github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-14 15:53:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: github-mirrors:v1.2.1
Branches Tags
github-mirrors:master github-mirrors:feature/java-version-parse github-mirrors:cvedb-cache github-mirrors:reportGeneration github-mirrors:stevespringett-master github-mirrors:gh-pages github-mirrors:issue690_threadsafe
github-mirrors:v1.4.5 github-mirrors:v1.4.4 github-mirrors:1.4.3 github-mirrors:v1.4.2 github-mirrors:v1.4.1 github-mirrors:v1.4.0 github-mirrors:v1.3.6 github-mirrors:v1.3.5 github-mirrors:v1.3.4 github-mirrors:v1.3.3 github-mirrors:v1.3.2 github-mirrors:v1.3.1 github-mirrors:v1.3.0 github-mirrors:v1.2.11 github-mirrors:v1.2.9 github-mirrors:v1.2.8 github-mirrors:v1.2.7 github-mirrors:v1.2.6 github-mirrors:v1.2.5 github-mirrors:v1.2.4 github-mirrors:v1.2.3 github-mirrors:v1.2.2 github-mirrors:v1.2.1 github-mirrors:v1.2.0.1 github-mirrors:v1.2.0 github-mirrors:v1.1.4 github-mirrors:v1.1.3 github-mirrors:v1.1.2 github-mirrors:v1.1.1 github-mirrors:v1.1.0 github-mirrors:v1.0.8 github-mirrors:v1.0.7 github-mirrors:v1.0.6 github-mirrors:v1.0.5 github-mirrors:v1.0.4 github-mirrors:v1.0.3 github-mirrors:v1.0.2 github-mirrors:v1.0.1 github-mirrors:v0.3.2.4 github-mirrors:v0.3.2.3 github-mirrors:v0.3.2.2 github-mirrors:v0.3.2.0 github-mirrors:v0.3.1.1 github-mirrors:v0.3.1.0 github-mirrors:v0.3.0.0 github-mirrors:v0.2.6.0 github-mirrors:v0.2.5.2 github-mirrors:v0.2.5.1 github-mirrors:v0.2.5.0 github-mirrors:v0.2.4.0 github-mirrors:v0.2.3.2 github-mirrors:v0.2.3.1 github-mirrors:v0.2.3 github-mirrors:v0.2.2 github-mirrors:v0.2.1 github-mirrors:v0.2.0
..
compare: github-mirrors:v1.2.4
Branches Tags
github-mirrors:feature/java-version-parse github-mirrors:cvedb-cache github-mirrors:reportGeneration github-mirrors:master github-mirrors:stevespringett-master github-mirrors:gh-pages github-mirrors:issue690_threadsafe
github-mirrors:v1.4.5 github-mirrors:v1.4.4 github-mirrors:1.4.3 github-mirrors:v1.4.2 github-mirrors:v1.4.1 github-mirrors:v1.4.0 github-mirrors:v1.3.6 github-mirrors:v1.3.5 github-mirrors:v1.3.4 github-mirrors:v1.3.3 github-mirrors:v1.3.2 github-mirrors:v1.3.1 github-mirrors:v1.3.0 github-mirrors:v1.2.11 github-mirrors:v1.2.9 github-mirrors:v1.2.8 github-mirrors:v1.2.7 github-mirrors:v1.2.6 github-mirrors:v1.2.5 github-mirrors:v1.2.4 github-mirrors:v1.2.3 github-mirrors:v1.2.2 github-mirrors:v1.2.1 github-mirrors:v1.2.0.1 github-mirrors:v1.2.0 github-mirrors:v1.1.4 github-mirrors:v1.1.3 github-mirrors:v1.1.2 github-mirrors:v1.1.1 github-mirrors:v1.1.0 github-mirrors:v1.0.8 github-mirrors:v1.0.7 github-mirrors:v1.0.6 github-mirrors:v1.0.5 github-mirrors:v1.0.4 github-mirrors:v1.0.3 github-mirrors:v1.0.2 github-mirrors:v1.0.1 github-mirrors:v0.3.2.4 github-mirrors:v0.3.2.3 github-mirrors:v0.3.2.2 github-mirrors:v0.3.2.0 github-mirrors:v0.3.1.1 github-mirrors:v0.3.1.0 github-mirrors:v0.3.0.0 github-mirrors:v0.2.6.0 github-mirrors:v0.2.5.2 github-mirrors:v0.2.5.1 github-mirrors:v0.2.5.0 github-mirrors:v0.2.4.0 github-mirrors:v0.2.3.2 github-mirrors:v0.2.3.1 github-mirrors:v0.2.3 github-mirrors:v0.2.2 github-mirrors:v0.2.1 github-mirrors:v0.2.0

87 Commits
v1.2.1 ... v1.2.4

Author SHA1 Message Date
Jeremy Long
f2272730ac version 1.2.4 
Former-commit-id: 4de7e508eb1885bb72e866960fa5402f72bf8e49
 2014-08-05 18:45:36 -04:00
Jeremy Long
fe19c97d86 corrected link syntax 
Former-commit-id: 01b9ea03864248a9c5427af6d7238c435c0a4fa7
 2014-08-05 18:45:25 -04:00
Jeremy Long
56b447493e added additional error messages about the proxy if the download fails per issue #136 
Former-commit-id: 7a5dcc58ab959a70b7e086a984f5d9289d749b99
 2014-08-05 10:58:43 -04:00
Jeremy Long
e45b68eda7 fixed issue #140 - false positive is now suppressed 
Former-commit-id: 4b584884e1eb5efa214b1af87d555e6866db917a
 2014-08-05 10:44:33 -04:00
Jeremy Long
8df1ef5986 removed unused values for variables and fixed javadoc 
Former-commit-id: 1fb0be5d88301c5a1043d88b93c052edcebe3c5c
 2014-08-05 09:26:04 -04:00
Jeremy Long
dac34cda82 checkstyle corrections 
Former-commit-id: a888649ce7d75b721e053d305a406ecddbdcdbc4
 2014-08-05 09:25:08 -04:00
Jeremy Long
9925e30c8b removed useless parens 
Former-commit-id: 00ddea8b437494cc32e47e3066a448015d95467b
 2014-08-05 09:24:48 -04:00
Jeremy Long
dc5566b5ae updated the exclusion list for generated code 
Former-commit-id: eeaccab472347cc5fcfe21552c7fc1e9ab8ea1de
 2014-08-05 09:24:16 -04:00
Jeremy Long
8132ee651a added documentation for issue #139 
Former-commit-id: 95fdcf4d95cbe50ba884be561fbec0e9977578a0
 2014-08-05 09:23:47 -04:00
Jeremy Long
f49a134a3d updated sample report 
Former-commit-id: 7f312fec5ffbd8daa609299efdc53b83e83e6bd6
 2014-08-05 09:22:54 -04:00
Jeremy Long
bd955cda06 improved TOC per issue #138 
Former-commit-id: 7cc7ccb9d0dd8257588438220bf61d78caa2bcec
 2014-08-05 09:22:28 -04:00
Jeremy Long
c6dbc01912 ensured FileInputStream is correctly closed 
Former-commit-id: 6e0362476f456e5af07e686fdccf04e600a97de8
 2014-08-05 09:19:35 -04:00
Jeremy Long
fabe1aa940 checkstyle corrections 
Former-commit-id: d23c5d17629f8484c1c07d328c9c1b74a678e062
 2014-08-05 09:19:00 -04:00
Jeremy Long
ba5dbb94b8 removed fully qualified class name from jaxb instantiation 
Former-commit-id: 15d5f9e2013daba62f7e32618958743e87e8ea79
 2014-08-05 09:18:35 -04:00
Jeremy Long
6ccc053d7e added more documentation 
Former-commit-id: 87a761ffe89d36fb2011d5a38d607c35178d70ec
 2014-08-05 09:16:38 -04:00
Jeremy Long
cf21dfaa3a changed warning log message 
Former-commit-id: 9a7fd59cd15e627ed103a6e797bc47518805276b
 2014-08-04 08:05:31 -04:00
Jeremy Long
54ceb630de fixed project descriptions and corrected site deployment issues 
Former-commit-id: 39373b0805b84b99c3e84dbad1c8a2301f277221
 2014-08-04 06:24:00 -04:00
Jeremy Long
0a0c302cb2 re-orered the module listing 
Former-commit-id: 1ec7ccbc98463c5b2af09c973a1bc83319630ec8
 2014-08-04 06:22:11 -04:00
Jeremy Long
f6eef54566 added fix for issue #136 
Former-commit-id: c259a419769b41e138d3cbb3811f1c24652601d5
 2014-08-01 15:09:41 -04:00
Jeremy Long
a69804f84d updated documentation 
Former-commit-id: e8b6c86e47cff66f72ffb53ccba4bef18479b43e
 2014-08-01 14:31:19 -04:00
Jeremy Long
0b06b194b0 added XmlRootElement attribute 
Former-commit-id: a3263e63c8c7b12c90ad388c8eda1ab09e43786c
 2014-08-01 14:22:40 -04:00
Jeremy Long
73f6ce304c corrected jaxb newInstance 
Former-commit-id: 32a1b759ad1e127784ae9bff902cca01c6faaad7
 2014-08-01 14:21:55 -04:00
Jeremy Long
195818a432 minor changes to logger and added a catch for throwable 
Former-commit-id: 0ca337442a3f60db9655c3527711ba16af3096a6
 2014-08-01 06:02:22 -04:00
Jeremy Long
47c817de1c performance improvement for checksum calculations - using MappedByteBuffer 
Former-commit-id: 5024926737f1abbae47da5e95615dd2f2bddbcc6
 2014-07-20 07:54:54 -04:00
Jeremy Long
8b3894f213 removed version from maven usage 
Former-commit-id: 234d0bc0e147cdb9ebf7d1c59e5ef53421589d42
 2014-07-20 06:49:31 -04:00
Jeremy Long
a411252f07 Merge branch 'bkimminich-patch-1' 
Former-commit-id: abe645b3693a6a387de9b36ffedf32382bd24f58
 2014-07-20 06:39:13 -04:00
Jeremy Long
d7626aeb3f Merge branch 'patch-1' of github.com:bkimminich/DependencyCheck into bkimminich-patch-1 
Former-commit-id: aa6a0fc0a9352a1a2d3d4a0dfceb428242b455fd
 2014-07-20 06:38:58 -04:00
Jeremy Long
3565098650 converted abstract class to a final class with a private constructor 
Former-commit-id: 582a421e69eac2bfc008ca8ee2fe88c7734c9a31
 2014-07-20 06:36:33 -04:00
Jeremy Long
803fcf146b minor fix to test case 
Former-commit-id: bf20319aed4f100d124cdeb7abeafe6598778891
 2014-07-19 13:58:30 -04:00
Jeremy Long
d9d646c5fb fixed connection string property 
Former-commit-id: 951cf212c80a52909cc2dd66e843b63b35991045
 2014-07-19 13:57:36 -04:00
Jeremy Long
034a274b07 fixed copy paste error 
Former-commit-id: 83c51cb5b43c635088025a2076121911af32a7ec
 2014-07-19 13:57:15 -04:00
Jeremy Long
718d7af8bc updated to use the new getConnectionString implementation 
Former-commit-id: c5bd68b3d2fb4c2470d6c50dc5f8f9f6036b9fce
 2014-07-19 07:38:51 -04:00
Jeremy Long
860d3d9c8b made the ensureDBExists method perform a correct check rather then the previous hack 
Former-commit-id: 5fae859fa7531761e78022eb2e8c4c41e6d5d150
 2014-07-19 07:38:08 -04:00
Jeremy Long
f28b566992 added data.file_name and data.version 
Former-commit-id: e692a13a216ec6808e3fd92397fd3c50854cfa56
 2014-07-19 07:37:11 -04:00
Jeremy Long
1c261c7463 added more tests 
Former-commit-id: 75a4e44d06838221b060c0569716e85e1c6fc996
 2014-07-19 07:36:35 -04:00
Jeremy Long
226b2482b1 added data.file_name and data.version 
Former-commit-id: 6f33c306170f96f344bb85aa7820cc94cd4d5eeb
 2014-07-19 07:36:16 -04:00
Jeremy Long
ff346dc429 changed getConnectionString to allow a more dynamically constructed string based on more setting keys 
Former-commit-id: 1fb18720ab1a1c6d947bc94366b8ee2ca9cb711e
 2014-07-19 07:35:48 -04:00
Jeremy Long
2dcef25175 performance improvements for large files 
Former-commit-id: 6a49a7066cb01c613b5c6f07c8497601a88e7f8d
 2014-07-19 07:34:50 -04:00
Jeremy Long
46702bbb5c moved checkSumTest.file, checksum.java, and checksumTest.java to dependency-check-utils 
Former-commit-id: 0c05e466b5fe071ca55552660d471431572c0558
 2014-07-17 06:03:21 -04:00
Jeremy Long
5600c9bc69 removed commented out property 
Former-commit-id: 2a07ced007c986d3ab127d8ff216f49c332f41c3
 2014-07-17 06:01:59 -04:00
Jeremy Long
d7e46b1693 corrected the connection string in the test properties 
Former-commit-id: 1c37d4bd4de49cddc34b92a27875e0a07eee600f
 2014-07-17 06:00:59 -04:00
Jeremy Long
fe8c60ade1 added additional setting keys and methods getDataDirectory and getConnectionString 
Former-commit-id: 5e8a55c498fa7ae5331ba4fbeb86cd68b9fd8eda
 2014-07-17 06:00:06 -04:00
Jeremy Long
288892441f corrected javadoc 
Former-commit-id: c0c7d8da486a08dfc3e9232b57166d4c496bb798
 2014-07-17 05:59:10 -04:00
Jeremy Long
e1179a8e22 moved getConnectionString to the Settings class 
Former-commit-id: d35df6d103505888ac4d87f964d8d615996ce614
 2014-07-13 06:56:40 -04:00
Jeremy Long
4b06d0fd87 upgraded version on commons-compress to 1.8.1 
Former-commit-id: 2dc8698035e18764e101b36b11faf9e5c7188c5b
 2014-07-13 06:54:59 -04:00
Jeremy Long
464d91f45a fixed resource leaks found by coverity 
Former-commit-id: 0e2d3b866853e2b906b9683e27602fd244298e55
 2014-07-08 06:17:36 -04:00
Björn Kimminich
5cc7aa25cc Update README.md 
- set version in POM snippet from 1.0.2 to 1.2.3
- set URL to Ant Task docs to http://jeremylong.github.io/DependencyCheck/dependency-check-ant/installation.html

Former-commit-id: 8a2176aee9948b5bfd0c1f08c6c7bb9fdadc45a1
 2014-07-04 14:17:57 +02:00
Jeremy Long
20ec224070 updated version to 1.2.4-SNAPSHOT 
Former-commit-id: 65d0e1ba5ed781e9f70ec7fd0c115a027e3bbc00
 2014-06-28 08:14:49 -04:00
Jeremy Long
9cbcc29ddb added utils to the parent site 
Former-commit-id: 2a80ad86f5ab94fb21131786d9dce3439269f8cb
 2014-06-28 08:14:35 -04:00
Jeremy Long
0badbfc4a0 version 1.2.3 
Former-commit-id: c355adf9813220c4b3dac3450e80a83a245209a6
 2014-06-28 06:06:33 -04:00
Jeremy Long
e042148c62 Merge branch 'colezlaw-master' 
Former-commit-id: 5654a0e5cd8b8524ac317a55a2af5a52408bc8ca
 2014-06-26 20:33:45 -04:00
Jeremy Long
d8ba04ae7f Merge branch 'master' of github.com:colezlaw/DependencyCheck into colezlaw-master 
Former-commit-id: 27bac793e5284df49c0804361c07d4ef559cb251
 2014-06-26 20:33:35 -04:00
Jeremy Long
314d5fdad2 Merge branch 'colezlaw-suppression-fix' 
Former-commit-id: 1e7d9df774347ea043fef8ef3f5d6ca4aebaa15a
 2014-06-26 20:32:07 -04:00
Will Stranathan
5c874cafd1 Fixed suppression analyzer to load from input stream fixing failure 
Former-commit-id: 4e6f8d7fddcf7ed26ad60b7aa8bc3a6b22ae19cc
 2014-06-26 15:14:55 -04:00
Will Stranathan
8cafc14d09 Updated to 1.1 of GrokAssembly.exe to deal with exceptions 
Former-commit-id: 8c1d6ad04e378f2a19e2fcdc9ebc1eab12be9aef
 2014-06-24 10:16:53 -04:00
Jeremy Long
25ac5033fc snapshot version 1.2.3 
Former-commit-id: 58f96e7ef71987a53626287f95b332f04b60a6f6
 2014-06-22 21:33:58 -04:00
Jeremy Long
848be0db6c version 1.2.2 
Former-commit-id: 8da06e1a2f4b41bccc22105d7bc758442bb14e57
 2014-06-22 21:31:58 -04:00
Jeremy Long
0f9da0731e updated text 
Former-commit-id: 7749b9ec6b0ce9502e1c7129bdec902ce5b43595
 2014-06-22 21:22:32 -04:00
Jeremy Long
8bc2364cce added site information to the dependency-check utils 
Former-commit-id: 7d8c4c3c2b98e0d492f4447e5f1dc1f071a2241a
 2014-06-22 19:56:14 -04:00
Jeremy Long
b64916ce3f added file analyzer documentation 
Former-commit-id: c0c29021cd1197f26942ff36c8b63220d1267c21
 2014-06-22 19:55:21 -04:00
Jeremy Long
452955667c checkstyle correction 
Former-commit-id: e5a891ea5b438e64e8a3aa5e697cb859d1a1f09a
 2014-06-22 19:54:25 -04:00
Jeremy Long
f38bbf4cc7 minor javadoc correction 
Former-commit-id: 45e621682304820fe17c17e92bd0aa5ac5dfd023
 2014-06-22 19:53:59 -04:00
Jeremy Long
25eaa11a52 updated description 
Former-commit-id: c8cb8b041ce351c2d33a3621f772e75d02950193
 2014-06-22 19:53:38 -04:00
Jeremy Long
4b4da8d467 checkstyle/pmd/etc. corrections 
Former-commit-id: 59883bd0b03c8690ce9a20120eafefe7c61384cd
 2014-06-22 19:03:33 -04:00
Jeremy Long
13116c5381 added support for suppression by GAV (issue #124), created base suppression.xml (issue #123), and fixed false positives related to spring security (issue #130) 
Former-commit-id: 330134211d022fec336dc1ca39205a94a088ee84
 2014-06-22 16:34:39 -04:00
Jeremy Long
d2cd406a62 added additional test resources 
Former-commit-id: b788c7420b82d8a108cd2335c536be667c2ab293
 2014-06-22 16:32:48 -04:00
Jeremy Long
acbce05fbf updated to support suppression by maven coordinates (GAV) per issue #124 
Former-commit-id: 3cff74ded9b0c352fb1d45e784d89c3c20f55467
 2014-06-20 06:47:46 -04:00
Jeremy Long
bee4d3a338 fixed bug that left false positive, previously fixed, due to the file name modifications that the archive analyzer makes - regex needed updating to not just look for the start of the filename 
Former-commit-id: 922a9edaf9123524585b97e6cb9f8efd4a389031
 2014-06-14 07:04:02 -04:00
Jeremy Long
bce226002b added data.zip back after cleaning up history 
Former-commit-id: 6d227bf38e8023eeb134c965f48fbf859aeb9600
 2014-06-01 11:31:09 -04:00
Jeremy Long
a417db7c7a updated documentation to replace deprecated proxyUrl with proxyServer 
Former-commit-id: 165e14fcb6b57d8a522875eaa65f5ee766c9b1af
 2014-05-31 06:43:07 -04:00
Jeremy Long
0ffef12a8b deprecated the proxyUrl field replacing it with proxyServer; getter and setter for proxyUrl now just wrap proxyServer 
Former-commit-id: 5f1fbdf2eda6f05252f81dd8bf7acd44c01b7b6f
 2014-05-31 06:42:27 -04:00
Jeremy Long
4539b040e0 deprecated proxyUrl and replaced it with proxyServer 
Former-commit-id: 3330de9b2c36742a0b93d478b7dadaccea00cd4a
 2014-05-31 06:39:36 -04:00
Jeremy Long
f85014a86d deprecated proxyUrl and replaced it with proxyServer - using the deprecated configuration will still work but will generate a warning 
Former-commit-id: d9ff32d6b6e2f4d088f95d52ee33f1d0df3457fd
 2014-05-31 06:38:50 -04:00
Jeremy Long
d90d07c68b added code to disable the analyzer if initialization fails 
Former-commit-id: 202baa329f07fb24921ce83660d596d46b71b663
 2014-05-30 05:26:03 -04:00
Jeremy Long
ce292b84fa fixed spelling error in property name 
Former-commit-id: 106e8e9128bc371ff78f3a73c3f0da6012761cba
 2014-05-30 05:25:20 -04:00
Jeremy Long
01690860db renamed PROXY_URL to PROXY_SERVER to avoid confusion 
Former-commit-id: 1fbc025fba68aff644a8b8582657e5ef30024a24
 2014-05-24 07:06:59 -04:00
Jeremy Long
89fb2d4915 fixed error messages and added status code checks 
Former-commit-id: d21ff11466908f07ca02a50269f08d76f16a243e
 2014-05-24 07:06:46 -04:00
Jeremy Long
5cc3a42832 renamed PROXY_URL to PROXY_SERVER to avoid confusion 
Former-commit-id: 730eebed21baddfbd90c42a95769f8781de95b56
 2014-05-24 07:05:05 -04:00
Jeremy Long
60b0145e04 added a new initialize method that accepts a properties file path to load to make the class more versatile 
Former-commit-id: 00ec19b51a20c4ce3329a7c3c075a1f3ba16859e
 2014-05-21 06:42:43 -04:00
Jeremy Long
ce48823d38 Moved some of the utility classes from core to a new utils module 
Former-commit-id: 2e6ff9631ff4c843f10db1e022e41e728394e420
 2014-05-21 06:29:46 -04:00
Jeremy Long
d43fee5585 renamed CallableDownloadTask to DownloadTask 
Former-commit-id: 4ed8987945722d99e0f23b2f379321a652f76348
 2014-05-20 21:08:15 -04:00
Jeremy Long
5dc9e51dd4 fixed test cases 
Former-commit-id: 081ea17023cef3313ce59dbf8ce7f2a8cff706eb
 2014-05-17 08:04:20 -04:00
Jeremy Long
235fcccbd7 if maven identifier already exists we now update it with a hyperlink instead of adding a new one - the Jar analyzer may add a maven identifier based on the pom.xml 
Former-commit-id: db0ae1145d000089fb10e0357566f03632a559b9
 2014-05-17 08:04:03 -04:00
Jeremy Long
91c971b8fd cleaned up pom evidence collection and added a maven identifier if the GAV is available from the pom.xml 
Former-commit-id: 0400863fea2cfe86a5601b3ae134e7e98a4b29c7
 2014-05-17 08:03:04 -04:00
Jeremy Long
e43003cadc fixed false positives related to Apache POI and MS Office CPE/CVE per issue #126 
Former-commit-id: cfde8d86cb339a9f2cf0b8c1f72f5ca198efab8a
 2014-05-14 19:17:47 -04:00
Jeremy Long
9a96165655 Update JarAnalyze to resolve issue #127 
Updated JarAnalyzer to resolve issue #127 - duplicate package and package name evidence in the report.

