mirror of
https://github.com/ysoftdevs/DependencyCheck.git
synced 2026-01-14 07:43:40 +01:00
Compare commits
1328 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
6f9ba0033f | ||
|
|
4d4672fc4d | ||
|
|
70859eb719 | ||
|
|
ae9daf7f33 | ||
|
|
ff0daa8d66 | ||
|
|
09f1a0ac92 | ||
|
|
e562be77f6 | ||
|
|
af7c6bc2a0 | ||
|
|
e49cbcf345 | ||
|
|
b4218ff0e8 | ||
|
|
4af174d27b | ||
|
|
203a7da23a | ||
|
|
9833ff20d1 | ||
|
|
638b3c0695 | ||
|
|
01ef2e1061 | ||
|
|
56aea8ad24 | ||
|
|
d530eddc57 | ||
|
|
1eab76aab8 | ||
|
|
167dbd7368 | ||
|
|
2594fb1c5f | ||
|
|
c57d21e9bc | ||
|
|
9c15bdfe41 | ||
|
|
64dedf892d | ||
|
|
d6fc456039 | ||
|
|
df606674db | ||
|
|
1e3a7ff4ba | ||
|
|
b53de8c69b | ||
|
|
0f3ffaf270 | ||
|
|
25238d5fb5 | ||
|
|
cf677bd70e | ||
|
|
42939e4922 | ||
|
|
7c4cc1334b | ||
|
|
ff4a1e0ac6 | ||
|
|
069e22049d | ||
|
|
135ed5c614 | ||
|
|
13d7d29630 | ||
|
|
889f315c0a | ||
|
|
5a0e280899 | ||
|
|
ccb5e234b3 | ||
|
|
2caccab85f | ||
|
|
085ab48f3f | ||
|
|
a28c2819fa | ||
|
|
40beec2e40 | ||
|
|
d136aeda84 | ||
|
|
fdd6c47cd5 | ||
|
|
c5a2b5b3d8 | ||
|
|
babe4739c5 | ||
|
|
49e8ee443c | ||
|
|
a5d8ce07d8 | ||
|
|
babc016b48 | ||
|
|
a5f378d755 | ||
|
|
ebf995537e | ||
|
|
49edb6c2e1 | ||
|
|
423f26852f | ||
|
|
f931412bee | ||
|
|
bef0657801 | ||
|
|
d79d5b5f33 | ||
|
|
4c5489efd3 | ||
|
|
d5753b9589 | ||
|
|
a841027d48 | ||
|
|
73bea8e63f | ||
|
|
bbc8bab4da | ||
|
|
019f6dfb8b | ||
|
|
3b6a2a2908 | ||
|
|
c2b757ad6f | ||
|
|
efeba40f2b | ||
|
|
018e4bc382 | ||
|
|
88924ea520 | ||
|
|
4461c2e4a4 | ||
|
|
1c4aceb0fb | ||
|
|
a5b396a60d | ||
|
|
efd96ed892 | ||
|
|
fe88785846 | ||
|
|
0dcb0fb325 | ||
|
|
0825843d0f | ||
|
|
8c4df134e4 | ||
|
|
dfed5067f3 | ||
|
|
2b78e8fdc1 | ||
|
|
63c7a9d926 | ||
|
|
6609481cc1 | ||
|
|
a37853def6 | ||
|
|
9f348cfa16 | ||
|
|
52293f2596 | ||
|
|
54d3a73282 | ||
|
|
ab2d3b70cb | ||
|
|
451df460f6 | ||
|
|
b4afa01887 | ||
|
|
2ea95f5bf9 | ||
|
|
22602f42f2 | ||
|
|
b2c5183043 | ||
|
|
9f6559c7fb | ||
|
|
ef04c16237 | ||
|
|
dd85bfd2ab | ||
|
|
7152a05bfd | ||
|
|
754c2fc9bf | ||
|
|
85ad0b881f | ||
|
|
db6c471cc6 | ||
|
|
300d990276 | ||
|
|
9c55b889cb | ||
|
|
735f76cc0b | ||
|
|
d1c27a4298 | ||
|
|
650f09bbc5 | ||
|
|
08bf16971a | ||
|
|
ccb149240e | ||
|
|
ae22719985 | ||
|
|
55c4d729bb | ||
|
|
429f0966f0 | ||
|
|
7a246b90b9 | ||
|
|
d2e7de5505 | ||
|
|
a9eab16502 | ||
|
|
d59cce8080 | ||
|
|
9390e71dd9 | ||
|
|
65992243fa | ||
|
|
c81b8b0171 | ||
|
|
0671d12628 | ||
|
|
a892c5e7b7 | ||
|
|
b5c21ffbf0 | ||
|
|
bb2b25cca5 | ||
|
|
b3867244ba | ||
|
|
6bf8d396e0 | ||
|
|
6394c1a7b4 | ||
|
|
ccd656845d | ||
|
|
2931e8454c | ||
|
|
112b158795 | ||
|
|
921001000f | ||
|
