency nextDependency = subIterator.next();
if (isShadedJar(dependency, nextDependency)) {
if (dependency.getFileName().toLowerCase().endsWith("pom.xml")) {
dependenciesToRemove.add(dependency);
} else {
dependenciesToRemove.add(nextDependency);
}
} else if (hashesMatch(dependency, nextDependency)) {
if (hashesMatch(dependency, nextDependency)) {
if (isCore(dependency, nextDependency)) {
mergeDependencies(dependency, nextDependency, dependenciesToRemove);
} else {
mergeDependencies(nextDependency, dependency, dependenciesToRemove);
}
} else if (isShadedJar(dependency, nextDependency)) {
if (dependency.getFileName().toLowerCase().endsWith("pom.xml")) {
dependenciesToRemove.add(dependency);
} else {
dependenciesToRemove.add(nextDependency);
}
} else if (cpeIdentifiersMatch(dependency, nextDependency)
&& hasSameBasePath(dependency, nextDependency)
&& fileNameMatch(dependency, nextDependency)) {
@@ -270,7 +275,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
}
if (LogUtils.isVerboseLoggingEnabled()) {
final String msg = String.format("IdentifiersMatch=%s (%s, %s)", matches, dependency1.getFileName(), dependency2.getFileName());
Logger.getLogger(DependencyBundlingAnalyzer.class.getName()).log(Level.FINE, msg);
LOGGER.log(Level.FINE, msg);
}
return matches;
}
@@ -341,13 +346,13 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
* be shorter:
* axis2-saaj-1.4.1.jar
* axis2-1.4.1.jar <-----
* axis2-kernal-1.4.1.jar
* axis2-kernel-1.4.1.jar
*/
returnVal = leftName.length() <= rightName.length();
}
if (LogUtils.isVerboseLoggingEnabled()) {
final String msg = String.format("IsCore=%s (%s, %s)", returnVal, left.getFileName(), right.getFileName());
Logger.getLogger(DependencyBundlingAnalyzer.class.getName()).log(Level.FINE, msg);
LOGGER.log(Level.FINE, msg);
}
return returnVal;
}
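Review bot: Testing hashesMatch before isShadedJar at L2048-L2059 changes the outcome when both predicates hold — such a pair is now merged instead of one entry being dropped — but nothing in the code records why hash equality has to win, so the next refactor could silently swap them back. A one-line comment above L2048 would preserve the rationale, e.g. `// identical content (same hash) is merged first; the shaded-jar heuristic would otherwise drop one of the pair`. The analyze loop containing these lines starts and ends outside the hunk.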


@@ -42,7 +42,11 @@ import org.owasp.dependencycheck.dependency.VulnerableSoftware;
*/
public class FalsePositiveAnalyzer extends AbstractAnalyzer {
//<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
/**
* The Logger.
*/
private static final Logger LOGGER = Logger.getLogger(FalsePositiveAnalyzer.class.getName());
//<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
/**
* The name of the analyzer.
*/
@@ -132,8 +136,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
final String nextVersion = nextCpe.getVersion();
if (currentVersion == null && nextVersion == null) {
//how did we get here?
Logger.getLogger(FalsePositiveAnalyzer.class
.getName()).log(Level.FINE, "currentVersion and nextVersion are both null?");
LOGGER.log(Level.FINE, "currentVersion and nextVersion are both null?");
} else if (currentVersion == null && nextVersion != null) {
dependency.getIdentifiers().remove(currentId);
} else if (nextVersion == null && currentVersion != null) {
@@ -156,7 +159,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
* Regex to identify core java libraries and a few other commonly misidentified ones.
*/
public static final Pattern CORE_JAVA = Pattern.compile("^cpe:/a:(sun|oracle|ibm):(j2[ems]e|"
+ "java(_platfrom_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|"
+ "java(_platform_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|"
+ "jdk|jre|jsf|jsse)($|:.*)");
/**
* Regex to identify core java library files. This is currently incomplete.
@@ -179,7 +182,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
itr.remove();
}
//replacecd with the regex above.
//replaced with the regex above.
// if (("cpe:/a:sun:java".equals(i.getValue())
// || "cpe:/a:oracle:java".equals(i.getValue())
// || "cpe:/a:ibm:java".equals(i.getValue())
@@ -217,7 +220,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
try {
cpe.parseName(value);
} catch (UnsupportedEncodingException ex) {
Logger.getLogger(FalsePositiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
LOGGER.log(Level.FINEST, null, ex);
return null;
}
return cpe;
@@ -242,7 +245,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
//Set<Evidence> artifactId = dependency.getVendorEvidence().getEvidence("pom", "artifactid");
while (itr.hasNext()) {
final Identifier i = itr.next();
//TODO move this startswith expression to a configuration file?
//TODO move this startsWith expression to a configuration file?
if ("cpe".equals(i.getType())) {
if ((i.getValue().matches(".*c\\+\\+.*")
|| i.getValue().startsWith("cpe:/a:jquery:jquery")
@@ -337,8 +340,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
newCpe4,
String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(newCpe4, "UTF-8")));
} catch (UnsupportedEncodingException ex) {
Logger.getLogger(FalsePositiveAnalyzer.class
.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
}
}
}
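Review bot: The `_platfrom_` to `_platform_` correction in CORE_JAVA at L2118 is a behavioural change rather than a cosmetic one: identifiers such as `cpe:/a:oracle:java_platform_micro_edition` now match the pattern and, judging by the `itr.remove()` at L2123, will be dropped as false positives where they previously slipped through, which deserves a line in the release notes. The commented-out comparison block at L2127-L2129 is still carried along even though the comment at L2126 says the regex replaced it; dead code like this should be deleted rather than kept. The method enclosing L2123-L2129 begins outside the hunk.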


@@ -33,7 +33,7 @@ import org.owasp.dependencycheck.utils.DependencyVersionUtil;
*/
public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
//<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
//<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
/**
* The name of the analyzer.
*/


@@ -32,7 +32,7 @@ import org.owasp.dependencycheck.dependency.Evidence;
*/
public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
//<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
//<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
/**
* The name of the analyzer.
*/


@@ -364,7 +364,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
*
* @param jar the JarFile to search
* @return a list of pom.xml entries
* @throws IOException thrown if there is an exception reading a JarEntryf
* @throws IOException thrown if there is an exception reading a JarEntry
*/
private List<String> retrievePomListing(final JarFile jar) throws IOException {
final List<String> pomEntries = new ArrayList<String>();
@@ -408,7 +408,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
bos.flush();
dependency.setActualFilePath(file.getAbsolutePath());
} catch (IOException ex) {
final String msg = String.format("An error occured reading '%s' from '%s'.", path, dependency.getFilePath());
final String msg = String.format("An error occurred reading '%s' from '%s'.", path, dependency.getFilePath());
LOGGER.warning(msg);
LOGGER.log(Level.SEVERE, "", ex);
} finally {
@@ -496,11 +496,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
model = readPom(source);
} catch (SecurityException ex) {
final String msg = String.format("Unable to parse pom '%s' in jar '%s'; invalid signature", path, jar.getName());
Logger
.getLogger(JarAnalyzer.class
.getName()).log(Level.WARNING, msg);
Logger.getLogger(JarAnalyzer.class
.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.WARNING, msg);
LOGGER.log(Level.FINE, null, ex);
throw new AnalysisException(ex);
} catch (IOException ex) {
final String msg = String.format("Unable to parse pom '%s' in jar '%s' (IO Exception)", path, jar.getName());
@@ -693,10 +690,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
&& !dependency.getFileName().toLowerCase().endsWith("-javadoc.jar")
&& !dependency.getFileName().toLowerCase().endsWith("-src.jar")
&& !dependency.getFileName().toLowerCase().endsWith("-doc.jar")) {
Logger.getLogger(JarAnalyzer.class
.getName()).log(Level.INFO,
String.format("Jar file '%s' does not contain a manifest.",
dependency.getFileName()));
LOGGER.log(Level.INFO,
String.format("Jar file '%s' does not contain a manifest.",
dependency.getFileName()));
}
return false;
}
@@ -924,12 +920,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
@Override
public void initializeFileTypeAnalyzer() throws Exception {
final File baseDir = Settings.getTempDirectory();
if (!baseDir.exists()) {
if (!baseDir.mkdirs()) {
final String msg = String.format("Unable to make a temporary folder '%s'", baseDir.getPath());
throw new AnalysisException(msg);
}
}
tempFileLocation = File.createTempFile("check", "tmp", baseDir);
if (!tempFileLocation.delete()) {
final String msg = String.format("Unable to delete temporary file '%s'.", tempFileLocation.getAbsolutePath());
@@ -1050,11 +1040,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
} catch (IOException ex) {
final String msg = String.format("Unable to open jar file '%s'.", dependency.getFileName());
Logger
.getLogger(JarAnalyzer.class
.getName()).log(Level.WARNING, msg);
Logger.getLogger(JarAnalyzer.class
.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.WARNING, msg);
LOGGER.log(Level.FINE, null, ex);
} finally {
if (jar != null) {
try {
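Review bot: In the SecurityException handler at L2203-L2212 the descriptive message built on L2204 (jar name, pom path, "invalid signature") is only logged, while callers receive `new AnalysisException(ex)` carrying whatever text the JVM put in the SecurityException; use `throw new AnalysisException(msg, ex);` so the context survives into the report. The neighbouring IOException handler at L2195-L2199 is also inconsistent with the rest of this commit: the text is logged at WARNING but the stack trace at SEVERE with an empty message, whereas every other handler touched here logs the trace at FINE — `LOGGER.log(Level.FINE, msg, ex);` would align it. Both enclosing methods begin outside their hunks.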


@@ -44,7 +44,7 @@ public class JavaScriptAnalyzer extends AbstractFileTypeAnalyzer {
*/
private static final Logger LOGGER = Logger.getLogger(JavaScriptAnalyzer.class.getName());
//<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
//<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
/**
* The name of the analyzer.
*/
@@ -107,7 +107,7 @@ public class JavaScriptAnalyzer extends AbstractFileTypeAnalyzer {
*/
@Override
public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
BufferedReader fin = null;;
BufferedReader fin = null;
try {
// /\*([^\*][^/]|[\r\n\f])+?\*/
final Pattern extractComments = Pattern.compile("(/\\*([^*]|[\\r\\n]|(\\*+([^*/]|[\\r\\n])))*\\*+/)|(//.*)", Pattern.MULTILINE);


@@ -168,7 +168,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
LOGGER.info(String.format("invalid sha-1 hash on %s", dependency.getFileName()));
} catch (FileNotFoundException fnfe) {
//dependency.addAnalysisException(new AnalysisException("Artifact not found on repository"));
LOGGER.fine(String.format("Artificat not found in repository '%s'", dependency.getFileName()));
LOGGER.fine(String.format("Artifact not found in repository '%s'", dependency.getFileName()));
LOGGER.log(Level.FINE, fnfe.getMessage(), fnfe);
} catch (IOException ioe) {
//dependency.addAnalysisException(new AnalysisException("Could not connect to repository", ioe));


@@ -109,6 +109,17 @@ public class NvdCveAnalyzer implements Analyzer {
}
}
}
for (Identifier id : dependency.getSuppressedIdentifiers()) {
if ("cpe".equals(id.getType())) {
try {
final String value = id.getValue();
final List<Vulnerability> vulns = cveDB.getVulnerabilities(value);
dependency.getSuppressedVulnerabilities().addAll(vulns);
} catch (DatabaseException ex) {
throw new AnalysisException(ex);
}
}
}
}
/**
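Review bot: The new loop at L2295-L2305 has no comment explaining why suppressed CPE identifiers still hit the CVE database, and a reader could reasonably assume suppression should skip the lookup; suggest `// suppressed CPEs are still resolved so their vulnerabilities can be reported as suppressed rather than silently dropped` — hedged, since the consumer of getSuppressedVulnerabilities() is not visible here. If the preceding loop over the dependency's identifiers (outside the hunk) has the same shape, a private helper taking the identifier collection and the target list would remove the duplication. The enclosing analyze method begins outside the hunk.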


@@ -54,7 +54,10 @@ import org.owasp.dependencycheck.utils.Pair;
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public final class CpeMemoryIndex {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(CpeMemoryIndex.class.getName());
/**
* singleton instance.
*/
@@ -197,7 +200,7 @@ public final class CpeMemoryIndex {
try {
indexReader.close();
} catch (IOException ex) {
Logger.getLogger(CpeMemoryIndex.class.getName()).log(Level.FINEST, null, ex);
LOGGER.log(Level.FINEST, null, ex);
}
indexReader = null;
}
@@ -229,7 +232,7 @@ public final class CpeMemoryIndex {
saveEntry(pair.getLeft(), pair.getRight(), indexWriter);
}
} catch (DatabaseException ex) {
Logger.getLogger(CpeMemoryIndex.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
throw new IndexException("Error reading CPE data", ex);
}
} catch (CorruptIndexException ex) {


@@ -29,7 +29,10 @@ import java.util.logging.Logger;
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public final class CweDB {
/**
* The Logger.
*/
private static final Logger LOGGER = Logger.getLogger(CweDB.class.getName());
/**
* Empty private constructor as this is a utility class.
*/
@@ -54,17 +57,17 @@ public final class CweDB {
oin = new ObjectInputStream(input);
return (HashMap<String, String>) oin.readObject();
} catch (ClassNotFoundException ex) {
Logger.getLogger(CweDB.class.getName()).log(Level.WARNING, "Unable to load CWE data. This should not be an issue.");
Logger.getLogger(CweDB.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.WARNING, "Unable to load CWE data. This should not be an issue.");
LOGGER.log(Level.FINE, null, ex);
} catch (IOException ex) {
Logger.getLogger(CweDB.class.getName()).log(Level.WARNING, "Unable to load CWE data due to an IO Error. This should not be an issue.");
Logger.getLogger(CweDB.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.WARNING, "Unable to load CWE data due to an IO Error. This should not be an issue.");
LOGGER.log(Level.FINE, null, ex);
} finally {
if (oin != null) {
try {
oin.close();
} catch (IOException ex) {
Logger.getLogger(CweDB.class.getName()).log(Level.FINEST, null, ex);
LOGGER.log(Level.FINEST, null, ex);
}
}
}
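Review bot: `oin.readObject()` at L2356 is native Java deserialization with no restriction on the classes it may instantiate; if `input` (opened outside the hunk) is anything other than a resource bundled in this jar, a crafted stream can construct arbitrary classes on the classpath. Since only a `HashMap<String, String>` is expected, overriding resolveClass to admit just that type bounds the risk at little cost; `ObjectStreamClass` and `InvalidClassException` both come from java.io. The enclosing method begins outside the hunk.
```java
oin = new ObjectInputStream(input) {
    // only the serialized HashMap<String, String> (and String entries) is expected
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        final String name = desc.getName();
        if (!HashMap.class.getName().equals(name) && !String.class.getName().equals(name)) {
            throw new InvalidClassException("Unexpected class in CWE data", name);
        }
        return super.resolveClass(desc);
    }
};
// … unchanged: cast and return of the map, catch and finally blocks …
```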


@@ -36,7 +36,10 @@ import org.owasp.dependencycheck.utils.UrlStringUtils;
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(UrlTokenizingFilter.class.getName());
/**
* Constructs a new VersionTokenizingFilter.
*
@@ -67,7 +70,7 @@ public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
final List<String> data = UrlStringUtils.extractImportantUrlData(part);
tokens.addAll(data);
} catch (MalformedURLException ex) {
Logger.getLogger(UrlTokenizingFilter.class.getName()).log(Level.FINE, "error parsing " + part, ex);
LOGGER.log(Level.FINE, "error parsing " + part, ex);
tokens.add(part);
}
} else {


@@ -21,7 +21,6 @@ import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLConnection;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.xml.parsers.DocumentBuilder;
@@ -84,7 +83,7 @@ public class NexusSearch {
*
* @param sha1 The SHA-1 hash string for which to search
* @return the populated Maven coordinates
* @throws IOException if it's unable to connect to the specified repositor or if the specified artifact is not
* @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not
* found.
*/
public MavenArtifact searchSha1(String sha1) throws IOException {
@@ -102,8 +101,7 @@ public class NexusSearch {
// 2) Otherwise, don't use the proxy (either the proxy isn't configured,
// or proxy is specifically
// set to false
URLConnection conn = null;
conn = URLConnectionFactory.createHttpURLConnection(url, useProxy);
final HttpURLConnection conn = URLConnectionFactory.createHttpURLConnection(url, useProxy);
conn.setDoOutput(true);
@@ -112,36 +110,40 @@ public class NexusSearch {
conn.addRequestProperty("Accept", "application/xml");
conn.connect();
try {
final DocumentBuilder builder = DocumentBuilderFactory
.newInstance().newDocumentBuilder();
final Document doc = builder.parse(conn.getInputStream());
final XPath xpath = XPathFactory.newInstance().newXPath();
final String groupId = xpath
.evaluate(
"/org.sonatype.nexus.rest.model.NexusArtifact/groupId",
doc);
final String artifactId = xpath.evaluate(
"/org.sonatype.nexus.rest.model.NexusArtifact/artifactId",
doc);
final String version = xpath
.evaluate(
"/org.sonatype.nexus.rest.model.NexusArtifact/version",
doc);
final String link = xpath
.evaluate(
"/org.sonatype.nexus.rest.model.NexusArtifact/artifactLink",
doc);
return new MavenArtifact(groupId, artifactId, version, link);
} catch (FileNotFoundException fnfe) {
/* This is what we get when the SHA1 they sent doesn't exist in
* Nexus. This is useful upstream for recovery, so we just re-throw it
*/
throw fnfe;
} catch (Throwable e) {
// Anything else is jacked-up XML stuff that we really can't recover
// from well
throw new IOException(e.getMessage(), e);
if (conn.getResponseCode() == 200) {
try {
final DocumentBuilder builder = DocumentBuilderFactory
.newInstance().newDocumentBuilder();
final Document doc = builder.parse(conn.getInputStream());
final XPath xpath = XPathFactory.newInstance().newXPath();
final String groupId = xpath
.evaluate(
"/org.sonatype.nexus.rest.model.NexusArtifact/groupId",
doc);
final String artifactId = xpath.evaluate(
"/org.sonatype.nexus.rest.model.NexusArtifact/artifactId",
doc);
final String version = xpath
.evaluate(
"/org.sonatype.nexus.rest.model.NexusArtifact/version",
doc);
final String link = xpath
.evaluate(
"/org.sonatype.nexus.rest.model.NexusArtifact/artifactLink",
doc);
return new MavenArtifact(groupId, artifactId, version, link);
} catch (Throwable e) {
// Anything else is jacked-up XML stuff that we really can't recover
// from well
throw new IOException(e.getMessage(), e);
}
} else if (conn.getResponseCode() == 404) {
throw new FileNotFoundException("Artifact not found in Nexus");
} else {
final String msg = String.format("Could not connect to Nexus received response code: %d %s",
conn.getResponseCode(), conn.getResponseMessage());
LOGGER.fine(msg);
throw new IOException(msg);
}
}
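Review bot: The Nexus reply is parsed at L2463-L2465 with a default `DocumentBuilderFactory`, so a DOCTYPE in the response from the configured repository (reached over whatever URL and proxy the settings outside this hunk supply, possibly plain http) can trigger external-entity resolution or entity expansion from the scanner's own network position. Disabling DOCTYPE handling is three lines: `final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();` `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` `final Document doc = factory.newDocumentBuilder().parse(conn.getInputStream());` — the ParserConfigurationException it may throw is already covered by the `catch (Throwable e)` at L2483. `conn.getResponseCode()` is evaluated up to three times (L2461, L2488, L2492); reading it once into `final int status = conn.getResponseCode();` keeps the branches in step. Nothing in the visible code closes the response stream or calls `conn.disconnect()`, which a `finally` around the status handling would fix; the method's opening lines sit in an earlier hunk, so the full body is not visible here.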


@@ -56,7 +56,7 @@ public class NuspecParseException extends Exception {
* Note that the detail message associated with <code>cause</code> is <em>not</em>
* automatically incorporated in this exception's detail message.
*
* @param message the detail message (whcih is saved for later retrieval by the
* @param message the detail message (which is saved for later retrieval by the
* {@link java.lang.Throwable#getMessage()} method.
* @param cause the cause (which is saved for later retrieval by the {@link java.lang.Throwable#getCause()} method).
* (A <code>null</code> value is permitted, and indicates that the cause is nonexistent or unknown).


@@ -42,7 +42,10 @@ import org.owasp.dependencycheck.utils.Settings;
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public final class ConnectionFactory {
/**
* The Logger.
*/
private static final Logger LOGGER = Logger.getLogger(ConnectionFactory.class.getName());
/**
* The version of the current DB Schema.
*/
@@ -90,17 +93,17 @@ public final class ConnectionFactory {
//load the driver if necessary
final String driverName = Settings.getString(Settings.KEYS.DB_DRIVER_NAME, "");
if (!driverName.isEmpty()) { //likely need to load the correct driver
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Loading driver: {0}", driverName);
LOGGER.log(Level.FINE, "Loading driver: {0}", driverName);
final String driverPath = Settings.getString(Settings.KEYS.DB_DRIVER_PATH, "");
try {
if (!driverPath.isEmpty()) {
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Loading driver from: {0}", driverPath);
LOGGER.log(Level.FINE, "Loading driver from: {0}", driverPath);
driver = DriverLoader.load(driverName, driverPath);
} else {
driver = DriverLoader.load(driverName);
}
} catch (DriverLoadException ex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "Unable to load database driver", ex);
LOGGER.log(Level.FINE, "Unable to load database driver", ex);
throw new DatabaseException("Unable to load database driver");
}
}
@@ -110,7 +113,7 @@ public final class ConnectionFactory {
try {
connectionString = getConnectionString();
} catch (IOException ex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE,
LOGGER.log(Level.FINE,
"Unable to retrieve the database connection string", ex);
throw new DatabaseException("Unable to retrieve the database connection string");
}
@@ -118,15 +121,15 @@ public final class ConnectionFactory {
try {
if (connectionString.startsWith("jdbc:h2:file:")) { //H2
shouldCreateSchema = !dbSchemaExists();
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Need to create DB Structure: {0}", shouldCreateSchema);
LOGGER.log(Level.FINE, "Need to create DB Structure: {0}", shouldCreateSchema);
}
} catch (IOException ioex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "Unable to verify database exists", ioex);
LOGGER.log(Level.FINE, "Unable to verify database exists", ioex);
throw new DatabaseException("Unable to verify database exists");
}
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Loading database connection");
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Connection String: {0}", connectionString);
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Database User: {0}", userName);
LOGGER.log(Level.FINE, "Loading database connection");
LOGGER.log(Level.FINE, "Connection String: {0}", connectionString);
LOGGER.log(Level.FINE, "Database User: {0}", userName);
try {
conn = DriverManager.getConnection(connectionString, userName, password);
@@ -136,14 +139,14 @@ public final class ConnectionFactory {
try {
conn = DriverManager.getConnection(connectionString, userName, password);
Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE,
LOGGER.log(Level.FINE,
"Unable to start the database in server mode; reverting to single user mode");
} catch (SQLException sqlex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "Unable to connect to the database", ex);
LOGGER.log(Level.FINE, "Unable to connect to the database", ex);
throw new DatabaseException("Unable to connect to the database");
}
} else {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "Unable to connect to the database", ex);
LOGGER.log(Level.FINE, "Unable to connect to the database", ex);
throw new DatabaseException("Unable to connect to the database");
}
}
@@ -152,14 +155,14 @@ public final class ConnectionFactory {
try {
createTables(conn);
} catch (DatabaseException dex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, dex);
LOGGER.log(Level.FINE, null, dex);
throw new DatabaseException("Unable to create the database structure");
}
} else {
try {
ensureSchemaVersion(conn);
} catch (DatabaseException dex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, dex);
LOGGER.log(Level.FINE, null, dex);
throw new DatabaseException("Database schema does not match this version of dependency-check");
}
}
@@ -168,7 +171,7 @@ public final class ConnectionFactory {
try {
conn.close();
} catch (SQLException ex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "An error occured closing the connection", ex);
LOGGER.log(Level.FINE, "An error occurred closing the connection", ex);
}
}
}
@@ -184,7 +187,10 @@ public final class ConnectionFactory {
try {
DriverManager.deregisterDriver(driver);
} catch (SQLException ex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "An error occured unloading the databse driver", ex);
LOGGER.log(Level.FINE, "An error occurred unloading the database driver", ex);
} catch (Throwable unexpected) {
LOGGER.log(Level.FINE,
"An unexpected throwable occurred unloading the database driver", unexpected);
}
driver = null;
}
@@ -205,7 +211,7 @@ public final class ConnectionFactory {
try {
conn = DriverManager.getConnection(connectionString, userName, password);
} catch (SQLException ex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
throw new DatabaseException("Unable to connect to the database");
}
return conn;
@@ -223,7 +229,7 @@ public final class ConnectionFactory {
if (connStr.contains("%s")) {
final String directory = getDataDirectory().getCanonicalPath();
final File dataFile = new File(directory, "cve." + DB_SCHEMA_VERSION);
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, String.format("File path for H2 file: '%s'", dataFile.toString()));
LOGGER.log(Level.FINE, String.format("File path for H2 file: '%s'", dataFile.toString()));
return String.format(connStr, dataFile.getAbsolutePath());
}
return connStr;
@@ -266,7 +272,7 @@ public final class ConnectionFactory {
* @throws DatabaseException thrown if there is a Database Exception
*/
private static void createTables(Connection conn) throws DatabaseException {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "Creating database structure");
LOGGER.log(Level.FINE, "Creating database structure");
InputStream is;
InputStreamReader reader;
BufferedReader in = null;
@@ -284,7 +290,7 @@ public final class ConnectionFactory {
statement = conn.createStatement();
statement.execute(sb.toString());
} catch (SQLException ex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
throw new DatabaseException("Unable to create database statement", ex);
} finally {
DBUtils.closeStatement(statement);
@@ -296,7 +302,7 @@ public final class ConnectionFactory {
try {
in.close();
} catch (IOException ex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINEST, null, ex);
LOGGER.log(Level.FINEST, null, ex);
}
}
}
@@ -323,7 +329,7 @@ public final class ConnectionFactory {
throw new DatabaseException("Database schema is missing");
}
} catch (SQLException ex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
throw new DatabaseException("Unable to check the database schema version");
} finally {
DBUtils.closeResultSet(rs);


@@ -46,7 +46,10 @@ import org.owasp.dependencycheck.utils.Pair;
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class CveDB {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(CveDB.class.getName());
/**
* Database connection
*/
@@ -95,12 +98,12 @@ public class CveDB {
conn.close();
} catch (SQLException ex) {
final String msg = "There was an error attempting to close the CveDB, see the log for more details.";
Logger.getLogger(DBUtils.class.getName()).log(Level.SEVERE, msg);
Logger.getLogger(DBUtils.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.SEVERE, msg);
LOGGER.log(Level.FINE, null, ex);
} catch (Throwable ex) {
final String msg = "There was an exception attempting to close the CveDB, see the log for more details.";
Logger.getLogger(DBUtils.class.getName()).log(Level.SEVERE, msg);
Logger.getLogger(DBUtils.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.SEVERE, msg);
LOGGER.log(Level.FINE, null, ex);
}
conn = null;
}
@@ -135,7 +138,7 @@ public class CveDB {
@Override
@SuppressWarnings("FinalizeDeclaration")
protected void finalize() throws Throwable {
Logger.getLogger(DBUtils.class.getName()).log(Level.FINE, "Entering finalize");
LOGGER.log(Level.FINE, "Entering finalize");
close();
super.finalize();
}
@@ -284,8 +287,8 @@ public class CveDB {
}
} catch (SQLException ex) {
final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details.";
Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, msg);
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.SEVERE, msg);
LOGGER.log(Level.FINE, null, ex);
} finally {
DBUtils.closeResultSet(rs);
DBUtils.closeStatement(ps);
@@ -336,8 +339,8 @@ public class CveDB {
}
} catch (SQLException ex) {
final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details.";
Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, msg);
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.SEVERE, msg);
LOGGER.log(Level.FINE, null, ex);
} finally {
DBUtils.closeStatement(ps);
DBUtils.closeResultSet(rs);
@@ -358,8 +361,8 @@ public class CveDB {
updateProperty = getConnection().prepareStatement(UPDATE_PROPERTY);
insertProperty = getConnection().prepareStatement(INSERT_PROPERTY);
} catch (SQLException ex) {
Logger.getLogger(CveDB.class.getName()).log(Level.WARNING, "Unable to save properties to the database");
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Unable to save properties to the database", ex);
LOGGER.log(Level.WARNING, "Unable to save properties to the database");
LOGGER.log(Level.FINE, "Unable to save properties to the database", ex);
return;
}
for (Entry<Object, Object> entry : props.entrySet()) {
@@ -374,8 +377,8 @@ public class CveDB {
}
} catch (SQLException ex) {
final String msg = String.format("Unable to save property '%s' with a value of '%s' to the database", key, value);
Logger.getLogger(CveDB.class.getName()).log(Level.WARNING, msg);
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.WARNING, msg);
LOGGER.log(Level.FINE, null, ex);
}
}
} finally {
@@ -397,8 +400,8 @@ public class CveDB {
try {
updateProperty = getConnection().prepareStatement(UPDATE_PROPERTY);
} catch (SQLException ex) {
Logger.getLogger(CveDB.class.getName()).log(Level.WARNING, "Unable to save properties to the database");
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Unable to save properties to the database", ex);
LOGGER.log(Level.WARNING, "Unable to save properties to the database");
LOGGER.log(Level.FINE, "Unable to save properties to the database", ex);
return;
}
try {
@@ -408,8 +411,8 @@ public class CveDB {
try {
insertProperty = getConnection().prepareStatement(INSERT_PROPERTY);
} catch (SQLException ex) {
Logger.getLogger(CveDB.class.getName()).log(Level.WARNING, "Unable to save properties to the database");
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Unable to save properties to the database", ex);
LOGGER.log(Level.WARNING, "Unable to save properties to the database");
LOGGER.log(Level.FINE, "Unable to save properties to the database", ex);
return;
}
insertProperty.setString(1, key);
@@ -418,8 +421,8 @@ public class CveDB {
}
} catch (SQLException ex) {
final String msg = String.format("Unable to save property '%s' with a value of '%s' to the database", key, value);
Logger.getLogger(CveDB.class.getName()).log(Level.WARNING, msg);
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.WARNING, msg);
LOGGER.log(Level.FINE, null, ex);
}
} finally {
DBUtils.closeStatement(updateProperty);
@@ -440,7 +443,7 @@ public class CveDB {
try {
cpe.parseName(cpeStr);
} catch (UnsupportedEncodingException ex) {
Logger.getLogger(CveDB.class.getName()).log(Level.FINEST, null, ex);
LOGGER.log(Level.FINEST, null, ex);
}
final DependencyVersion detectedVersion = parseDependencyVersion(cpe);
final List<Vulnerability> vulnerabilities = new ArrayList<Vulnerability>();
@@ -678,7 +681,7 @@ public class CveDB {
} catch (SQLException ex) {
final String msg = String.format("Error updating '%s'", vuln.getName());
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
throw new DatabaseException(msg, ex);
} finally {
DBUtils.closeStatement(selectVulnerabilityId);
@@ -707,8 +710,8 @@ public class CveDB {
}
} catch (SQLException ex) {
final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details.";
Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, msg);
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.SEVERE, msg);
LOGGER.log(Level.FINE, null, ex);
} finally {
DBUtils.closeStatement(ps);
}
@@ -763,7 +766,7 @@ public class CveDB {
cpe.parseName(cpeStr);
} catch (UnsupportedEncodingException ex) {
//never going to happen.
Logger.getLogger(CveDB.class.getName()).log(Level.FINEST, null, ex);
LOGGER.log(Level.FINEST, null, ex);
}
return parseDependencyVersion(cpe);
}
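Review bot: The pair `LOGGER.log(Level.WARNING, "Unable to save properties to the database"); LOGGER.log(Level.FINE, "Unable to save properties to the database", ex);` is now repeated verbatim in three catch blocks (the hunks at @@ -358, @@ -397 and @@ -408), and the `Unable to save property '%s' with a value of '%s'` WARNING/FINE pair twice more. A small private helper such as `private static void logSaveFailure(String msg, SQLException ex) { LOGGER.log(Level.WARNING, msg); LOGGER.log(Level.FINE, null, ex); }` would keep the two-level logging convention in one place. Separately, close() at @@ -95 still catches Throwable after SQLException and only logs, which swallows Errors as well as RuntimeExceptions; if that is a deliberate best-effort close it deserves a one-line comment saying so. The methods enclosing these hunks start outside the hunks.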


@@ -17,7 +17,6 @@
*/
package org.owasp.dependencycheck.data.nvdcve;
import com.hazelcast.logging.Logger;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.Date;
@@ -26,6 +25,7 @@ import java.util.Map.Entry;
import java.util.Properties;
import java.util.TreeMap;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.owasp.dependencycheck.data.update.NvdCveInfo;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
@@ -36,6 +36,10 @@ import org.owasp.dependencycheck.data.update.exception.UpdateException;
*/
public class DatabaseProperties {
/**
* The Logger.
*/
private static final Logger LOGGER = Logger.getLogger(DatabaseProperties.class.getName());
/**
* Modified key word, used as a key to store information about the modified file (i.e. the containing the last 8
* days of updates)..
@@ -150,8 +154,8 @@ public class DatabaseProperties {
final DateFormat format = new SimpleDateFormat("dd/MM/yyyy HH:mm:ss");
final String formatted = format.format(date);
map.put(key, formatted);
} catch (Throwable ex) { //deliberatly being broad in this catch clause
Logger.getLogger(DatabaseProperties.class.getName()).log(Level.FINE, "Unable to parse timestamp from DB", ex);
} catch (Throwable ex) { //deliberately being broad in this catch clause
LOGGER.log(Level.FINE, "Unable to parse timestamp from DB", ex);
map.put(key, entry.getValue());
}
} else {


@@ -37,6 +37,11 @@ import java.util.logging.Logger;
*/
public final class DriverLoader {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(DriverLoader.class.getName());
/**
* Private constructor for a utility class.
*/
@@ -58,7 +63,7 @@ public final class DriverLoader {
/**
* Loads the specified class by registering the supplied paths to the class loader and then registers the driver
* with the driver manager. The pathToDriver argument is added to the class loader so that an external driver can be
* loaded. Note, the pathTodriver can contain a semi-colon separated list of paths so any dependencies can be added
* loaded. Note, the pathToDriver can contain a semi-colon separated list of paths so any dependencies can be added
* as needed. If a path in the pathToDriver argument is a directory all files in the directory are added to the
* class path.
*
@@ -83,7 +88,7 @@ public final class DriverLoader {
} catch (MalformedURLException ex) {
final String msg = String.format("Unable to load database driver '%s'; invalid path provided '%s'",
className, f.getAbsoluteFile());
Logger.getLogger(DriverLoader.class.getName()).log(Level.FINE, msg, ex);
LOGGER.log(Level.FINE, msg, ex);
throw new DriverLoadException(msg, ex);
}
}
@@ -93,7 +98,7 @@ public final class DriverLoader {
} catch (MalformedURLException ex) {
final String msg = String.format("Unable to load database driver '%s'; invalid path provided '%s'",
className, file.getAbsoluteFile());
Logger.getLogger(DriverLoader.class.getName()).log(Level.FINE, msg, ex);
LOGGER.log(Level.FINE, msg, ex);
throw new DriverLoadException(msg, ex);
}
}
@@ -127,19 +132,19 @@ public final class DriverLoader {
return shim;
} catch (ClassNotFoundException ex) {
final String msg = String.format("Unable to load database driver '%s'", className);
Logger.getLogger(DriverLoader.class.getName()).log(Level.FINE, msg, ex);
LOGGER.log(Level.FINE, msg, ex);
throw new DriverLoadException(msg, ex);
} catch (InstantiationException ex) {
final String msg = String.format("Unable to load database driver '%s'", className);
Logger.getLogger(DriverLoader.class.getName()).log(Level.FINE, msg, ex);
LOGGER.log(Level.FINE, msg, ex);
throw new DriverLoadException(msg, ex);
} catch (IllegalAccessException ex) {
final String msg = String.format("Unable to load database driver '%s'", className);
Logger.getLogger(DriverLoader.class.getName()).log(Level.FINE, msg, ex);
LOGGER.log(Level.FINE, msg, ex);
throw new DriverLoadException(msg, ex);
} catch (SQLException ex) {
final String msg = String.format("Unable to load database driver '%s'", className);
Logger.getLogger(DriverLoader.class.getName()).log(Level.FINE, msg, ex);
LOGGER.log(Level.FINE, msg, ex);
throw new DriverLoadException(msg, ex);
}
}
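Review bot: The four catch blocks at the end of the last hunk (ClassNotFoundException, InstantiationException, IllegalAccessException, SQLException) build the same message, log it at FINE and throw the same DriverLoadException; if the build targets Java 7 or later a single multi-catch `catch (ClassNotFoundException | InstantiationException | IllegalAccessException | SQLException ex)` removes three copies, otherwise the shared body could move into a private helper. The Javadoc in the @@ -58 hunk explains that pathToDriver may list files and directories whose contents are all added to the class path; it is worth stating there that these paths must come from trusted configuration, since every class on them becomes loadable and the driver is instantiated reflectively. The load method itself starts and ends outside the hunks.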


@@ -39,6 +39,10 @@ import java.util.logging.Logger;
*/
class DriverShim implements Driver {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(DriverShim.class.getName());
/**
* The database driver being wrapped.
*/
@@ -123,11 +127,11 @@ class DriverShim implements Driver {
try {
return (Logger) m.invoke(m);
} catch (IllegalAccessException ex) {
Logger.getLogger(DriverShim.class.getName()).log(Level.FINER, null, ex);
LOGGER.log(Level.FINER, null, ex);
} catch (IllegalArgumentException ex) {
Logger.getLogger(DriverShim.class.getName()).log(Level.FINER, null, ex);
LOGGER.log(Level.FINER, null, ex);
} catch (InvocationTargetException ex) {
Logger.getLogger(DriverShim.class.getName()).log(Level.FINER, null, ex);
LOGGER.log(Level.FINER, null, ex);
}
}
throw new SQLFeatureNotSupportedException();
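Review bot: `return (Logger) m.invoke(m);` at the top of the hunk passes the Method object itself as the invocation target; unless the reflected method is static this throws IllegalArgumentException, which the catch below logs at FINER, so the reflective path presumably always falls through to SQLFeatureNotSupportedException. The target should be the wrapped driver instance (the field documented as 'The database driver being wrapped.' in the first hunk), e.g. `return (Logger) m.invoke(<wrapped driver field>);`. Logging at FINER also hides the failure in normal verbose output; FINE would match the rest of this commit. The enclosing method starts outside the hunk.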


@@ -30,6 +30,11 @@ import org.owasp.dependencycheck.utils.DownloadFailedException;
*/
public class NvdCveUpdater implements CachedWebDataSource {
/**
* The logger
*/
private static final Logger LOGGER = Logger.getLogger(NvdCveUpdater.class.getName());
/**
* <p>
* Downloads the latest NVD CVE XML file from the web and imports it into the current CVE Database.</p>
@@ -44,13 +49,13 @@ public class NvdCveUpdater implements CachedWebDataSource {
task.update();
}
} catch (MalformedURLException ex) {
Logger.getLogger(NvdCveUpdater.class.getName()).log(Level.WARNING,
LOGGER.log(Level.WARNING,
"NVD CVE properties files contain an invalid URL, unable to update the data to use the most current data.");
Logger.getLogger(NvdCveUpdater.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
} catch (DownloadFailedException ex) {
Logger.getLogger(NvdCveUpdater.class.getName()).log(Level.WARNING,
LOGGER.log(Level.WARNING,
"Unable to download the NVD CVE data, unable to update the data to use the most current data.");
Logger.getLogger(NvdCveUpdater.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
}
}
}


@@ -47,6 +47,10 @@ import org.owasp.dependencycheck.utils.Settings;
*/
public class StandardUpdate {
/**
* Static logger.
*/
private static final Logger LOGGER = Logger.getLogger(StandardUpdate.class.getName());
/**
* The max thread pool size to use when downloading files.
*/
@@ -104,7 +108,7 @@ public class StandardUpdate {
return;
}
if (maxUpdates > 3) {
Logger.getLogger(StandardUpdate.class.getName()).log(Level.INFO,
LOGGER.log(Level.INFO,
"NVD CVE requires several updates; this could take a couple of minutes.");
}
if (maxUpdates > 0) {
@@ -118,7 +122,7 @@ public class StandardUpdate {
final Set<Future<Future<ProcessTask>>> downloadFutures = new HashSet<Future<Future<ProcessTask>>>(maxUpdates);
for (NvdCveInfo cve : updateable) {
if (cve.getNeedsUpdate()) {
final CallableDownloadTask call = new CallableDownloadTask(cve, processExecutor, cveDB);
final CallableDownloadTask call = new CallableDownloadTask(cve, processExecutor, cveDB, Settings.getInstance());
downloadFutures.add(downloadExecutors.submit(call));
}
}
@@ -134,19 +138,19 @@ public class StandardUpdate {
downloadExecutors.shutdownNow();
processExecutor.shutdownNow();
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during download", ex);
LOGGER.log(Level.FINE, "Thread was interrupted during download", ex);
throw new UpdateException("The download was interrupted", ex);
} catch (ExecutionException ex) {
downloadExecutors.shutdownNow();
processExecutor.shutdownNow();
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during download execution", ex);
LOGGER.log(Level.FINE, "Thread was interrupted during download execution", ex);
throw new UpdateException("The execution of the download was interrupted", ex);
}
if (task == null) {
downloadExecutors.shutdownNow();
processExecutor.shutdownNow();
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during download");
LOGGER.log(Level.FINE, "Thread was interrupted during download");
throw new UpdateException("The download was interrupted; unable to complete the update");
} else {
processFutures.add(task);
@@ -161,11 +165,11 @@ public class StandardUpdate {
}
} catch (InterruptedException ex) {
processExecutor.shutdownNow();
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during processing", ex);
LOGGER.log(Level.FINE, "Thread was interrupted during processing", ex);
throw new UpdateException(ex);
} catch (ExecutionException ex) {
processExecutor.shutdownNow();
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Execution Exception during process", ex);
LOGGER.log(Level.FINE, "Execution Exception during process", ex);
throw new UpdateException(ex);
} finally {
processExecutor.shutdown();
@@ -197,10 +201,10 @@ public class StandardUpdate {
updates = retrieveCurrentTimestampsFromWeb();
} catch (InvalidDataException ex) {
final String msg = "Unable to retrieve valid timestamp from nvd cve downloads page";
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, msg, ex);
LOGGER.log(Level.FINE, msg, ex);
throw new DownloadFailedException(msg, ex);
} catch (InvalidSettingException ex) {
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Invalid setting found when retrieving timestamps", ex);
LOGGER.log(Level.FINE, "Invalid setting found when retrieving timestamps", ex);
throw new DownloadFailedException("Invalid settings", ex);
}
@@ -233,9 +237,7 @@ public class StandardUpdate {
} catch (NumberFormatException ex) {
final String msg = String.format("Error parsing '%s' '%s' from nvdcve.lastupdated",
DatabaseProperties.LAST_UPDATED_BASE, entry.getId());
Logger
.getLogger(StandardUpdate.class
.getName()).log(Level.FINE, msg, ex);
LOGGER.log(Level.FINE, msg, ex);
}
if (currentTimestamp == entry.getTimestamp()) {
entry.setNeedsUpdate(false);
@@ -245,8 +247,8 @@ public class StandardUpdate {
}
} catch (NumberFormatException ex) {
final String msg = "An invalid schema version or timestamp exists in the data.properties file.";
Logger.getLogger(StandardUpdate.class.getName()).log(Level.WARNING, msg);
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "", ex);
LOGGER.log(Level.WARNING, msg);
LOGGER.log(Level.FINE, "", ex);
}
}
return updates;
@@ -290,7 +292,7 @@ public class StandardUpdate {
try {
cveDB.close();
} catch (Throwable ignore) {
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINEST, "Error closing the cveDB", ignore);
LOGGER.log(Level.FINEST, "Error closing the cveDB", ignore);
}
}
}
@@ -309,7 +311,7 @@ public class StandardUpdate {
cveDB.open();
} catch (DatabaseException ex) {
closeDataStores();
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Database Exception opening databases", ex);
LOGGER.log(Level.FINE, "Database Exception opening databases", ex);
throw new UpdateException("Error updating the CPE/CVE data, please see the log file for more details.");
}
}
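Review bot: The `catch (InterruptedException ex)` blocks in the @@ -134 and @@ -161 hunks shut the executors down and throw UpdateException but never call `Thread.currentThread().interrupt();`, so the interrupt status is lost for callers further up the stack. Also, `new CallableDownloadTask(cve, processExecutor, cveDB, Settings.getInstance())` now throws UpdateException (per the CallableDownloadTask constructor in this commit), and if that propagates out of the submit loop it appears to bypass the `shutdownNow()` calls that the catch blocks below perform; verify that an enclosing try/finally covers this point or handle the exception inside the loop. The update method starts outside these hunks.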


@@ -21,37 +21,25 @@ import java.util.Iterator;
import java.util.ServiceLoader;
/**
* The CachedWebDataSource Service Loader. This class loads all services that implement
* org.owasp.dependencycheck.data.update.CachedWebDataSource.
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public final class UpdateService {
public class UpdateService {
/**
* the singleton reference to the service.
*/
private static UpdateService service;
/**
* the service loader for CachedWebDataSource.
*/
private final ServiceLoader<CachedWebDataSource> loader;
/**
* Creates a new instance of UpdateService
*/
private UpdateService() {
loader = ServiceLoader.load(CachedWebDataSource.class);
}
/**
* Retrieve the singleton instance of UpdateService.
* Creates a new instance of UpdateService.
*
* @return a singleton UpdateService.
* @param classLoader the ClassLoader to use when dynamically loading Analyzer and Update services
*/
public static synchronized UpdateService getInstance() {
if (service == null) {
service = new UpdateService();
}
return service;
public UpdateService(ClassLoader classLoader) {
loader = ServiceLoader.load(CachedWebDataSource.class, classLoader);
}
/**
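Review bot: The new constructor Javadoc says the ClassLoader is used "when dynamically loading Analyzer and Update services", but this class only loads CachedWebDataSource implementations; `@param classLoader the ClassLoader used to locate CachedWebDataSource service providers` would be accurate. The class header also drops `final` without gaining any overridable behaviour; keeping `public final class UpdateService` preserves the earlier guarantee. Since ServiceLoader instantiates whatever providers the supplied loader exposes, the Javadoc should also state that callers must pass a trusted class loader.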


@@ -27,6 +27,7 @@ import java.util.logging.Level;
import java.util.logging.Logger;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.update.NvdCveInfo;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.owasp.dependencycheck.utils.DownloadFailedException;
import org.owasp.dependencycheck.utils.Downloader;
import org.owasp.dependencycheck.utils.Settings;
@@ -38,17 +39,26 @@ import org.owasp.dependencycheck.utils.Settings;
*/
public class CallableDownloadTask implements Callable<Future<ProcessTask>> {
/**
* The Logger.
*/
private static final Logger LOGGER = Logger.getLogger(CallableDownloadTask.class.getName());
/**
* Simple constructor for the callable download task.
*
* @param nvdCveInfo the NVD CVE info
* @param processor the processor service to submit the downloaded files to
* @param cveDB the CVE DB to use to store the vulnerability data
* @param settings a reference to the global settings object; this is necessary so that when the thread is started
* the dependencies have a correct reference to the global settings.
* @throws UpdateException thrown if temporary files could not be created
*/
public CallableDownloadTask(NvdCveInfo nvdCveInfo, ExecutorService processor, CveDB cveDB) {
public CallableDownloadTask(NvdCveInfo nvdCveInfo, ExecutorService processor, CveDB cveDB, Settings settings) throws UpdateException {
this.nvdCveInfo = nvdCveInfo;
this.processorService = processor;
this.cveDB = cveDB;
this.settings = settings;
final File file1;
final File file2;
@@ -57,7 +67,7 @@ public class CallableDownloadTask implements Callable<Future<ProcessTask>> {
file1 = File.createTempFile("cve" + nvdCveInfo.getId() + "_", ".xml", Settings.getTempDirectory());
file2 = File.createTempFile("cve_1_2_" + nvdCveInfo.getId() + "_", ".xml", Settings.getTempDirectory());
} catch (IOException ex) {
return;
throw new UpdateException("Unable to create temporary files", ex);
}
this.first = file1;
this.second = file2;
@@ -75,6 +85,10 @@ public class CallableDownloadTask implements Callable<Future<ProcessTask>> {
* The NVD CVE Meta Data.
*/
private NvdCveInfo nvdCveInfo;
/**
* A reference to the global settings object.
*/
private Settings settings;
/**
* Get the value of nvdCveInfo.
@@ -163,30 +177,33 @@ public class CallableDownloadTask implements Callable<Future<ProcessTask>> {
@Override
public Future<ProcessTask> call() throws Exception {
try {
Settings.setInstance(settings);
final URL url1 = new URL(nvdCveInfo.getUrl());
final URL url2 = new URL(nvdCveInfo.getOldSchemaVersionUrl());
String msg = String.format("Download Started for NVD CVE - %s", nvdCveInfo.getId());
Logger.getLogger(CallableDownloadTask.class.getName()).log(Level.INFO, msg);
LOGGER.log(Level.INFO, msg);
try {
Downloader.fetchFile(url1, first);
Downloader.fetchFile(url2, second);
} catch (DownloadFailedException ex) {
msg = String.format("Download Failed for NVD CVE - %s%nSome CVEs may not be reported.", nvdCveInfo.getId());
Logger.getLogger(CallableDownloadTask.class.getName()).log(Level.WARNING, msg);
Logger.getLogger(CallableDownloadTask.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.WARNING, msg);
LOGGER.log(Level.FINE, null, ex);
return null;
}
msg = String.format("Download Complete for NVD CVE - %s", nvdCveInfo.getId());
Logger.getLogger(CallableDownloadTask.class.getName()).log(Level.INFO, msg);
LOGGER.log(Level.INFO, msg);
final ProcessTask task = new ProcessTask(cveDB, this);
final ProcessTask task = new ProcessTask(cveDB, this, settings);
return this.processorService.submit(task);
} catch (Throwable ex) {
final String msg = String.format("An exception occurred downloading NVD CVE - %s%nSome CVEs may not be reported.", nvdCveInfo.getId());
Logger.getLogger(CallableDownloadTask.class.getName()).log(Level.WARNING, msg);
Logger.getLogger(CallableDownloadTask.class.getName()).log(Level.FINE, "Download Task Failed", ex);
LOGGER.log(Level.WARNING, msg);
LOGGER.log(Level.FINE, "Download Task Failed", ex);
} finally {
Settings.cleanup();
}
return null;
}
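Review bot: The new field `private Settings settings;` is assigned only in the constructor and never reassigned, so `private final Settings settings;` documents the intent and matches how call() reads it. In call(), both `return null` paths — after the DownloadFailedException catch and after the broad Throwable catch — appear to leave the temp files `first` and `second` on disk, since cleanup() seems to be invoked only from ProcessTask on the processing path; consider calling `cleanup()` before returning null when the download fails, and confirm against the cleanup() definition, which is outside this hunk.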


@@ -32,11 +32,11 @@ import javax.xml.parsers.SAXParserFactory;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import org.owasp.dependencycheck.data.update.StandardUpdate;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.owasp.dependencycheck.data.update.xml.NvdCve12Handler;
import org.owasp.dependencycheck.data.update.xml.NvdCve20Handler;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
import org.owasp.dependencycheck.utils.Settings;
import org.xml.sax.SAXException;
/**
@@ -46,6 +46,10 @@ import org.xml.sax.SAXException;
*/
public class ProcessTask implements Callable<ProcessTask> {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(ProcessTask.class.getName());
/**
* A field to store any update exceptions that occur during the "call".
*/
@@ -80,17 +84,24 @@ public class ProcessTask implements Callable<ProcessTask> {
* A reference to the properties.
*/
private final DatabaseProperties properties;
/**
* A reference to the global settings object.
*/
private Settings settings;
/**
* Constructs a new ProcessTask used to process an NVD CVE update.
*
* @param cveDB the data store object
* @param filePair the download task that contains the URL references to download
* @param settings a reference to the global settings object; this is necessary so that when the thread is started
* the dependencies have a correct reference to the global settings.
*/
public ProcessTask(final CveDB cveDB, final CallableDownloadTask filePair) {
public ProcessTask(final CveDB cveDB, final CallableDownloadTask filePair, Settings settings) {
this.cveDB = cveDB;
this.filePair = filePair;
this.properties = cveDB.getDatabaseProperties();
this.settings = settings;
}
/**
@@ -103,9 +114,12 @@ public class ProcessTask implements Callable<ProcessTask> {
@Override
public ProcessTask call() throws Exception {
try {
Settings.setInstance(settings);
processFiles();
} catch (UpdateException ex) {
this.exception = ex;
} finally {
Settings.cleanup();
}
return this;
}
@@ -145,7 +159,7 @@ public class ProcessTask implements Callable<ProcessTask> {
*/
private void processFiles() throws UpdateException {
String msg = String.format("Processing Started for NVD CVE - %s", filePair.getNvdCveInfo().getId());
Logger.getLogger(StandardUpdate.class.getName()).log(Level.INFO, msg);
LOGGER.log(Level.INFO, msg);
try {
importXML(filePair.getFirst(), filePair.getSecond());
cveDB.commit();
@@ -168,6 +182,6 @@ public class ProcessTask implements Callable<ProcessTask> {
filePair.cleanup();
}
msg = String.format("Processing Complete for NVD CVE - %s", filePair.getNvdCveInfo().getId());
Logger.getLogger(StandardUpdate.class.getName()).log(Level.INFO, msg);
LOGGER.log(Level.INFO, msg);
}
}
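Review bot: The new field `private Settings settings;` is the only non-final field among `cveDB`, `filePair` and `properties` and is assigned exactly once in the constructor, so `private final Settings settings;` keeps the class consistent. Likewise the new constructor parameter `Settings settings` lacks the `final` that the neighbouring `final CveDB cveDB, final CallableDownloadTask filePair` parameters carry. processFiles starts and ends outside its hunks.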


@@ -40,6 +40,10 @@ import org.xml.sax.helpers.DefaultHandler;
*/
public class NvdCve20Handler extends DefaultHandler {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(NvdCve20Handler.class.getName());
/**
* the current supported schema version.
*/
@@ -168,8 +172,8 @@ public class NvdCve20Handler extends DefaultHandler {
final float score = Float.parseFloat(nodeText.toString());
vulnerability.setCvssScore(score);
} catch (NumberFormatException ex) {
Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.SEVERE, "Error parsing CVSS Score.");
Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.SEVERE, "Error parsing CVSS Score.");
LOGGER.log(Level.FINE, null, ex);
}
nodeText = null;
} else if (current.isCVSSAccessVectorNode()) {
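Review bot: `LOGGER.log(Level.SEVERE, "Error parsing CVSS Score.");` reports the failure without the value that failed to parse, and at SEVERE even though handling continues with the vulnerability simply missing its score. Including the text and lowering the level, e.g. `LOGGER.log(Level.WARNING, String.format("Error parsing CVSS Score '%s'.", nodeText));`, makes the bad NVD record findable without implying the update itself failed. The enclosing handler method starts and ends outside the hunk.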


@@ -37,6 +37,10 @@ import org.owasp.dependencycheck.utils.FileUtils;
*/
public class Dependency implements Comparable<Dependency> {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(Dependency.class.getName());
/**
* The actual file path of the dependency on disk.
*/
@@ -87,6 +91,8 @@ public class Dependency implements Comparable<Dependency> {
versionEvidence = new EvidenceCollection();
identifiers = new TreeSet<Identifier>();
vulnerabilities = new TreeSet<Vulnerability>(new VulnerabilityComparator());
suppressedIdentifiers = new TreeSet<Identifier>();
suppressedVulnerabilities = new TreeSet<Vulnerability>(new VulnerabilityComparator());
}
/**
@@ -290,6 +296,69 @@ public class Dependency implements Comparable<Dependency> {
public void addIdentifier(Identifier identifier) {
this.identifiers.add(identifier);
}
/**
* A set of identifiers that have been suppressed.
*/
private Set<Identifier> suppressedIdentifiers;
/**
* Get the value of suppressedIdentifiers.
*
* @return the value of suppressedIdentifiers
*/
public Set<Identifier> getSuppressedIdentifiers() {
return suppressedIdentifiers;
}
/**
* Set the value of suppressedIdentifiers.
*
* @param suppressedIdentifiers new value of suppressedIdentifiers
*/
public void setSuppressedIdentifiers(Set<Identifier> suppressedIdentifiers) {
this.suppressedIdentifiers = suppressedIdentifiers;
}
/**
* Adds an identifier to the list of suppressed identifiers.
*
* @param identifier an identifier that was suppressed.
*/
public void addSuppressedIdentifier(Identifier identifier) {
this.suppressedIdentifiers.add(identifier);
}
/**
* A set of vulnerabilities that have been suppressed.
*/
private SortedSet<Vulnerability> suppressedVulnerabilities;
/**
* Get the value of suppressedVulnerabilities.
*
* @return the value of suppressedVulnerabilities
*/
public SortedSet<Vulnerability> getSuppressedVulnerabilities() {
return suppressedVulnerabilities;
}
/**
* Set the value of suppressedVulnerabilities.
*
* @param suppressedVulnerabilities new value of suppressedVulnerabilities
*/
public void setSuppressedVulnerabilities(SortedSet<Vulnerability> suppressedVulnerabilities) {
this.suppressedVulnerabilities = suppressedVulnerabilities;
}
/**
* Adds a vulnerability to the set of suppressed vulnerabilities.
*
* @param vulnerability the vulnerability that was suppressed
*/
public void addSuppressedVulnerability(Vulnerability vulnerability) {
this.suppressedVulnerabilities.add(vulnerability);
}
/**
* Returns the evidence used to identify this dependency.
@@ -415,12 +484,12 @@ public class Dependency implements Comparable<Dependency> {
sha1 = Checksum.getSHA1Checksum(file);
} catch (IOException ex) {
final String msg = String.format("Unable to read '%s' to determine hashes.", file.getName());
Logger.getLogger(Dependency.class.getName()).log(Level.WARNING, msg);
Logger.getLogger(Dependency.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.WARNING, msg);
LOGGER.log(Level.FINE, null, ex);
} catch (NoSuchAlgorithmException ex) {
final String msg = "Unable to use MD5 of SHA1 checksums.";
Logger.getLogger(Dependency.class.getName()).log(Level.WARNING, msg);
Logger.getLogger(Dependency.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.WARNING, msg);
LOGGER.log(Level.FINE, null, ex);
}
this.setMd5sum(md5);
this.setSha1sum(sha1);
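Review bot: `setSuppressedIdentifiers` and `setSuppressedVulnerabilities` store whatever the caller passes, so a `null` argument makes the next `addSuppressedIdentifier`/`addSuppressedVulnerability` (called from SuppressionRule in this same change) fail with a NullPointerException far from its cause; a guard such as `this.suppressedIdentifiers = suppressedIdentifiers == null ? new TreeSet<Identifier>() : suppressedIdentifiers;` keeps the invariant the constructor establishes. The two getters hand out the live internal sets rather than a read-only view, which presumably matches the existing accessors but means report or analyzer code can mutate suppression state without going through the `add*` methods. The context line `"Unable to use MD5 of SHA1 checksums."` in the last hunk reads `of` where `or` is meant.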


@@ -38,6 +38,10 @@ import org.owasp.dependencycheck.utils.UrlStringUtils;
*/
public class EvidenceCollection implements Iterable<Evidence> {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(EvidenceCollection.class.getName());
/**
* Used to iterate over highest confidence evidence contained in the collection.
*/
@@ -360,7 +364,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
final List<String> data = UrlStringUtils.extractImportantUrlData(part);
sb.append(' ').append(StringUtils.join(data, ' '));
} catch (MalformedURLException ex) {
Logger.getLogger(EvidenceCollection.class.getName()).log(Level.FINE, "error parsing " + part, ex);
LOGGER.log(Level.FINE, "error parsing " + part, ex);
sb.append(' ').append(part);
}
} else {


@@ -31,6 +31,10 @@ import org.owasp.dependencycheck.data.cpe.IndexEntry;
*/
public class VulnerableSoftware extends IndexEntry implements Serializable, Comparable<VulnerableSoftware> {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(VulnerableSoftware.class.getName());
/**
* The serial version UID.
*/
@@ -46,8 +50,8 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
parseName(cpe);
} catch (UnsupportedEncodingException ex) {
final String msg = String.format("Character encoding is unsupported for CPE '%s'.", cpe);
Logger.getLogger(VulnerableSoftware.class.getName()).log(Level.WARNING, msg);
Logger.getLogger(VulnerableSoftware.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.WARNING, msg);
LOGGER.log(Level.FINE, null, ex);
setName(cpe);
}
}


@@ -56,16 +56,16 @@ public class MavenNamespaceFilter extends XMLFilterImpl {
* @param uri the uri
* @param localName the localName
* @param qName the qualified name
* @param atts the attributes
* @param attributes the attributes
* @throws SAXException thrown if there is a SAXException
*/
@Override
public void startElement(String uri, String localName, String qName, Attributes atts) throws SAXException {
super.startElement(NAMESPACE, localName, qName, atts);
public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
super.startElement(NAMESPACE, localName, qName, attributes);
}
/**
* Indicatees the start of the document.
* Indicates the start of the document.
*
* @param uri the uri
* @param localName the localName


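--- /dev/null
+++ b/org/owasp/dependencycheck/reporting/EscapeTool.java
@@ -0,0 +1,74 @@
+/*
+* This file is part of dependency-check-core.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*
+* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+*/
+package org.owasp.dependencycheck.reporting;
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.apache.commons.lang.StringEscapeUtils;
+/**
+* An extremely simple wrapper around various escape utils to perform URL and HTML encoding within the reports. This
+* class was created to simplify the velocity configuration and avoid using the "built-in" escape tool.
+*
+* @author Jeremy Long <jeremy.long@owasp.org>
+*/
+public class EscapeTool {
+/**
+* The logger.
+*/
+private static final Logger LOGGER = Logger.getLogger(EscapeTool.class.getName());
+/**
+* URL Encodes the provided text.
+*
+* @param text the text to encode
+* @return the URL encoded text
+*/
+public String url(String text) {
+try {
+return URLEncoder.encode(text, "UTF-8");
+} catch (UnsupportedEncodingException ex) {
+LOGGER.log(Level.WARNING, "UTF-8 is not supported?");
+LOGGER.log(Level.INFO, null, ex);
+}
+return "";
+}
+/**
+* HTML Encodes the provided text.
+*
+* @param text the text to encode
+* @return the HTML encoded text
+*/
+public String html(String text) {
+return StringEscapeUtils.escapeHtml(text);
+}
+/**
+* XML Encodes the provided text.
+*
+* @param text the text to encode
+* @return the XML encoded text
+*/
+public String xml(String text) {
+return StringEscapeUtils.escapeXml(text);
+}
+}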
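Review bot: `html()` delegates to commons-lang 2's `StringEscapeUtils.escapeHtml`, which does not escape the single quote, so a value that a template places inside a single-quoted attribute is not neutralized; since this class is the report's output-encoding layer, either document that `html()` is only safe for element text and double-quoted attributes, or post-process: `return text == null ? null : StringEscapeUtils.escapeHtml(text).replace("'", "&#39;");`. `url()` also differs from its siblings on null input: `URLEncoder.encode(null, ...)` throws NullPointerException while `escapeHtml(null)`/`escapeXml(null)` return null, so a template that passes an absent field aborts report generation. The `UnsupportedEncodingException` branch cannot occur for `"UTF-8"`, and returning `""` there silently hides what would be a broken JVM; rethrowing as `IllegalStateException` with `ex` as the cause is the more honest handling.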


@@ -26,15 +26,16 @@ import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.context.Context;
import org.apache.velocity.runtime.RuntimeConstants;
import org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader;
import org.apache.velocity.tools.ToolManager;
import org.apache.velocity.tools.config.EasyFactoryConfiguration;
import org.owasp.dependencycheck.analyzer.Analyzer;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import org.owasp.dependencycheck.dependency.Dependency;
@@ -48,6 +49,11 @@ import org.owasp.dependencycheck.utils.Settings;
*/
public class ReportGenerator {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(ReportGenerator.class.getName());
/**
* An enumeration of the report formats.
*/
@@ -93,10 +99,20 @@ public class ReportGenerator {
engine.init();
final DateFormat dateFormat = new SimpleDateFormat("MMM d, yyyy 'at' HH:mm:ss z");
final DateFormat dateFormatXML = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ");
final Date d = new Date();
final String scanDate = dateFormat.format(d);
final String scanDateXML = dateFormatXML.format(d);
final EscapeTool enc = new EscapeTool();
context.put("applicationName", applicationName);
context.put("dependencies", dependencies);
context.put("analyzers", analyzers);
context.put("properties", properties);
context.put("scanDate", scanDate);
context.put("scanDateXML", scanDateXML);
context.put("enc", enc);
context.put("version", Settings.getString("application.version", "Unknown"));
}
@@ -106,28 +122,19 @@ public class ReportGenerator {
* @return a velocity engine.
*/
private VelocityEngine createVelocityEngine() {
final VelocityEngine ve = new VelocityEngine();
ve.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS, VelocityLoggerRedirect.class.getName());
ve.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
ve.setProperty("classpath.resource.loader.class", ClasspathResourceLoader.class.getName());
return ve;
final VelocityEngine engine = new VelocityEngine();
// Logging redirection for Velocity - Required by Jenkins and other server applications
engine.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS, VelocityLoggerRedirect.class.getName());
return engine;
}
/**
* Creates a new Velocity Context initialized with escape and date tools.
* Creates a new Velocity Context.
*
* @return a Velocity Context.
*/
@edu.umd.cs.findbugs.annotations.SuppressWarnings(value = "RV_RETURN_VALUE_IGNORED_INFERRED",
justification = "No plan to fix this style issue")
private Context createContext() {
final ToolManager manager = new ToolManager();
final Context c = manager.createContext();
final EasyFactoryConfiguration config = new EasyFactoryConfiguration();
config.addDefaultTools();
config.toolbox("application").tool("esc", "org.apache.velocity.tools.generic.EscapeTool").tool("org.apache.velocity.tools.generic.DateTool");
manager.configure(config);
return c;
return new VelocityContext();
}
/**
@@ -196,8 +203,8 @@ public class ReportGenerator {
input = new FileInputStream(f);
} catch (FileNotFoundException ex) {
final String msg = "Unable to generate the report, the report template file could not be found.";
Logger.getLogger(ReportGenerator.class.getName()).log(Level.SEVERE, msg);
Logger.getLogger(ReportGenerator.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.SEVERE, msg);
LOGGER.log(Level.FINE, null, ex);
}
} else {
templatePath = "templates/" + templateName + ".vsl";
@@ -232,20 +239,20 @@ public class ReportGenerator {
try {
writer.close();
} catch (IOException ex) {
Logger.getLogger(ReportGenerator.class.getName()).log(Level.FINEST, null, ex);
LOGGER.log(Level.FINEST, null, ex);
}
}
if (outputStream != null) {
try {
outputStream.close();
} catch (IOException ex) {
Logger.getLogger(ReportGenerator.class.getName()).log(Level.FINEST, null, ex);
LOGGER.log(Level.FINEST, null, ex);
}
}
try {
reader.close();
} catch (IOException ex) {
Logger.getLogger(ReportGenerator.class.getName()).log(Level.FINEST, null, ex);
LOGGER.log(Level.FINEST, null, ex);
}
}
}
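Review bot: The FindBugs `@SuppressWarnings("RV_RETURN_VALUE_IGNORED_INFERRED")` on `createContext` looks stale: the ignored return value it justified was the removed `config.toolbox(...)` chain, and the new body is just `return new VelocityContext();`, so the annotation and its `justification` should go with it. `createVelocityEngine` also drops the classpath resource-loader properties while keeping only the log redirection; if templates are always fed through the `reader` visible in the last hunk this is fine, but any remaining `getTemplate` lookup would now fail to resolve, which deserves a test. In that last hunk `reader.close()` is the only close not guarded by a null check, unlike `writer` and `outputStream`; the enclosing method starts outside the hunk, so whether `reader` can be null there is not visible.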


@@ -19,7 +19,6 @@ package org.owasp.dependencycheck.reporting;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.velocity.app.Velocity;
import org.apache.velocity.runtime.RuntimeServices;
import org.apache.velocity.runtime.log.LogChute;
@@ -37,6 +36,11 @@ import org.apache.velocity.runtime.log.LogChute;
*/
public class VelocityLoggerRedirect implements LogChute {
/**
* The Logger.
*/
private static final Logger LOGGER = Logger.getLogger(VelocityLoggerRedirect.class.getName());
/**
* This will be invoked once by the LogManager.
*
@@ -54,7 +58,7 @@ public class VelocityLoggerRedirect implements LogChute {
* @param message the message to be logged
*/
public void log(int level, String message) {
Logger.getLogger(Velocity.class.getName()).log(getLevel(level), message);
LOGGER.log(getLevel(level), message);
}
/**
@@ -66,7 +70,7 @@ public class VelocityLoggerRedirect implements LogChute {
* @param t a throwable to log
*/
public void log(int level, String message, Throwable t) {
Logger.getLogger(Velocity.class.getName()).log(getLevel(level), message, t);
LOGGER.log(getLevel(level), message, t);
}
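Review bot: Switching both `log` overloads from `Logger.getLogger(Velocity.class.getName())` to the class's own `LOGGER` changes the logger name under which every Velocity message is emitted, from `org.apache.velocity.app.Velocity` to `org.owasp.dependencycheck.reporting.VelocityLoggerRedirect`. Any `logging.properties` entry that quieted or raised the `org.apache.velocity` hierarchy no longer applies to these messages, which is worth a line in the class Javadoc, e.g. `Velocity log output is emitted under this class's logger name, not under org.apache.velocity.`. The `org.apache.velocity.app.Velocity` import is removed in the same change, so the renaming appears intentional.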
/**


@@ -30,6 +30,11 @@ import org.xml.sax.SAXParseException;
*/
public class SuppressionErrorHandler implements ErrorHandler {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(SuppressionErrorHandler.class.getName());
/**
* Builds a prettier exception message.
*
@@ -65,7 +70,7 @@ public class SuppressionErrorHandler implements ErrorHandler {
*/
@Override
public void warning(SAXParseException ex) throws SAXException {
Logger.getLogger(SuppressionErrorHandler.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
}
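Review bot: `warning` now logs at FINE with a `null` message, so a parser warning about a user's suppression file is effectively invisible in a normal run and the only text available is the stack trace. The class has a helper described as building a prettier exception message (its Javadoc opens this section), which suggests `LOGGER.log(Level.WARNING, <pretty message>, ex)`, or at least a non-null message such as `"Warning while parsing the suppression file"`. The helper's signature is outside the hunk, so the exact call is not visible.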
/**


@@ -164,7 +164,7 @@ public class SuppressionHandler extends DefaultHandler {
pt.setRegex(Boolean.parseBoolean(regex));
}
final String caseSensitive = currentAttributes.getValue("caseSensitive");
if (regex != null) {
if (caseSensitive != null) {
pt.setCaseSensitive(Boolean.parseBoolean(caseSensitive));
}
}


@@ -41,6 +41,10 @@ import org.xml.sax.XMLReader;
*/
public class SuppressionParser {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(SuppressionParser.class.getName());
/**
* JAXP Schema Language. Source: http://docs.oracle.com/javase/tutorial/jaxp/sax/validation.html
*/
@@ -85,16 +89,16 @@ public class SuppressionParser {
return handler.getSuppressionRules();
} catch (ParserConfigurationException ex) {
Logger.getLogger(SuppressionParser.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
throw new SuppressionParseException(ex);
} catch (SAXException ex) {
Logger.getLogger(SuppressionParser.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
throw new SuppressionParseException(ex);
} catch (FileNotFoundException ex) {
Logger.getLogger(SuppressionParser.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
throw new SuppressionParseException(ex);
} catch (IOException ex) {
Logger.getLogger(SuppressionParser.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
throw new SuppressionParseException(ex);
}
}
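Review bot: The four `catch` blocks in `@@ -85,16 +89,16 @@` are identical apart from the exception type, and `FileNotFoundException` is already an `IOException`, so the third block merely duplicates the fourth; if the build targets Java 7 a single `catch (ParserConfigurationException | SAXException | IOException ex)` replaces all four, otherwise dropping the `FileNotFoundException` block is still behaviour-preserving. Separately, the section shows the `XMLReader` import and the JAXP schema constant but not how the reader is configured; as the suppression file is user-supplied XML, confirm outside the hunk that DTD processing and external entity resolution are disabled on it.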


@@ -254,6 +254,7 @@ public class SuppressionRule {
final Identifier i = itr.next();
for (PropertyType c : this.cpe) {
if (cpeMatches(c, i)) {
dependency.addSuppressedIdentifier(i);
itr.remove();
break;
}
@@ -292,6 +293,7 @@ public class SuppressionRule {
}
}
if (remove) {
dependency.addSuppressedVulnerability(v);
itr.remove();
}
}


@@ -20,7 +20,11 @@ import java.util.logging.Logger;
*
*/
public final class Checksum {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(Checksum.class.getName());
/**
* Private constructor for a utility class.
*/
@@ -57,7 +61,7 @@ public final class Checksum {
try {
fis.close();
} catch (IOException ex) {
Logger.getLogger(Checksum.class.getName()).log(Level.FINEST, "Error closing file '" + file.getName() + "'.", ex);
LOGGER.log(Level.FINEST, "Error closing file '" + file.getName() + "'.", ex);
}
}
}


@@ -23,7 +23,6 @@ import java.sql.SQLException;
import java.sql.Statement;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
/**
@@ -32,6 +31,11 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
*/
public final class DBUtils {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(DBUtils.class.getName());
/**
* Private constructor for a utility class.
*/
@@ -70,8 +74,7 @@ public final class DBUtils {
try {
statement.close();
} catch (SQLException ex) {
Logger.getLogger(CveDB.class
.getName()).log(Level.FINEST, statement.toString(), ex);
LOGGER.log(Level.FINEST, statement.toString(), ex);
}
}
}
@@ -86,8 +89,7 @@ public final class DBUtils {
try {
rs.close();
} catch (SQLException ex) {
Logger.getLogger(CveDB.class
.getName()).log(Level.FINEST, rs.toString(), ex);
LOGGER.log(Level.FINEST, rs.toString(), ex);
}
}
}


@@ -47,10 +47,10 @@ public class DependencyVersion implements Iterable, Comparable<DependencyVersion
/**
* Constructor for a DependencyVersion that will parse a version string.
* <b>Note</b>, this should only be used when the version passed in is already known to be a well formated version
* <b>Note</b>, this should only be used when the version passed in is already known to be a well formatted version
* number. Otherwise, DependencyVersionUtil.parseVersion() should be used instead.
*
* @param version the well formated version number to parse
* @param version the well formatted version number to parse
*/
public DependencyVersion(String version) {
parseVersion(version);


@@ -37,6 +37,11 @@ import java.util.zip.InflaterInputStream;
*/
public final class Downloader {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(Downloader.class.getName());
/**
* Private constructor for utility class.
*/
@@ -124,7 +129,7 @@ public final class Downloader {
try {
writer.close();
} catch (Throwable ex) {
Logger.getLogger(Downloader.class.getName()).log(Level.FINEST,
LOGGER.log(Level.FINEST,
"Error closing the writer in Downloader.", ex);
}
}
@@ -132,7 +137,7 @@ public final class Downloader {
try {
reader.close();
} catch (Throwable ex) {
Logger.getLogger(Downloader.class.getName()).log(Level.FINEST,
LOGGER.log(Level.FINEST,
"Error closing the reader in Downloader.", ex);
}
}


@@ -40,6 +40,10 @@ import org.owasp.dependencycheck.Engine;
*/
public final class FileUtils {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(FileUtils.class.getName());
/**
* Bit bucket for non-Windows systems
*/
@@ -87,7 +91,7 @@ public final class FileUtils {
if (!org.apache.commons.io.FileUtils.deleteQuietly(file)) {
success = false;
final String msg = String.format("Failed to delete file: %s; attempting to delete on exit.", file.getPath());
Logger.getLogger(FileUtils.class.getName()).log(Level.FINE, msg);
LOGGER.log(Level.FINE, msg);
file.deleteOnExit();
}
return success;
@@ -103,11 +107,6 @@ public final class FileUtils {
*/
public static File getTempFile(String prefix, String extension) throws IOException {
final File dir = Settings.getTempDirectory();
if (!dir.exists()) {
if (!dir.mkdirs()) {
throw new IOException("Unable to create temporary folder");
}
}
final String tempFileName = String.format("%s%s.%s", prefix, UUID.randomUUID().toString(), extension);
final File tempFile = new File(dir, tempFileName);
if (tempFile.exists()) {
@@ -188,7 +187,7 @@ public final class FileUtils {
try {
fis = new FileInputStream(archive);
} catch (FileNotFoundException ex) {
Logger.getLogger(FileUtils.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
throw new ExtractionException("Archive file was not found.", ex);
}
zis = new ZipInputStream(new BufferedInputStream(fis));
@@ -217,11 +216,11 @@ public final class FileUtils {
}
bos.flush();
} catch (FileNotFoundException ex) {
Logger.getLogger(FileUtils.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
final String msg = String.format("Unable to find file '%s'.", file.getName());
throw new ExtractionException(msg, ex);
} catch (IOException ex) {
Logger.getLogger(FileUtils.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
final String msg = String.format("IO Exception while parsing file '%s'.", file.getName());
throw new ExtractionException(msg, ex);
} finally {
@@ -229,7 +228,7 @@ public final class FileUtils {
try {
bos.close();
} catch (IOException ex) {
Logger.getLogger(FileUtils.class.getName()).log(Level.FINEST, null, ex);
LOGGER.log(Level.FINEST, null, ex);
}
}
}
@@ -238,13 +237,13 @@ public final class FileUtils {
}
} catch (IOException ex) {
final String msg = String.format("Exception reading archive '%s'.", archive.getName());
Logger.getLogger(FileUtils.class.getName()).log(Level.FINE, msg, ex);
LOGGER.log(Level.FINE, msg, ex);
throw new ExtractionException(msg, ex);
} finally {
try {
zis.close();
} catch (IOException ex) {
Logger.getLogger(FileUtils.class.getName()).log(Level.FINEST, null, ex);
LOGGER.log(Level.FINEST, null, ex);
}
}
}
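Review bot: The `@@ -217,11 +216,11 @@` hunk shows the per-entry copy through `bos` but the code that turns each archive entry's name into the destination `file` lies outside it; since the archives being extracted are scan input rather than trusted project files, confirm there that the resolved path is canonicalized and checked to stay under the extraction directory before the stream is written, and note the outcome in the method's Javadoc. In `getTempFile` the directory-creation block is removed in favour of `Settings.getTempDirectory()` throwing, so the method's `@throws IOException` text (just above the hunk) should now say the failure comes from creating the configured temp directory. `delete` at `@@ -87,7 +91,7 @@` only logs the failed deletion at FINE before falling back to `deleteOnExit`, which leaves extracted content on disk for the rest of the JVM's life without any visible signal; WARNING seems the more appropriate level.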


@@ -32,6 +32,11 @@ import java.util.logging.SimpleFormatter;
*/
public final class LogUtils {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(LogUtils.class.getName());
/**
* Private constructor for a utility class.
*/
@@ -59,15 +64,15 @@ public final class LogUtils {
logger.setLevel(Level.FINE);
}
} catch (IOException ex) {
Logger.getLogger(LogUtils.class.getName()).log(Level.FINE, "IO Error preparing the logger", ex);
LOGGER.log(Level.FINE, "IO Error preparing the logger", ex);
} catch (SecurityException ex) {
Logger.getLogger(LogUtils.class.getName()).log(Level.FINE, "Error preparing the logger", ex);
LOGGER.log(Level.FINE, "Error preparing the logger", ex);
} finally {
if (in != null) {
try {
in.close();
} catch (Throwable ex) {
Logger.getLogger(LogUtils.class.getName()).log(Level.FINEST, "Error closing resource stream", ex);
LOGGER.log(Level.FINEST, "Error closing resource stream", ex);
}
}
}


@@ -38,11 +38,7 @@ import java.util.logging.Logger;
*/
public final class Settings {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(Settings.class.getName());
//<editor-fold defaultstate="collapsed" desc="KEYS used to access settings">
/**
* The collection of keys used within the properties file.
*/
@@ -198,14 +194,20 @@ public final class Settings {
*/
public static final String SKIP_PROVIDED_SCOPE = "skip.provided.scope";
}
//</editor-fold>
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(Settings.class.getName());
/**
* The properties file location.
*/
private static final String PROPERTIES_FILE = "dependencycheck.properties";
/**
* The singleton instance variable.
* Thread local settings.
*/
private static final Settings INSTANCE = new Settings();
private static ThreadLocal<Settings> localSettings = new ThreadLocal();
/**
* The properties.
*/
@@ -221,20 +223,60 @@ public final class Settings {
in = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
props.load(in);
} catch (IOException ex) {
Logger.getLogger(Settings.class.getName()).log(Level.SEVERE, "Unable to load default settings.");
Logger.getLogger(Settings.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.SEVERE, "Unable to load default settings.");
LOGGER.log(Level.FINE, null, ex);
} finally {
if (in != null) {
try {
in.close();
} catch (IOException ex) {
Logger.getLogger(Settings.class.getName()).log(Level.FINEST, null, ex);
LOGGER.log(Level.FINEST, null, ex);
}
}
}
logProperties("Properties loaded", props);
}
/**
* Initializes the thread local settings object. Note, to use the settings object you must call this method.
* However, you must also call Settings.cleanup() to properly release resources.
*/
public static void initialize() {
localSettings.set(new Settings());
}
/**
* Cleans up resources to prevent memory leaks.
*/
public static void cleanup() {
if (tempDirectory != null && tempDirectory.exists()) {
FileUtils.delete(tempDirectory);
}
try {
localSettings.remove();
} catch (Throwable ex) {
LOGGER.log(Level.FINE, "Error cleaning up Settings", ex);
}
}
/**
* Gets the underlying instance of the Settings object.
*
* @return the Settings object
*/
public static Settings getInstance() {
return localSettings.get();
}
/**
* Sets the instance of the Settings object to use in this thread.
*
* @param instance the instance of the settings object to use in this thread
*/
public static void setInstance(Settings instance) {
localSettings.set(instance);
}
/**
* Logs the properties. This will not log any properties that contain 'password' in the key.
*
@@ -278,7 +320,7 @@ public final class Settings {
* @param value the value for the property
*/
public static void setString(String key, String value) {
INSTANCE.props.setProperty(key, value);
localSettings.get().props.setProperty(key, value);
if (LOGGER.isLoggable(Level.FINE)) {
LOGGER.fine(String.format("Setting: %s='%s'", key, value));
}
@@ -292,9 +334,9 @@ public final class Settings {
*/
public static void setBoolean(String key, boolean value) {
if (value) {
INSTANCE.props.setProperty(key, Boolean.TRUE.toString());
localSettings.get().props.setProperty(key, Boolean.TRUE.toString());
} else {
INSTANCE.props.setProperty(key, Boolean.FALSE.toString());
localSettings.get().props.setProperty(key, Boolean.FALSE.toString());
}
if (LOGGER.isLoggable(Level.FINE)) {
LOGGER.fine(String.format("Setting: %s='%b'", key, value));
@@ -338,8 +380,8 @@ public final class Settings {
* @throws IOException is thrown when there is an exception loading/merging the properties
*/
public static void mergeProperties(InputStream stream) throws IOException {
INSTANCE.props.load(stream);
logProperties("Properties updated via merge", INSTANCE.props);
localSettings.get().props.load(stream);
logProperties("Properties updated via merge", localSettings.get().props);
}
/**
@@ -372,16 +414,16 @@ public final class Settings {
*/
public static File getDataFile(String key) {
final String file = getString(key);
Logger.getLogger(Settings.class.getName()).log(Level.FINE, String.format("Settings.getDataFile() - file: '%s'", file));
LOGGER.log(Level.FINE, String.format("Settings.getDataFile() - file: '%s'", file));
if (file == null) {
return null;
}
if (file.startsWith("[JAR]")) {
Logger.getLogger(Settings.class.getName()).log(Level.FINE, "Settings.getDataFile() - transforming filename");
LOGGER.log(Level.FINE, "Settings.getDataFile() - transforming filename");
final File jarPath = getJarPath();
Logger.getLogger(Settings.class.getName()).log(Level.FINE, String.format("Settings.getDataFile() - jar file: '%s'", jarPath.toString()));
LOGGER.log(Level.FINE, String.format("Settings.getDataFile() - jar file: '%s'", jarPath.toString()));
final File retVal = new File(jarPath, file.substring(6));
Logger.getLogger(Settings.class.getName()).log(Level.FINE, String.format("Settings.getDataFile() - returning: '%s'", retVal.toString()));
LOGGER.log(Level.FINE, String.format("Settings.getDataFile() - returning: '%s'", retVal.toString()));
return retVal;
}
return new File(file);
@@ -398,7 +440,7 @@ public final class Settings {
try {
decodedPath = URLDecoder.decode(jarPath, "UTF-8");
} catch (UnsupportedEncodingException ex) {
Logger.getLogger(Settings.class.getName()).log(Level.FINEST, null, ex);
LOGGER.log(Level.FINEST, null, ex);
}
final File path = new File(decodedPath);
@@ -419,17 +461,32 @@ public final class Settings {
* @return the property from the properties file
*/
public static String getString(String key, String defaultValue) {
final String str = System.getProperty(key, INSTANCE.props.getProperty(key, defaultValue));
final String str = System.getProperty(key, localSettings.get().props.getProperty(key, defaultValue));
return str;
}
/**
* A reference to the temporary directory; used incase it needs to be deleted during cleanup.
*/
private static File tempDirectory = null;
/**
* Returns the temporary directory.
*
* @return the temporary directory
* @throws java.io.IOException thrown if the temporary directory does not exist and cannot be created
*/
public static File getTempDirectory() {
return new File(Settings.getString(Settings.KEYS.TEMP_DIRECTORY, System.getProperty("java.io.tmpdir")));
public static File getTempDirectory() throws IOException {
final File tmpDir = new File(Settings.getString(Settings.KEYS.TEMP_DIRECTORY, System.getProperty("java.io.tmpdir")));
if (!tmpDir.exists()) {
if (!tmpDir.mkdirs()) {
final String msg = String.format("Unable to make a temporary folder '%s'", tmpDir.getPath());
throw new IOException(msg);
} else {
tempDirectory = tmpDir;
}
}
return tmpDir;
}
/**
@@ -441,7 +498,7 @@ public final class Settings {
* @return the property from the properties file
*/
public static String getString(String key) {
return System.getProperty(key, INSTANCE.props.getProperty(key));
return System.getProperty(key, localSettings.get().props.getProperty(key));
}
/**
@@ -450,7 +507,7 @@ public final class Settings {
* @param key the property key to remove
*/
public static void removeProperty(String key) {
INSTANCE.props.remove(key);
localSettings.get().props.remove(key);
}
/**
@@ -488,7 +545,7 @@ public final class Settings {
value = Integer.parseInt(Settings.getString(key));
} catch (NumberFormatException ex) {
final String msg = String.format("Could not convert property '%s' to an int.", key);
Logger.getLogger(Settings.class.getName()).log(Level.FINEST, msg, ex);
LOGGER.log(Level.FINEST, msg, ex);
value = defaultValue;
}
return value;
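Review bot: `setString` (context lines in `@@ -278,7 +320,7 @@`) logs `Setting: %s='%s'` at FINE for every key, including `KEYS.PROXY_PASSWORD` which `URLConnectionFactory` reads from this same store, whereas `logProperties` is documented to skip keys containing `password`; mirror that filter here, `if (LOGGER.isLoggable(Level.FINE) && !key.contains("password")) {`, so a FINE-level log never carries the proxy credential. `new ThreadLocal()` at the `localSettings` declaration is a raw type and should be `new ThreadLocal<Settings>()`. Every accessor dereferences `localSettings.get()` directly, so a thread that never called `initialize()` or `setInstance()` fails with a bare NullPointerException inside `getString`; a small private helper that states the new per-thread contract (below) makes that failure diagnosable. `tempDirectory` also stays a static shared by all threads while the settings it is derived from are now per-thread, so `cleanup()` on one thread removes a directory another thread's settings may still point at; if single-threaded use is assumed, say so in the `cleanup` Javadoc.
```java
/** Returns this thread's Settings, failing loudly if initialize()/setInstance() was never called here. */
private static Settings current() {
    final Settings settings = localSettings.get();
    if (settings == null) {
        throw new IllegalStateException("Settings.initialize() has not been called on this thread");
    }
    return settings;
}
// … unchanged: accessors, with localSettings.get().props replaced by current().props …
```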


@@ -55,7 +55,7 @@ public final class URLConnectionFactory {
try {
if (proxyUrl != null) {
final int proxyPort = Settings.getInt(Settings.KEYS.PROXY_PORT);
final SocketAddress addr = new InetSocketAddress(proxyUrl, proxyPort);
final SocketAddress address = new InetSocketAddress(proxyUrl, proxyPort);
final String username = Settings.getString(Settings.KEYS.PROXY_USERNAME);
final String password = Settings.getString(Settings.KEYS.PROXY_PASSWORD);
@@ -72,7 +72,7 @@ public final class URLConnectionFactory {
Authenticator.setDefault(auth);
}
proxy = new Proxy(Proxy.Type.HTTP, addr);
proxy = new Proxy(Proxy.Type.HTTP, address);
conn = (HttpURLConnection) url.openConnection(proxy);
} else {
conn = (HttpURLConnection) url.openConnection();


@@ -13,8 +13,10 @@ max.download.threads=3
# will not be used. The data.directory will be resolved and if the connection string
# below contains a %s then the data.directory will replace the %s.
data.directory=[JAR]/data
data.connection_string=jdbc:h2:file:%s;AUTO_SERVER=TRUE;AUTOCOMMIT=ON;
data.connection_string=jdbc:h2:file:%s;FILE_LOCK=SERIALIZED;AUTOCOMMIT=ON;
#data.connection_string=jdbc:h2:file:%s;AUTO_SERVER=TRUE;AUTOCOMMIT=ON;
#data.connection_string=jdbc:mysql://localhost:3306/dependencycheck
# user name and password for the database connection. The inherent case is to use H2.
# As such, this unsecure username/password exist.
data.user=dcuser
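Review bot: The new default `FILE_LOCK=SERIALIZED` replaces `AUTO_SERVER=TRUE` as the way concurrent processes share the H2 file, but as far as I recall H2 documents serialized file locking as an experimental mode, so the commented-out alternative kept above it deserves a one-line comment saying when to switch back, e.g. `# FILE_LOCK=SERIALIZED lets concurrent builds share the file; fall back to AUTO_SERVER=TRUE if locking problems appear`. The existing comment already states that the `data.user`/password pair is not secret, which is fine for the embedded H2 default but worth repeating beside the MySQL example so the pair is not copied to a shared server.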


@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<xs:schema id="analysis" xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="https://www.owasp.org/index.php/OWASP_Dependency_Check#1.1">
<xs:schema id="analysis" xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="https://www.owasp.org/index.php/OWASP_Dependency_Check#1.2">
<xs:element name="analysis">
<xs:complexType>
<xs:sequence minOccurs="0" maxOccurs="unbounded">
@@ -119,64 +119,124 @@
<xs:element name="identifiers" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="identifier" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="url" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1" />
</xs:sequence>
<xs:attribute name="type" type="xs:string" use="required" />
<xs:attribute name="confidence" type="xs:string" use="optional" />
</xs:complexType>
</xs:element>
<xs:sequence>
<xs:element name="identifier" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="url" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1" />
</xs:sequence>
<xs:attribute name="type" type="xs:string" use="required" />
<xs:attribute name="confidence" type="xs:string" use="optional" />
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:sequence>
<xs:element name="suppressedIdentifier" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="url" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1" />
</xs:sequence>
<xs:attribute name="type" type="xs:string" use="required" />
<xs:attribute name="confidence" type="xs:string" use="optional" />
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="vulnerabilities" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="vulnerability" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="cvssScore" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="severity" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="cwe" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="description" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="references" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="reference" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="source" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="url" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="vulnerableSoftware" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="software" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="allPreviousVersion" type="xs:boolean" />
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:sequence>
<xs:element name="vulnerability" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="cvssScore" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="severity" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="cwe" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="description" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="references" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="reference" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="source" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="url" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="vulnerableSoftware" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="software" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="allPreviousVersion" type="xs:boolean" />
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:sequence>
<xs:element name="suppressedVulnerability" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="cvssScore" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="severity" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="cwe" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="description" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="references" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="reference" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="source" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="url" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="vulnerableSoftware" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="software" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="allPreviousVersion" type="xs:boolean" />
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:sequence>
</xs:complexType>
</xs:element>
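Review bot: The new `suppressedVulnerability` element repeats the entire anonymous complexType of `vulnerability` verbatim (name, cvssScore, severity, cwe, description, references, vulnerableSoftware), and `suppressedIdentifier` does the same with `identifier`; two copies of a ~40-line type will drift the first time one of them gains a field. Declaring a named `xs:complexType` for each (for example `vulnerabilityType` and `identifierType` at schema level) and referencing it from both elements via `type="..."` would keep the schema to a single definition per shape. The extra `<xs:sequence>` wrappers nested inside the `identifiers` and `vulnerabilities` sequences are also redundant: a single sequence holding both `maxOccurs="unbounded"` elements validates the same documents.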


@@ -39,15 +39,23 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
var content = "#content" + h.id.substr(6);
var header = "#" + h.id;
$(content).slideToggle("fast");
var exprx = /expandablesubsection/;
var exprx = /expandable\b/;
if (exprx.exec($(header).attr("class"))) {
$(header).addClass("collapsed");
$(header).removeClass("expandable");
} else {
$(header).addClass("expandable");
$(header).removeClass("collapsed");
}
var essrx = /expandablesubsection/;
var cssrx = /collaspablesubsection/;
if (essrx.exec($(header).attr("class"))) {
$(header).addClass("collaspablesubsection");
$(header).removeClass("expandablesubsection");
} else {
} else if (cssrx.exec($(header).attr("class"))) {
$(header).addClass("expandablesubsection");
$(header).removeClass("collaspablesubsection");
}
});
});
@@ -129,6 +137,19 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
#modal-text:focus {
outline: none;
}
.suppressedLabel {
cursor: default;
padding:1px;
background-color: #eeeeee;
border: 1px solid #555555;
color:#555555;
text-decoration:none;
-moz-border-radius: 3px;
-webkit-border-radius: 3px;
-khtml-border-radius: 3px;
-o-border-radius: 3px;
border-radius: 3px;
}
.copybutton {
padding:1px;
background-color: #eeeeee;
@@ -215,24 +236,25 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
.hidden {
display: none;
}
.exandable {}
.expandablesubsection {
.expandable {
cursor: pointer;
/*background-image: url(img/plus.gif);*/
background-image: url(data:image/gif;base64,R0lGODlhDAAMAIABAICAgP///yH5BAEAAAEALAAAAAAMAAwAAAIcjI8Hy22Q1FNwhnpxhW3d2XFWJn2PNiZbyERuAQA7);
background-repeat: no-repeat;
background-position: 98% 50%;
}
.collapsed {
cursor: pointer;
background-image: url(data:image/gif;base64,R0lGODlhDAAMAIABAICAgP///yH5BAEAAAEALAAAAAAMAAwAAAIajI8Hy22Q1IszQHphW3ZuXUUZ1ZXi8zFkUgAAOw==);
background-repeat: no-repeat;
background-position: 98% 50%;
}
.expandablesubsection {
-moz-border-radius-bottomleft:15px; /* bottom left corner */
-webkit-border-bottom-left-radius:15px; /* bottom left corner */
border-bottom-left-radius: 15px;
border-bottom: 1px solid #cccccc;
}
.collaspablesubsection {
cursor: pointer;
/*background-image: url(img/minus.gif);*/
background-image: url(data:image/gif;base64,R0lGODlhDAAMAIABAICAgP///yH5BAEAAAEALAAAAAAMAAwAAAIajI8Hy22Q1IszQHphW3ZuXUUZ1ZXi8zFkUgAAOw==);
background-repeat: no-repeat;
background-position: 98% 50%;
-moz-border-radius-bottomleft:0px; /* bottom left corner */
-webkit-border-bottom-left-radius:0px; /* bottom left corner */
border-bottom-left-radius: 0px;
@@ -244,7 +266,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
border-bottom-left-radius: 0px;
border-bottom: 0px solid #ffffff;
}
.content {
margin-top:0px;
margin-left:20px;
@@ -471,26 +492,38 @@ implied or otherwise, with regard to the analysis or its use. Any use of the too
is at the users risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever
arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.</p>
]]#
<h2 class="">Project:&nbsp;$esc.html($applicationName)</h2>
<h2 class="">Project:&nbsp;$enc.html($applicationName)</h2>
<div class="">
#set($depCount=$dependencies.size())
#set($vulnDepCount=0)
#set($vulnCount=0)
#set($vulnSuppressedCount=0)
#set($cpeSuppressedCount=0)
#foreach($dependency in $dependencies)
#set($depCount=$depCount+$dependency.getRelatedDependencies().size())
#if($dependency.getVulnerabilities().size()>0)
#set($vulnCount=$vulnCount+1)
#set($vulnDepCount=$vulnDepCount+1)
#set($vulnCount=$vulnCount+$dependency.getVulnerabilities().size())
#end
#if($dependency.getSuppressedIdentifiers().size()>0)
#set($cpeSuppressedCount=$cpeSuppressedCount+1)
#end
#if($dependency.getSuppressedVulnerabilities().size()>0)
#set($vulnSuppressedCount=$vulnSuppressedCount+$dependency.getSuppressedVulnerabilities().size())
#end
#end
Scan Information (<a href="#" onclick="toggleDisplay(this, '.scaninfo'); return false;">show all</a>):<br/>
<ul class="indent">
<li><i>dependency-check version</i>: $version</li>
<li><i>Report Generated On</i>: $date</li>
<li><i>Report Generated On</i>: $scanDate</li>
<li><i>Dependencies Scanned</i>:&nbsp;$depCount</li>
<li><i>Vulnerable Dependencies</i>:&nbsp;$vulnCount</li>
<li><i>Vulnerable Dependencies</i>:&nbsp;$vulnDepCount</li>
<li><i>Vulnerabilities Found</i>:&nbsp;$vulnCount</li>
<li><i>Vulnerabilities Suppressed</i>:&nbsp;$vulnSuppressedCount</li>
<li class="scaninfo">...</li>
#foreach($prop in $properties.getMetaData().entrySet())
<li class="scaninfo hidden"><i>$esc.html($prop.key)</i>: $esc.html($prop.value)</li>
<li class="scaninfo hidden"><i>$enc.html($prop.key)</i>: $enc.html($prop.value)</li>
#end
</ul><br/>
Dependency Display:&nbsp;<a href="#" onclick="toggleDisplay(this,'.notvulnerable'); return false;">show all</a><br/><br/>
@@ -499,11 +532,11 @@ arising out of or in connection with the use of this tool, the analysis performe
#foreach($dependency in $dependencies)
#set($lnkcnt=$lnkcnt+1)
<li class="#if($dependency.getVulnerabilities().size()==0)notvulnerable#else vulnerable#end">
<a href="#l${lnkcnt}_$esc.html($esc.url($dependency.Sha1sum))">$esc.html($dependency.FileName)</a>
<a href="#l${lnkcnt}_$enc.html($enc.url($dependency.Sha1sum))">$enc.html($dependency.FileName)</a>
#if($dependency.getRelatedDependencies().size()>0)
<ul>
#foreach($related in $dependency.getRelatedDependencies())
<li>$esc.html($related.FileName)</li>
<li>$enc.html($related.FileName)</li>
#end
</ul>
#end
@@ -516,22 +549,22 @@ arising out of or in connection with the use of this tool, the analysis performe
#set($vsctr=0) ##counter to create unique groups for vulnerable software
#foreach($dependency in $dependencies)
#set($lnkcnt=$lnkcnt+1)
<h3 class="subsectionheader standardsubsection#if($dependency.getVulnerabilities().size()==0) notvulnerable#end"><a name="l${lnkcnt}_$esc.html($dependency.Sha1sum)"></a>$esc.html($dependency.FileName)</h3>
<h3 class="subsectionheader standardsubsection#if($dependency.getVulnerabilities().size()==0) notvulnerable#end"><a name="l${lnkcnt}_$enc.html($dependency.Sha1sum)"></a>$enc.html($dependency.FileName)</h3>
<div class="subsectioncontent#if($dependency.getVulnerabilities().size()==0) notvulnerable#end">
#if ($dependency.description)
<p><b>Description:</b>&nbsp;$esc.html($dependency.description)<br/></p>
<p><b>Description:</b>&nbsp;$enc.html($dependency.description)<br/></p>
#end
<p>
#if ($dependency.license)
#if ($dependency.license.startsWith("http://"))
<b>License:</b><pre class="indent"><a href="$esc.html($dependency.license)">$esc.html($dependency.license)</a></pre>
<b>License:</b><pre class="indent"><a href="$enc.html($dependency.license)">$enc.html($dependency.license)</a></pre>
#else
<b>License:</b><pre class="indent">$esc.html($dependency.license)</pre>
<b>License:</b><pre class="indent">$enc.html($dependency.license)</pre>
#end
#end
<b>File&nbsp;Path:</b>&nbsp;$esc.html($dependency.FilePath)<br/>
<b>MD5:</b>&nbsp;$esc.html($dependency.Md5sum)<br/>
<b>SHA1:</b>&nbsp;$esc.html($dependency.Sha1sum)
<b>File&nbsp;Path:</b>&nbsp;$enc.html($dependency.FilePath)<br/>
<b>MD5:</b>&nbsp;$enc.html($dependency.Md5sum)<br/>
<b>SHA1:</b>&nbsp;$enc.html($dependency.Sha1sum)
</p>
#set($cnt=$cnt+1)
<h4 id="header$cnt" class="subsectionheader expandable expandablesubsection white">Evidence</h4>
@@ -539,7 +572,7 @@ arising out of or in connection with the use of this tool, the analysis performe
<table class="lined fullwidth" border="0">
<tr><th class="left" style="width:10%;">Source</th><th class="left" style="width:20%;">Name</th><th class="left" style="width:70%;">Value</th></tr>
#foreach($evidence in $dependency.getEvidenceUsed())
<tr><td>$esc.html($evidence.getSource())</td><td>$esc.html($evidence.getName())</td><td>$esc.html($evidence.getValue())</td></tr>
<tr><td>$enc.html($evidence.getSource())</td><td>$enc.html($evidence.getName())</td><td>$enc.html($evidence.getValue())</td></tr>
#end
</table>
</div>
@@ -549,18 +582,18 @@ arising out of or in connection with the use of this tool, the analysis performe
<div id="content$cnt" class="subsectioncontent standardsubsection hidden">
<ul>
#foreach($related in $dependency.getRelatedDependencies())
<li>$esc.html($related.FileName)
<li>$enc.html($related.FileName)
<ul>
<li>File Path:&nbsp;$esc.html($related.FilePath)</li>
<li>SHA1:&nbsp;$esc.html($related.Sha1sum)</li>
<li>MD5:&nbsp;$esc.html($related.Md5sum)</li>
<li>File Path:&nbsp;$enc.html($related.FilePath)</li>
<li>SHA1:&nbsp;$enc.html($related.Sha1sum)</li>
<li>MD5:&nbsp;$enc.html($related.Md5sum)</li>
#foreach($id in $related.getIdentifiers())
#if ($id.type=="maven")
#if( $id.url )
##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here...
<li>$esc.html($id.type):&nbsp;<a href="$esc.html($id.url)" target="_blank">$esc.html($id.value)</a>
<li>$enc.html($id.type):&nbsp;<a href="$enc.html($id.url)" target="_blank">$enc.html($id.value)</a>
#else
<li>$esc.html($id.type):&nbsp;$esc.html($id.value)
<li>$enc.html($id.type):&nbsp;$enc.html($id.value)
#end
</li>
#end
@@ -579,7 +612,7 @@ arising out of or in connection with the use of this tool, the analysis performe
#end
#end
<h4 id="header$cnt" class="subsectionheader white">Identifiers</h4>
##:&nbsp;<a href="http://web.nvd.nist.gov/view/vuln/search-results?cpe=$esc.url($cpevalue)" target="_blank">$esc.html($cpevalue)</a></h4>
##:&nbsp;<a href="http://web.nvd.nist.gov/view/vuln/search-results?cpe=$enc.url($cpevalue)" target="_blank">$enc.html($cpevalue)</a></h4>
<div id="content$cnt" class="subsectioncontent standardsubsection">
#if ($dependency.getIdentifiers().size()==0)
<ul><li><b>None</b></li></ul>
@@ -588,19 +621,19 @@ arising out of or in connection with the use of this tool, the analysis performe
#foreach($id in $dependency.getIdentifiers())
#if( $id.url )
##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here...
<li><b>$esc.html($id.type):</b>&nbsp;<a href="$esc.html($id.url)" target="_blank">$esc.html($id.value)</a>
<li><b>$enc.html($id.type):</b>&nbsp;<a href="$enc.html($id.url)" target="_blank">$enc.html($id.value)</a>
#else
<li><b>$esc.html($id.type):</b>&nbsp;$esc.html($id.value)
<li><b>$enc.html($id.type):</b>&nbsp;$enc.html($id.value)
#end
#if ($id.confidence)
&nbsp;&nbsp;<i>Confidence</i>:$id.confidence
#end
#if ($id.type=="cpe")
##yes, we are HTML Encoding into JavaScript... the escape utils don't have a JS Encode and I haven't written one yet
&nbsp;&nbsp;<button class="copybutton" onclick="copyText('$esc.html($dependency.FileNameForJavaScript)', '$esc.html($dependency.Sha1sum)', 'cpe', '$esc.html($id.value)')">suppress</button>
&nbsp;&nbsp;<button class="copybutton" onclick="copyText('$enc.html($dependency.FileNameForJavaScript)', '$enc.html($dependency.Sha1sum)', 'cpe', '$enc.html($id.value)')">suppress</button>
#end
#if ($id.description)
<br/>$esc.html($id.description)
<br/>$enc.html($id.description)
#end
</li>
#end
@@ -613,7 +646,7 @@ arising out of or in connection with the use of this tool, the analysis performe
<div id="content$cnt" class="subsectioncontent standardsubsection">
#foreach($vuln in $dependency.getVulnerabilities())
#set($vsctr=$vsctr+1)
<p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$esc.url($vuln.name)">$esc.html($vuln.name)</a></b>&nbsp;&nbsp;<button class="copybutton" onclick="copyText('$esc.html($dependency.FileNameForJavaScript)', '$esc.html($dependency.Sha1sum)', 'cve', '$esc.html($vuln.name)')">suppress</button></p>
<p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$enc.url($vuln.name)">$enc.html($vuln.name)</a></b>&nbsp;&nbsp;<button class="copybutton" onclick="copyText('$enc.html($dependency.FileNameForJavaScript)', '$enc.html($dependency.Sha1sum)', 'cve', '$enc.html($vuln.name)')">suppress</button></p>
<p>Severity:
#if ($vuln.cvssScore<4.0)
Low
@@ -626,20 +659,20 @@ arising out of or in connection with the use of this tool, the analysis performe
#if ($vuln.cwe)
<br/>CWE: $vuln.cwe
#end</p>
<p>$esc.html($vuln.description)
<p>$enc.html($vuln.description)
#if ($vuln.getReferences().size()>0)
<ul>
#foreach($ref in $vuln.getReferences())
<li>$esc.html($ref.source) - <a target="_blank" href="$esc.html($ref.url)">$ref.name</a></li>
<li>$enc.html($ref.source) - <a target="_blank" href="$enc.html($ref.url)">$ref.name</a></li>
#end
</ul>
#end
</p>
<p>Vulnerable Software &amp; Versions:&nbsp;(<a href="#" onclick="toggleDisplay(this,'.vs$vsctr'); return false;">show all</a>)<ul>
<li class="vs$vsctr"><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/search-results?cpe=$esc.url($vuln.matchedCPE)">$esc.html($vuln.matchedCPE)</a> #if($vuln.hasMatchedAllPreviousCPE()) and all previous versions#end</li>
<li class="vs$vsctr"><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/search-results?cpe=$enc.url($vuln.matchedCPE)">$enc.html($vuln.matchedCPE)</a> #if($vuln.hasMatchedAllPreviousCPE()) and all previous versions#end</li>
<li class="vs$vsctr">...</li>
#foreach($vs in $vuln.getVulnerableSoftware())
<li class="vs$vsctr hidden"><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/search-results?cpe=$esc.url($vs.name)">$esc.html($vs.name)</a> #if($vs.hasPreviousVersion()) and all previous versions#end</li>
<li class="vs$vsctr hidden"><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/search-results?cpe=$enc.url($vs.name)">$enc.html($vs.name)</a> #if($vs.hasPreviousVersion()) and all previous versions#end</li>
#end
</ul></p>
#end
@@ -647,6 +680,138 @@ arising out of or in connection with the use of this tool, the analysis performe
#end
</div>
#end
## BEGIN SUPPRESSED VULNERABILITIES
#if ($vulnSuppressedCount>0 || $cpeSuppressedCount>0)
#set($cnt=$cnt+1)
<h2 id="header$cnt" class="expandable">Suppressed Vulnerabilities</h3>
<div id="content$cnt" class="hidden">
#foreach($dependency in $dependencies)
#if ($dependency.getSuppressedIdentifiers().size()>0 || $dependency.getSuppressedVulnerabilities().size()>0)
#set($lnkcnt=$lnkcnt+1)
<h3 class="subsectionheader standardsubsection">$enc.html($dependency.FileName)</h3>
<div class="subsectioncontent">
#if ($dependency.description)
<p><b>Description:</b>&nbsp;$enc.html($dependency.description)<br/></p>
#end
<p>
#if ($dependency.license)
#if ($dependency.license.startsWith("http://"))
<b>License:</b><pre class="indent"><a href="$enc.html($dependency.license)">$enc.html($dependency.license)</a></pre>
#else
<b>License:</b><pre class="indent">$enc.html($dependency.license)</pre>
#end
#end
<b>File&nbsp;Path:</b>&nbsp;$enc.html($dependency.FilePath)<br/>
<b>MD5:</b>&nbsp;$enc.html($dependency.Md5sum)<br/>
<b>SHA1:</b>&nbsp;$enc.html($dependency.Sha1sum)
</p>
#set($cnt=$cnt+1)
<h4 id="header$cnt" class="subsectionheader expandable expandablesubsection white">Evidence</h4>
<div id="content$cnt" class="subsectioncontent standardsubsection hidden">
<table class="lined fullwidth" border="0">
<tr><th class="left" style="width:10%;">Source</th><th class="left" style="width:20%;">Name</th><th class="left" style="width:70%;">Value</th></tr>
#foreach($evidence in $dependency.getEvidenceUsed())
<tr><td>$enc.html($evidence.getSource())</td><td>$enc.html($evidence.getName())</td><td>$enc.html($evidence.getValue())</td></tr>
#end
</table>
</div>
#if($dependency.getRelatedDependencies().size()>0)
#set($cnt=$cnt+1)
<h4 id="header$cnt" class="subsectionheader expandable expandablesubsection white">Related Dependencies</h4>
<div id="content$cnt" class="subsectioncontent standardsubsection hidden">
<ul>
#foreach($related in $dependency.getRelatedDependencies())
<li>$enc.html($related.FileName)
<ul>
<li>File Path:&nbsp;$enc.html($related.FilePath)</li>
<li>SHA1:&nbsp;$enc.html($related.Sha1sum)</li>
<li>MD5:&nbsp;$enc.html($related.Md5sum)</li>
</ul>
</li>
#end
</ul>
</div>
#end
#set($cnt=$cnt+1)
#set($cpeCount=0)
#foreach($id in $dependency.getSuppressedIdentifiers())
#if($id.type.equals("cpe"))
#set($cpeCount=$cpeCount+1)
#end
#end
<h4 id="header$cnt" class="subsectionheader white">Suppressed Identifiers</h4>
##:&nbsp;<a href="http://web.nvd.nist.gov/view/vuln/search-results?cpe=$enc.url($cpevalue)" target="_blank">$enc.html($cpevalue)</a></h4>
<div id="content$cnt" class="subsectioncontent standardsubsection">
#if ($dependency.getSuppressedIdentifiers().size()==0)
<ul><li><b>None</b></li></ul>
#else ## ($dependency.getSuppressedIdentifiers().size()>0)
<ul>
#foreach($id in $dependency.getSuppressedIdentifiers())
#if( $id.url )
##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here...
<li><b>$enc.html($id.type):</b>&nbsp;<a href="$enc.html($id.url)" target="_blank">$enc.html($id.value)</a>&nbsp;&nbsp;<span class="suppressedLabel" >suppressed</span>
#else
<li><b>$enc.html($id.type):</b>&nbsp;$enc.html($id.value)&nbsp;&nbsp;<span class="suppressedLabel" >suppressed</span>
#end
#if ($id.confidence)
&nbsp;&nbsp;<i>Confidence</i>:$id.confidence
#end
#if ($id.description)
<br/>$enc.html($id.description)
#end
</li>
#end
</ul>
#end
</div>
#if($dependency.getSuppressedVulnerabilities().size()>0)
#set($cnt=$cnt+1)
<h4 id="header$cnt" class="subsectionheader expandable collaspablesubsection white">Suppressed Vulnerabilities</h4>
<div id="content$cnt" class="subsectioncontent standardsubsection">
#foreach($vuln in $dependency.getSuppressedVulnerabilities())
#set($vsctr=$vsctr+1)
<p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$enc.url($vuln.name)">$enc.html($vuln.name)</a></b>&nbsp;&nbsp;<span class="suppressedLabel" >suppressed</span></p>
<p>Severity:
#if ($vuln.cvssScore<4.0)
Low
#elseif ($vuln.cvssScore>=7.0)
High
#else
Medium
#end
<br/>CVSS Score: $vuln.cvssScore
#if ($vuln.cwe)
<br/>CWE: $vuln.cwe
#end</p>
<p>$enc.html($vuln.description)
#if ($vuln.getReferences().size()>0)
<ul>
#foreach($ref in $vuln.getReferences())
<li>$enc.html($ref.source) - <a target="_blank" href="$enc.html($ref.url)">$ref.name</a></li>
#end
</ul>
#end
</p>
<p>Vulnerable Software &amp; Versions:&nbsp;(<a href="#" onclick="toggleDisplay(this,'.vs$vsctr'); return false;">show all</a>)<ul>
<li class="vs$vsctr"><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/search-results?cpe=$enc.url($vuln.matchedCPE)">$enc.html($vuln.matchedCPE)</a> #if($vuln.hasMatchedAllPreviousCPE()) and all previous versions#end</li>
<li class="vs$vsctr">...</li>
#foreach($vs in $vuln.getVulnerableSoftware())
<li class="vs$vsctr hidden"><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/search-results?cpe=$enc.url($vs.name)">$enc.html($vs.name)</a> #if($vs.hasPreviousVersion()) and all previous versions#end</li>
#end
</ul></p>
#end
</div>
#end
</div>
#end
#end
</div>
#end
## END SUPPRESSED VULNERABILITIES
</div>
</div>
<div><br/><br/>This report contains data retrieved from the <a href="nvd.nist.gov">National Vulnerability Database</a>.</div>
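Review bot: The new suppressed-vulnerabilities heading opens with `<h2 id="header$cnt" class="expandable">` but closes with `</h3>`, which emits mismatched tags into the report; it should read `<h2 id="header$cnt" class="expandable">Suppressed Vulnerabilities</h2>`. In the same block, `$cpeCount` is computed in the loop over `getSuppressedIdentifiers()` but never read afterwards in the added lines, and the commented-out `##:&nbsp;<a href=...$cpevalue...` line beneath the "Suppressed Identifiers" header references a `$cpevalue` that is not set anywhere visible, so both look like leftovers from copying the identifiers section. The per-dependency "Suppressed Vulnerabilities" h4 carries `expandable` while its content div is rendered without `hidden`, which, judging from the new `.expandable`/`.collapsed` CSS rules in this commit, presumably shows the expand icon next to already-expanded content — worth confirming in a browser.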


@@ -178,8 +178,8 @@ implied or otherwise, with regard to the analysis or its use. Any use of the too
is at the users risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever
arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.</p>
]]#
<h2 class="sectionheader white">Project:&nbsp;$esc.html($applicationName)</h2>
<div class="sectioncontent">Report Generated On: $date<br/><br/>
<h2 class="sectionheader white">Project:&nbsp;$enc.html($applicationName)</h2>
<div class="sectioncontent">Report Generated On: $scanDate<br/><br/>
#set($depCount=$dependencies.size())
#set($vulnCount=0)
@@ -205,7 +205,7 @@ arising out of or in connection with the use of this tool, the analysis performe
#if($dependency.getVulnerabilities().size()>0)
#foreach($vuln in $dependency.getVulnerabilities())
<tr>
<td><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$esc.url($vuln.name)">$esc.html($vuln.name)</a></td>
<td><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$enc.url($vuln.name)">$enc.html($vuln.name)</a></td>
<td>
#if ($vuln.cwe)
$vuln.cwe
@@ -222,10 +222,10 @@ arising out of or in connection with the use of this tool, the analysis performe
($vuln.cvssScore)
<td>#set($cnt=$cnt+1)
#if($dependency.getRelatedDependencies().size()>0)<span id="header$cnt" class="expandable collapsedList">#end
$esc.html($dependency.FileName)
$enc.html($dependency.FileName)
#if($dependency.getRelatedDependencies().size()>0)&nbsp;&nbsp;&nbsp;</span><div id="content$cnt" class="hidden">#end
#foreach($related in $dependency.getRelatedDependencies())
$esc.html($related.FileName)<br/>
$enc.html($related.FileName)<br/>
#end
#if($dependency.getRelatedDependencies().size()>0)</div#end
</td>
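Review bot: The line `#if($dependency.getRelatedDependencies().size()>0)</div#end` emits `</div` with no closing `>`, so the related-dependencies container opened two lines above is never properly closed in the generated HTML; the commit leaves this untouched although it rewrites the neighbouring lines. It should be `#if($dependency.getRelatedDependencies().size()>0)</div>#end`. The enclosing table row continues outside the hunk.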


@@ -18,47 +18,47 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
@author Jeremy Long <jeremy.long@owasp.org>
@version 1.1
*#<?xml version="1.0"?>
<analysis xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check#1.1">
<analysis xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check#1.2">
<scanInfo>
<engineVersion>$version</engineVersion>
#foreach($prop in $properties.getMetaData().entrySet())
<dataSource>
<name>$esc.xml($prop.key)</name>
<timestamp>$esc.xml($prop.value)</timestamp>
<name>$enc.xml($prop.key)</name>
<timestamp>$enc.xml($prop.value)</timestamp>
</dataSource>
#end
</scanInfo>
<projectInfo>
<name>$esc.xml($applicationName)</name>
<reportDate>$date</reportDate>
<name>$enc.xml($applicationName)</name>
<reportDate>$scanDateXML</reportDate>
<credits>This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov</credits>
</projectInfo>
<dependencies>
#foreach($dependency in $dependencies)
<dependency>
<fileName>$esc.xml($dependency.FileName)</fileName>
<filePath>$esc.xml($dependency.FilePath)</filePath>
<md5>$esc.xml($dependency.Md5sum)</md5>
<sha1>$esc.xml($dependency.Sha1sum)</sha1>
<fileName>$enc.xml($dependency.FileName)</fileName>
<filePath>$enc.xml($dependency.FilePath)</filePath>
<md5>$enc.xml($dependency.Md5sum)</md5>
<sha1>$enc.xml($dependency.Sha1sum)</sha1>
#if ($dependency.description)
<description>$esc.xml($dependency.description)</description>
<description>$enc.xml($dependency.description)</description>
#end
#if ($dependency.license)
<license>$esc.xml($dependency.license)</license>
<license>$enc.xml($dependency.license)</license>
#end
#if ($dependency.getRelatedDependencies().size()>0)
<relatedDependencies>
#foreach($related in $dependency.getRelatedDependencies())
<relatedDependency>
<filePath>$esc.xml($related.FilePath)</filePath>
<sha1>$esc.xml($related.Sha1sum)</sha1>
<md5>$esc.xml($related.Md5sum)</md5>
<filePath>$enc.xml($related.FilePath)</filePath>
<sha1>$enc.xml($related.Sha1sum)</sha1>
<md5>$enc.xml($related.Md5sum)</md5>
#foreach($id in $related.getIdentifiers())
#if ($id.type=="maven")
<identifier type="$esc.xml($id.type)">
<identifier type="$enc.xml($id.type)">
<name>($id.value)</name>
#if( $id.url )
<url>$esc.xml($id.url)</url>
<url>$enc.xml($id.url)</url>
#end
</identifier>
#end
@@ -70,32 +70,43 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<evidenceCollected>
#foreach($evidence in $dependency.getEvidenceUsed())
<evidence>
<source>$esc.xml($evidence.getSource())</source>
<name>$esc.xml($evidence.getName())</name>
<value>$esc.xml($evidence.getValue().trim())</value>
<source>$enc.xml($evidence.getSource())</source>
<name>$enc.xml($evidence.getName())</name>
<value>$enc.xml($evidence.getValue().trim())</value>
</evidence>
#end
</evidenceCollected>
#if($dependency.getIdentifiers().size()>0)
<identifiers>
#foreach($id in $dependency.getIdentifiers())
<identifier type="$esc.xml($id.type)" #if($id.confidence)confidence="$id.confidence"#end>
<identifier type="$enc.xml($id.type)" #if($id.confidence)confidence="$id.confidence"#end>
<name>($id.value)</name>
#if( $id.url )
<url>$esc.xml($id.url)</url>
<url>$enc.xml($id.url)</url>
#end
#if( $id.description )
<description>$esc.xml($id.description)</description>
<description>$enc.xml($id.description)</description>
#end
</identifier>
#end
#foreach($id in $dependency.getSuppressedIdentifiers())
<suppressedIdentifier type="$enc.xml($id.type)" #if($id.confidence)confidence="$id.confidence"#end>
<name>($id.value)</name>
#if( $id.url )
<url>$enc.xml($id.url)</url>
#end
#if( $id.description )
<description>$enc.xml($id.description)</description>
#end
</suppressedIdentifier>
#end
</identifiers>
#end
#if($dependency.getVulnerabilities().size()>0)
#if($dependency.getVulnerabilities().size()>0 || $dependency.getSuppressedVulnerabilities().size()>0)
<vulnerabilities>
#foreach($vuln in $dependency.getVulnerabilities())
<vulnerability>
<name>$esc.xml($vuln.name)</name>
<name>$enc.xml($vuln.name)</name>
<cvssScore>$vuln.cvssScore</cvssScore>
#if ($vuln.cvssScore<4.0)
<severity>Low</severity>
@@ -105,24 +116,55 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<severity>Medium</severity>
#end
#if ($vuln.cwe)
<cwe>$esc.xml($vuln.cwe)</cwe>
<cwe>$enc.xml($vuln.cwe)</cwe>
#end
<description>$esc.xml($vuln.description)</description>
<description>$enc.xml($vuln.description)</description>
<references>
#foreach($ref in $vuln.getReferences())
<reference>
<source>$esc.xml($ref.source)</source>
<url>$esc.xml($ref.url)</url>
<name>$esc.xml($ref.name)</name>
<source>$enc.xml($ref.source)</source>
<url>$enc.xml($ref.url)</url>
<name>$enc.xml($ref.name)</name>
</reference>
#end
</references>
<vulnerableSoftware>
#foreach($vs in $vuln.getVulnerableSoftware())
<software#if($vs.hasPreviousVersion()) allPreviousVersion="true"#end>$esc.xml($vs.name)</software>
<software#if($vs.hasPreviousVersion()) allPreviousVersion="true"#end>$enc.xml($vs.name)</software>
#end
</vulnerableSoftware>
</vulnerability>
#end
#foreach($vuln in $dependency.getSuppressedVulnerabilities())
<suppressedVulnerability>
<name>$enc.xml($vuln.name)</name>
<cvssScore>$vuln.cvssScore</cvssScore>
#if ($vuln.cvssScore<4.0)
<severity>Low</severity>
#elseif ($vuln.cvssScore>=7.0)
<severity>High</severity>
#else
<severity>Medium</severity>
#end
#if ($vuln.cwe)
<cwe>$enc.xml($vuln.cwe)</cwe>
#end
<description>$enc.xml($vuln.description)</description>
<references>
#foreach($ref in $vuln.getReferences())
<reference>
<source>$enc.xml($ref.source)</source>
<url>$enc.xml($ref.url)</url>
<name>$enc.xml($ref.name)</name>
</reference>
#end
</references>
<vulnerableSoftware>
#foreach($vs in $vuln.getVulnerableSoftware())
<software#if($vs.hasPreviousVersion()) allPreviousVersion="true"#end>$enc.xml($vs.name)</software>
#end
</vulnerableSoftware>
</suppressedVulnerability>
#end
</vulnerabilities>
#end


@@ -0,0 +1,37 @@
/*
* Copyright 2014 OWASP.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.owasp.dependencycheck;
import org.junit.AfterClass;
import org.junit.BeforeClass;
import org.owasp.dependencycheck.utils.Settings;
/**
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class BaseTest {
@BeforeClass
public static void setUpClass() throws Exception {
Settings.initialize();
}
@AfterClass
public static void tearDownClass() throws Exception {
Settings.cleanup();
}
}
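Review bot: The class Javadoc on BaseTest carries only an @author tag, yet every test in this commit now inherits from it and depends on what it guarantees. A one-paragraph class comment would say it: `Base fixture for dependency-check tests: calls Settings.initialize() once per test class and Settings.cleanup() after the last test; Settings appears to be static state shared by all tests in the JVM, so a subclass that changes a value with Settings.setXxx must restore it itself.` The two lifecycle methods deserve one-line Javadoc too (`Loads the default settings before any test in the class runs.` and `Releases the settings after the last test in the class has run.`). Whether Settings is truly global is inferred from the static calls here and in the other tests, so confirm before stating it.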


@@ -18,10 +18,8 @@
package org.owasp.dependencycheck;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
@@ -33,15 +31,7 @@ import org.owasp.dependencycheck.utils.Settings;
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class EngineIntegrationTest {
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
public class EngineIntegrationTest extends BaseTest {
@Before
public void setUp() throws Exception {
@@ -80,7 +70,10 @@ public class EngineIntegrationTest {
@Test
public void testEngine() throws Exception {
String testClasses = "target/test-classes";
// boolean autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
// Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Engine instance = new Engine();
// Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
instance.scan(testClasses);
assertTrue(instance.getDependencies().size() > 0);
instance.analyzeDependencies();
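Review bot: The three commented-out lines around `new Engine()` (saving, clearing and restoring AUTO_UPDATE) are dead code introduced by this hunk; either delete them or make them live, as ReportGeneratorIntegrationTest does in this same commit where the identical three lines are active. If the intent is that this integration test really should run the NVD update, a comment saying so is more useful than disabled code: `// auto-update deliberately left enabled: this test exercises the full engine, including the NVD download`. testEngine continues past the end of the hunk, so a later restore of the flag, if any, is not visible here.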


@@ -18,38 +18,16 @@
package org.owasp.dependencycheck.analyzer;
import java.util.Set;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
/**
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class AbstractFileTypeAnalyzerTest {
public AbstractFileTypeAnalyzerTest() {
}
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
public class AbstractFileTypeAnalyzerTest extends BaseTest {
/**
* Test of newHashSet method, of class AbstractAnalyzer.


@@ -23,13 +23,11 @@ import java.util.List;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNull;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Dependency;
@@ -40,21 +38,10 @@ import org.owasp.dependencycheck.utils.Settings;
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class AbstractSuppressionAnalyzerTest {
public AbstractSuppressionAnalyzerTest() {
}
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
public class AbstractSuppressionAnalyzerTest extends BaseTest {
@Before
public void setUp() {
public void setUp() throws Exception {
try {
final String uri = this.getClass().getClassLoader().getResource("suppressions.xml").toURI().toURL().toString();
Settings.setString(Settings.KEYS.SUPPRESSION_FILE, uri);
@@ -65,10 +52,6 @@ public class AbstractSuppressionAnalyzerTest {
}
}
@After
public void tearDown() {
}
/**
* Test of getSupportedExtensions method, of class AbstractSuppressionAnalyzer.
*/


@@ -18,44 +18,22 @@
package org.owasp.dependencycheck.analyzer;
import java.util.Iterator;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
/**
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class AnalyzerServiceTest {
public AnalyzerServiceTest() {
}
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
public class AnalyzerServiceTest extends BaseTest {
/**
* Test of getAnalyzers method, of class AnalyzerService.
*/
@Test
public void testGetAnalyzers() {
AnalyzerService instance = AnalyzerService.getInstance();
AnalyzerService instance = new AnalyzerService(Thread.currentThread().getContextClassLoader());
Iterator<Analyzer> result = instance.getAnalyzers();
boolean found = false;


@@ -20,10 +20,8 @@ package org.owasp.dependencycheck.analyzer;
import java.io.File;
import java.util.HashSet;
import java.util.Set;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import org.junit.Test;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
@@ -34,30 +32,7 @@ import org.owasp.dependencycheck.utils.Settings;
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class ArchiveAnalyzerTest extends AbstractDatabaseTestCase {
public ArchiveAnalyzerTest() {
}
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
@Before
@Override
public void setUp() throws Exception {
super.setUp();
}
@After
@Override
public void tearDown() throws Exception {
super.tearDown();
}
public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
/**
* Test of getSupportedExtensions method, of class ArchiveAnalyzer.
@@ -69,6 +44,9 @@ public class ArchiveAnalyzerTest extends AbstractDatabaseTestCase {
expResult.add("zip");
expResult.add("war");
expResult.add("ear");
expResult.add("jar");
expResult.add("sar");
expResult.add("apk");
expResult.add("nupkg");
expResult.add("tar");
expResult.add("gz");


@@ -17,19 +17,18 @@
*/
package org.owasp.dependencycheck.analyzer;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import static org.junit.Assume.assumeFalse;
import java.io.File;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.junit.After;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import org.junit.Assume;
import static org.junit.Assume.assumeFalse;
import org.junit.Before;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
@@ -42,7 +41,7 @@ import org.owasp.dependencycheck.utils.Settings;
* @author colezlaw
*
*/
public class AssemblyAnalyzerTest {
public class AssemblyAnalyzerTest extends BaseTest {
private static final Logger LOGGER = Logger.getLogger(AssemblyAnalyzerTest.class.getName());
@@ -54,13 +53,17 @@ public class AssemblyAnalyzerTest {
* @throws Exception if anything goes sideways
*/
@Before
public void setUp() {
public void setUp() throws Exception {
try {
analyzer = new AssemblyAnalyzer();
analyzer.supportsExtension("dll");
analyzer.initialize();
} catch (Exception e) {
LOGGER.log(Level.WARNING, "Exception setting up AssemblyAnalyzer. Tests will be incomplete", e);
if (e.getMessage().contains("Could not execute .NET AssemblyAnalyzer")) {
LOGGER.log(Level.WARNING, "Exception setting up AssemblyAnalyzer. Tests will be incomplete");
} else {
LOGGER.log(Level.WARNING, "Exception setting up AssemblyAnalyzer. Tests will be incomplete", e);
}
Assume.assumeNoException("Is mono installed? TESTS WILL BE INCOMPLETE", e);
}
}
@@ -85,7 +88,7 @@ public class AssemblyAnalyzerTest {
}
}
assertTrue(foundVendor);
boolean foundProduct = false;
for (Evidence e : d.getProductEvidence().getEvidence("grokassembly", "product")) {
if ("GrokAssembly".equals(e.getValue())) {
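Review bot: `e.getMessage().contains("Could not execute .NET AssemblyAnalyzer")` in the new catch block throws NullPointerException when the caught exception carries no message, and that NPE escapes setUp before `Assume.assumeNoException` can turn the missing-mono case into a skipped test. Guard the lookup: `if (e.getMessage() != null && e.getMessage().contains("Could not execute .NET AssemblyAnalyzer")) {`. The static import of `assumeFalse` is kept alongside the new `org.junit.Assume` import; if nothing outside this hunk still calls it, drop it. The rest of the class, including the test bodies, lies outside the hunk.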


@@ -24,11 +24,7 @@ import java.util.List;
import java.util.Set;
import org.apache.lucene.index.CorruptIndexException;
import org.apache.lucene.queryparser.classic.ParseException;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
import org.owasp.dependencycheck.data.cpe.IndexEntry;
@@ -39,27 +35,7 @@ import org.owasp.dependencycheck.dependency.Identifier;
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class CPEAnalyzerTest extends AbstractDatabaseTestCase {
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
@Before
@Override
public void setUp() throws Exception {
super.setUp();
}
@After
@Override
public void tearDown() throws Exception {
super.tearDown();
}
public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
/**
* Tests of buildSearch of class CPEAnalyzer.


@@ -17,38 +17,16 @@
*/
package org.owasp.dependencycheck.analyzer;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertEquals;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.dependency.Dependency;
/**
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class DependencyBundlingAnalyzerTest {
public DependencyBundlingAnalyzerTest() {
}
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
public class DependencyBundlingAnalyzerTest extends BaseTest {
/**
* Test of getName method, of class DependencyBundlingAnalyzer.


@@ -15,12 +15,8 @@
*/
package org.owasp.dependencycheck.analyzer;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.dependency.Dependency;
@@ -31,25 +27,6 @@ import org.owasp.dependencycheck.dependency.Dependency;
*/
public class FalsePositiveAnalyzerTest {
public FalsePositiveAnalyzerTest() {
}
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
/**
* Test of getName method, of class FalsePositiveAnalyzer.
*/
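Review bot: FalsePositiveAnalyzerTest loses its lifecycle stubs but, unlike every other test touched by this commit, is not changed to `extends BaseTest`, so Settings.initialize() never runs for it. The file imports `org.owasp.dependencycheck.Engine`, and constructing an Engine is exactly what the other tests guard with initialized settings; if any test method below the hunk builds an Engine, it will run against whatever Settings state an earlier test class left behind. Suggest `public class FalsePositiveAnalyzerTest extends BaseTest {` for consistency; FileNameAnalyzerTest is in the same position, though it imports only Dependency and may not need it.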


@@ -18,12 +18,8 @@
package org.owasp.dependencycheck.analyzer;
import java.io.File;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.dependency.Dependency;
@@ -33,25 +29,6 @@ import org.owasp.dependencycheck.dependency.Dependency;
*/
public class FileNameAnalyzerTest {
public FileNameAnalyzerTest() {
}
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
/**
* Test of getName method, of class FileNameAnalyzer.
*/


@@ -0,0 +1,114 @@
/*
* Copyright 2014 OWASP.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.owasp.dependencycheck.analyzer;
import java.io.File;
import java.util.Set;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
import org.owasp.dependencycheck.utils.Settings;
/**
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class HintAnalyzerTest extends BaseTest {
@Before
public void setUp() throws Exception {
org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase.ensureDBExists();
}
/**
* Test of getName method, of class HintAnalyzer.
*/
@Test
public void testGetName() {
HintAnalyzer instance = new HintAnalyzer();
String expResult = "Hint Analyzer";
String result = instance.getName();
assertEquals(expResult, result);
}
/**
* Test of getAnalysisPhase method, of class HintAnalyzer.
*/
@Test
public void testGetAnalysisPhase() {
HintAnalyzer instance = new HintAnalyzer();
AnalysisPhase expResult = AnalysisPhase.PRE_IDENTIFIER_ANALYSIS;
AnalysisPhase result = instance.getAnalysisPhase();
assertEquals(expResult, result);
}
/**
* Test of analyze method, of class HintAnalyzer.
*/
@Test
public void testAnalyze() throws Exception {
HintAnalyzer instance = new HintAnalyzer();
File guice = new File(this.getClass().getClassLoader().getResource("guice-3.0.jar").getPath());
//Dependency guice = new Dependency(fileg);
File spring = new File(this.getClass().getClassLoader().getResource("spring-core-3.0.0.RELEASE.jar").getPath());
//Dependency spring = new Dependency(files);
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
Engine engine = new Engine();
engine.scan(guice);
engine.scan(spring);
engine.analyzeDependencies();
Dependency gdep = null;
Dependency sdep = null;
for (Dependency d : engine.getDependencies()) {
if (d.getActualFile().equals(guice)) {
gdep = d;
} else {
sdep = d;
}
}
final Evidence springTest1 = new Evidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH);
final Evidence springTest2 = new Evidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGH);
final Evidence springTest3 = new Evidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
final Evidence springTest4 = new Evidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH);
final Evidence springTest5 = new Evidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
Set<Evidence> evidence = gdep.getEvidence().getEvidence();
assertFalse(evidence.contains(springTest1));
assertFalse(evidence.contains(springTest2));
assertFalse(evidence.contains(springTest3));
assertFalse(evidence.contains(springTest4));
assertFalse(evidence.contains(springTest5));
evidence = sdep.getEvidence().getEvidence();
assertTrue(evidence.contains(springTest1));
assertTrue(evidence.contains(springTest2));
assertTrue(evidence.contains(springTest3));
//assertTrue(evidence.contains(springTest4));
//assertTrue(evidence.contains(springTest5));
}
}
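Review bot: testAnalyze sets AUTO_UPDATE and ANALYZER_NEXUS_ENABLED to false on the shared Settings and never restores them, so the values leak into every test class that runs later in the same JVM; ReportGeneratorIntegrationTest in this same commit saves and restores AUTO_UPDATE for exactly this reason. Capture the previous values in setUp and put them back in an @After, as below. Separately, `gdep` and `sdep` stay null if the engine did not pick up a jar, and the failure then surfaces as a NullPointerException at `gdep.getEvidence()` rather than an assertion; add `assertNotNull(gdep); assertNotNull(sdep);` before they are used. The commented-out lines (`//Dependency guice = new Dependency(fileg);`, `//assertTrue(evidence.contains(springTest4));`) should be removed or turned into live assertions.
```java
private boolean autoUpdate;
private boolean nexusEnabled;

@Before
public void setUp() throws Exception {
    org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase.ensureDBExists();
    autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
    nexusEnabled = Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED);
}

@After
public void tearDown() throws Exception {
    Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
    Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusEnabled);
}
// … unchanged: testGetName, testGetAnalysisPhase, testAnalyze …
```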


@@ -21,13 +21,10 @@ import java.io.File;
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
@@ -35,26 +32,7 @@ import org.owasp.dependencycheck.dependency.Evidence;
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class JarAnalyzerTest {
public JarAnalyzerTest() {
}
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
public class JarAnalyzerTest extends BaseTest {
/**
* Test of inspect method, of class JarAnalyzer.


@@ -20,12 +20,9 @@ package org.owasp.dependencycheck.analyzer;
import java.io.File;
import java.util.HashSet;
import java.util.Set;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertEquals;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.dependency.Dependency;
@@ -33,26 +30,7 @@ import org.owasp.dependencycheck.dependency.Dependency;
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class JavaScriptAnalyzerTest {
public JavaScriptAnalyzerTest() {
}
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
public class JavaScriptAnalyzerTest extends BaseTest {
/**
* Test of getSupportedExtensions method, of class JavaScriptAnalyzer.


@@ -22,13 +22,14 @@ import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
public class NuspecAnalyzerTest {
public class NuspecAnalyzerTest extends BaseTest {
private NuspecAnalyzer instance;
@Before
public void setUp() {
public void setUp() throws Exception {
instance = new NuspecAnalyzer();
instance.setEnabled(true);
}


@@ -18,10 +18,8 @@
package org.owasp.dependencycheck.analyzer;
import java.io.File;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import org.junit.Test;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
@@ -33,38 +31,7 @@ import org.owasp.dependencycheck.utils.Settings;
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class VulnerabilitySuppressionAnalyzerTest extends AbstractDatabaseTestCase {
public VulnerabilitySuppressionAnalyzerTest() {
}
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
private boolean update = true;
private boolean nexus = false;
@Before
@Override
public void setUp() throws Exception {
super.setUp();
update = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
nexus = Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED);
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
}
@After
@Override
public void tearDown() throws Exception {
super.tearDown();
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, update);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexus);
}
public class VulnerabilitySuppressionAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
/**
* Test of getName method, of class VulnerabilitySuppressionAnalyzer.
@@ -83,7 +50,7 @@ public class VulnerabilitySuppressionAnalyzerTest extends AbstractDatabaseTestCa
@Test
public void testGetAnalysisPhase() {
VulnerabilitySuppressionAnalyzer instance = new VulnerabilitySuppressionAnalyzer();
AnalysisPhase expResult = AnalysisPhase.POST_FINDING_ANALYSIS;;
AnalysisPhase expResult = AnalysisPhase.POST_FINDING_ANALYSIS;
AnalysisPhase result = instance.getAnalysisPhase();
assertEquals(expResult, result);
}
@@ -96,7 +63,7 @@ public class VulnerabilitySuppressionAnalyzerTest extends AbstractDatabaseTestCa
File file = new File(this.getClass().getClassLoader().getResource("FileHelpers.2.0.0.0.nupkg").getPath());
File suppression = new File(this.getClass().getClassLoader().getResource("FileHelpers.2.0.0.0.suppression.xml").getPath());
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Engine engine = new Engine();
engine.scan(file);
engine.analyzeDependencies();
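Review bot: The deleted setUp/tearDown pair saved AUTO_UPDATE and ANALYZER_NEXUS_ENABLED, disabled both, and restored them afterwards; on the new side only the pre-existing inline `Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false)` before `new Engine()` remains, nothing restores it, and the Nexus analyzer is no longer disabled at all. That leaves a false AUTO_UPDATE in the shared Settings for whichever tests run next and reintroduces a network dependency on Nexus for this test. Either keep the save/restore pair in @Before/@After or at minimum restore in a finally: `try { engine = new Engine(); } finally { Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate); }`, mirroring ReportGeneratorIntegrationTest in this commit. The test method continues past the hunk.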


@@ -17,11 +17,8 @@
*/
package org.owasp.dependencycheck.data.cpe;
import junit.framework.TestCase;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase;
/**
@@ -30,26 +27,11 @@ import org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase;
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public abstract class AbstractDatabaseTestCase extends TestCase {
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
public abstract class AbstractDatabaseTestCase extends BaseTest {
@Before
@Override
public void setUp() throws Exception {
BaseDBTestCase.ensureDBExists();
super.setUp();
}
@After
@Override
public void tearDown() throws Exception {
super.tearDown();
}
}
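Review bot: The rendered new side still shows `@Override` on setUp and a trailing `super.setUp()`, but BaseTest as added in this commit declares only the static setUpClass/tearDownClass, so if those two lines survive the switch from junit.framework.TestCase they will not compile against the new superclass; the BaseDBTestCase section of this same commit drops both when making the identical change. If they were in fact removed and only the rendering prints them, disregard this. Either way the abstract class would benefit from a one-line Javadoc: `Base class for tests that need a populated CVE database; BaseDBTestCase.ensureDBExists() runs before each test.`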


@@ -69,6 +69,8 @@ public class TokenPairConcatenatingFilterTest extends BaseTokenStreamTestCase {
/**
* Test of clear method, of class TokenPairConcatenatingFilter.
*
* @throws java.io.IOException
*/
@Test
public void testClear() throws IOException {


@@ -17,19 +17,18 @@
*/
package org.owasp.dependencycheck.data.nexus;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import java.io.FileNotFoundException;
import java.net.URL;
import java.util.logging.Logger;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import org.junit.Assume;
import org.junit.Before;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.utils.Settings;
public class NexusSearchTest {
public class NexusSearchTest extends BaseTest {
private static final Logger LOGGER = Logger.getLogger(NexusSearchTest.class.getName());
private NexusSearch searcher;


@@ -17,21 +17,23 @@
*/
package org.owasp.dependencycheck.data.nuget;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.PrintStream;
import static org.junit.Assert.assertEquals;
import org.junit.Test;
import static org.junit.Assert.*;
import org.owasp.dependencycheck.BaseTest;
/**
*
*
* @author colezlaw
*
*/
public class XPathNuspecParserTest {
public class XPathNuspecParserTest extends BaseTest {
/**
* Test all the valid components.
*
*
* @throws Exception if anything goes sideways.
*/
@Test
@@ -46,25 +48,30 @@ public class XPathNuspecParserTest {
assertEquals("Apache Software Foundation", np.getOwners());
assertEquals("http://logging.apache.org/log4net/license.html", np.getLicenseUrl());
}
/**
* Expect a NuspecParseException when what we pass isn't even XML.
*
*
* @throws Exception we expect this.
*/
@Test(expected=NuspecParseException.class)
@Test(expected = NuspecParseException.class)
public void testMissingDocument() throws Exception {
NuspecParser parser = new XPathNuspecParser();
InputStream is = XPathNuspecParserTest.class.getClassLoader().getResourceAsStream("dependencycheck.properties");
//hide the fatal message from the core parser
final ByteArrayOutputStream myOut = new ByteArrayOutputStream();
System.setErr(new PrintStream(myOut));
NugetPackage np = parser.parse(is);
}
/**
* Expect a NuspecParseException when it's valid XML, but not a Nuspec.
*
*
* @throws Exception we expect this.
*/
@Test(expected=NuspecParseException.class)
@Test(expected = NuspecParseException.class)
public void testNotNuspec() throws Exception {
NuspecParser parser = new XPathNuspecParser();
InputStream is = XPathNuspecParserTest.class.getClassLoader().getResourceAsStream("suppressions.xml");
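Review bot: testMissingDocument replaces `System.err` with a throwaway buffer and never restores it, and because the test exits through the expected NuspecParseException there is no statement after `parser.parse(is)` where it could; every later test in the JVM then writes its stderr into that discarded buffer. Save the original stream and restore it in a finally block, as below. `import static org.junit.Assert.*;` swaps the explicit assertEquals import for a wildcard; the other tests in this commit import assertions individually, so keep that style.
```java
final PrintStream originalErr = System.err;
System.setErr(new PrintStream(myOut));
try {
    parser.parse(is);
} finally {
    System.setErr(originalErr);
}
```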


@@ -26,20 +26,20 @@ import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import junit.framework.TestCase;
import org.junit.Before;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.utils.Settings;
/**
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public abstract class BaseDBTestCase extends TestCase {
public abstract class BaseDBTestCase extends BaseTest {
protected final static int BUFFER_SIZE = 2048;
@Override
protected void setUp() throws Exception {
super.setUp();
@Before
public void setUp() throws Exception {
ensureDBExists();
}


@@ -19,10 +19,7 @@ package org.owasp.dependencycheck.data.nvdcve;
import java.util.List;
import java.util.Set;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import static org.junit.Assert.assertTrue;
import org.junit.Test;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
@@ -30,27 +27,7 @@ import org.owasp.dependencycheck.dependency.VulnerableSoftware;
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class CveDBTest extends BaseDBTestCase {
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
@Before
@Override
public void setUp() throws Exception {
super.setUp();
}
@After
@Override
public void tearDown() throws Exception {
super.tearDown();
}
public class CveDBIntegrationTest extends BaseDBTestCase {
/**
* Pretty useless tests of open, commit, and close methods, of class CveDB.


@@ -18,10 +18,8 @@
package org.owasp.dependencycheck.data.nvdcve;
import java.util.Properties;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import org.junit.Test;
import org.owasp.dependencycheck.data.update.NvdCveInfo;
@@ -29,27 +27,7 @@ import org.owasp.dependencycheck.data.update.NvdCveInfo;
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class DatabasePropertiesTest extends BaseDBTestCase {
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
@Before
@Override
public void setUp() throws Exception {
super.setUp();
}
@After
@Override
public void tearDown() throws Exception {
super.tearDown();
}
public class DatabasePropertiesIntegrationTest extends BaseDBTestCase {
/**
* Test of isEmpty method, of class DatabaseProperties.


@@ -17,38 +17,16 @@
*/
package org.owasp.dependencycheck.data.update;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertEquals;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
/**
* Rigorous test of setters/getters.
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class NvdCveInfoTest {
public NvdCveInfoTest() {
}
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
public class NvdCveInfoTest extends BaseTest {
/**
* Test of setId and getId method, of class NvdCveInfo.


@@ -17,36 +17,14 @@
*/
package org.owasp.dependencycheck.data.update;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
/**
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class NvdCveUpdaterIntegrationTest {
public NvdCveUpdaterIntegrationTest() {
}
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
public class NvdCveUpdaterIntegrationTest extends BaseTest {
/**
* Test of update method, of class NvdCveUpdater.


@@ -19,13 +19,10 @@ package org.owasp.dependencycheck.data.update;
import java.net.MalformedURLException;
import java.util.Calendar;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.owasp.dependencycheck.utils.DownloadFailedException;
@@ -33,26 +30,7 @@ import org.owasp.dependencycheck.utils.DownloadFailedException;
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class StandardUpdateIntegrationTest {
public StandardUpdateIntegrationTest() {
}
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
public class StandardUpdateIntegrationTest extends BaseTest {
public StandardUpdate getStandardUpdateTask() throws MalformedURLException, DownloadFailedException, UpdateException {
StandardUpdate instance = new StandardUpdate();


@@ -20,40 +20,18 @@ package org.owasp.dependencycheck.data.update;
import java.io.File;
import java.io.IOException;
import java.net.MalformedURLException;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.utils.DownloadFailedException;
/**
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class UpdateableNvdCveTest {
public UpdateableNvdCveTest() {
}
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
public class UpdateableNvdCveTest extends BaseTest {
/**
* Test of isUpdateNeeded method, of class UpdateableNvdCve.


@@ -24,35 +24,23 @@ import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import org.owasp.dependencycheck.utils.Settings;
/**
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class ReportGeneratorTest {
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
public class ReportGeneratorIntegrationTest extends BaseTest {
@Before
public void setUp() {
}
@After
public void tearDown() {
public void setUp() throws Exception {
org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase.ensureDBExists();
}
/**
@@ -136,7 +124,11 @@ public class ReportGeneratorTest {
File axis = new File(this.getClass().getClassLoader().getResource("axis2-adb-1.4.1.jar").getPath());
File jetty = new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath());
boolean autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Engine engine = new Engine();
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
engine.scan(struts);
engine.scan(axis);
engine.scan(jetty);
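Review bot: The new AUTO_UPDATE save/restore around `new Engine()` is the right idea but is not exception-safe: if the constructor throws, the restore line is skipped and the flag stays false in the shared Settings for every later test. Wrap the construction: `Engine engine; try { engine = new Engine(); } finally { Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate); }`. The enclosing test method continues past the end of the hunk.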