Former-commit-id: 067643f7e99a7a4f36438b18c07e92a5e8544089
 2014-05-14 18:01:12 -04:00
Jeremy Long
994aef411c updated version to 1.2.2-SNAPSHOT 
Former-commit-id: e1b07457515dcab0f00c6a0b36fadb58ecc3deeb
 2014-05-10 08:41:37 -04:00
84 changed files with 12436 additions and 13043 deletions
Expand all files Collapse all files

5
README.md
View File

@@ -40,7 +40,6 @@ The plugin can be configured using the following:
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>1.0.2</version>
<executions>
<execution>
<goals>
@@ -59,7 +58,7 @@ The plugin can be configured using the following:
### Ant Task
For instructions on the use of the Ant Task, please see the [dependency-check-ant github page](http://jeremylong.github.io/DependencyCheck/dependency-check-maven/installation.html).
For instructions on the use of the Ant Task, please see the [dependency-check-ant github page](http://jeremylong.github.io/DependencyCheck/dependency-check-ant/installation.html).
Development Usage
-------------
@@ -106,4 +105,4 @@ Dependency-Check makes use of several other open source libraries. Please see th
[wiki]: https://github.com/jeremylong/DependencyCheck/wiki
[subscribe]: mailto:dependency-check+subscribe@googlegroups.com
[post]: mailto:dependency-check@googlegroups.com
[notices]: https://github.com/jeremylong/DependencyCheck/blob/master/NOTICES.txt
[notices]: https://github.com/jeremylong/DependencyCheck/blob/master/NOTICES.txt

12
dependency-check-ant/pom.xml
View File

@@ -21,14 +21,14 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.2.1</version>
<version>1.2.4</version>
</parent>
<artifactId>dependency-check-ant</artifactId>
<packaging>jar</packaging>
<name>Dependency-Check Ant Task</name>
<description>Dependency-check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.</description>
<description>dependency-check-ant is an Ant Task that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the project's dependencies. The task will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.</description>
<!-- begin copy from http://minds.coremedia.com/2012/09/11/problem-solved-deploy-multi-module-maven-project-site-as-github-pages/ -->
<distributionManagement>
<site>
@@ -324,6 +324,9 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.9.1</version>
<configuration>
<bottom>Copyright© 2012-14 Jeremy Long. All Rights Reserved.</bottom>
</configuration>
<reportSets>
<reportSet>
<id>default</id>
@@ -439,6 +442,11 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<artifactId>dependency-check-core</artifactId>
<version>${project.parent.version}</version>
</dependency>
<dependency>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-utils</artifactId>
<version>${project.parent.version}</version>
</dependency>
<dependency>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-core</artifactId>

48
dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java
View File

@@ -285,26 +285,50 @@ public class DependencyCheckTask extends Task {
this.reportFormat = reportFormat.getValue();
}
/**
* The Proxy URL.
* The Proxy Server.
*/
private String proxyUrl;
private String proxyServer;
/**
* Get the value of proxyUrl.
* Get the value of proxyServer.
*
* @return the value of proxyUrl
* @return the value of proxyServer
*/
public String getProxyUrl() {
return proxyUrl;
public String getProxyServer() {
return proxyServer;
}
/**
* Set the value of proxyUrl.
* Set the value of proxyServer.
*
* @param proxyUrl new value of proxyUrl
* @param server new value of proxyServer
*/
public void setProxyServer(String server) {
this.proxyServer = server;
}
/**
* Get the value of proxyServer.
*
* @return the value of proxyServer
* @deprecated use {@link org.owasp.dependencycheck.taskdefs.DependencyCheckTask#getProxyServer()} instead
*/
@Deprecated
public String getProxyUrl() {
return proxyServer;
}
/**
* Set the value of proxyServer.
*
* @param proxyUrl new value of proxyServer
* @deprecated use {@link org.owasp.dependencycheck.taskdefs.DependencyCheckTask#setProxyServer(java.lang.String)}
* instead
*/
@Deprecated
public void setProxyUrl(String proxyUrl) {
this.proxyUrl = proxyUrl;
LOGGER.warning("A deprecated configuration option 'proxyUrl' was detected; use 'proxyServer' instead.");
this.proxyServer = proxyUrl;
}
/**
* The Proxy Port.
@@ -935,7 +959,7 @@ public class DependencyCheckTask extends Task {
/**
* Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system
* properties required to change the proxy url, port, and connection timeout.
* properties required to change the proxy server, port, and connection timeout.
*/
private void populateSettings() {
Settings.initialize();
@@ -967,8 +991,8 @@ public class DependencyCheckTask extends Task {
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
if (proxyUrl != null && !proxyUrl.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);
if (proxyServer != null && !proxyServer.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_SERVER, proxyServer);
}
if (proxyPort != null && !proxyPort.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);

2
dependency-check-ant/src/site/markdown/configuration.md
View File

@@ -32,7 +32,7 @@ failBuildOnCVSS | Specifies if the build should be failed if a CVSS score a
format | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
logFile | The file path to write verbose logging information. | &nbsp;
suppressionFile | The file path to the XML suppression file \- used to suppress [false positives](../suppression.html) | &nbsp;
proxyUrl | The Proxy URL. | &nbsp;
proxyServer | The Proxy Server. | &nbsp;
proxyPort | The Proxy Port. | &nbsp;
proxyUsername | Defines the proxy user name. | &nbsp;
proxyPassword | Defines the proxy password. | &nbsp;

15
dependency-check-ant/src/site/markdown/installation.md.vm
View File

@@ -3,7 +3,20 @@ Installation
Download dependency-check-ant from [bintray here](http://dl.bintray.com/jeremy-long/owasp/dependency-check-ant-${project.version}.jar).
To install dependency-check-ant place the dependency-check-ant-${project.version}.jar into
the lib directory of your Ant instalation directory. Once installed you can add
the taskdef to you build.xml and add the task to a new or existing target.
the taskdef to you build.xml and add the task to a new or existing target:
```xml
<taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.DependencyCheckTask"/>
```
If you do not want to install dependency-check-ant into your ant's lib directory when you define the task def you
must add the classpath to the taskdef:
```xml
<taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.DependencyCheckTask">
<classpath path="[path]/[to]/dependency-check-ant-${project.version}.jar"/>
</taskdef>
```
It is important to understand that the first time this task is executed it may
take 20 minutes or more as it downloads and processes the data from the National

10
dependency-check-ant/src/site/markdown/usage.md → dependency-check-ant/src/site/markdown/usage.md.vm
View File