|
3e3a8e9f98 | ||
|
|
7440a039fd | ||
|
|
e73f9ab02f | ||
|
|
59815b858e | ||
|
|
7df7f59d93 | ||
|
|
e971bc1991 | ||
|
|
a3f0f12779 | ||
|
|
2a9c214593 | ||
|
|
3fc37f3e5e | ||
|
|
ebe4423e25 | ||
|
|
cfafb4a101 | ||
|
|
8d538a9977 | ||
|
|
cc2953d6a3 | ||
|
|
c888019068 | ||
|
|
56639d3965 | ||
|
|
09ff99823e | ||
|
|
5078e32dc7 | ||
|
|
ecaadff0d8 | ||
|
|
f2ad8cc7d1 | ||
|
|
c8d77eb213 | ||
|
|
fe3d9e8bf6 | ||
|
|
6c4171be75 | ||
|
|
4bbb466e43 | ||
|
|
c478415667 | ||
|
|
fc832b67c5 | ||
|
|
943a9ea97e | ||
|
|
2c7ab297d7 | ||
|
|
d8299f7db1 | ||
|
|
4deeb33f08 | ||
|
|
3bf4cf8c85 | ||
|
|
e0217fc6c3 | ||
|
|
62a3efa23a | ||
|
|
cc7ebe6d52 | ||
|
|
5d920e4b44 | ||
|
|
1264ea54a1 | ||
|
|
caa1d77d23 | ||
|
|
20a55b3342 | ||
|
|
8bfe67fc60 | ||
|
|
d42a1c6ab1 | ||
|
|
80a89ef6d1 | ||
|
|
1a0e605f0c | ||
|
|
573c8eb509 | ||
|
|
e676e3a14b | ||
|
|
af8c807ee0 | ||
|
|
dfaa5df965 | ||
|
|
32055ecdcc | ||
|
|
9db71c5f0c | ||
|
|
99856bf285 | ||
|
|
4d006b3e05 | ||
|
|
4e37165ba6 | ||
|
|
38a5834785 | ||
|
|
d6e1352869 | ||
|
|
bf1b7bd7a2 | ||
|
|
2306327057 | ||
|
|
2d389ba73f | ||
|
|
ce8d5bc635 | ||
|
|
8fdc2007e0 | ||
|
|
88a97769de | ||
|
|
589c761cb0 | ||
|
|
3e6787fd61 | ||
|
|
aff52ee3f5 | ||
|
|
4555b02592 | ||
|
|
e1d4599a93 | ||
|
|
1a1e141cb8 | ||
|
|
33218f41e8 | ||
|
|
8772cda47a | ||
|
|
512eb713e4 | ||
|
|
0f90d48c62 | ||
|
|
658860e396 | ||
|
|
7522dae557 | ||
|
|
e34e65a3ba | ||
|
|
5a001a2c32 | ||
|
|
13a03eb250 | ||
|
|
cd863b6cca | ||
|
|
83b182dda5 | ||
|
|
3b90d1a564 | ||
|
|
d724855dfc | ||
|
|
78008330fe | ||
|
|
e716aad224 | ||
|
|
aa0d7cb4e9 | ||
|
|
0cd43ce35c | ||
|
|
ac98c8e395 | ||
|
|
70a8fc09c6 | ||
|
|
5b00d05e2e | ||
|
|
28c1730a02 | ||
|
|
c54483d36f | ||
|
|
2dd02ff8cb | ||
|
|
46c5501b7a | ||
|
|
f154826749 | ||
|
|
96383ef985 | ||
|
|
ab4b19dbab | ||
|
|
cdc53ac570 | ||
|
|
143cc1912e | ||
|
|
0d90b676bc | ||
|
|
5fadbb3d25 | ||
|
|
0ec99a3e12 | ||
|
|
1efbc44cc4 | ||
|
|
735fcfeee2 | ||
|
|
4a77150566 | ||
|
|
180a420219 | ||
|
|
d12ba8f3ef | ||
|
|
1b2cd354db | ||
|
|
533b455356 | ||
|
|
58807d9021 | ||
|
|
bc9458101c | ||
|
|
d49556bf3d | ||
|
|
b9003a2f02 | ||
|
|
6b303410d1 | ||
|
|
8cae2f24b1 | ||
|
|
0a04d753ea | ||
|
|
35402c7bd3 | ||
|
|
847a97f61c | ||
|
|
fac27a6120 | ||
|
|
2e24eda00d | ||
|
|
7a653abf22 | ||
|
|
ae09229107 | ||
|
|
be35f48bdd | ||
|
|
846173844e | ||
|
|
59c28d8e51 | ||
|
|
abdfa3ccf6 | ||
|
|
99ad6634c4 | ||
|
|
84556fb055 | ||
|
|
26e14e0151 | ||
|
|
3df2daa5cb | ||
|
|
c55efddc81 | ||
|
|
a59c8908f0 | ||
|
|
a421c5f952 | ||
|
|
37b0612d45 | ||
|
|
07bc94f9f6 | ||
|
|
82511880ac | ||
|
|
2f5cc6a8a4 | ||
|
|
f9a0f5e7a1 | ||
|
|
47b083eaca | ||
|
|
