Jeremy Long
0badbfc4a0 version 1.2.3
Former-commit-id: c355adf9813220c4b3dac3450e80a83a245209a6
2014-06-28 06:06:33 -04:00
Jeremy Long
e042148c62 Merge branch 'colezlaw-master'
Former-commit-id: 5654a0e5cd8b8524ac317a55a2af5a52408bc8ca
2014-06-26 20:33:45 -04:00
Jeremy Long
d8ba04ae7f Merge branch 'master' of github.com:colezlaw/DependencyCheck into colezlaw-master
Former-commit-id: 27bac793e5284df49c0804361c07d4ef559cb251
2014-06-26 20:33:35 -04:00
Jeremy Long
314d5fdad2 Merge branch 'colezlaw-suppression-fix'
Former-commit-id: 1e7d9df774347ea043fef8ef3f5d6ca4aebaa15a
2014-06-26 20:32:07 -04:00
Will Stranathan
5c874cafd1 Fixed suppression analyzer to load from input stream fixing failure
Former-commit-id: 4e6f8d7fddcf7ed26ad60b7aa8bc3a6b22ae19cc
2014-06-26 15:14:55 -04:00
Will Stranathan
8cafc14d09 Updated to 1.1 of GrokAssembly.exe to deal with exceptions
Former-commit-id: 8c1d6ad04e378f2a19e2fcdc9ebc1eab12be9aef
2014-06-24 10:16:53 -04:00
Jeremy Long
25ac5033fc snapshot version 1.2.3
Former-commit-id: 58f96e7ef71987a53626287f95b332f04b60a6f6
2014-06-22 21:33:58 -04:00
Jeremy Long
848be0db6c version 1.2.2
Former-commit-id: 8da06e1a2f4b41bccc22105d7bc758442bb14e57
2014-06-22 21:31:58 -04:00
Jeremy Long
0f9da0731e updated text
Former-commit-id: 7749b9ec6b0ce9502e1c7129bdec902ce5b43595
2014-06-22 21:22:32 -04:00
Jeremy Long
8bc2364cce added site information to the dependency-check utils
Former-commit-id: 7d8c4c3c2b98e0d492f4447e5f1dc1f071a2241a
2014-06-22 19:56:14 -04:00
Jeremy Long
b64916ce3f added file analyzer documentation
Former-commit-id: c0c29021cd1197f26942ff36c8b63220d1267c21
2014-06-22 19:55:21 -04:00
Jeremy Long
452955667c checkstyle correction
Former-commit-id: e5a891ea5b438e64e8a3aa5e697cb859d1a1f09a
2014-06-22 19:54:25 -04:00
Jeremy Long
f38bbf4cc7 minor javadoc correction
Former-commit-id: 45e621682304820fe17c17e92bd0aa5ac5dfd023
2014-06-22 19:53:59 -04:00
Jeremy Long
25eaa11a52 updated description
Former-commit-id: c8cb8b041ce351c2d33a3621f772e75d02950193
2014-06-22 19:53:38 -04:00
Jeremy Long
4b4da8d467 checkstyle/pmd/etc. corrections
Former-commit-id: 59883bd0b03c8690ce9a20120eafefe7c61384cd
2014-06-22 19:03:33 -04:00
Jeremy Long
13116c5381 added support for suppression by GAV (issue #124), created base suppression.xml (issue #123), and fixed false positives related to spring security (issue #130)
Former-commit-id: 330134211d022fec336dc1ca39205a94a088ee84
2014-06-22 16:34:39 -04:00
Jeremy Long
d2cd406a62 added additional test resources
Former-commit-id: b788c7420b82d8a108cd2335c536be667c2ab293
2014-06-22 16:32:48 -04:00
Jeremy Long
acbce05fbf updated to support suppression by maven coordinates (GAV) per issue #124
Former-commit-id: 3cff74ded9b0c352fb1d45e784d89c3c20f55467
2014-06-20 06:47:46 -04:00
Jeremy Long
bee4d3a338 fixed bug that left false positive, previously fixed, due to the file name modifications that the archive analyzer makes - regex needed updating to not just look for the start of the filename
Former-commit-id: 922a9edaf9123524585b97e6cb9f8efd4a389031
2014-06-14 07:04:02 -04:00
Jeremy Long
bce226002b added data.zip back after cleaning up history
Former-commit-id: 6d227bf38e8023eeb134c965f48fbf859aeb9600
2014-06-01 11:31:09 -04:00
Jeremy Long
a417db7c7a updated documentation to replace deprecated proxyUrl with proxyServer
Former-commit-id: 165e14fcb6b57d8a522875eaa65f5ee766c9b1af
2014-05-31 06:43:07 -04:00
Jeremy Long
0ffef12a8b deprecated the proxyUrl field replacing it with proxyServer; getter and setter for proxyUrl now just wrap proxyServer
Former-commit-id: 5f1fbdf2eda6f05252f81dd8bf7acd44c01b7b6f
2014-05-31 06:42:27 -04:00
Jeremy Long
4539b040e0 deprecated proxyUrl and replaced it with proxyServer
Former-commit-id: 3330de9b2c36742a0b93d478b7dadaccea00cd4a
2014-05-31 06:39:36 -04:00
Jeremy Long
f85014a86d deprecated proxyUrl and replaced it with proxyServer - using the deprecated configuration will still work but will generate a warning
Former-commit-id: d9ff32d6b6e2f4d088f95d52ee33f1d0df3457fd
2014-05-31 06:38:50 -04:00
Jeremy Long
d90d07c68b added code to disable the analyzer if initialization fails
Former-commit-id: 202baa329f07fb24921ce83660d596d46b71b663
2014-05-30 05:26:03 -04:00
Jeremy Long
ce292b84fa fixed spelling error in property name
Former-commit-id: 106e8e9128bc371ff78f3a73c3f0da6012761cba
2014-05-30 05:25:20 -04:00
Jeremy Long
01690860db renamed PROXY_URL to PROXY_SERVER to avoid confusion
Former-commit-id: 1fbc025fba68aff644a8b8582657e5ef30024a24
2014-05-24 07:06:59 -04:00
Jeremy Long
89fb2d4915 fixed error messages and added status code checks
Former-commit-id: d21ff11466908f07ca02a50269f08d76f16a243e
2014-05-24 07:06:46 -04:00
Jeremy Long
5cc3a42832 renamed PROXY_URL to PROXY_SERVER to avoid confusion
Former-commit-id: 730eebed21baddfbd90c42a95769f8781de95b56
2014-05-24 07:05:05 -04:00
Jeremy Long
60b0145e04 added a new initialize method that accepts a properties file path to load to make the class more versatile
Former-commit-id: 00ec19b51a20c4ce3329a7c3c075a1f3ba16859e
2014-05-21 06:42:43 -04:00
Jeremy Long
ce48823d38 Moved some of the utility classes from core to a new utils module
Former-commit-id: 2e6ff9631ff4c843f10db1e022e41e728394e420
2014-05-21 06:29:46 -04:00
Jeremy Long
d43fee5585 renamed CallableDownloadTask to DownloadTask
Former-commit-id: 4ed8987945722d99e0f23b2f379321a652f76348
2014-05-20 21:08:15 -04:00
Jeremy Long
5dc9e51dd4 fixed test cases
Former-commit-id: 081ea17023cef3313ce59dbf8ce7f2a8cff706eb
2014-05-17 08:04:20 -04:00
Jeremy Long
235fcccbd7 if maven identifier already exists we now update it with a hyperlink instead of adding a new one - the Jar analyzer may add a maven identifier based on the pom.xml
Former-commit-id: db0ae1145d000089fb10e0357566f03632a559b9
2014-05-17 08:04:03 -04:00
Jeremy Long
91c971b8fd cleaned up pom evidence collection and added a maven identifier if the GAV is available from the pom.xml
Former-commit-id: 0400863fea2cfe86a5601b3ae134e7e98a4b29c7
2014-05-17 08:03:04 -04:00
Jeremy Long
e43003cadc fixed false positives related to Apache POI and MS Office CPE/CVE per issue #126
Former-commit-id: cfde8d86cb339a9f2cf0b8c1f72f5ca198efab8a
2014-05-14 19:17:47 -04:00
Jeremy Long
9a96165655 Update JarAnalyze to resolve issue #127
Updated JarAnalyzer to resolve issue #127 - duplicate package and package name evidence in the report.

Former-commit-id: 067643f7e99a7a4f36438b18c07e92a5e8544089
2014-05-14 18:01:12 -04:00
Jeremy Long
994aef411c updated version to 1.2.2-SNAPSHOT
Former-commit-id: e1b07457515dcab0f00c6a0b36fadb58ecc3deeb
2014-05-10 08:41:37 -04:00
Jeremy Long
094a180935 updated to release version 1.2.1
Former-commit-id: d908eed4538f0928c8b108348d9d46ce6d2f57e0
2014-05-10 08:32:34 -04:00
Jeremy Long
74e9de6370 updated sample report
Former-commit-id: c55ddb623e21f046c90493b0724f7eb34225ea29
2014-05-10 07:25:42 -04:00
Jeremy Long
c7f31b3d79 fixed typo in log statement
Former-commit-id: 08192210f3c5bb322160fba678a56acb36af3198
2014-05-10 07:23:18 -04:00
Jeremy Long
98d0239d03 pmd correction to logger
Former-commit-id: 3c3b26ec8fbf4d2602c681ff02f460fe7e712914
2014-05-10 07:16:50 -04:00
Jeremy Long
ffeab147ce checkstyle corrections
Former-commit-id: f9ae61d41ba01b6931892a339a9b701ae3c91ce2
2014-05-10 07:13:07 -04:00
Jeremy Long
90bdbd6b84 updated version of presentation
Former-commit-id: ec47594f35f5cca92888e6c8578b0d123d31b898
2014-05-10 07:12:56 -04:00
Jeremy Long
e29dd3cd33 added additional test file
Former-commit-id: 8487a2f4ba7287f54f0b5f69bc39e63bee455172
2014-05-10 07:01:24 -04:00
Jeremy Long
23b95178ff updated to remove archive files from the list of dependencies - additionally, if a zip file appears to be a jar it will now make a copy of the zip and scan it as a jar
Former-commit-id: d927daea530abad2d578dbe0ff38b97d044b4775
2014-05-10 07:00:43 -04:00
Jeremy Long
9bde80357f patch to remove additional false positives due to SCM entries in the pom
Former-commit-id: 6101fae1b5957254ddbece5afc2db8edeb7bf9b8
2014-05-10 06:59:34 -04:00
Jeremy Long
1485733715 updated to use displayFileName field instead of FileName when writing information about dependencies
Former-commit-id: bd3383ac4831bc44db6b63083e47802cce04b520
2014-05-10 06:58:51 -04:00
Jeremy Long
d125a7f09d added displayFileName field to the dependency class
Former-commit-id: 248f5397d37ea6e2f333dc0fe357188865bdb446
2014-05-10 06:57:44 -04:00
Jeremy Long
77486dffd4 removed additional false positives as part of patch for issue #93 and #119
Former-commit-id: 86f48b30150f2ba4db99dfc2eb15a0ac50a6e383
2014-05-10 06:56:53 -04:00
Jeremy Long
c84bcb433f fixed spelling error
Former-commit-id: d3aed24d6691b58ef132e00f9827e27fceb9fc73
2014-05-07 19:33:59 -04:00
Jeremy Long
f1e5221257 Merge pull request #122 from colezlaw/master
Fixed logging order of GrokAssembly for bad assemblies. Using resources ...

Former-commit-id: 65a41d23df6ccfa8c4f05235da3d7c613e4290a0
2014-05-07 19:31:59 -04:00
Jeremy Long
b8bf01acc3 added checks before warning that a file could not be deleted
Former-commit-id: 098ea1889b49ade0c73385919906398c86627ab2
2014-05-07 19:31:21 -04:00
Jeremy Long
65aa7bd1de fixed display bug when only one CPE exists for a given CVE
Former-commit-id: 18535dc408a51e516626ec4c43a3e72b01fd28f0
2014-05-07 19:30:45 -04:00
Jeremy Long
6f511444a7 fixed display bug when only one CPE exists for a given CVE
Former-commit-id: 3b791d0a0fbe2587390e048cffc4453567ddf74a
2014-05-07 19:29:52 -04:00
Jeremy Long
ef5174d89f fixed bug causing vulnerabilities to be missed
Former-commit-id: 5c6421ea8475db16f7184340fa5b8b2033d53b29
2014-05-07 07:05:37 -04:00
Jeremy Long
e2a97e75d8 moved duplicated code to a method
Former-commit-id: f6cb80dc56ef86294f2490729bb84658d98e6c9a
2014-05-07 07:03:38 -04:00
Jeremy Long
9fc6e265eb fixed off by one string truncation issue
Former-commit-id: f25894627402e9e2d310b25163dae7d7db1457d9
2014-05-07 07:03:02 -04:00
Will Stranathan
f81c42b1fd Fixed logging order of GrokAssembly for bad assemblies. Using resources for logging
Former-commit-id: 611d665c7f5312462c19c8dcf8e87dc672184f67
2014-05-03 19:12:39 -04:00
Jeremy Long
8594e146eb updates to help resolve issue 119
Former-commit-id: c8778008b91b7999cb8d88382efe8a83ebe87102
2014-05-03 14:46:48 -04:00
Jeremy Long
cda0dfdafe updated test case and related data
Former-commit-id: 513602f48b6d599b43848f0a88537190084e9cbf
2014-05-03 12:30:29 -04:00
Jeremy Long
363568b02c updated to begin fixes for issue #90 and #119
Former-commit-id: 1ceae6236ecd83e15f91ddab549027082e269e0b
2014-05-03 12:30:07 -04:00
Jeremy Long
443ab02788 added local copies of the NVD CVE data to speed up some of the test cases
Former-commit-id: 54a264872bf151034706f6ed52de3a99ed961b04
2014-05-03 11:02:23 -04:00
Jeremy Long
65784d6dc4 updated to use local copy of data files to speedup the test case
Former-commit-id: 5bb1d67156500ba74124ced18bcae599e4c5dc7a
2014-05-03 11:01:31 -04:00
Jeremy Long
da805d037f removed duplicative test
Former-commit-id: e403e85cef541416ccb3cf13704d019f4c2b5f92
2014-05-03 11:00:48 -04:00
Jeremy Long
d383776245 added additional informational log statements
Former-commit-id: 9dfe02f737cffc05838dcffeec1cfca77c3100e1
2014-05-03 11:00:21 -04:00
Jeremy Long
51eba8da73 updated settings cleanup to prevent issue with the update process
Former-commit-id: e883b7d37c583b581b41da368dbe9b8d1bafae89
2014-05-03 10:59:47 -04:00
Jeremy Long
14b4d64244 updated the URL for the NVD CVE external link
Former-commit-id: 18cd71abd7a1f0d94dde8dba2a3076b28405ab00
2014-05-03 10:58:41 -04:00
Jeremy Long
7cb7f68cda updated the URL for the NVD CVE external link
Former-commit-id: 83ad77fb9fe6029fdb95ba7ffc96663d88234631
2014-05-03 10:58:16 -04:00
Jeremy Long
83300d028b updated the URL for the NVD CVE external link
Former-commit-id: 7527c31dab810145d8aebc1225ba302aca9fc80e
2014-05-03 10:57:44 -04:00
Jeremy Long
e891ce39c0 updated settings cleanup to prevent issue with the update process
Former-commit-id: 3452aec55b778224e10879175e1aba8060da4e42
2014-05-03 10:55:56 -04:00
Jeremy Long
e58b7782ac updated settings cleanup to prevent issue with the update process
Former-commit-id: 07122c535d47f3f414659013555fa826ce0e9b9c
2014-05-03 10:55:15 -04:00
Jeremy Long
1ddb468a08 applied part of PR for issue #121 - classpath issue with some invocations of the ant client
Former-commit-id: 129a5fd9cd55c8a0abf393d0ae8405ddec412d51
2014-05-03 09:54:11 -04:00
Jeremy Long
95e3f0e0d9 added additional dependencies for testing
Former-commit-id: 99be1ef0f35f040ca13b204e2a1689cbaa3cf41a
2014-05-03 09:52:57 -04:00
Jeremy Long
0edf017ddc patched for issue #120 - duplicate evidence listed in reports
Former-commit-id: 3cdc1854af586029911b70fb4b8ff54669bac022
2014-05-03 08:52:45 -04:00
Jeremy Long
ad601fd1ee Merge branch 'bkimminich-master'
Former-commit-id: d4f3bd1ebe5237060251b1f81111b26b5f653f65
2014-04-30 19:23:23 -04:00
Jeremy Long
e7eaccb5e0 Merge branch 'master' of github.com:bkimminich/DependencyCheck into bkimminich-master
Former-commit-id: 7fe67ea5fa1b94824d2f2c8df5bd099d89dbaf85
2014-04-30 19:23:13 -04:00
Jeremy Long
6b201da3ff version 1.2.1-SNAPSHOT
Former-commit-id: 62ed08de9077505ef8e5350b0470eb5c61089dc3
2014-04-30 18:30:46 -04:00
Jeremy Long
a85a47bc20 fixed issue #118
Former-commit-id: dceb807f182be921c2d85338c1d8192361dc2c1f
2014-04-30 18:13:04 -04:00
Jeremy Long
69b8f51319 fixed issue #118
Former-commit-id: 6f7b38b0945c6bcf47ffae0b8a6be53b144269cc
2014-04-30 18:10:56 -04:00
Björn Kimminich
0d943ba805 Update AbstractSuppressionAnalyzerTest.java
Former-commit-id: 640d50086e6b5cd9302ca4a24ffed881c614fd54
2014-04-29 14:37:52 +02:00
Björn Kimminich
56fe3b5892 simplified exception testing
Former-commit-id: f43f211c4cc3133e5dfc466a4badfb3606a3be0c
2014-04-29 14:29:46 +02:00
Björn Kimminich
c177f12e1d added test case for classpath suppression file and missing file
Former-commit-id: 975cbe1f480ad52b0e527148c4fd30b76d5baa0e
2014-04-29 11:48:07 +02:00
Jeremy Long
72f9564757 version 1.2.0
Former-commit-id: b678810925b242d0ab9c17cc43c7edc4583ef8e3
2014-04-28 08:58:09 -04:00
Jeremy Long
ab1a80152d excluded HelpMojo from PMD
Former-commit-id: 01cd292267305c6b6ed017dfcbe40ea53d4313e8
2014-04-28 08:20:11 -04:00
Jeremy Long
a87c677a35 checkstyle correction
Former-commit-id: 542c5817a18cc0f372dabd8e8010c4c93b5ef34b
2014-04-28 08:19:54 -04:00
Jeremy Long
9e0ed57cec checkstyle corrections... javadoc, final variables, etc.
Former-commit-id: 87905c8a957efb5b57e1c142eda9e7c2e7312f78
2014-04-27 17:16:49 -04:00
Jeremy Long
767f4797b0 moved checkstyle configuration to match pmd
Former-commit-id: ef4ac52a2fa483d776b6191356ce98486832a250
2014-04-27 09:31:16 -04:00
Jeremy Long
8f8c9c4582 updated to reduce exception messages during build when mono isn't available
Former-commit-id: b6701c012669d3b5fc9e8b7cc168ac8d5df4d8f0
2014-04-27 09:18:50 -04:00
Jeremy Long
9acfe3afdb Merge branch 'master' of github.com:jeremylong/DependencyCheck
Former-commit-id: 45916cc4a0b3334ac9d0fe5d849032556db59f8e
2014-04-27 08:51:31 -04:00
Jeremy Long
9c03962c26 Merge branch 'master' of github.com:bkimminich/DependencyCheck into bkimminich-master
Former-commit-id: a25a71286aed7adb384e7efde40278006e67d847
2014-04-27 08:50:59 -04:00
Jeremy Long
a135460caa moved pmd rules to follow the maven directory structure
Former-commit-id: 71f80a18aad5c92662a2eab142009f243e7416bf
2014-04-27 08:50:03 -04:00
Jeremy Long
7f72ef88e0 removed code duplication ensuring temporary directory exists
Former-commit-id: fba6dfcd3a133378c5f46f4126fa97c02ab110be
2014-04-27 08:42:02 -04:00
Steve Springett
fa1adc5294 Cleaning up Velocity. Minor change to Engine and ServiceLoaders to optionally use custom ClassLoader.
Former-commit-id: 8c1a58247faeaa032ca7389106378b095ac45edf
2014-04-26 01:25:56 -05:00
Björn Kimminich
579b526196 organized imports
extracted exception handling


Former-commit-id: 5fa0d46fc4241e8feae58e4f1e8fd365aedb27f5
2014-04-25 14:39:56 +02:00
Björn Kimminich
654e6942cb attempt to locate suppressions in classpath when they cannot be found via URL or file path
Former-commit-id: 03e7f14d9561940bb83a38faab926a5e45f2748b
2014-04-25 14:33:15 +02:00
Jeremy Long
b7ed1429de added new test case for the hint analyzer
Former-commit-id: 019194943dd81b11201ef41e00bb4f5d9aa6fe73
2014-04-24 07:23:39 -04:00
Will Stranathan
6642c23761 Updated PMD configuration to work with all the projects.
Former-commit-id: 80b9aac40019ef95d95ac5dcd3cb417290c37d7e
2014-04-22 20:50:06 -04:00
Jeremy Long
f2b908c859 checkstyle corrections
Former-commit-id: 8833f928a384474df1dd5b306e835ec8919a572a
2014-04-22 09:01:53 -04:00
Jeremy Long
709840ca02 removed unused variable and inner assignment
Former-commit-id: 24b669e885ae51c2812ed1b31d86241b0a13509d
2014-04-22 08:14:30 -04:00
Jeremy Long
9fe596f3de checkstyle corrections
Former-commit-id: 2f6fb660cd0152de284b55de3aab9cbb1b22b0b0
2014-04-22 08:10:54 -04:00
Jeremy Long
228bb2fc86 converted long running tests to integration tests
Former-commit-id: 36a20d08b8de14b369a083d1c52e0f458b276d47
2014-04-21 21:46:54 -04:00
Jeremy Long
d07947f712 spelling corrections
Former-commit-id: 6b3c1ae8e8150cca82449f5e5b4448a9a829e680
2014-04-21 21:01:10 -04:00
Jeremy Long
70022088fb spelling corrections
Former-commit-id: 43b77de6e21a4d586f7b66b6da0045572c097f42
2014-04-21 20:59:18 -04:00
Jeremy Long
9143564d41 merged update from Will
Former-commit-id: ee4020e643221aa4ea403a6fb59314e65ab9e1b5
2014-04-21 20:42:58 -04:00
Jeremy Long
55440ae32b Merge branch 'master' of github.com:jeremylong/DependencyCheck
Former-commit-id: ddb7a60c533bf82e5f6faa9a5fbd794ca7dfaf5f
2014-04-21 20:31:48 -04:00
Jeremy Long
db65c0b422 spelling corrections
Former-commit-id: 35f1650765a5e8de33ef078a13b20bfa2994eb71
2014-04-21 20:31:26 -04:00
Jeremy Long
f0297938b6 spelling corrections
Former-commit-id: 56795c1f9276347f4b383e911c8c1b35918d55d9
2014-04-21 20:21:53 -04:00
Steve Springett
4d390b65fe Removing Jenkins workaround for previous snapshot's race condition
Former-commit-id: 69304c08687945ebecaf3f253e16861dd9627d43
2014-04-21 14:19:30 -05:00
Will Stranathan
294df359d5 Added PMD rule to find Loggers that weren't fields and corrected existing instances.
Former-commit-id: d1844676a9e2f9ccbbc584d51f9dc13ecc255c11
2014-04-19 22:08:17 -04:00
Jeremy Long
a855d53542 checkstyle corrections
Former-commit-id: 8caae0e4f0dd1828419c84b081fbc32d4d7be93c
2014-04-19 12:49:57 -04:00
Jeremy Long
57a0c48293 speed up test by disabling auto-update
Former-commit-id: 55e2cbff478577b7e2fc49b91f1e58c2e1563da7
2014-04-19 10:00:06 -04:00
Jeremy Long
bbc82d827e speed up test by disabling auto-update
Former-commit-id: 709c870c42d8b67b1e02ef8669981f2726c653e1
2014-04-19 09:59:45 -04:00
Jeremy Long
742b49e302 updated test case to perform autoupdate
Former-commit-id: 3e93783a97af223a1c63cde2b8f5916158a729e9
2014-04-19 09:59:09 -04:00
Jeremy Long
8716f14941 updated settings initialization
Former-commit-id: f53733aa65df96d09a817b74fd440da133b8be08
2014-04-19 09:58:40 -04:00
Jeremy Long
8b7b41de47 removed singleton pattern from service loaders
Former-commit-id: 0e7b90141333548c47fbb4c9944b44fe295acfec
2014-04-19 09:58:16 -04:00
Jeremy Long
36fd4dbcf4 updated to initialize the settings object
Former-commit-id: 7920a16418cb0b539571058942606dfd3b142525
2014-04-19 08:59:04 -04:00
Jeremy Long
291a8c2bfb Merge branch 'master' of github.com:bkimminich/DependencyCheck into bkimminich-master
Former-commit-id: 4b8d77255bef86d4cb4243eefd80eedadf5ca8f7
2014-04-19 08:22:47 -04:00
Jeremy Long
a1db394d93 added a mechanism to copy the global settings object to forked threads
Former-commit-id: 2932ae216d79d3cd08f4fb57695f3bd979c95c59
2014-04-19 08:21:59 -04:00
Jeremy Long
0933d96954 updated to use BaseTest to initialize the Settings correctly
Former-commit-id: 473e0db1cc94efe745c1d4664d2c204731e1b931
2014-04-19 08:08:53 -04:00
Björn Kimminich
c4fcb6c88c fixed documentation of suppressionFile parameter
Former-commit-id: 937974c6952f8ba4d90ece584c46ada635da1d50
2014-04-17 11:17:17 +02:00
Björn Kimminich
2390b20e68 extracted logger as field
Former-commit-id: 3a9819dcd526191bb7156d2012c248bb7914cf29
2014-04-16 16:35:40 +02:00
Jeremy Long
a6fd0434de made the settings ThreadLocal to solve a threading issue
Former-commit-id: 052839b76cd6d914e66c79b2fe88321eef735146
2014-04-16 08:19:35 -04:00
Jeremy Long
53b36472a0 initial base test class to support the new Settings implementation
Former-commit-id: 5414eb1c0b4b4e6c9462728f3ed0be270b2c8c01
2014-04-16 08:18:40 -04:00
Jeremy Long
ccefea6b59 added additional error handling
Former-commit-id: 7853689d3273afaa348a7e16c26d3c2cf14b5c9b
2014-04-16 08:13:38 -04:00
Jeremy Long
b24c63cb49 updated to support the new Settings implementation
Former-commit-id: 2e275cd7333b0e44b46745d5f51f89f3f1687b8f
2014-04-16 08:12:36 -04:00
Jeremy Long
38f69fd7cc updated to support the new Settings implementation
Former-commit-id: e2a2b98e2742580e52750a1a1bcdbeddae3c5787
2014-04-16 08:12:16 -04:00
Jeremy Long
6a9ea3bc0f updated to support the new Settings implementation
Former-commit-id: 7382682e8fe7ab4d93c19dc35c7e1c300fd02886
2014-04-16 08:11:56 -04:00
Jeremy Long
d1b4e93f9e updated to support the new Settings implementation
Former-commit-id: 50235f22de97afc2a352f8dc7d2de9120cf73c75
2014-04-16 08:11:09 -04:00
Jeremy Long
9a6a61151d minor javadoc update
Former-commit-id: 0611618b0abde40a3f8fd5cb98c63ae5cc71c387
2014-04-16 08:10:50 -04:00
Jeremy Long
497d0f0c74 removed un-needed methods
Former-commit-id: 8276c1e9554a1c69c764103611c53ef85803a006
2014-04-16 08:10:24 -04:00
Jeremy Long
ecf1c90c22 updated to support the new Settings implementation
Former-commit-id: 8ec7546bb8437406da724d7296fea765781a9640
2014-04-16 08:09:47 -04:00
Jeremy Long
1aa13c1c8c updated to support the new Settings implementation
Former-commit-id: 3e39bbadb32b7f3d447676ce04dfb7d4a22a4478
2014-04-16 08:09:24 -04:00
Jeremy Long
251ad23a9e removed unused methods
Former-commit-id: 9b66b0a3362d6299c9c9b61ad9267f80bfe6cdc4
2014-04-16 08:08:54 -04:00
Jeremy Long
22876e5a25 removed unused methods
Former-commit-id: 70d7e89ae7f62b42eb7fe2cd8085caa270c8f381
2014-04-16 08:08:36 -04:00
Jeremy Long
12162e2aae updated to support the new Settings implementation
Former-commit-id: 572697ad9f84f341e1ac5a4f4e6036df0ed02f3a
2014-04-16 08:07:52 -04:00
Jeremy Long
2af09fb49d updated to support the new Settings implementation
Former-commit-id: 58ea4b5d184999aa7c2f67e00374a7c52fef639f
2014-04-16 08:07:32 -04:00
Jeremy Long
c58589026c updated to support the new Settings implementation
Former-commit-id: 00b11fb5e4eb3c288d4017e8974dac39e7a6f2c6
2014-04-16 08:07:09 -04:00
Jeremy Long
5b83919eb2 updated to support the new Settings implementation
Former-commit-id: d559571b5adf664155b12075c7f42644c001d4be
2014-04-16 08:06:52 -04:00
Jeremy Long
f26f02c986 removed unused methods
Former-commit-id: cb23f2dbc928c46149be608144aa79fcdcd6e815
2014-04-16 08:04:46 -04:00
Jeremy Long
c5d16a49d0 updated to support the new Settings implementation
Former-commit-id: 00ccc5ae2b0ceac9b1bffae27e25dfb55b262f08
2014-04-16 08:04:13 -04:00
Jeremy Long
260b2c3532 updated to support the new Settings implementation
Former-commit-id: 9cbc15ce470881f316a8ede89b94c7122c1381c1
2014-04-16 08:03:55 -04:00
Jeremy Long
420da8f476 updated to support the new Settings implementation
Former-commit-id: 8eccff73254d27425813dfac1646b8832fac8604
2014-04-16 08:03:36 -04:00
Jeremy Long
c2a39d3296 updated to support the new Settings implementation
Former-commit-id: b2b4137934983f3688f115f31ced54004d33d2e9
2014-04-16 08:03:15 -04:00
Jeremy Long
6cd4bf337e updated to support the new Settings implementation
Former-commit-id: a530f8ae502e47345f36c1e563c001797b223280
2014-04-16 08:02:50 -04:00
Jeremy Long
095c48a942 updated to support the new Settings implementation
Former-commit-id: e34221085daf9880ce658cd71df15f9f8b0def9d
2014-04-16 08:02:24 -04:00
Jeremy Long
e61ef1ae85 updated to support the new Settings implementation
Former-commit-id: 9715d8c76c5667d813a64c56d74a366fa83d2470
2014-04-16 08:02:05 -04:00
Jeremy Long
886b21af68 updated to support the new Settings implementation
Former-commit-id: bc891a90f8e0d234fbefcd19bc559bf828af5636
2014-04-16 08:01:45 -04:00
Jeremy Long
7bba66737f updated to support the new Settings implementation
Former-commit-id: d6e86661ae20968179c729fd21bfb07df00858a7
2014-04-16 08:01:15 -04:00
Jeremy Long
52fd2772cf updated to support the new Settings implementation
Former-commit-id: c84709a4cf38a6e55166de59b6a8b372c1f082e4
2014-04-16 08:00:55 -04:00
Jeremy Long
48043b5ec4 updated to support the new Settings implementation
Former-commit-id: 39536545c92d2c56017a4a8279704f2184b8124c
2014-04-16 08:00:10 -04:00
Jeremy Long
1f67ae82bd updated to support the new Settings implementation
Former-commit-id: 624d4c04e4fa208ef0da60245ca20ca755610c81
2014-04-16 07:59:13 -04:00
Jeremy Long
e7749c161d updated to support the new Settings implementation
Former-commit-id: dd98df72654badebf3d4b7fa24da718ff588339d
2014-04-16 07:58:50 -04:00
Jeremy Long
144f913aa9 updated to support the new Settings implementation
Former-commit-id: 3b0db7eb50c088342b7c49d23f43ba23edd5458f
2014-04-16 07:58:28 -04:00
Jeremy Long
e28b6b9f73 updated to support the new Settings implementation
Former-commit-id: dd2d8cdd1c8688482752a8f1df2fc54ef6f638c8
2014-04-16 07:57:11 -04:00
Jeremy Long
691636de7b removed unused methods
Former-commit-id: 6e0577ad17ed28f5e6e4f72fa35c10c5250343b4
2014-04-16 07:56:51 -04:00
Jeremy Long
6f2b1b8f06 updated to support the new Settings implementation
Former-commit-id: 18ba158d3b4651b424ee2d3ec02907410f7ea8ba
2014-04-16 07:56:23 -04:00
Jeremy Long
139640e768 updated to support the new Settings implementation
Former-commit-id: 4731df058a88b10661ea70addb082aced7590e80
2014-04-16 07:55:56 -04:00
Jeremy Long
ae2fa19c0e updated documentation
Former-commit-id: c374ee235b5c0e1beff55f678e02523213ef5868
2014-04-13 07:47:50 -04:00
Jeremy Long
f8867abe49 reordered operations
Former-commit-id: 1a487bcc4400d881c8dda7118318b183a68a0fe3
2014-04-13 07:45:54 -04:00
Jeremy Long
fd83e72177 Merge branch 'master' of github.com:jeremylong/DependencyCheck
Former-commit-id: 3a30dd648eef49290e9290be719fb0eb25f79764
2014-04-12 05:33:02 -04:00
Jeremy Long
1ff45c8e02 improved error handling
Former-commit-id: f5086f9ebae6dab987fedf5e87d885c243af188e
2014-04-11 06:38:13 -04:00
Steve Springett
608c338403 Added archive support for JAR, SAR, and APK file formats. Ticket #106
Former-commit-id: 19991f8b32e746d9691e48eeac15343178dd3e99
2014-04-10 23:39:52 -05:00
Jeremy Long
f23da0dd5a updated connection string to use FILE_LOCK=SERIALIZED instead of AUTO_SERVER=TRUE
Former-commit-id: 59bc2334093063d99c67bcef2c73690895ce9c72
2014-04-09 06:40:25 -04:00
Jeremy Long
8c3f887cac redirected standard error to hide expected [fatal] message from being displayed during tests
Former-commit-id: 4a5d1e47a0e613e2b8a14e14fc8cd73b1bd4519a
2014-04-09 06:34:57 -04:00
Jeremy Long
6e6f16d6ee updated report to show suppressed vulnerabilities and identifiers per issue #66
Former-commit-id: 0669a01ae3cc11bbeb36951411e95d2a7f8c5cf8
2014-04-04 06:46:31 -04:00
Jeremy Long
8a83385c7f fixed formating in support of issue #66
Former-commit-id: 3b27d6fefb6745ffe2e6169d248166a3408791c9
2014-04-04 06:46:04 -04:00
Jeremy Long
147bc797a2 updated schema to 1.2 to support changes for issue #66
Former-commit-id: fc7d7e8b8453bb8065be1d83cbc7ce3d5f47ea88
2014-04-04 06:45:35 -04:00
Jeremy Long
1735f36b82 added to simplify velocity templates
Former-commit-id: 0d9c1624b7cc81a7843ff7db4488b115405a9e74
2014-04-02 06:54:25 -04:00
Jeremy Long
a782354874 Merge branch 'master' of github.com:jeremylong/DependencyCheck
Former-commit-id: 2ff2fbf86c9ebbf7bc1aec2aaf833bdd2ef00851
2014-04-02 06:52:59 -04:00
Jeremy Long
21a709cf89 simplified velocity report generation
Former-commit-id: dc690db1eb9186f1bfbf49472f893137e7602953
2014-04-02 06:52:26 -04:00
Jeremy Long
76a0c1d96e coveritys copy paste analysis is awsome - identified a real bug that has been fixed
Former-commit-id: bccecaef9181eeb60a79873ebefc6f8ead259f71
2014-03-31 21:32:38 -04:00
Jeremy Long
1c30e555dc updated test case to ensure suppressed vulnerabilities were tracked correctly per issue #66
Former-commit-id: 657213bab4b2f0a9538fb03319ff945971765b47
2014-03-30 06:31:52 -04:00
Jeremy Long
9bdff89833 Updated to support the tracking of suppressed CPE/CVE per issue #66
Former-commit-id: 12b514a914a1b1df96e92efd78e6a7ec6b9c42bd
2014-03-30 06:26:50 -04:00
Jeremy Long
08105eee48 updated to ignore coverity directory
Former-commit-id: 9db069c9e11d8a387dd944399023cb485ac4e63b
2014-03-30 06:25:56 -04:00
Steve Springett
40e13184ca Fix to prevent rules from being cached between Jenkins builds even if suppression file is not specified.
Former-commit-id: 860fded462d768acb207ebe35464936d7f80f59c
2014-03-29 22:57:44 -05:00
Jeremy Long
b5a65c5e43 updated commons-compress version
Former-commit-id: 4aeedcf31bb2a99b73c35aa68bd1dd1876512c67
2014-03-29 08:56:04 -04:00
Jeremy Long
7eac65fec2 specifically set InputStreamReader to use UTF-8
Former-commit-id: 517159b6d919a98d83ebbf1037b5d375285f8390
2014-03-29 08:37:39 -04:00
Jeremy Long
9bc974661c updated to version 1.1.5-SNAPSHOT
Former-commit-id: 529545190847cf43edec6934ab6393583adc6e47
2014-03-29 08:37:03 -04:00
Jeremy Long
b8c41a91e1 updated to version 1.1.5-SNAPSHOT
Former-commit-id: 09c36d34a5390b22e3a870c8317e8e309083b5f2
2014-03-29 08:36:43 -04:00
151 changed files with 28660 additions and 7469 deletions

4
.gitignore vendored

@@ -17,4 +17,6 @@ Gemfile
Gemfile.lock
_site/**
#unknown as to why these are showing up... but need to be ignored.
.LCKpom.xml~
.LCKpom.xml~
#coverity
/cov-int/


@@ -1,9 +0,0 @@
<?xml version="1.0"?>
<!DOCTYPE suppressions PUBLIC
"-//Puppy Crawl//DTD Suppressions 1.0//EN"
"http://www.puppycrawl.com/dtds/suppressions_1_0.dtd">
<suppressions>
<suppress checks=".*" files=".*[\\/]package-info\.java" />
</suppressions>


@@ -21,7 +21,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.1.4</version>
<version>1.2.3</version>
</parent>
<artifactId>dependency-check-ant</artifactId>
@@ -398,9 +398,9 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<version>2.11</version>
<configuration>
<enableRulesSummary>false</enableRulesSummary>
<configLocation>${basedir}/config/checkstyle-checks.xml</configLocation>
<headerLocation>${basedir}/config/checkstyle-header.txt</headerLocation>
<suppressionsLocation>${basedir}/config/checkstyle-suppressions.xml</suppressionsLocation>
<configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
<headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
<suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
</configuration>
</plugin>
@@ -412,6 +412,15 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<targetJdk>1.6</targetJdk>
<linkXref>true</linkXref>
<sourceEncoding>utf-8</sourceEncoding>
<excludes>
<exclude>**/generated/*.java</exclude>
</excludes>
<rulesets>
<ruleset>../src/main/config/dcrules.xml</ruleset>
<ruleset>/rulesets/java/basic.xml</ruleset>
<ruleset>/rulesets/java/imports.xml</ruleset>
<ruleset>/rulesets/java/unusedcode.xml</ruleset>
</rulesets>
</configuration>
</plugin>
<plugin>
@@ -430,6 +439,11 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<artifactId>dependency-check-core</artifactId>
<version>${project.parent.version}</version>
</dependency>
<dependency>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-utils</artifactId>
<version>${project.parent.version}</version>
</dependency>
<dependency>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-core</artifactId>
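Review bot: The checkstyle locations in the `@@ -398,9 +398,9 @@` hunk now resolve outside the module directory (`${basedir}/../src/main/config/checkstyle-checks.xml` and the two sibling paths), so they are only found when this pom is built from the full multi-module checkout; a standalone build of the ant module, or a source release that ships only this module, will fail at the checkstyle goal with a missing-file error. The PMD hunk that follows has the same reliance on `../src/main/config/dcrules.xml`. The usual Maven arrangement is to package the shared checkstyle/PMD configuration as a small build-tools artifact, declare it as a dependency of the respective plugin, and reference the files by classpath resource name, which keeps the locations stable regardless of where the module is built from. If the project is always built as a reactor this can stay as is, but it is worth a one-line comment next to the `<configLocation>` element stating that assumption.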


@@ -62,6 +62,10 @@ public class DependencyCheckTask extends Task {
* System specific new line character.
*/
private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(DependencyCheckTask.class.getName());
/**
* Construct a new DependencyCheckTask.
@@ -281,26 +285,50 @@ public class DependencyCheckTask extends Task {
this.reportFormat = reportFormat.getValue();
}
/**
* The Proxy URL.
* The Proxy Server.
*/
private String proxyUrl;
private String proxyServer;
/**
* Get the value of proxyUrl.
* Get the value of proxyServer.
*
* @return the value of proxyUrl
* @return the value of proxyServer
*/
public String getProxyUrl() {
return proxyUrl;
public String getProxyServer() {
return proxyServer;
}
/**
* Set the value of proxyUrl.
* Set the value of proxyServer.
*
* @param proxyUrl new value of proxyUrl
* @param server new value of proxyServer
*/
public void setProxyServer(String server) {
this.proxyServer = server;
}
/**
* Get the value of proxyServer.
*
* @return the value of proxyServer
* @deprecated use {@link org.owasp.dependencycheck.taskdefs.DependencyCheckTask#getProxyServer()} instead
*/
@Deprecated
public String getProxyUrl() {
return proxyServer;
}
/**
* Set the value of proxyServer.
*
* @param proxyUrl new value of proxyServer
* @deprecated use {@link org.owasp.dependencycheck.taskdefs.DependencyCheckTask#setProxyServer(java.lang.String)}
* instead
*/
@Deprecated
public void setProxyUrl(String proxyUrl) {
this.proxyUrl = proxyUrl;
LOGGER.warning("A deprecated configuration option 'proxyUrl' was detected; use 'proxyServer' instead.");
this.proxyServer = proxyUrl;
}
/**
* The Proxy Port.
@@ -862,7 +890,7 @@ public class DependencyCheckTask extends Task {
Engine engine = null;
try {
engine = new Engine();
engine = new Engine(DependencyCheckTask.class.getClassLoader());
for (Resource resource : path) {
final FileProvider provider = resource.as(FileProvider.class);
@@ -882,7 +910,7 @@ public class DependencyCheckTask extends Task {
cve.open();
prop = cve.getDatabaseProperties();
} catch (DatabaseException ex) {
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "Unable to retrieve DB Properties", ex);
LOGGER.log(Level.FINE, "Unable to retrieve DB Properties", ex);
} finally {
if (cve != null) {
cve.close();
@@ -898,19 +926,17 @@ public class DependencyCheckTask extends Task {
showSummary(engine.getDependencies());
}
} catch (IOException ex) {
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE,
"Unable to generate dependency-check report", ex);
LOGGER.log(Level.FINE, "Unable to generate dependency-check report", ex);
throw new BuildException("Unable to generate dependency-check report", ex);
} catch (Exception ex) {
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE,
"An exception occurred; unable to continue task", ex);
LOGGER.log(Level.FINE, "An exception occurred; unable to continue task", ex);
throw new BuildException("An exception occurred; unable to continue task", ex);
}
} catch (DatabaseException ex) {
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.SEVERE,
"Unable to connect to the dependency-check database; analysis has stopped");
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "", ex);
LOGGER.log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped");
LOGGER.log(Level.FINE, "", ex);
} finally {
Settings.cleanup(true);
if (engine != null) {
engine.cleanup();
}
@@ -933,22 +959,23 @@ public class DependencyCheckTask extends Task {
/**
* Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system
* properties required to change the proxy url, port, and connection timeout.
* properties required to change the proxy server, port, and connection timeout.
*/
private void populateSettings() {
Settings.initialize();
InputStream taskProperties = null;
try {
taskProperties = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
Settings.mergeProperties(taskProperties);
} catch (IOException ex) {
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.WARNING, "Unable to load the dependency-check ant task.properties file.");
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.WARNING, "Unable to load the dependency-check ant task.properties file.");
LOGGER.log(Level.FINE, null, ex);
} finally {
if (taskProperties != null) {
try {
taskProperties.close();
} catch (IOException ex) {
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINEST, null, ex);
LOGGER.log(Level.FINEST, null, ex);
}
}
}
@@ -964,8 +991,8 @@ public class DependencyCheckTask extends Task {
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
if (proxyUrl != null && !proxyUrl.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);
if (proxyServer != null && !proxyServer.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_SERVER, proxyServer);
}
if (proxyPort != null && !proxyPort.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
@@ -1098,7 +1125,7 @@ public class DependencyCheckTask extends Task {
final String msg = String.format("%n%n"
+ "One or more dependencies were identified with known vulnerabilities:%n%n%s"
+ "%n%nSee the dependency-check report for more details.%n%n", summary.toString());
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.WARNING, msg);
LOGGER.log(Level.WARNING, msg);
}
}
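Review bot: The `catch (DatabaseException ex)` block at the end of the `@@ -898,19 +926,17 @@` hunk still only logs at SEVERE and FINE and then drops into the `finally`, so when the vulnerability database cannot be opened the Ant task finishes without a report and without a `BuildException`, while the `IOException` and `Exception` branches just above it do throw. For a build that relies on `failBuildOnCVSS` as a gate this is fail-open: an unreachable or corrupt database looks the same as a clean scan. Unless something outside this hunk checks for the missing report, add `throw new BuildException("Unable to connect to the dependency-check database; analysis has stopped", ex);` after the SEVERE log, keeping the FINE-level stack trace as it is. The enclosing method starts and ends outside this hunk.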


@@ -32,7 +32,7 @@ failBuildOnCVSS | Specifies if the build should be failed if a CVSS score a
format | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
logFile | The file path to write verbose logging information. | &nbsp;
suppressionFile | The file path to the XML suppression file \- used to suppress [false positives](../suppression.html) | &nbsp;
proxyUrl | The Proxy URL. | &nbsp;
proxyServer | The Proxy Server. | &nbsp;
proxyPort | The Proxy Port. | &nbsp;
proxyUsername | Defines the proxy user name. | &nbsp;
proxyPassword | Defines the proxy password. | &nbsp;


@@ -18,14 +18,12 @@
package org.owasp.dependencycheck.taskdefs;
import java.io.File;
import static junit.framework.TestCase.assertTrue;
import org.apache.tools.ant.BuildFileTest;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase;
import org.owasp.dependencycheck.utils.Settings;
/**
*
@@ -33,20 +31,10 @@ import org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase;
*/
public class DependencyCheckTaskTest extends BuildFileTest {
public DependencyCheckTaskTest() {
}
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
@Before
@Override
public void setUp() throws Exception {
Settings.initialize();
BaseDBTestCase.ensureDBExists();
final String buildFile = this.getClass().getClassLoader().getResource("build.xml").getPath();
configureProject(buildFile);
@@ -57,6 +45,7 @@ public class DependencyCheckTaskTest extends BuildFileTest {
public void tearDown() {
//no cleanup...
//executeTarget("cleanup");
Settings.cleanup(true);
}
/**


@@ -1,223 +0,0 @@
<?xml version="1.0"?>
<!DOCTYPE module PUBLIC
"-//Puppy Crawl//DTD Check Configuration 1.3//EN"
"http://www.puppycrawl.com/dtds/configuration_1_3.dtd">
<module name="Checker">
<!--
If you set the basedir property below, then all reported file
names will be relative to the specified directory. See
http://checkstyle.sourceforge.net/5.x/config.html#Checker
<property name="basedir" value="${basedir}"/>
-->
<property name="severity" value="error"/>
<module name="SuppressionFilter">
<property name="file" value="${checkstyle.suppressions.file}"/>
</module>
<module name="JavadocPackage">
<property name="allowLegacy" value="false"/>
</module>
<module name="Translation">
<property name="severity" value="warning"/>
</module>
<module name="FileTabCharacter">
<property name="eachLine" value="false"/>
</module>
<module name="FileLength">
<property name="fileExtensions" value="java"/>
</module>
<module name="NewlineAtEndOfFile">
<property name="fileExtensions" value="java"/>
<property name="lineSeparator" value="lf"/>
</module>
<module name="RegexpHeader">
<property name="headerFile" value="${checkstyle.header.file}"/>
<property name="fileExtensions" value="java"/>
<property name="id" value="header"/>
</module>
<module name="RegexpSingleline">
<property name="format" value="\s+$"/>
<property name="minimum" value="0"/>
<property name="maximum" value="0"/>
</module>
<module name="TreeWalker">
<property name="tabWidth" value="4"/>
<module name="AvoidStarImport"/>
<module name="ConstantName"/>
<module name="EmptyBlock"/>
<module name="EmptyForIteratorPad"/>
<module name="EqualsHashCode"/>
<module name="OneStatementPerLine"/>
<!-- module name="IllegalCatch"/ -->
<!--module name="ImportControl">
<property name="file" value="${checkstyle.importcontrol.file}"/>
</module-->
<module name="IllegalImport"/>
<module name="IllegalInstantiation"/>
<module name="IllegalThrows"/>
<module name="InnerAssignment"/>
<module name="JavadocType">
<property name="authorFormat" value="\S"/>
</module>
<module name="JavadocMethod">
<property name="allowUndeclaredRTE" value="true"/>
<property name="allowThrowsTagsForSubclasses" value="true"/>
<property name="allowMissingPropertyJavadoc" value="true"/>
</module>
<module name="JavadocVariable"/>
<module name="JavadocStyle">
<property name="scope" value="public"/>
</module>
<module name="LeftCurly">
<property name="option" value="eol"/>
<property name="tokens" value="CLASS_DEF"/>
<property name="tokens" value="CTOR_DEF"/>
<property name="tokens" value="INTERFACE_DEF"/>
<property name="tokens" value="METHOD_DEF"/>
<property name="tokens" value="LITERAL_CATCH"/>
<property name="tokens" value="LITERAL_DO"/>
<property name="tokens" value="LITERAL_ELSE"/>
<property name="tokens" value="LITERAL_FINALLY"/>
<property name="tokens" value="LITERAL_FOR"/>
<property name="tokens" value="LITERAL_IF"/>
<property name="tokens" value="LITERAL_SWITCH"/>
<property name="tokens" value="LITERAL_SYNCHRONIZED"/>
<property name="tokens" value="LITERAL_TRY"/>
<property name="tokens" value="LITERAL_WHILE"/>
</module>
<module name="OuterTypeNumber"/>
<module name="LineLength">
<property name="ignorePattern" value="^ *\* *[^ ]+$"/>
<property name="max" value="150"/>
</module>
<module name="MethodCount">
<property name="maxTotal" value="40"/>
</module>
<module name="LocalFinalVariableName"/>
<module name="LocalVariableName"/>
<module name="MemberName">
<property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
</module>
<module name="MethodLength">
<property name="max" value="160"/>
<property name="countEmpty" value="false"/>
</module>
<module name="MethodName"/>
<module name="MethodParamPad"/>
<module name="ModifierOrder"/>
<module name="NeedBraces"/>
<module name="NoWhitespaceAfter">
<property name="tokens" value="ARRAY_INIT"/>
<property name="tokens" value="BNOT"/>
<property name="tokens" value="DEC"/>
<property name="tokens" value="DOT"/>
<property name="tokens" value="INC"/>
<property name="tokens" value="LNOT"/>
<property name="tokens" value="UNARY_MINUS"/>
<property name="tokens" value="UNARY_PLUS"/>
</module>
<module name="NoWhitespaceBefore"/>
<module name="NoWhitespaceBefore">
<property name="tokens" value="DOT"/>
<property name="allowLineBreaks" value="true"/>
</module>
<module name="OperatorWrap"/>
<module name="OperatorWrap">
<property name="tokens" value="ASSIGN"/>
<property name="tokens" value="DIV_ASSIGN"/>
<property name="tokens" value="PLUS_ASSIGN"/>
<property name="tokens" value="MINUS_ASSIGN"/>
<property name="tokens" value="STAR_ASSIGN"/>
<property name="tokens" value="MOD_ASSIGN"/>
<property name="tokens" value="SR_ASSIGN"/>
<property name="tokens" value="BSR_ASSIGN"/>
<property name="tokens" value="SL_ASSIGN"/>
<property name="tokens" value="BXOR_ASSIGN"/>
<property name="tokens" value="BOR_ASSIGN"/>
<property name="tokens" value="BAND_ASSIGN"/>
<property name="option" value="eol"/>
</module>
<module name="PackageName"/>
<module name="ParameterName">
<property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
</module>
<module name="ParameterNumber">
<property name="id" value="paramNum"/>
</module>
<module name="ParenPad"/>
<module name="TypecastParenPad"/>
<module name="RedundantImport"/>
<module name="RedundantModifier"/>
<module name="RightCurly">
<property name="option" value="same"/>
</module>
<module name="SimplifyBooleanExpression"/>
<module name="SimplifyBooleanReturn"/>
<module name="StaticVariableName">
<property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
</module>
<module name="TypeName"/>
<module name="UnusedImports"/>
<module name="UpperEll"/>
<module name="VisibilityModifier"/>
<module name="WhitespaceAfter"/>
<module name="WhitespaceAround"/>
<module name="GenericWhitespace"/>
<module name="FinalClass"/>
<module name="MissingSwitchDefault"/>
<!--module name="MagicNumber"/-->
<!--module name="Indentation">
<property name="basicOffset" value="4"/>
<property name="braceAdjustment" value="0"/>
<property name="caseIndent" value="0"/>
</module-->
<module name="ArrayTrailingComma"/>
<module name="FinalLocalVariable"/>
<module name="EqualsAvoidNull"/>
<module name="ParameterAssignment"/>
<!-- Generates quite a few errors -->
<module name="CyclomaticComplexity">
<property name="severity" value="ignore"/>
</module>
<module name="NestedForDepth">
<property name="max" value="2"/>
</module>
<module name="NestedIfDepth">
<property name="max" value="4"/>
</module>
<module name="NestedTryDepth">
<property name="max" value="2"/>
</module>
<!--module name="ExplicitInitialization"/-->
<module name="AnnotationUseStyle"/>
<module name="MissingDeprecated"/>
<module name="MissingOverride">
<property name="javaFiveCompatibility" value="true"/>
</module>
<module name="PackageAnnotation"/>
<module name="SuppressWarnings"/>
<module name="OuterTypeFilename"/>
<module name="HideUtilityClassConstructor"/>
</module>
</module>


@@ -1,18 +0,0 @@
^/\*\s*$
^ \* This file is part of dependency-check-cli\.\s*$
^ \*\s*$
^ \* Licensed under the Apache License, Version 2\.0 \(the "License"\);\s*$
^ \* you may not use this file except in compliance with the License.\s*$
^ \* You may obtain a copy of the License at\s*$
^ \*\s*$
^ \*\s*http://www.apache.org/licenses/LICENSE-2\.0\s*$
^ \*\s*$
^ \* Unless required by applicable law or agreed to in writing, software\s*$
^ \* distributed under the License is distributed on an "AS IS" BASIS,\s*$
^ \* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied\.\s*$
^ \* See the License for the specific language governing permissions and\s*$
^ \* limitations under the License\.\s*$
^ \*\s*$
^ \* Copyright \(c\) 201[234] (Jeremy Long|Steve Springett)\. All Rights Reserved\.\s*$
^ \*/\s*$
^package


@@ -1,9 +0,0 @@
<?xml version="1.0"?>
<!DOCTYPE suppressions PUBLIC
"-//Puppy Crawl//DTD Suppressions 1.0//EN"
"http://www.puppycrawl.com/dtds/suppressions_1_0.dtd">
<suppressions>
<suppress checks=".*" files=".*[\\/]package-info\.java" />
</suppressions>


@@ -21,7 +21,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.1.4</version>
<version>1.2.3</version>
</parent>
<artifactId>dependency-check-cli</artifactId>
@@ -248,16 +248,16 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<version>2.11</version>
<configuration>
<enableRulesSummary>false</enableRulesSummary>
<configLocation>${basedir}/config/checkstyle-checks.xml</configLocation>
<headerLocation>${basedir}/config/checkstyle-header.txt</headerLocation>
<suppressionsLocation>${basedir}/config/checkstyle-suppressions.xml</suppressionsLocation>
<configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
<headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
<suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<version>3.0.1</version>
<version>3.1</version>
<configuration>
<targetJdk>1.6</targetJdk>
<linkXref>true</linkXref>
@@ -265,6 +265,12 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<excludes>
<exclude>**/generated/*.java</exclude>
</excludes>
<rulesets>
<ruleset>../src/main/config/dcrules.xml</ruleset>
<ruleset>/rulesets/java/basic.xml</ruleset>
<ruleset>/rulesets/java/imports.xml</ruleset>
<ruleset>/rulesets/java/unusedcode.xml</ruleset>
</rulesets>
</configuration>
</plugin>
<plugin>
@@ -335,5 +341,10 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<artifactId>dependency-check-core</artifactId>
<version>${project.parent.version}</version>
</dependency>
<dependency>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-utils</artifactId>
<version>${project.parent.version}</version>
</dependency>
</dependencies>
</project>


@@ -46,14 +46,24 @@ public class App {
*/
private static final String LOG_PROPERTIES_FILE = "log.properties";
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(App.class.getName());
/**
* The main method for the application.
*
* @param args the command line arguments
*/
public static void main(String[] args) {
final App app = new App();
app.run(args);
try {
Settings.initialize();
final App app = new App();
app.run(args);
} finally {
Settings.cleanup(true);
}
}
/**
@@ -62,8 +72,8 @@ public class App {
* @param args the command line arguments
*/
public void run(String[] args) {
final CliParser cli = new CliParser();
try {
cli.parse(args);
} catch (FileNotFoundException ex) {
@@ -82,7 +92,7 @@ public class App {
if (cli.isGetVersion()) {
cli.printVersionInfo();
} else if (cli.isRunScan()) {
updateSettings(cli);
populateSettings(cli);
runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles());
} else {
cli.printHelp();
@@ -115,7 +125,7 @@ public class App {
cve.open();
prop = cve.getDatabaseProperties();
} catch (DatabaseException ex) {
Logger.getLogger(App.class.getName()).log(Level.FINE, "Unable to retrieve DB Properties", ex);
LOGGER.log(Level.FINE, "Unable to retrieve DB Properties", ex);
} finally {
if (cve != null) {
cve.close();
@@ -125,15 +135,15 @@ public class App {
try {
report.generateReports(reportDirectory, outputFormat);
} catch (IOException ex) {
Logger.getLogger(App.class.getName()).log(Level.SEVERE, "There was an IO error while attempting to generate the report.");
Logger.getLogger(App.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.SEVERE, "There was an IO error while attempting to generate the report.");
LOGGER.log(Level.FINE, null, ex);
} catch (Throwable ex) {
Logger.getLogger(App.class.getName()).log(Level.SEVERE, "There was an error while attempting to generate the report.");
Logger.getLogger(App.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.SEVERE, "There was an error while attempting to generate the report.");
LOGGER.log(Level.FINE, null, ex);
}
} catch (DatabaseException ex) {
Logger.getLogger(App.class.getName()).log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped");
Logger.getLogger(App.class.getName()).log(Level.FINE, "", ex);
LOGGER.log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped");
LOGGER.log(Level.FINE, "", ex);
} finally {
if (scanner != null) {
scanner.cleanup();
@@ -147,11 +157,11 @@ public class App {
* @param cli a reference to the CLI Parser that contains the command line arguments used to set the corresponding
* settings in the core engine.
*/
private void updateSettings(CliParser cli) {
private void populateSettings(CliParser cli) {
final boolean autoUpdate = cli.isAutoUpdate();
final String connectionTimeout = cli.getConnectionTimeout();
final String proxyUrl = cli.getProxyUrl();
final String proxyServer = cli.getProxyServer();
final String proxyPort = cli.getProxyPort();
final String proxyUser = cli.getProxyUsername();
final String proxyPass = cli.getProxyPassword();
@@ -177,12 +187,12 @@ public class App {
Settings.mergeProperties(propertiesFile);
} catch (FileNotFoundException ex) {
final String msg = String.format("Unable to load properties file '%s'", propertiesFile.getPath());
Logger.getLogger(App.class.getName()).log(Level.SEVERE, msg);
Logger.getLogger(App.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.SEVERE, msg);
LOGGER.log(Level.FINE, null, ex);
} catch (IOException ex) {
final String msg = String.format("Unable to find properties file '%s'", propertiesFile.getPath());
Logger.getLogger(App.class.getName()).log(Level.SEVERE, msg);
Logger.getLogger(App.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.SEVERE, msg);
LOGGER.log(Level.FINE, null, ex);
}
}
// We have to wait until we've merged the properties before attempting to set whether we use
@@ -202,8 +212,8 @@ public class App {
Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
}
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
if (proxyUrl != null && !proxyUrl.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);
if (proxyServer != null && !proxyServer.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_SERVER, proxyServer);
}
if (proxyPort != null && !proxyPort.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
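Review bot: In the `@@ -125,15 +135,15 @@` hunk the `catch (DatabaseException ex)` block still only logs at SEVERE and FINE before falling into the `finally`, and `main` returns normally after `app.run(args)`, so the process appears to exit with status 0 and no report when the vulnerability database cannot be opened — a CI step that gates on this command's exit code would treat a failed scan as clean. Unless an exit status is set somewhere outside these hunks, have `runScan` report whether the scan completed and let `main` exit non-zero on failure, e.g. `System.exit(1)` after `Settings.cleanup(true)` in the `finally`. Separately, the two messages in the `@@ -177,12 +187,12 @@` hunk look swapped: the `FileNotFoundException` branch logs "Unable to load properties file" while the `IOException` branch logs "Unable to find properties file". `runScan` and `populateSettings` both start outside their hunks.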


@@ -19,6 +19,7 @@ package org.owasp.dependencycheck.cli;
import java.io.File;
import java.io.FileNotFoundException;
import java.util.logging.Logger;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.CommandLineParser;
import org.apache.commons.cli.HelpFormatter;
@@ -39,6 +40,10 @@ import org.owasp.dependencycheck.utils.Settings;
*/
public final class CliParser {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(CliParser.class.getName());
/**
* The command line.
*/
@@ -85,16 +90,16 @@ public final class CliParser {
*/
private void validateArgs() throws FileNotFoundException, ParseException {
if (isRunScan()) {
validatePathExists(getScanFiles(), ArgumentName.SCAN);
validatePathExists(getReportDirectory(), ArgumentName.OUT);
validatePathExists(getScanFiles(), ARGUMENT.SCAN);
validatePathExists(getReportDirectory(), ARGUMENT.OUT);
if (getPathToMono() != null) {
validatePathExists(getPathToMono(), ArgumentName.PATH_TO_MONO);
validatePathExists(getPathToMono(), ARGUMENT.PATH_TO_MONO);
}
if (!line.hasOption(ArgumentName.APP_NAME)) {
if (!line.hasOption(ARGUMENT.APP_NAME)) {
throw new ParseException("Missing 'app' argument; the scan cannot be run without the an application name.");
}
if (line.hasOption(ArgumentName.OUTPUT_FORMAT)) {
final String format = line.getOptionValue(ArgumentName.OUTPUT_FORMAT);
if (line.hasOption(ARGUMENT.OUTPUT_FORMAT)) {
final String format = line.getOptionValue(ARGUMENT.OUTPUT_FORMAT);
try {
Format.valueOf(format);
} catch (IllegalArgumentException ex) {
@@ -150,7 +155,7 @@ public final class CliParser {
final Options options = new Options();
addStandardOptions(options);
addAdvancedOptions(options);
addDeprecatedOptions(options);
return options;
}
@@ -162,44 +167,44 @@ public final class CliParser {
*/
@SuppressWarnings("static-access")
private void addStandardOptions(final Options options) throws IllegalArgumentException {
final Option help = new Option(ArgumentName.HELP_SHORT, ArgumentName.HELP, false,
final Option help = new Option(ARGUMENT.HELP_SHORT, ARGUMENT.HELP, false,
"Print this message.");
final Option advancedHelp = OptionBuilder.withLongOpt(ArgumentName.ADVANCED_HELP)
final Option advancedHelp = OptionBuilder.withLongOpt(ARGUMENT.ADVANCED_HELP)
.withDescription("Print the advanced help message.").create();
final Option version = new Option(ArgumentName.VERSION_SHORT, ArgumentName.VERSION,
final Option version = new Option(ARGUMENT.VERSION_SHORT, ARGUMENT.VERSION,
false, "Print the version information.");
final Option noUpdate = new Option(ArgumentName.DISABLE_AUTO_UPDATE_SHORT, ArgumentName.DISABLE_AUTO_UPDATE,
final Option noUpdate = new Option(ARGUMENT.DISABLE_AUTO_UPDATE_SHORT, ARGUMENT.DISABLE_AUTO_UPDATE,
false, "Disables the automatic updating of the CPE data.");
final Option appName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ArgumentName.APP_NAME)
final Option appName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ARGUMENT.APP_NAME)
.withDescription("The name of the application being scanned. This is a required argument.")
.create(ArgumentName.APP_NAME_SHORT);
.create(ARGUMENT.APP_NAME_SHORT);
final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.SCAN)
final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.SCAN)
.withDescription("The path to scan - this option can be specified multiple times. To limit the scan"
+ " to specific file types *.[ext] can be added to the end of the path.")
.create(ArgumentName.SCAN_SHORT);
.create(ARGUMENT.SCAN_SHORT);
final Option props = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.PROP)
final Option props = OptionBuilder.withArgName("file").hasArg().withLongOpt(ARGUMENT.PROP)
.withDescription("A property file to load.")
.create(ArgumentName.PROP_SHORT);
.create(ARGUMENT.PROP_SHORT);
final Option out = OptionBuilder.withArgName("folder").hasArg().withLongOpt(ArgumentName.OUT)
final Option out = OptionBuilder.withArgName("folder").hasArg().withLongOpt(ARGUMENT.OUT)
.withDescription("The folder to write reports to. This defaults to the current directory.")
.create(ArgumentName.OUT_SHORT);
.create(ARGUMENT.OUT_SHORT);
final Option outputFormat = OptionBuilder.withArgName("format").hasArg().withLongOpt(ArgumentName.OUTPUT_FORMAT)
final Option outputFormat = OptionBuilder.withArgName("format").hasArg().withLongOpt(ARGUMENT.OUTPUT_FORMAT)
.withDescription("The output format to write to (XML, HTML, VULN, ALL). The default is HTML.")
.create(ArgumentName.OUTPUT_FORMAT_SHORT);
.create(ARGUMENT.OUTPUT_FORMAT_SHORT);
final Option verboseLog = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.VERBOSE_LOG)
final Option verboseLog = OptionBuilder.withArgName("file").hasArg().withLongOpt(ARGUMENT.VERBOSE_LOG)
.withDescription("The file path to write verbose logging information.")
.create(ArgumentName.VERBOSE_LOG_SHORT);
.create(ARGUMENT.VERBOSE_LOG_SHORT);
final Option suppressionFile = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.SUPPRESION_FILE)
final Option suppressionFile = OptionBuilder.withArgName("file").hasArg().withLongOpt(ARGUMENT.SUPPRESSION_FILE)
.withDescription("The file path to the suppression XML file.")
.create();
@@ -230,87 +235,87 @@ public final class CliParser {
@SuppressWarnings("static-access")
private void addAdvancedOptions(final Options options) throws IllegalArgumentException {
final Option data = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.DATA_DIRECTORY)
final Option data = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.DATA_DIRECTORY)
.withDescription("The location of the H2 Database file. This option should generally not be set.")
.create(ArgumentName.DATA_DIRECTORY_SHORT);
.create(ARGUMENT.DATA_DIRECTORY_SHORT);
final Option connectionTimeout = OptionBuilder.withArgName("timeout").hasArg().withLongOpt(ArgumentName.CONNECTION_TIMEOUT)
final Option connectionTimeout = OptionBuilder.withArgName("timeout").hasArg().withLongOpt(ARGUMENT.CONNECTION_TIMEOUT)
.withDescription("The connection timeout (in milliseconds) to use when downloading resources.")
.create(ArgumentName.CONNECTION_TIMEOUT_SHORT);
.create(ARGUMENT.CONNECTION_TIMEOUT_SHORT);
final Option proxyUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ArgumentName.PROXY_URL)
.withDescription("The proxy url to use when downloading resources.")
.create(ArgumentName.PROXY_URL_SHORT);
final Option proxyServer = OptionBuilder.withArgName("server").hasArg().withLongOpt(ARGUMENT.PROXY_SERVER)
.withDescription("The proxy server to use when downloading resources.")
.create();
final Option proxyPort = OptionBuilder.withArgName("port").hasArg().withLongOpt(ArgumentName.PROXY_PORT)
final Option proxyPort = OptionBuilder.withArgName("port").hasArg().withLongOpt(ARGUMENT.PROXY_PORT)
.withDescription("The proxy port to use when downloading resources.")
.create(ArgumentName.PROXY_PORT_SHORT);
.create();
final Option proxyUsername = OptionBuilder.withArgName("user").hasArg().withLongOpt(ArgumentName.PROXY_USERNAME)
final Option proxyUsername = OptionBuilder.withArgName("user").hasArg().withLongOpt(ARGUMENT.PROXY_USERNAME)
.withDescription("The proxy username to use when downloading resources.")
.create();
final Option proxyPassword = OptionBuilder.withArgName("pass").hasArg().withLongOpt(ArgumentName.PROXY_PASSWORD)
final Option proxyPassword = OptionBuilder.withArgName("pass").hasArg().withLongOpt(ARGUMENT.PROXY_PASSWORD)
.withDescription("The proxy password to use when downloading resources.")
.create();
final Option connectionString = OptionBuilder.withArgName("connStr").hasArg().withLongOpt(ArgumentName.CONNECTION_STRING)
final Option connectionString = OptionBuilder.withArgName("connStr").hasArg().withLongOpt(ARGUMENT.CONNECTION_STRING)
.withDescription("The connection string to the database.")
.create();
final Option dbUser = OptionBuilder.withArgName("user").hasArg().withLongOpt(ArgumentName.DB_NAME)
final Option dbUser = OptionBuilder.withArgName("user").hasArg().withLongOpt(ARGUMENT.DB_NAME)
.withDescription("The username used to connect to the database.")
.create();
final Option dbPassword = OptionBuilder.withArgName("password").hasArg().withLongOpt(ArgumentName.DB_PASSWORD)
final Option dbPassword = OptionBuilder.withArgName("password").hasArg().withLongOpt(ARGUMENT.DB_PASSWORD)
.withDescription("The password for connecting to the database.")
.create();
final Option dbDriver = OptionBuilder.withArgName("driver").hasArg().withLongOpt(ArgumentName.DB_DRIVER)
final Option dbDriver = OptionBuilder.withArgName("driver").hasArg().withLongOpt(ARGUMENT.DB_DRIVER)
.withDescription("The database driver name.")
.create();
final Option dbDriverPath = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.DB_DRIVER_PATH)
final Option dbDriverPath = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.DB_DRIVER_PATH)
.withDescription("The path to the database driver; note, this does not need to be set unless the JAR is outside of the classpath.")
.create();
final Option disableJarAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_JAR)
final Option disableJarAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_JAR)
.withDescription("Disable the Jar Analyzer.")
.create();
final Option disableArchiveAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_ARCHIVE)
final Option disableArchiveAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_ARCHIVE)
.withDescription("Disable the Archive Analyzer.")
.create();
final Option disableNuspecAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_NUSPEC)
final Option disableNuspecAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_NUSPEC)
.withDescription("Disable the Nuspec Analyzer.")
.create();
final Option disableAssemblyAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_ASSEMBLY)
final Option disableAssemblyAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_ASSEMBLY)
.withDescription("Disable the .NET Assembly Analyzer.")
.create();
final Option disableNexusAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_NEXUS)
final Option disableNexusAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_NEXUS)
.withDescription("Disable the Nexus Analyzer.")
.create();
final Option nexusUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ArgumentName.NEXUS_URL)
final Option nexusUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.NEXUS_URL)
.withDescription("The url to the Nexus Server.")
.create();
final Option nexusUsesProxy = OptionBuilder.withArgName("true/false").hasArg().withLongOpt(ArgumentName.NEXUS_USES_PROXY)
final Option nexusUsesProxy = OptionBuilder.withArgName("true/false").hasArg().withLongOpt(ARGUMENT.NEXUS_USES_PROXY)
.withDescription("Whether or not the configured proxy should be used when connecting to Nexus.")
.create();
final Option additionalZipExtensions = OptionBuilder.withArgName("extensions").hasArg()
.withLongOpt(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS)
.withDescription("A comma seperated list of additional extensions to be scanned as ZIP files "
.withLongOpt(ARGUMENT.ADDITIONAL_ZIP_EXTENSIONS)
.withDescription("A comma separated list of additional extensions to be scanned as ZIP files "
+ "(ZIP, EAR, WAR are already treated as zip files)")
.create();
final Option pathToMono = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.PATH_TO_MONO)
final Option pathToMono = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.PATH_TO_MONO)
.withDescription("The path to Mono for .NET Assembly analysis on non-windows systems.")
.create();
options.addOption(proxyPort)
.addOption(proxyUrl)
.addOption(proxyServer)
.addOption(proxyUsername)
.addOption(proxyPassword)
.addOption(connectionTimeout)
@@ -331,13 +336,30 @@ public final class CliParser {
.addOption(pathToMono);
}
/**
* Adds the deprecated command line options to the given options collection. These are split out for purposes of not
* including them in the help message. We need to add the deprecated options so as not to break existing scripts.
*
* @param options a collection of command line arguments
* @throws IllegalArgumentException thrown if there is an exception
*/
@SuppressWarnings("static-access")
private void addDeprecatedOptions(final Options options) throws IllegalArgumentException {
final Option proxyServer = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.PROXY_URL)
.withDescription("The proxy url argument is deprecated, use proxyserver instead.")
.create();
options.addOption(proxyServer);
}
/**
* Determines if the 'version' command line argument was passed in.
*
* @return whether or not the 'version' command line argument was passed in
*/
public boolean isGetVersion() {
return (line != null) && line.hasOption(ArgumentName.VERSION);
return (line != null) && line.hasOption(ARGUMENT.VERSION);
}
/**
@@ -346,7 +368,7 @@ public final class CliParser {
* @return whether or not the 'help' command line argument was passed in
*/
public boolean isGetHelp() {
return (line != null) && line.hasOption(ArgumentName.HELP);
return (line != null) && line.hasOption(ARGUMENT.HELP);
}
/**
@@ -355,7 +377,7 @@ public final class CliParser {
* @return whether or not the 'scan' command line argument was passed in
*/
public boolean isRunScan() {
return (line != null) && isValid && line.hasOption(ArgumentName.SCAN);
return (line != null) && isValid && line.hasOption(ARGUMENT.SCAN);
}
/**
@@ -364,7 +386,7 @@ public final class CliParser {
* @return true if the disableJar command line argument was specified; otherwise false
*/
public boolean isJarDisabled() {
return (line != null) && line.hasOption(ArgumentName.DISABLE_JAR);
return (line != null) && line.hasOption(ARGUMENT.DISABLE_JAR);
}
/**
@@ -373,7 +395,7 @@ public final class CliParser {
* @return true if the disableArchive command line argument was specified; otherwise false
*/
public boolean isArchiveDisabled() {
return (line != null) && line.hasOption(ArgumentName.DISABLE_ARCHIVE);
return (line != null) && line.hasOption(ARGUMENT.DISABLE_ARCHIVE);
}
/**
@@ -382,7 +404,7 @@ public final class CliParser {
* @return true if the disableNuspec command line argument was specified; otherwise false
*/
public boolean isNuspecDisabled() {
return (line != null) && line.hasOption(ArgumentName.DISABLE_NUSPEC);
return (line != null) && line.hasOption(ARGUMENT.DISABLE_NUSPEC);
}
/**
@@ -391,7 +413,7 @@ public final class CliParser {
* @return true if the disableAssembly command line argument was specified; otherwise false
*/
public boolean isAssemblyDisabled() {
return (line != null) && line.hasOption(ArgumentName.DISABLE_ASSEMBLY);
return (line != null) && line.hasOption(ARGUMENT.DISABLE_ASSEMBLY);
}
/**
@@ -400,7 +422,7 @@ public final class CliParser {
* @return true if the disableNexus command line argument was specified; otherwise false
*/
public boolean isNexusDisabled() {
return (line != null) && line.hasOption(ArgumentName.DISABLE_NEXUS);
return (line != null) && line.hasOption(ARGUMENT.DISABLE_NEXUS);
}
/**
@@ -409,10 +431,10 @@ public final class CliParser {
* @return the url to the nexus server; if none was specified this will return null;
*/
public String getNexusUrl() {
if (line == null || !line.hasOption(ArgumentName.NEXUS_URL)) {
if (line == null || !line.hasOption(ARGUMENT.NEXUS_URL)) {
return null;
} else {
return line.getOptionValue(ArgumentName.NEXUS_URL);
return line.getOptionValue(ARGUMENT.NEXUS_URL);
}
}
@@ -425,14 +447,14 @@ public final class CliParser {
public boolean isNexusUsesProxy() {
// If they didn't specify whether Nexus needs to use the proxy, we should
// still honor the property if it's set.
if (line == null || !line.hasOption(ArgumentName.NEXUS_USES_PROXY)) {
if (line == null || !line.hasOption(ARGUMENT.NEXUS_USES_PROXY)) {
try {
return Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY);
} catch (InvalidSettingException ise) {
return true;
}
} else {
return Boolean.parseBoolean(line.getOptionValue(ArgumentName.NEXUS_USES_PROXY));
return Boolean.parseBoolean(line.getOptionValue(ARGUMENT.NEXUS_USES_PROXY));
}
}
@@ -443,7 +465,7 @@ public final class CliParser {
final HelpFormatter formatter = new HelpFormatter();
final Options options = new Options();
addStandardOptions(options);
if (line != null && line.hasOption(ArgumentName.ADVANCED_HELP)) {
if (line != null && line.hasOption(ARGUMENT.ADVANCED_HELP)) {
addAdvancedOptions(options);
}
final String helpMsg = String.format("%n%s"
@@ -466,7 +488,7 @@ public final class CliParser {
* @return the file paths specified on the command line for scan
*/
public String[] getScanFiles() {
return line.getOptionValues(ArgumentName.SCAN);
return line.getOptionValues(ARGUMENT.SCAN);
}
/**
@@ -475,7 +497,7 @@ public final class CliParser {
* @return the path to the reports directory.
*/
public String getReportDirectory() {
return line.getOptionValue(ArgumentName.OUT, ".");
return line.getOptionValue(ARGUMENT.OUT, ".");
}
/**
@@ -484,7 +506,7 @@ public final class CliParser {
* @return the path to Mono
*/
public String getPathToMono() {
return line.getOptionValue(ArgumentName.PATH_TO_MONO);
return line.getOptionValue(ARGUMENT.PATH_TO_MONO);
}
/**
@@ -493,7 +515,7 @@ public final class CliParser {
* @return the output format name.
*/
public String getReportFormat() {
return line.getOptionValue(ArgumentName.OUTPUT_FORMAT, "HTML");
return line.getOptionValue(ARGUMENT.OUTPUT_FORMAT, "HTML");
}
/**
@@ -502,7 +524,7 @@ public final class CliParser {
* @return the application name.
*/
public String getApplicationName() {
return line.getOptionValue(ArgumentName.APP_NAME);
return line.getOptionValue(ARGUMENT.APP_NAME);
}
/**
@@ -511,16 +533,24 @@ public final class CliParser {
* @return the connection timeout
*/
public String getConnectionTimeout() {
return line.getOptionValue(ArgumentName.CONNECTION_TIMEOUT);
return line.getOptionValue(ARGUMENT.CONNECTION_TIMEOUT);
}
/**
* Returns the proxy url.
* Returns the proxy server.
*
* @return the proxy url
* @return the proxy server
*/
public String getProxyUrl() {
return line.getOptionValue(ArgumentName.PROXY_URL);
public String getProxyServer() {
String server = line.getOptionValue(ARGUMENT.PROXY_SERVER);
if (server == null) {
server = line.getOptionValue(ARGUMENT.PROXY_URL);
if (server != null) {
LOGGER.warning("An old command line argument 'proxyurl' was detected; use proxyserver instead");
}
}
return server;
}
/**
@@ -529,7 +559,7 @@ public final class CliParser {
* @return the proxy port
*/
public String getProxyPort() {
return line.getOptionValue(ArgumentName.PROXY_PORT);
return line.getOptionValue(ARGUMENT.PROXY_PORT);
}
/**
@@ -538,7 +568,7 @@ public final class CliParser {
* @return the proxy username
*/
public String getProxyUsername() {
return line.getOptionValue(ArgumentName.PROXY_USERNAME);
return line.getOptionValue(ARGUMENT.PROXY_USERNAME);
}
/**
@@ -547,7 +577,7 @@ public final class CliParser {
* @return the proxy password
*/
public String getProxyPassword() {
return line.getOptionValue(ArgumentName.PROXY_PASSWORD);
return line.getOptionValue(ARGUMENT.PROXY_PASSWORD);
}
/**
@@ -556,7 +586,7 @@ public final class CliParser {
* @return the value of dataDirectory
*/
public String getDataDirectory() {
return line.getOptionValue(ArgumentName.DATA_DIRECTORY);
return line.getOptionValue(ARGUMENT.DATA_DIRECTORY);
}
/**
@@ -565,7 +595,7 @@ public final class CliParser {
* @return the properties file specified on the command line
*/
public File getPropertiesFile() {
final String path = line.getOptionValue(ArgumentName.PROP);
final String path = line.getOptionValue(ARGUMENT.PROP);
if (path != null) {
return new File(path);
}
@@ -578,7 +608,7 @@ public final class CliParser {
* @return the path to the verbose log file
*/
public String getVerboseLog() {
return line.getOptionValue(ArgumentName.VERBOSE_LOG);
return line.getOptionValue(ARGUMENT.VERBOSE_LOG);
}
/**
@@ -587,7 +617,7 @@ public final class CliParser {
* @return the path to the suppression file
*/
public String getSuppressionFile() {
return line.getOptionValue(ArgumentName.SUPPRESION_FILE);
return line.getOptionValue(ARGUMENT.SUPPRESSION_FILE);
}
/**
@@ -610,7 +640,7 @@ public final class CliParser {
* @return if auto-update is allowed.
*/
public boolean isAutoUpdate() {
return (line == null) || !line.hasOption(ArgumentName.DISABLE_AUTO_UPDATE);
return (line == null) || !line.hasOption(ARGUMENT.DISABLE_AUTO_UPDATE);
}
/**
@@ -619,7 +649,7 @@ public final class CliParser {
* @return the database driver name if specified; otherwise null is returned
*/
public String getDatabaseDriverName() {
return line.getOptionValue(ArgumentName.DB_DRIVER);
return line.getOptionValue(ARGUMENT.DB_DRIVER);
}
/**
@@ -628,7 +658,7 @@ public final class CliParser {
* @return the database driver name if specified; otherwise null is returned
*/
public String getDatabaseDriverPath() {
return line.getOptionValue(ArgumentName.DB_DRIVER_PATH);
return line.getOptionValue(ARGUMENT.DB_DRIVER_PATH);
}
/**
@@ -637,7 +667,7 @@ public final class CliParser {
* @return the database connection string if specified; otherwise null is returned
*/
public String getConnectionString() {
return line.getOptionValue(ArgumentName.CONNECTION_STRING);
return line.getOptionValue(ARGUMENT.CONNECTION_STRING);
}
/**
@@ -646,7 +676,7 @@ public final class CliParser {
* @return the database database user name if specified; otherwise null is returned
*/
public String getDatabaseUser() {
return line.getOptionValue(ArgumentName.DB_NAME);
return line.getOptionValue(ARGUMENT.DB_NAME);
}
/**
@@ -655,7 +685,7 @@ public final class CliParser {
* @return the database database password if specified; otherwise null is returned
*/
public String getDatabasePassword() {
return line.getOptionValue(ArgumentName.DB_PASSWORD);
return line.getOptionValue(ARGUMENT.DB_PASSWORD);
}
/**
@@ -664,13 +694,13 @@ public final class CliParser {
* @return the additional Extensions; otherwise null is returned
*/
public String getAdditionalZipExtensions() {
return line.getOptionValue(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS);
return line.getOptionValue(ARGUMENT.ADDITIONAL_ZIP_EXTENSIONS);
}
/**
* A collection of static final strings that represent the possible command line arguments.
*/
public static class ArgumentName {
public static class ARGUMENT {
/**
* The long CLI argument name specifying the directory/file to scan.
@@ -732,21 +762,20 @@ public final class CliParser {
* The short CLI argument name asking for the version.
*/
public static final String VERSION = "version";
/**
* The short CLI argument name indicating the proxy port.
*/
public static final String PROXY_PORT_SHORT = "p";
/**
* The CLI argument name indicating the proxy port.
*/
public static final String PROXY_PORT = "proxyport";
/**
* The short CLI argument name indicating the proxy url.
* The CLI argument name indicating the proxy server.
*/
public static final String PROXY_URL_SHORT = "u";
public static final String PROXY_SERVER = "proxyserver";
/**
* The CLI argument name indicating the proxy url.
*
* @deprecated use {@link org.owasp.dependencycheck.cli.CliParser.ArgumentName#PROXY_SERVER} instead
*/
@Deprecated
public static final String PROXY_URL = "proxyurl";
/**
* The CLI argument name indicating the proxy username.
@@ -791,7 +820,7 @@ public final class CliParser {
/**
* The CLI argument name for setting the location of the suppression file.
*/
public static final String SUPPRESION_FILE = "suppression";
public static final String SUPPRESSION_FILE = "suppression";
/**
* Disables the Jar Analyzer.
*/


@@ -3,7 +3,7 @@ Command Line Arguments
The following table lists the command line arguments:
Short | Argument Name | Parameter | Description | Requirement
Short | Argument&nbsp;Name&nbsp;&nbsp; | Parameter | Description | Requirement
-------|-----------------------|-----------------|-------------|------------
\-a | \-\-app | \<name\> | The name of the application being scanned. This is a required argument. | Required
\-s | \-\-scan | \<path\> | The path to scan \- this option can be specified multiple times. It is also possible to specify specific file types that should be scanned by supplying a scan path of '[path]/[to]/[scan]/*.zip'. The wild card can only be used to denote any file-name with a specific extension. | Required
@@ -18,7 +18,7 @@ Short | Argument Name | Parameter | Description | Requirement
Advanced Options
================
Short | Argument Name | Parameter | Description | Default Value
Short | Argument&nbsp;Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Parameter | Description | Default&nbsp;Value
-------|-----------------------|-----------------|-------------|---------------
| \-\-disableArchive | | Sets whether the Archive Analyzer will be used. | false
| \-\-zipExtensions | \<strings\> | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp;
@@ -30,7 +30,7 @@ Short | Argument Name | Parameter | Description | Default Value
| \-\-disableNuspec | | Sets whether or not the .NET Nuget Nuspec Analyzer will be used. | false
| \-\-disableAssembly | | Sets whether or not the .NET Assembly Analyzer should be used. | false
| \-\-pathToMono | \<path\> | The path to Mono for .NET Assembly analysis on non-windows systems. | &nbsp;
| \-\-proxyurl | \<url\> | The proxy url to use when downloading resources. | &nbsp;
| \-\-proxyserver | \<server\> | The proxy server to use when downloading resources. | &nbsp;
| \-\-proxyport | \<port\> | The proxy port to use when downloading resources. | &nbsp;
| \-\-connectiontimeout | \<timeout\> | The connection timeout (in milliseconds) to use when downloading resources. | &nbsp;
| \-\-proxypass | \<pass\> | The proxy password to use when downloading resources. | &nbsp;


@@ -29,6 +29,7 @@ import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.utils.Settings;
/**
*
@@ -38,10 +39,12 @@ public class CliParserTest {
@BeforeClass
public static void setUpClass() throws Exception {
Settings.initialize();
}
@AfterClass
public static void tearDownClass() throws Exception {
Settings.cleanup(true);
}
@Before
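Review bot: `Settings.cleanup(true)` in `tearDownClass` passes a bare boolean whose meaning cannot be read from the call site; a short comment such as `// true: also remove the temp directory created by Settings.initialize()` — if that is indeed what the flag controls — or a named local like `final boolean deleteTempDir = true;` would make the teardown self-explanatory. Because `Settings.initialize()` runs once per class in `@BeforeClass`, any test in this class that changes a setting leaks it into the tests that follow; if that matters here, initializing and cleaning up in `@Before`/`@After` would isolate them. The rest of the test class lies outside this hunk.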


@@ -1,223 +0,0 @@
<?xml version="1.0"?>
<!DOCTYPE module PUBLIC
"-//Puppy Crawl//DTD Check Configuration 1.3//EN"
"http://www.puppycrawl.com/dtds/configuration_1_3.dtd">
<module name="Checker">
<!--
If you set the basedir property below, then all reported file
names will be relative to the specified directory. See
http://checkstyle.sourceforge.net/5.x/config.html#Checker
<property name="basedir" value="${basedir}"/>
-->
<property name="severity" value="error"/>
<module name="SuppressionFilter">
<property name="file" value="${checkstyle.suppressions.file}"/>
</module>
<module name="JavadocPackage">
<property name="allowLegacy" value="false"/>
</module>
<module name="Translation">
<property name="severity" value="warning"/>
</module>
<module name="FileTabCharacter">
<property name="eachLine" value="false"/>
</module>
<module name="FileLength">
<property name="fileExtensions" value="java"/>
</module>
<module name="NewlineAtEndOfFile">
<property name="fileExtensions" value="java"/>
<property name="lineSeparator" value="lf"/>
</module>
<module name="RegexpHeader">
<property name="headerFile" value="${checkstyle.header.file}"/>
<property name="fileExtensions" value="java"/>
<property name="id" value="header"/>
</module>
<module name="RegexpSingleline">
<property name="format" value="\s+$"/>
<property name="minimum" value="0"/>
<property name="maximum" value="0"/>
</module>
<module name="TreeWalker">
<property name="tabWidth" value="4"/>
<module name="AvoidStarImport"/>
<module name="ConstantName"/>
<module name="EmptyBlock"/>
<module name="EmptyForIteratorPad"/>
<module name="EqualsHashCode"/>
<module name="OneStatementPerLine"/>
<!-- module name="IllegalCatch"/ -->
<!--module name="ImportControl">
<property name="file" value="${checkstyle.importcontrol.file}"/>
</module-->
<module name="IllegalImport"/>
<module name="IllegalInstantiation"/>
<module name="IllegalThrows"/>
<module name="InnerAssignment"/>
<module name="JavadocType">
<property name="authorFormat" value="\S"/>
</module>
<module name="JavadocMethod">
<property name="allowUndeclaredRTE" value="true"/>
<property name="allowThrowsTagsForSubclasses" value="true"/>
<property name="allowMissingPropertyJavadoc" value="true"/>
</module>
<module name="JavadocVariable"/>
<module name="JavadocStyle">
<property name="scope" value="public"/>
</module>
<module name="LeftCurly">
<property name="option" value="eol"/>
<property name="tokens" value="CLASS_DEF"/>
<property name="tokens" value="CTOR_DEF"/>
<property name="tokens" value="INTERFACE_DEF"/>
<property name="tokens" value="METHOD_DEF"/>
<property name="tokens" value="LITERAL_CATCH"/>
<property name="tokens" value="LITERAL_DO"/>
<property name="tokens" value="LITERAL_ELSE"/>
<property name="tokens" value="LITERAL_FINALLY"/>
<property name="tokens" value="LITERAL_FOR"/>
<property name="tokens" value="LITERAL_IF"/>
<property name="tokens" value="LITERAL_SWITCH"/>
<property name="tokens" value="LITERAL_SYNCHRONIZED"/>
<property name="tokens" value="LITERAL_TRY"/>
<property name="tokens" value="LITERAL_WHILE"/>
</module>
<module name="OuterTypeNumber"/>
<module name="LineLength">
<property name="ignorePattern" value="^ *\* *[^ ]+$"/>
<property name="max" value="150"/>
</module>
<module name="MethodCount">
<property name="maxTotal" value="40"/>
</module>
<module name="LocalFinalVariableName"/>
<module name="LocalVariableName"/>
<module name="MemberName">
<property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
</module>
<module name="MethodLength">
<property name="max" value="160"/>
<property name="countEmpty" value="false"/>
</module>
<module name="MethodName"/>
<module name="MethodParamPad"/>
<module name="ModifierOrder"/>
<module name="NeedBraces"/>
<module name="NoWhitespaceAfter">
<property name="tokens" value="ARRAY_INIT"/>
<property name="tokens" value="BNOT"/>
<property name="tokens" value="DEC"/>
<property name="tokens" value="DOT"/>
<property name="tokens" value="INC"/>
<property name="tokens" value="LNOT"/>
<property name="tokens" value="UNARY_MINUS"/>
<property name="tokens" value="UNARY_PLUS"/>
</module>
<module name="NoWhitespaceBefore"/>
<module name="NoWhitespaceBefore">
<property name="tokens" value="DOT"/>
<property name="allowLineBreaks" value="true"/>
</module>
<module name="OperatorWrap"/>
<module name="OperatorWrap">
<property name="tokens" value="ASSIGN"/>
<property name="tokens" value="DIV_ASSIGN"/>
<property name="tokens" value="PLUS_ASSIGN"/>
<property name="tokens" value="MINUS_ASSIGN"/>
<property name="tokens" value="STAR_ASSIGN"/>
<property name="tokens" value="MOD_ASSIGN"/>
<property name="tokens" value="SR_ASSIGN"/>
<property name="tokens" value="BSR_ASSIGN"/>
<property name="tokens" value="SL_ASSIGN"/>
<property name="tokens" value="BXOR_ASSIGN"/>
<property name="tokens" value="BOR_ASSIGN"/>
<property name="tokens" value="BAND_ASSIGN"/>
<property name="option" value="eol"/>
</module>
<module name="PackageName"/>
<module name="ParameterName">
<property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
</module>
<module name="ParameterNumber">
<property name="id" value="paramNum"/>
</module>
<module name="ParenPad"/>
<module name="TypecastParenPad"/>
<module name="RedundantImport"/>
<module name="RedundantModifier"/>
<module name="RightCurly">
<property name="option" value="same"/>
</module>
<module name="SimplifyBooleanExpression"/>
<module name="SimplifyBooleanReturn"/>
<module name="StaticVariableName">
<property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
</module>
<module name="TypeName"/>
<module name="UnusedImports"/>
<module name="UpperEll"/>
<module name="VisibilityModifier"/>
<module name="WhitespaceAfter"/>
<module name="WhitespaceAround"/>
<module name="GenericWhitespace"/>
<module name="FinalClass"/>
<module name="MissingSwitchDefault"/>
<!--module name="MagicNumber"/-->
<!--module name="Indentation">
<property name="basicOffset" value="4"/>
<property name="braceAdjustment" value="0"/>
<property name="caseIndent" value="0"/>
</module-->
<module name="ArrayTrailingComma"/>
<module name="FinalLocalVariable"/>
<module name="EqualsAvoidNull"/>
<module name="ParameterAssignment"/>
<!-- Generates quite a few errors -->
<module name="CyclomaticComplexity">
<property name="severity" value="ignore"/>
</module>
<module name="NestedForDepth">
<property name="max" value="2"/>
</module>
<module name="NestedIfDepth">
<property name="max" value="4"/>
</module>
<module name="NestedTryDepth">
<property name="max" value="2"/>
</module>
<!--module name="ExplicitInitialization"/-->
<module name="AnnotationUseStyle"/>
<module name="MissingDeprecated"/>
<module name="MissingOverride">
<property name="javaFiveCompatibility" value="true"/>
</module>
<module name="PackageAnnotation"/>
<module name="SuppressWarnings"/>
<module name="OuterTypeFilename"/>
<module name="HideUtilityClassConstructor"/>
</module>
</module>


@@ -1,18 +0,0 @@
^/\*\s*$
^ \* This file is part of dependency-check-core\.\s*$
^ \*\s*$
^ \* Licensed under the Apache License, Version 2\.0 \(the "License"\);\s*$
^ \* you may not use this file except in compliance with the License.\s*$
^ \* You may obtain a copy of the License at\s*$
^ \*\s*$
^ \*\s*http://www.apache.org/licenses/LICENSE-2\.0\s*$
^ \*\s*$
^ \* Unless required by applicable law or agreed to in writing, software\s*$
^ \* distributed under the License is distributed on an "AS IS" BASIS,\s*$
^ \* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied\.\s*$
^ \* See the License for the specific language governing permissions and\s*$
^ \* limitations under the License\.\s*$
^ \*\s*$
^ \* Copyright \(c\) 201[234] (Jeremy Long|Steve Springett)\. All Rights Reserved\.\s*$
^ \*/\s*$
^package


@@ -15,13 +15,12 @@ limitations under the License.
Copyright (c) 2012 Jeremy Long. All Rights Reserved.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.1.4</version>
<version>1.2.3</version>
</parent>
<artifactId>dependency-check-core</artifactId>
@@ -220,6 +219,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<name>data.directory</name>
<value>${project.build.directory}/data</value>
</property>
<property>
<name>temp.directory</name>
<value>${project.build.directory}/temp</value>
</property>
</systemProperties>
<includes>
<include>**/*IntegrationTest.java</include>
@@ -348,16 +352,16 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<version>2.11</version>
<configuration>
<enableRulesSummary>false</enableRulesSummary>
<configLocation>${basedir}/config/checkstyle-checks.xml</configLocation>
<headerLocation>${basedir}/config/checkstyle-header.txt</headerLocation>
<suppressionsLocation>${basedir}/config/checkstyle-suppressions.xml</suppressionsLocation>
<configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
<headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
<suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<version>3.0.1</version>
<version>3.1</version>
<configuration>
<targetJdk>1.6</targetJdk>
<linkXref>true</linkXref>
@@ -365,6 +369,12 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<excludes>
<exclude>**/generated/*.java</exclude>
</excludes>
<rulesets>
<ruleset>../src/main/config/dcrules.xml</ruleset>
<ruleset>/rulesets/java/basic.xml</ruleset>
<ruleset>/rulesets/java/imports.xml</ruleset>
<ruleset>/rulesets/java/unusedcode.xml</ruleset>
</rulesets>
</configuration>
</plugin>
<plugin>
@@ -393,6 +403,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
</plugins>
</build>
<dependencies>
<dependency>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-utils</artifactId>
<version>${project.parent.version}</version>
</dependency>
<dependency>
<groupId>org.apache.lucene</groupId>
<artifactId>lucene-test-framework</artifactId>
@@ -410,6 +425,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<artifactId>commons-cli</artifactId>
<version>1.2</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId>
<version>1.8</version>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
@@ -495,11 +515,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<version>1.7.2</version>
<type>jar</type>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId>
<version>1.5</version>
</dependency>
<!-- The following dependencies are only used during testing -->
<dependency>
<groupId>org.apache.maven.scm</groupId>
@@ -515,6 +530,13 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<scope>provided</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.0.0.RELEASE</version>
<scope>provided</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>com.hazelcast</groupId>
<artifactId>hazelcast</artifactId>
@@ -588,6 +610,13 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<scope>provided</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>com.google.inject</groupId>
<artifactId>guice</artifactId>
<version>3.0</version>
<scope>provided</scope>
<optional>true</optional>
</dependency>
</dependencies>
<profiles>
<profile>
@@ -649,11 +678,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
Additionally, these are only added when using "allTests" to
make the build slightly faster in most cases. -->
<id>False Positive Tests</id>
<!--activation>
<activation>
<property>
<name>allTests</name>
</property>
</activation-->
</activation>
<dependencies>
<dependency>
<groupId>org.apache.xmlgraphics</groupId>
@@ -676,6 +705,34 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<scope>provided</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>com.ganyo</groupId>
<artifactId>gcm-server</artifactId>
<version>1.0.2</version>
<scope>provided</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.python</groupId>
<artifactId>jython-standalone</artifactId>
<version>2.7-b1</version>
<scope>provided</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.jruby</groupId>
<artifactId>jruby-complete</artifactId>
<version>1.7.4</version>
<scope>provided</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.jruby</groupId>
<artifactId>jruby</artifactId>
<version>1.6.3</version>
<scope>provided</scope>
<optional>true</optional>
</dependency>
</dependencies>
</profile>
</profiles>
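Review bot: The checkstyle `configLocation`/`headerLocation`/`suppressionsLocation` values and the PMD `<ruleset>../src/main/config/dcrules.xml</ruleset>` now resolve outside the module via `${basedir}/..`, so the build only succeeds when the sibling `src/main/config` directory is checked out next to dependency-check-core; a standalone or module-only checkout fails at the checkstyle and PMD goals rather than at dependency resolution. The usual remedy is to package the shared rule files as a small resources artifact and reference them as classpath resources through the plugin's `<dependencies>`, which both the checkstyle and PMD plugins support. If the parent-relative path is intentional for now, a comment next to the `<configuration>`, e.g. `<!-- shared lint config lives in the parent's src/main/config; this module is not buildable standalone -->`, would document the constraint for the next maintainer.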


@@ -66,6 +66,14 @@ public class Engine {
* A Map of analyzers grouped by Analysis phase.
*/
private final Set<FileTypeAnalyzer> fileTypeAnalyzers;
/**
* The ClassLoader to use when dynamically loading Analyzer and Update services.
*/
private ClassLoader serviceClassLoader;
/**
* The Logger for use throughout the class.
*/
private static final Logger LOGGER = Logger.getLogger(Engine.class.getName());
/**
* Creates a new Engine.
@@ -73,9 +81,20 @@ public class Engine {
* @throws DatabaseException thrown if there is an error connecting to the database
*/
public Engine() throws DatabaseException {
this(Thread.currentThread().getContextClassLoader());
}
/**
* Creates a new Engine using the specified classloader to dynamically load Analyzer and Update services.
*
* @param serviceClassLoader the ClassLoader to use when dynamically loading Analyzer and Update services
* @throws DatabaseException thrown if there is an error connecting to the database
*/
public Engine(ClassLoader serviceClassLoader) throws DatabaseException {
this.dependencies = new ArrayList<Dependency>();
this.analyzers = new EnumMap<AnalysisPhase, List<Analyzer>>(AnalysisPhase.class);
this.fileTypeAnalyzers = new HashSet<FileTypeAnalyzer>();
this.serviceClassLoader = serviceClassLoader;
ConnectionFactory.initialize();
@@ -83,7 +102,7 @@ public class Engine {
try {
autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
} catch (InvalidSettingException ex) {
Logger.getLogger(Engine.class.getName()).log(Level.FINE, "Invalid setting for auto-update; using true.");
LOGGER.log(Level.FINE, "Invalid setting for auto-update; using true.");
}
if (autoUpdate) {
doUpdates();
@@ -107,7 +126,7 @@ public class Engine {
analyzers.put(phase, new ArrayList<Analyzer>());
}
final AnalyzerService service = AnalyzerService.getInstance();
final AnalyzerService service = new AnalyzerService(serviceClassLoader);
final Iterator<Analyzer> iterator = service.getAnalyzers();
while (iterator.hasNext()) {
final Analyzer a = iterator.next();
@@ -175,7 +194,7 @@ public class Engine {
scan(files);
} else {
final String msg = String.format("Invalid file path provided to scan '%s'", path);
Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg);
LOGGER.log(Level.SEVERE, msg);
}
} else {
final File file = new File(path);
@@ -269,7 +288,7 @@ public class Engine {
protected void scanFile(File file) {
if (!file.isFile()) {
final String msg = String.format("Path passed to scanFile(File) is not a file: %s. Skipping the file.", file.toString());
Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
LOGGER.log(Level.FINE, msg);
return;
}
final String fileName = file.getName();
@@ -282,7 +301,7 @@ public class Engine {
} else {
final String msg = String.format("No file extension found on file '%s'. The file was not analyzed.",
file.toString());
Logger.getLogger(Engine.class.getName()).log(Level.FINEST, msg);
LOGGER.log(Level.FINEST, msg);
}
}
@@ -295,13 +314,13 @@ public class Engine {
ensureDataExists();
} catch (NoDataException ex) {
final String msg = String.format("%s%n%nUnable to continue dependency-check analysis.", ex.getMessage());
Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg);
Logger.getLogger(Engine.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.SEVERE, msg);
LOGGER.log(Level.FINE, null, ex);
return;
} catch (DatabaseException ex) {
final String msg = String.format("%s%n%nUnable to continue dependency-check analysis.", ex.getMessage());
Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg);
Logger.getLogger(Engine.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.SEVERE, msg);
LOGGER.log(Level.FINE, null, ex);
return;
}
@@ -310,8 +329,8 @@ public class Engine {
+ "----------------------------------------------------%n"
+ "BEGIN ANALYSIS%n"
+ "----------------------------------------------------");
Logger.getLogger(Engine.class.getName()).log(Level.FINE, logHeader);
Logger.getLogger(Engine.class.getName()).log(Level.INFO, "Analysis Starting");
LOGGER.log(Level.FINE, logHeader);
LOGGER.log(Level.INFO, "Analysis Starting");
// analysis phases
for (AnalysisPhase phase : AnalysisPhase.values()) {
@@ -325,7 +344,7 @@ public class Engine {
* This is okay for adds/deletes because it happens per analyzer.
*/
final String msg = String.format("Begin Analyzer '%s'", a.getName());
Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
LOGGER.log(Level.FINE, msg);
final Set<Dependency> dependencySet = new HashSet<Dependency>();
dependencySet.addAll(dependencies);
for (Dependency d : dependencySet) {
@@ -336,18 +355,18 @@ public class Engine {
}
if (shouldAnalyze) {
final String msgFile = String.format("Begin Analysis of '%s'", d.getActualFilePath());
Logger.getLogger(Engine.class.getName()).log(Level.FINE, msgFile);
LOGGER.log(Level.FINE, msgFile);
try {
a.analyze(d, this);
} catch (AnalysisException ex) {
final String exMsg = String.format("An error occured while analyzing '%s'.", d.getActualFilePath());
Logger.getLogger(Engine.class.getName()).log(Level.WARNING, exMsg);
Logger.getLogger(Engine.class.getName()).log(Level.FINE, "", ex);
final String exMsg = String.format("An error occurred while analyzing '%s'.", d.getActualFilePath());
LOGGER.log(Level.WARNING, exMsg);
LOGGER.log(Level.FINE, "", ex);
} catch (Throwable ex) {
final String axMsg = String.format("An unexpected error occurred during analysis of '%s'", d.getActualFilePath());
//final AnalysisException ax = new AnalysisException(axMsg, ex);
Logger.getLogger(Engine.class.getName()).log(Level.WARNING, axMsg);
Logger.getLogger(Engine.class.getName()).log(Level.FINE, "", ex);
LOGGER.log(Level.WARNING, axMsg);
LOGGER.log(Level.FINE, "", ex);
}
}
}
@@ -365,8 +384,8 @@ public class Engine {
+ "----------------------------------------------------%n"
+ "END ANALYSIS%n"
+ "----------------------------------------------------");
Logger.getLogger(Engine.class.getName()).log(Level.FINE, logFooter);
Logger.getLogger(Engine.class.getName()).log(Level.INFO, "Analysis Complete");
LOGGER.log(Level.FINE, logFooter);
LOGGER.log(Level.INFO, "Analysis Complete");
}
/**
@@ -377,16 +396,16 @@ public class Engine {
private void initializeAnalyzer(Analyzer analyzer) {
try {
final String msg = String.format("Initializing %s", analyzer.getName());
Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
LOGGER.log(Level.FINE, msg);
analyzer.initialize();
} catch (Throwable ex) {
final String msg = String.format("Exception occurred initializing %s.", analyzer.getName());
Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg);
Logger.getLogger(Engine.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.SEVERE, msg);
LOGGER.log(Level.FINE, null, ex);
try {
analyzer.close();
} catch (Throwable ex1) {
Logger.getLogger(Engine.class.getName()).log(Level.FINEST, null, ex1);
LOGGER.log(Level.FINEST, null, ex1);
}
}
}
@@ -398,11 +417,11 @@ public class Engine {
*/
private void closeAnalyzer(Analyzer analyzer) {
final String msg = String.format("Closing Analyzer '%s'", analyzer.getName());
Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
LOGGER.log(Level.FINE, msg);
try {
analyzer.close();
} catch (Throwable ex) {
Logger.getLogger(Engine.class.getName()).log(Level.FINEST, null, ex);
LOGGER.log(Level.FINEST, null, ex);
}
}
@@ -410,16 +429,16 @@ public class Engine {
* Cycles through the cached web data sources and calls update on all of them.
*/
private void doUpdates() {
final UpdateService service = UpdateService.getInstance();
final UpdateService service = new UpdateService(serviceClassLoader);
final Iterator<CachedWebDataSource> iterator = service.getDataSources();
while (iterator.hasNext()) {
final CachedWebDataSource source = iterator.next();
try {
source.update();
} catch (UpdateException ex) {
Logger.getLogger(Engine.class.getName()).log(Level.WARNING,
LOGGER.log(Level.WARNING,
"Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.");
Logger.getLogger(Engine.class.getName()).log(Level.FINE,
LOGGER.log(Level.FINE,
String.format("Unable to update details for %s", source.getClass().getName()), ex);
}
}
@@ -483,5 +502,4 @@ public class Engine {
throw new NoDataException("No documents exist");
}
}
}


@@ -13,7 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
* Copyright (c) 2014 Steve Springett. All Rights Reserved.
*/
package org.owasp.dependencycheck.agent;
@@ -64,7 +64,10 @@ public class DependencyCheckScanAgent {
* System specific new line character.
*/
private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();
/**
* Logger for use throughout the class.
*/
private static final Logger LOGGER = Logger.getLogger(DependencyCheckScanAgent.class.getName());
/**
* The application name for the report.
*/
@@ -231,26 +234,49 @@ public class DependencyCheckScanAgent {
}
/**
* The Proxy URL.
* The Proxy Server.
*/
private String proxyUrl;
private String proxyServer;
/**
* Get the value of proxyUrl.
* Get the value of proxyServer.
*
* @return the value of proxyUrl
* @return the value of proxyServer
*/
public String getProxyUrl() {
return proxyUrl;
public String getProxyServer() {
return proxyServer;
}
/**
* Set the value of proxyUrl.
* Set the value of proxyServer.
*
* @param proxyUrl new value of proxyUrl
* @param proxyServer new value of proxyServer
*/
public void setProxyServer(String proxyServer) {
this.proxyServer = proxyServer;
}
/**
* Get the value of proxyServer.
*
* @return the value of proxyServer
* @deprecated use {@link org.owasp.dependencycheck.agent.DependencyCheckScanAgent#getProxyServer()} instead
*/
@Deprecated
public String getProxyUrl() {
return proxyServer;
}
/**
* Set the value of proxyServer.
*
* @param proxyUrl new value of proxyServer
* @deprecated use {@link org.owasp.dependencycheck.agent.DependencyCheckScanAgent#setProxyServer(java.lang.String)
* } instead
*/
@Deprecated
public void setProxyUrl(String proxyUrl) {
this.proxyUrl = proxyUrl;
this.proxyServer = proxyUrl;
}
/**
@@ -747,16 +773,9 @@ public class DependencyCheckScanAgent {
private Engine executeDependencyCheck() throws DatabaseException {
populateSettings();
Engine engine = null;
try {
engine = new Engine();
engine.setDependencies(this.dependencies);
engine.analyzeDependencies();
} finally {
if (engine != null) {
engine.cleanup();
}
}
engine = new Engine();
engine.setDependencies(this.dependencies);
engine.analyzeDependencies();
return engine;
}
@@ -774,7 +793,7 @@ public class DependencyCheckScanAgent {
cve.open();
prop = cve.getDatabaseProperties();
} catch (DatabaseException ex) {
Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.FINE, "Unable to retrieve DB Properties", ex);
LOGGER.log(Level.FINE, "Unable to retrieve DB Properties", ex);
} finally {
if (cve != null) {
cve.close();
@@ -784,21 +803,22 @@ public class DependencyCheckScanAgent {
try {
r.generateReports(outDirectory.getCanonicalPath(), this.reportFormat.name());
} catch (IOException ex) {
Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.SEVERE,
LOGGER.log(Level.SEVERE,
"Unexpected exception occurred during analysis; please see the verbose error log for more details.");
Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
} catch (Throwable ex) {
Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.SEVERE,
LOGGER.log(Level.SEVERE,
"Unexpected exception occurred during analysis; please see the verbose error log for more details.");
Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
}
}
/**
* Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system
* properties required to change the proxy url, port, and connection timeout.
* properties required to change the proxy server, port, and connection timeout.
*/
private void populateSettings() {
Settings.initialize();
if (dataDirectory != null) {
Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
} else {
@@ -811,8 +831,8 @@ public class DependencyCheckScanAgent {
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
if (proxyUrl != null && !proxyUrl.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);
if (proxyServer != null && !proxyServer.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_SERVER, proxyServer);
}
if (proxyPort != null && !proxyPort.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
@@ -887,10 +907,11 @@ public class DependencyCheckScanAgent {
checkForFailure(engine.getDependencies());
}
} catch (DatabaseException ex) {
Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.SEVERE,
LOGGER.log(Level.SEVERE,
"Unable to connect to the dependency-check database; analysis has stopped");
Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.FINE, "", ex);
LOGGER.log(Level.FINE, "", ex);
} finally {
Settings.cleanup(true);
if (engine != null) {
engine.cleanup();
}
@@ -966,7 +987,7 @@ public class DependencyCheckScanAgent {
final String msg = String.format("%n%n"
+ "One or more dependencies were identified with known vulnerabilities:%n%n%s"
+ "%n%nSee the dependency-check report for more details.%n%n", summary.toString());
Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.WARNING, msg);
LOGGER.log(Level.WARNING, msg);
}
}
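Review bot: `executeDependencyCheck` (L2701-2717) now returns the Engine without the former try/finally, so when `engine.setDependencies` or `engine.analyzeDependencies` throws, the Engine that was just constructed never reaches the caller and nothing calls `cleanup()` on it; the caller's `finally` at L2772-2776 presumably only sees the null its local was left with. Keep the guarantee on the failure path alone, as below, and say in the method's Javadoc (above the hunk) that the caller now owns `engine.cleanup()` on success. Separately, `Settings.cleanup(true)` at L2773 runs before `engine.cleanup()`; if engine cleanup reads any setting (a temp directory, say) that order matters — worth confirming against `Engine.cleanup`.
```java
private Engine executeDependencyCheck() throws DatabaseException {
    populateSettings();
    final Engine engine = new Engine();
    boolean completed = false;
    try {
        engine.setDependencies(this.dependencies);
        engine.analyzeDependencies();
        completed = true;
    } finally {
        if (!completed) {
            // the caller never receives the engine on this path, so release it here
            engine.cleanup();
        }
    }
    return engine;
}
```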


@@ -45,7 +45,7 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
try {
enabled = Settings.getBoolean(key, true);
} catch (InvalidSettingException ex) {
String msg = String.format("Invalid settting for property '%s'", key);
String msg = String.format("Invalid setting for property '%s'", key);
LOGGER.log(Level.WARNING, msg);
LOGGER.log(Level.FINE, "", ex);
msg = String.format("%s has been disabled", getName());
@@ -54,7 +54,7 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
}
//</editor-fold>
//<editor-fold defaultstate="collapsed" desc="Field defentitions">
//<editor-fold defaultstate="collapsed" desc="Field definitions">
/**
* The logger.
*/
@@ -194,7 +194,7 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
if (ext == null) {
final String msg = String.format("The '%s' analyzer is misconfigured and does not have any file extensions;"
+ " it will be disabled", getName());
Logger.getLogger(AbstractFileTypeAnalyzer.class.getName()).log(Level.SEVERE, msg);
LOGGER.log(Level.SEVERE, msg);
return false;
} else {
final boolean match = ext.contains(extension);


@@ -19,6 +19,7 @@ package org.owasp.dependencycheck.analyzer;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.List;
@@ -41,6 +42,11 @@ import org.owasp.dependencycheck.utils.Settings;
*/
public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
/**
* The Logger for use throughout the class
*/
private static final Logger LOGGER = Logger.getLogger(AbstractSuppressionAnalyzer.class.getName());
//<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
/**
* Returns a list of file EXTENSIONS supported by this analyzer.
@@ -62,6 +68,7 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
super.initialize();
loadSuppressionData();
}
/**
* The list of suppression rules
*/
@@ -91,11 +98,17 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
* @throws SuppressionParseException thrown if the XML cannot be parsed.
*/
private void loadSuppressionData() throws SuppressionParseException {
final SuppressionParser parser = new SuppressionParser();
File file = null;
try {
rules = parser.parseSuppressionRules(this.getClass().getClassLoader().getResourceAsStream("dependencycheck-base-suppression.xml"));
} catch (SuppressionParseException ex) {
LOGGER.log(Level.FINE, "Unable to parse the base suppression data file", ex);
}
final String suppressionFilePath = Settings.getString(Settings.KEYS.SUPPRESSION_FILE);
if (suppressionFilePath == null) {
return;
}
File file = null;
boolean deleteTempFile = false;
try {
final Pattern uriRx = Pattern.compile("^(https?|file)\\:.*", Pattern.CASE_INSENSITIVE);
@@ -110,40 +123,56 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
}
} else {
file = new File(suppressionFilePath);
if (!file.exists()) {
final InputStream suppressionsFromClasspath = this.getClass().getClassLoader().getResourceAsStream(suppressionFilePath);
if (suppressionsFromClasspath != null) {
deleteTempFile = true;
file = FileUtils.getTempFile("suppression", "xml");
try {
org.apache.commons.io.FileUtils.copyInputStreamToFile(suppressionsFromClasspath, file);
} catch (IOException ex) {
throwSuppressionParseException("Unable to locate suppressions file in classpath", ex);
}
}
}
}
if (file != null) {
final SuppressionParser parser = new SuppressionParser();
try {
rules = parser.parseSuppressionRules(file);
Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, rules.size() + " suppression rules were loaded.");
//rules = parser.parseSuppressionRules(file);
rules.addAll(parser.parseSuppressionRules(file));
LOGGER.log(Level.FINE, rules.size() + " suppression rules were loaded.");
} catch (SuppressionParseException ex) {
final String msg = String.format("Unable to parse suppression xml file '%s'", file.getPath());
Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING, msg);
Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING, ex.getMessage());
Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, "", ex);
LOGGER.log(Level.WARNING, msg);
LOGGER.log(Level.WARNING, ex.getMessage());
LOGGER.log(Level.FINE, "", ex);
throw ex;
}
}
} catch (DownloadFailedException ex) {
Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING,
"Unable to fetch the configured suppression file");
Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, "", ex);
throw new SuppressionParseException("Unable to fetch the configured suppression file", ex);
throwSuppressionParseException("Unable to fetch the configured suppression file", ex);
} catch (MalformedURLException ex) {
Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING,
"Configured suppression file has an invalid URL");
Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, "", ex);
throw new SuppressionParseException("Configured suppression file has an invalid URL", ex);
throwSuppressionParseException("Configured suppression file has an invalid URL", ex);
} catch (IOException ex) {
Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING,
"Unable to create temp file for suppressions");
Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, "", ex);
throw new SuppressionParseException("Unable to create temp file for suppressions", ex);
throwSuppressionParseException("Unable to create temp file for suppressions", ex);
} finally {
if (deleteTempFile && file != null) {
FileUtils.delete(file);
}
}
}
/**
* Utility method to throw parse exceptions.
*
* @param message the exception message
* @param exception the cause of the exception
* @throws SuppressionParseException throws the generated SuppressionParseException
*/
private void throwSuppressionParseException(String message, Exception exception) throws SuppressionParseException {
LOGGER.log(Level.WARNING, message);
LOGGER.log(Level.FINE, "", exception);
throw new SuppressionParseException(message, exception);
}
}
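Review bot: `rules.addAll(...)` at L2883 dereferences `rules` unconditionally, but when the base-suppression parse at L2848 throws, the catch at L2849 only logs and `rules` keeps whatever value its declaration gives it (the declaration sits just outside the hunk; if it is not initialised to an empty collection this is a NullPointerException for every run with a configured suppression file). Guarding with `if (rules == null) { rules = new ArrayList<SuppressionRule>(); }` before the `addAll` (adding the `java.util.ArrayList` import), or initialising the field at its declaration, closes that gap. The classpath fallback at L2864-2875 silently substitutes a bundled resource for a path the user configured whenever nothing exists on disk; since suppression rules hide findings, logging which source was actually loaded, e.g. `LOGGER.log(Level.INFO, String.format("Loading suppression rules from classpath resource '%s'", suppressionFilePath));`, keeps the origin of the rule set auditable. `getResourceAsStream` at L2848 can also return null if the bundled resource is missing; whether `parseSuppressionRules` tolerates that is not visible here. The body of `loadSuppressionData` between L2859 and L2861 lies outside the hunks.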


@@ -21,15 +21,13 @@ import java.util.Iterator;
import java.util.ServiceLoader;
/**
* The Analyzer Service Loader. This class loads all services that implement
* org.owasp.dependencycheck.analyzer.Analyzer.
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public final class AnalyzerService {
public class AnalyzerService {
/**
* The analyzer service singleton.
*/
private static AnalyzerService service;
/**
* The service loader for analyzers.
*/
@@ -37,21 +35,11 @@ public final class AnalyzerService {
/**
* Creates a new instance of AnalyzerService.
*/
private AnalyzerService() {
loader = ServiceLoader.load(Analyzer.class);
}
/**
* Retrieve the singleton instance of AnalyzerService.
*
* @return a singleton AnalyzerService.
* @param classLoader the ClassLoader to use when dynamically loading Analyzer and Update services
*/
public static synchronized AnalyzerService getInstance() {
if (service == null) {
service = new AnalyzerService();
}
return service;
public AnalyzerService(ClassLoader classLoader) {
loader = ServiceLoader.load(Analyzer.class, classLoader);
}
/**
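Review bot: The constructor Javadoc at L2964 says the ClassLoader is used "when dynamically loading Analyzer and Update services", but this class only calls `ServiceLoader.load(Analyzer.class, classLoader)` (L2972); the update-side wording belongs to `UpdateService`, so `@param classLoader the ClassLoader to use when dynamically loading Analyzer services` is the accurate line. If the `@return a singleton AnalyzerService.` line at L2963 survived the rewrite it is stale too, since there is no singleton any more. A null `classLoader` falls back to the system class loader under `ServiceLoader.load`'s contract; that deserves a sentence in the Javadoc, because callers now decide which loader's `Analyzer` implementations get instantiated.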


@@ -27,6 +27,7 @@ import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
@@ -35,7 +36,9 @@ import java.util.logging.Logger;
import org.apache.commons.compress.archivers.ArchiveEntry;
import org.apache.commons.compress.archivers.ArchiveInputStream;
import org.apache.commons.compress.archivers.tar.TarArchiveInputStream;
import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;
import org.apache.commons.compress.archivers.zip.ZipFile;
import org.apache.commons.compress.compressors.CompressorInputStream;
import org.apache.commons.compress.compressors.gzip.GzipCompressorInputStream;
import org.apache.commons.compress.compressors.gzip.GzipUtils;
@@ -92,13 +95,18 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
/**
* The set of things we can handle with Zip methods
*/
private static final Set<String> ZIPPABLES = newHashSet("zip", "ear", "war", "nupkg");
private static final Set<String> ZIPPABLES = newHashSet("zip", "ear", "war", "jar", "sar", "apk", "nupkg");
/**
* The set of file extensions supported by this analyzer. Note for developers, any additions to this list will need
* to be explicitly handled in extractFiles().
*/
private static final Set<String> EXTENSIONS = newHashSet("tar", "gz", "tgz");
/**
* The set of file extensions to remove from the engine's collection of dependencies.
*/
private static final Set<String> REMOVE_FROM_ANALYSIS = newHashSet("zip", "tar", "gz", "tgz"); //TODO add nupkg, apk, sar?
static {
final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
if (additionalZipExt != null) {
@@ -157,12 +165,6 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
@Override
public void initializeFileTypeAnalyzer() throws Exception {
final File baseDir = Settings.getTempDirectory();
if (!baseDir.exists()) {
if (!baseDir.mkdirs()) {
final String msg = String.format("Unable to make a temporary folder '%s'", baseDir.getPath());
throw new AnalysisException(msg);
}
}
tempFileLocation = File.createTempFile("check", "tmp", baseDir);
if (!tempFileLocation.delete()) {
final String msg = String.format("Unable to delete temporary file '%s'.", tempFileLocation.getAbsolutePath());
@@ -184,7 +186,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
if (tempFileLocation != null && tempFileLocation.exists()) {
LOGGER.log(Level.FINE, "Attempting to delete temporary files");
final boolean success = FileUtils.delete(tempFileLocation);
if (!success) {
if (!success && tempFileLocation != null & tempFileLocation.exists()) {
LOGGER.log(Level.WARNING, "Failed to delete some temporary files, see the log for more details");
}
}
@@ -205,9 +207,9 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
extractFiles(f, tmpDir, engine);
//make a copy
final List<Dependency> dependencies = new ArrayList<Dependency>(engine.getDependencies());
List<Dependency> dependencies = new ArrayList<Dependency>(engine.getDependencies());
engine.scan(tmpDir);
final List<Dependency> newDependencies = engine.getDependencies();
List<Dependency> newDependencies = engine.getDependencies();
if (dependencies.size() != newDependencies.size()) {
//get the new dependencies
final Set<Dependency> dependencySet = new HashSet<Dependency>();
@@ -235,6 +237,40 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
}
}
}
if (this.REMOVE_FROM_ANALYSIS.contains(dependency.getFileExtension())) {
if ("zip".equals(dependency.getFileExtension()) && isZipFileActuallyJarFile(dependency)) {
final File tdir = getNextTempDirectory();
final String fileName = dependency.getFileName();
LOGGER.info(String.format("The zip file '%s' appears to be a JAR file, making a deep copy and analyzing it as a JAR.", fileName));
final File tmpLoc = new File(tdir, fileName.substring(0, fileName.length() - 3) + "jar");
try {
org.apache.commons.io.FileUtils.copyFile(tdir, tmpLoc);
dependencies = new ArrayList<Dependency>(engine.getDependencies());
engine.scan(tmpLoc);
newDependencies = engine.getDependencies();
if (dependencies.size() != newDependencies.size()) {
//get the new dependencies
final Set<Dependency> dependencySet = new HashSet<Dependency>();
dependencySet.addAll(newDependencies);
dependencySet.removeAll(dependencies);
if (dependencySet.size() != 1) {
LOGGER.info("Deep copy of ZIP to JAR file resulted in more then one dependency?");
}
for (Dependency d : dependencySet) {
//fix the dependency's display name and path
d.setFilePath(dependency.getFilePath());
d.setDisplayFileName(dependency.getFileName());
}
}
} catch (IOException ex) {
final String msg = String.format("Unable to perform deep copy on '%s'", dependency.getActualFile().getPath());
LOGGER.log(Level.FINE, msg, ex);
}
}
engine.getDependencies().remove(dependency);
}
Collections.sort(engine.getDependencies());
}
@@ -351,13 +387,11 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
}
bos.flush();
} catch (FileNotFoundException ex) {
Logger.getLogger(ArchiveAnalyzer.class
.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
final String msg = String.format("Unable to find file '%s'.", file.getName());
throw new AnalysisException(msg, ex);
} catch (IOException ex) {
Logger.getLogger(ArchiveAnalyzer.class
.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
final String msg = String.format("IO Exception while parsing file '%s'.", file.getName());
throw new AnalysisException(msg, ex);
} finally {
@@ -365,8 +399,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
try {
bos.close();
} catch (IOException ex) {
Logger.getLogger(ArchiveAnalyzer.class
.getName()).log(Level.FINEST, null, ex);
LOGGER.log(Level.FINEST, null, ex);
}
}
}
@@ -420,4 +453,38 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
}
}
}
/**
* Attempts to determine if a zip file is actually a JAR file.
*
* @param dependency the dependency to check
* @return true if the dependency appears to be a JAR file; otherwise false
*/
private boolean isZipFileActuallyJarFile(Dependency dependency) {
boolean isJar = false;
ZipFile zip = null;
try {
zip = new ZipFile(dependency.getActualFilePath());
if (zip.getEntry("META-INF/MANIFEST.MF") != null
|| zip.getEntry("META-INF/maven") != null) {
final Enumeration<ZipArchiveEntry> entries = zip.getEntries();
while (entries.hasMoreElements()) {
final ZipArchiveEntry entry = entries.nextElement();
if (!entry.isDirectory()) {
final String name = entry.getName().toLowerCase();
if (name.endsWith(".class")) {
isJar = true;
break;
}
}
}
}
} catch (IOException ex) {
LOGGER.log(Level.FINE, String.format("Unable to unzip zip file '%s'", dependency.getFilePath()), ex);
} finally {
ZipFile.closeQuietly(zip);
}
return isJar;
}
}
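Review bot: `org.apache.commons.io.FileUtils.copyFile(tdir, tmpLoc)` at L3058 passes the fresh temp directory as the source instead of the zip being analysed; commons-io rejects a directory source with an IOException, so this branch always ends in the FINE-level catch at L3076 and the deep copy announced at L3055 never happens — `org.apache.commons.io.FileUtils.copyFile(dependency.getActualFile(), tmpLoc);` is what the surrounding code intends (the same accessor is used at L3077). At L3032 the re-check `tempFileLocation != null & tempFileLocation.exists()` uses the non-short-circuit `&` and repeats the guard already taken at L3028; `if (!success) {` is enough. In `isZipFileActuallyJarFile`, `entry.getName().toLowerCase()` at L3132 is locale-dependent, so `.toLowerCase(Locale.ROOT)` is the safe spelling for a file-name suffix comparison. The log message at L3068 should read "more than one dependency".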


@@ -61,7 +61,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
/**
* The list of supported extensions
*/
private static final Set<String> SUPORTED_EXTENSIONS = newHashSet("dll", "exe");
private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("dll", "exe");
/**
* The temp value for GrokAssembly.exe
*/
@@ -73,7 +73,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
/**
* Logger
*/
private static final Logger LOG = Logger.getLogger(AssemblyAnalyzer.class.getName());
private static final Logger LOGGER = Logger.getLogger(AssemblyAnalyzer.class.getName(), "dependencycheck-resources");
/**
* Builds the beginnings of a List for ProcessBuilder
@@ -106,7 +106,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
public void analyzeFileType(Dependency dependency, Engine engine)
throws AnalysisException {
if (grokAssemblyExe == null) {
LOG.warning("GrokAssembly didn't get deployed");
LOGGER.warning("analyzer.AssemblyAnalyzer.notdeployed");
return;
}
@@ -114,16 +114,30 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
args.add(dependency.getActualFilePath());
final ProcessBuilder pb = new ProcessBuilder(args);
BufferedReader rdr = null;
Document doc = null;
try {
final Process proc = pb.start();
// Try evacuating the error stream
rdr = new BufferedReader(new InputStreamReader(proc.getErrorStream()));
rdr = new BufferedReader(new InputStreamReader(proc.getErrorStream(), "UTF-8"));
String line = null;
while (rdr.ready() && (line = rdr.readLine()) != null) {
LOG.log(Level.WARNING, "Error from GrokAssembly: {0}", line);
LOGGER.log(Level.WARNING, "analyzer.AssemblyAnalyzer.grokassembly.stderr", line);
}
int rc = 0;
final Document doc = builder.parse(proc.getInputStream());
doc = builder.parse(proc.getInputStream());
try {
rc = proc.waitFor();
} catch (InterruptedException ie) {
return;
}
if (rc == 3) {
LOGGER.log(Level.FINE, "analyzer.AssemblyAnalyzer.notassembly", dependency.getActualFilePath());
return;
} else if (rc != 0) {
LOGGER.log(Level.WARNING, "analyzer.AssemblyAnalyzer.grokassembly.rc", rc);
}
final XPath xpath = XPathFactory.newInstance().newXPath();
// First, see if there was an error
@@ -150,18 +164,6 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
product, Confidence.HIGH));
}
try {
rc = proc.waitFor();
} catch (InterruptedException ie) {
return;
}
if (rc == 3) {
LOG.log(Level.INFO, "{0} is not a valid assembly", dependency.getActualFilePath());
return;
} else if (rc != 0) {
LOG.log(Level.WARNING, "Return code {0} from GrokAssembly", rc);
}
} catch (IOException ioe) {
throw new AnalysisException(ioe);
} catch (SAXException saxe) {
@@ -174,7 +176,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
try {
rdr.close();
} catch (IOException ex) {
Logger.getLogger(AssemblyAnalyzer.class.getName()).log(Level.FINEST, "ignore", ex);
LOGGER.log(Level.FINEST, "ignore", ex);
}
}
}
@@ -201,23 +203,24 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
grokAssemblyExe = tempFile;
// Set the temp file to get deleted when we're done
grokAssemblyExe.deleteOnExit();
LOG.log(Level.FINE, "Extracted GrokAssembly.exe to {0}", grokAssemblyExe.getPath());
LOGGER.log(Level.FINE, "analyzer.AssemblyAnalyzer.grokassembly.deployed", grokAssemblyExe.getPath());
} catch (IOException ioe) {
LOG.log(Level.WARNING, "Could not extract GrokAssembly.exe: {0}", ioe.getMessage());
this.setEnabled(false);
LOGGER.log(Level.WARNING, "analyzer.AssemblyAnalyzer.grokassembly.notdeployed", ioe.getMessage());
throw new AnalysisException("Could not extract GrokAssembly.exe", ioe);
} finally {
if (fos != null) {
try {
fos.close();
} catch (Throwable e) {
LOG.fine("Error closing output stream");
LOGGER.fine("Error closing output stream");
}
}
if (is != null) {
try {
is.close();
} catch (Throwable e) {
LOG.fine("Error closing input stream");
LOGGER.fine("Error closing input stream");
}
}
}
@@ -229,35 +232,38 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
final ProcessBuilder pb = new ProcessBuilder(args);
final Process p = pb.start();
// Try evacuating the error stream
rdr = new BufferedReader(new InputStreamReader(p.getErrorStream()));
String line;
while (rdr.ready() && (line = rdr.readLine()) != null) {
rdr = new BufferedReader(new InputStreamReader(p.getErrorStream(), "UTF-8"));
while (rdr.ready() && rdr.readLine() != null) {
// We expect this to complain
}
final Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(p.getInputStream());
final XPath xpath = XPathFactory.newInstance().newXPath();
final String error = xpath.evaluate("/assembly/error", doc);
if (p.waitFor() != 1 || error == null || "".equals(error)) {
LOG.warning("An error occured with the .NET AssemblyAnalyzer, please see the log for more details.");
LOG.fine("GrokAssembly.exe is not working properly");
LOGGER.warning("An error occurred with the .NET AssemblyAnalyzer, please see the log for more details.");
LOGGER.fine("GrokAssembly.exe is not working properly");
grokAssemblyExe = null;
this.setEnabled(false);
throw new AnalysisException("Could not execute .NET AssemblyAnalyzer");
}
} catch (Throwable e) {
LOG.warning("An error occured with the .NET AssemblyAnalyzer; "
+ "this can be ignored unless you are scanning .NET dlls. Please see the log for more details.");
LOG.log(Level.FINE, "Could not execute GrokAssembly {0}", e.getMessage());
throw new AnalysisException("An error occured with the .NET AssemblyAnalyzer", e);
if (e instanceof AnalysisException) {
throw (AnalysisException) e;
} else {
LOGGER.warning("analyzer.AssemblyAnalyzer.grokassembly.initialization.failed");
LOGGER.log(Level.FINE, "analyzer.AssemblyAnalyzer.grokassembly.initialization.message", e.getMessage());
this.setEnabled(false);
throw new AnalysisException("An error occured with the .NET AssemblyAnalyzer", e);
}
} finally {
if (rdr != null) {
try {
rdr.close();
} catch (IOException ex) {
Logger.getLogger(AssemblyAnalyzer.class.getName()).log(Level.FINEST, "ignore", ex);
LOGGER.log(Level.FINEST, "ignore", ex);
}
}
}
builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
}
@@ -269,7 +275,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
grokAssemblyExe.deleteOnExit();
}
} catch (SecurityException se) {
LOG.fine("Can't delete temporary GrokAssembly.exe");
LOGGER.fine("analyzer.AssemblyAnalyzer.grokassembly.notdeleted");
}
}
@@ -280,7 +286,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
*/
@Override
public Set<String> getSupportedExtensions() {
return SUPORTED_EXTENSIONS;
return SUPPORTED_EXTENSIONS;
}
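Review bot: The `InterruptedException` handler at L3196-3198 returns without restoring the interrupt status, so a caller that cancelled the scan cannot tell; `Thread.currentThread().interrupt(); return;` preserves it, and calling `proc.destroy()` before the return would presumably avoid leaving the GrokAssembly child running, since nothing else on this path reaps it. The stderr drain at L3187 (and the second one at L3270) only reads what is already buffered when `ready()` is checked; if the child writes more to stderr afterwards it can block on a full pipe while `builder.parse(proc.getInputStream())` waits on stdout — this predates the commit, but the relocated `waitFor` makes the ordering worth a comment such as `// stdout must be fully consumed before waitFor(); stderr is only drained best-effort`. `analyzeFileType` continues past the hunk at L3206.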
/**

View File

@@ -58,6 +58,10 @@ import org.owasp.dependencycheck.utils.DependencyVersionUtil;
*/
public class CPEAnalyzer implements Analyzer {
/**
* The Logger.
*/
private static final Logger LOGGER = Logger.getLogger(CPEAnalyzer.class.getName());
/**
* The maximum number of query results to return.
*/
@@ -87,6 +91,11 @@ public class CPEAnalyzer implements Analyzer {
*/
private CveDB cve;
/**
* The URL to perform a search of the NVD CVE data at NIST.
*/
public static final String NVD_SEARCH_URL = "https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=%s";
/**
* Returns the name of this analyzer.
*
@@ -125,15 +134,15 @@ public class CPEAnalyzer implements Analyzer {
* by another process.
*/
public void open() throws IOException, DatabaseException {
Logger.getLogger(CPEAnalyzer.class.getName()).log(Level.FINE, "Opening the CVE Database");
LOGGER.log(Level.FINE, "Opening the CVE Database");
cve = new CveDB();
cve.open();
Logger.getLogger(CPEAnalyzer.class.getName()).log(Level.FINE, "Creating the Lucene CPE Index");
LOGGER.log(Level.FINE, "Creating the Lucene CPE Index");
cpe = CpeMemoryIndex.getInstance();
try {
cpe.open(cve);
} catch (IndexException ex) {
Logger.getLogger(CPEAnalyzer.class.getName()).log(Level.FINE, "IndexException", ex);
LOGGER.log(Level.FINE, "IndexException", ex);
throw new DatabaseException(ex);
}
}
@@ -521,7 +530,8 @@ public class CPEAnalyzer implements Analyzer {
}
if (dbVer == null //special case, no version specified - everything is vulnerable
|| evVer.equals(dbVer)) { //yeah! exact match
final String url = String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(vs.getName(), "UTF-8"));
final String url = String.format(NVD_SEARCH_URL, URLEncoder.encode(vs.getName(), "UTF-8"));
final IdentifierMatch match = new IdentifierMatch("cpe", vs.getName(), url, IdentifierConfidence.EXACT_MATCH, conf);
collected.add(match);
} else {
@@ -546,7 +556,7 @@ public class CPEAnalyzer implements Analyzer {
}
}
final String cpeName = String.format("cpe:/a:%s:%s:%s", vendor, product, bestGuess.toString());
final String url = null; //String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(cpeName, "UTF-8"));
final String url = null;
if (bestGuessConf == null) {
bestGuessConf = Confidence.LOW;
}
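Review bot: `NVD_SEARCH_URL` is a `String.format` template whose `%s` must already be URL-encoded, but its Javadoc only says it is "the URL to perform a search"; the call site in this hunk and the four in FalsePositiveAnalyzer.addFalseNegativeCPEs all rely on that unstated contract. Suggest replacing the Javadoc body with `* Format string for the NVD CVE search URL; the single {@code %s} must be the URL-encoded CPE name.`. Separately, in open(), if `cpe.open(cve)` throws IndexException the freshly opened `cve` is left open while the DatabaseException propagates; presumably CveDB exposes a close method — confirm and release it in the catch before rethrowing.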


@@ -30,7 +30,7 @@ import org.owasp.dependencycheck.suppression.SuppressionRule;
*/
public class CpeSuppressionAnalyzer extends AbstractSuppressionAnalyzer {
//<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
//<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
/**
* The name of the analyzer.
*/


@@ -46,6 +46,11 @@ import org.owasp.dependencycheck.utils.LogUtils;
*/
public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Analyzer {
/**
* The Logger.
*/
private static final Logger LOGGER = Logger.getLogger(DependencyBundlingAnalyzer.class.getName());
//<editor-fold defaultstate="collapsed" desc="Constants and Member Variables">
/**
* A pattern for obtaining the first part of a filename.
@@ -106,18 +111,18 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
final ListIterator<Dependency> subIterator = engine.getDependencies().listIterator(mainIterator.nextIndex());
while (subIterator.hasNext()) {
final Dependency nextDependency = subIterator.next();
if (isShadedJar(dependency, nextDependency)) {
if (dependency.getFileName().toLowerCase().endsWith("pom.xml")) {
dependenciesToRemove.add(dependency);
} else {
dependenciesToRemove.add(nextDependency);
}
} else if (hashesMatch(dependency, nextDependency)) {
if (hashesMatch(dependency, nextDependency)) {
if (isCore(dependency, nextDependency)) {
mergeDependencies(dependency, nextDependency, dependenciesToRemove);
} else {
mergeDependencies(nextDependency, dependency, dependenciesToRemove);
}
} else if (isShadedJar(dependency, nextDependency)) {
if (dependency.getFileName().toLowerCase().endsWith("pom.xml")) {
dependenciesToRemove.add(dependency);
} else {
dependenciesToRemove.add(nextDependency);
}
} else if (cpeIdentifiersMatch(dependency, nextDependency)
&& hasSameBasePath(dependency, nextDependency)
&& fileNameMatch(dependency, nextDependency)) {
@@ -270,7 +275,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
}
if (LogUtils.isVerboseLoggingEnabled()) {
final String msg = String.format("IdentifiersMatch=%s (%s, %s)", matches, dependency1.getFileName(), dependency2.getFileName());
Logger.getLogger(DependencyBundlingAnalyzer.class.getName()).log(Level.FINE, msg);
LOGGER.log(Level.FINE, msg);
}
return matches;
}
@@ -341,13 +346,13 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
* be shorter:
* axis2-saaj-1.4.1.jar
* axis2-1.4.1.jar <-----
* axis2-kernal-1.4.1.jar
* axis2-kernel-1.4.1.jar
*/
returnVal = leftName.length() <= rightName.length();
}
if (LogUtils.isVerboseLoggingEnabled()) {
final String msg = String.format("IsCore=%s (%s, %s)", returnVal, left.getFileName(), right.getFileName());
Logger.getLogger(DependencyBundlingAnalyzer.class.getName()).log(Level.FINE, msg);
LOGGER.log(Level.FINE, msg);
}
return returnVal;
}
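Review bot: Moving `if (hashesMatch(dependency, nextDependency))` ahead of the shaded-jar branch changes which rule wins when both hold for a pair, but nothing in the code records why; since a later reader could easily "restore" the old order, a one-line comment on that `if` would help, e.g. `// identical content is checked first so true duplicates are merged rather than handled as shaded jars` (adjust if that is not the intent). The `dependency.getFileName().toLowerCase().endsWith("pom.xml")` comparisons use the default locale; `toLowerCase(Locale.ROOT)` avoids the well-known Turkish-locale mismatch on file names. The enclosing loop begins before the hunk.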


@@ -42,7 +42,11 @@ import org.owasp.dependencycheck.dependency.VulnerableSoftware;
*/
public class FalsePositiveAnalyzer extends AbstractAnalyzer {
//<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
/**
* The Logger.
*/
private static final Logger LOGGER = Logger.getLogger(FalsePositiveAnalyzer.class.getName());
//<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
/**
* The name of the analyzer.
*/
@@ -84,6 +88,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
removeBadMatches(dependency);
removeWrongVersionMatches(dependency);
removeSpuriousCPE(dependency);
removeDuplicativeEntriesFromJar(dependency, engine);
addFalseNegativeCPEs(dependency);
}
@@ -132,8 +137,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
final String nextVersion = nextCpe.getVersion();
if (currentVersion == null && nextVersion == null) {
//how did we get here?
Logger.getLogger(FalsePositiveAnalyzer.class
.getName()).log(Level.FINE, "currentVersion and nextVersion are both null?");
LOGGER.log(Level.FINE, "currentVersion and nextVersion are both null?");
} else if (currentVersion == null && nextVersion != null) {
dependency.getIdentifiers().remove(currentId);
} else if (nextVersion == null && currentVersion != null) {
@@ -156,12 +160,21 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
* Regex to identify core java libraries and a few other commonly misidentified ones.
*/
public static final Pattern CORE_JAVA = Pattern.compile("^cpe:/a:(sun|oracle|ibm):(j2[ems]e|"
+ "java(_platfrom_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|"
+ "jdk|jre|jsf|jsse)($|:.*)");
+ "java(_platform_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|"
+ "jdk|jre|jsse)($|:.*)");
/**
* Regex to identify core jsf libraries.
*/
public static final Pattern CORE_JAVA_JSF = Pattern.compile("^cpe:/a:(sun|oracle|ibm):jsf($|:.*)");
/**
* Regex to identify core java library files. This is currently incomplete.
*/
public static final Pattern CORE_FILES = Pattern.compile("^((alt[-])?rt|jsf[-].*|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$");
public static final Pattern CORE_FILES = Pattern.compile("(^|/)((alt[-])?rt|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$");
/**
* Regex to identify core jsf java library files. This is currently incomplete.
*/
public static final Pattern CORE_JSF_FILES = Pattern.compile("(^|/)jsf[-][^/]*\\.jar$");
/**
* Removes any CPE entries for the JDK/JRE unless the filename ends with rt.jar
@@ -178,27 +191,11 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
if (coreCPE.matches() && !coreFiles.matches()) {
itr.remove();
}
//replacecd with the regex above.
// if (("cpe:/a:sun:java".equals(i.getValue())
// || "cpe:/a:oracle:java".equals(i.getValue())
// || "cpe:/a:ibm:java".equals(i.getValue())
// || "cpe:/a:sun:j2se".equals(i.getValue())
// || "cpe:/a:oracle:j2se".equals(i.getValue())
// || i.getValue().startsWith("cpe:/a:sun:java:")
// || i.getValue().startsWith("cpe:/a:sun:j2se:")
// || i.getValue().startsWith("cpe:/a:sun:java:jre")
// || i.getValue().startsWith("cpe:/a:sun:java:jdk")
// || i.getValue().startsWith("cpe:/a:sun:java_se")
// || i.getValue().startsWith("cpe:/a:oracle:java_se")
// || i.getValue().startsWith("cpe:/a:oracle:java:")
// || i.getValue().startsWith("cpe:/a:oracle:j2se:")
// || i.getValue().startsWith("cpe:/a:oracle:jre")
// || i.getValue().startsWith("cpe:/a:oracle:jdk")
// || i.getValue().startsWith("cpe:/a:ibm:java:"))
// && !dependency.getFileName().toLowerCase().endsWith("rt.jar")) {
// itr.remove();
// }
final Matcher coreJsfCPE = CORE_JAVA_JSF.matcher(i.getValue());
final Matcher coreJsfFiles = CORE_JSF_FILES.matcher(dependency.getFileName());
if (coreJsfCPE.matches() && !coreJsfFiles.matches()) {
itr.remove();
}
}
}
@@ -217,7 +214,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
try {
cpe.parseName(value);
} catch (UnsupportedEncodingException ex) {
Logger.getLogger(FalsePositiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
LOGGER.log(Level.FINEST, null, ex);
return null;
}
return cpe;
@@ -242,17 +239,36 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
//Set<Evidence> artifactId = dependency.getVendorEvidence().getEvidence("pom", "artifactid");
while (itr.hasNext()) {
final Identifier i = itr.next();
//TODO move this startswith expression to a configuration file?
//TODO move this startsWith expression to a configuration file?
if ("cpe".equals(i.getType())) {
if ((i.getValue().matches(".*c\\+\\+.*")
|| i.getValue().startsWith("cpe:/a:jquery:jquery")
|| i.getValue().startsWith("cpe:/a:prototypejs:prototype")
|| i.getValue().startsWith("cpe:/a:yahoo:yui")
|| i.getValue().startsWith("cpe:/a:file:file")
|| i.getValue().startsWith("cpe:/a:mozilla:mozilla")
|| i.getValue().startsWith("cpe:/a:cvs:cvs")
|| i.getValue().startsWith("cpe:/a:ftp:ftp")
|| i.getValue().startsWith("cpe:/a:ssh:ssh"))
|| i.getValue().startsWith("cpe:/a:tcp:tcp")
|| i.getValue().startsWith("cpe:/a:ssh:ssh")
|| i.getValue().startsWith("cpe:/a:lookup:lookup"))
&& (dependency.getFileName().toLowerCase().endsWith(".jar")
|| dependency.getFileName().toLowerCase().endsWith("pom.xml")
|| dependency.getFileName().toLowerCase().endsWith(".dll")
|| dependency.getFileName().toLowerCase().endsWith(".exe")
|| dependency.getFileName().toLowerCase().endsWith(".nuspec")
|| dependency.getFileName().toLowerCase().endsWith(".nupkg"))) {
itr.remove();
} else if ((i.getValue().startsWith("cpe:/a:jquery:jquery")
|| i.getValue().startsWith("cpe:/a:prototypejs:prototype")
|| i.getValue().startsWith("cpe:/a:yahoo:yui"))
&& (dependency.getFileName().toLowerCase().endsWith(".jar")
|| dependency.getFileName().toLowerCase().endsWith("pom.xml")
|| dependency.getFileName().toLowerCase().endsWith(".dll")
|| dependency.getFileName().toLowerCase().endsWith(".exe"))) {
itr.remove();
} else if ((i.getValue().startsWith("cpe:/a:microsoft:excel")
|| i.getValue().startsWith("cpe:/a:microsoft:word")
|| i.getValue().startsWith("cpe:/a:microsoft:visio")
|| i.getValue().startsWith("cpe:/a:microsoft:powerpoint")
|| i.getValue().startsWith("cpe:/a:microsoft:office"))
&& (dependency.getFileName().toLowerCase().endsWith(".jar")
|| dependency.getFileName().toLowerCase().endsWith("pom.xml"))) {
itr.remove();
@@ -263,7 +279,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
&& !dependency.getEvidenceUsed().containsUsedString("m-core")) {
itr.remove();
} else if (i.getValue().startsWith("cpe:/a:jboss:jboss")
&& !dependency.getFileName().toLowerCase().matches("jboss-[\\d\\.]+(GA)?\\.jar")) {
&& !dependency.getFileName().toLowerCase().matches("jboss-?[\\d\\.-]+(GA)?\\.jar")) {
itr.remove();
}
}
@@ -311,6 +327,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
* @param dependency the dependency being analyzed
*/
private void addFalseNegativeCPEs(Dependency dependency) {
//TODO move this to the hint analyzer
final Iterator<Identifier> itr = dependency.getIdentifiers().iterator();
while (itr.hasNext()) {
final Identifier i = itr.next();
@@ -326,21 +343,92 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
try {
dependency.addIdentifier("cpe",
newCpe,
String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(newCpe, "UTF-8")));
String.format(CPEAnalyzer.NVD_SEARCH_URL, URLEncoder.encode(newCpe, "UTF-8")));
dependency.addIdentifier("cpe",
newCpe2,
String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(newCpe2, "UTF-8")));
String.format(CPEAnalyzer.NVD_SEARCH_URL, URLEncoder.encode(newCpe2, "UTF-8")));
dependency.addIdentifier("cpe",
newCpe3,
String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(newCpe3, "UTF-8")));
String.format(CPEAnalyzer.NVD_SEARCH_URL, URLEncoder.encode(newCpe3, "UTF-8")));
dependency.addIdentifier("cpe",
newCpe4,
String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(newCpe4, "UTF-8")));
String.format(CPEAnalyzer.NVD_SEARCH_URL, URLEncoder.encode(newCpe4, "UTF-8")));
} catch (UnsupportedEncodingException ex) {
Logger.getLogger(FalsePositiveAnalyzer.class
.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
}
}
}
}
/**
* Removes duplicate entries identified that are contained within JAR files. These occasionally crop up due to POM
* entries or other types of files (such as DLLs and EXEs) being contained within the JAR.
*
* @param dependency the dependency that might be a duplicate
* @param engine the engine used to scan all dependencies
*/
private void removeDuplicativeEntriesFromJar(Dependency dependency, Engine engine) {
if (dependency.getFileName().toLowerCase().endsWith("pom.xml")
|| "dll".equals(dependency.getFileExtension())
|| "exe".equals(dependency.getFileExtension())) {
String parentPath = dependency.getFilePath().toLowerCase();
if (parentPath.contains(".jar")) {
parentPath = parentPath.substring(0, parentPath.indexOf(".jar") + 4);
final Dependency parent = findDependency(parentPath, engine.getDependencies());
if (parent != null) {
boolean remove = false;
for (Identifier i : dependency.getIdentifiers()) {
if ("cpe".equals(i.getType())) {
final String trimmedCPE = trimCpeToVendor(i.getValue());
for (Identifier parentId : parent.getIdentifiers()) {
if ("cpe".equals(parentId.getType()) && parentId.getValue().startsWith(trimmedCPE)) {
remove |= true;
}
}
}
if (!remove) { //we can escape early
return;
}
}
if (remove) {
engine.getDependencies().remove(dependency);
}
}
}
}
}
/**
* Retrieves a given dependency, based on a given path, from a list of dependencies.
*
* @param dependencyPath the path of the dependency to return
* @param dependencies the collection of dependencies to search
* @return the dependency object for the given path, otherwise null
*/
private Dependency findDependency(String dependencyPath, List<Dependency> dependencies) {
for (Dependency d : dependencies) {
if (d.getFilePath().equalsIgnoreCase(dependencyPath)) {
return d;
}
}
return null;
}
/**
* Takes a full CPE and returns the CPE trimmed to include only vendor and product.
*
* @param value the CPE value to trim
* @return a CPE value that only includes the vendor and product
*/
private String trimCpeToVendor(String value) {
//cpe:/a:jruby:jruby:1.0.8
final int pos1 = value.indexOf(":", 7); //right of vendor
final int pos2 = value.indexOf(":", pos1 + 1); //right of product
if (pos2 < 0) {
return value;
} else {
return value.substring(0, pos2);
}
}
}
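Review bot: In removeDuplicativeEntriesFromJar the `if (!remove) { return; }` escape sits inside the outer loop but outside the `"cpe".equals(i.getType())` branch, so a non-CPE identifier (for example the `maven` identifier that JarAnalyzer.setPomEvidence now adds) encountered before any CPE identifier returns early and the duplicate is never removed; conversely `remove |= true` is sticky, so once one CPE has matched, a later CPE the parent does not cover no longer escapes. Requiring each CPE identifier to match the parent individually fixes both directions; the rewritten loop is below. `engine.getDependencies().remove(dependency)` also mutates the engine's list while analyze() is, presumably, being driven by an iterator over that same list — confirm the caller tolerates this (analyze() is outside the hunk). trimCpeToVendor assumes a `cpe:/a:` prefix via `indexOf(":", 7)`; for a value without it pos1 is -1 and the second search restarts at index 0, so an explicit `if (pos1 < 0) { return value; }` would make the assumption visible.
```java
private void removeDuplicativeEntriesFromJar(Dependency dependency, Engine engine) {
    // … unchanged: pom.xml/dll/exe check, parentPath derivation, findDependency lookup …
            if (parent != null) {
                boolean remove = false;
                for (Identifier i : dependency.getIdentifiers()) {
                    if (!"cpe".equals(i.getType())) {
                        continue;
                    }
                    final String trimmedCPE = trimCpeToVendor(i.getValue());
                    boolean matched = false;
                    for (Identifier parentId : parent.getIdentifiers()) {
                        if ("cpe".equals(parentId.getType()) && parentId.getValue().startsWith(trimmedCPE)) {
                            matched = true;
                            break;
                        }
                    }
                    if (!matched) { //a CPE the parent does not cover: keep this dependency
                        return;
                    }
                    remove = true;
                }
                if (remove) {
                    engine.getDependencies().remove(dependency);
                }
            }
    // … unchanged: closing braces of the if/if/method …
```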


@@ -33,7 +33,7 @@ import org.owasp.dependencycheck.utils.DependencyVersionUtil;
*/
public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
//<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
//<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
/**
* The name of the analyzer.
*/


@@ -32,7 +32,7 @@ import org.owasp.dependencycheck.dependency.Evidence;
*/
public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
//<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
//<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
/**
* The name of the analyzer.
*/


@@ -64,7 +64,6 @@ import org.owasp.dependencycheck.jaxb.pom.MavenNamespaceFilter;
import org.owasp.dependencycheck.jaxb.pom.generated.License;
import org.owasp.dependencycheck.jaxb.pom.generated.Model;
import org.owasp.dependencycheck.jaxb.pom.generated.Organization;
import org.owasp.dependencycheck.jaxb.pom.generated.Parent;
import org.owasp.dependencycheck.utils.FileUtils;
import org.owasp.dependencycheck.utils.NonClosingStream;
import org.owasp.dependencycheck.utils.Settings;
@@ -74,7 +73,6 @@ import org.xml.sax.XMLFilter;
import org.xml.sax.XMLReader;
/**
*
* Used to load a JAR file and collect information that can be used to determine the associated CPE.
*
* @author Jeremy Long <jeremy.long@owasp.org>
@@ -138,7 +136,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
"include-resource",
"embed-dependency",
"ipojo-components",
"ipojo-extension");
"ipojo-extension",
"eclipse-sourcereferences");
/**
* item in some manifest, should be considered medium confidence.
*/
@@ -321,7 +320,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
newDependency.setFileName(displayName);
newDependency.setFilePath(displayPath);
addPomEvidence(newDependency, pom, pomProperties);
setPomEvidence(newDependency, pom, pomProperties, null);
engine.getDependencies().add(newDependency);
Collections.sort(engine.getDependencies());
} else {
@@ -364,7 +363,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
*
* @param jar the JarFile to search
* @return a list of pom.xml entries
* @throws IOException thrown if there is an exception reading a JarEntryf
* @throws IOException thrown if there is an exception reading a JarEntry
*/
private List<String> retrievePomListing(final JarFile jar) throws IOException {
final List<String> pomEntries = new ArrayList<String>();
@@ -408,7 +407,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
bos.flush();
dependency.setActualFilePath(file.getAbsolutePath());
} catch (IOException ex) {
final String msg = String.format("An error occured reading '%s' from '%s'.", path, dependency.getFilePath());
final String msg = String.format("An error occurred reading '%s' from '%s'.", path, dependency.getFilePath());
LOGGER.warning(msg);
LOGGER.log(Level.SEVERE, "", ex);
} finally {
@@ -496,11 +495,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
model = readPom(source);
} catch (SecurityException ex) {
final String msg = String.format("Unable to parse pom '%s' in jar '%s'; invalid signature", path, jar.getName());
Logger
.getLogger(JarAnalyzer.class
.getName()).log(Level.WARNING, msg);
Logger.getLogger(JarAnalyzer.class
.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.WARNING, msg);
LOGGER.log(Level.FINE, null, ex);
throw new AnalysisException(ex);
} catch (IOException ex) {
final String msg = String.format("Unable to parse pom '%s' in jar '%s' (IO Exception)", path, jar.getName());
@@ -561,10 +557,21 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
*/
private boolean setPomEvidence(Dependency dependency, Model pom, Properties pomProperties, ArrayList<ClassNameInformation> classes) {
boolean foundSomething = false;
boolean addAsIdentifier = true;
if (pom == null) {
return foundSomething;
}
String groupid = interpolateString(pom.getGroupId(), pomProperties);
String parentGroupId = null;
if (pom.getParent() != null) {
parentGroupId = interpolateString(pom.getParent().getGroupId(), pomProperties);
if ((groupid == null || groupid.isEmpty()) && parentGroupId != null && !parentGroupId.isEmpty()) {
groupid = parentGroupId;
}
}
final String originalGroupID = groupid;
if (groupid != null && !groupid.isEmpty()) {
if (groupid.startsWith("org.") || groupid.startsWith("com.")) {
groupid = groupid.substring(4);
@@ -574,8 +581,26 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
dependency.getProductEvidence().addEvidence("pom", "groupid", groupid, Confidence.LOW);
addMatchingValues(classes, groupid, dependency.getVendorEvidence());
addMatchingValues(classes, groupid, dependency.getProductEvidence());
if (parentGroupId != null && !parentGroupId.isEmpty() && !parentGroupId.equals(groupid)) {
dependency.getVendorEvidence().addEvidence("pom", "parent-groupid", parentGroupId, Confidence.MEDIUM);
dependency.getProductEvidence().addEvidence("pom", "parent-groupid", parentGroupId, Confidence.LOW);
addMatchingValues(classes, parentGroupId, dependency.getVendorEvidence());
addMatchingValues(classes, parentGroupId, dependency.getProductEvidence());
}
} else {
addAsIdentifier = false;
}
String artifactid = interpolateString(pom.getArtifactId(), pomProperties);
String parentArtifactId = null;
if (pom.getParent() != null) {
parentArtifactId = interpolateString(pom.getParent().getArtifactId(), pomProperties);
if ((artifactid == null || artifactid.isEmpty()) && parentArtifactId != null && !parentArtifactId.isEmpty()) {
artifactid = parentArtifactId;
}
}
final String originalArtifactID = artifactid;
if (artifactid != null && !artifactid.isEmpty()) {
if (artifactid.startsWith("org.") || artifactid.startsWith("com.")) {
artifactid = artifactid.substring(4);
@@ -585,13 +610,40 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
dependency.getVendorEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.LOW);
addMatchingValues(classes, artifactid, dependency.getVendorEvidence());
addMatchingValues(classes, artifactid, dependency.getProductEvidence());
if (parentArtifactId != null && !parentArtifactId.isEmpty() && !parentArtifactId.equals(artifactid)) {
dependency.getProductEvidence().addEvidence("pom", "parent-artifactid", parentArtifactId, Confidence.MEDIUM);
dependency.getVendorEvidence().addEvidence("pom", "parent-artifactid", parentArtifactId, Confidence.LOW);
addMatchingValues(classes, parentArtifactId, dependency.getVendorEvidence());
addMatchingValues(classes, parentArtifactId, dependency.getProductEvidence());
}
} else {
addAsIdentifier = false;
}
//version
final String version = interpolateString(pom.getVersion(), pomProperties);
String version = interpolateString(pom.getVersion(), pomProperties);
String parentVersion = null;
if (pom.getParent() != null) {
parentVersion = interpolateString(pom.getParent().getVersion(), pomProperties);
if ((version == null || version.isEmpty()) && parentVersion != null && !parentVersion.isEmpty()) {
version = parentVersion;
}
}
if (version != null && !version.isEmpty()) {
foundSomething = true;
dependency.getVersionEvidence().addEvidence("pom", "version", version, Confidence.HIGHEST);
if (parentVersion != null && !parentVersion.isEmpty() && !parentVersion.equals(version)) {
dependency.getVersionEvidence().addEvidence("pom", "parent-version", version, Confidence.LOW);
}
} else {
addAsIdentifier = false;
}
if (addAsIdentifier) {
dependency.addIdentifier("maven", String.format("%s:%s:%s", originalGroupID, originalArtifactID, version), null, Confidence.LOW);
}
// org name
final Organization org = pom.getOrganization();
if (org != null && org.getName() != null) {
@@ -650,7 +702,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
//TODO remove weighting
vendor.addWeighting(entry.getKey());
if (addPackagesAsEvidence && entry.getKey().length() > 1) {
vendor.addEvidence("jar", "package", entry.getKey(), Confidence.LOW);
vendor.addEvidence("jar", "package name", entry.getKey(), Confidence.LOW);
}
}
}
@@ -659,7 +711,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
if (ratio > 0.5) {
product.addWeighting(entry.getKey());
if (addPackagesAsEvidence && entry.getKey().length() > 1) {
product.addEvidence("jar", "package", entry.getKey(), Confidence.LOW);
product.addEvidence("jar", "package name", entry.getKey(), Confidence.LOW);
}
}
}
@@ -693,10 +745,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
&& !dependency.getFileName().toLowerCase().endsWith("-javadoc.jar")
&& !dependency.getFileName().toLowerCase().endsWith("-src.jar")
&& !dependency.getFileName().toLowerCase().endsWith("-doc.jar")) {
Logger.getLogger(JarAnalyzer.class
.getName()).log(Level.INFO,
String.format("Jar file '%s' does not contain a manifest.",
dependency.getFileName()));
LOGGER.log(Level.FINE,
String.format("Jar file '%s' does not contain a manifest.",
dependency.getFileName()));
}
return false;
}
@@ -768,6 +819,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
&& !key.endsWith("class-path")
&& !key.endsWith("-scm") //todo change this to a regex?
&& !key.startsWith("scm-")
&& !value.trim().startsWith("scm:")
&& !isImportPackage(key, value)
&& !isPackage(key, value)) {
@@ -924,12 +976,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
@Override
public void initializeFileTypeAnalyzer() throws Exception {
final File baseDir = Settings.getTempDirectory();
if (!baseDir.exists()) {
if (!baseDir.mkdirs()) {
final String msg = String.format("Unable to make a temporary folder '%s'", baseDir.getPath());
throw new AnalysisException(msg);
}
}
tempFileLocation = File.createTempFile("check", "tmp", baseDir);
if (!tempFileLocation.delete()) {
final String msg = String.format("Unable to delete temporary file '%s'.", tempFileLocation.getAbsolutePath());
@@ -1050,11 +1096,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
} catch (IOException ex) {
final String msg = String.format("Unable to open jar file '%s'.", dependency.getFileName());
Logger
.getLogger(JarAnalyzer.class
.getName()).log(Level.WARNING, msg);
Logger.getLogger(JarAnalyzer.class
.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.WARNING, msg);
LOGGER.log(Level.FINE, null, ex);
} finally {
if (jar != null) {
try {
@@ -1124,7 +1167,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
* @param evidence the evidence collection to add new entries too
*/
private void addMatchingValues(ArrayList<ClassNameInformation> classes, String value, EvidenceCollection evidence) {
if (value == null || value.isEmpty()) {
if (value == null || value.isEmpty() || classes == null || classes.isEmpty()) {
return;
}
final String text = value.toLowerCase();
@@ -1151,93 +1194,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
* Adds evidence from the POM to the dependency. This includes the GAV and in some situations the parent GAV if
* specified.
*
* @param dependency the dependency being analyzed
* @param pom the POM data
* @param pomProperties the properties file associated with the pom
*/
private void addPomEvidence(Dependency dependency, Model pom, Properties pomProperties) {
if (pom == null) {
return;
}
String groupid = interpolateString(pom.getGroupId(), pomProperties);
if (groupid != null && !groupid.isEmpty()) {
if (groupid.startsWith("org.") || groupid.startsWith("com.")) {
groupid = groupid.substring(4);
}
dependency.getVendorEvidence().addEvidence("pom", "groupid", groupid, Confidence.HIGH);
dependency.getProductEvidence().addEvidence("pom", "groupid", groupid, Confidence.LOW);
}
String artifactid = interpolateString(pom.getArtifactId(), pomProperties);
if (artifactid != null && !artifactid.isEmpty()) {
if (artifactid.startsWith("org.") || artifactid.startsWith("com.")) {
artifactid = artifactid.substring(4);
}
dependency.getProductEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.HIGH);
dependency.getVendorEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.LOW);
}
final String version = interpolateString(pom.getVersion(), pomProperties);
if (version != null && !version.isEmpty()) {
dependency.getVersionEvidence().addEvidence("pom", "version", version, Confidence.HIGHEST);
}
final Parent parent = pom.getParent(); //grab parent GAV
if (parent != null) {
final String parentGroupId = interpolateString(parent.getGroupId(), pomProperties);
if (parentGroupId != null && !parentGroupId.isEmpty()) {
if (groupid == null || groupid.isEmpty()) {
dependency.getVendorEvidence().addEvidence("pom", "parent.groupid", parentGroupId, Confidence.HIGH);
} else {
dependency.getVendorEvidence().addEvidence("pom", "parent.groupid", parentGroupId, Confidence.MEDIUM);
}
dependency.getProductEvidence().addEvidence("pom", "parent.groupid", parentGroupId, Confidence.LOW);
}
final String parentArtifactId = interpolateString(parent.getArtifactId(), pomProperties);
if (parentArtifactId != null && !parentArtifactId.isEmpty()) {
if (artifactid == null || artifactid.isEmpty()) {
dependency.getProductEvidence().addEvidence("pom", "parent.artifactid", parentArtifactId, Confidence.HIGH);
} else {
dependency.getProductEvidence().addEvidence("pom", "parent.artifactid", parentArtifactId, Confidence.MEDIUM);
}
dependency.getVendorEvidence().addEvidence("pom", "parent.artifactid", parentArtifactId, Confidence.LOW);
}
final String parentVersion = interpolateString(parent.getVersion(), pomProperties);
if (parentVersion != null && !parentVersion.isEmpty()) {
if (version == null || version.isEmpty()) {
dependency.getVersionEvidence().addEvidence("pom", "parent.version", parentVersion, Confidence.HIGH);
} else {
dependency.getVersionEvidence().addEvidence("pom", "parent.version", parentVersion, Confidence.LOW);
}
}
}
// org name
final Organization org = pom.getOrganization();
if (org != null && org.getName() != null) {
final String orgName = interpolateString(org.getName(), pomProperties);
if (orgName != null && !orgName.isEmpty()) {
dependency.getVendorEvidence().addEvidence("pom", "organization name", orgName, Confidence.HIGH);
}
}
//pom name
final String pomName = interpolateString(pom.getName(), pomProperties);
if (pomName != null && !pomName.isEmpty()) {
dependency.getProductEvidence().addEvidence("pom", "name", pomName, Confidence.HIGH);
dependency.getVendorEvidence().addEvidence("pom", "name", pomName, Confidence.HIGH);
}
//Description
if (pom.getDescription() != null) {
final String description = interpolateString(pom.getDescription(), pomProperties);
if (description != null && !description.isEmpty()) {
addDescription(dependency, description, "pom", "description");
}
}
extractLicense(pom, pomProperties, dependency);
}
/**
* Extracts the license information from the pom and adds it to the dependency.
*
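Review bot: In setPomEvidence the new parent-version branch records the wrong value: `dependency.getVersionEvidence().addEvidence("pom", "parent-version", version, Confidence.LOW);` passes the child's `version` under the `parent-version` name, so the parent's version is never captured and the entry merely duplicates the HIGHEST one two lines above it; it should read `dependency.getVersionEvidence().addEvidence("pom", "parent-version", parentVersion, Confidence.LOW);`. The parent-groupid and parent-artifactid branches in the preceding hunks pass the parent value correctly, which makes this look like a copy-paste slip; setPomEvidence begins before its first hunk and continues past its last. In initializeFileTypeAnalyzer the `baseDir.exists()`/`mkdirs()` guard is dropped, which is only safe if Settings.getTempDirectory() now guarantees the directory exists — worth confirming, since `File.createTempFile` fails otherwise.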


@@ -44,7 +44,7 @@ public class JavaScriptAnalyzer extends AbstractFileTypeAnalyzer {
*/
private static final Logger LOGGER = Logger.getLogger(JavaScriptAnalyzer.class.getName());
//<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
//<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
/**
* The name of the analyzer.
*/
@@ -107,7 +107,7 @@ public class JavaScriptAnalyzer extends AbstractFileTypeAnalyzer {
*/
@Override
public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
BufferedReader fin = null;;
BufferedReader fin = null;
try {
// /\*([^\*][^/]|[\r\n\f])+?\*/
final Pattern extractComments = Pattern.compile("(/\\*([^*]|[\\r\\n]|(\\*+([^*/]|[\\r\\n])))*\\*+/)|(//.*)", Pattern.MULTILINE);
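Review bot: `extractComments` is compiled with `Pattern.compile(...)` inside analyzeFileType, so the same constant regex is recompiled for every JavaScript file scanned; hoist it to a `private static final Pattern EXTRACT_COMMENTS` field (Pattern is immutable and thread-safe) and drop the commented-out alternative regex on the line above it rather than leaving dead code in the method. The `;;` fix on `BufferedReader fin = null;` is fine; the try block continues beyond the hunk.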


@@ -30,6 +30,7 @@ import org.owasp.dependencycheck.data.nexus.MavenArtifact;
import org.owasp.dependencycheck.data.nexus.NexusSearch;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Identifier;
import org.owasp.dependencycheck.utils.Settings;
/**
@@ -161,14 +162,25 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
dependency.getVersionEvidence().addEvidence("nexus", "version", ma.getVersion(), Confidence.HIGH);
}
if (ma.getArtifactUrl() != null && !"".equals(ma.getArtifactUrl())) {
dependency.addIdentifier("maven", ma.toString(), ma.getArtifactUrl(), Confidence.HIGHEST);
boolean found = false;
for (Identifier i : dependency.getIdentifiers()) {
if ("maven".equals(i.getType()) && i.getValue().equals(ma.toString())) {
found = true;
i.setConfidence(Confidence.HIGHEST);
i.setUrl(ma.getArtifactUrl());
break;
}
}
if (!found) {
dependency.addIdentifier("maven", ma.toString(), ma.getArtifactUrl(), Confidence.HIGHEST);
}
}
} catch (IllegalArgumentException iae) {
//dependency.addAnalysisException(new AnalysisException("Invalid SHA-1"));
LOGGER.info(String.format("invalid sha-1 hash on %s", dependency.getFileName()));
} catch (FileNotFoundException fnfe) {
//dependency.addAnalysisException(new AnalysisException("Artifact not found on repository"));
LOGGER.fine(String.format("Artificat not found in repository '%s'", dependency.getFileName()));
LOGGER.fine(String.format("Artifact not found in repository '%s'", dependency.getFileName()));
LOGGER.log(Level.FINE, fnfe.getMessage(), fnfe);
} catch (IOException ioe) {
//dependency.addAnalysisException(new AnalysisException("Could not connect to repository", ioe));
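Review bot: The new loop mutates an existing `maven` identifier in place with `i.setConfidence(Confidence.HIGHEST)` and `i.setUrl(ma.getArtifactUrl())`; if getIdentifiers() is a hash-based Set and Identifier's equals/hashCode include the url or confidence, changing the element corrupts the set's buckets — confirm Identifier hashes on type and value only, or remove and re-add the element instead. `ma.toString()` is also evaluated on every iteration and again in the addIdentifier fallback; compute it once before the loop, `final String gav = ma.toString();`, and compare against that. The enclosing try block starts outside the hunk.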


@@ -109,6 +109,17 @@ public class NvdCveAnalyzer implements Analyzer {
}
}
}
for (Identifier id : dependency.getSuppressedIdentifiers()) {
if ("cpe".equals(id.getType())) {
try {
final String value = id.getValue();
final List<Vulnerability> vulns = cveDB.getVulnerabilities(value);
dependency.getSuppressedVulnerabilities().addAll(vulns);
} catch (DatabaseException ex) {
throw new AnalysisException(ex);
}
}
}
}
/**
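Review bot: The added loop over `dependency.getSuppressedIdentifiers()` repeats, line for line, the loop over the active identifiers that precedes it (the enclosing method starts outside the hunk), differing only in the source and destination collections; extracting a private helper along the lines of `addVulnerabilitiesFor(identifiers, sink)` would keep the two from drifting apart. A short comment on the new loop stating why suppressed CPEs are still resolved — presumably so the report can show which vulnerabilities a suppression rule hid — would also help, e.g. `// resolve CVEs for suppressed CPEs too so they can be reported as suppressed`.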


@@ -54,7 +54,10 @@ import org.owasp.dependencycheck.utils.Pair;
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public final class CpeMemoryIndex {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(CpeMemoryIndex.class.getName());
/**
* singleton instance.
*/
@@ -197,7 +200,7 @@ public final class CpeMemoryIndex {
try {
indexReader.close();
} catch (IOException ex) {
Logger.getLogger(CpeMemoryIndex.class.getName()).log(Level.FINEST, null, ex);
LOGGER.log(Level.FINEST, null, ex);
}
indexReader = null;
}
@@ -229,7 +232,7 @@ public final class CpeMemoryIndex {
saveEntry(pair.getLeft(), pair.getRight(), indexWriter);
}
} catch (DatabaseException ex) {
Logger.getLogger(CpeMemoryIndex.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
throw new IndexException("Error reading CPE data", ex);
}
} catch (CorruptIndexException ex) {


@@ -29,7 +29,10 @@ import java.util.logging.Logger;
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public final class CweDB {
/**
* The Logger.
*/
private static final Logger LOGGER = Logger.getLogger(CweDB.class.getName());
/**
* Empty private constructor as this is a utility class.
*/
@@ -54,17 +57,17 @@ public final class CweDB {
oin = new ObjectInputStream(input);
return (HashMap<String, String>) oin.readObject();
} catch (ClassNotFoundException ex) {
Logger.getLogger(CweDB.class.getName()).log(Level.WARNING, "Unable to load CWE data. This should not be an issue.");
Logger.getLogger(CweDB.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.WARNING, "Unable to load CWE data. This should not be an issue.");
LOGGER.log(Level.FINE, null, ex);
} catch (IOException ex) {
Logger.getLogger(CweDB.class.getName()).log(Level.WARNING, "Unable to load CWE data due to an IO Error. This should not be an issue.");
Logger.getLogger(CweDB.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.WARNING, "Unable to load CWE data due to an IO Error. This should not be an issue.");
LOGGER.log(Level.FINE, null, ex);
} finally {
if (oin != null) {
try {
oin.close();
} catch (IOException ex) {
Logger.getLogger(CweDB.class.getName()).log(Level.FINEST, null, ex);
LOGGER.log(Level.FINEST, null, ex);
}
}
}
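Review bot: `oin.readObject()` at the top of this hunk is Java native deserialization of whatever `input` holds, and the commit only swaps the loggers around it. If the stream is the project's own bundled CWE resource the exposure is limited to whoever can replace that resource, but the deserialization surface could be removed entirely by shipping the CWE map as a plain properties/text file, or at least bounded by overriding `resolveClass` on the `ObjectInputStream` so that only `HashMap` and `String` are accepted. Where `input` comes from is above the hunk, so the resource origin is inferred.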


@@ -36,7 +36,10 @@ import org.owasp.dependencycheck.utils.UrlStringUtils;
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(UrlTokenizingFilter.class.getName());
/**
* Constructs a new VersionTokenizingFilter.
*
@@ -67,7 +70,7 @@ public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
final List<String> data = UrlStringUtils.extractImportantUrlData(part);
tokens.addAll(data);
} catch (MalformedURLException ex) {
Logger.getLogger(UrlTokenizingFilter.class.getName()).log(Level.FINE, "error parsing " + part, ex);
LOGGER.log(Level.FINE, "error parsing " + part, ex);
tokens.add(part);
}
} else {


@@ -21,7 +21,6 @@ import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLConnection;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.xml.parsers.DocumentBuilder;
@@ -65,7 +64,7 @@ public class NexusSearch {
public NexusSearch(URL rootURL) {
this.rootURL = rootURL;
try {
if (null != Settings.getString(Settings.KEYS.PROXY_URL)
if (null != Settings.getString(Settings.KEYS.PROXY_SERVER)
&& Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY)) {
useProxy = true;
LOGGER.fine("Using proxy");
@@ -84,7 +83,7 @@ public class NexusSearch {
*
* @param sha1 The SHA-1 hash string for which to search
* @return the populated Maven coordinates
* @throws IOException if it's unable to connect to the specified repositor or if the specified artifact is not
* @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not
* found.
*/
public MavenArtifact searchSha1(String sha1) throws IOException {
@@ -102,8 +101,7 @@ public class NexusSearch {
// 2) Otherwise, don't use the proxy (either the proxy isn't configured,
// or proxy is specifically
// set to false
URLConnection conn = null;
conn = URLConnectionFactory.createHttpURLConnection(url, useProxy);
final HttpURLConnection conn = URLConnectionFactory.createHttpURLConnection(url, useProxy);
conn.setDoOutput(true);
@@ -112,36 +110,40 @@ public class NexusSearch {
conn.addRequestProperty("Accept", "application/xml");
conn.connect();
try {
final DocumentBuilder builder = DocumentBuilderFactory
.newInstance().newDocumentBuilder();
final Document doc = builder.parse(conn.getInputStream());
final XPath xpath = XPathFactory.newInstance().newXPath();
final String groupId = xpath
.evaluate(
"/org.sonatype.nexus.rest.model.NexusArtifact/groupId",
doc);
final String artifactId = xpath.evaluate(
"/org.sonatype.nexus.rest.model.NexusArtifact/artifactId",
doc);
final String version = xpath
.evaluate(
"/org.sonatype.nexus.rest.model.NexusArtifact/version",
doc);
final String link = xpath
.evaluate(
"/org.sonatype.nexus.rest.model.NexusArtifact/artifactLink",
doc);
return new MavenArtifact(groupId, artifactId, version, link);
} catch (FileNotFoundException fnfe) {
/* This is what we get when the SHA1 they sent doesn't exist in
* Nexus. This is useful upstream for recovery, so we just re-throw it
*/
throw fnfe;
} catch (Throwable e) {
// Anything else is jacked-up XML stuff that we really can't recover
// from well
throw new IOException(e.getMessage(), e);
if (conn.getResponseCode() == 200) {
try {
final DocumentBuilder builder = DocumentBuilderFactory
.newInstance().newDocumentBuilder();
final Document doc = builder.parse(conn.getInputStream());
final XPath xpath = XPathFactory.newInstance().newXPath();
final String groupId = xpath
.evaluate(
"/org.sonatype.nexus.rest.model.NexusArtifact/groupId",
doc);
final String artifactId = xpath.evaluate(
"/org.sonatype.nexus.rest.model.NexusArtifact/artifactId",
doc);
final String version = xpath
.evaluate(
"/org.sonatype.nexus.rest.model.NexusArtifact/version",
doc);
final String link = xpath
.evaluate(
"/org.sonatype.nexus.rest.model.NexusArtifact/artifactLink",
doc);
return new MavenArtifact(groupId, artifactId, version, link);
} catch (Throwable e) {
// Anything else is jacked-up XML stuff that we really can't recover
// from well
throw new IOException(e.getMessage(), e);
}
} else if (conn.getResponseCode() == 404) {
throw new FileNotFoundException("Artifact not found in Nexus");
} else {
final String msg = String.format("Could not connect to Nexus received response code: %d %s",
conn.getResponseCode(), conn.getResponseMessage());
LOGGER.fine(msg);
throw new IOException(msg);
}
}
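Review bot: The `DocumentBuilderFactory.newInstance().newDocumentBuilder()` inside the new `== 200` branch parses the repository's reply with default features, so a DOCTYPE with external entities in that reply would be resolved by the parser; the restructuring of this method keeps that as it was. Since the XML comes from a remote server the user only configures by URL (possibly through a proxy), doctype declarations and external entities should be disabled on the factory before `builder.parse(conn.getInputStream())`. Two smaller points in the same hunk: `catch (Throwable e)` also wraps `Error`s such as `OutOfMemoryError` into an `IOException`, and `catch (Exception e)` covers the parser and XPath failures the comment refers to; and the stream from `conn.getInputStream()` is never closed, which a try/finally around it (or `conn.disconnect()`) would fix.
```java
if (conn.getResponseCode() == 200) {
    try {
        final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // the response is remote XML: refuse DOCTYPEs and external entities before parsing it
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        final DocumentBuilder builder = factory.newDocumentBuilder();
        final Document doc = builder.parse(conn.getInputStream());
        // … unchanged: XPath evaluation and MavenArtifact construction …
    } catch (Exception e) {
        // … unchanged: wrap in IOException …
```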


@@ -56,7 +56,7 @@ public class NuspecParseException extends Exception {
* Note that the detail message associated with <code>cause</code> is <em>not</em>
* automatically incorporated in this exception's detail message.
*
* @param message the detail message (whcih is saved for later retrieval by the
* @param message the detail message (which is saved for later retrieval by the
* {@link java.lang.Throwable#getMessage()} method.
* @param cause the cause (which is saved for later retrieval by the {@link java.lang.Throwable#getCause()} method).
* (A <code>null</code> value is permitted, and indicates that the cause is nonexistent or unknown).


@@ -42,7 +42,10 @@ import org.owasp.dependencycheck.utils.Settings;
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public final class ConnectionFactory {
/**
* The Logger.
*/
private static final Logger LOGGER = Logger.getLogger(ConnectionFactory.class.getName());
/**
* The version of the current DB Schema.
*/
@@ -90,17 +93,17 @@ public final class ConnectionFactory {
//load the driver if necessary
final String driverName = Settings.getString(Settings.KEYS.DB_DRIVER_NAME, "");
if (!driverName.isEmpty()) { //likely need to load the correct driver
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Loading driver: {0}", driverName);
LOGGER.log(Level.FINE, "Loading driver: {0}", driverName);
final String driverPath = Settings.getString(Settings.KEYS.DB_DRIVER_PATH, "");
try {
if (!driverPath.isEmpty()) {
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Loading driver from: {0}", driverPath);
LOGGER.log(Level.FINE, "Loading driver from: {0}", driverPath);
driver = DriverLoader.load(driverName, driverPath);
} else {
driver = DriverLoader.load(driverName);
}
} catch (DriverLoadException ex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "Unable to load database driver", ex);
LOGGER.log(Level.FINE, "Unable to load database driver", ex);
throw new DatabaseException("Unable to load database driver");
}
}
@@ -110,7 +113,7 @@ public final class ConnectionFactory {
try {
connectionString = getConnectionString();
} catch (IOException ex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE,
LOGGER.log(Level.FINE,
"Unable to retrieve the database connection string", ex);
throw new DatabaseException("Unable to retrieve the database connection string");
}
@@ -118,15 +121,15 @@ public final class ConnectionFactory {
try {
if (connectionString.startsWith("jdbc:h2:file:")) { //H2
shouldCreateSchema = !dbSchemaExists();
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Need to create DB Structure: {0}", shouldCreateSchema);
LOGGER.log(Level.FINE, "Need to create DB Structure: {0}", shouldCreateSchema);
}
} catch (IOException ioex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "Unable to verify database exists", ioex);
LOGGER.log(Level.FINE, "Unable to verify database exists", ioex);
throw new DatabaseException("Unable to verify database exists");
}
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Loading database connection");
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Connection String: {0}", connectionString);
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Database User: {0}", userName);
LOGGER.log(Level.FINE, "Loading database connection");
LOGGER.log(Level.FINE, "Connection String: {0}", connectionString);
LOGGER.log(Level.FINE, "Database User: {0}", userName);
try {
conn = DriverManager.getConnection(connectionString, userName, password);
@@ -136,14 +139,14 @@ public final class ConnectionFactory {
try {
conn = DriverManager.getConnection(connectionString, userName, password);
Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE,
LOGGER.log(Level.FINE,
"Unable to start the database in server mode; reverting to single user mode");
} catch (SQLException sqlex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "Unable to connect to the database", ex);
LOGGER.log(Level.FINE, "Unable to connect to the database", ex);
throw new DatabaseException("Unable to connect to the database");
}
} else {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "Unable to connect to the database", ex);
LOGGER.log(Level.FINE, "Unable to connect to the database", ex);
throw new DatabaseException("Unable to connect to the database");
}
}
@@ -152,14 +155,14 @@ public final class ConnectionFactory {
try {
createTables(conn);
} catch (DatabaseException dex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, dex);
LOGGER.log(Level.FINE, null, dex);
throw new DatabaseException("Unable to create the database structure");
}
} else {
try {
ensureSchemaVersion(conn);
} catch (DatabaseException dex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, dex);
LOGGER.log(Level.FINE, null, dex);
throw new DatabaseException("Database schema does not match this version of dependency-check");
}
}
@@ -168,7 +171,7 @@ public final class ConnectionFactory {
try {
conn.close();
} catch (SQLException ex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "An error occured closing the connection", ex);
LOGGER.log(Level.FINE, "An error occurred closing the connection", ex);
}
}
}
@@ -184,7 +187,10 @@ public final class ConnectionFactory {
try {
DriverManager.deregisterDriver(driver);
} catch (SQLException ex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "An error occured unloading the databse driver", ex);
LOGGER.log(Level.FINE, "An error occurred unloading the database driver", ex);
} catch (Throwable unexpected) {
LOGGER.log(Level.FINE,
"An unexpected throwable occurred unloading the database driver", unexpected);
}
driver = null;
}
@@ -205,7 +211,7 @@ public final class ConnectionFactory {
try {
conn = DriverManager.getConnection(connectionString, userName, password);
} catch (SQLException ex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
throw new DatabaseException("Unable to connect to the database");
}
return conn;
@@ -223,7 +229,7 @@ public final class ConnectionFactory {
if (connStr.contains("%s")) {
final String directory = getDataDirectory().getCanonicalPath();
final File dataFile = new File(directory, "cve." + DB_SCHEMA_VERSION);
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, String.format("File path for H2 file: '%s'", dataFile.toString()));
LOGGER.log(Level.FINE, String.format("File path for H2 file: '%s'", dataFile.toString()));
return String.format(connStr, dataFile.getAbsolutePath());
}
return connStr;
@@ -266,7 +272,7 @@ public final class ConnectionFactory {
* @throws DatabaseException thrown if there is a Database Exception
*/
private static void createTables(Connection conn) throws DatabaseException {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "Creating database structure");
LOGGER.log(Level.FINE, "Creating database structure");
InputStream is;
InputStreamReader reader;
BufferedReader in = null;
@@ -284,7 +290,7 @@ public final class ConnectionFactory {
statement = conn.createStatement();
statement.execute(sb.toString());
} catch (SQLException ex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
throw new DatabaseException("Unable to create database statement", ex);
} finally {
DBUtils.closeStatement(statement);
@@ -296,7 +302,7 @@ public final class ConnectionFactory {
try {
in.close();
} catch (IOException ex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINEST, null, ex);
LOGGER.log(Level.FINEST, null, ex);
}
}
}
@@ -323,7 +329,7 @@ public final class ConnectionFactory {
throw new DatabaseException("Database schema is missing");
}
} catch (SQLException ex) {
Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
throw new DatabaseException("Unable to check the database schema version");
} finally {
DBUtils.closeResultSet(rs);


@@ -47,6 +47,10 @@ import org.owasp.dependencycheck.utils.Pair;
*/
public class CveDB {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(CveDB.class.getName());
/**
* Database connection
*/
@@ -95,12 +99,12 @@ public class CveDB {
conn.close();
} catch (SQLException ex) {
final String msg = "There was an error attempting to close the CveDB, see the log for more details.";
Logger.getLogger(DBUtils.class.getName()).log(Level.SEVERE, msg);
Logger.getLogger(DBUtils.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.SEVERE, msg);
LOGGER.log(Level.FINE, null, ex);
} catch (Throwable ex) {
final String msg = "There was an exception attempting to close the CveDB, see the log for more details.";
Logger.getLogger(DBUtils.class.getName()).log(Level.SEVERE, msg);
Logger.getLogger(DBUtils.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.SEVERE, msg);
LOGGER.log(Level.FINE, null, ex);
}
conn = null;
}
@@ -135,7 +139,7 @@ public class CveDB {
@Override
@SuppressWarnings("FinalizeDeclaration")
protected void finalize() throws Throwable {
Logger.getLogger(DBUtils.class.getName()).log(Level.FINE, "Entering finalize");
LOGGER.log(Level.FINE, "Entering finalize");
close();
super.finalize();
}
@@ -244,6 +248,7 @@ public class CveDB {
/**
* SQL Statement to retrieve a property from the database.
*/
@SuppressWarnings("unused")
private static final String SELECT_PROPERTY = "SELECT id, value FROM properties WHERE id = ?";
/**
* SQL Statement to insert a new property.
@@ -256,6 +261,7 @@ public class CveDB {
/**
* SQL Statement to delete a property.
*/
@SuppressWarnings("unused")
private static final String DELETE_PROPERTY = "DELETE FROM properties WHERE id = ?";
//</editor-fold>
@@ -284,8 +290,8 @@ public class CveDB {
}
} catch (SQLException ex) {
final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details.";
Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, msg);
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.SEVERE, msg);
LOGGER.log(Level.FINE, null, ex);
} finally {
DBUtils.closeResultSet(rs);
DBUtils.closeStatement(ps);
@@ -336,8 +342,8 @@ public class CveDB {
}
} catch (SQLException ex) {
final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details.";
Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, msg);
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.SEVERE, msg);
LOGGER.log(Level.FINE, null, ex);
} finally {
DBUtils.closeStatement(ps);
DBUtils.closeResultSet(rs);
@@ -358,8 +364,8 @@ public class CveDB {
updateProperty = getConnection().prepareStatement(UPDATE_PROPERTY);
insertProperty = getConnection().prepareStatement(INSERT_PROPERTY);
} catch (SQLException ex) {
Logger.getLogger(CveDB.class.getName()).log(Level.WARNING, "Unable to save properties to the database");
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Unable to save properties to the database", ex);
LOGGER.log(Level.WARNING, "Unable to save properties to the database");
LOGGER.log(Level.FINE, "Unable to save properties to the database", ex);
return;
}
for (Entry<Object, Object> entry : props.entrySet()) {
@@ -374,8 +380,8 @@ public class CveDB {
}
} catch (SQLException ex) {
final String msg = String.format("Unable to save property '%s' with a value of '%s' to the database", key, value);
Logger.getLogger(CveDB.class.getName()).log(Level.WARNING, msg);
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.WARNING, msg);
LOGGER.log(Level.FINE, null, ex);
}
}
} finally {
@@ -397,8 +403,8 @@ public class CveDB {
try {
updateProperty = getConnection().prepareStatement(UPDATE_PROPERTY);
} catch (SQLException ex) {
Logger.getLogger(CveDB.class.getName()).log(Level.WARNING, "Unable to save properties to the database");
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Unable to save properties to the database", ex);
LOGGER.log(Level.WARNING, "Unable to save properties to the database");
LOGGER.log(Level.FINE, "Unable to save properties to the database", ex);
return;
}
try {
@@ -408,8 +414,8 @@ public class CveDB {
try {
insertProperty = getConnection().prepareStatement(INSERT_PROPERTY);
} catch (SQLException ex) {
Logger.getLogger(CveDB.class.getName()).log(Level.WARNING, "Unable to save properties to the database");
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Unable to save properties to the database", ex);
LOGGER.log(Level.WARNING, "Unable to save properties to the database");
LOGGER.log(Level.FINE, "Unable to save properties to the database", ex);
return;
}
insertProperty.setString(1, key);
@@ -418,8 +424,8 @@ public class CveDB {
}
} catch (SQLException ex) {
final String msg = String.format("Unable to save property '%s' with a value of '%s' to the database", key, value);
Logger.getLogger(CveDB.class.getName()).log(Level.WARNING, msg);
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.WARNING, msg);
LOGGER.log(Level.FINE, null, ex);
}
} finally {
DBUtils.closeStatement(updateProperty);
@@ -440,7 +446,7 @@ public class CveDB {
try {
cpe.parseName(cpeStr);
} catch (UnsupportedEncodingException ex) {
Logger.getLogger(CveDB.class.getName()).log(Level.FINEST, null, ex);
LOGGER.log(Level.FINEST, null, ex);
}
final DependencyVersion detectedVersion = parseDependencyVersion(cpe);
final List<Vulnerability> vulnerabilities = new ArrayList<Vulnerability>();
@@ -678,7 +684,7 @@ public class CveDB {
} catch (SQLException ex) {
final String msg = String.format("Error updating '%s'", vuln.getName());
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
throw new DatabaseException(msg, ex);
} finally {
DBUtils.closeStatement(selectVulnerabilityId);
@@ -707,8 +713,8 @@ public class CveDB {
}
} catch (SQLException ex) {
final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details.";
Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, msg);
Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.SEVERE, msg);
LOGGER.log(Level.FINE, null, ex);
} finally {
DBUtils.closeStatement(ps);
}
@@ -730,8 +736,10 @@ public class CveDB {
final boolean isStruts = "apache".equals(vendor) && "struts".equals(product);
final DependencyVersion v = parseDependencyVersion(cpeId);
final boolean prevAffected = previous != null && !previous.isEmpty();
if (identifiedVersion == null || "-".equals(identifiedVersion.toString())) {
if (v == null || "-".equals(v.toString())) {
if (v == null || "-".equals(v.toString())) { //all versions
affected = true;
} else if (identifiedVersion == null || "-".equals(identifiedVersion.toString())) {
if (prevAffected) {
affected = true;
}
} else if (identifiedVersion.equals(v) || (prevAffected && identifiedVersion.compareTo(v) < 0)) {
@@ -763,7 +771,7 @@ public class CveDB {
cpe.parseName(cpeStr);
} catch (UnsupportedEncodingException ex) {
//never going to happen.
Logger.getLogger(CveDB.class.getName()).log(Level.FINEST, null, ex);
LOGGER.log(Level.FINEST, null, ex);
}
return parseDependencyVersion(cpe);
}
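Review bot: In the reworked version comparison near the end of the section, the branch taken when `identifiedVersion` is null or `-` and `prevAffected` is false leaves `affected` at whatever it was initialised to above the hunk, and nothing records that an unknown dependency version is deliberately not flagged against a specific vulnerable version; a comment such as `// dependency version unknown: only flag it when an earlier version is already affected, to limit false positives` (intent inferred, confirm) would make that decision reviewable later. The `@SuppressWarnings("unused")` added to `SELECT_PROPERTY` and `DELETE_PROPERTY` keeps two dead SQL constants in the class; deleting them is simpler than suppressing the warning, unless they are referenced elsewhere in the file.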


@@ -17,7 +17,6 @@
*/
package org.owasp.dependencycheck.data.nvdcve;
import com.hazelcast.logging.Logger;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.Date;
@@ -26,6 +25,7 @@ import java.util.Map.Entry;
import java.util.Properties;
import java.util.TreeMap;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.owasp.dependencycheck.data.update.NvdCveInfo;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
@@ -36,6 +36,10 @@ import org.owasp.dependencycheck.data.update.exception.UpdateException;
*/
public class DatabaseProperties {
/**
* The Logger.
*/
private static final Logger LOGGER = Logger.getLogger(DatabaseProperties.class.getName());
/**
* Modified key word, used as a key to store information about the modified file (i.e. the containing the last 8
* days of updates)..
@@ -150,8 +154,8 @@ public class DatabaseProperties {
final DateFormat format = new SimpleDateFormat("dd/MM/yyyy HH:mm:ss");
final String formatted = format.format(date);
map.put(key, formatted);
} catch (Throwable ex) { //deliberatly being broad in this catch clause
Logger.getLogger(DatabaseProperties.class.getName()).log(Level.FINE, "Unable to parse timestamp from DB", ex);
} catch (Throwable ex) { //deliberately being broad in this catch clause
LOGGER.log(Level.FINE, "Unable to parse timestamp from DB", ex);
map.put(key, entry.getValue());
}
} else {


@@ -37,6 +37,11 @@ import java.util.logging.Logger;
*/
public final class DriverLoader {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(DriverLoader.class.getName());
/**
* Private constructor for a utility class.
*/
@@ -58,7 +63,7 @@ public final class DriverLoader {
/**
* Loads the specified class by registering the supplied paths to the class loader and then registers the driver
* with the driver manager. The pathToDriver argument is added to the class loader so that an external driver can be
* loaded. Note, the pathTodriver can contain a semi-colon separated list of paths so any dependencies can be added
* loaded. Note, the pathToDriver can contain a semi-colon separated list of paths so any dependencies can be added
* as needed. If a path in the pathToDriver argument is a directory all files in the directory are added to the
* class path.
*
@@ -83,7 +88,7 @@ public final class DriverLoader {
} catch (MalformedURLException ex) {
final String msg = String.format("Unable to load database driver '%s'; invalid path provided '%s'",
className, f.getAbsoluteFile());
Logger.getLogger(DriverLoader.class.getName()).log(Level.FINE, msg, ex);
LOGGER.log(Level.FINE, msg, ex);
throw new DriverLoadException(msg, ex);
}
}
@@ -93,7 +98,7 @@ public final class DriverLoader {
} catch (MalformedURLException ex) {
final String msg = String.format("Unable to load database driver '%s'; invalid path provided '%s'",
className, file.getAbsoluteFile());
Logger.getLogger(DriverLoader.class.getName()).log(Level.FINE, msg, ex);
LOGGER.log(Level.FINE, msg, ex);
throw new DriverLoadException(msg, ex);
}
}
@@ -127,19 +132,19 @@ public final class DriverLoader {
return shim;
} catch (ClassNotFoundException ex) {
final String msg = String.format("Unable to load database driver '%s'", className);
Logger.getLogger(DriverLoader.class.getName()).log(Level.FINE, msg, ex);
LOGGER.log(Level.FINE, msg, ex);
throw new DriverLoadException(msg, ex);
} catch (InstantiationException ex) {
final String msg = String.format("Unable to load database driver '%s'", className);
Logger.getLogger(DriverLoader.class.getName()).log(Level.FINE, msg, ex);
LOGGER.log(Level.FINE, msg, ex);
throw new DriverLoadException(msg, ex);
} catch (IllegalAccessException ex) {
final String msg = String.format("Unable to load database driver '%s'", className);
Logger.getLogger(DriverLoader.class.getName()).log(Level.FINE, msg, ex);
LOGGER.log(Level.FINE, msg, ex);
throw new DriverLoadException(msg, ex);
} catch (SQLException ex) {
final String msg = String.format("Unable to load database driver '%s'", className);
Logger.getLogger(DriverLoader.class.getName()).log(Level.FINE, msg, ex);
LOGGER.log(Level.FINE, msg, ex);
throw new DriverLoadException(msg, ex);
}
}
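Review bot: The four catch blocks at the end of the last hunk have identical bodies (format the message, log at FINE, throw `DriverLoadException`); if the build targets Java 7 or later, a single multi-catch `catch (ClassNotFoundException | InstantiationException | IllegalAccessException | SQLException ex)` removes the repetition, and the three FINER-level catches in DriverShim in this same commit can be collapsed the same way. The reflective load that these catches refer to is above the hunk.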


@@ -39,6 +39,10 @@ import java.util.logging.Logger;
*/
class DriverShim implements Driver {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(DriverShim.class.getName());
/**
* The database driver being wrapped.
*/
@@ -123,11 +127,11 @@ class DriverShim implements Driver {
try {
return (Logger) m.invoke(m);
} catch (IllegalAccessException ex) {
Logger.getLogger(DriverShim.class.getName()).log(Level.FINER, null, ex);
LOGGER.log(Level.FINER, null, ex);
} catch (IllegalArgumentException ex) {
Logger.getLogger(DriverShim.class.getName()).log(Level.FINER, null, ex);
LOGGER.log(Level.FINER, null, ex);
} catch (InvocationTargetException ex) {
Logger.getLogger(DriverShim.class.getName()).log(Level.FINER, null, ex);
LOGGER.log(Level.FINER, null, ex);
}
}
throw new SQLFeatureNotSupportedException();
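Review bot: `return (Logger) m.invoke(m);` invokes the reflected method with the `Method` object itself as the target; if `m` is the wrapped driver's `getParentLogger` method (its lookup is above the hunk), the call fails with `IllegalArgumentException`, is logged at FINER, and falls through to `throw new SQLFeatureNotSupportedException()`, so the parent logger is never returned. The target should be the wrapped driver instance, `return (Logger) m.invoke(<wrapped-driver field>);`, where the placeholder is the field documented as "The database driver being wrapped" whose name is outside this hunk. The cast to `java.util.logging.Logger` matches `Driver.getParentLogger`'s return type, so the rest of the line looks right.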


@@ -30,6 +30,11 @@ import org.owasp.dependencycheck.utils.DownloadFailedException;
*/
public class NvdCveUpdater implements CachedWebDataSource {
/**
* The logger
*/
private static final Logger LOGGER = Logger.getLogger(NvdCveUpdater.class.getName());
/**
* <p>
* Downloads the latest NVD CVE XML file from the web and imports it into the current CVE Database.</p>
@@ -44,13 +49,13 @@ public class NvdCveUpdater implements CachedWebDataSource {
task.update();
}
} catch (MalformedURLException ex) {
Logger.getLogger(NvdCveUpdater.class.getName()).log(Level.WARNING,
LOGGER.log(Level.WARNING,
"NVD CVE properties files contain an invalid URL, unable to update the data to use the most current data.");
Logger.getLogger(NvdCveUpdater.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
} catch (DownloadFailedException ex) {
Logger.getLogger(NvdCveUpdater.class.getName()).log(Level.WARNING,
LOGGER.log(Level.WARNING,
"Unable to download the NVD CVE data, unable to update the data to use the most current data.");
Logger.getLogger(NvdCveUpdater.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
}
}
}


@@ -34,7 +34,7 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import static org.owasp.dependencycheck.data.nvdcve.DatabaseProperties.MODIFIED;
import org.owasp.dependencycheck.data.update.exception.InvalidDataException;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.owasp.dependencycheck.data.update.task.CallableDownloadTask;
import org.owasp.dependencycheck.data.update.task.DownloadTask;
import org.owasp.dependencycheck.data.update.task.ProcessTask;
import org.owasp.dependencycheck.utils.DownloadFailedException;
import org.owasp.dependencycheck.utils.InvalidSettingException;
@@ -47,6 +47,10 @@ import org.owasp.dependencycheck.utils.Settings;
*/
public class StandardUpdate {
/**
* Static logger.
*/
private static final Logger LOGGER = Logger.getLogger(StandardUpdate.class.getName());
/**
* The max thread pool size to use when downloading files.
*/
@@ -104,7 +108,7 @@ public class StandardUpdate {
return;
}
if (maxUpdates > 3) {
Logger.getLogger(StandardUpdate.class.getName()).log(Level.INFO,
LOGGER.log(Level.INFO,
"NVD CVE requires several updates; this could take a couple of minutes.");
}
if (maxUpdates > 0) {
@@ -118,7 +122,7 @@ public class StandardUpdate {
final Set<Future<Future<ProcessTask>>> downloadFutures = new HashSet<Future<Future<ProcessTask>>>(maxUpdates);
for (NvdCveInfo cve : updateable) {
if (cve.getNeedsUpdate()) {
final CallableDownloadTask call = new CallableDownloadTask(cve, processExecutor, cveDB);
final DownloadTask call = new DownloadTask(cve, processExecutor, cveDB, Settings.getInstance());
downloadFutures.add(downloadExecutors.submit(call));
}
}
@@ -134,19 +138,19 @@ public class StandardUpdate {
downloadExecutors.shutdownNow();
processExecutor.shutdownNow();
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during download", ex);
LOGGER.log(Level.FINE, "Thread was interrupted during download", ex);
throw new UpdateException("The download was interrupted", ex);
} catch (ExecutionException ex) {
downloadExecutors.shutdownNow();
processExecutor.shutdownNow();
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during download execution", ex);
LOGGER.log(Level.FINE, "Thread was interrupted during download execution", ex);
throw new UpdateException("The execution of the download was interrupted", ex);
}
if (task == null) {
downloadExecutors.shutdownNow();
processExecutor.shutdownNow();
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during download");
LOGGER.log(Level.FINE, "Thread was interrupted during download");
throw new UpdateException("The download was interrupted; unable to complete the update");
} else {
processFutures.add(task);
@@ -161,11 +165,11 @@ public class StandardUpdate {
}
} catch (InterruptedException ex) {
processExecutor.shutdownNow();
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during processing", ex);
LOGGER.log(Level.FINE, "Thread was interrupted during processing", ex);
throw new UpdateException(ex);
} catch (ExecutionException ex) {
processExecutor.shutdownNow();
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Execution Exception during process", ex);
LOGGER.log(Level.FINE, "Execution Exception during process", ex);
throw new UpdateException(ex);
} finally {
processExecutor.shutdown();
@@ -174,7 +178,9 @@ public class StandardUpdate {
if (maxUpdates >= 1) { //ensure the modified file date gets written (we may not have actually updated it)
properties.save(updateable.get(MODIFIED));
LOGGER.log(Level.INFO, "Begin database maintenance.");
cveDB.cleanupDatabase();
LOGGER.log(Level.INFO, "End database maintenance.");
}
} finally {
closeDataStores();
@@ -197,10 +203,10 @@ public class StandardUpdate {
updates = retrieveCurrentTimestampsFromWeb();
} catch (InvalidDataException ex) {
final String msg = "Unable to retrieve valid timestamp from nvd cve downloads page";
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, msg, ex);
LOGGER.log(Level.FINE, msg, ex);
throw new DownloadFailedException(msg, ex);
} catch (InvalidSettingException ex) {
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Invalid setting found when retrieving timestamps", ex);
LOGGER.log(Level.FINE, "Invalid setting found when retrieving timestamps", ex);
throw new DownloadFailedException("Invalid settings", ex);
}
@@ -233,9 +239,7 @@ public class StandardUpdate {
} catch (NumberFormatException ex) {
final String msg = String.format("Error parsing '%s' '%s' from nvdcve.lastupdated",
DatabaseProperties.LAST_UPDATED_BASE, entry.getId());
Logger
.getLogger(StandardUpdate.class
.getName()).log(Level.FINE, msg, ex);
LOGGER.log(Level.FINE, msg, ex);
}
if (currentTimestamp == entry.getTimestamp()) {
entry.setNeedsUpdate(false);
@@ -245,8 +249,8 @@ public class StandardUpdate {
}
} catch (NumberFormatException ex) {
final String msg = "An invalid schema version or timestamp exists in the data.properties file.";
Logger.getLogger(StandardUpdate.class.getName()).log(Level.WARNING, msg);
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "", ex);
LOGGER.log(Level.WARNING, msg);
LOGGER.log(Level.FINE, "", ex);
}
}
return updates;
@@ -290,7 +294,7 @@ public class StandardUpdate {
try {
cveDB.close();
} catch (Throwable ignore) {
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINEST, "Error closing the cveDB", ignore);
LOGGER.log(Level.FINEST, "Error closing the cveDB", ignore);
}
}
}
@@ -309,7 +313,7 @@ public class StandardUpdate {
cveDB.open();
} catch (DatabaseException ex) {
closeDataStores();
Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Database Exception opening databases", ex);
LOGGER.log(Level.FINE, "Database Exception opening databases", ex);
throw new UpdateException("Error updating the CPE/CVE data, please see the log file for more details.");
}
}


@@ -21,37 +21,25 @@ import java.util.Iterator;
import java.util.ServiceLoader;
/**
* The CachedWebDataSource Service Loader. This class loads all services that implement
* org.owasp.dependencycheck.data.update.CachedWebDataSource.
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public final class UpdateService {
public class UpdateService {
/**
* the singleton reference to the service.
*/
private static UpdateService service;
/**
* the service loader for CachedWebDataSource.
*/
private final ServiceLoader<CachedWebDataSource> loader;
/**
* Creates a new instance of UpdateService
*/
private UpdateService() {
loader = ServiceLoader.load(CachedWebDataSource.class);
}
/**
* Retrieve the singleton instance of UpdateService.
* Creates a new instance of UpdateService.
*
* @return a singleton UpdateService.
* @param classLoader the ClassLoader to use when dynamically loading Analyzer and Update services
*/
public static synchronized UpdateService getInstance() {
if (service == null) {
service = new UpdateService();
}
return service;
public UpdateService(ClassLoader classLoader) {
loader = ServiceLoader.load(CachedWebDataSource.class, classLoader);
}
/**
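Review bot: Dropping `final` from the class declaration is unmotivated by the rest of the change, which only replaces the singleton with a constructor taking a `ClassLoader`; keep `public final class UpdateService` unless subclassing is planned, since a class whose only state is a private `ServiceLoader` gains nothing from being extensible. The constructor Javadoc says "Analyzer and Update services", but this loader only ever discovers `CachedWebDataSource` implementations; suggest `@param classLoader the ClassLoader used to discover CachedWebDataSource implementations via ServiceLoader`. It is also worth stating in that Javadoc that every `CachedWebDataSource` visible to the supplied loader will be instantiated and run, so the caller is choosing which classpath is trusted to contribute update sources. The hunk ends mid-Javadoc, so the rest of the class is outside this view.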


@@ -27,6 +27,7 @@ import java.util.logging.Level;
import java.util.logging.Logger;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.update.NvdCveInfo;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.owasp.dependencycheck.utils.DownloadFailedException;
import org.owasp.dependencycheck.utils.Downloader;
import org.owasp.dependencycheck.utils.Settings;
@@ -36,7 +37,12 @@ import org.owasp.dependencycheck.utils.Settings;
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class CallableDownloadTask implements Callable<Future<ProcessTask>> {
public class DownloadTask implements Callable<Future<ProcessTask>> {
/**
* The Logger.
*/
private static final Logger LOGGER = Logger.getLogger(DownloadTask.class.getName());
/**
* Simple constructor for the callable download task.
@@ -44,11 +50,15 @@ public class CallableDownloadTask implements Callable<Future<ProcessTask>> {
* @param nvdCveInfo the NVD CVE info
* @param processor the processor service to submit the downloaded files to
* @param cveDB the CVE DB to use to store the vulnerability data
* @param settings a reference to the global settings object; this is necessary so that when the thread is started
* the dependencies have a correct reference to the global settings.
* @throws UpdateException thrown if temporary files could not be created
*/
public CallableDownloadTask(NvdCveInfo nvdCveInfo, ExecutorService processor, CveDB cveDB) {
public DownloadTask(NvdCveInfo nvdCveInfo, ExecutorService processor, CveDB cveDB, Settings settings) throws UpdateException {
this.nvdCveInfo = nvdCveInfo;
this.processorService = processor;
this.cveDB = cveDB;
this.settings = settings;
final File file1;
final File file2;
@@ -57,7 +67,7 @@ public class CallableDownloadTask implements Callable<Future<ProcessTask>> {
file1 = File.createTempFile("cve" + nvdCveInfo.getId() + "_", ".xml", Settings.getTempDirectory());
file2 = File.createTempFile("cve_1_2_" + nvdCveInfo.getId() + "_", ".xml", Settings.getTempDirectory());
} catch (IOException ex) {
return;
throw new UpdateException("Unable to create temporary files", ex);
}
this.first = file1;
this.second = file2;
@@ -75,6 +85,10 @@ public class CallableDownloadTask implements Callable<Future<ProcessTask>> {
* The NVD CVE Meta Data.
*/
private NvdCveInfo nvdCveInfo;
/**
* A reference to the global settings object.
*/
private Settings settings;
/**
* Get the value of nvdCveInfo.
@@ -163,30 +177,33 @@ public class CallableDownloadTask implements Callable<Future<ProcessTask>> {
@Override
public Future<ProcessTask> call() throws Exception {
try {
Settings.setInstance(settings);
final URL url1 = new URL(nvdCveInfo.getUrl());
final URL url2 = new URL(nvdCveInfo.getOldSchemaVersionUrl());
String msg = String.format("Download Started for NVD CVE - %s", nvdCveInfo.getId());
Logger.getLogger(CallableDownloadTask.class.getName()).log(Level.INFO, msg);
LOGGER.log(Level.INFO, msg);
try {
Downloader.fetchFile(url1, first);
Downloader.fetchFile(url2, second);
} catch (DownloadFailedException ex) {
msg = String.format("Download Failed for NVD CVE - %s%nSome CVEs may not be reported.", nvdCveInfo.getId());
Logger.getLogger(CallableDownloadTask.class.getName()).log(Level.WARNING, msg);
Logger.getLogger(CallableDownloadTask.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.WARNING, msg);
LOGGER.log(Level.FINE, null, ex);
return null;
}
msg = String.format("Download Complete for NVD CVE - %s", nvdCveInfo.getId());
Logger.getLogger(CallableDownloadTask.class.getName()).log(Level.INFO, msg);
LOGGER.log(Level.INFO, msg);
final ProcessTask task = new ProcessTask(cveDB, this);
final ProcessTask task = new ProcessTask(cveDB, this, settings);
return this.processorService.submit(task);
} catch (Throwable ex) {
final String msg = String.format("An exception occurred downloading NVD CVE - %s%nSome CVEs may not be reported.", nvdCveInfo.getId());
Logger.getLogger(CallableDownloadTask.class.getName()).log(Level.WARNING, msg);
Logger.getLogger(CallableDownloadTask.class.getName()).log(Level.FINE, "Download Task Failed", ex);
LOGGER.log(Level.WARNING, msg);
LOGGER.log(Level.FINE, "Download Task Failed", ex);
} finally {
Settings.cleanup(false);
}
return null;
}
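Review bot: In the constructor's temp-file block, a failure of the second `File.createTempFile` leaves the first temp file on disk, because `file1` has already been created when the `IOException` is thrown and the new `throw new UpdateException(...)` path never deletes it. The same files are also left behind by the two `return null` paths in `call()` (the `DownloadFailedException` branch and the `catch (Throwable ex)`), unless a caller not in view cleans them up; the only deletion visible is `filePair.cleanup()` in ProcessTask, which is never reached when no ProcessTask is submitted. Separately, `catch (Throwable ex)` also swallows `Error`s and any `InterruptedException`; catching `Exception` and re-interrupting on `InterruptedException` would be the narrower choice. The constructor fix needs the two locals to be non-final so the catch block can see `file1`:
```java
public DownloadTask(NvdCveInfo nvdCveInfo, ExecutorService processor, CveDB cveDB, Settings settings) throws UpdateException {
    // … unchanged: field assignments …
    File file1 = null;
    File file2 = null;
    try {
        file1 = File.createTempFile("cve" + nvdCveInfo.getId() + "_", ".xml", Settings.getTempDirectory());
        file2 = File.createTempFile("cve_1_2_" + nvdCveInfo.getId() + "_", ".xml", Settings.getTempDirectory());
    } catch (IOException ex) {
        // the first temp file may already exist; remove it so a failed construction leaves nothing behind
        if (file1 != null && !file1.delete()) {
            file1.deleteOnExit();
        }
        throw new UpdateException("Unable to create temporary files", ex);
    }
    this.first = file1;
    this.second = file2;
```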


@@ -32,11 +32,11 @@ import javax.xml.parsers.SAXParserFactory;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import org.owasp.dependencycheck.data.update.StandardUpdate;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.owasp.dependencycheck.data.update.xml.NvdCve12Handler;
import org.owasp.dependencycheck.data.update.xml.NvdCve20Handler;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
import org.owasp.dependencycheck.utils.Settings;
import org.xml.sax.SAXException;
/**
@@ -46,6 +46,10 @@ import org.xml.sax.SAXException;
*/
public class ProcessTask implements Callable<ProcessTask> {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(ProcessTask.class.getName());
/**
* A field to store any update exceptions that occur during the "call".
*/
@@ -75,22 +79,29 @@ public class ProcessTask implements Callable<ProcessTask> {
/**
* A reference to the callable download task.
*/
private final CallableDownloadTask filePair;
private final DownloadTask filePair;
/**
* A reference to the properties.
*/
private final DatabaseProperties properties;
/**
* A reference to the global settings object.
*/
private Settings settings;
/**
* Constructs a new ProcessTask used to process an NVD CVE update.
*
* @param cveDB the data store object
* @param filePair the download task that contains the URL references to download
* @param settings a reference to the global settings object; this is necessary so that when the thread is started
* the dependencies have a correct reference to the global settings.
*/
public ProcessTask(final CveDB cveDB, final CallableDownloadTask filePair) {
public ProcessTask(final CveDB cveDB, final DownloadTask filePair, Settings settings) {
this.cveDB = cveDB;
this.filePair = filePair;
this.properties = cveDB.getDatabaseProperties();
this.settings = settings;
}
/**
@@ -103,9 +114,12 @@ public class ProcessTask implements Callable<ProcessTask> {
@Override
public ProcessTask call() throws Exception {
try {
Settings.setInstance(settings);
processFiles();
} catch (UpdateException ex) {
this.exception = ex;
} finally {
Settings.cleanup(false);
}
return this;
}
@@ -145,7 +159,7 @@ public class ProcessTask implements Callable<ProcessTask> {
*/
private void processFiles() throws UpdateException {
String msg = String.format("Processing Started for NVD CVE - %s", filePair.getNvdCveInfo().getId());
Logger.getLogger(StandardUpdate.class.getName()).log(Level.INFO, msg);
LOGGER.log(Level.INFO, msg);
try {
importXML(filePair.getFirst(), filePair.getSecond());
cveDB.commit();
@@ -168,6 +182,6 @@ public class ProcessTask implements Callable<ProcessTask> {
filePair.cleanup();
}
msg = String.format("Processing Complete for NVD CVE - %s", filePair.getNvdCveInfo().getId());
Logger.getLogger(StandardUpdate.class.getName()).log(Level.INFO, msg);
LOGGER.log(Level.INFO, msg);
}
}
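Review bot: The new `settings` field is declared `private Settings settings;` while the sibling fields `cveDB`, `filePair` and `properties` are all `final`, and it is only ever assigned in the constructor; declare it `private final Settings settings;` so the task is immutable once built before it is handed to the executor. The same applies to `private Settings settings;` in DownloadTask in the section above. The `Settings.setInstance(settings)` / `Settings.cleanup(false)` pairing in `call()` deserves a one-line why-comment, e.g. `// presumably Settings is bound per thread, so the worker must be attached to the caller's instance — confirm`, since nothing in this hunk shows why a worker thread needs its own binding.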


@@ -40,6 +40,10 @@ import org.xml.sax.helpers.DefaultHandler;
*/
public class NvdCve20Handler extends DefaultHandler {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(NvdCve20Handler.class.getName());
/**
* the current supported schema version.
*/
@@ -168,8 +172,8 @@ public class NvdCve20Handler extends DefaultHandler {
final float score = Float.parseFloat(nodeText.toString());
vulnerability.setCvssScore(score);
} catch (NumberFormatException ex) {
Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.SEVERE, "Error parsing CVSS Score.");
Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.SEVERE, "Error parsing CVSS Score.");
LOGGER.log(Level.FINE, null, ex);
}
nodeText = null;
} else if (current.isCVSSAccessVectorNode()) {


@@ -37,6 +37,10 @@ import org.owasp.dependencycheck.utils.FileUtils;
*/
public class Dependency implements Comparable<Dependency> {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(Dependency.class.getName());
/**
* The actual file path of the dependency on disk.
*/
@@ -87,6 +91,8 @@ public class Dependency implements Comparable<Dependency> {
versionEvidence = new EvidenceCollection();
identifiers = new TreeSet<Identifier>();
vulnerabilities = new TreeSet<Vulnerability>(new VulnerabilityComparator());
suppressedIdentifiers = new TreeSet<Identifier>();
suppressedVulnerabilities = new TreeSet<Vulnerability>(new VulnerabilityComparator());
}
/**
@@ -171,6 +177,33 @@ public class Dependency implements Comparable<Dependency> {
this.filePath = filePath;
}
/**
* The file name to display in reports.
*/
private String displayName = null;
/**
* Sets the file name to display in reports.
*
* @param displayName the name to display
*/
public void setDisplayFileName(String displayName) {
this.displayName = displayName;
}
/**
* Returns the file name to display in reports; if no display file name has been set it will default to the actual
* file name.
*
* @return the file name to display
*/
public String getDisplayFileName() {
if (displayName == null) {
return this.fileName;
}
return this.displayName;
}
/**
* <p>
* Gets the file path of the dependency.</p>
@@ -290,6 +323,69 @@ public class Dependency implements Comparable<Dependency> {
public void addIdentifier(Identifier identifier) {
this.identifiers.add(identifier);
}
/**
* A set of identifiers that have been suppressed.
*/
private Set<Identifier> suppressedIdentifiers;
/**
* Get the value of suppressedIdentifiers.
*
* @return the value of suppressedIdentifiers
*/
public Set<Identifier> getSuppressedIdentifiers() {
return suppressedIdentifiers;
}
/**
* Set the value of suppressedIdentifiers.
*
* @param suppressedIdentifiers new value of suppressedIdentifiers
*/
public void setSuppressedIdentifiers(Set<Identifier> suppressedIdentifiers) {
this.suppressedIdentifiers = suppressedIdentifiers;
}
/**
* Adds an identifier to the list of suppressed identifiers.
*
* @param identifier an identifier that was suppressed.
*/
public void addSuppressedIdentifier(Identifier identifier) {
this.suppressedIdentifiers.add(identifier);
}
/**
* A set of vulnerabilities that have been suppressed.
*/
private SortedSet<Vulnerability> suppressedVulnerabilities;
/**
* Get the value of suppressedVulnerabilities.
*
* @return the value of suppressedVulnerabilities
*/
public SortedSet<Vulnerability> getSuppressedVulnerabilities() {
return suppressedVulnerabilities;
}
/**
* Set the value of suppressedVulnerabilities.
*
* @param suppressedVulnerabilities new value of suppressedVulnerabilities
*/
public void setSuppressedVulnerabilities(SortedSet<Vulnerability> suppressedVulnerabilities) {
this.suppressedVulnerabilities = suppressedVulnerabilities;
}
/**
* Adds a vulnerability to the set of suppressed vulnerabilities.
*
* @param vulnerability the vulnerability that was suppressed
*/
public void addSuppressedVulnerability(Vulnerability vulnerability) {
this.suppressedVulnerabilities.add(vulnerability);
}
/**
* Returns the evidence used to identify this dependency.
@@ -300,6 +396,15 @@ public class Dependency implements Comparable<Dependency> {
return EvidenceCollection.merge(this.productEvidence, this.vendorEvidence, this.versionEvidence);
}
/**
* Returns the evidence used to identify this dependency.
*
* @return an EvidenceCollection.
*/
public Set<Evidence> getEvidenceForDisplay() {
return EvidenceCollection.mergeForDisplay(this.productEvidence, this.vendorEvidence, this.versionEvidence);
}
/**
* Returns the evidence used to identify this dependency.
*
@@ -415,12 +520,12 @@ public class Dependency implements Comparable<Dependency> {
sha1 = Checksum.getSHA1Checksum(file);
} catch (IOException ex) {
final String msg = String.format("Unable to read '%s' to determine hashes.", file.getName());
Logger.getLogger(Dependency.class.getName()).log(Level.WARNING, msg);
Logger.getLogger(Dependency.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.WARNING, msg);
LOGGER.log(Level.FINE, null, ex);
} catch (NoSuchAlgorithmException ex) {
final String msg = "Unable to use MD5 of SHA1 checksums.";
Logger.getLogger(Dependency.class.getName()).log(Level.WARNING, msg);
Logger.getLogger(Dependency.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.WARNING, msg);
LOGGER.log(Level.FINE, null, ex);
}
this.setMd5sum(md5);
this.setSha1sum(sha1);
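Review bot: `setSuppressedIdentifiers` and `setSuppressedVulnerabilities` accept `null`, after which `addSuppressedIdentifier` / `addSuppressedVulnerability` throw `NullPointerException`, and the matching getters hand out the internal mutable sets; either reject null explicitly (`if (suppressedIdentifiers == null) throw new IllegalArgumentException("suppressedIdentifiers");`) or fall back to an empty `TreeSet` as the constructor does. `getEvidenceForDisplay` copies the Javadoc of `getEvidence` verbatim ("Returns the evidence used to identify this dependency") although `EvidenceCollection.mergeForDisplay` returns only used evidence with the confidence stripped; suggest `@return the used evidence with confidence removed, for display in reports`. The `displayName` field is placed between the `filePath` setter and the `filePath` getter Javadoc, which breaks the field-then-accessors layout the rest of the class follows.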


@@ -220,22 +220,95 @@ public class Evidence implements Comparable<Evidence> {
* @return an integer indicating the ordering of the two objects
*/
public int compareTo(Evidence o) {
if (source.equals(o.source)) {
if (name.equals(o.name)) {
if (value.equals(o.value)) {
if (confidence.equals(o.confidence)) {
if (o == null) {
return 1;
}
if (equalsWithNullCheck(source, o.source)) {
if (equalsWithNullCheck(name, o.name)) {
if (equalsWithNullCheck(value, o.value)) {
if (equalsWithNullCheck(confidence, o.confidence)) {
return 0; //they are equal
} else {
return confidence.compareTo(o.confidence);
return compareToWithNullCheck(confidence, o.confidence);
}
} else {
return value.compareToIgnoreCase(o.value);
return compareToIgnoreCaseWithNullCheck(value, o.value);
}
} else {
return name.compareToIgnoreCase(o.name);
return compareToIgnoreCaseWithNullCheck(name, o.name);
}
} else {
return source.compareToIgnoreCase(o.source);
return compareToIgnoreCaseWithNullCheck(source, o.source);
}
}
/**
* Equality check with an exhaustive, possibly duplicative, check against nulls.
*
* @param me the value to be compared
* @param other the other value to be compared
* @return true if the values are equal; otherwise false
*/
private boolean equalsWithNullCheck(String me, String other) {
if (me == null && other == null) {
return true;
} else if (me == null || other == null) {
return false;
}
return me.equals(other);
}
/**
* Equality check with an exhaustive, possibly duplicative, check against nulls.
*
* @param me the value to be compared
* @param other the other value to be compared
* @return true if the values are equal; otherwise false
*/
private boolean equalsWithNullCheck(Confidence me, Confidence other) {
if (me == null && other == null) {
return true;
} else if (me == null || other == null) {
return false;
}
return me.equals(other);
}
/**
* Wrapper around {@link java.lang.String#compareToIgnoreCase(java.lang.String) String.compareToIgnoreCase} with an
* exhaustive, possibly duplicative, check against nulls.
*
* @param me the value to be compared
* @param other the other value to be compared
* @return true if the values are equal; otherwise false
*/
private int compareToIgnoreCaseWithNullCheck(String me, String other) {
if (me == null && other == null) {
return 0;
} else if (me == null) {
return -1; //the other string is greater then me
} else if (other == null) {
return 1; //me is greater then the other string
}
return me.compareToIgnoreCase(other);
}
/**
* Wrapper around {@link java.lang.Enum#compareTo(java.lang.Enum) Enum.compareTo} with an exhaustive, possibly
* duplicative, check against nulls.
*
* @param me the value to be compared
* @param other the other value to be compared
* @return true if the values are equal; otherwise false
*/
private int compareToWithNullCheck(Confidence me, Confidence other) {
if (me == null && other == null) {
return 0;
} else if (me == null) {
return -1; //the other string is greater then me
} else if (other == null) {
return 1; //me is greater then the other string
}
return me.compareTo(other);
}
}
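Review bot: The Javadoc of `compareToIgnoreCaseWithNullCheck` and `compareToWithNullCheck` says `@return true if the values are equal; otherwise false` but both return an `int`; it should read `@return a negative integer, zero, or a positive integer as {@code me} is less than, equal to, or greater than {@code other}; null sorts first`. None of the four helpers touches instance state, so they can be `private static`. Returning `1` for `compareTo(null)` departs from the `Comparable` contract, which specifies a `NullPointerException`; it is harmless for `TreeSet` (which rejects null elements anyway) but deserves a comment saying it is deliberate. Whether `equals`/`hashCode` received the same null-tolerant treatment is not visible in this hunk, and an inconsistent pair would make `TreeSet` and `HashSet` disagree on membership.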


@@ -38,6 +38,10 @@ import org.owasp.dependencycheck.utils.UrlStringUtils;
*/
public class EvidenceCollection implements Iterable<Evidence> {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(EvidenceCollection.class.getName());
/**
* Used to iterate over highest confidence evidence contained in the collection.
*/
@@ -307,6 +311,26 @@ public class EvidenceCollection implements Iterable<Evidence> {
return ret;
}
/**
* Merges multiple EvidenceCollections together; flattening all of the evidence items by removing the confidence.
*
* @param ec One or more EvidenceCollections
* @return new set of evidence resulting from merging the evidence in the collections
*/
public static Set<Evidence> mergeForDisplay(EvidenceCollection... ec) {
final Set<Evidence> ret = new TreeSet<Evidence>();
for (EvidenceCollection col : ec) {
for (Evidence e : col) {
if (e.isUsed()) {
final Evidence newEvidence = new Evidence(e.getSource(), e.getName(), e.getValue(), null);
newEvidence.setUsed(true);
ret.add(newEvidence);
}
}
}
return ret;
}
/**
* Returns a string of evidence 'values'.
*
@@ -360,7 +384,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
final List<String> data = UrlStringUtils.extractImportantUrlData(part);
sb.append(' ').append(StringUtils.join(data, ' '));
} catch (MalformedURLException ex) {
Logger.getLogger(EvidenceCollection.class.getName()).log(Level.FINE, "error parsing " + part, ex);
LOGGER.log(Level.FINE, "error parsing " + part, ex);
sb.append(' ').append(part);
}
} else {
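Review bot: `mergeForDisplay` only copies evidence for which `e.isUsed()` is true, but its Javadoc promises to flatten "all of the evidence items"; suggest `@return a new set containing only the evidence marked as used, with the confidence dropped so duplicates across confidence levels collapse`. Because the copies are built with a `null` confidence, the ordering of the returned `TreeSet` relies on `Evidence.compareTo` tolerating null — worth a one-line comment at the `new Evidence(..., null)` call, e.g. `// confidence intentionally null; Evidence.compareTo is null-safe`, so the next reader does not "fix" it by restoring the confidence. The `setUsed(true)` on the copy restates what the filter already guarantees but is harmless.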


@@ -31,6 +31,10 @@ import org.owasp.dependencycheck.data.cpe.IndexEntry;
*/
public class VulnerableSoftware extends IndexEntry implements Serializable, Comparable<VulnerableSoftware> {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(VulnerableSoftware.class.getName());
/**
* The serial version UID.
*/
@@ -46,8 +50,8 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
parseName(cpe);
} catch (UnsupportedEncodingException ex) {
final String msg = String.format("Character encoding is unsupported for CPE '%s'.", cpe);
Logger.getLogger(VulnerableSoftware.class.getName()).log(Level.WARNING, msg);
Logger.getLogger(VulnerableSoftware.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.WARNING, msg);
LOGGER.log(Level.FINE, null, ex);
setName(cpe);
}
}
@@ -73,19 +77,19 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
if (cpeName != null && cpeName.length() > 7) {
final String[] data = cpeName.substring(7).split(":");
if (data.length >= 1) {
this.setVendor(URLDecoder.decode(data[0].replace("+", "%2B"), "UTF-8"));
this.setVendor(urlDecode(data[0]));
}
if (data.length >= 2) {
this.setProduct(URLDecoder.decode(data[1].replace("+", "%2B"), "UTF-8"));
this.setProduct(urlDecode(data[1]));
}
if (data.length >= 3) {
version = URLDecoder.decode(data[2].replace("+", "%2B"), "UTF-8");
version = urlDecode(data[2]);
}
if (data.length >= 4) {
revision = URLDecoder.decode(data[3].replace("+", "%2B"), "UTF-8");
revision = urlDecode(data[3]);
}
if (data.length >= 5) {
edition = URLDecoder.decode(data[4].replace("+", "%2B"), "UTF-8");
edition = urlDecode(data[4]);
}
}
}
@@ -337,4 +341,25 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
public void setEdition(String edition) {
this.edition = edition;
}
/**
* Replaces '+' with '%2B' and then URL Decodes the string attempting first UTF-8, then ASCII, then default.
*
* @param string the string to URL Decode
* @return the URL Decoded string
*/
private String urlDecode(String string) {
final String text = string.replace("+", "%2B");
String result;
try {
result = URLDecoder.decode(text, "UTF-8");
} catch (UnsupportedEncodingException ex) {
try {
result = URLDecoder.decode(text, "ASCII");
} catch (UnsupportedEncodingException ex1) {
result = URLDecoder.decode(text);
}
}
return result;
}
}
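Review bot: `URLDecoder.decode` throws `IllegalArgumentException` for a malformed escape such as a lone `%` or `%zz`, and neither `urlDecode` nor the constructor's `catch (UnsupportedEncodingException ex)` at the top of this section handles it, so one malformed CPE string in the downloaded NVD data would abort parsing unless a caller outside this view catches it. The `UnsupportedEncodingException` branches, by contrast, are effectively dead: UTF-8 is a mandatory charset on every JVM, so the ASCII and platform-default fallbacks never run. Catch the malformed-escape case inside `urlDecode`, log it at FINE and keep the raw component so the rest of the feed still loads:
```java
private String urlDecode(String string) {
    final String text = string.replace("+", "%2B");
    try {
        try {
            return URLDecoder.decode(text, "UTF-8");
        } catch (UnsupportedEncodingException ex) {
            // … unchanged: ASCII, then platform-default fallback …
            return URLDecoder.decode(text);
        }
    } catch (IllegalArgumentException ex) {
        // a malformed escape (e.g. a trailing '%') in one CPE must not abort parsing of the whole feed
        LOGGER.log(Level.FINE, String.format("Unable to URL decode CPE component '%s'", string), ex);
        return string;
    }
}
```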


@@ -56,16 +56,16 @@ public class MavenNamespaceFilter extends XMLFilterImpl {
* @param uri the uri
* @param localName the localName
* @param qName the qualified name
* @param atts the attributes
* @param attributes the attributes
* @throws SAXException thrown if there is a SAXException
*/
@Override
public void startElement(String uri, String localName, String qName, Attributes atts) throws SAXException {
super.startElement(NAMESPACE, localName, qName, atts);
public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
super.startElement(NAMESPACE, localName, qName, attributes);
}
/**
* Indicatees the start of the document.
* Indicates the start of the document.
*
* @param uri the uri
* @param localName the localName


@@ -0,0 +1,74 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.reporting;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.commons.lang.StringEscapeUtils;
/**
* An extremely simple wrapper around various escape utils to perform URL and HTML encoding within the reports. This
* class was created to simplify the velocity configuration and avoid using the "built-in" escape tool.
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class EscapeTool {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(EscapeTool.class.getName());
/**
* URL Encodes the provided text.
*
* @param text the text to encode
* @return the URL encoded text
*/
public String url(String text) {
try {
return URLEncoder.encode(text, "UTF-8");
} catch (UnsupportedEncodingException ex) {
LOGGER.log(Level.WARNING, "UTF-8 is not supported?");
LOGGER.log(Level.INFO, null, ex);
}
return "";
}
/**
* HTML Encodes the provided text.
*
* @param text the text to encode
* @return the HTML encoded text
*/
public String html(String text) {
return StringEscapeUtils.escapeHtml(text);
}
/**
* XML Encodes the provided text.
*
* @param text the text to encode
* @return the XML encoded text
*/
public String xml(String text) {
return StringEscapeUtils.escapeXml(text);
}
}
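Review bot: `html` delegates to commons-lang `StringEscapeUtils.escapeHtml`, which encodes `<`, `>`, `&` and `"` but leaves the apostrophe alone, so a value is only safe in element content or a double-quoted attribute; since this tool is the report's output-encoding defence for strings taken from scanned artifacts (file names, evidence values), document that restriction in the Javadoc, e.g. `Note: the apostrophe is not escaped; do not use the result inside single-quoted attributes or inline script`. `url(null)` throws `NullPointerException` from `URLEncoder.encode`, whereas `html(null)` and `xml(null)` return null if I recall commons-lang's null handling correctly; pick one null behaviour and state it in all three Javadocs. The `UnsupportedEncodingException` branch in `url` cannot occur for UTF-8 on a compliant JVM, so returning `""` there silently drops the value — rethrowing as `IllegalStateException("UTF-8 not supported", ex)` would surface the impossible case instead of hiding it at WARNING.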


@@ -26,15 +26,16 @@ import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.context.Context;
import org.apache.velocity.runtime.RuntimeConstants;
import org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader;
import org.apache.velocity.tools.ToolManager;
import org.apache.velocity.tools.config.EasyFactoryConfiguration;
import org.owasp.dependencycheck.analyzer.Analyzer;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import org.owasp.dependencycheck.dependency.Dependency;
@@ -48,6 +49,11 @@ import org.owasp.dependencycheck.utils.Settings;
*/
public class ReportGenerator {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(ReportGenerator.class.getName());
/**
* An enumeration of the report formats.
*/
@@ -93,10 +99,20 @@ public class ReportGenerator {
engine.init();
final DateFormat dateFormat = new SimpleDateFormat("MMM d, yyyy 'at' HH:mm:ss z");
final DateFormat dateFormatXML = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ");
final Date d = new Date();
final String scanDate = dateFormat.format(d);
final String scanDateXML = dateFormatXML.format(d);
final EscapeTool enc = new EscapeTool();
context.put("applicationName", applicationName);
context.put("dependencies", dependencies);
context.put("analyzers", analyzers);
context.put("properties", properties);
context.put("scanDate", scanDate);
context.put("scanDateXML", scanDateXML);
context.put("enc", enc);
context.put("version", Settings.getString("application.version", "Unknown"));
}
@@ -106,28 +122,19 @@ public class ReportGenerator {
* @return a velocity engine.
*/
private VelocityEngine createVelocityEngine() {
final VelocityEngine ve = new VelocityEngine();
ve.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS, VelocityLoggerRedirect.class.getName());
ve.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
ve.setProperty("classpath.resource.loader.class", ClasspathResourceLoader.class.getName());
return ve;
final VelocityEngine engine = new VelocityEngine();
// Logging redirection for Velocity - Required by Jenkins and other server applications
engine.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS, VelocityLoggerRedirect.class.getName());
return engine;
}
/**
* Creates a new Velocity Context initialized with escape and date tools.
* Creates a new Velocity Context.
*
* @return a Velocity Context.
*/
@edu.umd.cs.findbugs.annotations.SuppressWarnings(value = "RV_RETURN_VALUE_IGNORED_INFERRED",
justification = "No plan to fix this style issue")
private Context createContext() {
final ToolManager manager = new ToolManager();
final Context c = manager.createContext();
final EasyFactoryConfiguration config = new EasyFactoryConfiguration();
config.addDefaultTools();
config.toolbox("application").tool("esc", "org.apache.velocity.tools.generic.EscapeTool").tool("org.apache.velocity.tools.generic.DateTool");
manager.configure(config);
return c;
return new VelocityContext();
}
/**
@@ -196,8 +203,8 @@ public class ReportGenerator {
input = new FileInputStream(f);
} catch (FileNotFoundException ex) {
final String msg = "Unable to generate the report, the report template file could not be found.";
Logger.getLogger(ReportGenerator.class.getName()).log(Level.SEVERE, msg);
Logger.getLogger(ReportGenerator.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.SEVERE, msg);
LOGGER.log(Level.FINE, null, ex);
}
} else {
templatePath = "templates/" + templateName + ".vsl";
@@ -232,20 +239,20 @@ public class ReportGenerator {
try {
writer.close();
} catch (IOException ex) {
Logger.getLogger(ReportGenerator.class.getName()).log(Level.FINEST, null, ex);
LOGGER.log(Level.FINEST, null, ex);
}
}
if (outputStream != null) {
try {
outputStream.close();
} catch (IOException ex) {
Logger.getLogger(ReportGenerator.class.getName()).log(Level.FINEST, null, ex);
LOGGER.log(Level.FINEST, null, ex);
}
}
try {
reader.close();
} catch (IOException ex) {
Logger.getLogger(ReportGenerator.class.getName()).log(Level.FINEST, null, ex);
LOGGER.log(Level.FINEST, null, ex);
}
}
}
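Review bot: The FindBugs `@SuppressWarnings(value = "RV_RETURN_VALUE_IGNORED_INFERRED", ...)` on `createContext` is now stale: the chained `config.toolbox(...).tool(...)` call whose ignored return value it suppressed is gone and the method is a single `return new VelocityContext();`, so the annotation and its justification should be deleted. With the velocity-tools `EscapeTool`/`DateTool` no longer registered, every template reference to `$esc` or `$date` must have been migrated to `$enc` and the precomputed `scanDate`/`scanDateXML`; the `.vsl` templates are not in this view, and in Velocity's default configuration an unresolved `$esc.html(...)` is emitted literally rather than failing, so that migration is worth confirming before merge. `createVelocityEngine` also drops the `RESOURCE_LOADER` / `classpath.resource.loader.class` properties; since the later hunk still opens templates through `FileInputStream` and a hand-built `templates/` path, this looks intentional, but a comment such as `// templates are read as streams below, so no Velocity resource loader is configured` would explain why the loader setup vanished.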


@@ -19,7 +19,6 @@ package org.owasp.dependencycheck.reporting;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.velocity.app.Velocity;
import org.apache.velocity.runtime.RuntimeServices;
import org.apache.velocity.runtime.log.LogChute;
@@ -37,6 +36,11 @@ import org.apache.velocity.runtime.log.LogChute;
*/
public class VelocityLoggerRedirect implements LogChute {
/**
* The Logger.
*/
private static final Logger LOGGER = Logger.getLogger(VelocityLoggerRedirect.class.getName());
/**
* This will be invoked once by the LogManager.
*
@@ -54,7 +58,7 @@ public class VelocityLoggerRedirect implements LogChute {
* @param message the message to be logged
*/
public void log(int level, String message) {
Logger.getLogger(Velocity.class.getName()).log(getLevel(level), message);
LOGGER.log(getLevel(level), message);
}
/**
@@ -66,7 +70,7 @@ public class VelocityLoggerRedirect implements LogChute {
* @param t a throwable to log
*/
public void log(int level, String message, Throwable t) {
Logger.getLogger(Velocity.class.getName()).log(getLevel(level), message, t);
LOGGER.log(getLevel(level), message, t);
}
/**
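Review bot: Switching the logger from `Velocity.class.getName()` to `VelocityLoggerRedirect.class.getName()` changes the category under which Velocity's own messages appear, from `org.apache.velocity.app.Velocity` to this class's name, so any logging configuration that filtered on the old category stops matching. If that is intended, say so in the `LOGGER` field Javadoc, e.g. `The Logger; Velocity's messages are emitted under this class's name rather than org.apache.velocity`.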


@@ -30,6 +30,11 @@ import org.xml.sax.SAXParseException;
*/
public class SuppressionErrorHandler implements ErrorHandler {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(SuppressionErrorHandler.class.getName());
/**
* Builds a prettier exception message.
*
@@ -65,7 +70,7 @@ public class SuppressionErrorHandler implements ErrorHandler {
*/
@Override
public void warning(SAXParseException ex) throws SAXException {
Logger.getLogger(SuppressionErrorHandler.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
}
/**


@@ -54,6 +54,10 @@ public class SuppressionHandler extends DefaultHandler {
* The CWE element name.
*/
public static final String CWE = "cwe";
/**
* The GAV element name.
*/
public static final String GAV = "gav";
/**
* The cvssBelow element name.
*/
@@ -95,13 +99,10 @@ public class SuppressionHandler extends DefaultHandler {
*/
@Override
public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
currentAttributes = null;
currentAttributes = attributes;
currentText = new StringBuffer();
if (SUPPRESS.equals(qName)) {
rule = new SuppressionRule();
} else if (FILE_PATH.equals(qName)) {
currentAttributes = attributes;
}
}
@@ -123,6 +124,9 @@ public class SuppressionHandler extends DefaultHandler {
rule.setFilePath(pt);
} else if (SHA1.equals(qName)) {
rule.setSha1(currentText.toString());
} else if (GAV.equals(qName)) {
final PropertyType pt = processPropertyType();
rule.setGav(pt);
} else if (CPE.equals(qName)) {
final PropertyType pt = processPropertyType();
rule.addCpe(pt);
@@ -164,7 +168,7 @@ public class SuppressionHandler extends DefaultHandler {
pt.setRegex(Boolean.parseBoolean(regex));
}
final String caseSensitive = currentAttributes.getValue("caseSensitive");
if (regex != null) {
if (caseSensitive != null) {
pt.setCaseSensitive(Boolean.parseBoolean(caseSensitive));
}
}
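Review bot: `currentAttributes = attributes;` in startElement now retains the parser-supplied Attributes object for every element and reads it later from endElement via processPropertyType (whose body starts outside this hunk), but the SAX ContentHandler contract only guarantees the Attributes instance during the startElement callback and parsers are free to reuse it. The previous code had the same dependence for filePath only; a copy removes it for all elements at negligible cost: `currentAttributes = new AttributesImpl(attributes);` using org.xml.sax.helpers.AttributesImpl. The `if (caseSensitive != null)` correction in the last hunk looks right. As a style point, `currentText = new StringBuffer();` could be a StringBuilder unless the handler is shared across threads; the field's declaration is outside the hunk.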


@@ -27,9 +27,11 @@ import java.io.Reader;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
@@ -41,6 +43,10 @@ import org.xml.sax.XMLReader;
*/
public class SuppressionParser {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(SuppressionParser.class.getName());
/**
* JAXP Schema Language. Source: http://docs.oracle.com/javase/tutorial/jaxp/sax/validation.html
*/
@@ -62,10 +68,25 @@ public class SuppressionParser {
* @throws SuppressionParseException thrown if the xml file cannot be parsed
*/
public List<SuppressionRule> parseSuppressionRules(File file) throws SuppressionParseException {
try {
return parseSuppressionRules(new FileInputStream(file));
} catch (IOException ex) {
LOGGER.log(Level.FINE, null, ex);
throw new SuppressionParseException(ex);
}
}
/**
* Parses the given xml stream and returns a list of the suppression rules contained.
*
* @param inputStream an InputStream containing suppression rues
* @return a list of suppression rules
* @throws SuppressionParseException if the xml cannot be parsed
*/
public List<SuppressionRule> parseSuppressionRules(InputStream inputStream) throws SuppressionParseException {
try {
final InputStream schemaStream = this.getClass().getClassLoader().getResourceAsStream("schema/suppression.xsd");
final SuppressionHandler handler = new SuppressionHandler();
final SAXParserFactory factory = SAXParserFactory.newInstance();
factory.setNamespaceAware(true);
factory.setValidating(true);
@@ -76,7 +97,6 @@ public class SuppressionParser {
xmlReader.setErrorHandler(new SuppressionErrorHandler());
xmlReader.setContentHandler(handler);
final InputStream inputStream = new FileInputStream(file);
final Reader reader = new InputStreamReader(inputStream, "UTF-8");
final InputSource in = new InputSource(reader);
//in.setEncoding("UTF-8");
@@ -85,16 +105,16 @@ public class SuppressionParser {
return handler.getSuppressionRules();
} catch (ParserConfigurationException ex) {
Logger.getLogger(SuppressionParser.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
throw new SuppressionParseException(ex);
} catch (SAXException ex) {
Logger.getLogger(SuppressionParser.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
throw new SuppressionParseException(ex);
} catch (FileNotFoundException ex) {
Logger.getLogger(SuppressionParser.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
throw new SuppressionParseException(ex);
} catch (IOException ex) {
Logger.getLogger(SuppressionParser.class.getName()).log(Level.FINE, null, ex);
LOGGER.log(Level.FINE, null, ex);
throw new SuppressionParseException(ex);
}
}
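Review bot: The new File overload opens `new FileInputStream(file)` and hands it to the InputStream overload, but nothing visible closes it: the stream overload does not close its argument in the lines shown (the middle of that method, between the InputSource setup and `return handler.getSuppressionRules()`, is outside the hunk), so the file handle is likely leaked on every parse. Closing it in the File overload keeps the stream overload's contract simple (caller owns the stream); a try-with-resources would be shorter if the project targets Java 7 or later. In the stream overload the `catch (FileNotFoundException ex)` block is now redundant with the `catch (IOException ex)` below it, since no file is opened there any more. Separately, `SAXParserFactory.newInstance()` is used with validation enabled but without disabling DOCTYPE/external entity processing; because suppression files are user-supplied input, `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` (or `XMLConstants.FEATURE_SECURE_PROCESSING`) would be a cheap hardening.
```java
public List<SuppressionRule> parseSuppressionRules(File file) throws SuppressionParseException {
    InputStream fis = null;
    try {
        fis = new FileInputStream(file);
        return parseSuppressionRules(fis);
    } catch (IOException ex) {
        LOGGER.log(Level.FINE, null, ex);
        throw new SuppressionParseException(ex);
    } finally {
        if (fis != null) {
            try {
                fis.close();
            } catch (IOException ex) {
                LOGGER.log(Level.FINEST, null, ex);
            }
        }
    }
}
```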


@@ -234,6 +234,37 @@ public class SuppressionRule {
public boolean hasCve() {
return cve.size() > 0;
}
/**
* A Maven GAV to suppression.
*/
private PropertyType gav = null;
/**
* Get the value of Maven GAV.
*
* @return the value of gav
*/
public PropertyType getGav() {
return gav;
}
/**
* Set the value of Maven GAV.
*
* @param gav new value of Maven gav
*/
public void setGav(PropertyType gav) {
this.gav = gav;
}
/**
* Returns whether or not this suppression rule as GAV entries.
*
* @return whether or not this suppression rule as GAV entries
*/
public boolean hasGav() {
return gav != null;
}
/**
* Processes a given dependency to determine if any CPE, CVE, CWE, or CVSS scores should be suppressed. If any
@@ -248,12 +279,28 @@ public class SuppressionRule {
if (sha1 != null && !sha1.equalsIgnoreCase(dependency.getSha1sum())) {
return;
}
if (gav != null) {
final Iterator<Identifier> itr = dependency.getIdentifiers().iterator();
boolean gavFound = false;
while (itr.hasNext()) {
final Identifier i = itr.next();
if (identifierMatches("maven", this.gav, i)) {
gavFound = true;
break;
}
}
if (!gavFound) {
return;
}
}
if (this.hasCpe()) {
final Iterator<Identifier> itr = dependency.getIdentifiers().iterator();
while (itr.hasNext()) {
final Identifier i = itr.next();
for (PropertyType c : this.cpe) {
if (cpeMatches(c, i)) {
if (identifierMatches("cpe", c, i)) {
dependency.addSuppressedIdentifier(i);
itr.remove();
break;
}
@@ -292,6 +339,7 @@ public class SuppressionRule {
}
}
if (remove) {
dependency.addSuppressedVulnerability(v);
itr.remove();
}
}
@@ -307,7 +355,7 @@ public class SuppressionRule {
boolean cpeHasNoVersion(PropertyType c) {
if (c.isRegex()) {
return false;
} // cpe:/a:jboss:jboss:1.0.0:
}
if (countCharacter(c.getValue(), ':') == 3) {
return true;
}
@@ -334,26 +382,75 @@ public class SuppressionRule {
/**
* Determines if the cpeEntry specified as a PropertyType matches the given Identifier.
*
* @param cpeEntry a suppression rule entry
* @param identifierType the type of identifier ("cpe", "maven", etc.)
* @param suppressionEntry a suppression rule entry
* @param identifier a CPE identifier to check
* @return true if the entry matches; otherwise false
*/
boolean cpeMatches(PropertyType cpeEntry, Identifier identifier) {
if (cpeEntry.matches(identifier.getValue())) {
return true;
} else if (cpeHasNoVersion(cpeEntry)) {
if (cpeEntry.isCaseSensitive()) {
if (identifier.getValue().startsWith(cpeEntry.getValue())) {
return true;
}
} else {
final String id = identifier.getValue().toLowerCase();
final String check = cpeEntry.getValue().toLowerCase();
if (id.startsWith(check)) {
return true;
boolean identifierMatches(String identifierType, PropertyType suppressionEntry, Identifier identifier) {
if (identifierType.equals(identifier.getType())) {
if (suppressionEntry.matches(identifier.getValue())) {
return true;
} else if ("cpe".equals(identifierType) && cpeHasNoVersion(suppressionEntry)) {
if (suppressionEntry.isCaseSensitive()) {
return identifier.getValue().startsWith(suppressionEntry.getValue());
} else {
final String id = identifier.getValue().toLowerCase();
final String check = suppressionEntry.getValue().toLowerCase();
return id.startsWith(check);
}
}
}
return false;
}
/**
* Standard toString implementation.
*
* @return a string representation of this object
*/
@Override
public String toString() {
final StringBuilder sb = new StringBuilder();
sb.append("SuppressionRule{");
if (filePath != null) {
sb.append("filePath=").append(filePath).append(",");
}
if (sha1 != null) {
sb.append("sha1=").append(sha1).append(",");
}
if (gav != null) {
sb.append("gav=").append(gav).append(",");
}
if (cpe != null && cpe.size() > 0) {
sb.append("cpe={");
for (PropertyType pt : cpe) {
sb.append(pt).append(",");
}
sb.append("}");
}
if (cwe != null && cwe.size() > 0) {
sb.append("cwe={");
for (String s : cwe) {
sb.append(s).append(",");
}
sb.append("}");
}
if (cve != null && cve.size() > 0) {
sb.append("cve={");
for (String s : cve) {
sb.append(s).append(",");
}
sb.append("}");
}
if (cvssBelow != null && cvssBelow.size() > 0) {
sb.append("cvssBelow={");
for (Float s : cvssBelow) {
sb.append(s).append(",");
}
sb.append("}");
}
sb.append("}");
return sb.toString();
}
}
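Review bot: The Javadoc above identifierMatches still describes the replaced cpeMatches: its summary reads "Determines if the cpeEntry specified as a PropertyType matches the given Identifier" and `@param identifier a CPE identifier to check`, although the method is now also called with "maven" and only applies the no-version prefix rule when identifierType is "cpe". Suggest `* Determines whether the suppression entry matches the identifier, provided the identifier is of the given type.` and `* @param identifier the identifier to check`. The hasGav Javadoc says "rule as GAV entries" twice where "has" is meant. In the processing hunk, `if (gav != null)` could read `if (this.hasGav())` to mirror the `this.hasCpe()` check that follows it.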


@@ -20,7 +20,11 @@ import java.util.logging.Logger;
*
*/
public final class Checksum {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(Checksum.class.getName());
/**
* Private constructor for a utility class.
*/
@@ -57,7 +61,7 @@ public final class Checksum {
try {
fis.close();
} catch (IOException ex) {
Logger.getLogger(Checksum.class.getName()).log(Level.FINEST, "Error closing file '" + file.getName() + "'.", ex);
LOGGER.log(Level.FINEST, "Error closing file '" + file.getName() + "'.", ex);
}
}
}


@@ -23,7 +23,6 @@ import java.sql.SQLException;
import java.sql.Statement;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
/**
@@ -32,6 +31,11 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
*/
public final class DBUtils {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(DBUtils.class.getName());
/**
* Private constructor for a utility class.
*/
@@ -70,8 +74,7 @@ public final class DBUtils {
try {
statement.close();
} catch (SQLException ex) {
Logger.getLogger(CveDB.class
.getName()).log(Level.FINEST, statement.toString(), ex);
LOGGER.log(Level.FINEST, statement.toString(), ex);
}
}
}
@@ -86,8 +89,7 @@ public final class DBUtils {
try {
rs.close();
} catch (SQLException ex) {
Logger.getLogger(CveDB.class
.getName()).log(Level.FINEST, rs.toString(), ex);
LOGGER.log(Level.FINEST, rs.toString(), ex);
}
}
}


@@ -47,10 +47,10 @@ public class DependencyVersion implements Iterable, Comparable<DependencyVersion
/**
* Constructor for a DependencyVersion that will parse a version string.
* <b>Note</b>, this should only be used when the version passed in is already known to be a well formated version
* <b>Note</b>, this should only be used when the version passed in is already known to be a well formatted version
* number. Otherwise, DependencyVersionUtil.parseVersion() should be used instead.
*
* @param version the well formated version number to parse
* @param version the well formatted version number to parse
*/
public DependencyVersion(String version) {
parseVersion(version);


@@ -0,0 +1,147 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2013 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.utils;
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import org.owasp.dependencycheck.Engine;
import static org.owasp.dependencycheck.utils.FileUtils.getFileExtension;
/**
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public final class ExtractionUtil {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(ExtractionUtil.class.getName());
/**
* The buffer size to use when extracting files from the archive.
*/
private static final int BUFFER_SIZE = 4096;
/**
* Private constructor for a utility class.
*/
private ExtractionUtil() {
}
/**
* Extracts the contents of an archive into the specified directory.
*
* @param archive an archive file such as a WAR or EAR
* @param extractTo a directory to extract the contents to
* @throws ExtractionException thrown if an exception occurs while extracting the files
*/
public static void extractFiles(File archive, File extractTo) throws ExtractionException {
extractFiles(archive, extractTo, null);
}
/**
* Extracts the contents of an archive into the specified directory. The files are only extracted if they are
* supported by the analyzers loaded into the specified engine. If the engine is specified as null then all files
* are extracted.
*
* @param archive an archive file such as a WAR or EAR
* @param extractTo a directory to extract the contents to
* @param engine the scanning engine
* @throws ExtractionException thrown if there is an error extracting the files
*/
public static void extractFiles(File archive, File extractTo, Engine engine) throws ExtractionException {
if (archive == null || extractTo == null) {
return;
}
FileInputStream fis = null;
ZipInputStream zis = null;
try {
fis = new FileInputStream(archive);
} catch (FileNotFoundException ex) {
LOGGER.log(Level.FINE, null, ex);
throw new ExtractionException("Archive file was not found.", ex);
}
zis = new ZipInputStream(new BufferedInputStream(fis));
ZipEntry entry;
try {
while ((entry = zis.getNextEntry()) != null) {
if (entry.isDirectory()) {
final File d = new File(extractTo, entry.getName());
if (!d.exists() && !d.mkdirs()) {
final String msg = String.format("Unable to create '%s'.", d.getAbsolutePath());
throw new ExtractionException(msg);
}
} else {
final File file = new File(extractTo, entry.getName());
final String ext = getFileExtension(file.getName());
if (engine == null || engine.supportsExtension(ext)) {
BufferedOutputStream bos = null;
FileOutputStream fos;
try {
fos = new FileOutputStream(file);
bos = new BufferedOutputStream(fos, BUFFER_SIZE);
int count;
final byte data[] = new byte[BUFFER_SIZE];
while ((count = zis.read(data, 0, BUFFER_SIZE)) != -1) {
bos.write(data, 0, count);
}
bos.flush();
} catch (FileNotFoundException ex) {
LOGGER.log(Level.FINE, null, ex);
final String msg = String.format("Unable to find file '%s'.", file.getName());
throw new ExtractionException(msg, ex);
} catch (IOException ex) {
LOGGER.log(Level.FINE, null, ex);
final String msg = String.format("IO Exception while parsing file '%s'.", file.getName());
throw new ExtractionException(msg, ex);
} finally {
if (bos != null) {
try {
bos.close();
} catch (IOException ex) {
LOGGER.log(Level.FINEST, null, ex);
}
}
}
}
}
}
} catch (IOException ex) {
final String msg = String.format("Exception reading archive '%s'.", archive.getName());
LOGGER.log(Level.FINE, msg, ex);
throw new ExtractionException(msg, ex);
} finally {
try {
zis.close();
} catch (IOException ex) {
LOGGER.log(Level.FINEST, null, ex);
}
}
}
}
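Review bot: In extractFiles the archive entry name is used directly in `new File(extractTo, entry.getName())` in both branches of the loop with no check that the resulting path stays inside extractTo, so an entry whose name contains parent-directory segments is written outside the extraction directory. A canonical-path comparison before the isDirectory branch closes this; getCanonicalPath throws IOException, which the existing outer `catch (IOException ex)` already converts into an ExtractionException. A second, smaller issue: a file entry whose parent directory has no directory entry of its own in the archive fails in `new FileOutputStream(file)` and is reported as "Unable to find file", which is misleading; creating the parent first avoids it.
```java
try {
    // Entries must resolve inside the extraction directory once normalised.
    final String basePath = extractTo.getCanonicalPath() + File.separator;
    while ((entry = zis.getNextEntry()) != null) {
        final File target = new File(extractTo, entry.getName());
        if (!target.getCanonicalPath().startsWith(basePath)) {
            final String msg = String.format("Archive entry '%s' would be written outside of '%s'.",
                    entry.getName(), extractTo.getAbsolutePath());
            throw new ExtractionException(msg);
        }
        if (entry.isDirectory()) {
            // … unchanged: directory creation, using target in place of d …
        } else {
            final File parent = target.getParentFile();
            if (parent != null && !parent.exists() && !parent.mkdirs()) {
                throw new ExtractionException(String.format("Unable to create '%s'.", parent.getAbsolutePath()));
            }
            // … unchanged: extension check and copy loop, using target in place of file …
        }
    }
// … unchanged: catch/finally …
```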

dependency-check-core/src/main/resources/GrokAssembly.exe Executable file → Normal file



@@ -0,0 +1,12 @@
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression">
<suppress>
<notes><![CDATA[
This suppresses false positives identified on spring security.
]]></notes>
<gav regex="true">org\.springframework\.security:spring.*</gav>
<cpe>cpe:/a:mod_security:mod_security</cpe>
<cpe>cpe:/a:springsource:spring_framework</cpe>
<cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
</suppress>
</suppressions>


@@ -0,0 +1,10 @@
analyzer.AssemblyAnalyzer.notdeployed=GrokAssembly didn't get deployed
analyzer.AssemblyAnalyzer.grokassembly.stderr=Error from GrokAssembly: {0}
analyzer.AssemblyAnalyzer.notassembly={0} is not a .NET assembly or executable and as such cannot be analyzed by dependency-check
analyzer.AssemblyAnalyzer.grokassembly.rc=Return code {0} from GrokAssembly
analyzer.AssemblyAnalyzer.grokassembly.deployed=Extracted GrokAssembly.exe to {0}
analyzer.AssemblyAnalyzer.grokassembly.notdeployed=Could not extract GrokAssembly.exe: {0}
analyzer.AssemblyAnalyzer.grokassembly.initialization.failed=An error occurred with the .NET AssemblyAnalyzer; \
this can be ignored unless you are scanning .NET DLLs. Please see the log for more details.
analyzer.AssemblyAnalyzer.grokassembly.initialization.message=Could not execute GrokAssembly {0}
analyzer.AssemblyAnalyzer.grokassembly.notdeleted=Can't delete temporary GrokAssembly.exe


@@ -13,8 +13,10 @@ max.download.threads=3
# will not be used. The data.directory will be resolved and if the connection string
# below contains a %s then the data.directory will replace the %s.
data.directory=[JAR]/data
data.connection_string=jdbc:h2:file:%s;AUTO_SERVER=TRUE;AUTOCOMMIT=ON;
data.connection_string=jdbc:h2:file:%s;FILE_LOCK=SERIALIZED;AUTOCOMMIT=ON;
#data.connection_string=jdbc:h2:file:%s;AUTO_SERVER=TRUE;AUTOCOMMIT=ON;
#data.connection_string=jdbc:mysql://localhost:3306/dependencycheck
# user name and password for the database connection. The inherent case is to use H2.
# As such, this unsecure username/password exist.
data.user=dcuser


@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<xs:schema id="analysis" xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="https://www.owasp.org/index.php/OWASP_Dependency_Check#1.1">
<xs:schema id="analysis" xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="https://www.owasp.org/index.php/OWASP_Dependency_Check#1.2">
<xs:element name="analysis">
<xs:complexType>
<xs:sequence minOccurs="0" maxOccurs="unbounded">
@@ -119,64 +119,124 @@
<xs:element name="identifiers" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="identifier" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="url" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1" />
</xs:sequence>
<xs:attribute name="type" type="xs:string" use="required" />
<xs:attribute name="confidence" type="xs:string" use="optional" />
</xs:complexType>
</xs:element>
<xs:sequence>
<xs:element name="identifier" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="url" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1" />
</xs:sequence>
<xs:attribute name="type" type="xs:string" use="required" />
<xs:attribute name="confidence" type="xs:string" use="optional" />
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:sequence>
<xs:element name="suppressedIdentifier" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="url" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1" />
</xs:sequence>
<xs:attribute name="type" type="xs:string" use="required" />
<xs:attribute name="confidence" type="xs:string" use="optional" />
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="vulnerabilities" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="vulnerability" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="cvssScore" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="severity" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="cwe" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="description" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="references" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="reference" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="source" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="url" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="vulnerableSoftware" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="software" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="allPreviousVersion" type="xs:boolean" />
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:sequence>
<xs:element name="vulnerability" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="cvssScore" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="severity" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="cwe" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="description" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="references" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="reference" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="source" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="url" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="vulnerableSoftware" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="software" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="allPreviousVersion" type="xs:boolean" />
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:sequence>
<xs:element name="suppressedVulnerability" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="cvssScore" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="severity" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="cwe" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="description" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="references" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="reference" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="source" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="url" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="vulnerableSoftware" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="software" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="allPreviousVersion" type="xs:boolean" />
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:sequence>
</xs:complexType>
</xs:element>
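Review bot: The new suppressedIdentifier and suppressedVulnerability elements repeat the full anonymous complexType of identifier and vulnerability verbatim, so the two copies of each will drift the next time a child element is added; declaring one named complexType per shape and referencing it with `type="..."` from both elements keeps a single definition. The targetNamespace bump from `#1.1` to `#1.2` in the first hunk means any consumer validating reports against the 1.1 schema will reject output from this version, which deserves a mention in the release notes if it is not there already.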


@@ -41,6 +41,7 @@
<xs:choice minOccurs="0" maxOccurs="1">
<xs:element name="filePath" type="dc:regexStringType"/>
<xs:element name="sha1" type="dc:sha1Type"/>
<xs:element name="gav" type="dc:regexStringType"/>
</xs:choice>
<xs:choice minOccurs="0" maxOccurs="unbounded">
<xs:element name="cpe" type="dc:regexStringType"/>


@@ -39,15 +39,23 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
var content = "#content" + h.id.substr(6);
var header = "#" + h.id;
$(content).slideToggle("fast");
var exprx = /expandablesubsection/;
var exprx = /expandable\b/;
if (exprx.exec($(header).attr("class"))) {
$(header).addClass("collapsed");
$(header).removeClass("expandable");
} else {
$(header).addClass("expandable");
$(header).removeClass("collapsed");
}
var essrx = /expandablesubsection/;
var cssrx = /collaspablesubsection/;
if (essrx.exec($(header).attr("class"))) {
$(header).addClass("collaspablesubsection");
$(header).removeClass("expandablesubsection");
} else {
} else if (cssrx.exec($(header).attr("class"))) {
$(header).addClass("expandablesubsection");
$(header).removeClass("collaspablesubsection");
}
});
});
@@ -129,6 +137,19 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
#modal-text:focus {
outline: none;
}
.suppressedLabel {
cursor: default;
padding:1px;
background-color: #eeeeee;
border: 1px solid #555555;
color:#555555;
text-decoration:none;
-moz-border-radius: 3px;
-webkit-border-radius: 3px;
-khtml-border-radius: 3px;
-o-border-radius: 3px;
border-radius: 3px;
}
.copybutton {
padding:1px;
background-color: #eeeeee;
@@ -215,24 +236,25 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
.hidden {
display: none;
}
.exandable {}
.expandablesubsection {
.expandable {
cursor: pointer;
/*background-image: url(img/plus.gif);*/
background-image: url(data:image/gif;base64,R0lGODlhDAAMAIABAICAgP///yH5BAEAAAEALAAAAAAMAAwAAAIcjI8Hy22Q1FNwhnpxhW3d2XFWJn2PNiZbyERuAQA7);
background-repeat: no-repeat;
background-position: 98% 50%;
}
.collapsed {
cursor: pointer;
background-image: url(data:image/gif;base64,R0lGODlhDAAMAIABAICAgP///yH5BAEAAAEALAAAAAAMAAwAAAIajI8Hy22Q1IszQHphW3ZuXUUZ1ZXi8zFkUgAAOw==);
background-repeat: no-repeat;
background-position: 98% 50%;
}
.expandablesubsection {
-moz-border-radius-bottomleft:15px; /* bottom left corner */
-webkit-border-bottom-left-radius:15px; /* bottom left corner */
border-bottom-left-radius: 15px;
border-bottom: 1px solid #cccccc;
}
.collaspablesubsection {
cursor: pointer;
/*background-image: url(img/minus.gif);*/
background-image: url(data:image/gif;base64,R0lGODlhDAAMAIABAICAgP///yH5BAEAAAEALAAAAAAMAAwAAAIajI8Hy22Q1IszQHphW3ZuXUUZ1ZXi8zFkUgAAOw==);
background-repeat: no-repeat;
background-position: 98% 50%;
-moz-border-radius-bottomleft:0px; /* bottom left corner */
-webkit-border-bottom-left-radius:0px; /* bottom left corner */
border-bottom-left-radius: 0px;
@@ -244,7 +266,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
border-bottom-left-radius: 0px;
border-bottom: 0px solid #ffffff;
}
.content {
margin-top:0px;
margin-left:20px;
@@ -471,26 +492,38 @@ implied or otherwise, with regard to the analysis or its use. Any use of the too
is at the users risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever
arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.</p>
]]#
<h2 class="">Project:&nbsp;$esc.html($applicationName)</h2>
<h2 class="">Project:&nbsp;$enc.html($applicationName)</h2>
<div class="">
#set($depCount=$dependencies.size())
#set($vulnDepCount=0)
#set($vulnCount=0)
#set($vulnSuppressedCount=0)
#set($cpeSuppressedCount=0)
#foreach($dependency in $dependencies)
#set($depCount=$depCount+$dependency.getRelatedDependencies().size())
#if($dependency.getVulnerabilities().size()>0)
#set($vulnCount=$vulnCount+1)
#set($vulnDepCount=$vulnDepCount+1)
#set($vulnCount=$vulnCount+$dependency.getVulnerabilities().size())
#end
#if($dependency.getSuppressedIdentifiers().size()>0)
#set($cpeSuppressedCount=$cpeSuppressedCount+1)
#end
#if($dependency.getSuppressedVulnerabilities().size()>0)
#set($vulnSuppressedCount=$vulnSuppressedCount+$dependency.getSuppressedVulnerabilities().size())
#end
#end
Scan Information (<a href="#" onclick="toggleDisplay(this, '.scaninfo'); return false;">show all</a>):<br/>
<ul class="indent">
<li><i>dependency-check version</i>: $version</li>
<li><i>Report Generated On</i>: $date</li>
<li><i>Report Generated On</i>: $scanDate</li>
<li><i>Dependencies Scanned</i>:&nbsp;$depCount</li>
<li><i>Vulnerable Dependencies</i>:&nbsp;$vulnCount</li>
<li><i>Vulnerable Dependencies</i>:&nbsp;$vulnDepCount</li>
<li><i>Vulnerabilities Found</i>:&nbsp;$vulnCount</li>
<li><i>Vulnerabilities Suppressed</i>:&nbsp;$vulnSuppressedCount</li>
<li class="scaninfo">...</li>
#foreach($prop in $properties.getMetaData().entrySet())
<li class="scaninfo hidden"><i>$esc.html($prop.key)</i>: $esc.html($prop.value)</li>
<li class="scaninfo hidden"><i>$enc.html($prop.key)</i>: $enc.html($prop.value)</li>
#end
</ul><br/>
Dependency Display:&nbsp;<a href="#" onclick="toggleDisplay(this,'.notvulnerable'); return false;">show all</a><br/><br/>
@@ -499,11 +532,11 @@ arising out of or in connection with the use of this tool, the analysis performe
#foreach($dependency in $dependencies)
#set($lnkcnt=$lnkcnt+1)
<li class="#if($dependency.getVulnerabilities().size()==0)notvulnerable#else vulnerable#end">
<a href="#l${lnkcnt}_$esc.html($esc.url($dependency.Sha1sum))">$esc.html($dependency.FileName)</a>
<a href="#l${lnkcnt}_$enc.html($enc.url($dependency.Sha1sum))">$enc.html($dependency.DisplayFileName)</a>
#if($dependency.getRelatedDependencies().size()>0)
<ul>
#foreach($related in $dependency.getRelatedDependencies())
<li>$esc.html($related.FileName)</li>
<li>$enc.html($related.DisplayFileName)</li>
#end
</ul>
#end
@@ -516,30 +549,30 @@ arising out of or in connection with the use of this tool, the analysis performe
#set($vsctr=0) ##counter to create unique groups for vulnerable software
#foreach($dependency in $dependencies)
#set($lnkcnt=$lnkcnt+1)
<h3 class="subsectionheader standardsubsection#if($dependency.getVulnerabilities().size()==0) notvulnerable#end"><a name="l${lnkcnt}_$esc.html($dependency.Sha1sum)"></a>$esc.html($dependency.FileName)</h3>
<h3 class="subsectionheader standardsubsection#if($dependency.getVulnerabilities().size()==0) notvulnerable#end"><a name="l${lnkcnt}_$enc.html($dependency.Sha1sum)"></a>$enc.html($dependency.DisplayFileName)</h3>
<div class="subsectioncontent#if($dependency.getVulnerabilities().size()==0) notvulnerable#end">
#if ($dependency.description)
<p><b>Description:</b>&nbsp;$esc.html($dependency.description)<br/></p>
<p><b>Description:</b>&nbsp;$enc.html($dependency.description)<br/></p>
#end
<p>
#if ($dependency.license)
#if ($dependency.license.startsWith("http://"))
<b>License:</b><pre class="indent"><a href="$esc.html($dependency.license)">$esc.html($dependency.license)</a></pre>
<b>License:</b><pre class="indent"><a href="$enc.html($dependency.license)">$enc.html($dependency.license)</a></pre>
#else
<b>License:</b><pre class="indent">$esc.html($dependency.license)</pre>
<b>License:</b><pre class="indent">$enc.html($dependency.license)</pre>
#end
#end
<b>File&nbsp;Path:</b>&nbsp;$esc.html($dependency.FilePath)<br/>
<b>MD5:</b>&nbsp;$esc.html($dependency.Md5sum)<br/>
<b>SHA1:</b>&nbsp;$esc.html($dependency.Sha1sum)
<b>File&nbsp;Path:</b>&nbsp;$enc.html($dependency.FilePath)<br/>
<b>MD5:</b>&nbsp;$enc.html($dependency.Md5sum)<br/>
<b>SHA1:</b>&nbsp;$enc.html($dependency.Sha1sum)
</p>
#set($cnt=$cnt+1)
<h4 id="header$cnt" class="subsectionheader expandable expandablesubsection white">Evidence</h4>
<div id="content$cnt" class="subsectioncontent standardsubsection hidden">
<table class="lined fullwidth" border="0">
<tr><th class="left" style="width:10%;">Source</th><th class="left" style="width:20%;">Name</th><th class="left" style="width:70%;">Value</th></tr>
#foreach($evidence in $dependency.getEvidenceUsed())
<tr><td>$esc.html($evidence.getSource())</td><td>$esc.html($evidence.getName())</td><td>$esc.html($evidence.getValue())</td></tr>
#foreach($evidence in $dependency.getEvidenceForDisplay())
<tr><td>$enc.html($evidence.getSource())</td><td>$enc.html($evidence.getName())</td><td>$enc.html($evidence.getValue())</td></tr>
#end
</table>
</div>
@@ -549,18 +582,18 @@ arising out of or in connection with the use of this tool, the analysis performe
<div id="content$cnt" class="subsectioncontent standardsubsection hidden">
<ul>
#foreach($related in $dependency.getRelatedDependencies())
<li>$esc.html($related.FileName)
<li>$enc.html($related.DisplayFileName)
<ul>
<li>File Path:&nbsp;$esc.html($related.FilePath)</li>
<li>SHA1:&nbsp;$esc.html($related.Sha1sum)</li>
<li>MD5:&nbsp;$esc.html($related.Md5sum)</li>
<li>File Path:&nbsp;$enc.html($related.FilePath)</li>
<li>SHA1:&nbsp;$enc.html($related.Sha1sum)</li>
<li>MD5:&nbsp;$enc.html($related.Md5sum)</li>
#foreach($id in $related.getIdentifiers())
#if ($id.type=="maven")
#if( $id.url )
##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here...
<li>$esc.html($id.type):&nbsp;<a href="$esc.html($id.url)" target="_blank">$esc.html($id.value)</a>
<li>$enc.html($id.type):&nbsp;<a href="$enc.html($id.url)" target="_blank">$enc.html($id.value)</a>
#else
<li>$esc.html($id.type):&nbsp;$esc.html($id.value)
<li>$enc.html($id.type):&nbsp;$enc.html($id.value)
#end
</li>
#end
@@ -579,7 +612,7 @@ arising out of or in connection with the use of this tool, the analysis performe
#end
#end
<h4 id="header$cnt" class="subsectionheader white">Identifiers</h4>
##:&nbsp;<a href="http://web.nvd.nist.gov/view/vuln/search-results?cpe=$esc.url($cpevalue)" target="_blank">$esc.html($cpevalue)</a></h4>
##:&nbsp;<a href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($cpevalue)" target="_blank">$enc.html($cpevalue)</a></h4>
<div id="content$cnt" class="subsectioncontent standardsubsection">
#if ($dependency.getIdentifiers().size()==0)
<ul><li><b>None</b></li></ul>
@@ -588,19 +621,19 @@ arising out of or in connection with the use of this tool, the analysis performe
#foreach($id in $dependency.getIdentifiers())
#if( $id.url )
##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here...
<li><b>$esc.html($id.type):</b>&nbsp;<a href="$esc.html($id.url)" target="_blank">$esc.html($id.value)</a>
<li><b>$enc.html($id.type):</b>&nbsp;<a href="$enc.html($id.url)" target="_blank">$enc.html($id.value)</a>
#else
<li><b>$esc.html($id.type):</b>&nbsp;$esc.html($id.value)
<li><b>$enc.html($id.type):</b>&nbsp;$enc.html($id.value)
#end
#if ($id.confidence)
&nbsp;&nbsp;<i>Confidence</i>:$id.confidence
#end
#if ($id.type=="cpe")
##yes, we are HTML Encoding into JavaScript... the escape utils don't have a JS Encode and I haven't written one yet
&nbsp;&nbsp;<button class="copybutton" onclick="copyText('$esc.html($dependency.FileNameForJavaScript)', '$esc.html($dependency.Sha1sum)', 'cpe', '$esc.html($id.value)')">suppress</button>
&nbsp;&nbsp;<button class="copybutton" onclick="copyText('$enc.html($dependency.FileNameForJavaScript)', '$enc.html($dependency.Sha1sum)', 'cpe', '$enc.html($id.value)')">suppress</button>
#end
#if ($id.description)
<br/>$esc.html($id.description)
<br/>$enc.html($id.description)
#end
</li>
#end
@@ -613,7 +646,7 @@ arising out of or in connection with the use of this tool, the analysis performe
<div id="content$cnt" class="subsectioncontent standardsubsection">
#foreach($vuln in $dependency.getVulnerabilities())
#set($vsctr=$vsctr+1)
<p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$esc.url($vuln.name)">$esc.html($vuln.name)</a></b>&nbsp;&nbsp;<button class="copybutton" onclick="copyText('$esc.html($dependency.FileNameForJavaScript)', '$esc.html($dependency.Sha1sum)', 'cve', '$esc.html($vuln.name)')">suppress</button></p>
<p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$enc.url($vuln.name)">$enc.html($vuln.name)</a></b>&nbsp;&nbsp;<button class="copybutton" onclick="copyText('$enc.html($dependency.FileNameForJavaScript)', '$enc.html($dependency.Sha1sum)', 'cve', '$enc.html($vuln.name)')">suppress</button></p>
<p>Severity:
#if ($vuln.cvssScore<4.0)
Low
@@ -626,27 +659,172 @@ arising out of or in connection with the use of this tool, the analysis performe
#if ($vuln.cwe)
<br/>CWE: $vuln.cwe
#end</p>
<p>$esc.html($vuln.description)
<p>$enc.html($vuln.description)
#if ($vuln.getReferences().size()>0)
<ul>
#foreach($ref in $vuln.getReferences())
<li>$esc.html($ref.source) - <a target="_blank" href="$esc.html($ref.url)">$ref.name</a></li>
<li>$enc.html($ref.source) - <a target="_blank" href="$enc.html($ref.url)">$ref.name</a></li>
#end
</ul>
#end
</p>
<p>Vulnerable Software &amp; Versions:&nbsp;(<a href="#" onclick="toggleDisplay(this,'.vs$vsctr'); return false;">show all</a>)<ul>
<li class="vs$vsctr"><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/search-results?cpe=$esc.url($vuln.matchedCPE)">$esc.html($vuln.matchedCPE)</a> #if($vuln.hasMatchedAllPreviousCPE()) and all previous versions#end</li>
<li class="vs$vsctr">...</li>
#foreach($vs in $vuln.getVulnerableSoftware())
<li class="vs$vsctr hidden"><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/search-results?cpe=$esc.url($vs.name)">$esc.html($vs.name)</a> #if($vs.hasPreviousVersion()) and all previous versions#end</li>
#if ($vuln.getVulnerableSoftware().size()<2)
<p>Vulnerable Software &amp; Versions:<ul>
<li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedCPE)">$enc.html($vuln.matchedCPE)</a> #if($vuln.hasMatchedAllPreviousCPE()) and all previous versions#end</li>
</ul></p>
#else
<p>Vulnerable Software &amp; Versions:&nbsp;(<a href="#" onclick="toggleDisplay(this,'.vs$vsctr'); return false;">show all</a>)<ul>
<li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedCPE)">$enc.html($vuln.matchedCPE)</a> #if($vuln.hasMatchedAllPreviousCPE()) and all previous versions#end</li>
<li class="vs$vsctr">...</li>
#foreach($vs in $vuln.getVulnerableSoftware())
<li class="vs$vsctr hidden"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vs.name)">$enc.html($vs.name)</a> #if($vs.hasPreviousVersion()) and all previous versions#end</li>
#end
</ul></p>
#end
</ul></p>
#end
</div>
#end
</div>
#end
## BEGIN SUPPRESSED VULNERABILITIES
#if ($vulnSuppressedCount>0 || $cpeSuppressedCount>0)
#set($cnt=$cnt+1)
<h2 id="header$cnt" class="expandable">Suppressed Vulnerabilities</h3>
<div id="content$cnt" class="hidden">
#foreach($dependency in $dependencies)
#if ($dependency.getSuppressedIdentifiers().size()>0 || $dependency.getSuppressedVulnerabilities().size()>0)
#set($lnkcnt=$lnkcnt+1)
<h3 class="subsectionheader standardsubsection">$enc.html($dependency.DisplayFileName)</h3>
<div class="subsectioncontent">
#if ($dependency.description)
<p><b>Description:</b>&nbsp;$enc.html($dependency.description)<br/></p>
#end
<p>
#if ($dependency.license)
#if ($dependency.license.startsWith("http://"))
<b>License:</b><pre class="indent"><a href="$enc.html($dependency.license)">$enc.html($dependency.license)</a></pre>
#else
<b>License:</b><pre class="indent">$enc.html($dependency.license)</pre>
#end
#end
<b>File&nbsp;Path:</b>&nbsp;$enc.html($dependency.FilePath)<br/>
<b>MD5:</b>&nbsp;$enc.html($dependency.Md5sum)<br/>
<b>SHA1:</b>&nbsp;$enc.html($dependency.Sha1sum)
</p>
#set($cnt=$cnt+1)
<h4 id="header$cnt" class="subsectionheader expandable expandablesubsection white">Evidence</h4>
<div id="content$cnt" class="subsectioncontent standardsubsection hidden">
<table class="lined fullwidth" border="0">
<tr><th class="left" style="width:10%;">Source</th><th class="left" style="width:20%;">Name</th><th class="left" style="width:70%;">Value</th></tr>
#foreach($evidence in $dependency.getEvidenceForDisplay())
<tr><td>$enc.html($evidence.getSource())</td><td>$enc.html($evidence.getName())</td><td>$enc.html($evidence.getValue())</td></tr>
#end
</table>
</div>
#if($dependency.getRelatedDependencies().size()>0)
#set($cnt=$cnt+1)
<h4 id="header$cnt" class="subsectionheader expandable expandablesubsection white">Related Dependencies</h4>
<div id="content$cnt" class="subsectioncontent standardsubsection hidden">
<ul>
#foreach($related in $dependency.getRelatedDependencies())
<li>$enc.html($related.DisplayFileName)
<ul>
<li>File Path:&nbsp;$enc.html($related.FilePath)</li>
<li>SHA1:&nbsp;$enc.html($related.Sha1sum)</li>
<li>MD5:&nbsp;$enc.html($related.Md5sum)</li>
</ul>
</li>
#end
</ul>
</div>
#end
#set($cnt=$cnt+1)
#set($cpeCount=0)
#foreach($id in $dependency.getSuppressedIdentifiers())
#if($id.type.equals("cpe"))
#set($cpeCount=$cpeCount+1)
#end
#end
<h4 id="header$cnt" class="subsectionheader white">Suppressed Identifiers</h4>
##:&nbsp;<a href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($cpevalue)" target="_blank">$enc.html($cpevalue)</a></h4>
<div id="content$cnt" class="subsectioncontent standardsubsection">
#if ($dependency.getSuppressedIdentifiers().size()==0)
<ul><li><b>None</b></li></ul>
#else ## ($dependency.getSuppressedIdentifiers().size()>0)
<ul>
#foreach($id in $dependency.getSuppressedIdentifiers())
#if( $id.url )
##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here...
<li><b>$enc.html($id.type):</b>&nbsp;<a href="$enc.html($id.url)" target="_blank">$enc.html($id.value)</a>&nbsp;&nbsp;<span class="suppressedLabel" >suppressed</span>
#else
<li><b>$enc.html($id.type):</b>&nbsp;$enc.html($id.value)&nbsp;&nbsp;<span class="suppressedLabel" >suppressed</span>
#end
#if ($id.confidence)
&nbsp;&nbsp;<i>Confidence</i>:$id.confidence
#end
#if ($id.description)
<br/>$enc.html($id.description)
#end
</li>
#end
</ul>
#end
</div>
#if($dependency.getSuppressedVulnerabilities().size()>0)
#set($cnt=$cnt+1)
<h4 id="header$cnt" class="subsectionheader expandable collaspablesubsection white">Suppressed Vulnerabilities</h4>
<div id="content$cnt" class="subsectioncontent standardsubsection">
#foreach($vuln in $dependency.getSuppressedVulnerabilities())
#set($vsctr=$vsctr+1)
<p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$enc.url($vuln.name)">$enc.html($vuln.name)</a></b>&nbsp;&nbsp;<span class="suppressedLabel" >suppressed</span></p>
<p>Severity:
#if ($vuln.cvssScore<4.0)
Low
#elseif ($vuln.cvssScore>=7.0)
High
#else
Medium
#end
<br/>CVSS Score: $vuln.cvssScore
#if ($vuln.cwe)
<br/>CWE: $vuln.cwe
#end</p>
<p>$enc.html($vuln.description)
#if ($vuln.getReferences().size()>0)
<ul>
#foreach($ref in $vuln.getReferences())
<li>$enc.html($ref.source) - <a target="_blank" href="$enc.html($ref.url)">$ref.name</a></li>
#end
</ul>
#end
</p>
#if ($vuln.getVulnerableSoftware().size()<2)
<p>Vulnerable Software &amp; Versions:<ul>
git st<li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedCPE)">$enc.html($vuln.matchedCPE)</a> #if($vuln.hasMatchedAllPreviousCPE()) and all previous versions#end</li>
</ul></p>
#else
<p>Vulnerable Software &amp; Versions:&nbsp;(<a href="#" onclick="toggleDisplay(this,'.vs$vsctr'); return false;">show all</a>)<ul>
<li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedCPE)">$enc.html($vuln.matchedCPE)</a> #if($vuln.hasMatchedAllPreviousCPE()) and all previous versions#end</li>
<li class="vs$vsctr">...</li>
#foreach($vs in $vuln.getVulnerableSoftware())
<li class="vs$vsctr hidden"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vs.name)">$enc.html($vs.name)</a> #if($vs.hasPreviousVersion()) and all previous versions#end</li>
#end
</ul></p>
#end
#end
</div>
#end
</div>
#end
#end
</div>
#end
## END SUPPRESSED VULNERABILITIES
</div>
</div>
<div><br/><br/>This report contains data retrieved from the <a href="nvd.nist.gov">National Vulnerability Database</a>.</div>


@@ -178,8 +178,8 @@ implied or otherwise, with regard to the analysis or its use. Any use of the too
is at the users risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever
arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.</p>
]]#
<h2 class="sectionheader white">Project:&nbsp;$esc.html($applicationName)</h2>
<div class="sectioncontent">Report Generated On: $date<br/><br/>
<h2 class="sectionheader white">Project:&nbsp;$enc.html($applicationName)</h2>
<div class="sectioncontent">Report Generated On: $scanDate<br/><br/>
#set($depCount=$dependencies.size())
#set($vulnCount=0)
@@ -205,7 +205,7 @@ arising out of or in connection with the use of this tool, the analysis performe
#if($dependency.getVulnerabilities().size()>0)
#foreach($vuln in $dependency.getVulnerabilities())
<tr>
<td><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$esc.url($vuln.name)">$esc.html($vuln.name)</a></td>
<td><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$enc.url($vuln.name)">$enc.html($vuln.name)</a></td>
<td>
#if ($vuln.cwe)
$vuln.cwe
@@ -222,10 +222,10 @@ arising out of or in connection with the use of this tool, the analysis performe
($vuln.cvssScore)
<td>#set($cnt=$cnt+1)
#if($dependency.getRelatedDependencies().size()>0)<span id="header$cnt" class="expandable collapsedList">#end
$esc.html($dependency.FileName)
$enc.html($dependency.DisplayFileName)
#if($dependency.getRelatedDependencies().size()>0)&nbsp;&nbsp;&nbsp;</span><div id="content$cnt" class="hidden">#end
#foreach($related in $dependency.getRelatedDependencies())
$esc.html($related.FileName)<br/>
$enc.html($related.DisplayFileName)<br/>
#end
#if($dependency.getRelatedDependencies().size()>0)</div#end
</td>
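Review bot: The closing tag on the second-to-last line of this hunk, `#if($dependency.getRelatedDependencies().size()>0)</div#end`, is missing its `>`, so the template emits `</div` and the browser folds the following `</td>` into that malformed end tag. This is a pre-existing context line rather than something the commit changes, but the commit already touches the lines around it; the fix is `#if($dependency.getRelatedDependencies().size()>0)</div>#end`. The rename of `$date` to `$scanDate` on the "Report Generated On" line presumably has a matching change in the Java code that populates the Velocity context; it is not visible here, so that should be confirmed or the report will render an empty date.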


@@ -18,47 +18,47 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
@author Jeremy Long <jeremy.long@owasp.org>
@version 1.1
*#<?xml version="1.0"?>
<analysis xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check#1.1">
<analysis xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check#1.2">
<scanInfo>
<engineVersion>$version</engineVersion>
#foreach($prop in $properties.getMetaData().entrySet())
<dataSource>
<name>$esc.xml($prop.key)</name>
<timestamp>$esc.xml($prop.value)</timestamp>
<name>$enc.xml($prop.key)</name>
<timestamp>$enc.xml($prop.value)</timestamp>
</dataSource>
#end
</scanInfo>
<projectInfo>
<name>$esc.xml($applicationName)</name>
<reportDate>$date</reportDate>
<name>$enc.xml($applicationName)</name>
<reportDate>$scanDateXML</reportDate>
<credits>This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov</credits>
</projectInfo>
<dependencies>
#foreach($dependency in $dependencies)
<dependency>
<fileName>$esc.xml($dependency.FileName)</fileName>
<filePath>$esc.xml($dependency.FilePath)</filePath>
<md5>$esc.xml($dependency.Md5sum)</md5>
<sha1>$esc.xml($dependency.Sha1sum)</sha1>
<fileName>$enc.xml($dependency.DisplayFileName)</fileName>
<filePath>$enc.xml($dependency.FilePath)</filePath>
<md5>$enc.xml($dependency.Md5sum)</md5>
<sha1>$enc.xml($dependency.Sha1sum)</sha1>
#if ($dependency.description)
<description>$esc.xml($dependency.description)</description>
<description>$enc.xml($dependency.description)</description>
#end
#if ($dependency.license)
<license>$esc.xml($dependency.license)</license>
<license>$enc.xml($dependency.license)</license>
#end
#if ($dependency.getRelatedDependencies().size()>0)
<relatedDependencies>
#foreach($related in $dependency.getRelatedDependencies())
<relatedDependency>
<filePath>$esc.xml($related.FilePath)</filePath>
<sha1>$esc.xml($related.Sha1sum)</sha1>
<md5>$esc.xml($related.Md5sum)</md5>
<filePath>$enc.xml($related.FilePath)</filePath>
<sha1>$enc.xml($related.Sha1sum)</sha1>
<md5>$enc.xml($related.Md5sum)</md5>
#foreach($id in $related.getIdentifiers())
#if ($id.type=="maven")
<identifier type="$esc.xml($id.type)">
<identifier type="$enc.xml($id.type)">
<name>($id.value)</name>
#if( $id.url )
<url>$esc.xml($id.url)</url>
<url>$enc.xml($id.url)</url>
#end
</identifier>
#end
@@ -68,34 +68,45 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
</relatedDependencies>
#end
<evidenceCollected>
#foreach($evidence in $dependency.getEvidenceUsed())
#foreach($evidence in $dependency.getEvidenceForDisplay())
<evidence>
<source>$esc.xml($evidence.getSource())</source>
<name>$esc.xml($evidence.getName())</name>
<value>$esc.xml($evidence.getValue().trim())</value>
<source>$enc.xml($evidence.getSource())</source>
<name>$enc.xml($evidence.getName())</name>
<value>$enc.xml($evidence.getValue().trim())</value>
</evidence>
#end
</evidenceCollected>
#if($dependency.getIdentifiers().size()>0)
<identifiers>
#foreach($id in $dependency.getIdentifiers())
<identifier type="$esc.xml($id.type)" #if($id.confidence)confidence="$id.confidence"#end>
<identifier type="$enc.xml($id.type)" #if($id.confidence)confidence="$id.confidence"#end>
<name>($id.value)</name>
#if( $id.url )
<url>$esc.xml($id.url)</url>
<url>$enc.xml($id.url)</url>
#end
#if( $id.description )
<description>$esc.xml($id.description)</description>
<description>$enc.xml($id.description)</description>
#end
</identifier>
#end
#foreach($id in $dependency.getSuppressedIdentifiers())
<suppressedIdentifier type="$enc.xml($id.type)" #if($id.confidence)confidence="$id.confidence"#end>
<name>($id.value)</name>
#if( $id.url )
<url>$enc.xml($id.url)</url>
#end
#if( $id.description )
<description>$enc.xml($id.description)</description>
#end
</suppressedIdentifier>
#end
</identifiers>
#end
#if($dependency.getVulnerabilities().size()>0)
#if($dependency.getVulnerabilities().size()>0 || $dependency.getSuppressedVulnerabilities().size()>0)
<vulnerabilities>
#foreach($vuln in $dependency.getVulnerabilities())
<vulnerability>
<name>$esc.xml($vuln.name)</name>
<name>$enc.xml($vuln.name)</name>
<cvssScore>$vuln.cvssScore</cvssScore>
#if ($vuln.cvssScore<4.0)
<severity>Low</severity>
@@ -105,24 +116,55 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<severity>Medium</severity>
#end
#if ($vuln.cwe)
<cwe>$esc.xml($vuln.cwe)</cwe>
<cwe>$enc.xml($vuln.cwe)</cwe>
#end
<description>$esc.xml($vuln.description)</description>
<description>$enc.xml($vuln.description)</description>
<references>
#foreach($ref in $vuln.getReferences())
<reference>
<source>$esc.xml($ref.source)</source>
<url>$esc.xml($ref.url)</url>
<name>$esc.xml($ref.name)</name>
<source>$enc.xml($ref.source)</source>
<url>$enc.xml($ref.url)</url>
<name>$enc.xml($ref.name)</name>
</reference>
#end
</references>
<vulnerableSoftware>
#foreach($vs in $vuln.getVulnerableSoftware())
<software#if($vs.hasPreviousVersion()) allPreviousVersion="true"#end>$esc.xml($vs.name)</software>
<software#if($vs.hasPreviousVersion()) allPreviousVersion="true"#end>$enc.xml($vs.name)</software>
#end
</vulnerableSoftware>
</vulnerability>
#end
#foreach($vuln in $dependency.getSuppressedVulnerabilities())
<suppressedVulnerability>
<name>$enc.xml($vuln.name)</name>
<cvssScore>$vuln.cvssScore</cvssScore>
#if ($vuln.cvssScore<4.0)
<severity>Low</severity>
#elseif ($vuln.cvssScore>=7.0)
<severity>High</severity>
#else
<severity>Medium</severity>
#end
#if ($vuln.cwe)
<cwe>$enc.xml($vuln.cwe)</cwe>
#end
<description>$enc.xml($vuln.description)</description>
<references>
#foreach($ref in $vuln.getReferences())
<reference>
<source>$enc.xml($ref.source)</source>
<url>$enc.xml($ref.url)</url>
<name>$enc.xml($ref.name)</name>
</reference>
#end
</references>
<vulnerableSoftware>
#foreach($vs in $vuln.getVulnerableSoftware())
<software#if($vs.hasPreviousVersion()) allPreviousVersion="true"#end>$enc.xml($vs.name)</software>
#end
</vulnerableSoftware>
</suppressedVulnerability>
#end
</vulnerabilities>
#end
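Review bot: `<name>($id.value)</name>` is the one element in the identifier blocks whose content is not passed through `$enc.xml(...)`, and the new `<suppressedIdentifier>` block repeats the pattern; every sibling element (`type`, `url`, `description`) is encoded. Identifier values are presumably derived from the scanned artifacts' metadata, so a value containing `&` or `<` would produce malformed XML; the line should read `<name>$enc.xml($id.value)</name>`, and the surrounding parentheses look like a leftover from `${id.value}` rather than intended output — worth confirming. Separately, the namespace was bumped to `OWASP_Dependency_Check#1.2` but the `@version 1.1` in the header comment above it was not.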


@@ -0,0 +1,37 @@
/*
* Copyright 2014 OWASP.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.owasp.dependencycheck;
import org.junit.AfterClass;
import org.junit.BeforeClass;
import org.owasp.dependencycheck.utils.Settings;
/**
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class BaseTest {
@BeforeClass
public static void setUpClass() throws Exception {
Settings.initialize();
}
@AfterClass
public static void tearDownClass() throws Exception {
Settings.cleanup(true);
}
}
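Review bot: The class Javadoc on `BaseTest` is empty apart from the author tag; since every test class in this commit now extends it, it should say what the base provides, e.g. `Base class for tests that need an initialized {@link Settings}: initializes the settings once per test class and cleans them up afterwards.` Because initialization and cleanup happen at class scope, any `Settings.setString(...)` a test method performs (as `AbstractSuppressionAnalyzerTest` does with `SUPPRESSION_FILE`) will presumably persist into the following test methods of that class, making them order-dependent; if that is not intended, the Javadoc should state it, or a `@Before`/`@After` pair in this class should reset the settings per method.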


@@ -18,10 +18,8 @@
package org.owasp.dependencycheck;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
@@ -33,15 +31,7 @@ import org.owasp.dependencycheck.utils.Settings;
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class EngineIntegrationTest {
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
public class EngineIntegrationTest extends BaseTest {
@Before
public void setUp() throws Exception {
@@ -80,7 +70,10 @@ public class EngineIntegrationTest {
@Test
public void testEngine() throws Exception {
String testClasses = "target/test-classes";
// boolean autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
// Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Engine instance = new Engine();
// Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
instance.scan(testClasses);
assertTrue(instance.getDependencies().size() > 0);
instance.analyzeDependencies();
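Review bot: The three commented-out `Settings.KEYS.AUTO_UPDATE` lines in `testEngine` should either be deleted or reinstated; commented-out code next to a live `new Engine()` leaves the reader unsure whether the integration test is meant to run with auto-update disabled. If the intent was to keep the test from reaching the network, disabling auto-update in a `@Before` here (or in `BaseTest`) would make that explicit. The body of `testEngine` continues outside the hunk.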


@@ -18,38 +18,16 @@
package org.owasp.dependencycheck.analyzer;
import java.util.Set;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
/**
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class AbstractFileTypeAnalyzerTest {
public AbstractFileTypeAnalyzerTest() {
}
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
public class AbstractFileTypeAnalyzerTest extends BaseTest {
/**
* Test of newHashSet method, of class AbstractAnalyzer.


@@ -17,44 +17,78 @@
*/
package org.owasp.dependencycheck.analyzer;
import org.junit.Before;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.suppression.SuppressionParseException;
import org.owasp.dependencycheck.suppression.SuppressionRule;
import org.owasp.dependencycheck.utils.Settings;
import java.net.MalformedURLException;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNull;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.suppression.SuppressionRule;
import org.owasp.dependencycheck.utils.Settings;
import static org.junit.Assert.assertTrue;
/**
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class AbstractSuppressionAnalyzerTest {
public class AbstractSuppressionAnalyzerTest extends BaseTest {
public AbstractSuppressionAnalyzerTest() {
}
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
private AbstractSuppressionAnalyzer instance;
@Before
public void setUp() {
public void createObjectUnderTest() throws Exception {
instance = new AbstractSuppressionAnalyzerImpl();
}
/**
* Test of getSupportedExtensions method, of class AbstractSuppressionAnalyzer.
*/
@Test
public void testGetSupportedExtensions() {
Set<String> result = instance.getSupportedExtensions();
assertNull(result);
}
/**
* Test of getRules method, of class AbstractSuppressionAnalyzer for suppression file declared as URL.
*/
@Test
public void testGetRulesFromSuppressionFileFromURL() throws Exception {
setSupressionFileFromURL();
instance.initialize();
int expCount = 5;
List<SuppressionRule> result = instance.getRules();
assertTrue(expCount <= result.size());
}
/**
* Test of getRules method, of class AbstractSuppressionAnalyzer for suppression file declared as URL.
*/
@Test
public void testGetRulesFromSuppressionFileInClasspath() throws Exception {
Settings.setString(Settings.KEYS.SUPPRESSION_FILE, "suppressions.xml");
instance.initialize();
int expCount = 5;
List<SuppressionRule> result = instance.getRules();
assertTrue(expCount <= result.size());
}
@Test(expected = SuppressionParseException.class)
public void testFailureToLocateSuppressionFileAnywhere() throws Exception {
Settings.setString(Settings.KEYS.SUPPRESSION_FILE, "doesnotexist.xml");
instance.initialize();
}
private void setSupressionFileFromURL() throws Exception {
try {
final String uri = this.getClass().getClassLoader().getResource("suppressions.xml").toURI().toURL().toString();
Settings.setString(Settings.KEYS.SUPPRESSION_FILE, uri);
@@ -65,41 +99,6 @@ public class AbstractSuppressionAnalyzerTest {
}
}
@After
public void tearDown() {
}
/**
* Test of getSupportedExtensions method, of class AbstractSuppressionAnalyzer.
*/
@Test
public void testGetSupportedExtensions() {
AbstractSuppressionAnalyzer instance = new AbstractSuppressionAnalyzerImpl();
Set<String> result = instance.getSupportedExtensions();
assertNull(result);
}
/**
* Test of initialize method, of class AbstractSuppressionAnalyzer.
*/
@Test
public void testInitialize() throws Exception {
AbstractSuppressionAnalyzer instance = new AbstractSuppressionAnalyzerImpl();
instance.initialize();
}
/**
* Test of getRules method, of class AbstractSuppressionAnalyzer.
*/
@Test
public void testGetRules() throws Exception {
AbstractSuppressionAnalyzer instance = new AbstractSuppressionAnalyzerImpl();
instance.initialize();
int expCount = 5;
List<SuppressionRule> result = instance.getRules();
assertEquals(expCount, result.size());
}
public class AbstractSuppressionAnalyzerImpl extends AbstractSuppressionAnalyzer {
@Override
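Review bot: The Javadoc on `testGetRulesFromSuppressionFileInClasspath` was copied from the URL test and still reads "for suppression file declared as URL"; it should read `Test of getRules method, of class AbstractSuppressionAnalyzer for a suppression file resolved from the classpath.` The helper name `setSupressionFileFromURL` misspells "Suppression", and its `try` block opens at the end of this hunk with the matching `catch` outside it. Both getRules tests relaxed the old `assertEquals(expCount, result.size())` to `assertTrue(expCount <= result.size())`; if the fixture still holds exactly five rules, the exact assertion is preferable because the relaxed one would not catch rules being loaded twice (e.g. from both the classpath and the URL).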


@@ -18,44 +18,22 @@
package org.owasp.dependencycheck.analyzer;
import java.util.Iterator;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
/**
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class AnalyzerServiceTest {
public AnalyzerServiceTest() {
}
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
public class AnalyzerServiceTest extends BaseTest {
/**
* Test of getAnalyzers method, of class AnalyzerService.
*/
@Test
public void testGetAnalyzers() {
AnalyzerService instance = AnalyzerService.getInstance();
AnalyzerService instance = new AnalyzerService(Thread.currentThread().getContextClassLoader());
Iterator<Analyzer> result = instance.getAnalyzers();
boolean found = false;


@@ -20,10 +20,8 @@ package org.owasp.dependencycheck.analyzer;
import java.io.File;
import java.util.HashSet;
import java.util.Set;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import org.junit.Test;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
@@ -34,30 +32,7 @@ import org.owasp.dependencycheck.utils.Settings;
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class ArchiveAnalyzerTest extends AbstractDatabaseTestCase {
public ArchiveAnalyzerTest() {
}
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
@Before
@Override
public void setUp() throws Exception {
super.setUp();
}
@After
@Override
public void tearDown() throws Exception {
super.tearDown();
}
public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
/**
* Test of getSupportedExtensions method, of class ArchiveAnalyzer.
@@ -69,6 +44,9 @@ public class ArchiveAnalyzerTest extends AbstractDatabaseTestCase {
expResult.add("zip");
expResult.add("war");
expResult.add("ear");
expResult.add("jar");
expResult.add("sar");
expResult.add("apk");
expResult.add("nupkg");
expResult.add("tar");
expResult.add("gz");


@@ -17,19 +17,18 @@
*/
package org.owasp.dependencycheck.analyzer;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import static org.junit.Assume.assumeFalse;
import java.io.File;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.junit.After;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import org.junit.Assume;
import static org.junit.Assume.assumeFalse;
import org.junit.Before;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
@@ -42,7 +41,7 @@ import org.owasp.dependencycheck.utils.Settings;
* @author colezlaw
*
*/
public class AssemblyAnalyzerTest {
public class AssemblyAnalyzerTest extends BaseTest {
private static final Logger LOGGER = Logger.getLogger(AssemblyAnalyzerTest.class.getName());
@@ -54,13 +53,17 @@ public class AssemblyAnalyzerTest {
* @throws Exception if anything goes sideways
*/
@Before
public void setUp() {
public void setUp() throws Exception {
try {
analyzer = new AssemblyAnalyzer();
analyzer.supportsExtension("dll");
analyzer.initialize();
} catch (Exception e) {
LOGGER.log(Level.WARNING, "Exception setting up AssemblyAnalyzer. Tests will be incomplete", e);
if (e.getMessage().contains("Could not execute .NET AssemblyAnalyzer")) {
LOGGER.log(Level.WARNING, "Exception setting up AssemblyAnalyzer. Tests will be incomplete");
} else {
LOGGER.log(Level.WARNING, "Exception setting up AssemblyAnalyzer. Tests will be incomplete", e);
}
Assume.assumeNoException("Is mono installed? TESTS WILL BE INCOMPLETE", e);
}
}
@@ -85,7 +88,7 @@ public class AssemblyAnalyzerTest {
}
}
assertTrue(foundVendor);
boolean foundProduct = false;
for (Evidence e : d.getProductEvidence().getEvidence("grokassembly", "product")) {
if ("GrokAssembly".equals(e.getValue())) {
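Review bot: In the new catch block of setUp, `e.getMessage().contains("Could not execute .NET AssemblyAnalyzer")` throws a NullPointerException for any exception created without a message, and that NPE escapes setUp before `Assume.assumeNoException` runs, so the class errors instead of being skipped. Null-check first: `final String msg = e.getMessage();` then `if (msg != null && msg.contains("Could not execute .NET AssemblyAnalyzer")) {`. Both log calls carry the same text while only the else branch attaches the exception; a short comment on the if, e.g. `// no stack trace when the .NET helper could not be run (see assumeNoException below)`, says why the two branches differ.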


@@ -24,11 +24,7 @@ import java.util.List;
import java.util.Set;
import org.apache.lucene.index.CorruptIndexException;
import org.apache.lucene.queryparser.classic.ParseException;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
import org.owasp.dependencycheck.data.cpe.IndexEntry;
@@ -39,27 +35,7 @@ import org.owasp.dependencycheck.dependency.Identifier;
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class CPEAnalyzerTest extends AbstractDatabaseTestCase {
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
@Before
@Override
public void setUp() throws Exception {
super.setUp();
}
@After
@Override
public void tearDown() throws Exception {
super.tearDown();
}
public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
/**
* Tests of buildSearch of class CPEAnalyzer.
@@ -139,16 +115,13 @@ public class CPEAnalyzerTest extends AbstractDatabaseTestCase {
FalsePositiveAnalyzer fp = new FalsePositiveAnalyzer();
fp.analyze(dep, null);
// for (Identifier i : dep.getIdentifiers()) {
// System.out.println(i.getValue());
// }
if (expResult != null) {
Identifier expIdentifier = new Identifier("cpe", expResult, expResult);
Assert.assertTrue("Incorrect match: { dep:'" + dep.getFileName() + "' }", dep.getIdentifiers().contains(expIdentifier));
} else if (dep.getIdentifiers().isEmpty()) {
Assert.assertTrue("Match found when an Identifier should not have been found: { dep:'" + dep.getFileName() + "' }", dep.getIdentifiers().isEmpty());
} else {
Assert.assertTrue("Match found when an Identifier should not have been found: { dep:'" + dep.getFileName() + "', identifier:'" + dep.getIdentifiers().iterator().next().getValue() + "' }", dep.getIdentifiers().isEmpty());
for (Identifier i : dep.getIdentifiers()) {
Assert.assertFalse(String.format("%s - found a CPE identifier when should have been none (found '%s')", dep.getFileName(), i.getValue()), "cpe".equals(i.getType()));
}
}
}
@@ -194,7 +167,10 @@ public class CPEAnalyzerTest extends AbstractDatabaseTestCase {
String expResultSpring = "cpe:/a:springsource:spring_framework:2.5.5";
String expResultSpring3 = "cpe:/a:vmware:springsource_spring_framework:3.0.0";
Assert.assertTrue("Apache Common Validator - found an identifier?", commonValidator.getIdentifiers().isEmpty());
for (Identifier i : commonValidator.getIdentifiers()) {
Assert.assertFalse("Apache Common Validator - found a CPE identifier?", "cpe".equals(i.getType()));
}
Assert.assertTrue("Incorrect match size - struts", struts.getIdentifiers().size() >= 1);
Assert.assertTrue("Incorrect match - struts", struts.getIdentifiers().contains(expIdentifier));
Assert.assertTrue("Incorrect match size - spring3 - " + spring3.getIdentifiers().size(), spring3.getIdentifiers().size() >= 1);
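Review bot: In the rewritten tail of the `if (expResult != null)` chain, an `else if (dep.getIdentifiers().isEmpty())` branch whose body asserts `dep.getIdentifiers().isEmpty()` cannot fail, and with the new final `else` that only rejects identifiers of type `"cpe"` it is redundant as well, since that loop passes trivially on an empty set; if that branch survives on the new side, the two can collapse into a single `else` holding the loop. The same loosening is applied to `commonValidator` in the later hunk, so a one-line comment at the first loop, e.g. `// only a CPE identifier counts as an incorrect match here`, would record the intent once. The enclosing test method starts before this hunk.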


@@ -17,38 +17,16 @@
*/
package org.owasp.dependencycheck.analyzer;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertEquals;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.dependency.Dependency;
/**
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class DependencyBundlingAnalyzerTest {
public DependencyBundlingAnalyzerTest() {
}
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
public class DependencyBundlingAnalyzerTest extends BaseTest {
/**
* Test of getName method, of class DependencyBundlingAnalyzer.


@@ -15,12 +15,8 @@
*/
package org.owasp.dependencycheck.analyzer;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.dependency.Dependency;
@@ -31,25 +27,6 @@ import org.owasp.dependencycheck.dependency.Dependency;
*/
public class FalsePositiveAnalyzerTest {
public FalsePositiveAnalyzerTest() {
}
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
/**
* Test of getName method, of class FalsePositiveAnalyzer.
*/
@@ -79,6 +56,7 @@ public class FalsePositiveAnalyzerTest {
public void testAnalyze() throws Exception {
Dependency dependency = new Dependency();
dependency.setFileName("pom.xml");
dependency.setFilePath("pom.xml");
dependency.addIdentifier("cpe", "cpe:/a:file:file:1.2.1", "http://some.org/url");
Engine engine = null;
FalsePositiveAnalyzer instance = new FalsePositiveAnalyzer();


@@ -18,12 +18,8 @@
package org.owasp.dependencycheck.analyzer;
import java.io.File;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.dependency.Dependency;
@@ -33,25 +29,6 @@ import org.owasp.dependencycheck.dependency.Dependency;
*/
public class FileNameAnalyzerTest {
public FileNameAnalyzerTest() {
}
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
/**
* Test of getName method, of class FileNameAnalyzer.
*/


@@ -0,0 +1,114 @@
/*
* Copyright 2014 OWASP.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.owasp.dependencycheck.analyzer;
import java.io.File;
import java.util.Set;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
import org.owasp.dependencycheck.utils.Settings;
/**
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class HintAnalyzerTest extends BaseTest {
@Before
public void setUp() throws Exception {
org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase.ensureDBExists();
}
/**
* Test of getName method, of class HintAnalyzer.
*/
@Test
public void testGetName() {
HintAnalyzer instance = new HintAnalyzer();
String expResult = "Hint Analyzer";
String result = instance.getName();
assertEquals(expResult, result);
}
/**
* Test of getAnalysisPhase method, of class HintAnalyzer.
*/
@Test
public void testGetAnalysisPhase() {
HintAnalyzer instance = new HintAnalyzer();
AnalysisPhase expResult = AnalysisPhase.PRE_IDENTIFIER_ANALYSIS;
AnalysisPhase result = instance.getAnalysisPhase();
assertEquals(expResult, result);
}
/**
* Test of analyze method, of class HintAnalyzer.
*/
@Test
public void testAnalyze() throws Exception {
HintAnalyzer instance = new HintAnalyzer();
File guice = new File(this.getClass().getClassLoader().getResource("guice-3.0.jar").getPath());
//Dependency guice = new Dependency(fileg);
File spring = new File(this.getClass().getClassLoader().getResource("spring-core-3.0.0.RELEASE.jar").getPath());
//Dependency spring = new Dependency(files);
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
Engine engine = new Engine();
engine.scan(guice);
engine.scan(spring);
engine.analyzeDependencies();
Dependency gdep = null;
Dependency sdep = null;
for (Dependency d : engine.getDependencies()) {
if (d.getActualFile().equals(guice)) {
gdep = d;
} else {
sdep = d;
}
}
final Evidence springTest1 = new Evidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH);
final Evidence springTest2 = new Evidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGH);
final Evidence springTest3 = new Evidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
final Evidence springTest4 = new Evidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH);
final Evidence springTest5 = new Evidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
Set<Evidence> evidence = gdep.getEvidence().getEvidence();
assertFalse(evidence.contains(springTest1));
assertFalse(evidence.contains(springTest2));
assertFalse(evidence.contains(springTest3));
assertFalse(evidence.contains(springTest4));
assertFalse(evidence.contains(springTest5));
evidence = sdep.getEvidence().getEvidence();
assertTrue(evidence.contains(springTest1));
assertTrue(evidence.contains(springTest2));
assertTrue(evidence.contains(springTest3));
//assertTrue(evidence.contains(springTest4));
//assertTrue(evidence.contains(springTest5));
}
}
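Review bot: `springTest4` and `springTest5` are built from exactly the same arguments as `springTest1` and `springTest3`, so their `assertFalse` checks on the guice evidence repeat earlier ones and the two commented-out `assertTrue` lines at the end can never add coverage; either give them the distinct values they were meant to carry or delete them together with the commented lines. `gdep` and `sdep` start as null and the loop assigns `sdep` to anything that is not guice, so an empty or partial scan surfaces as a NullPointerException at `gdep.getEvidence()` instead of an assertion; `assertNotNull(gdep); assertNotNull(sdep);` after the loop (assertNotNull needs adding to the static imports) makes that failure explicit. `new Engine()` is never released here, whereas VulnerabilitySuppressionAnalyzerIntegrationTest.testAnalyze in this same change ends with `engine.cleanup()`; wrapping the scan and assertions in try/finally with that call keeps the tests consistent. `new File(getResource("guice-3.0.jar").getPath())` breaks on a checkout path containing spaces because `URL.getPath()` is URL-encoded; `new File(url.toURI())` is the safe form, and the same pattern appears in VulnerabilitySuppressionAnalyzerIntegrationTest.testAnalyze and NvdCveUpdaterIntegrationTest.setUp.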


@@ -21,13 +21,10 @@ import java.io.File;
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
@@ -35,26 +32,7 @@ import org.owasp.dependencycheck.dependency.Evidence;
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class JarAnalyzerTest {
public JarAnalyzerTest() {
}
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
public class JarAnalyzerTest extends BaseTest {
/**
* Test of inspect method, of class JarAnalyzer.


@@ -20,12 +20,9 @@ package org.owasp.dependencycheck.analyzer;
import java.io.File;
import java.util.HashSet;
import java.util.Set;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertEquals;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.dependency.Dependency;
@@ -33,26 +30,7 @@ import org.owasp.dependencycheck.dependency.Dependency;
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class JavaScriptAnalyzerTest {
public JavaScriptAnalyzerTest() {
}
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
public class JavaScriptAnalyzerTest extends BaseTest {
/**
* Test of getSupportedExtensions method, of class JavaScriptAnalyzer.


@@ -22,13 +22,14 @@ import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
public class NuspecAnalyzerTest {
public class NuspecAnalyzerTest extends BaseTest {
private NuspecAnalyzer instance;
@Before
public void setUp() {
public void setUp() throws Exception {
instance = new NuspecAnalyzer();
instance.setEnabled(true);
}


@@ -18,10 +18,8 @@
package org.owasp.dependencycheck.analyzer;
import java.io.File;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import org.junit.Test;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
@@ -33,38 +31,7 @@ import org.owasp.dependencycheck.utils.Settings;
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class VulnerabilitySuppressionAnalyzerTest extends AbstractDatabaseTestCase {
public VulnerabilitySuppressionAnalyzerTest() {
}
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
private boolean update = true;
private boolean nexus = false;
@Before
@Override
public void setUp() throws Exception {
super.setUp();
update = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
nexus = Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED);
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
}
@After
@Override
public void tearDown() throws Exception {
super.tearDown();
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, update);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexus);
}
public class VulnerabilitySuppressionAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
/**
* Test of getName method, of class VulnerabilitySuppressionAnalyzer.
@@ -83,7 +50,7 @@ public class VulnerabilitySuppressionAnalyzerTest extends AbstractDatabaseTestCa
@Test
public void testGetAnalysisPhase() {
VulnerabilitySuppressionAnalyzer instance = new VulnerabilitySuppressionAnalyzer();
AnalysisPhase expResult = AnalysisPhase.POST_FINDING_ANALYSIS;;
AnalysisPhase expResult = AnalysisPhase.POST_FINDING_ANALYSIS;
AnalysisPhase result = instance.getAnalysisPhase();
assertEquals(expResult, result);
}
@@ -94,19 +61,26 @@ public class VulnerabilitySuppressionAnalyzerTest extends AbstractDatabaseTestCa
@Test
public void testAnalyze() throws Exception {
File file = new File(this.getClass().getClassLoader().getResource("FileHelpers.2.0.0.0.nupkg").getPath());
File suppression = new File(this.getClass().getClassLoader().getResource("FileHelpers.2.0.0.0.suppression.xml").getPath());
File file = new File(this.getClass().getClassLoader().getResource("commons-fileupload-1.2.1.jar").getPath());
File suppression = new File(this.getClass().getClassLoader().getResource("commons-fileupload-1.2.1.suppression.xml").getPath());
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
Engine engine = new Engine();
engine.scan(file);
engine.analyzeDependencies();
Dependency dependency = getDependency(engine, file);
assertTrue(dependency.getVulnerabilities().size() > 0);
int cveSize = dependency.getVulnerabilities().size();
int cpeSize = dependency.getIdentifiers().size();
assertTrue(cveSize > 0);
assertTrue(cpeSize > 0);
Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppression.getAbsolutePath());
VulnerabilitySuppressionAnalyzer instance = new VulnerabilitySuppressionAnalyzer();
instance.initialize();
instance.analyze(dependency, engine);
assertTrue(dependency.getVulnerabilities().size() == 0);
cveSize = cveSize > 1 ? cveSize - 2 : 0;
cpeSize = cpeSize > 0 ? cpeSize - 1 : 0;
assertTrue(dependency.getVulnerabilities().size() == cveSize);
assertTrue(dependency.getIdentifiers().size() == cpeSize);
engine.cleanup();
}
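Review bot: `assertTrue(dependency.getVulnerabilities().size() == cveSize)` and its `getIdentifiers()` twin report a bare AssertionError on failure; `assertEquals(cveSize, dependency.getVulnerabilities().size())` and `assertEquals(cpeSize, dependency.getIdentifiers().size())` (assertEquals is already statically imported in this file) show expected and actual counts. The clamped arithmetic `cveSize = cveSize > 1 ? cveSize - 2 : 0;` / `cpeSize = cpeSize > 0 ? cpeSize - 1 : 0;` presumably encodes what the suppression file removes; a comment stating that in words, e.g. `// expect the suppression file to drop two vulnerabilities and one identifier`, would make the expected counts readable and explain the lower-bound clamp. `engine.cleanup()` only runs when every assertion passes; moving it into a `finally` keeps a failing assertion from leaving the engine uncleaned. With the `@Before`/`@After` save-and-restore of AUTO_UPDATE and ANALYZER_NEXUS_ENABLED removed, the `Settings.setBoolean` calls in testAnalyze now persist beyond this test unless BaseTest restores settings — worth confirming.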


@@ -17,11 +17,8 @@
*/
package org.owasp.dependencycheck.data.cpe;
import junit.framework.TestCase;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase;
/**
@@ -30,26 +27,11 @@ import org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase;
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public abstract class AbstractDatabaseTestCase extends TestCase {
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
public abstract class AbstractDatabaseTestCase extends BaseTest {
@Before
@Override
public void setUp() throws Exception {
BaseDBTestCase.ensureDBExists();
super.setUp();
}
@After
@Override
public void tearDown() throws Exception {
super.tearDown();
}
}


@@ -69,6 +69,8 @@ public class TokenPairConcatenatingFilterTest extends BaseTokenStreamTestCase {
/**
* Test of clear method, of class TokenPairConcatenatingFilter.
*
* @throws java.io.IOException
*/
@Test
public void testClear() throws IOException {


@@ -17,19 +17,18 @@
*/
package org.owasp.dependencycheck.data.nexus;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import java.io.FileNotFoundException;
import java.net.URL;
import java.util.logging.Logger;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import org.junit.Assume;
import org.junit.Before;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.utils.Settings;
public class NexusSearchTest {
public class NexusSearchTest extends BaseTest {
private static final Logger LOGGER = Logger.getLogger(NexusSearchTest.class.getName());
private NexusSearch searcher;


@@ -17,21 +17,23 @@
*/
package org.owasp.dependencycheck.data.nuget;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.PrintStream;
import static org.junit.Assert.assertEquals;
import org.junit.Test;
import static org.junit.Assert.*;
import org.owasp.dependencycheck.BaseTest;
/**
*
*
* @author colezlaw
*
*/
public class XPathNuspecParserTest {
public class XPathNuspecParserTest extends BaseTest {
/**
* Test all the valid components.
*
*
* @throws Exception if anything goes sideways.
*/
@Test
@@ -46,25 +48,30 @@ public class XPathNuspecParserTest {
assertEquals("Apache Software Foundation", np.getOwners());
assertEquals("http://logging.apache.org/log4net/license.html", np.getLicenseUrl());
}
/**
* Expect a NuspecParseException when what we pass isn't even XML.
*
*
* @throws Exception we expect this.
*/
@Test(expected=NuspecParseException.class)
@Test(expected = NuspecParseException.class)
public void testMissingDocument() throws Exception {
NuspecParser parser = new XPathNuspecParser();
InputStream is = XPathNuspecParserTest.class.getClassLoader().getResourceAsStream("dependencycheck.properties");
//hide the fatal message from the core parser
final ByteArrayOutputStream myOut = new ByteArrayOutputStream();
System.setErr(new PrintStream(myOut));
NugetPackage np = parser.parse(is);
}
/**
* Expect a NuspecParseException when it's valid XML, but not a Nuspec.
*
*
* @throws Exception we expect this.
*/
@Test(expected=NuspecParseException.class)
@Test(expected = NuspecParseException.class)
public void testNotNuspec() throws Exception {
NuspecParser parser = new XPathNuspecParser();
InputStream is = XPathNuspecParserTest.class.getClassLoader().getResourceAsStream("suppressions.xml");
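Review bot: `System.setErr(new PrintStream(myOut))` in testMissingDocument replaces the JVM's stderr for the rest of the test run and nothing restores it, so the stderr output of every test that runs later in the same JVM is swallowed into `myOut`; the rendered page does not show whether these lines are new or pre-existing, but either way capture the original first, `final PrintStream originalErr = System.err;`, and restore it in a `finally` block with `System.setErr(originalErr);`. The `InputStream is` obtained from `getResourceAsStream` is never closed in either expected-exception test; close it in a `finally` (the same applies to testNotNuspec). The switch from an explicit `import static org.junit.Assert.assertEquals;` to `import static org.junit.Assert.*;` goes against the explicit static imports the other test files in this change use.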


@@ -26,20 +26,20 @@ import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import junit.framework.TestCase;
import org.junit.Before;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.utils.Settings;
/**
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public abstract class BaseDBTestCase extends TestCase {
public abstract class BaseDBTestCase extends BaseTest {
protected final static int BUFFER_SIZE = 2048;
@Override
protected void setUp() throws Exception {
super.setUp();
@Before
public void setUp() throws Exception {
ensureDBExists();
}
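Review bot: The new `public void setUp()` no longer calls `super.setUp()`. AbstractDatabaseTestCase in this same change marks its `setUp()` with `@Override` and calls `super.setUp()`, which indicates BaseTest declares a `setUp()`; since the subclass method shadows it, BaseTest's setup body would not run for any BaseDBTestCase subclass (CveDBIntegrationTest, DatabasePropertiesIntegrationTest) unless it is invoked explicitly. Restore the call and mark the override: `@Before @Override public void setUp() throws Exception { super.setUp(); ensureDBExists(); }`. If BaseTest has no `setUp()`, the `@Override` on AbstractDatabaseTestCase would not compile, so one of the two files is inconsistent either way.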


@@ -19,10 +19,7 @@ package org.owasp.dependencycheck.data.nvdcve;
import java.util.List;
import java.util.Set;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import static org.junit.Assert.assertTrue;
import org.junit.Test;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
@@ -30,27 +27,7 @@ import org.owasp.dependencycheck.dependency.VulnerableSoftware;
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class CveDBTest extends BaseDBTestCase {
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
@Before
@Override
public void setUp() throws Exception {
super.setUp();
}
@After
@Override
public void tearDown() throws Exception {
super.tearDown();
}
public class CveDBIntegrationTest extends BaseDBTestCase {
/**
* Pretty useless tests of open, commit, and close methods, of class CveDB.


@@ -18,10 +18,8 @@
package org.owasp.dependencycheck.data.nvdcve;
import java.util.Properties;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import org.junit.Test;
import org.owasp.dependencycheck.data.update.NvdCveInfo;
@@ -29,27 +27,7 @@ import org.owasp.dependencycheck.data.update.NvdCveInfo;
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class DatabasePropertiesTest extends BaseDBTestCase {
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
@Before
@Override
public void setUp() throws Exception {
super.setUp();
}
@After
@Override
public void tearDown() throws Exception {
super.tearDown();
}
public class DatabasePropertiesIntegrationTest extends BaseDBTestCase {
/**
* Test of isEmpty method, of class DatabaseProperties.


@@ -17,38 +17,16 @@
*/
package org.owasp.dependencycheck.data.update;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertEquals;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
/**
* Rigorous test of setters/getters.
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class NvdCveInfoTest {
public NvdCveInfoTest() {
}
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
public class NvdCveInfoTest extends BaseTest {
/**
* Test of setId and getId method, of class NvdCveInfo.


@@ -17,35 +17,43 @@
*/
package org.owasp.dependencycheck.data.update;
import org.junit.After;
import org.junit.AfterClass;
import java.io.File;
import java.util.Calendar;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.utils.Settings;
/**
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class NvdCveUpdaterIntegrationTest {
public NvdCveUpdaterIntegrationTest() {
}
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
public class NvdCveUpdaterIntegrationTest extends BaseTest {
@Before
public void setUp() {
}
public void setUp() throws Exception {
int year = Calendar.getInstance().get(Calendar.YEAR);
if (year <= 2014) {
File f = new File(NvdCveUpdaterIntegrationTest.class.getClassLoader().getResource("nvdcve-2.0-2014.xml").getPath());
String baseURL = f.toURI().toURL().toString();
String modified12 = baseURL.replace("nvdcve-2.0-2014.xml", "nvdcve-modified.xml");
String modified20 = baseURL.replace("nvdcve-2.0-2014.xml", "nvdcve-2.0-modified.xml");
String full12 = baseURL.replace("nvdcve-2.0-2014.xml", "nvdcve-%d.xml");
String full20 = baseURL.replace("nvdcve-2.0-2014.xml", "nvdcve-2.0-%d.xml");
// cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
// cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
// cve.startyear=2014
// cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
// cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
@After
public void tearDown() {
Settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, modified12);
Settings.setString(Settings.KEYS.CVE_MODIFIED_20_URL, modified20);
Settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, full12);
Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, full20);
Settings.setString(Settings.KEYS.CVE_START_YEAR, "2014");
} else {
System.err.println("Consider updating the local data files to make the NvdCveUpdaterIntegrationTest perform faster");
}
}
/**
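Review bot: The round trip through `new File(getResource("nvdcve-2.0-2014.xml").getPath())` and back to `f.toURI().toURL().toString()` breaks when the test classpath contains a space or other URL-encoded character, because `URL.getPath()` returns the encoded form; the resource URL can be used directly: `String baseURL = NvdCveUpdaterIntegrationTest.class.getClassLoader().getResource("nvdcve-2.0-2014.xml").toString();`. The five `// cve.url-…` and `// cve.startyear=2014` lines inside the body are commented-out configuration; they read better as a sentence in the setUp javadoc describing which properties are overridden with the local fixtures. When `year > 2014` the method only prints to stderr and leaves the CVE URL settings untouched, so the integration test presumably then runs against whatever the default settings point at; that fallback deserves a comment at the `else`, e.g. `// fixtures are stale: fall through to the configured default feeds`, since a stderr line is easy to miss in a build log.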