@@ -1,11 +1,19 @@
Usage
====================
First, add the dependency-check-ant taskdef to your build.xml:
First, add the dependency-check-ant taskdef to your build.xml (see the [installation guide](installation.html):
```xml
<taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.DependencyCheckTask"/>
```
Or
```xml
<taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.DependencyCheckTask">
<classpath path="[path]/[to]/dependency-check-ant-${project.version}.jar"/>
</taskdef>
```
Next, add the task to a target of your choosing:
```xml

12
dependency-check-cli/pom.xml
View File

@@ -21,14 +21,14 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.2.1</version>
<version>1.2.4</version>
</parent>
<artifactId>dependency-check-cli</artifactId>
<packaging>jar</packaging>
<name>Dependency-Check Command Line</name>
<description>Dependency-Check-Maven is a Maven Plugin that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.</description>
<description>dependency-check-cli is an command line tool that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the scanned project dependencies. The tool will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.</description>
<!-- begin copy from http://minds.coremedia.com/2012/09/11/problem-solved-deploy-multi-module-maven-project-site-as-github-pages/ -->
<distributionManagement>
<site>
@@ -174,6 +174,9 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.9.1</version>
<configuration>
<bottom>Copyright© 2012-14 Jeremy Long. All Rights Reserved.</bottom>
</configuration>
<reportSets>
<reportSet>
<id>default</id>
@@ -341,5 +344,10 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<artifactId>dependency-check-core</artifactId>
<version>${project.parent.version}</version>
</dependency>
<dependency>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-utils</artifactId>
<version>${project.parent.version}</version>
</dependency>
</dependencies>
</project>

6
dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
View File

@@ -161,7 +161,7 @@ public class App {
final boolean autoUpdate = cli.isAutoUpdate();
final String connectionTimeout = cli.getConnectionTimeout();
final String proxyUrl = cli.getProxyUrl();
final String proxyServer = cli.getProxyServer();
final String proxyPort = cli.getProxyPort();
final String proxyUser = cli.getProxyUsername();
final String proxyPass = cli.getProxyPassword();
@@ -212,8 +212,8 @@ public class App {
Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
}
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
if (proxyUrl != null && !proxyUrl.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);
if (proxyServer != null && !proxyServer.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_SERVER, proxyServer);
}
if (proxyPort != null && !proxyPort.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);

217
dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java
View File

@@ -19,6 +19,7 @@ package org.owasp.dependencycheck.cli;
import java.io.File;
import java.io.FileNotFoundException;
import java.util.logging.Logger;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.CommandLineParser;
import org.apache.commons.cli.HelpFormatter;
@@ -39,6 +40,10 @@ import org.owasp.dependencycheck.utils.Settings;
*/
public final class CliParser {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(CliParser.class.getName());
/**
* The command line.
*/
@@ -85,16 +90,16 @@ public final class CliParser {
*/
private void validateArgs() throws FileNotFoundException, ParseException {
if (isRunScan()) {
validatePathExists(getScanFiles(), ArgumentName.SCAN);
validatePathExists(getReportDirectory(), ArgumentName.OUT);
validatePathExists(getScanFiles(), ARGUMENT.SCAN);
validatePathExists(getReportDirectory(), ARGUMENT.OUT);
if (getPathToMono() != null) {
validatePathExists(getPathToMono(), ArgumentName.PATH_TO_MONO);
validatePathExists(getPathToMono(), ARGUMENT.PATH_TO_MONO);
}
if (!line.hasOption(ArgumentName.APP_NAME)) {
if (!line.hasOption(ARGUMENT.APP_NAME)) {
throw new ParseException("Missing 'app' argument; the scan cannot be run without the an application name.");
}
if (line.hasOption(ArgumentName.OUTPUT_FORMAT)) {
final String format = line.getOptionValue(ArgumentName.OUTPUT_FORMAT);
if (line.hasOption(ARGUMENT.OUTPUT_FORMAT)) {
final String format = line.getOptionValue(ARGUMENT.OUTPUT_FORMAT);
try {
Format.valueOf(format);
} catch (IllegalArgumentException ex) {
@@ -150,7 +155,7 @@ public final class CliParser {
final Options options = new Options();
addStandardOptions(options);
addAdvancedOptions(options);
addDeprecatedOptions(options);
return options;
}
@@ -162,44 +167,44 @@ public final class CliParser {
*/
@SuppressWarnings("static-access")
private void addStandardOptions(final Options options) throws IllegalArgumentException {
final Option help = new Option(ArgumentName.HELP_SHORT, ArgumentName.HELP, false,
final Option help = new Option(ARGUMENT.HELP_SHORT, ARGUMENT.HELP, false,
"Print this message.");
final Option advancedHelp = OptionBuilder.withLongOpt(ArgumentName.ADVANCED_HELP)
final Option advancedHelp = OptionBuilder.withLongOpt(ARGUMENT.ADVANCED_HELP)
.withDescription("Print the advanced help message.").create();
final Option version = new Option(ArgumentName.VERSION_SHORT, ArgumentName.VERSION,
final Option version = new Option(ARGUMENT.VERSION_SHORT, ARGUMENT.VERSION,
false, "Print the version information.");
final Option noUpdate = new Option(ArgumentName.DISABLE_AUTO_UPDATE_SHORT, ArgumentName.DISABLE_AUTO_UPDATE,
final Option noUpdate = new Option(ARGUMENT.DISABLE_AUTO_UPDATE_SHORT, ARGUMENT.DISABLE_AUTO_UPDATE,
false, "Disables the automatic updating of the CPE data.");
final Option appName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ArgumentName.APP_NAME)
final Option appName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ARGUMENT.APP_NAME)
.withDescription("The name of the application being scanned. This is a required argument.")
.create(ArgumentName.APP_NAME_SHORT);
.create(ARGUMENT.APP_NAME_SHORT);
final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.SCAN)
final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.SCAN)
.withDescription("The path to scan - this option can be specified multiple times. To limit the scan"
+ " to specific file types *.[ext] can be added to the end of the path.")
.create(ArgumentName.SCAN_SHORT);
.create(ARGUMENT.SCAN_SHORT);
final Option props = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.PROP)
final Option props = OptionBuilder.withArgName("file").hasArg().withLongOpt(ARGUMENT.PROP)
.withDescription("A property file to load.")
.create(ArgumentName.PROP_SHORT);
.create(ARGUMENT.PROP_SHORT);
final Option out = OptionBuilder.withArgName("folder").hasArg().withLongOpt(ArgumentName.OUT)
final Option out = OptionBuilder.withArgName("folder").hasArg().withLongOpt(ARGUMENT.OUT)
.withDescription("The folder to write reports to. This defaults to the current directory.")
.create(ArgumentName.OUT_SHORT);
.create(ARGUMENT.OUT_SHORT);
final Option outputFormat = OptionBuilder.withArgName("format").hasArg().withLongOpt(ArgumentName.OUTPUT_FORMAT)
final Option outputFormat = OptionBuilder.withArgName("format").hasArg().withLongOpt(ARGUMENT.OUTPUT_FORMAT)
.withDescription("The output format to write to (XML, HTML, VULN, ALL). The default is HTML.")
.create(ArgumentName.OUTPUT_FORMAT_SHORT);
.create(ARGUMENT.OUTPUT_FORMAT_SHORT);
final Option verboseLog = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.VERBOSE_LOG)
final Option verboseLog = OptionBuilder.withArgName("file").hasArg().withLongOpt(ARGUMENT.VERBOSE_LOG)
.withDescription("The file path to write verbose logging information.")
.create(ArgumentName.VERBOSE_LOG_SHORT);
.create(ARGUMENT.VERBOSE_LOG_SHORT);
final Option suppressionFile = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.SUPPRESSION_FILE)
final Option suppressionFile = OptionBuilder.withArgName("file").hasArg().withLongOpt(ARGUMENT.SUPPRESSION_FILE)
.withDescription("The file path to the suppression XML file.")
.create();
@@ -230,87 +235,87 @@ public final class CliParser {
@SuppressWarnings("static-access")
private void addAdvancedOptions(final Options options) throws IllegalArgumentException {
final Option data = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.DATA_DIRECTORY)
final Option data = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.DATA_DIRECTORY)
.withDescription("The location of the H2 Database file. This option should generally not be set.")
.create(ArgumentName.DATA_DIRECTORY_SHORT);
.create(ARGUMENT.DATA_DIRECTORY_SHORT);
final Option connectionTimeout = OptionBuilder.withArgName("timeout").hasArg().withLongOpt(ArgumentName.CONNECTION_TIMEOUT)
final Option connectionTimeout = OptionBuilder.withArgName("timeout").hasArg().withLongOpt(ARGUMENT.CONNECTION_TIMEOUT)
.withDescription("The connection timeout (in milliseconds) to use when downloading resources.")
.create(ArgumentName.CONNECTION_TIMEOUT_SHORT);
.create(ARGUMENT.CONNECTION_TIMEOUT_SHORT);
final Option proxyUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ArgumentName.PROXY_URL)
.withDescription("The proxy url to use when downloading resources.")
.create(ArgumentName.PROXY_URL_SHORT);
final Option proxyServer = OptionBuilder.withArgName("server").hasArg().withLongOpt(ARGUMENT.PROXY_SERVER)
.withDescription("The proxy server to use when downloading resources.")
.create();
final Option proxyPort = OptionBuilder.withArgName("port").hasArg().withLongOpt(ArgumentName.PROXY_PORT)
final Option proxyPort = OptionBuilder.withArgName("port").hasArg().withLongOpt(ARGUMENT.PROXY_PORT)
.withDescription("The proxy port to use when downloading resources.")
.create(ArgumentName.PROXY_PORT_SHORT);
.create();
final Option proxyUsername = OptionBuilder.withArgName("user").hasArg().withLongOpt(ArgumentName.PROXY_USERNAME)
final Option proxyUsername = OptionBuilder.withArgName("user").hasArg().withLongOpt(ARGUMENT.PROXY_USERNAME)
.withDescription("The proxy username to use when downloading resources.")
.create();
final Option proxyPassword = OptionBuilder.withArgName("pass").hasArg().withLongOpt(ArgumentName.PROXY_PASSWORD)
final Option proxyPassword = OptionBuilder.withArgName("pass").hasArg().withLongOpt(ARGUMENT.PROXY_PASSWORD)
.withDescription("The proxy password to use when downloading resources.")
.create();
final Option connectionString = OptionBuilder.withArgName("connStr").hasArg().withLongOpt(ArgumentName.CONNECTION_STRING)
final Option connectionString = OptionBuilder.withArgName("connStr").hasArg().withLongOpt(ARGUMENT.CONNECTION_STRING)
.withDescription("The connection string to the database.")
.create();
final Option dbUser = OptionBuilder.withArgName("user").hasArg().withLongOpt(ArgumentName.DB_NAME)
final Option dbUser = OptionBuilder.withArgName("user").hasArg().withLongOpt(ARGUMENT.DB_NAME)
.withDescription("The username used to connect to the database.")
.create();
final Option dbPassword = OptionBuilder.withArgName("password").hasArg().withLongOpt(ArgumentName.DB_PASSWORD)
final Option dbPassword = OptionBuilder.withArgName("password").hasArg().withLongOpt(ARGUMENT.DB_PASSWORD)
.withDescription("The password for connecting to the database.")
.create();
final Option dbDriver = OptionBuilder.withArgName("driver").hasArg().withLongOpt(ArgumentName.DB_DRIVER)
final Option dbDriver = OptionBuilder.withArgName("driver").hasArg().withLongOpt(ARGUMENT.DB_DRIVER)
.withDescription("The database driver name.")
.create();
final Option dbDriverPath = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.DB_DRIVER_PATH)
final Option dbDriverPath = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.DB_DRIVER_PATH)
.withDescription("The path to the database driver; note, this does not need to be set unless the JAR is outside of the classpath.")
.create();
final Option disableJarAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_JAR)
final Option disableJarAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_JAR)
.withDescription("Disable the Jar Analyzer.")
.create();
final Option disableArchiveAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_ARCHIVE)
final Option disableArchiveAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_ARCHIVE)
.withDescription("Disable the Archive Analyzer.")
.create();
final Option disableNuspecAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_NUSPEC)
final Option disableNuspecAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_NUSPEC)
.withDescription("Disable the Nuspec Analyzer.")
.create();
final Option disableAssemblyAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_ASSEMBLY)
final Option disableAssemblyAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_ASSEMBLY)
.withDescription("Disable the .NET Assembly Analyzer.")
.create();
final Option disableNexusAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_NEXUS)
final Option disableNexusAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_NEXUS)
.withDescription("Disable the Nexus Analyzer.")
.create();
final Option nexusUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ArgumentName.NEXUS_URL)
final Option nexusUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.NEXUS_URL)
.withDescription("The url to the Nexus Server.")
.create();
final Option nexusUsesProxy = OptionBuilder.withArgName("true/false").hasArg().withLongOpt(ArgumentName.NEXUS_USES_PROXY)
final Option nexusUsesProxy = OptionBuilder.withArgName("true/false").hasArg().withLongOpt(ARGUMENT.NEXUS_USES_PROXY)
.withDescription("Whether or not the configured proxy should be used when connecting to Nexus.")
.create();
final Option additionalZipExtensions = OptionBuilder.withArgName("extensions").hasArg()
.withLongOpt(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS)
.withLongOpt(ARGUMENT.ADDITIONAL_ZIP_EXTENSIONS)
.withDescription("A comma separated list of additional extensions to be scanned as ZIP files "
+ "(ZIP, EAR, WAR are already treated as zip files)")
.create();
final Option pathToMono = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.PATH_TO_MONO)
final Option pathToMono = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.PATH_TO_MONO)
.withDescription("The path to Mono for .NET Assembly analysis on non-windows systems.")
.create();
options.addOption(proxyPort)
.addOption(proxyUrl)
.addOption(proxyServer)
.addOption(proxyUsername)
.addOption(proxyPassword)
.addOption(connectionTimeout)
@@ -331,13 +336,30 @@ public final class CliParser {
.addOption(pathToMono);
}
/**
* Adds the deprecated command line options to the given options collection. These are split out for purposes of not
* including them in the help message. We need to add the deprecated options so as not to break existing scripts.
*
* @param options a collection of command line arguments
* @throws IllegalArgumentException thrown if there is an exception
*/
@SuppressWarnings("static-access")
private void addDeprecatedOptions(final Options options) throws IllegalArgumentException {
final Option proxyServer = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.PROXY_URL)
.withDescription("The proxy url argument is deprecated, use proxyserver instead.")
.create();
options.addOption(proxyServer);
}
/**
* Determines if the 'version' command line argument was passed in.
*
* @return whether or not the 'version' command line argument was passed in
*/
public boolean isGetVersion() {
return (line != null) && line.hasOption(ArgumentName.VERSION);
return (line != null) && line.hasOption(ARGUMENT.VERSION);
}
/**
@@ -346,7 +368,7 @@ public final class CliParser {
* @return whether or not the 'help' command line argument was passed in
*/
public boolean isGetHelp() {
return (line != null) && line.hasOption(ArgumentName.HELP);
return (line != null) && line.hasOption(ARGUMENT.HELP);
}
/**
@@ -355,7 +377,7 @@ public final class CliParser {
* @return whether or not the 'scan' command line argument was passed in
*/
public boolean isRunScan() {
return (line != null) && isValid && line.hasOption(ArgumentName.SCAN);
return (line != null) && isValid && line.hasOption(ARGUMENT.SCAN);
}
/**
@@ -364,7 +386,7 @@ public final class CliParser {
* @return true if the disableJar command line argument was specified; otherwise false
*/
public boolean isJarDisabled() {
return (line != null) && line.hasOption(ArgumentName.DISABLE_JAR);
return (line != null) && line.hasOption(ARGUMENT.DISABLE_JAR);
}
/**
@@ -373,7 +395,7 @@ public final class CliParser {
* @return true if the disableArchive command line argument was specified; otherwise false
*/
public boolean isArchiveDisabled() {
return (line != null) && line.hasOption(ArgumentName.DISABLE_ARCHIVE);
return (line != null) && line.hasOption(ARGUMENT.DISABLE_ARCHIVE);
}
/**
@@ -382,7 +404,7 @@ public final class CliParser {
* @return true if the disableNuspec command line argument was specified; otherwise false
*/
public boolean isNuspecDisabled() {
return (line != null) && line.hasOption(ArgumentName.DISABLE_NUSPEC);
return (line != null) && line.hasOption(ARGUMENT.DISABLE_NUSPEC);
}
/**
@@ -391,7 +413,7 @@ public final class CliParser {
* @return true if the disableAssembly command line argument was specified; otherwise false
*/
public boolean isAssemblyDisabled() {
return (line != null) && line.hasOption(ArgumentName.DISABLE_ASSEMBLY);
return (line != null) && line.hasOption(ARGUMENT.DISABLE_ASSEMBLY);
}
/**
@@ -400,7 +422,7 @@ public final class CliParser {
* @return true if the disableNexus command line argument was specified; otherwise false
*/
public boolean isNexusDisabled() {
return (line != null) && line.hasOption(ArgumentName.DISABLE_NEXUS);
return (line != null) && line.hasOption(ARGUMENT.DISABLE_NEXUS);
}
/**
@@ -409,10 +431,10 @@ public final class CliParser {
* @return the url to the nexus server; if none was specified this will return null;
*/
public String getNexusUrl() {
if (line == null || !line.hasOption(ArgumentName.NEXUS_URL)) {
if (line == null || !line.hasOption(ARGUMENT.NEXUS_URL)) {
return null;
} else {
return line.getOptionValue(ArgumentName.NEXUS_URL);
return line.getOptionValue(ARGUMENT.NEXUS_URL);
}
}
@@ -425,14 +447,14 @@ public final class CliParser {
public boolean isNexusUsesProxy() {
// If they didn't specify whether Nexus needs to use the proxy, we should
// still honor the property if it's set.
if (line == null || !line.hasOption(ArgumentName.NEXUS_USES_PROXY)) {
if (line == null || !line.hasOption(ARGUMENT.NEXUS_USES_PROXY)) {
try {
return Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY);
} catch (InvalidSettingException ise) {
return true;
}
} else {
return Boolean.parseBoolean(line.getOptionValue(ArgumentName.NEXUS_USES_PROXY));
return Boolean.parseBoolean(line.getOptionValue(ARGUMENT.NEXUS_USES_PROXY));
}
}
@@ -443,7 +465,7 @@ public final class CliParser {
final HelpFormatter formatter = new HelpFormatter();
final Options options = new Options();
addStandardOptions(options);
if (line != null && line.hasOption(ArgumentName.ADVANCED_HELP)) {
if (line != null && line.hasOption(ARGUMENT.ADVANCED_HELP)) {
addAdvancedOptions(options);
}
final String helpMsg = String.format("%n%s"
@@ -466,7 +488,7 @@ public final class CliParser {
* @return the file paths specified on the command line for scan
*/
public String[] getScanFiles() {
return line.getOptionValues(ArgumentName.SCAN);
return line.getOptionValues(ARGUMENT.SCAN);
}
/**
@@ -475,7 +497,7 @@ public final class CliParser {
* @return the path to the reports directory.
*/
public String getReportDirectory() {
return line.getOptionValue(ArgumentName.OUT, ".");
return line.getOptionValue(ARGUMENT.OUT, ".");
}
/**
@@ -484,7 +506,7 @@ public final class CliParser {
* @return the path to Mono
*/
public String getPathToMono() {
return line.getOptionValue(ArgumentName.PATH_TO_MONO);
return line.getOptionValue(ARGUMENT.PATH_TO_MONO);
}
/**
@@ -493,7 +515,7 @@ public final class CliParser {
* @return the output format name.
*/
public String getReportFormat() {
return line.getOptionValue(ArgumentName.OUTPUT_FORMAT, "HTML");
return line.getOptionValue(ARGUMENT.OUTPUT_FORMAT, "HTML");
}
/**
@@ -502,7 +524,7 @@ public final class CliParser {
* @return the application name.
*/
public String getApplicationName() {
return line.getOptionValue(ArgumentName.APP_NAME);
return line.getOptionValue(ARGUMENT.APP_NAME);
}
/**
@@ -511,16 +533,24 @@ public final class CliParser {
* @return the connection timeout
*/
public String getConnectionTimeout() {
return line.getOptionValue(ArgumentName.CONNECTION_TIMEOUT);
return line.getOptionValue(ARGUMENT.CONNECTION_TIMEOUT);
}
/**
* Returns the proxy url.
* Returns the proxy server.
*
* @return the proxy url
* @return the proxy server
*/
public String getProxyUrl() {
return line.getOptionValue(ArgumentName.PROXY_URL);
public String getProxyServer() {
String server = line.getOptionValue(ARGUMENT.PROXY_SERVER);
if (server == null) {
server = line.getOptionValue(ARGUMENT.PROXY_URL);
if (server != null) {
LOGGER.warning("An old command line argument 'proxyurl' was detected; use proxyserver instead");
}
}
return server;
}
/**
@@ -529,7 +559,7 @@ public final class CliParser {
* @return the proxy port
*/
public String getProxyPort() {
return line.getOptionValue(ArgumentName.PROXY_PORT);
return line.getOptionValue(ARGUMENT.PROXY_PORT);
}
/**
@@ -538,7 +568,7 @@ public final class CliParser {
* @return the proxy username
*/
public String getProxyUsername() {
return line.getOptionValue(ArgumentName.PROXY_USERNAME);
return line.getOptionValue(ARGUMENT.PROXY_USERNAME);
}
/**
@@ -547,7 +577,7 @@ public final class CliParser {
* @return the proxy password
*/
public String getProxyPassword() {
return line.getOptionValue(ArgumentName.PROXY_PASSWORD);
return line.getOptionValue(ARGUMENT.PROXY_PASSWORD);
}
/**
@@ -556,7 +586,7 @@ public final class CliParser {
* @return the value of dataDirectory
*/
public String getDataDirectory() {
return line.getOptionValue(ArgumentName.DATA_DIRECTORY);
return line.getOptionValue(ARGUMENT.DATA_DIRECTORY);
}
/**
@@ -565,7 +595,7 @@ public final class CliParser {
* @return the properties file specified on the command line
*/
public File getPropertiesFile() {
final String path = line.getOptionValue(ArgumentName.PROP);
final String path = line.getOptionValue(ARGUMENT.PROP);
if (path != null) {
return new File(path);
}
@@ -578,7 +608,7 @@ public final class CliParser {
* @return the path to the verbose log file
*/
public String getVerboseLog() {
return line.getOptionValue(ArgumentName.VERBOSE_LOG);
return line.getOptionValue(ARGUMENT.VERBOSE_LOG);
}
/**
@@ -587,7 +617,7 @@ public final class CliParser {
* @return the path to the suppression file
*/
public String getSuppressionFile() {
return line.getOptionValue(ArgumentName.SUPPRESSION_FILE);
return line.getOptionValue(ARGUMENT.SUPPRESSION_FILE);
}
/**
@@ -610,7 +640,7 @@ public final class CliParser {
* @return if auto-update is allowed.
*/
public boolean isAutoUpdate() {
return (line == null) || !line.hasOption(ArgumentName.DISABLE_AUTO_UPDATE);
return (line == null) || !line.hasOption(ARGUMENT.DISABLE_AUTO_UPDATE);
}
/**
@@ -619,7 +649,7 @@ public final class CliParser {
* @return the database driver name if specified; otherwise null is returned
*/
public String getDatabaseDriverName() {
return line.getOptionValue(ArgumentName.DB_DRIVER);
return line.getOptionValue(ARGUMENT.DB_DRIVER);
}
/**
@@ -628,7 +658,7 @@ public final class CliParser {
* @return the database driver name if specified; otherwise null is returned
*/
public String getDatabaseDriverPath() {
return line.getOptionValue(ArgumentName.DB_DRIVER_PATH);
return line.getOptionValue(ARGUMENT.DB_DRIVER_PATH);
}
/**
@@ -637,7 +667,7 @@ public final class CliParser {
* @return the database connection string if specified; otherwise null is returned
*/
public String getConnectionString() {
return line.getOptionValue(ArgumentName.CONNECTION_STRING);
return line.getOptionValue(ARGUMENT.CONNECTION_STRING);
}
/**
@@ -646,7 +676,7 @@ public final class CliParser {
* @return the database database user name if specified; otherwise null is returned
*/
public String getDatabaseUser() {
return line.getOptionValue(ArgumentName.DB_NAME);
return line.getOptionValue(ARGUMENT.DB_NAME);
}
/**
@@ -655,7 +685,7 @@ public final class CliParser {
* @return the database database password if specified; otherwise null is returned
*/
public String getDatabasePassword() {
return line.getOptionValue(ArgumentName.DB_PASSWORD);
return line.getOptionValue(ARGUMENT.DB_PASSWORD);
}
/**
@@ -664,13 +694,13 @@ public final class CliParser {
* @return the additional Extensions; otherwise null is returned
*/
public String getAdditionalZipExtensions() {
return line.getOptionValue(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS);
return line.getOptionValue(ARGUMENT.ADDITIONAL_ZIP_EXTENSIONS);
}
/**
* A collection of static final strings that represent the possible command line arguments.
*/
public static class ArgumentName {
public static class ARGUMENT {
/**
* The long CLI argument name specifying the directory/file to scan.
@@ -732,21 +762,20 @@ public final class CliParser {
* The short CLI argument name asking for the version.
*/
public static final String VERSION = "version";
/**
* The short CLI argument name indicating the proxy port.
*/
public static final String PROXY_PORT_SHORT = "p";
/**
* The CLI argument name indicating the proxy port.
*/
public static final String PROXY_PORT = "proxyport";
/**
* The short CLI argument name indicating the proxy url.
* The CLI argument name indicating the proxy server.
*/
public static final String PROXY_URL_SHORT = "u";
public static final String PROXY_SERVER = "proxyserver";
/**
* The CLI argument name indicating the proxy url.
*
* @deprecated use {@link org.owasp.dependencycheck.cli.CliParser.ArgumentName#PROXY_SERVER} instead
*/
@Deprecated
public static final String PROXY_URL = "proxyurl";
/**
* The CLI argument name indicating the proxy username.

6
dependency-check-cli/src/site/markdown/arguments.md
View File

@@ -3,7 +3,7 @@ Command Line Arguments
The following table lists the command line arguments:
Short | Argument Name | Parameter | Description | Requirement
Short | Argument&nbsp;Name&nbsp;&nbsp; | Parameter | Description | Requirement
-------|-----------------------|-----------------|-------------|------------
\-a | \-\-app | \<name\> | The name of the application being scanned. This is a required argument. | Required
\-s | \-\-scan | \<path\> | The path to scan \- this option can be specified multiple times. It is also possible to specify specific file types that should be scanned by supplying a scan path of '[path]/[to]/[scan]/*.zip'. The wild card can only be used to denote any file-name with a specific extension. | Required
@@ -18,7 +18,7 @@ Short | Argument Name | Parameter | Description | Requirement
Advanced Options
================
Short | Argument Name | Parameter | Description | Default Value
Short | Argument&nbsp;Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Parameter | Description | Default&nbsp;Value
-------|-----------------------|-----------------|-------------|---------------
| \-\-disableArchive | | Sets whether the Archive Analyzer will be used. | false
| \-\-zipExtensions | \<strings\> | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp;
@@ -30,7 +30,7 @@ Short | Argument Name | Parameter | Description | Default Value
| \-\-disableNuspec | | Sets whether or not the .NET Nuget Nuspec Analyzer will be used. | false
| \-\-disableAssembly | | Sets whether or not the .NET Assembly Analyzer should be used. | false
| \-\-pathToMono | \<path\> | The path to Mono for .NET Assembly analysis on non-windows systems. | &nbsp;
| \-\-proxyurl | \<url\> | The proxy url to use when downloading resources. | &nbsp;
| \-\-proxyserver | \<server\> | The proxy server to use when downloading resources. | &nbsp;
| \-\-proxyport | \<port\> | The proxy port to use when downloading resources. | &nbsp;
| \-\-connectiontimeout | \<timeout\> | The connection timeout (in milliseconds) to use when downloading resources. | &nbsp;
| \-\-proxypass | \<pass\> | The proxy password to use when downloading resources. | &nbsp;

26
dependency-check-core/pom.xml
View File

@@ -15,19 +15,19 @@ limitations under the License.
Copyright (c) 2012 Jeremy Long. All Rights Reserved.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.2.1</version>
<version>1.2.4</version>
</parent>
<artifactId>dependency-check-core</artifactId>
<packaging>jar</packaging>
<name>Dependency-Check Core</name>
<description>dependency-check-core is the engine and reporting tool used to identify and report if there are any known, publicly disclosed vulnerabilities in the scanned project's dependencies. The engine extracts meta-data from the dependencies and uses this to do fuzzy key-word matching against the Common Platfrom Enumeration (CPE), if any CPE identifiers are found the associated Common Vulnerability and Exposure (CVE) entries are added to the generated report.</description>
<!-- begin copy from http://minds.coremedia.com/2012/09/11/problem-solved-deploy-multi-module-maven-project-site-as-github-pages/ -->
<distributionManagement>
<site>
@@ -220,6 +220,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<name>data.directory</name>
<value>${project.build.directory}/data</value>
</property>
<property>
<name>temp.directory</name>