8fcf5ee760 | ||
|
|
f2006206d3 | ||
|
|
c32361a428 | ||
|
|
ac83c2bc3c | ||
|
|
32808c16e7 | ||
|
|
e4e2433396 | ||
|
|
8196b6e69e | ||
|
|
8dd49b6156 | ||
|
|
c4ab83a801 | ||
|
|
2c51b7b835 | ||
|
|
bab49d04b7 | ||
|
|
6963d66240 | ||
|
|
8cbf3ffc6b | ||
|
|
2a4693f6ed | ||
|
|
217256746c | ||
|
|
6c90225024 | ||
|
|
92d8a894e3 | ||
|
|
c89d619808 | ||
|
|
31dd4f6305 | ||
|
|
ff9715ede7 | ||
|
|
ffd1e383c2 | ||
|
|
2cc4f8c2fe | ||
|
|
6f513eb359 | ||
|
|
b235a5bb49 | ||
|
|
25f1912573 | ||
|
|
d24d6f6b52 | ||
|
|
afdb156c84 | ||
|
|
643d3600b8 | ||
|
|
9c51bff55b | ||
|
|
81c91b3877 | ||
|
|
3d365eb258 | ||
|
|
6857f6d8f8 | ||
|
|
81bd9991bb | ||
|
|
056fa9ded2 | ||
|
|
a3792c474b | ||
|
|
ec233dbb46 | ||
|
|
d89cd789ac | ||
|
|
69088e162d | ||
|
|
ec53bd4125 | ||
|
|
35a264d21c | ||
|
|
0372c2eccc | ||
|
|
08c7ffc6d9 | ||
|
|
e386f6ac20 | ||
|
|
60ab893888 | ||
|
|
f2d960c3eb | ||
|
|
fb88aeaeb9 | ||
|
|
94561de719 | ||
|
|
89ed18cea3 | ||
|
|
b996fa234b | ||
|
|
f6cd5cb4b2 | ||
|
|
6ac8caaf5f | ||
|
|
e5a4145e37 | ||
|
|
2c8b408bfb | ||
|
|
58c5c04feb | ||
|
|
b0d6070d28 | ||
|
|
3728594f73 | ||
|
|
dc2f1eabb2 | ||
|
|
eda08e7454 | ||
|
|
1bf4b6daa9 | ||
|
|
f757266282 | ||
|
|
0321823125 | ||
|
|
33d190afaa | ||
|
|
ff16c4f127 | ||
|
|
134728438e | ||
|
|
754bd68a87 | ||
|
|
bd32eeeaa2 | ||
|
|
1b9a3bd4bd | ||
|
|
584d369b0b | ||
|
|
0ebe052752 | ||
|
|
535863bc52 | ||
|
|
dd925cd92b | ||
|
|
5529de3d95 | ||
|
|
ce6b65adb8 | ||
|
|
9897109332 | ||
|
|
cfc851a99b | ||
|
|
380178ccc8 | ||
|
|
3227ddd9f9 | ||
|
|
336be63237 | ||
|
|
37c9b9e1f5 | ||
|
|
ebb3e02dcc | ||
|
|
352505c54f | ||
|
|
0c7998712e | ||
|
|
b9a20e7ac5 | ||
|
|
7ab89b900c | ||
|
|
9620956727 | ||
|
|
9b85768b7e | ||
|
|
5276e1863d | ||
|
|
0fc1a30a2c | ||
|
|
8609b98b1c | ||
|
|
c85514a17a | ||
|
|
d00bef5546 | ||
|
|
b905f46f98 | ||
|
|
cdd4765d38 | ||
|
|
d62793f4ad | ||
|
|
d83d325a49 | ||
|
|
e5baf99814 | ||
|
|
b4aeab3501 | ||
|
|
039bfd372d | ||
|
|
1a92de71d1 | ||
|
|
d8279e11aa | ||
|
|
b1b8584641 | ||
|
|
11e75df1a9 | ||
|
|
25fc2bfbea | ||
|
|
a93c84ff64 | ||
|
|
986a4182d9 | ||
|
|
d38a8b109b | ||
|
|
711d8c8c6b | ||
|
|
0d1d22aeff | ||
|
|
ac2231f0f3 | ||
|
|
21344dacfc | ||
|
|
ca22ba5bbc | ||
|
|
fc64c34214 | ||
|
|
c35bc2476d | ||
|
|
222826af95 | ||
|
|
db28db0bc7 | ||
|
|
931f7d47ea | ||
|
|
987ed1cefc | ||
|
|
3e9a77abfa | ||
|
|
3879eb6b3a | ||
|
|
5e5a2040fc | ||
|
|
eea44d7de2 | ||
|
|
3fcbf075fb | ||
|
|
b2641494cc | ||
|
|
c48a794aee | ||
|
|
e53906aea8 | ||
|
|
05a4a1670f | ||
|
|
4bd35852a5 | ||
|
|
be4d56f8d2 | ||
|
|
dfbcd616f2 | ||
|
|
dc0106348d | ||
|
|
f2666d4a30 | ||
|
|
4220e58d26 | ||
|
|
07de43981a | ||
|
|
fa352c1a8f | ||