<value>${project.build.directory}/temp</value>
</property>
</systemProperties>
<includes>
<include>**/*IntegrationTest.java</include>
@@ -267,6 +272,9 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.9.1</version>
<configuration>
<bottom>Copyright© 2012-14 Jeremy Long. All Rights Reserved.</bottom>
</configuration>
<reportSets>
<reportSet>
<id>default</id>
@@ -399,6 +407,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
</plugins>
</build>
<dependencies>
<dependency>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-utils</artifactId>
<version>${project.parent.version}</version>
</dependency>
<dependency>
<groupId>org.apache.lucene</groupId>
<artifactId>lucene-test-framework</artifactId>
@@ -419,7 +432,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId>
<version>1.8</version>
<version>1.8.1</version>
</dependency>
<dependency>
<groupId>commons-io</groupId>
@@ -521,6 +534,13 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<scope>provided</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.0.0.RELEASE</version>
<scope>provided</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>com.hazelcast</groupId>
<artifactId>hazelcast</artifactId>

49
dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java
View File

@@ -13,7 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
* Copyright (c) 2014 Steve Springett. All Rights Reserved.
*/
package org.owasp.dependencycheck.agent;
@@ -234,26 +234,49 @@ public class DependencyCheckScanAgent {
}
/**
* The Proxy URL.
* The Proxy Server.
*/
private String proxyUrl;
private String proxyServer;
/**
* Get the value of proxyUrl.
* Get the value of proxyServer.
*
* @return the value of proxyUrl
* @return the value of proxyServer
*/
public String getProxyUrl() {
return proxyUrl;
public String getProxyServer() {
return proxyServer;
}
/**
* Set the value of proxyUrl.
* Set the value of proxyServer.
*
* @param proxyUrl new value of proxyUrl
* @param proxyServer new value of proxyServer
*/
public void setProxyServer(String proxyServer) {
this.proxyServer = proxyServer;
}
/**
* Get the value of proxyServer.
*
* @return the value of proxyServer
* @deprecated use {@link org.owasp.dependencycheck.agent.DependencyCheckScanAgent#getProxyServer()} instead
*/
@Deprecated
public String getProxyUrl() {
return proxyServer;
}
/**
* Set the value of proxyServer.
*
* @param proxyUrl new value of proxyServer
* @deprecated use {@link org.owasp.dependencycheck.agent.DependencyCheckScanAgent#setProxyServer(java.lang.String)
* } instead
*/
@Deprecated
public void setProxyUrl(String proxyUrl) {
this.proxyUrl = proxyUrl;
this.proxyServer = proxyUrl;
}
/**
@@ -792,7 +815,7 @@ public class DependencyCheckScanAgent {
/**
* Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system
* properties required to change the proxy url, port, and connection timeout.
* properties required to change the proxy server, port, and connection timeout.
*/
private void populateSettings() {
Settings.initialize();
@@ -808,8 +831,8 @@ public class DependencyCheckScanAgent {
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
if (proxyUrl != null && !proxyUrl.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);
if (proxyServer != null && !proxyServer.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_SERVER, proxyServer);
}
if (proxyPort != null && !proxyPort.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);

12
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
View File

@@ -98,11 +98,17 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
* @throws SuppressionParseException thrown if the XML cannot be parsed.
*/
private void loadSuppressionData() throws SuppressionParseException {
final SuppressionParser parser = new SuppressionParser();
File file = null;
try {
rules = parser.parseSuppressionRules(this.getClass().getClassLoader().getResourceAsStream("dependencycheck-base-suppression.xml"));
} catch (SuppressionParseException ex) {
LOGGER.log(Level.FINE, "Unable to parse the base suppression data file", ex);
}
final String suppressionFilePath = Settings.getString(Settings.KEYS.SUPPRESSION_FILE);
if (suppressionFilePath == null) {
return;
}
File file = null;
boolean deleteTempFile = false;
try {
final Pattern uriRx = Pattern.compile("^(https?|file)\\:.*", Pattern.CASE_INSENSITIVE);
@@ -132,9 +138,9 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
}
if (file != null) {
final SuppressionParser parser = new SuppressionParser();
try {
rules = parser.parseSuppressionRules(file);
//rules = parser.parseSuppressionRules(file);
rules.addAll(parser.parseSuppressionRules(file));
LOGGER.log(Level.FINE, rules.size() + " suppression rules were loaded.");
} catch (SuppressionParseException ex) {
final String msg = String.format("Unable to parse suppression xml file '%s'", file.getPath());

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
View File

@@ -242,7 +242,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
final File tdir = getNextTempDirectory();
final String fileName = dependency.getFileName();
LOGGER.info(String.format("The zip file '%s' appears to be a JAR file, making a deep copy and analyzing it as a JAR.", fileName));
LOGGER.info(String.format("The zip file '%s' appears to be a JAR file, making a copy and analyzing it as a JAR.", fileName));
final File tmpLoc = new File(tdir, fileName.substring(0, fileName.length() - 3) + "jar");
try {

4
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
View File

@@ -205,6 +205,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
grokAssemblyExe.deleteOnExit();
LOGGER.log(Level.FINE, "analyzer.AssemblyAnalyzer.grokassembly.deployed", grokAssemblyExe.getPath());
} catch (IOException ioe) {
this.setEnabled(false);
LOGGER.log(Level.WARNING, "analyzer.AssemblyAnalyzer.grokassembly.notdeployed", ioe.getMessage());
throw new AnalysisException("Could not extract GrokAssembly.exe", ioe);
} finally {
@@ -242,6 +243,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
LOGGER.warning("An error occurred with the .NET AssemblyAnalyzer, please see the log for more details.");
LOGGER.fine("GrokAssembly.exe is not working properly");
grokAssemblyExe = null;
this.setEnabled(false);
throw new AnalysisException("Could not execute .NET AssemblyAnalyzer");
}
} catch (Throwable e) {
@@ -250,6 +252,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
} else {
LOGGER.warning("analyzer.AssemblyAnalyzer.grokassembly.initialization.failed");
LOGGER.log(Level.FINE, "analyzer.AssemblyAnalyzer.grokassembly.initialization.message", e.getMessage());
this.setEnabled(false);
throw new AnalysisException("An error occured with the .NET AssemblyAnalyzer", e);
}
} finally {
@@ -261,7 +264,6 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
}
}
}
builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
}

1
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
View File

@@ -531,7 +531,6 @@ public class CPEAnalyzer implements Analyzer {
if (dbVer == null //special case, no version specified - everything is vulnerable
|| evVer.equals(dbVer)) { //yeah! exact match
//final String url = String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(vs.getName(), "UTF-8"));
final String url = String.format(NVD_SEARCH_URL, URLEncoder.encode(vs.getName(), "UTF-8"));
final IdentifierMatch match = new IdentifierMatch("cpe", vs.getName(), url, IdentifierConfidence.EXACT_MATCH, conf);
collected.add(match);

26
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
View File

@@ -161,11 +161,20 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
*/
public static final Pattern CORE_JAVA = Pattern.compile("^cpe:/a:(sun|oracle|ibm):(j2[ems]e|"
+ "java(_platform_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|"
+ "jdk|jre|jsf|jsse)($|:.*)");
+ "jdk|jre|jsse)($|:.*)");
/**
* Regex to identify core jsf libraries.
*/
public static final Pattern CORE_JAVA_JSF = Pattern.compile("^cpe:/a:(sun|oracle|ibm):jsf($|:.*)");
/**
* Regex to identify core java library files. This is currently incomplete.
*/
public static final Pattern CORE_FILES = Pattern.compile("^((alt[-])?rt|jsf[-].*|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$");
public static final Pattern CORE_FILES = Pattern.compile("(^|/)((alt[-])?rt|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$");
/**
* Regex to identify core jsf java library files. This is currently incomplete.
*/
public static final Pattern CORE_JSF_FILES = Pattern.compile("(^|/)jsf[-][^/]*\\.jar$");
/**
* Removes any CPE entries for the JDK/JRE unless the filename ends with rt.jar
@@ -182,6 +191,11 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
if (coreCPE.matches() && !coreFiles.matches()) {
itr.remove();
}
final Matcher coreJsfCPE = CORE_JAVA_JSF.matcher(i.getValue());
final Matcher coreJsfFiles = CORE_JSF_FILES.matcher(dependency.getFileName());
if (coreJsfCPE.matches() && !coreJsfFiles.matches()) {
itr.remove();
}
}
}
@@ -250,6 +264,14 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
|| dependency.getFileName().toLowerCase().endsWith(".dll")
|| dependency.getFileName().toLowerCase().endsWith(".exe"))) {
itr.remove();
} else if ((i.getValue().startsWith("cpe:/a:microsoft:excel")
|| i.getValue().startsWith("cpe:/a:microsoft:word")
|| i.getValue().startsWith("cpe:/a:microsoft:visio")
|| i.getValue().startsWith("cpe:/a:microsoft:powerpoint")
|| i.getValue().startsWith("cpe:/a:microsoft:office"))
&& (dependency.getFileName().toLowerCase().endsWith(".jar")
|| dependency.getFileName().toLowerCase().endsWith("pom.xml"))) {
itr.remove();
} else if (i.getValue().startsWith("cpe:/a:apache:maven")
&& !dependency.getFileName().toLowerCase().matches("maven-core-[\\d\\.]+\\.jar")) {
itr.remove();

177
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
View File

@@ -64,7 +64,6 @@ import org.owasp.dependencycheck.jaxb.pom.MavenNamespaceFilter;
import org.owasp.dependencycheck.jaxb.pom.generated.License;
import org.owasp.dependencycheck.jaxb.pom.generated.Model;
import org.owasp.dependencycheck.jaxb.pom.generated.Organization;
import org.owasp.dependencycheck.jaxb.pom.generated.Parent;
import org.owasp.dependencycheck.utils.FileUtils;
import org.owasp.dependencycheck.utils.NonClosingStream;
import org.owasp.dependencycheck.utils.Settings;
@@ -74,7 +73,6 @@ import org.xml.sax.XMLFilter;
import org.xml.sax.XMLReader;
/**
*
* Used to load a JAR file and collect information that can be used to determine the associated CPE.
*
* @author Jeremy Long <jeremy.long@owasp.org>
@@ -171,7 +169,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
*/
public JarAnalyzer() {
try {
final JAXBContext jaxbContext = JAXBContext.newInstance("org.owasp.dependencycheck.jaxb.pom.generated");
//final JAXBContext jaxbContext = JAXBContext.newInstance("org.owasp.dependencycheck.jaxb.pom.generated");
final JAXBContext jaxbContext = JAXBContext.newInstance(Model.class);
pomUnmarshaller = jaxbContext.createUnmarshaller();
} catch (JAXBException ex) { //guess we will just have a null pointer exception later...
LOGGER.log(Level.SEVERE, "Unable to load parser. See the log for more details.");
@@ -322,7 +321,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
newDependency.setFileName(displayName);
newDependency.setFilePath(displayPath);
addPomEvidence(newDependency, pom, pomProperties);
setPomEvidence(newDependency, pom, pomProperties, null);
engine.getDependencies().add(newDependency);
Collections.sort(engine.getDependencies());
} else {
@@ -346,16 +345,25 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
* @return a Properties object or null if no pom.properties was found
* @throws IOException thrown if there is an exception reading the pom.properties
*/
@edu.umd.cs.findbugs.annotations.SuppressWarnings(value = "OS_OPEN_STREAM",
justification = "The reader is closed by closing the zipEntry")
private Properties retrievePomProperties(String path, final JarFile jar) throws IOException {
Properties pomProperties = null;
final String propPath = path.substring(0, path.length() - 7) + "pom.properies";
final ZipEntry propEntry = jar.getEntry(propPath);
if (propEntry != null) {
final Reader reader = new InputStreamReader(jar.getInputStream(propEntry), "UTF-8");
pomProperties = new Properties();
pomProperties.load(reader);
Reader reader = null;
try {
reader = new InputStreamReader(jar.getInputStream(propEntry), "UTF-8");
pomProperties = new Properties();
pomProperties.load(reader);
} finally {
if (reader != null) {
try {
reader.close();
} catch (IOException ex) {
LOGGER.log(Level.FINEST, "close error", ex);
}
}
}
}
return pomProperties;
}
@@ -559,10 +567,21 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
*/
private boolean setPomEvidence(Dependency dependency, Model pom, Properties pomProperties, ArrayList<ClassNameInformation> classes) {
boolean foundSomething = false;
boolean addAsIdentifier = true;
if (pom == null) {
return foundSomething;
}
String groupid = interpolateString(pom.getGroupId(), pomProperties);
String parentGroupId = null;
if (pom.getParent() != null) {
parentGroupId = interpolateString(pom.getParent().getGroupId(), pomProperties);
if ((groupid == null || groupid.isEmpty()) && parentGroupId != null && !parentGroupId.isEmpty()) {
groupid = parentGroupId;
}
}
final String originalGroupID = groupid;
if (groupid != null && !groupid.isEmpty()) {
if (groupid.startsWith("org.") || groupid.startsWith("com.")) {
groupid = groupid.substring(4);
@@ -572,8 +591,26 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
dependency.getProductEvidence().addEvidence("pom", "groupid", groupid, Confidence.LOW);
addMatchingValues(classes, groupid, dependency.getVendorEvidence());
addMatchingValues(classes, groupid, dependency.getProductEvidence());
if (parentGroupId != null && !parentGroupId.isEmpty() && !parentGroupId.equals(groupid)) {
dependency.getVendorEvidence().addEvidence("pom", "parent-groupid", parentGroupId, Confidence.MEDIUM);
dependency.getProductEvidence().addEvidence("pom", "parent-groupid", parentGroupId, Confidence.LOW);
addMatchingValues(classes, parentGroupId, dependency.getVendorEvidence());
addMatchingValues(classes, parentGroupId, dependency.getProductEvidence());
}
} else {
addAsIdentifier = false;
}
String artifactid = interpolateString(pom.getArtifactId(), pomProperties);
String parentArtifactId = null;
if (pom.getParent() != null) {
parentArtifactId = interpolateString(pom.getParent().getArtifactId(), pomProperties);
if ((artifactid == null || artifactid.isEmpty()) && parentArtifactId != null && !parentArtifactId.isEmpty()) {
artifactid = parentArtifactId;
}
}
final String originalArtifactID = artifactid;
if (artifactid != null && !artifactid.isEmpty()) {
if (artifactid.startsWith("org.") || artifactid.startsWith("com.")) {
artifactid = artifactid.substring(4);
@@ -583,13 +620,40 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
dependency.getVendorEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.LOW);
addMatchingValues(classes, artifactid, dependency.getVendorEvidence());
addMatchingValues(classes, artifactid, dependency.getProductEvidence());
if (parentArtifactId != null && !parentArtifactId.isEmpty() && !parentArtifactId.equals(artifactid)) {
dependency.getProductEvidence().addEvidence("pom", "parent-artifactid", parentArtifactId, Confidence.MEDIUM);
dependency.getVendorEvidence().addEvidence("pom", "parent-artifactid", parentArtifactId, Confidence.LOW);
addMatchingValues(classes, parentArtifactId, dependency.getVendorEvidence());
addMatchingValues(classes, parentArtifactId, dependency.getProductEvidence());
}
} else {
addAsIdentifier = false;
}
//version
final String version = interpolateString(pom.getVersion(), pomProperties);
String version = interpolateString(pom.getVersion(), pomProperties);
String parentVersion = null;
if (pom.getParent() != null) {
parentVersion = interpolateString(pom.getParent().getVersion(), pomProperties);
if ((version == null || version.isEmpty()) && parentVersion != null && !parentVersion.isEmpty()) {
version = parentVersion;
}
}
if (version != null && !version.isEmpty()) {
foundSomething = true;
dependency.getVersionEvidence().addEvidence("pom", "version", version, Confidence.HIGHEST);
if (parentVersion != null && !parentVersion.isEmpty() && !parentVersion.equals(version)) {
dependency.getVersionEvidence().addEvidence("pom", "parent-version", version, Confidence.LOW);
}
} else {
addAsIdentifier = false;
}
if (addAsIdentifier) {
dependency.addIdentifier("maven", String.format("%s:%s:%s", originalGroupID, originalArtifactID, version), null, Confidence.LOW);
}
// org name
final Organization org = pom.getOrganization();
if (org != null && org.getName() != null) {
@@ -648,7 +712,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
//TODO remove weighting
vendor.addWeighting(entry.getKey());
if (addPackagesAsEvidence && entry.getKey().length() > 1) {
vendor.addEvidence("jar", "package", entry.getKey(), Confidence.LOW);
vendor.addEvidence("jar", "package name", entry.getKey(), Confidence.LOW);
}
}
}
@@ -657,7 +721,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
if (ratio > 0.5) {
product.addWeighting(entry.getKey());
if (addPackagesAsEvidence && entry.getKey().length() > 1) {
product.addEvidence("jar", "package", entry.getKey(), Confidence.LOW);
product.addEvidence("jar", "package name", entry.getKey(), Confidence.LOW);
}
}
}
@@ -1113,7 +1177,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
* @param evidence the evidence collection to add new entries too
*/
private void addMatchingValues(ArrayList<ClassNameInformation> classes, String value, EvidenceCollection evidence) {
if (value == null || value.isEmpty()) {
if (value == null || value.isEmpty() || classes == null || classes.isEmpty()) {
return;
}
final String text = value.toLowerCase();
@@ -1140,93 +1204,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
* Adds evidence from the POM to the dependency. This includes the GAV and in some situations the parent GAV if
* specified.
*
* @param dependency the dependency being analyzed
* @param pom the POM data
* @param pomProperties the properties file associated with the pom
*/
private void addPomEvidence(Dependency dependency, Model pom, Properties pomProperties) {
if (pom == null) {
return;
}
String groupid = interpolateString(pom.getGroupId(), pomProperties);
if (groupid != null && !groupid.isEmpty()) {
if (groupid.startsWith("org.") || groupid.startsWith("com.")) {
groupid = groupid.substring(4);
}
dependency.getVendorEvidence().addEvidence("pom", "groupid", groupid, Confidence.HIGH);
dependency.getProductEvidence().addEvidence("pom", "groupid", groupid, Confidence.LOW);
}
String artifactid = interpolateString(pom.getArtifactId(), pomProperties);
if (artifactid != null && !artifactid.isEmpty()) {
if (artifactid.startsWith("org.") || artifactid.startsWith("com.")) {
artifactid = artifactid.substring(4);
}
dependency.getProductEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.HIGH);
dependency.getVendorEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.LOW);
}
final String version = interpolateString(pom.getVersion(), pomProperties);
if (version != null && !version.isEmpty()) {
dependency.getVersionEvidence().addEvidence("pom", "version", version, Confidence.HIGHEST);
}
final Parent parent = pom.getParent(); //grab parent GAV
if (parent != null) {
final String parentGroupId = interpolateString(parent.getGroupId(), pomProperties);
if (parentGroupId != null && !parentGroupId.isEmpty()) {
if (groupid == null || groupid.isEmpty()) {
dependency.getVendorEvidence().addEvidence("pom", "parent.groupid", parentGroupId, Confidence.HIGH);
} else {
dependency.getVendorEvidence().addEvidence("pom", "parent.groupid", parentGroupId, Confidence.MEDIUM);
}
dependency.getProductEvidence().addEvidence("pom", "parent.groupid", parentGroupId, Confidence.LOW);
}
final String parentArtifactId = interpolateString(parent.getArtifactId(), pomProperties);
if (parentArtifactId != null && !parentArtifactId.isEmpty()) {
if (artifactid == null || artifactid.isEmpty()) {
dependency.getProductEvidence().addEvidence("pom", "parent.artifactid", parentArtifactId, Confidence.HIGH);
} else {
dependency.getProductEvidence().addEvidence("pom", "parent.artifactid", parentArtifactId, Confidence.MEDIUM);
}
dependency.getVendorEvidence().addEvidence("pom", "parent.artifactid", parentArtifactId, Confidence.LOW);
}
final String parentVersion = interpolateString(parent.getVersion(), pomProperties);
if (parentVersion != null && !parentVersion.isEmpty()) {
if (version == null || version.isEmpty()) {
dependency.getVersionEvidence().addEvidence("pom", "parent.version", parentVersion, Confidence.HIGH);
} else {
dependency.getVersionEvidence().addEvidence("pom", "parent.version", parentVersion, Confidence.LOW);
}
}
}
// org name
final Organization org = pom.getOrganization();
if (org != null && org.getName() != null) {
final String orgName = interpolateString(org.getName(), pomProperties);
if (orgName != null && !orgName.isEmpty()) {
dependency.getVendorEvidence().addEvidence("pom", "organization name", orgName, Confidence.HIGH);
}
}
//pom name
final String pomName = interpolateString(pom.getName(), pomProperties);
if (pomName != null && !pomName.isEmpty()) {
dependency.getProductEvidence().addEvidence("pom", "name", pomName, Confidence.HIGH);
dependency.getVendorEvidence().addEvidence("pom", "name", pomName, Confidence.HIGH);
}
//Description
if (pom.getDescription() != null) {
final String description = interpolateString(pom.getDescription(), pomProperties);
if (description != null && !description.isEmpty()) {
addDescription(dependency, description, "pom", "description");
}
}
extractLicense(pom, pomProperties, dependency);
}
/**
* Extracts the license information from the pom and adds it to the dependency.
*

14
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java
View File

@@ -30,6 +30,7 @@ import org.owasp.dependencycheck.data.nexus.MavenArtifact;
import org.owasp.dependencycheck.data.nexus.NexusSearch;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Identifier;
import org.owasp.dependencycheck.utils.Settings;
/**
@@ -161,7 +162,18 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
dependency.getVersionEvidence().addEvidence("nexus", "version", ma.getVersion(), Confidence.HIGH);
}
if (ma.getArtifactUrl() != null && !"".equals(ma.getArtifactUrl())) {
dependency.addIdentifier("maven", ma.toString(), ma.getArtifactUrl(), Confidence.HIGHEST);
boolean found = false;
for (Identifier i : dependency.getIdentifiers()) {
if ("maven".equals(i.getType()) && i.getValue().equals(ma.toString())) {
found = true;
i.setConfidence(Confidence.HIGHEST);
i.setUrl(ma.getArtifactUrl());
break;
}
}
if (!found) {
dependency.addIdentifier("maven", ma.toString(), ma.getArtifactUrl(), Confidence.HIGHEST);
}
}
} catch (IllegalArgumentException iae) {
//dependency.addAnalysisException(new AnalysisException("Invalid SHA-1"));

7
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/Fields.java
View File

@@ -22,7 +22,7 @@ package org.owasp.dependencycheck.data.cpe;
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public abstract class Fields {
public final class Fields {
/**
* The key for the name document id.
@@ -36,7 +36,10 @@ public abstract class Fields {
* The key for the product field.
*/
public static final String PRODUCT = "product";
/**
* The key for the version field.
* Private constructor as this is more of an enumeration rather then a full class.
*/
private Fields() {
}
}

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java
View File

@@ -64,7 +64,7 @@ public class NexusSearch {
public NexusSearch(URL rootURL) {
this.rootURL = rootURL;
try {
if (null != Settings.getString(Settings.KEYS.PROXY_URL)
if (null != Settings.getString(Settings.KEYS.PROXY_SERVER)
&& Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY)) {
useProxy = true;
LOGGER.fine("Using proxy");

54
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java
View File

@@ -42,6 +42,7 @@ import org.owasp.dependencycheck.utils.Settings;
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public final class ConnectionFactory {
/**
* The Logger.
*/
@@ -49,7 +50,7 @@ public final class ConnectionFactory {
/**
* The version of the current DB Schema.
*/
public static final String DB_SCHEMA_VERSION = "2.9";
public static final String DB_SCHEMA_VERSION = Settings.getString(Settings.KEYS.DB_VERSION);
/**
* Resource location for SQL file used to create the database schema.
*/
@@ -111,7 +112,10 @@ public final class ConnectionFactory {
//yes, yes - hard-coded password - only if there isn't one in the properties file.
password = Settings.getString(Settings.KEYS.DB_PASSWORD, "DC-Pass1337!");
try {
connectionString = getConnectionString();
connectionString = Settings.getConnectionString(
Settings.KEYS.DB_CONNECTION_STRING,
Settings.KEYS.DB_FILE_NAME,
Settings.KEYS.DB_VERSION);
} catch (IOException ex) {
LOGGER.log(Level.FINE,
"Unable to retrieve the database connection string", ex);
@@ -120,7 +124,7 @@ public final class ConnectionFactory {
boolean shouldCreateSchema = false;
try {
if (connectionString.startsWith("jdbc:h2:file:")) { //H2
shouldCreateSchema = !dbSchemaExists();
shouldCreateSchema = !h2DataFileExists();
LOGGER.log(Level.FINE, "Need to create DB Structure: {0}", shouldCreateSchema);
}
} catch (IOException ioex) {
@@ -217,51 +221,17 @@ public final class ConnectionFactory {
return conn;
}
/**
* Returns the configured connection string. If using the embedded H2 database this function will also ensure the
* data directory exists and if not create it.
*
* @return the connection string
* @throws IOException thrown the data directory cannot be created
*/
private static String getConnectionString() throws IOException {
final String connStr = Settings.getString(Settings.KEYS.DB_CONNECTION_STRING, "jdbc:h2:file:%s;AUTO_SERVER=TRUE");
if (connStr.contains("%s")) {
final String directory = getDataDirectory().getCanonicalPath();
final File dataFile = new File(directory, "cve." + DB_SCHEMA_VERSION);
LOGGER.log(Level.FINE, String.format("File path for H2 file: '%s'", dataFile.toString()));
return String.format(connStr, dataFile.getAbsolutePath());
}
return connStr;
}
/**
* Retrieves the directory that the JAR file exists in so that we can ensure we always use a common data directory
* for the embedded H2 database. This is public solely for some unit tests; otherwise this should be private.
*
* @return the data directory to store data files
* @throws IOException is thrown if an IOException occurs of course...
*/
public static File getDataDirectory() throws IOException {
final File path = Settings.getDataFile(Settings.KEYS.DATA_DIRECTORY);
if (!path.exists()) {
if (!path.mkdirs()) {
throw new IOException("Unable to create NVD CVE Data directory");
}
}
return path;
}
/**
* Determines if the H2 database file exists. If it does not exist then the data structure will need to be created.
*
* @return true if the H2 database file does not exist; otherwise false
* @throws IOException thrown if the data directory does not exist and cannot be created
*/
private static boolean dbSchemaExists() throws IOException {
final File dir = getDataDirectory();
final String name = String.format("cve.%s.h2.db", DB_SCHEMA_VERSION);
final File file = new File(dir, name);
private static boolean h2DataFileExists() throws IOException {
final File dir = Settings.getDataDirectory();
final String name = Settings.getString(Settings.KEYS.DB_FILE_NAME);
final String fileName = String.format(name, DB_SCHEMA_VERSION);
final File file = new File(dir, fileName);
return file.exists();
}

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
View File

@@ -248,6 +248,7 @@ public class CveDB {
/**
* SQL Statement to retrieve a property from the database.
*/
@SuppressWarnings("unused")
private static final String SELECT_PROPERTY = "SELECT id, value FROM properties WHERE id = ?";
/**
* SQL Statement to insert a new property.
@@ -260,6 +261,7 @@ public class CveDB {
/**
* SQL Statement to delete a property.
*/
@SuppressWarnings("unused")
private static final String DELETE_PROPERTY = "DELETE FROM properties WHERE id = ?";
//</editor-fold>

7
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
View File

@@ -22,6 +22,7 @@ import java.util.logging.Level;
import java.util.logging.Logger;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.owasp.dependencycheck.utils.DownloadFailedException;
import org.owasp.dependencycheck.utils.Settings;
/**
* Class responsible for updating the NVD CVE and CPE data stores.
@@ -54,7 +55,11 @@ public class NvdCveUpdater implements CachedWebDataSource {
LOGGER.log(Level.FINE, null, ex);
} catch (DownloadFailedException ex) {
LOGGER.log(Level.WARNING,
"Unable to download the NVD CVE data, unable to update the data to use the most current data.");
"Unable to download the NVD CVE data; the results may not include the most recent CPE/CVEs from the NVD.");
if (Settings.getString(Settings.KEYS.PROXY_SERVER) == null) {
LOGGER.log(Level.INFO,
"If you are behind a proxy you may need to configure dependency-check to use the proxy.");
}
LOGGER.log(Level.FINE, null, ex);
}
}

4
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java
View File

@@ -34,7 +34,7 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import static org.owasp.dependencycheck.data.nvdcve.DatabaseProperties.MODIFIED;
import org.owasp.dependencycheck.data.update.exception.InvalidDataException;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.owasp.dependencycheck.data.update.task.CallableDownloadTask;