|
|
e5d582b30b | ||
|
|
8fb14ffdf3 | ||
|
|
c16e85e7db | ||
|
|
25a72e3508 | ||
|
|
20411da67b | ||
|
|
81bfdc69dd | ||
|
|
5e2829fe49 | ||
|
|
2aba09f090 | ||
|
|
38e27309fb | ||
|
|
6b586684e6 | ||
|
|
773e280339 | ||
|
|
297a67cd00 | ||
|
|
ceb61ebe74 | ||
|
|
6c85e3502e | ||
|
|
690192300f | ||
|
|
3ba963f474 | ||
|
|
9b2cacc3a0 | ||
|
|
315a616293 | ||
|
|
3c56cd6738 | ||
|
|
a48ac013e8 | ||
|
|
258602ce1a | ||
|
|
c85b547502 | ||
|
|
d6266c36bf | ||
|
|
fdd7f30e9a | ||
|
|
3994ef3619 | ||
|
|
633028a63f | ||
|
|
013374e9db | ||
|
|
4358b47e91 | ||
|
|
6decc1ce30 | ||
|
|
8a3dba3064 | ||
|
|
27bcead1bc | ||
|
|
acb9c01776 | ||
|
|
79fd23d51b | ||
|
|
776614d211 | ||
|
|
b03a498cd7 | ||
|
|
b612926fb6 | ||
|
|
b67377f505 | ||
|
|
2033acbe2a | ||
|
|
e435cfc489 | ||
|
|
a3199a52af | ||
|
|
99be870ab9 | ||
|
|
9b2ecb4701 | ||
|
|
be7443a0a0 | ||
|
|
0de6557872 | ||
|
|
258e890056 | ||
|
|
d84bbad79a | ||
|
|
07e6477686 | ||
|
|
acde161412 | ||
|
|
8d8f9c6d26 | ||
|
|
c7507d9743 | ||
|
|
ff970fde56 | ||
|
|
2c4a997c64 | ||
|
|
5c787e0b69 | ||
|
|
41da8435cc | ||
|
|
84ecc4c664 | ||
|
|
d18a36af22 | ||
|
|
b3e766aa50 | ||
|
|
0cee54c51b | ||
|
|
41e436a183 | ||
|
|
743fc19fa3 | ||
|
|
76e8c66b1b | ||
|
|
4379ea63f0 | ||
|
|
00ae54b4b2 | ||
|
|
3a7fd7d271 | ||
|
|
94a0c98bfe | ||
|
|
c2b2b2698d | ||
|
|
9bb630bae6 | ||
|
|
c47b2f5b18 | ||
|
|
ecdc9a968d | ||
|
|
c041ff66e2 | ||
|
|
fe0e2d5c2d | ||
|
|
2cf3bca8de | ||
|
|
b2a817e17b | ||
|
|
d1ca951ffa | ||
|
|
b3932ae8c5 | ||
|
|
35223d5737 | ||
|
|
9d263f11e5 | ||
|
|
3f28b30e95 | ||
|
|
d797abdb1f | ||
|
|
3b3a940ee4 | ||
|
|
1b5b61b25e | ||
|
|
00d29b88df | ||
|
|
ab9bc9da74 | ||
|
|
b79f7b7ab8 | ||
|
|
9b34b5ca89 | ||
|
|
b486788993 | ||
|
|
563e9c51e1 | ||
|
|
6ab5e3ed4f | ||
|
|
43a6c81151 | ||
|
|
887a5d50a4 | ||
|
|
be68f8c3f7 | ||
|
|
86a4923157 | ||
|
|
f80ff31412 | ||
|
|
94acc82bf5 | ||
|
|
3c1a1fcca1 | ||
|
|
b3d08e4cb8 | ||
|
|
ab766ce85b | ||
|
|
bcb8245c61 | ||
|
|
c9e60d5c3a | ||
|
|
eb7c74eea7 | ||
|
|
40f5911ceb | ||
|
|
2a8809adbb | ||
|
|
39524c4064 | ||
|
|
c1cc2d6350 | ||
|
|
acb857f433 | ||
|
|
d343d92b17 | ||
|
|
43cb4716a9 | ||
|
|
6222561431 | ||
|
|
07b10e9e23 | ||
|
|
dffe8cef7a | ||
|
|
bb26626fd5 | ||
|
|
2f207de1a0 | ||
|
|
a69419ed04 | ||
|
|
be7c1ba914 | ||
|
|
461f6ad2c1 | ||
|
|
aff85cbfb8 | ||
|
|
c0ce4523fa | ||
|
|
65f8b3978d | ||
|
|
80ca3e114e | ||
|
|
330e803675 | ||
|
|
337e9ac3ef | ||
|
|
dfb78788f9 | ||
|
|
2dc560f583 | ||
|
|
7355400548 | ||
|
|
50b4630436 | ||
|
|
132d43f999 | ||
|
|
0627f20f5e | ||
|
|
40f329512b | ||
|
|
c196c08ada | ||
|
|
8f1e0d57bf | ||
|
|
c30c455a9f | ||
|
|
cd0e8e1c6b | ||
|
|
cbeb91f9a9 | ||
|
|
a3830989ba | ||
|
|
86427e2042 | ||
|
|
8f079de0aa | ||
|
|
651727c697 | ||
|
|
5c55f4d4bb | ||
|
|
c8502d3b7b | ||
|
|
22e3b9b544 | ||
|
|
f16db8298b | ||
|
|
cf4a32b260 | ||
|
|
b8d83c37d9 | ||
|
|
617f6bb8ef | ||
|
|
0c9f2bf5d2 | ||
|
|
eb9afecd66 | ||
|
|
2c1f2ae589 | ||
|
|
9387b09a19 | ||
|
|
f17f04f00a | ||
|
|
07f0192088 | ||
|
|
0fd19f0de8 | ||
|
|
e954fa6478 | ||
|
|
a0fdfc0f39 | ||
|
|
57a4372b65 | ||
|
|
c11cb38269 | ||
|
|
e4fd446946 | ||
|
|
714d8ac3ba | ||
|
|
f09293e077 | ||
|
|
389e8bc325 | ||
|
|
367f763ce5 | ||
|
|
3febed82f1 | ||
|
|
8a6371fe68 | ||
|
|
93937feb13 | ||
|
|
21e62d8597 | ||
|
|
88e8019858 | ||
|
|
cbe562a204 | ||
|
|
4dc40389a3 | ||
|
|
0552f10c38 | ||
|
|
c9ac7401e8 | ||
|
|
60625b9978 | ||
|
|
b4b53cfa4c | ||
|
|
f1e1d67f4e | ||
|
|
982641752f | ||
|
|
ba66cbbc95 | ||
|
|
750d13a300 | ||
|
|
3c69a87fc2 | ||
|
|
dbaddab07b | ||
|
|
1d58811680 | ||
|
|
4d78fe9ca4 | ||
|
|
56d3082696 | ||
|
|
8f573aba2f | ||
|
|
96633360d0 | ||
|
|
8ae7935cee | ||
|
|
68e860baad | ||
|
|
38ead3133f | ||
|
|
553d1f85c4 | ||
|
|
d9a985ff38 | ||
|
|
d3a2d2b248 | ||
|
|
575b8e5f62 | ||
|
|
37ff924c74 | ||
|
|
7ccbc4c77c | ||
|
|
27b7a60a8d | ||
|
|
dca731ffb8 | ||
|
|
0d56de99a7 | ||
|
|
ac5e11d327 | ||
|
|
9d315b0ff9 | ||
|
|
038fe84498 | ||
|
|
4fd59f2a19 | ||
|
|
f77c3bfdf7 | ||
|
|
dc7d941316 | ||
|
|
433cc1e32c | ||
|
|
c066a03683 | ||
|
|
562a8036bc | ||
|
|
53ac703f09 | ||
|
|
a2891d97d0 | ||
|
|
2bd5169f20 | ||
|
|
b3fd6d8c92 | ||
|
|
cea281b1d3 | ||
|
|
e85b2a8961 | ||
|
|
77b879d6bb | ||
|
|
9de3ae5cf2 | ||
|
|
b3a0dc3506 | ||
|
|
383731da4d | ||
|
|
67abb42652 | ||
|
|
edcc24bc12 | ||
|
|
a6836cab15 | ||
|
|
8f985737b0 | ||
|
|
6e2f102177 | ||
|
|
46a768339a | ||
|
|
f1dbbd62e9 | ||
|
|
8bb94889e0 | ||
|
|
da38e4e00c | ||
|
|
d8e8156b1c | ||
|
|
77a1b18673 | ||
|
|
9abd51f318 | ||
|
|
c7d51a29ac | ||
|
|
ac453ef32a | ||
|
|
db25493c04 | ||
|
|
8d4b4d3cd9 | ||
|
|
b05f13d82b | ||
|
|
438622d450 | ||
|
|
4f79efedc9 | ||
|
|
845fa89d0f | ||
|
|
29768576c8 | ||
|
|
4e659d799d | ||
|
|
10596bcb54 | ||
|
|
5ac6f4f7b3 | ||
|
|
957bb46e5c | ||
|
|
1042a537c1 | ||
|
|
2159b4b691 | ||
|
|
ce48e07e18 | ||
|
|
48dded02c6 | ||
|
|
b7d77042bf | ||
|
|
b4ea2569e3 | ||
|
|
42a9f864eb | ||
|
|
22e6de19c4 | ||
|
|
572a65d661 | ||
|
|
108ecb7e12 | ||
|
|
9c87d61528 | ||
|
|
dd903dd7e5 | ||
|
|
ae13cb2513 | ||
|
|
40f47ccd4e | ||
|
|
c344cd2a2b | ||
|
|
7601af24f0 | ||
|
|
0197eb0d08 | ||
|
|
a248967ae8 | ||
|
|
a4beb58b54 | ||
|
|
922cc942a4 | ||
|
|
f11b086381 | ||
|
|
e5eab69f65 | ||
|
|
961884ef12 | ||
|
|
5dbbf643a4 | ||
|
|
f937458c25 | ||
|
|
c617e62a16 | ||
|
|
343c886d54 | ||
|
|
824d85b2a0 | ||
|
|