import org.owasp.dependencycheck.data.update.task.DownloadTask;
import org.owasp.dependencycheck.data.update.task.ProcessTask;
import org.owasp.dependencycheck.utils.DownloadFailedException;
import org.owasp.dependencycheck.utils.InvalidSettingException;
@@ -122,7 +122,7 @@ public class StandardUpdate {
final Set<Future<Future<ProcessTask>>> downloadFutures = new HashSet<Future<Future<ProcessTask>>>(maxUpdates);
for (NvdCveInfo cve : updateable) {
if (cve.getNeedsUpdate()) {
final CallableDownloadTask call = new CallableDownloadTask(cve, processExecutor, cveDB, Settings.getInstance());
final DownloadTask call = new DownloadTask(cve, processExecutor, cveDB, Settings.getInstance());
downloadFutures.add(downloadExecutors.submit(call));
}
}

10
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/CallableDownloadTask.java → dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/DownloadTask.java
View File

@@ -37,12 +37,12 @@ import org.owasp.dependencycheck.utils.Settings;
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class CallableDownloadTask implements Callable<Future<ProcessTask>> {
public class DownloadTask implements Callable<Future<ProcessTask>> {
/**
* The Logger.
*/
private static final Logger LOGGER = Logger.getLogger(CallableDownloadTask.class.getName());
private static final Logger LOGGER = Logger.getLogger(DownloadTask.class.getName());
/**
* Simple constructor for the callable download task.
@@ -54,7 +54,7 @@ public class CallableDownloadTask implements Callable<Future<ProcessTask>> {
* the dependencies have a correct reference to the global settings.
* @throws UpdateException thrown if temporary files could not be created
*/
public CallableDownloadTask(NvdCveInfo nvdCveInfo, ExecutorService processor, CveDB cveDB, Settings settings) throws UpdateException {
public DownloadTask(NvdCveInfo nvdCveInfo, ExecutorService processor, CveDB cveDB, Settings settings) throws UpdateException {
this.nvdCveInfo = nvdCveInfo;
this.processorService = processor;
this.cveDB = cveDB;
@@ -188,6 +188,10 @@ public class CallableDownloadTask implements Callable<Future<ProcessTask>> {
} catch (DownloadFailedException ex) {
msg = String.format("Download Failed for NVD CVE - %s%nSome CVEs may not be reported.", nvdCveInfo.getId());
LOGGER.log(Level.WARNING, msg);
if (Settings.getString(Settings.KEYS.PROXY_SERVER) == null) {
LOGGER.log(Level.INFO,
"If you are behind a proxy you may need to configure dependency-check to use the proxy.");
}
LOGGER.log(Level.FINE, null, ex);
return null;
}

4
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/ProcessTask.java
View File

@@ -79,7 +79,7 @@ public class ProcessTask implements Callable<ProcessTask> {
/**
* A reference to the callable download task.
*/
private final CallableDownloadTask filePair;
private final DownloadTask filePair;
/**
* A reference to the properties.
*/
@@ -97,7 +97,7 @@ public class ProcessTask implements Callable<ProcessTask> {
* @param settings a reference to the global settings object; this is necessary so that when the thread is started
* the dependencies have a correct reference to the global settings.
*/
public ProcessTask(final CveDB cveDB, final CallableDownloadTask filePair, Settings settings) {
public ProcessTask(final CveDB cveDB, final DownloadTask filePair, Settings settings) {
this.cveDB = cveDB;
this.filePair = filePair;
this.properties = cveDB.getDatabaseProperties();

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/exception/ScanAgentException.java
View File

@@ -48,7 +48,7 @@ public class ScanAgentException extends IOException {
}
/**
* Creates a new NoDataException.
* Creates a new ScanAgentException.
*
* @param ex the cause of the exception.
*/

446
dependency-check-core/src/main/java/org/owasp/dependencycheck/jaxb/pom/generated/Model.java
View File

File diff suppressed because it is too large Load Diff

12
dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionHandler.java
View File

@@ -54,6 +54,10 @@ public class SuppressionHandler extends DefaultHandler {
* The CWE element name.
*/
public static final String CWE = "cwe";
/**
* The GAV element name.
*/
public static final String GAV = "gav";
/**
* The cvssBelow element name.
*/
@@ -95,13 +99,10 @@ public class SuppressionHandler extends DefaultHandler {
*/
@Override
public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
currentAttributes = null;
currentAttributes = attributes;
currentText = new StringBuffer();
if (SUPPRESS.equals(qName)) {
rule = new SuppressionRule();
} else if (FILE_PATH.equals(qName)) {
currentAttributes = attributes;
}
}
@@ -123,6 +124,9 @@ public class SuppressionHandler extends DefaultHandler {
rule.setFilePath(pt);
} else if (SHA1.equals(qName)) {
rule.setSha1(currentText.toString());
} else if (GAV.equals(qName)) {
final PropertyType pt = processPropertyType();
rule.setGav(pt);
} else if (CPE.equals(qName)) {
final PropertyType pt = processPropertyType();
rule.addCpe(pt);

28
dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionParser.java
View File

@@ -66,10 +66,35 @@ public class SuppressionParser {
* @throws SuppressionParseException thrown if the xml file cannot be parsed
*/
public List<SuppressionRule> parseSuppressionRules(File file) throws SuppressionParseException {
FileInputStream fis = null;
try {
fis = new FileInputStream(file);
return parseSuppressionRules(fis);
} catch (IOException ex) {
LOGGER.log(Level.FINE, null, ex);
throw new SuppressionParseException(ex);
} finally {
if (fis != null) {
try {
fis.close();
} catch (IOException ex) {
LOGGER.log(Level.FINE, "Unable to close stream", ex);
}
}
}
}
/**
* Parses the given xml stream and returns a list of the suppression rules contained.
*
* @param inputStream an InputStream containing suppression rues
* @return a list of suppression rules
* @throws SuppressionParseException if the xml cannot be parsed
*/
public List<SuppressionRule> parseSuppressionRules(InputStream inputStream) throws SuppressionParseException {
try {
final InputStream schemaStream = this.getClass().getClassLoader().getResourceAsStream("schema/suppression.xsd");
final SuppressionHandler handler = new SuppressionHandler();
final SAXParserFactory factory = SAXParserFactory.newInstance();
factory.setNamespaceAware(true);
factory.setValidating(true);
@@ -80,7 +105,6 @@ public class SuppressionParser {
xmlReader.setErrorHandler(new SuppressionErrorHandler());
xmlReader.setContentHandler(handler);
final InputStream inputStream = new FileInputStream(file);
final Reader reader = new InputStreamReader(inputStream, "UTF-8");
final InputSource in = new InputSource(reader);
//in.setEncoding("UTF-8");

127
dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionRule.java
View File

@@ -234,6 +234,37 @@ public class SuppressionRule {
public boolean hasCve() {
return cve.size() > 0;
}
/**
* A Maven GAV to suppression.
*/
private PropertyType gav = null;
/**
* Get the value of Maven GAV.
*
* @return the value of gav
*/
public PropertyType getGav() {
return gav;
}
/**
* Set the value of Maven GAV.
*
* @param gav new value of Maven gav
*/
public void setGav(PropertyType gav) {
this.gav = gav;
}
/**
* Returns whether or not this suppression rule as GAV entries.
*
* @return whether or not this suppression rule as GAV entries
*/
public boolean hasGav() {
return gav != null;
}
/**
* Processes a given dependency to determine if any CPE, CVE, CWE, or CVSS scores should be suppressed. If any
@@ -248,12 +279,27 @@ public class SuppressionRule {
if (sha1 != null && !sha1.equalsIgnoreCase(dependency.getSha1sum())) {
return;
}
if (gav != null) {
final Iterator<Identifier> itr = dependency.getIdentifiers().iterator();
boolean gavFound = false;
while (itr.hasNext()) {
final Identifier i = itr.next();
if (identifierMatches("maven", this.gav, i)) {
gavFound = true;
break;
}
}
if (!gavFound) {
return;
}
}
if (this.hasCpe()) {
final Iterator<Identifier> itr = dependency.getIdentifiers().iterator();
while (itr.hasNext()) {
final Identifier i = itr.next();
for (PropertyType c : this.cpe) {
if (cpeMatches(c, i)) {
if (identifierMatches("cpe", c, i)) {
dependency.addSuppressedIdentifier(i);
itr.remove();
break;
@@ -309,7 +355,7 @@ public class SuppressionRule {
boolean cpeHasNoVersion(PropertyType c) {
if (c.isRegex()) {
return false;
} // cpe:/a:jboss:jboss:1.0.0:
}
if (countCharacter(c.getValue(), ':') == 3) {
return true;
}
@@ -336,26 +382,75 @@ public class SuppressionRule {
/**
* Determines if the cpeEntry specified as a PropertyType matches the given Identifier.
*
* @param cpeEntry a suppression rule entry
* @param identifierType the type of identifier ("cpe", "maven", etc.)
* @param suppressionEntry a suppression rule entry
* @param identifier a CPE identifier to check
* @return true if the entry matches; otherwise false
*/
boolean cpeMatches(PropertyType cpeEntry, Identifier identifier) {
if (cpeEntry.matches(identifier.getValue())) {
return true;
} else if (cpeHasNoVersion(cpeEntry)) {
if (cpeEntry.isCaseSensitive()) {
if (identifier.getValue().startsWith(cpeEntry.getValue())) {
return true;
}
} else {
final String id = identifier.getValue().toLowerCase();
final String check = cpeEntry.getValue().toLowerCase();
if (id.startsWith(check)) {
return true;
boolean identifierMatches(String identifierType, PropertyType suppressionEntry, Identifier identifier) {
if (identifierType.equals(identifier.getType())) {
if (suppressionEntry.matches(identifier.getValue())) {
return true;
} else if ("cpe".equals(identifierType) && cpeHasNoVersion(suppressionEntry)) {
if (suppressionEntry.isCaseSensitive()) {
return identifier.getValue().startsWith(suppressionEntry.getValue());
} else {
final String id = identifier.getValue().toLowerCase();
final String check = suppressionEntry.getValue().toLowerCase();
return id.startsWith(check);
}
}
}
return false;
}
/**
* Standard toString implementation.
*
* @return a string representation of this object
*/
@Override
public String toString() {
final StringBuilder sb = new StringBuilder();
sb.append("SuppressionRule{");
if (filePath != null) {
sb.append("filePath=").append(filePath).append(",");
}
if (sha1 != null) {
sb.append("sha1=").append(sha1).append(",");
}
if (gav != null) {
sb.append("gav=").append(gav).append(",");
}
if (cpe != null && cpe.size() > 0) {
sb.append("cpe={");
for (PropertyType pt : cpe) {
sb.append(pt).append(",");
}
sb.append("}");
}
if (cwe != null && cwe.size() > 0) {
sb.append("cwe={");
for (String s : cwe) {
sb.append(s).append(",");
}
sb.append("}");
}
if (cve != null && cve.size() > 0) {
sb.append("cve={");
for (String s : cve) {
sb.append(s).append(",");
}
sb.append("}");
}
if (cvssBelow != null && cvssBelow.size() > 0) {
sb.append("cvssBelow={");
for (Float s : cvssBelow) {
sb.append(s).append(",");
}
sb.append("}");
}
sb.append("}");
return sb.toString();
}
}

147
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/ExtractionUtil.java Normal file
View File

@@ -0,0 +1,147 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2013 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.utils;
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import org.owasp.dependencycheck.Engine;
import static org.owasp.dependencycheck.utils.FileUtils.getFileExtension;
/**
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public final class ExtractionUtil {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(ExtractionUtil.class.getName());
/**
* The buffer size to use when extracting files from the archive.
*/
private static final int BUFFER_SIZE = 4096;
/**
* Private constructor for a utility class.
*/
private ExtractionUtil() {
}
/**
* Extracts the contents of an archive into the specified directory.
*
* @param archive an archive file such as a WAR or EAR
* @param extractTo a directory to extract the contents to
* @throws ExtractionException thrown if an exception occurs while extracting the files
*/
public static void extractFiles(File archive, File extractTo) throws ExtractionException {
extractFiles(archive, extractTo, null);
}
/**
* Extracts the contents of an archive into the specified directory. The files are only extracted if they are
* supported by the analyzers loaded into the specified engine. If the engine is specified as null then all files
* are extracted.
*
* @param archive an archive file such as a WAR or EAR
* @param extractTo a directory to extract the contents to
* @param engine the scanning engine
* @throws ExtractionException thrown if there is an error extracting the files
*/
public static void extractFiles(File archive, File extractTo, Engine engine) throws ExtractionException {
if (archive == null || extractTo == null) {
return;
}
FileInputStream fis = null;
ZipInputStream zis = null;
try {
fis = new FileInputStream(archive);
} catch (FileNotFoundException ex) {
LOGGER.log(Level.FINE, null, ex);
throw new ExtractionException("Archive file was not found.", ex);
}
zis = new ZipInputStream(new BufferedInputStream(fis));
ZipEntry entry;
try {
while ((entry = zis.getNextEntry()) != null) {
if (entry.isDirectory()) {
final File d = new File(extractTo, entry.getName());
if (!d.exists() && !d.mkdirs()) {
final String msg = String.format("Unable to create '%s'.", d.getAbsolutePath());
throw new ExtractionException(msg);
}
} else {
final File file = new File(extractTo, entry.getName());
final String ext = getFileExtension(file.getName());
if (engine == null || engine.supportsExtension(ext)) {
BufferedOutputStream bos = null;
FileOutputStream fos;
try {
fos = new FileOutputStream(file);
bos = new BufferedOutputStream(fos, BUFFER_SIZE);
int count;
final byte data[] = new byte[BUFFER_SIZE];
while ((count = zis.read(data, 0, BUFFER_SIZE)) != -1) {
bos.write(data, 0, count);
}
bos.flush();
} catch (FileNotFoundException ex) {
LOGGER.log(Level.FINE, null, ex);
final String msg = String.format("Unable to find file '%s'.", file.getName());
throw new ExtractionException(msg, ex);
} catch (IOException ex) {
LOGGER.log(Level.FINE, null, ex);
final String msg = String.format("IO Exception while parsing file '%s'.", file.getName());
throw new ExtractionException(msg, ex);
} finally {
if (bos != null) {
try {
bos.close();
} catch (IOException ex) {
LOGGER.log(Level.FINEST, null, ex);
}
}
}
}
}
}
} catch (IOException ex) {
final String msg = String.format("Exception reading archive '%s'.", archive.getName());
LOGGER.log(Level.FINE, msg, ex);
throw new ExtractionException(msg, ex);
} finally {
try {
zis.close();
} catch (IOException ex) {
LOGGER.log(Level.FINEST, null, ex);
}
}
}
}

BIN
dependency-check-core/src/main/resources/GrokAssembly.exe Executable file → Normal file
View File

Binary file not shown.

20
dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml Normal file
View File

@@ -0,0 +1,20 @@
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression">
<suppress>
<notes><![CDATA[
This suppresses false positives identified on spring security.
]]></notes>
<gav regex="true">org\.springframework\.security:spring.*</gav>
<cpe>cpe:/a:mod_security:mod_security</cpe>
<cpe>cpe:/a:springsource:spring_framework</cpe>
<cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
</suppress>
<suppress>
<notes><![CDATA[
This suppreses additional false positives for the xstream library that occur because spring has a copy of this library.
com.springsource.com.thoughtworks.xstream-1.3.1.jar
]]></notes>
<gav regex="true">com\.thoughtworks\.xstream:xstream:.*</gav>
<cpe>cpe:/a:springsource:spring_framework</cpe>
</suppress>
</suppressions>

2
dependency-check-core/src/main/resources/dependencycheck-resources.properties
View File

@@ -4,7 +4,7 @@ analyzer.AssemblyAnalyzer.notassembly={0} is not a .NET assembly or executable a
analyzer.AssemblyAnalyzer.grokassembly.rc=Return code {0} from GrokAssembly
analyzer.AssemblyAnalyzer.grokassembly.deployed=Extracted GrokAssembly.exe to {0}
analyzer.AssemblyAnalyzer.grokassembly.notdeployed=Could not extract GrokAssembly.exe: {0}
analyzer.AssemblyAnalyzer.grokassembly.initlization.failed=An error occurred with the .NET AssemblyAnalyzer; \
analyzer.AssemblyAnalyzer.grokassembly.initialization.failed=An error occurred with the .NET AssemblyAnalyzer; \
this can be ignored unless you are scanning .NET DLLs. Please see the log for more details.
analyzer.AssemblyAnalyzer.grokassembly.initialization.message=Could not execute GrokAssembly {0}
analyzer.AssemblyAnalyzer.grokassembly.notdeleted=Can't delete temporary GrokAssembly.exe

4
dependency-check-core/src/main/resources/dependencycheck.properties
View File

@@ -13,8 +13,10 @@ max.download.threads=3
# will not be used. The data.directory will be resolved and if the connection string
# below contains a %s then the data.directory will replace the %s.
data.directory=[JAR]/data
#if the filename has a %s it will be replaced with the current expected version
data.file_name=cve.%s.h2.db
data.version=2.9
data.connection_string=jdbc:h2:file:%s;FILE_LOCK=SERIALIZED;AUTOCOMMIT=ON;
#data.connection_string=jdbc:h2:file:%s;AUTO_SERVER=TRUE;AUTOCOMMIT=ON;
#data.connection_string=jdbc:mysql://localhost:3306/dependencycheck
# user name and password for the database connection. The inherent case is to use H2.

1
dependency-check-core/src/main/resources/schema/suppression.xsd
View File

@@ -41,6 +41,7 @@
<xs:choice minOccurs="0" maxOccurs="1">
<xs:element name="filePath" type="dc:regexStringType"/>
<xs:element name="sha1" type="dc:sha1Type"/>
<xs:element name="gav" type="dc:regexStringType"/>
</xs:choice>
<xs:choice minOccurs="0" maxOccurs="unbounded">
<xs:element name="cpe" type="dc:regexStringType"/>

134
dependency-check-core/src/main/resources/templates/HtmlReport.vsl
View File

@@ -84,13 +84,14 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
$('#modal-text').focus();
$('#modal-text').select();
}
function toggleDisplay(el, clzName) {
function toggleDisplay(el, clzName, all, some) {
$(clzName).toggle();
if (el.innerHTML == 'show all') {
el.innerHTML = 'less';
if (el.innerHTML == all) {
el.innerHTML = some;
} else {
el.innerHTML = 'show all';
el.innerHTML = all;
}
return false;
}
</script>
<style type="text/css">
@@ -427,15 +428,24 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
.indent {
margin-left:20px;
}
td, th {
td{
vertical-align:text-top;
padding:6px;
margin:0px;
}
th {
text-align:left
vertical-align:text-top;
padding:6px;
margin:0px;
border-bottom:1px;
border-color: black;
}
table {
border: 0px;
}
table.lined tr:nth-child(even) {
background-color: #fbfbfb;
background-color: #f3f3f3;
}
.fullwidth {
width:100%;
@@ -448,10 +458,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
margin-bottom:3px;
}
.vulnerable {
color: #f00;
}
.vulnerable li {
color: #000;
color: #000;
}
.notvulnerable {
display:none;
@@ -481,7 +488,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<div id="modal-content">
<div>Press CTR-C to copy XML&nbsp;<a href="http://jeremylong.github.io/DependencyCheck/suppression.html" class="infolink" target="_blank" title="Help with suppressing false positives">[help]</a></div>
<textarea id="modal-text" cols="50" rows="10"></textarea><br/>
<button id="modal-add-header" class="modal-button">Complete XML Doc</button><button id="modal-close" class="modal-button-right">Close</button>
<button id="modal-add-header" title="Add the parent XML nodes to create the complete XML file that can be used to suppress this finding" class="modal-button">Complete XML Doc</button><button id="modal-close" class="modal-button-right">Close</button>
</div>
<div class="wrapper">
<h1>Dependency-Check Report</h1>
@@ -513,7 +520,7 @@ arising out of or in connection with the use of this tool, the analysis performe
#set($vulnSuppressedCount=$vulnSuppressedCount+$dependency.getSuppressedVulnerabilities().size())
#end
#end
Scan Information (<a href="#" onclick="toggleDisplay(this, '.scaninfo'); return false;">show all</a>):<br/>
Scan Information (<a href="#" title="Click to toggle display" onclick="return toggleDisplay(this, '.scaninfo', 'show all', 'show less'); return false;">show all</a>):<br/>
<ul class="indent">
<li><i>dependency-check version</i>: $version</li>
<li><i>Report Generated On</i>: $scanDate</li>
@@ -526,23 +533,96 @@ arising out of or in connection with the use of this tool, the analysis performe
<li class="scaninfo hidden"><i>$enc.html($prop.key)</i>: $enc.html($prop.value)</li>
#end
</ul><br/>
Dependency Display:&nbsp;<a href="#" onclick="toggleDisplay(this,'.notvulnerable'); return false;">show all</a><br/><br/>
<ul class="indent">
Display:&nbsp;<a href="#" title="Click to toggle display" onclick="return toggleDisplay(this,'.notvulnerable', 'Showing Vulnerable Dependencies', 'Showing All Dependencies'); return false;">Showing Vulnerable Dependencies</a><br/><br/>
#set($lnkcnt=0)
#foreach($dependency in $dependencies)
<table class="lined">
<tr style="text-align:left">
<th title="The name of the dependency">Dependency</th>
<th title="The number of related dependencies">#&nbsp;Related</th>
<th title="The Common Platform Enumeration">CPE</th>
<th title="The Maven GAV Coordinates">GAV</th>
<th title="The highest CVE Impact">CVE&nbsp;Impact</th>
<th title="The number of Common Vulnerability and Exposure (CVE) entries">CVE&nbsp;Count</th>
<th title="The confidence rating dependency-check has for the identified CPE">CPE&nbsp;Confidence</th>
<th title="The count of evidence used to identify the CPE">Evidence&nbsp;Count</th>
</tr>
#foreach($dependency in $dependencies)
#set($lnkcnt=$lnkcnt+1)
<li class="#if($dependency.getVulnerabilities().size()==0)notvulnerable#else vulnerable#end">
<a href="#l${lnkcnt}_$enc.html($enc.url($dependency.Sha1sum))">$enc.html($dependency.DisplayFileName)</a>
#if($dependency.getRelatedDependencies().size()>0)
<ul>
#foreach($related in $dependency.getRelatedDependencies())
<li>$enc.html($related.DisplayFileName)</li>
<tr class="#if($dependency.getVulnerabilities().size()==0)notvulnerable#else vulnerable#end">
<td><a href="#l${lnkcnt}_$enc.html($enc.url($dependency.Sha1sum))">$enc.html($dependency.DisplayFileName)</a></td>
<td>$dependency.getRelatedDependencies().size()</td>
#set($mavenlink="")
#set($cpeIdCount=0)
#set($cpeIdConf="")
<td>
#foreach($id in $dependency.getIdentifiers())
#if ($id.type=="maven")
#if ($mavenlink=="" || !$mavenlink.url)
#set($mavenlink=$id)
#end
#else
#if ($cpeIdCount>=1)
<br/>
#end
#if( $id.url )
<a href="$enc.html($id.url)" target="_blank">$enc.html($id.value)</a>
#else
$enc.html($id.value)
#end
#if ($cpeIdConf == "")
#set($cpeIdConf=$id.confidence)
#elseif ($cpeIdConf.compareTo($id.confidence)>0)
#set($cpeIdConf=$id.confidence)
#end
#set($cpeIdCount=$cpeIdCount+1)
#end
#end
</ul>
</td>
<td>#if( $mavenlink.url )
##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here...
<a href="$enc.html($mavenlink.url)" target="_blank">$enc.html($mavenlink.value)</a>
#elseif ($mavenlink.value)
$enc.html($mavenlink.value)
#end</td>
#set($cveImpact=-1)
#foreach($vuln in $dependency.getVulnerabilities())
#if ($cveImpact<$vuln.cvssScore)
#set($cveImpact=$vuln.cvssScore)
#end
#end
<td>
#if ($cveImpact<0)
&nbsp;
#elseif ($cveImpact<4.0)
Low
#elseif ($cveImpact>=7.0)
High
#else
Medium
#end
</td>
<td>$dependency.getVulnerabilities().size()</td>
<td>$cpeIdConf</td>
<td>$dependency.getEvidenceForDisplay().size()</td>
</tr>
#end
</li>
#end
</ul>
</table>
## <ul class="indent">
## #set($lnkcnt=0)
## #foreach($dependency in $dependencies)
## #set($lnkcnt=$lnkcnt+1)
## <li class="#if($dependency.getVulnerabilities().size()==0)notvulnerable#else vulnerable#end">
## <a href="#l${lnkcnt}_$enc.html($enc.url($dependency.Sha1sum))">$enc.html($dependency.DisplayFileName)</a>
## #if($dependency.getRelatedDependencies().size()>0)
## <ul>
## #foreach($related in $dependency.getRelatedDependencies())
## <li>$enc.html($related.DisplayFileName)</li>
## #end
## </ul>
## #end
## </li>
## #end
## </ul>
<h2>Dependencies</h2>
#set($lnkcnt=0)
#set($cnt=0)
@@ -630,7 +710,7 @@ arising out of or in connection with the use of this tool, the analysis performe
#end
#if ($id.type=="cpe")
##yes, we are HTML Encoding into JavaScript... the escape utils don't have a JS Encode and I haven't written one yet
&nbsp;&nbsp;<button class="copybutton" onclick="copyText('$enc.html($dependency.FileNameForJavaScript)', '$enc.html($dependency.Sha1sum)', 'cpe', '$enc.html($id.value)')">suppress</button>
&nbsp;&nbsp;<button class="copybutton" title="Generate Suppression XML for this CPE for this file" onclick="copyText('$enc.html($dependency.FileNameForJavaScript)', '$enc.html($dependency.Sha1sum)', 'cpe', '$enc.html($id.value)')">suppress</button>
#end
#if ($id.description)
<br/>$enc.html($id.description)
@@ -646,7 +726,7 @@ arising out of or in connection with the use of this tool, the analysis performe
<div id="content$cnt" class="subsectioncontent standardsubsection">
#foreach($vuln in $dependency.getVulnerabilities())
#set($vsctr=$vsctr+1)
<p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$enc.url($vuln.name)">$enc.html($vuln.name)</a></b>&nbsp;&nbsp;<button class="copybutton" onclick="copyText('$enc.html($dependency.FileNameForJavaScript)', '$enc.html($dependency.Sha1sum)', 'cve', '$enc.html($vuln.name)')">suppress</button></p>
<p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$enc.url($vuln.name)">$enc.html($vuln.name)</a></b>&nbsp;&nbsp;<button class="copybutton" title="Generate Suppression XML for this CCE for this file" onclick="copyText('$enc.html($dependency.FileNameForJavaScript)', '$enc.html($dependency.Sha1sum)', 'cve', '$enc.html($vuln.name)')">suppress</button></p>
<p>Severity:
#if ($vuln.cvssScore<4.0)
Low

6
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzerTest.java
View File

@@ -34,8 +34,8 @@ import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
/**
* @author Jeremy Long <jeremy.long@owasp.org>
@@ -67,7 +67,7 @@ public class AbstractSuppressionAnalyzerTest extends BaseTest {
instance.initialize();
int expCount = 5;
List<SuppressionRule> result = instance.getRules();
assertEquals(expCount, result.size());
assertTrue(expCount <= result.size());
}
/**
@@ -79,7 +79,7 @@ public class AbstractSuppressionAnalyzerTest extends BaseTest {
instance.initialize();
int expCount = 5;
List<SuppressionRule> result = instance.getRules();
assertEquals(expCount, result.size());
assertTrue(expCount <= result.size());
}
@Test(expected = SuppressionParseException.class)

14
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java
View File

@@ -115,16 +115,13 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
FalsePositiveAnalyzer fp = new FalsePositiveAnalyzer();
fp.analyze(dep, null);
// for (Identifier i : dep.getIdentifiers()) {
// System.out.println(i.getValue());
// }
if (expResult != null) {
Identifier expIdentifier = new Identifier("cpe", expResult, expResult);
Assert.assertTrue("Incorrect match: { dep:'" + dep.getFileName() + "' }", dep.getIdentifiers().contains(expIdentifier));
} else if (dep.getIdentifiers().isEmpty()) {
Assert.assertTrue("Match found when an Identifier should not have been found: { dep:'" + dep.getFileName() + "' }", dep.getIdentifiers().isEmpty());
} else {
Assert.assertTrue("Match found when an Identifier should not have been found: { dep:'" + dep.getFileName() + "', identifier:'" + dep.getIdentifiers().iterator().next().getValue() + "' }", dep.getIdentifiers().isEmpty());
for (Identifier i : dep.getIdentifiers()) {
Assert.assertFalse(String.format("%s - found a CPE identifier when should have been none (found '%s')", dep.getFileName(), i.getValue()), "cpe".equals(i.getType()));
}
}
}
@@ -170,7 +167,10 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
String expResultSpring = "cpe:/a:springsource:spring_framework:2.5.5";
String expResultSpring3 = "cpe:/a:vmware:springsource_spring_framework:3.0.0";
Assert.assertTrue("Apache Common Validator - found an identifier?", commonValidator.getIdentifiers().isEmpty());
for (Identifier i : commonValidator.getIdentifiers()) {
Assert.assertFalse("Apache Common Validator - found a CPE identifier?", "cpe".equals(i.getType()));
}
Assert.assertTrue("Incorrect match size - struts", struts.getIdentifiers().size() >= 1);
Assert.assertTrue("Incorrect match - struts", struts.getIdentifiers().contains(expIdentifier));
Assert.assertTrue("Incorrect match size - spring3 - " + spring3.getIdentifiers().size(), spring3.getIdentifiers().size() >= 1);

2
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java
View File

@@ -85,7 +85,7 @@ public class HintAnalyzerTest extends BaseTest {
for (Dependency d : engine.getDependencies()) {
if (d.getActualFile().equals(guice)) {
gdep = d;
} else {
} else if (d.getActualFile().equals(spring)) {
sdep = d;
}
}

6
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/BaseDBTestCase.java
View File

@@ -45,8 +45,10 @@ public abstract class BaseDBTestCase extends BaseTest {
public static void ensureDBExists() throws Exception {
java.io.File dataPath = Settings.getDataFile(Settings.KEYS.DATA_DIRECTORY);
if (!dataPath.exists() || (dataPath.isDirectory() && dataPath.listFiles().length < 3)) {
java.io.File dataPath = Settings.getDataDirectory();
String fileName = String.format(Settings.getString(Settings.KEYS.DB_FILE_NAME), Settings.getString(Settings.KEYS.DB_VERSION));
java.io.File dataFile = new File(dataPath, fileName);
if (!dataPath.exists() || !dataFile.exists()) {
dataPath.mkdirs();
FileInputStream fis = null;
ZipInputStream zin = null;

78
dependency-check-core/src/test/java/org/owasp/dependencycheck/suppression/SuppressionRuleTest.java
View File

@@ -339,55 +339,70 @@ public class SuppressionRuleTest {
}
/**
* Test of cpeMatches method, of class SuppressionRule.
* Test of identifierMatches method, of class SuppressionRule.
*/
@Test
public void testCpeMatches() {
Identifier identifier = new Identifier("cwe", "cpe:/a:microsoft:.net_framework:4.5", "some url not needed for this test");
Identifier identifier = new Identifier("cpe", "cpe:/a:microsoft:.net_framework:4.5", "some url not needed for this test");
PropertyType cpe = new PropertyType();
cpe.setValue("cpe:/a:microsoft:.net_framework:4.5");
SuppressionRule instance = new SuppressionRule();
boolean expResult = true;
boolean result = instance.cpeMatches(cpe, identifier);
boolean result = instance.identifierMatches("cpe", cpe, identifier);
assertEquals(expResult, result);
cpe.setValue("cpe:/a:microsoft:.net_framework:4.0");
expResult = false;
result = instance.cpeMatches(cpe, identifier);
result = instance.identifierMatches("cpe", cpe, identifier);
assertEquals(expResult, result);
cpe.setValue("CPE:/a:microsoft:.net_framework:4.5");
cpe.setCaseSensitive(true);
expResult = false;
result = instance.cpeMatches(cpe, identifier);
result = instance.identifierMatches("cpe", cpe, identifier);
assertEquals(expResult, result);
cpe.setValue("cpe:/a:microsoft:.net_framework");
cpe.setCaseSensitive(false);
expResult = true;
result = instance.cpeMatches(cpe, identifier);
result = instance.identifierMatches("cpe", cpe, identifier);
assertEquals(expResult, result);
cpe.setValue("cpe:/a:microsoft:.*");
cpe.setRegex(true);
expResult = true;
result = instance.cpeMatches(cpe, identifier);
result = instance.identifierMatches("cpe", cpe, identifier);
assertEquals(expResult, result);
cpe.setValue("CPE:/a:microsoft:.*");
cpe.setRegex(true);
cpe.setCaseSensitive(true);
expResult = false;
result = instance.cpeMatches(cpe, identifier);
result = instance.identifierMatches("cpe", cpe, identifier);
assertEquals(expResult, result);
cpe.setValue("cpe:/a:apache:.*");
cpe.setRegex(true);
cpe.setCaseSensitive(false);
expResult = false;
result = instance.cpeMatches(cpe, identifier);
result = instance.identifierMatches("cpe", cpe, identifier);
assertEquals(expResult, result);
identifier = new Identifier("maven", "org.springframework:spring-core:2.5.5", "https://repository.sonatype.org/service/local/artifact/maven/redirect?r=central-proxy&g=org.springframework&a=spring-core&v=2.5.5&e=jar");
cpe.setValue("org.springframework:spring-core:2.5.5");
cpe.setRegex(false);
cpe.setCaseSensitive(false);
expResult = true;
result = instance.identifierMatches("maven", cpe, identifier);
assertEquals(expResult, result);
cpe.setValue("org\\.springframework\\.security:spring.*");
cpe.setRegex(true);
cpe.setCaseSensitive(false);
expResult = false;
result = instance.identifierMatches("maven", cpe, identifier);
assertEquals(expResult, result);
}
@@ -398,7 +413,7 @@ public class SuppressionRuleTest {
public void testProcess() {
File struts = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
Dependency dependency = new Dependency(struts);
dependency.addIdentifier("cwe", "cpe:/a:microsoft:.net_framework:4.5", "some url not needed for this test");
dependency.addIdentifier("cpe", "cpe:/a:microsoft:.net_framework:4.5", "some url not needed for this test");
String sha1 = dependency.getSha1sum();
dependency.setSha1sum("384FAA82E193D4E4B0546059CA09572654BC3970");
Vulnerability v = createVulnerability();
@@ -455,9 +470,9 @@ public class SuppressionRuleTest {
assertTrue(dependency.getIdentifiers().isEmpty());
assertTrue(dependency.getSuppressedIdentifiers().size() == 1);
dependency.addIdentifier("cwe", "cpe:/a:microsoft:.net_framework:4.0", "some url not needed for this test");
dependency.addIdentifier("cwe", "cpe:/a:microsoft:.net_framework:4.5", "some url not needed for this test");
dependency.addIdentifier("cwe", "cpe:/a:microsoft:.net_framework:5.0", "some url not needed for this test");
dependency.addIdentifier("cpe", "cpe:/a:microsoft:.net_framework:4.0", "some url not needed for this test");
dependency.addIdentifier("cpe", "cpe:/a:microsoft:.net_framework:4.5", "some url not needed for this test");
dependency.addIdentifier("cpe", "cpe:/a:microsoft:.net_framework:5.0", "some url not needed for this test");
pt = new PropertyType();
pt.setValue("cpe:/a:microsoft:.net_framework");
instance.addCpe(pt);
@@ -467,6 +482,43 @@ public class SuppressionRuleTest {
assertTrue(dependency.getSuppressedIdentifiers().size() == 3);
}
/**
* Test of process method, of class SuppressionRule.
*/
@Test
public void testProcessGAV() {
File spring = new File(this.getClass().getClassLoader().getResource("spring-security-web-3.0.0.RELEASE.jar").getPath());
Dependency dependency = new Dependency(spring);
dependency.addIdentifier("cpe", "cpe:/a:vmware:springsource_spring_framework:3.0.0", "some url not needed for this test");
dependency.addIdentifier("cpe", "cpe:/a:springsource:spring_framework:3.0.0", "some url not needed for this test");
dependency.addIdentifier("cpe", "cpe:/a:mod_security:mod_security:3.0.0", "some url not needed for this test");
dependency.addIdentifier("cpe", "cpe:/a:vmware:springsource_spring_security:3.0.0", "some url not needed for this test");
dependency.addIdentifier("maven", "org.springframework.security:spring-security-web:3.0.0.RELEASE", "some url not needed for this test");
//cpe
SuppressionRule instance = new SuppressionRule();
PropertyType pt = new PropertyType();
pt.setValue("org\\.springframework\\.security:spring.*");
pt.setRegex(true);
pt.setCaseSensitive(false);
instance.setGav(pt);
pt = new PropertyType();
pt.setValue("cpe:/a:mod_security:mod_security");
instance.addCpe(pt);
pt = new PropertyType();
pt.setValue("cpe:/a:springsource:spring_framework");
instance.addCpe(pt);
pt = new PropertyType();
pt.setValue("cpe:/a:vmware:springsource_spring_framework");
instance.addCpe(pt);
instance.process(dependency);
assertEquals(2, dependency.getIdentifiers().size());
}
private Vulnerability createVulnerability() {
Vulnerability v = new Vulnerability();
v.setCwe("CWE-287 Improper Authentication");

6
dependency-check-core/src/test/resources/dependencycheck.properties
View File

@@ -13,8 +13,12 @@ max.download.threads=3
# will not be used. The data.directory will be resolved and if the connection string
# below contains a %s then the data.directory will replace the %s.
data.directory=[JAR]/data
# if the filename has a %s it will be replaced with the current expected version. For file
# based databases the below filename will be added to the data directory above and then
# if the connection string has a %s it will be replaced by the directory/filename path.
data.file_name=cve.%s.h2.db
data.version=2.9
data.connection_string=jdbc:h2:file:%s;FILE_LOCK=SERIALIZED;AUTOCOMMIT=ON;
#data.connection_string=jdbc:h2:file:%s;AUTO_SERVER=TRUE;AUTOCOMMIT=ON;
#data.connection_string=jdbc:mysql://localhost:3306/dependencycheck
# user name and password for the database connection. The inherent case is to use H2.

27
dependency-check-jenkins/pom.xml
View File

@@ -1,17 +1,25 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<description>This plug-in can independently execute a Dependency-Check analysis and visualize the results.</description>
<url>http://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin</url>
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.2.1</version>
<version>1.2.4</version>
</parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-jenkins</artifactId>
<name>Dependency-Check Jenkins Plugin</name>
<url>http://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin</url>
<description>dependency-check-jenkins is a Jenkins plugin that runs dependency-check-core on a project to detect publicly disclosed vulnerabilities associated with the project's dependencies. The plugin will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries. This module is simply a placeholder and does not contain the actual plugin source code. The source code and distribution of the plugin is handled via https://github.com/jenkinsci/dependency-check-jenkins and Jenkin's plugin management.</description>
<!-- begin copy from http://minds.coremedia.com/2012/09/11/problem-solved-deploy-multi-module-maven-project-site-as-github-pages/ -->
<distributionManagement>
<site>
<id>github-pages-site</id>
<name>Deployment through GitHub's site deployment plugin</name>
<url>${basedir}/../target/site/${project.version}/dependency-check-jenkins</url>
</site>
</distributionManagement>
<!-- end copy -->
<packaging>pom</packaging>
<inceptionYear>2012</inceptionYear>
<organization>
@@ -31,15 +39,6 @@
</roles>
</developer>
</developers>
<!-- begin copy from http://minds.coremedia.com/2012/09/11/problem-solved-deploy-multi-module-maven-project-site-as-github-pages/ -->
<distributionManagement>
<site>
<id>github-pages-site</id>
<name>Deployment through GitHub's site deployment plugin</name>
<url>${basedir}/../target/site/${project.version}/dependency-check-maven</url>
</site>
</distributionManagement>
<!-- end copy -->
<scm>
<connection>scm:git:git@github.com:jenkinsci/dependency-check-jenkins.git</connection>
<url>https://github.com/jenkinsci/dependency-check-jenkins</url>

15
dependency-check-maven/pom.xml
View File

@@ -15,7 +15,6 @@ limitations under the License.
Copyright (c) 2013 Jeremy Long. All Rights Reserved.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<url>http://maven.apache.org</url>
@@ -23,14 +22,14 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.2.1</version>
<version>1.2.4</version>
</parent>
<artifactId>dependency-check-maven</artifactId>
<packaging>maven-plugin</packaging>
<name>Dependency-Check Maven Plugin</name>
<description>Dependency-Check-Maven is a Maven Plugin that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.</description>
<description>dependency-check-maven is a Maven Plugin that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the project's dependencies. The plugin will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.</description>
<inceptionYear>2013</inceptionYear>
<!-- begin copy from http://minds.coremedia.com/2012/09/11/problem-solved-deploy-multi-module-maven-project-site-as-github-pages/ -->
<distributionManagement>
@@ -150,6 +149,9 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.9.1</version>
<configuration>
<bottom>Copyright© 2012-14 Jeremy Long. All Rights Reserved.</bottom>
</configuration>
<reportSets>
<reportSet>
<id>default</id>
@@ -239,7 +241,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<linkXref>true</linkXref>
<sourceEncoding>utf-8</sourceEncoding>
<excludes>
<exclude>**/generated/*.java</exclude>
<exclude>**/generated/**/*.java</exclude>
<exclude>**/HelpMojo.java</exclude>
</excludes>
<rulesets>
@@ -277,6 +279,11 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<artifactId>dependency-check-core</artifactId>
<version>${project.parent.version}</version>
</dependency>
<dependency>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-utils</artifactId>
<version>${project.parent.version}</version>
</dependency>
<dependency>
<groupId>org.apache.maven</groupId>
<artifactId>maven-plugin-api</artifactId>

68
dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java
View File

@@ -147,15 +147,6 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
@SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
@Parameter(property = "externalReport", defaultValue = "false", required = true)
private boolean externalReport = false;
/**
* The Proxy URL.
*
* @deprecated Please use mavenSettings instead
*/
@SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
@Parameter(property = "proxyUrl", defaultValue = "", required = false)
@Deprecated
private String proxyUrl = null;
/**
* The maven settings.
@@ -171,33 +162,6 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
@Parameter(property = "mavenSettingsProxyId", required = false)
private String mavenSettingsProxyId;
/**
* The Proxy Port.
*
* @deprecated Please use mavenSettings instead
*/
@SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
@Parameter(property = "proxyPort", defaultValue = "", required = false)
@Deprecated
private String proxyPort = null;
/**
* The Proxy username.
*
* @deprecated Please use mavenSettings instead
*/
@SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
@Parameter(property = "proxyUsername", defaultValue = "", required = false)
@Deprecated
private String proxyUsername = null;
/**
* The Proxy password.
*
* @deprecated Please use mavenSettings instead
*/
@SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
@Parameter(property = "proxyPassword", defaultValue = "", required = false)
@Deprecated
private String proxyPassword = null;
/**
* The Connection Timeout.
*/
@@ -348,6 +312,16 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
@Parameter(property = "pathToMono", defaultValue = "", required = false)
private String pathToMono;
/**
* The Proxy URL.
*
* @deprecated Please use mavenSettings instead
*/
@SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
@Parameter(property = "proxyUrl", defaultValue = "", required = false)
@Deprecated
private String proxyUrl = null;
// </editor-fold>
/**
* Executes the Dependency-Check on the dependent libraries.
@@ -777,12 +751,12 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
// </editor-fold>
/**
* Returns the maven settings proxy url.
* Returns the maven settings proxy server.
*
* @param proxy the maven proxy
* @return the proxy url
*/
private String getMavenSettingsProxyUrl(Proxy proxy) {
private String getMavenSettingsProxyServer(Proxy proxy) {
return new StringBuilder(proxy.getProtocol()).append("://").append(proxy.getHost()).toString();
}
@@ -836,9 +810,13 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
if (proxyUrl != null && !proxyUrl.isEmpty()) {
logger.warning("Deprecated configuration detected, proxyUrl will be ignored; use the maven settings to configure the proxy instead");
}
final Proxy proxy = getMavenProxy();
if (proxy != null) {
Settings.setString(Settings.KEYS.PROXY_URL, getMavenSettingsProxyUrl(proxy));
Settings.setString(Settings.KEYS.PROXY_SERVER, getMavenSettingsProxyServer(proxy));
Settings.setString(Settings.KEYS.PROXY_PORT, Integer.toString(proxy.getPort()));
final String userName = proxy.getUsername();
final String password = proxy.getPassword();
@@ -848,18 +826,6 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
}
}
if (proxyUrl != null && !proxyUrl.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);
}
if (proxyPort != null && !proxyPort.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
}
if (proxyUsername != null && !proxyUsername.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_USERNAME, proxyUsername);
}
if (proxyPassword != null && !proxyPassword.isEmpty()) {
Settings.setString(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
}
if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
}

15
dependency-check-maven/src/site/markdown/configuration.md
View File

@@ -55,17 +55,6 @@ databaseUser | The username used when connecting to the database.
databasePassword | The password used when connecting to the database. | &nbsp;
Deprecated Configuration
Proxy Configuration
====================
The following properties have been deprecated. These can still be set in
the dependency-check-maven plugin's configuration. However, future versions
will remove these properties. Instead using these properties you should
use [Maven's settings](https://maven.apache.org/settings.html#Proxies) to
configure a proxy.
Property | Description | Default Value
---------------------|------------------------------------|------------------
proxyUrl | The Proxy URL. | &nbsp;
proxyPort | The Proxy Port. | &nbsp;
proxyUsername | Defines the proxy user name. | &nbsp;
proxyPassword | Defines the proxy password. | &nbsp;
Use [Maven's settings](https://maven.apache.org/settings.html#Proxies) to configure a proxy server.

283
dependency-check-utils/pom.xml Normal file
View File

@@ -0,0 +1,283 @@
<!--
This file is part of dependency-check-utils.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
-->
<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.2.4</version>
</parent>
<artifactId>dependency-check-utils</artifactId>
<name>Dependency-Check Utils</name>
<description>dependency-check-utils is a collection of common utlity classes used within dependency-check that might be useful in other projects.</description>
<!-- begin copy from http://minds.coremedia.com/2012/09/11/problem-solved-deploy-multi-module-maven-project-site-as-github-pages/ -->
<distributionManagement>
<site>
<id>github-pages-site</id>
<name>Deployment through GitHub's site deployment plugin</name>
<url>${basedir}/../target/site/${project.version}/dependency-check-utils</url>
</site>
</distributionManagement>
<!-- end copy -->
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
<build>
<plugins>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>2.6</version>
<configuration>
<instrumentation>
<ignoreTrivial>true</ignoreTrivial>
</instrumentation>
<check>
<branchRate>85</branchRate>
<lineRate>85</lineRate>
<haltOnFailure>false</haltOnFailure>
<totalBranchRate>85</totalBranchRate>
<totalLineRate>85</totalLineRate>
<packageLineRate>85</packageLineRate>
<packageBranchRate>85</packageBranchRate>
<regexes>
<regex>
<pattern>.*\$.*</pattern>
<branchRate>0</branchRate>
<lineRate>0</lineRate>
</regex>
</regexes>
</check>
</configuration>
<executions>
<execution>
<goals>
<goal>clean</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>2.16</version>
<configuration>
<systemProperties>
<property>
<name>temp.directory</name>
<value>${project.build.directory}/temp</value>
</property>
</systemProperties>
<excludes>
<exclude>**/*IntegrationTest.java</exclude>
</excludes>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-failsafe-plugin</artifactId>
<version>2.16</version>
<configuration>
<systemProperties>
<property>
<name>temp.directory</name>
<value>${project.build.directory}/temp</value>
</property>
</systemProperties>
<includes>
<include>**/*IntegrationTest.java</include>
</includes>
</configuration>
<executions>
<execution>
<goals>
<goal>integration-test</goal>
<goal>verify</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.1</version>
<configuration>
<showDeprecation>false</showDeprecation>
<source>1.6</source>
<target>1.6</target>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-site-plugin</artifactId>
<version>3.3</version>
<dependencies>
<dependency>
<groupId>org.apache.maven.doxia</groupId>
<artifactId>doxia-module-markdown</artifactId>
<version>1.5</version>
</dependency>
</dependencies>
<configuration>
<skipDeploy>true</skipDeploy>
<reportPlugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>2.7</version>
<reportSets>
<reportSet>
<reports>
<report>index</report>
<report>summary</report>
<report>license</report>
<report>help</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.9.1</version>
<configuration>
<bottom>Copyright© 2012-14 Jeremy Long. All Rights Reserved.</bottom>
</configuration>
<reportSets>
<reportSet>
<id>default</id>
<reports>
<report>javadoc</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>2.1</version>
<reportSets>
<reportSet>
<reports>
<report>dependency-updates-report</report>
<report>plugin-updates-report</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>2.4</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>2.6</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>2.16</version>
<reportSets>
<reportSet>
<reports>
<report>report-only</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
<version>2.4</version>
<configuration>
<tagListOptions>
<tagClasses>
<tagClass>
<displayName>Todo Work</displayName>
<tags>
<tag>
<matchString>todo</matchString>
<matchType>ignoreCase</matchType>
</tag>
<tag>
<matchString>FIXME</matchString>
<matchType>exact</matchType>
</tag>
</tags>
</tagClass>
</tagClasses>
</tagListOptions>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
<version>2.11</version>
<configuration>
<enableRulesSummary>false</enableRulesSummary>
<configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
<headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
<suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<version>3.0.1</version>
<configuration>
<targetJdk>1.6</targetJdk>
<linkXref>true</linkXref>
<sourceEncoding>utf-8</sourceEncoding>
<rulesets>
<ruleset>../src/main/config/dcrules.xml</ruleset>
<ruleset>/rulesets/java/basic.xml</ruleset>
<ruleset>/rulesets/java/imports.xml</ruleset>
<ruleset>/rulesets/java/unusedcode.xml</ruleset>
</rulesets>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>2.5.3</version>
</plugin>
</reportPlugins>
</configuration>
</plugin>
</plugins>
</build>
<dependencies>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.4</version>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.11</version>
<scope>test</scope>
</dependency>
</dependencies>
</project>

71
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Checksum.java → dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java
View File

@@ -1,9 +1,27 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.utils;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.MappedByteBuffer;
import java.nio.channels.FileChannel;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.logging.Level;
@@ -12,19 +30,16 @@ import java.util.logging.Logger;
/**
* Includes methods to generate the MD5 and SHA1 checksum.
*
* This code was copied from Real's How To. It has been slightly modified.
*
* Written and compiled by Réal Gagnon ©1998-2012
*
* @author Real's How To: http://www.rgagnon.com/javadetails/java-0416.html
* @author Jeremy Long <jeremy.long@owasp.org>
*
*/
public final class Checksum {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(Checksum.class.getName());
/**
* Private constructor for a utility class.
*/
@@ -32,30 +47,29 @@ public final class Checksum {
}
/**
* <p>Creates the cryptographic checksum of a given file using the specified
* algorithm.</p> <p>This algorithm was copied and heavily modified from
* Real's How To: http://www.rgagnon.com/javadetails/java-0416.html</p>
* <p>
* Creates the cryptographic checksum of a given file using the specified algorithm.</p>
*
* @param algorithm the algorithm to use to calculate the checksum
* @param file the file to calculate the checksum for
* @return the checksum
* @throws IOException when the file does not exist
* @throws NoSuchAlgorithmException when an algorithm is specified that does
* not exist
* @throws NoSuchAlgorithmException when an algorithm is specified that does not exist
*/
@SuppressWarnings("empty-statement")
public static byte[] getChecksum(String algorithm, File file) throws NoSuchAlgorithmException, IOException {
InputStream fis = null;
byte[] buffer = new byte[1024];
MessageDigest complete = MessageDigest.getInstance(algorithm);
int numRead;
MessageDigest digest = MessageDigest.getInstance(algorithm);
FileInputStream fis = null;
try {
fis = new FileInputStream(file);
do {
numRead = fis.read(buffer);
if (numRead > 0) {
complete.update(buffer, 0, numRead);
}
} while (numRead != -1);
FileChannel ch = fis.getChannel();
MappedByteBuffer byteBuffer = ch.map(FileChannel.MapMode.READ_ONLY, 0, file.length());
digest.update(byteBuffer);
// BufferedInputStream bis = new BufferedInputStream(fis);
// DigestInputStream dis = new DigestInputStream(bis, digest);
// //yes, we are reading in a buffer for performance reasons - 1 byte at a time is SLOW
// byte[] buffer = new byte[8192];
// while (dis.read(buffer) != -1);
} finally {
if (fis != null) {
try {
@@ -65,7 +79,7 @@ public final class Checksum {
}
}
}
return complete.digest();
return digest.digest();
}
/**
@@ -93,12 +107,17 @@ public final class Checksum {
byte[] b = getChecksum("SHA1", file);
return getHex(b);
}
/**
* Hex code characters used in getHex.
*/
private static final String HEXES = "0123456789ABCDEF";
/**
* <p>Converts a byte array into a hex string.</p>
* <p>
* Converts a byte array into a hex string.</p>
*
* <p>This method was copied from <a
* <p>
* This method was copied from <a
* href="http://www.rgagnon.com/javadetails/java-0596.html">http://www.rgagnon.com/javadetails/java-0596.html</a></p>
*
* @param raw a byte array
@@ -110,7 +129,7 @@ public final class Checksum {
}
final StringBuilder hex = new StringBuilder(2 * raw.length);
for (final byte b : raw) {
hex.append(HEXES.charAt((b & 0xF0) >> 4)).append(HEXES.charAt((b & 0x0F)));
hex.append(HEXES.charAt((b & 0xF0) >> 4)).append(HEXES.charAt(b & 0x0F));
}
return hex.toString();
}

0
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DownloadFailedException.java → dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/DownloadFailedException.java
View File

9
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Downloader.java → dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java
View File

@@ -166,7 +166,7 @@ public final class Downloader {
try {
lastModifiedFile = new File(url.toURI());
} catch (URISyntaxException ex) {
final String msg = String.format("Unable to locate '%s'; is the cve.url-2.0.modified property set correctly?", url.toString());
final String msg = String.format("Unable to locate '%s'", url.toString());
throw new DownloadFailedException(msg);
}
timestamp = lastModifiedFile.lastModified();
@@ -176,7 +176,12 @@ public final class Downloader {
conn = URLConnectionFactory.createHttpURLConnection(url);
conn.setRequestMethod("HEAD");
conn.connect();
timestamp = conn.getLastModified();
final int t = conn.getResponseCode();
if (t >= 200 && t < 300) {
timestamp = conn.getLastModified();
} else {
throw new DownloadFailedException("HEAD request returned a non-200 status code");
}
} catch (URLConnectionFailureException ex) {
throw new DownloadFailedException("Error creating URL Connection for HTTP HEAD request.", ex);
} catch (IOException ex) {

0
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/ExtractionException.java → dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/ExtractionException.java
View File

106
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/FileUtils.java → dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/FileUtils.java
View File

@@ -17,21 +17,13 @@
*/
package org.owasp.dependencycheck.utils;
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import org.owasp.dependencycheck.Engine;
/**
* A collection of utilities for processing information about files.
@@ -54,11 +46,6 @@ public final class FileUtils {
*/
private static final String BIT_BUCKET_WIN = "NUL";
/**
* The buffer size to use when extracting files from the archive.
*/
private static final int BUFFER_SIZE = 4096;
/**
* Private constructor for a utility class.
*/
@@ -155,99 +142,6 @@ public final class FileUtils {
return jarPath.getParentFile();
}
/**
* Extracts the contents of an archive into the specified directory.
*
* @param archive an archive file such as a WAR or EAR
* @param extractTo a directory to extract the contents to
* @throws ExtractionException thrown if an exception occurs while extracting the files
*/
public static void extractFiles(File archive, File extractTo) throws ExtractionException {
extractFiles(archive, extractTo, null);
}
/**
* Extracts the contents of an archive into the specified directory. The files are only extracted if they are
* supported by the analyzers loaded into the specified engine. If the engine is specified as null then all files
* are extracted.
*
* @param archive an archive file such as a WAR or EAR
* @param extractTo a directory to extract the contents to
* @param engine the scanning engine
* @throws ExtractionException thrown if there is an error extracting the files
*/
public static void extractFiles(File archive, File extractTo, Engine engine) throws ExtractionException {
if (archive == null || extractTo == null) {
return;
}
FileInputStream fis = null;
ZipInputStream zis = null;
try {
fis = new FileInputStream(archive);
} catch (FileNotFoundException ex) {
LOGGER.log(Level.FINE, null, ex);
throw new ExtractionException("Archive file was not found.", ex);
}
zis = new ZipInputStream(new BufferedInputStream(fis));
ZipEntry entry;
try {
while ((entry = zis.getNextEntry()) != null) {
if (entry.isDirectory()) {
final File d = new File(extractTo, entry.getName());
if (!d.exists() && !d.mkdirs()) {
final String msg = String.format("Unable to create '%s'.", d.getAbsolutePath());
throw new ExtractionException(msg);
}
} else {
final File file = new File(extractTo, entry.getName());
final String ext = getFileExtension(file.getName());
if (engine == null || engine.supportsExtension(ext)) {
BufferedOutputStream bos = null;
FileOutputStream fos;
try {
fos = new FileOutputStream(file);
bos = new BufferedOutputStream(fos, BUFFER_SIZE);
int count;
final byte data[] = new byte[BUFFER_SIZE];
while ((count = zis.read(data, 0, BUFFER_SIZE)) != -1) {
bos.write(data, 0, count);
}
bos.flush();
} catch (FileNotFoundException ex) {
LOGGER.log(Level.FINE, null, ex);
final String msg = String.format("Unable to find file '%s'.", file.getName());
throw new ExtractionException(msg, ex);
} catch (IOException ex) {
LOGGER.log(Level.FINE, null, ex);
final String msg = String.format("IO Exception while parsing file '%s'.", file.getName());
throw new ExtractionException(msg, ex);