0289fc5ce2 | ||
|
|
914a886bfe | ||
|
|
f65c30e975 | ||
|
|
48ac0049aa | ||
|
|
fea1117eae | ||
|
|
ace1a060db | ||
|
|
be6ad9c5e3 | ||
|
|
b2d51a2a9b | ||
|
|
74411d8656 | ||
|
|
332392b7ba | ||
|
|
e441414854 | ||
|
|
4b1d79e7f7 | ||
|
|
d7889e27e5 | ||
|
|
e65a68ce78 | ||
|
|
990f6d3730 | ||
|
|
84a62b3707 | ||
|
|
e18789b8d3 | ||
|
|
cb7be0e460 | ||
|
|
df825d0109 | ||
|
|
ce4baecb4b | ||
|
|
48907517e9 | ||
|
|
dde1d96058 | ||
|
|
b2f688a032 | ||
|
|
b4664f85f0 | ||
|
|
2725d32c33 | ||
|
|
c9f80db3c6 | ||
|
|
cb53ddf8a8 | ||
|
|
fdca41a71b | ||
|
|
d59ceee0f7 | ||
|
|
38b08835c2 | ||
|
|
dbbdb1bcbe | ||
|
|
b408e5d0d3 | ||
|
|
30f00508f5 | ||
|
|
75bb6aa966 | ||
|
|
eff206fb2b | ||
|
|
98da419c96 | ||
|
|
efe226045d | ||
|
|
35ba1532f4 | ||
|
|
476d732a3c | ||
|
|
21efc0c4a5 | ||
|
|
c20c6665fd | ||
|
|
cd497bfe9b | ||
|
|
25c42bee6d | ||
|
|
6d639385da | ||
|
|
fd1c0efedf | ||
|
|
5d2010aa73 | ||
|
|
d9333b2e93 | ||
|
|
3034306fcc | ||
|
|
0c7bae6fd7 | ||
|
|
855233f498 | ||
|
|
6b859a0478 | ||
|
|
2f37b658f1 | ||
|
|
3bd952e5c5 | ||
|
|
ae58c1fa99 | ||
|
|
dfb411cb6a | ||
|
|
449e3f5cc6 | ||
|
|
1b1fe17fca | ||
|
|
f3c457745e | ||
|
|
26f2e2b223 | ||
|
|
fcdd399eea | ||
|
|
c1d16782ab | ||
|
|
860434a1d5 | ||
|
|
38b493ee9d | ||
|
|
19dc560d56 | ||
|
|
bb10214db0 | ||
|
|
6a871c51a1 | ||
|
|
d7ff3050c2 | ||
|
|
8e0a0379d5 | ||
|
|
b7ceb90e61 | ||
|
|
c1935c83f6 | ||
|
|
62f08a2105 | ||
|
|
38d7f6e671 | ||
|
|
3c2c99c236 | ||
|
|
7694402ae4 | ||
|
|
7ed1d13221 | ||
|
|
47e89e35b2 | ||
|
|
3633759295 | ||
|
|
98bdb0479b | ||
|
|
1e40df227d | ||
|
|
caf0a709b8 | ||
|
|
daef951e59 | ||
|
|
73eab87dd9 | ||
|
|
1a2720649b | ||
|
|
1083cdb743 | ||
|
|
06eb8f9c10 | ||
|
|
31af15d267 | ||
|
|
12938df375 | ||
|
|
24d8dbcf64 | ||
|
|
2b7585357f | ||
|
|
5b659966c8 | ||
|
|
2834d6cac7 | ||
|
|
65dd4c873f | ||
|
|
8c834e634b | ||
|
|
f92430d092 | ||
|
|
b110e944c3 | ||
|
|
77eb5b5147 | ||
|
|
1fabdb9e2d | ||
|
|
e8682ac058 | ||
|
|
08603ad905 | ||
|
|
224b867737 | ||
|
|
0eb4ac5bcc | ||
|
|
876ca5927d | ||
|
|
98b4509014 | ||
|
|
c0013a0ba5 | ||
|
|
cc915e39c5 | ||
|
|
b569ad4ef5 | ||
|
|
6ab5388075 | ||
|
|
ded3079390 | ||
|
|
44fe358766 | ||
|
|
cee4b089c6 | ||
|
|
ba8bd4f95c | ||
|
|
c602072e5b | ||
|
|
76061c84aa | ||
|
|
cd01d3e923 | ||
|
|
ff23e7aba7 | ||
|
|
e61fb6f206 | ||
|
|
a6cab8fddc | ||
|
|
ec16d9abfc | ||
|
|
b5c67a47d1 | ||
|
|
a4c1e3b0bc | ||
|
|
b160d58d1b | ||
|
|
b6a4dfb424 | ||
|
|
5837718cf4 | ||
|
|
962e579434 | ||
|
|
63a249ecb0 | ||
|
|
3f40ca65f5 | ||
|
|
57668fc618 | ||
|
|
e82d14c973 | ||
|
|
8e9aa23c3c | ||
|
|
4687c7dcda | ||
|
|
5d857c731f | ||
|
|
eaec1205a1 | ||
|
|
e3d03c3d78 | ||
|
|
927fb013ff | ||