} finally {
if (bos != null) {
try {
bos.close();
} catch (IOException ex) {
LOGGER.log(Level.FINEST, null, ex);
}
}
}
}
}
}
} catch (IOException ex) {
final String msg = String.format("Exception reading archive '%s'.", archive.getName());
LOGGER.log(Level.FINE, msg, ex);
throw new ExtractionException(msg, ex);
} finally {
try {
zis.close();
} catch (IOException ex) {
LOGGER.log(Level.FINEST, null, ex);
}
}
}
/**
* Return the bit bucket for the OS. '/dev/null' for Unix and 'NUL' for Windows
*

0
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/InvalidSettingException.java → dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/InvalidSettingException.java
View File

0
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/LogFilter.java → dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/LogFilter.java
View File

18
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/LogUtils.java → dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/LogUtils.java
View File

@@ -53,20 +53,24 @@ public final class LogUtils {
try {
LogManager.getLogManager().reset();
LogManager.getLogManager().readConfiguration(in);
if (verboseLogFile != null && !verboseLogFile.isEmpty()) {
verboseLoggingEnabled = true;
final Logger logger = Logger.getLogger("");
final FileHandler handler = new FileHandler(verboseLogFile, true);
handler.setFormatter(new SimpleFormatter());
handler.setLevel(Level.FINE);
handler.setFilter(new LogFilter());
logger.addHandler(handler);
final FileHandler fileHandler = new FileHandler(verboseLogFile, true);
fileHandler.setFormatter(new SimpleFormatter());
fileHandler.setLevel(Level.FINE);
fileHandler.setFilter(new LogFilter());
logger.addHandler(fileHandler);
logger.setLevel(Level.FINE);
}
} catch (IOException ex) {
LOGGER.log(Level.FINE, "IO Error preparing the logger", ex);
LOGGER.log(Level.WARNING, "IO Error preparing the logger", ex);
} catch (SecurityException ex) {
LOGGER.log(Level.FINE, "Error preparing the logger", ex);
LOGGER.log(Level.WARNING, "Error preparing the logger", ex);
} catch (Throwable ex) {
LOGGER.log(Level.WARNING, "Error preparing the logger", ex);
} finally {
if (in != null) {
try {

171
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java → dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
View File

@@ -78,6 +78,14 @@ public final class Settings {
* The base path to use for the data directory (for embedded db).
*/
public static final String DATA_DIRECTORY = "data.directory";
/**
* The database file name.
*/
public static final String DB_FILE_NAME = "data.file_name";
/**
* The database schema version.
*/
public static final String DB_VERSION = "data.version";
/**
* The properties key for the URL to retrieve the "meta" data from about the CVE entries.
*/
@@ -97,7 +105,7 @@ public final class Settings {
*/
public static final String CVE_MODIFIED_VALID_FOR_DAYS = "cve.url.modified.validfordays";
/**
* The properties key for the telling us how many cvr.url.* URLs exists. This is used in combination with
* The properties key for the telling us how many cve.url.* URLs exists. This is used in combination with
* CVE_BASE_URL to be able to retrieve the URLs for all of the files that make up the NVD CVE listing.
*/
public static final String CVE_START_YEAR = "cve.startyear";
@@ -110,9 +118,16 @@ public final class Settings {
*/
public static final String CVE_SCHEMA_2_0 = "cve.url-2.0.base";
/**
* The properties key for the proxy url.
* The properties key for the proxy server.
*
* @deprecated use {@link org.owasp.dependencycheck.utils.Settings.KEYS#PROXY_SERVER} instead.
*/
public static final String PROXY_URL = "proxy.url";
@Deprecated
public static final String PROXY_URL = "proxy.server";
/**
* The properties key for the proxy server.
*/
public static final String PROXY_SERVER = "proxy.server";
/**
* The properties key for the proxy port - this must be an integer value.
*/
@@ -193,6 +208,28 @@ public final class Settings {
* The properties key for whether Provided Scope dependencies should be skipped.
*/
public static final String SKIP_PROVIDED_SCOPE = "skip.provided.scope";
/**
* The key to obtain the path to the VFEED data file.
*/
public static final String VFEED_DATA_FILE = "vfeed.data_file";
/**
* The key to obtain the VFEED connection string.
*/
public static final String VFEED_CONNECTION_STRING = "vfeed.connection_string";
/**
* The key to obtain the base download URL for the VFeed data file.
*/
public static final String VFEED_DOWNLOAD_URL = "vfeed.download_url";
/**
* The key to obtain the download file name for the VFeed data.
*/
public static final String VFEED_DOWNLOAD_FILE = "vfeed.download_file";
/**
* The key to obtain the VFeed update status.
*/
public static final String VFEED_UPDATE_STATUS = "vfeed.update_status";
}
//</editor-fold>
@@ -215,12 +252,14 @@ public final class Settings {
/**
* Private constructor for the Settings class. This class loads the properties files.
*
* @param propertiesFilePath the path to the base properties file to load
*/
private Settings() {
private Settings(String propertiesFilePath) {
InputStream in = null;
props = new Properties();
try {
in = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
in = this.getClass().getClassLoader().getResourceAsStream(propertiesFilePath);
props.load(in);
} catch (IOException ex) {
LOGGER.log(Level.SEVERE, "Unable to load default settings.");
@@ -242,7 +281,25 @@ public final class Settings {
* However, you must also call Settings.cleanup() to properly release resources.
*/
public static void initialize() {
localSettings.set(new Settings());
localSettings.set(new Settings(PROPERTIES_FILE));
}
/**
* Initializes the thread local settings object. Note, to use the settings object you must call this method.
* However, you must also call Settings.cleanup() to properly release resources.
*
* @param propertiesFilePath the path to the base properties file to load
*/
public static void initialize(String propertiesFilePath) {
localSettings.set(new Settings(propertiesFilePath));
}
/**
* Cleans up resources to prevent memory leaks.
*
*/
public static void cleanup() {
cleanup(true);
}
/**
@@ -355,8 +412,19 @@ public final class Settings {
* @throws IOException is thrown when there is an exception loading/merging the properties
*/
public static void mergeProperties(File filePath) throws FileNotFoundException, IOException {
final FileInputStream fis = new FileInputStream(filePath);
mergeProperties(fis);
FileInputStream fis = null;
try {
fis = new FileInputStream(filePath);
mergeProperties(fis);
} finally {
if (fis != null) {
try {
fis.close();
} catch (IOException ex) {
LOGGER.log(Level.FINEST, "close error", ex);
}
}
}
}
/**
@@ -369,8 +437,19 @@ public final class Settings {
* @throws IOException is thrown when there is an exception loading/merging the properties
*/
public static void mergeProperties(String filePath) throws FileNotFoundException, IOException {
final FileInputStream fis = new FileInputStream(filePath);
mergeProperties(fis);
FileInputStream fis = null;
try {
fis = new FileInputStream(filePath);
mergeProperties(fis);
} finally {
if (fis != null) {
try {
fis.close();
} catch (IOException ex) {
LOGGER.log(Level.FINEST, "close error", ex);
}
}
}
}
/**
@@ -414,7 +493,7 @@ public final class Settings {
* @param key the key to lookup within the properties file
* @return the property from the properties file converted to a File object
*/
public static File getDataFile(String key) {
protected static File getDataFile(String key) {
final String file = getString(key);
LOGGER.log(Level.FINE, String.format("Settings.getDataFile() - file: '%s'", file));
if (file == null) {
@@ -614,4 +693,74 @@ public final class Settings {
}
return value;
}
/**
* Returns a connection string from the configured properties. If the connection string contains a %s, this method
* will determine the 'data' directory and replace the %s with the path to the data directory. If the data directory
* does not exists it will be created.
*
* @param connectionStringKey the property file key for the connection string
* @param dbFileNameKey the settings key for the db filename
* @param dbVersionKey the settings key for the dbVersion
* @return the connection string
* @throws IOException thrown the data directory cannot be created
* @throws InvalidSettingException thrown if there is an invalid setting
*/
public static String getConnectionString(String connectionStringKey, String dbFileNameKey, String dbVersionKey)
throws IOException, InvalidSettingException {
final String connStr = Settings.getString(connectionStringKey);
if (connStr == null) {
final String msg = String.format("Invalid properties file to get the connection string; '%s' must be defined.",
connectionStringKey);
throw new InvalidSettingException(msg);
}
if (connStr.contains("%s")) {
final File directory = getDataDirectory();
String fileName = null;
if (dbFileNameKey != null) {
fileName = Settings.getString(dbFileNameKey);
}
if (fileName == null) {
final String msg = String.format("Invalid properties file to get a file based connection string; '%s' must be defined.",
dbFileNameKey);
throw new InvalidSettingException(msg);
}
if (fileName.contains("%s")) {
String version = null;
if (dbVersionKey != null) {
version = Settings.getString(dbVersionKey);
}
if (version == null) {
final String msg = String.format("Invalid properties file to get a file based connection string; '%s' must be defined.",
dbFileNameKey);
throw new InvalidSettingException(msg);
}
fileName = String.format(fileName, version);
}
if (connStr.startsWith("jdbc:h2:file:") && fileName.endsWith(".h2.db")) {
fileName = fileName.substring(0, fileName.length() - 6);
}
// yes, for H2 this path won't actually exists - but this is sufficient to get the value needed
final File dbFile = new File(directory, fileName);
final String cString = String.format(connStr, dbFile.getCanonicalPath());
LOGGER.log(Level.FINE, String.format("Connection String: '%s'", cString));
return cString;
}
return connStr;
}
/**
* Retrieves the directory that the JAR file exists in so that we can ensure we always use a common data directory
* for the embedded H2 database. This is public solely for some unit tests; otherwise this should be private.
*
* @return the data directory to store data files
* @throws IOException is thrown if an IOException occurs of course...
*/
public static File getDataDirectory() throws IOException {
final File path = Settings.getDataFile(Settings.KEYS.DATA_DIRECTORY);
if (path.exists() || path.mkdirs()) {
return path;
}
throw new IOException(String.format("Unable to create the data directory '%s'", path.getAbsolutePath()));
}
}

6
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java → dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java
View File

@@ -50,8 +50,8 @@ public final class URLConnectionFactory {
*/
public static HttpURLConnection createHttpURLConnection(URL url) throws URLConnectionFailureException {
HttpURLConnection conn = null;
Proxy proxy = null;
final String proxyUrl = Settings.getString(Settings.KEYS.PROXY_URL);
Proxy proxy;
final String proxyUrl = Settings.getString(Settings.KEYS.PROXY_SERVER);
try {
if (proxyUrl != null) {
final int proxyPort = Settings.getInt(Settings.KEYS.PROXY_PORT);
@@ -96,7 +96,7 @@ public final class URLConnectionFactory {
* Utility method to create an HttpURLConnection. The use of a proxy here is optional as there may be cases where a
* proxy is configured but we don't want to use it (for example, if there's an internal repository configured)
*
* @param url the url to connect to
* @param url the URL to connect to
* @param proxy whether to use the proxy (if configured)
* @return a newly constructed HttpURLConnection
* @throws URLConnectionFailureException thrown if there is an exception

0
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFailureException.java → dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFailureException.java
View File

11
dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/package-info.java Normal file
View File

@@ -0,0 +1,11 @@
/**
* <html>
* <head>
* <title>org.owasp.dependencycheck.utils</title>
* </head>
* <body>
* Includes various utility classes such as a Settings wrapper, utilities to make URL Connections, etc.
* </body>
* </html>
*/
package org.owasp.dependencycheck.utils;

30
dependency-check-utils/src/site/site.xml Normal file
View File

@@ -0,0 +1,30 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<!--
This file is part of dependency-check-ant.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Copyright (c) 2014 Jeremy Long. All Rights Reserved.
-->
<project name="dependency-check-ant">
<bannerLeft>
<name>dependency-check-utils</name>
</bannerLeft>
<body>
<breadcrumbs>
<item name="dependency-check" href="../index.html"/>
</breadcrumbs>
<menu ref="Project Documentation" />
<menu ref="reports" />
</body>
</project>

36
dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/BaseTest.java Normal file
View File

@@ -0,0 +1,36 @@
/*
* Copyright 2014 OWASP.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.owasp.dependencycheck.utils;
import org.junit.AfterClass;
import org.junit.BeforeClass;
/**
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class BaseTest {
@BeforeClass
public static void setUpClass() throws Exception {
Settings.initialize();
}
@AfterClass
public static void tearDownClass() throws Exception {
Settings.cleanup(true);
}
}

2
dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/ChecksumTest.java → dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/ChecksumTest.java
View File

@@ -26,6 +26,8 @@ import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.utils.Checksum;
import org.owasp.dependencycheck.utils.Checksum;
/**
*

3
dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/DownloaderIntegrationTest.java → dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/DownloaderIntegrationTest.java
View File

@@ -21,7 +21,6 @@ import java.io.File;
import java.net.URL;
import static org.junit.Assert.assertTrue;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
/**
*
@@ -39,7 +38,7 @@ public class DownloaderIntegrationTest extends BaseTest {
// Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, "1000");
// Settings.setString(Settings.KEYS.PROXY_PORT, "8080");
// Settings.setString(Settings.KEYS.PROXY_URL, "127.0.0.1");
// Settings.setString(Settings.KEYS.PROXY_SERVER, "127.0.0.1");
URL url = new URL(Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL));
File outputPath = new File("target/downloaded_cve.xml");
Downloader.fetchFile(url, outputPath);

23
dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/DownloaderTest.java → dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/DownloaderTest.java
View File

@@ -19,12 +19,9 @@ package org.owasp.dependencycheck.utils;
import java.io.File;
import java.net.URL;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.utils.Downloader;
/**
*
@@ -32,25 +29,9 @@ import org.junit.Test;
*/
public class DownloaderTest {
@BeforeClass
public static void setUpClass() throws Exception {
}
@AfterClass
public static void tearDownClass() throws Exception {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
@Test
public void testGetLastModified_file() throws Exception {
File f = new File("target/test-classes/nvdcve-2.0-2012.xml");
File f = new File("target/test-classes/dependencycheck.properties");
URL url = new URL("file:///" + f.getCanonicalPath());
long timestamp = Downloader.getLastModified(url);
assertTrue("timestamp equal to zero?", timestamp > 0);

1
dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/FileUtilsTest.java → dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/FileUtilsTest.java
View File

@@ -23,7 +23,6 @@ import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
/**
*

32
dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/SettingsTest.java → dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/SettingsTest.java
View File

@@ -22,7 +22,6 @@ import java.io.IOException;
import java.net.URISyntaxException;
import org.junit.Assert;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
/**
*
@@ -158,4 +157,35 @@ public class SettingsTest extends BaseTest {
ret = Settings.getString(key, dfault);
Assert.assertEquals(dfault, ret);
}
/**
* Test of getConnectionString.
*/
@Test
public void testGetConnectionString() throws Exception {
String value = Settings.getConnectionString(Settings.KEYS.DB_CONNECTION_STRING, Settings.KEYS.DB_FILE_NAME, Settings.KEYS.DB_VERSION);
Assert.assertNotNull(value);
String msg = null;
try {
value = Settings.getConnectionString(Settings.KEYS.DB_CONNECTION_STRING, Settings.KEYS.DB_FILE_NAME, null);
} catch (InvalidSettingException e) {
msg = e.getMessage();
}
Assert.assertNotNull(msg, msg);
try {
value = Settings.getConnectionString("invalidKey", null, null);
} catch (InvalidSettingException e) {
msg = e.getMessage();
}
Assert.assertNotNull(msg, msg);
}
/**
* Test of getTempDirectory.
*/
@Test
public void testGetTempDirectory() throws Exception {
File tmp = Settings.getTempDirectory();
Assert.assertTrue(tmp.exists());
}
}

0
dependency-check-core/src/test/resources/checkSumTest.file → dependency-check-utils/src/test/resources/checkSumTest.file
View File

59
dependency-check-utils/src/test/resources/dependencycheck.properties Normal file
View File

@@ -0,0 +1,59 @@
application.name=${pom.name}
application.version=${pom.version}
autoupdate=true
max.download.threads=3
#temp.directory defaults to System.getProperty("java.io.tmpdir")
#temp.directory=[path to temp directory]
# the path to the data directory; the [JAR] signifies to use the relative path
# to the dependency-check-core JAR file. This path is only used to construct
# the connection string for the H2 driver (or other drivers that require a file path
# to be supplied. If you are using another database (MySQL, Oracle, etc.) this property
# will not be used. The data.directory will be resolved and if the connection string
# below contains a %s then the data.directory will replace the %s.
data.directory=[JAR]/data
data.file_name=cve.%s.h2.db
data.version=2.9
data.connection_string=jdbc:h2:file:%s;FILE_LOCK=SERIALIZED;AUTOCOMMIT=ON;
#data.connection_string=jdbc:h2:file:%s;AUTO_SERVER=TRUE;AUTOCOMMIT=ON;
#data.connection_string=jdbc:mysql://localhost:3306/dependencycheck
# user name and password for the database connection. The inherent case is to use H2.
# As such, this unsecure username/password exist.
data.user=dcuser
data.password=DC-Pass1337!
# The following are only used if the DB Driver is not JDBC4 compliant and/or the driver
# is not in the current classpath. Setting these properties will add the give path(s) to
# the class loader and then register the driver with the DriverManager. If the class is
# not in the path you must specify both the driver name (aka the fully qualified driver name)
# and the driver path. The driver path can be a semi-colon separated list of files/directories
# to ensure any and all needed files can be added to the classpath to load the driver.
# For non-JDBC4 drivers in the classpath only the driver_name needs to be set.
# For MOST situations these properties likely do not need to be set.
data.driver_name=org.h2.Driver
data.driver_path=
# the path to the cpe xml file
cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.xml.gz
# the path to the cpe meta data file.
cpe.meta.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.meta
# the number of days that the modified nvd cve data holds data for. We don't need
# to update the other files if we are within this timespan. Per NIST this file
# holds 8 days of updates, we are using 7 just to be safe.
cve.url.modified.validfordays=7
# the path to the modified nvd cve xml file.
cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
cve.startyear=2014
cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
# the URL for searching Nexus for SHA-1 hashes and whether it's enabled
analyzer.nexus.enabled=true
analyzer.nexus.url=https://repository.sonatype.org/service/local/
# If set to true, the proxy will still ONLY be used if the proxy properties (proxy.url, proxy.port)
# are configured
analyzer.nexus.proxy=true

1
dependency-check-utils/src/test/resources/test.properties Normal file
View File

@@ -0,0 +1 @@
proxy.port=80

19
pom.xml
View File

@@ -1,3 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is part of Dependency-Check.
@@ -14,13 +15,12 @@ See the License for the specific language governing permissions and
limitations under the License.
Copyright (c) 2012 - Jeremy Long
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
--><project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.2.1</version>
<version>1.2.4</version>
<packaging>pom</packaging>
<modules>
@@ -29,10 +29,11 @@ Copyright (c) 2012 - Jeremy Long
<module>dependency-check-ant</module>
<module>dependency-check-maven</module>
<module>dependency-check-jenkins</module>
<module>dependency-check-utils</module>
</modules>
<name>Dependency-Check</name>
<url>https://github.com/jeremylong/DependencyCheck.git</url>
<description>dependency-check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities. This tool can be part of the solution to the OWASP Top 10 2013: A9 - Using Components with Known Vulnerabilities.</description>
<description>dependency-check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed vulnerabilities. This tool can be part of the solution to the OWASP Top 10 2013: A9 - Using Components with Known Vulnerabilities.</description>
<inceptionYear>2012</inceptionYear>
<organization>
@@ -140,14 +141,6 @@ Copyright (c) 2012 - Jeremy Long
<target>1.6</target>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.9.1</version>
<configuration>
<bottom>Copyright© 2012-13 Jeremy Long. All Rights Reserved.</bottom>
</configuration>
</plugin>
<!-- begin copy from http://minds.coremedia.com/2012/09/11/problem-solved-deploy-multi-module-maven-project-site-as-github-pages/ -->
<plugin>
<groupId>org.apache.maven.plugins</groupId>
@@ -244,4 +237,4 @@ Copyright (c) 2012 - Jeremy Long
<type>jar</type>
</dependency>
</dependencies>
</project>
</project>

16
src/site/markdown/archive-analyzer.md Normal file
View File

@@ -0,0 +1,16 @@
Archive Analyzer
==============
Dependency-check includes an analyzer an archive analyzer that will attempt
to extract files from the archive that are supported by the other file type
analyzers.
Files Types Scanned: ZIP, EAR, WAR, JAR, SAR, APK, NUPKG, TAR, GZ, TGZ
Additional file extensions for ZIP archives can be added, see the configuration
section in the Maven, Ant, or CLI interfaces for more information on configuration.
Note, since this analyzer does examine the contents of a JAR file there are times
that you may see additional entries in the report and/or warnings in the log file (if used)
for DLL or EXE files contained within the JAR file. In almost all cases these can
be ignored as it is fairly rare to have a .NET dll or exe within a JAR file.

10
src/site/markdown/assembly-analyzer.md Normal file
View File

@@ -0,0 +1,10 @@
Assembly Analyzer
==============
Dependency-check includes an analyzer that scans .NET dll and exe files and collect as
much information it can about the files as it can. The information collected
is internally referred to as evidence and is grouped into vendor, product, and version
buckets. Other analyzers later use this evidence to identify any Common Platform
Enumeration (CPE) identifiers that apply.
Files Types Scanned: EXE, DLL

9
src/site/markdown/index.md
View File

@@ -12,11 +12,10 @@ The gist of the paper is that we as a development community include third party
libraries in our applications that contain well known published vulnerabilities
\(such as those at the [National Vulnerability Database](http://web.nvd.nist.gov/view/vuln/search)\).
Dependency-check scans directories and files and if it contains an Analyzer that
can scan a particular file type then information from the file is collected. This
information is then used to identify the [Common Platform Enumeration](http://nvd.nist.gov/cpe.cfm) \(CPE\). If a
CPE is identified a listing of associated [Common Vulnerability and Exposure](http://cve.mitre.org/) \(CVE\)
entries are listed in a report.
More information about dependency-check can be found here:
* [How does dependency-check work](./internals.html)
* [How to read the report](./thereport.html)
**IMPORTANT NOTE**: Dependency-check automatically updates itself using the NVD Data Feeds hosted by
NIST. **The initial download of the data may take fifteen minutes

37
src/site/markdown/internals.md Normal file
View File

@@ -0,0 +1,37 @@
How does dependency-check work?
===========
Dependency-check works by collecting information about the files it scans (using Analyzers). The information collected
is called Evidence; there are three types of evidence collected: vendor, product, and version. For instance, the
JarAnalyzer will collect information from the Manifest, pom.xml, and the package names within the JAR files scanned and
it has heuristics to place the information from the various sources into one or more buckets of evidence.
Within the NVD CVE Data (schema can be found [here](http://nvd.nist.gov/schema/nvd-cve-feed_2.0.xsd)) each CVE Entry has
a list of vulnerable software:
```xml
<entry id="CVE-2012-5055">
...
<vuln:vulnerable-software-list>
<vuln:product>cpe:/a:vmware:springsource_spring_security:3.1.2</vuln:product>
<vuln:product>cpe:/a:vmware:springsource_spring_security:2.0.4</vuln:product>
<vuln:product>cpe:/a:vmware:springsource_spring_security:3.0.1</vuln:product>
```
These CPE entries are read "cpe:/[Entry Type]:[Vendor]:[Product]:[Version]:[Revision]:...". The CPE data is collected
and stored in a [Lucene Index](http://lucene.apache.org/). Dependency-check then use the Evidence collected and attempt
to match an entry from the Lucene CPE Index. If found, the CPEAnalyzer will add an Identifier to the Dependency and
subsequently to the report. Once a CPE has been identified the associated CVE entries are added to the report.
One important point about the evidence is that it is rated using different confidence levels - low, medium, high, and
highest. These confidence levels are applied to each item of evidence. When the CPE is determined it is given a confidence
level that is equal to the lowest level confidence level of evidence used during identification. If only highest confidence
evidence was used in determining the CPE then the CPE would have a highest confidence level.
Because of the way dependency-check works both false positives and false negatives may exist. Please read
[How to read the report](thereport.html) to get a better understanding of sorting through the false positives and false
negatives.
Dependency-check does not currently use file hashes for identification. If the dependency was built from source the hash
likely will not match the "published" hash. While the evidence based mechanism currently used can also be unreliable the
design decision was to avoid maintaining a hash database of known vulnerable libraries. A future enhancement may add some
hash matching for very common well known libraries (Spring, Struts, etc.).

11
src/site/markdown/jar-analyzer.md Normal file
View File

@@ -0,0 +1,11 @@
Jar Analyzer
==============
Dependency-check includes an analyzer that scans JAR files and collect as
much information it can about the file as it can. The information collected
is internally referred to as evidence and is grouped into vendor, product, and version
buckets. Other analyzers later use this evidence to identify any Common Platform
Enumeration (CPE) identifiers that apply. Additionally, if a POM is present
the analyzer will add the Maven group, artifact, and version (GAV).
Files Types Scanned: JAR, WAR

2
src/site/markdown/nexus-analyzer.md
View File

@@ -1,7 +1,7 @@
Nexus Analyzer
==============
Dependency Check includes an analyzer which will check for the Maven GAV
Dependency-check includes an analyzer that will check for the Maven GAV
(Group/Artifact/Version) information for artifacts in the scanned area. By
default the information comes from [Maven Central][1], but can be configured to
use a local repository if necessary. If the artifact's hash is found in the

13
src/site/markdown/nuspec-analyzer.md Normal file
View File

@@ -0,0 +1,13 @@
Nuspec Analyzer
==============
Dependency-check includes an analyzer that will scan NuGet's Nuspec file to
collect information about the component being used. The evidence collected
is used by other analyzers to determine if there are any known vulnerabilities
associated with the component.
Note, the Nuspec Analyzer does not scan dependencies defined. However, if
the dependencies have been downloaded and may be included in the scan depending
on configuration.
Files Types Scanned: NUSPEC

9
src/site/markdown/suppression.md
View File

@@ -64,6 +64,15 @@ HTML version of the report. The other common scenario would be to ignore all CVE
]]></notes>
<cvssBelow>7</cvssBelow>
</suppress>
<suppress>
<notes><![CDATA[
This suppresses false positives identified on spring security.
]]></notes>
<gav regex="true">org\.springframework\.security:spring.*</gav>
<cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
<cpe>cpe:/a:springsource:spring_framework</cpe>
<cpe>cpe:/a:mod_security:mod_security</cpe>
</suppress>
</suppressions>
```

26
src/site/markdown/thereport.md Normal file
View File

@@ -0,0 +1,26 @@
How To Read The Report
========
There is a lot of information contained in the HTML version of the report. When analyzing the results, the first thing one should do is determine if the CPE looks
appropriate. Due to the way dependency-check works (see above) the report may contain false positives; these false positives are primarily on the CPE values. If the CPE value
is wrong, this is usually obvious and one should use the suppression feature in the report to generate a suppression XML file that can be used on future scans. In addition
to just looking at the CPE values in comparison to the name of the dependency - one may also consider the confidence of the CPE (as discussed in [How does dependency-check
work](./internals.html)). See the [Suppressing False Positives](./suppression.html) page for more information on how to generate and use the suppression file.
Once you have weeded out any obvious false positives one can then look at the remaining entries and determine if any of the identified CVE entries are actually
exploitable in your environment. Determining if a CVE is exploitable in your environment can be tricky - for this I do not currently have any tips other then
upgrade the library if you can just to be safe. Note, some CVE entries can be fixed by either upgrading the library or changing configuration options.
One item that dependency-check flags that many may think is a false positive are old database drivers. One thing to consider about an old database driver is that the
CPE/CVEs identified are usually for the server rather then the driver. However, the presence of an old driver may indicate that you have an older version of the server
running in your environment and that server may need to be patched or upgraded. However, in some cases the old database drivers are actually unused, transitive dependencies
from other dependencies.
Regarding False Negatives
=======
As stated above, due to the nature of dependency-check there may be publicly disclosed vulnerabilities in the project dependencies scanned by dependency-check that
are not identified. With the current version of dependency-check the HTML report has a table at the top that initially displays just the dependencies with identified
vulnerabilities. This can be toggled to show all dependencies. If you examine the rows that do not have identified CPE/CVE entries you will see an "evidence count".
If the evidence count is extremely low (0-5 entries) then there may not have been enough information contained in the dependency to identify a CPE and associated CVEs.
It should be noted that while the false positives described above are bad, more concerning is that there may be vulnerabilities within the project dependencies that
have yet to be publicly known. If one has the resources consider performing security assessments on the project dependencies.

22542
src/site/resources/SampleReport.html
View File

File diff suppressed because one or more lines are too long

29
src/site/site.xml
View File

@@ -72,6 +72,12 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<menu ref="reports" />
<menu name="General">
<item name="How it Works" href="./internals.html">
<description>How does dependency-check work?</description>
</item>
<item name="Reading the Report" href="./thereport.html">
<description>How to read the report</description>
</item>
<item name="False Positives" href="./suppression.html">
<description>Suppressing False Positives</description>
</item>
@@ -84,14 +90,25 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<item name="Sample Report" href="./SampleReport.html">
<description>Sample Report</description>
</item>
</menu>
<menu name="File Type Analyzers">
<item name="Archive Analyzer" href="./archive-analyzer.html">
<description>Archive Analyzer</description>
</item>
<item name="Jar Analyzer" href="./jar-analyzer.html">
<description>Jar Analyzer</description>
</item>
<item name="Nexus Analyzer" href="./nexus-analyzer.html">
<description>Nexus Analyzer</description>
</item>
<item name="Assembly Analyzer" href="./assembly-analyzer.html">
<description>Assembly Analyzer</description>
</item>
<item name="Nuspec Analyzer" href="./nuspec-analyzer.html">
<description>Nuspec Analyzer</description>
</item>
</menu>
<menu name="Modules">
<item name="dependency-check-core" href="./dependency-check-core/index.html">
<description>The core dependency-check library</description>
</item>
<item name="dependency-check-cli" href="./dependency-check-cli/installation.html">
<description>The command line interface for dependency-check.</description>
</item>
@@ -104,6 +121,12 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<item name="dependency-check-jenkins" href="./dependency-check-jenkins/index.html">
<description>A Jenkins plugin for dependency-check.</description>
</item>
<item name="dependency-check-core" href="./dependency-check-core/index.html">
<description>The core dependency-check engine and reporting tool.</description>
</item>
<item name="dependency-check-utils" href="./dependency-check-utils/index.html">
<description>A set of utility classes used by dependency-check.</description>
</item>
</menu>
<footer>Copyright © 2012-2014 Jeremy Long. All Rights Reserved.</footer>
</body>