|
|
4deb14ccfb | ||
|
|
e04dba610b | ||
|
|
99a5dfee31 | ||
|
|
66842fca8e | ||
|
|
a47280f47b | ||
|
|
2808ca139c | ||
|
|
d87467aa88 | ||
|
|
382aad5119 | ||
|
|
93f94b65f1 | ||
|
|
bc66d4b0e7 | ||
|
|
ff044c831f | ||
|
|
cb85292f99 | ||
|
|
7c7722e8fc | ||
|
|
78cc6764bf | ||
|
|
0b540d6406 | ||
|
|
f1e0b7a94f | ||
|
|
611635a9a2 | ||
|
|
26c30b013b | ||
|
|
899f5231b5 | ||
|
|
0cfeee18c9 | ||
|
|
3e44835687 | ||
|
|
d5ac67071f | ||
|
|
6aee9ce92e | ||
|
|
6a268bfb68 | ||
|
|
63848e815f | ||
|
|
6640df18ac | ||
|
|
b9436c0cab | ||
|
|
c730f7931f | ||
|
|
ef6035b5be | ||
|
|
8502c0f048 | ||
|
|
acc4d5201a | ||
|
|
8248f31b20 | ||
|
|
39c1624d42 | ||
|
|
7eb82f2e84 | ||
|
|
df0d0d820a | ||
|
|
e0c0d8bc04 | ||
|
|
97619d8ba1 | ||
|
|
80df96fd0d | ||
|
|
579e76430d | ||
|
|
36dd7269e2 | ||
|
|
6596cb014f | ||
|
|
62ac63fd77 | ||
|
|
e6e8d96f12 | ||
|
|
f80464ea31 | ||
|
|
75b0c6f7a3 | ||
|
|
f95ce8c7b5 | ||
|
|
c991a3ccfd | ||
|
|
a1d612b1f6 | ||
|
|
d3cbd20c5e | ||
|
|
cff4f29ba4 | ||
|
|
dc08363360 | ||
|
|
a2aa8d9336 | ||
|
|
ab2bfa951c | ||
|
|
e871d37044 | ||
|
|
e32ee71bea | ||
|
|
3bc8823e54 | ||
|
|
a4b9dfaf1c | ||
|
|
c7c85ac676 | ||
|
|
1af445a390 | ||
|
|
4236a2e6f7 | ||
|
|
47e58942f8 | ||
|
|
f854ed50d6 | ||
|
|
2933a173a2 | ||
|
|
39c45cd329 | ||
|
|
93e6473828 | ||
|
|
2cf96bef52 | ||
|
|
3850ef4355 | ||
|
|
d29f989c22 | ||
|
|
0e31d503d0 | ||
|
|
8c2d552238 | ||
|
|
1b6cb61f8a | ||
|
|
b6e0fa9085 | ||
|
|
1f983d502e | ||
|
|
13637be1aa | ||
|
|
8f22740e07 | ||
|
|
03d5cc7521 | ||
|
|
c9f9e2b97d | ||
|
|
8ca4ede403 | ||
|
|
b50be86615 | ||
|
|
fe1a8f4425 | ||
|
|
dd472c1322 | ||
|
|
a636adec10 | ||
|
|
e3960445ae | ||
|
|
c631b7cd8a | ||
|
|
bb2bf12808 | ||
|
|
db95dfe208 | ||
|
|
86d052e51e | ||
|
|
fb55b9db17 | ||
|
|
ad3ad81c1e | ||
|
|
dccb84ded8 | ||
|
|
510c693871 | ||
|
|
8696df12ac | ||
|
|
d56e0b0eba | ||
|
|
29d77b2f2c | ||
|
|
4e131cd059 | ||
|
|
4c1f3948a3 | ||
|
|
c40ff67704 | ||
|
|
af6ac8bd4f | ||
|
|
70211a8407 | ||
|
|
4d6b83425b | ||
|
|
985396aaf9 | ||
|
|
d86c14d3a6 | ||
|
|
3bdb3a6b87 | ||
|
|
8dac57d4cf | ||
|
|
a91e7b9ed0 | ||
|
|
220b2c9a2a | ||
|
|
06bc8ed4a4 | ||
|
|
648863d21b | ||
|
|
3232e60467 | ||
|
|
da81ea4e57 | ||
|
|
42baec7c72 | ||
|
|
1accdfe2e6 | ||
|
|
f625653b30 | ||
|
|
2682187fa3 | ||
|
|
090f3fafa9 | ||
|
|
de81ed0c61 | ||
|
|
49465888b2 | ||
|
|
1555185d60 | ||
|
|
e5235bd714 | ||
|
|
1b4fe6135f | ||
|
|
9481b29d6b | ||
|
|
20115e6557 | ||
|
|
ee47136fb4 | ||
|
|
83dece68fc | ||
|
|
fce7083e28 | ||
|
|
5268375153 | ||
|
|
3598f59123 | ||
|
|
557f491a7e | ||
|
|
5aa876da72 | ||
|
|
7e7a66595b | ||
|
|
c429bdf139 | ||
|
|
22d22f3afa | ||
|
|
f5845908b9 | ||
|
|
138ce1c69a | ||
|
|
8366ec5831 | ||
|
|
383f0a7f43 | ||
|
|
22e5a5cafd | ||
|
|
8d6255aa55 | ||
|
|
8fd6f7add9 | ||
|
|
623c2cb9f1 | ||
|
|
259e87442d | ||
|
|
8655e025a2 | ||
|
|
aba2a9f504 | ||
|
|
9aa76bd088 | ||
|
|
10faef62fa | ||
|
|
6b291a5ce5 | ||
|
|
164f1dcfd4 | ||
|
|
b7d6d027d3 | ||
|
|
c4869f1917 | ||
|
|
79c31b5f54 | ||
|
|
89e99219d7 | ||
|
|
a9b6c68ce3 | ||
|
|
0563077fb9 | ||
|
|
e2f174e92e | ||
|
|
861bdb47ed | ||
|
|
9f9e2d12c4 | ||
|
|
03f504cadc | ||
|
|
182c7e827b | ||
|
|
61e0cfc979 | ||
|
|
3ea3f01394 | ||
|
|
fc5b8ca1e5 | ||
|
|
5d67b2f9dc | ||
|
|
bcf4fd9e93 | ||
|
|
5b5faad553 | ||
|
|
5299261d18 | ||
|
|
f852851886 | ||
|
|
20a4d9adb8 | ||
|
|
13997cd282 | ||
|
|
965429296b | ||
|
|
d9750ce4dc | ||
|
|
d0fb41e582 | ||
|
|
f7a83d5a60 | ||
|
|
fc52462df4 | ||
|
|
119804794f | ||
|
|
f23bd0b268 | ||
|
|
d6f61b4faf | ||
|
|
4e4b7a1c39 | ||
|
|
376bfb6799 | ||
|
|
12bdba9a9c | ||
|
|
33fa1e1350 | ||
|
|
94e1a4f793 | ||
|
|
2603d960b7 | ||
|
|
b8433c4ea7 | ||
|
|
fc30aeea61 | ||
|
|
01d6e1f14d | ||
|
|
3b4a65deaa | ||
|
|
2ec5ec78a9 | ||
|
|
6b416b8494 | ||
|
|
eac470e081 | ||
|
|
34ce50b7b5 | ||
|
|
6d85e7cdf7 | ||
|
|
23a47a6f63 | ||
|
|
d2bfcc6f0e | ||
|
|
7495392aa2 | ||
|
|
c4ddf84ba8 | ||
|
|
aad6c28e4d | ||
|
|
2bd03dada4 | ||
|
|
5fab16ad06 | ||
|
|
6a4d1ed44d | ||
|
|
db22159a89 | ||
|
|
029e0e5044 | ||
|
|
3f1ee0b1b8 | ||
|
|
8009794cca | ||
|
|
12ce96d802 | ||
|
|
53bd62b236 | ||
|
|
cd7362c654 | ||
|
|
788b5633cb | ||
|
|
46d106e6e2 | ||
|
|
8ffb91022e | ||
|
|
57c09d1772 | ||
|
|
0731ed2c7a | ||
|
|
19ecb67f2d | ||
|
|
d16123c276 | ||
|
|
f90b168fdd | ||
|
|
09f416efdf | ||
|
|
05f40f3451 | ||
|
|
d81206fe2e | ||
|
|
f166ef9313 | ||
|
|
14704f9b4d | ||
|
|
8381daeeb7 | ||
|
|
164ed75af2 | ||
|
|
1f7c64e279 | ||
|
|
a76bf03bc9 | ||
|
|
e50d7f7b95 | ||
|
|
45b1327c58 | ||
|
|
fe60421731 | ||
|
|
0404fe9044 | ||
|
|
8cf6c59ec7 | ||
|
|
7b817ff866 | ||
|
|
f087f70a2c | ||
|
|
b05752f430 | ||
|
|
c4cde366e8 | ||
|
|
33249fad21 | ||
|
|
f0dd28d4db | ||
|
|
c0e35aa9fa | ||
|
|
1fd633a23b | ||
|
|
9a65e26e71 | ||
|
|
f22cabc32a | ||
|
|
b97d57f00b | ||
|
|
5db3544683 | ||
|
|
96eee95596 | ||
|
|
ffb3243bb6 | ||
|
|
09f07902ef | ||
|
|
43583bbc2e | ||
|
|
2ebc713cbb | ||
|
|
65ecc0f3bb | ||
|
|
ebabc1117e | ||
|
|
672e59e657 | ||
|
|
882e11f558 | ||
|
|
1cd5acb972 | ||
|
|
464a6efd28 | ||
|
|
18c3c1f475 | ||
|
|
52de46aeb3 | ||
|
|
b80d088254 | ||
|
|
7d0d85aeb7 | ||
|
|
d19ef8322e | ||
|
|
840b4d7619 | ||
|
|
e4a36545d7 | ||
|
|
31fbc7389b | ||
|
|
19ec936d38 | ||
|
|
939c67d41c | ||
|
|
9614e4f115 | ||
|
|
c48150a792 | ||
|
|
60687502d1 | ||
|
|
2fab58759e | ||
|
|
a42c586bb2 | ||
|
|
a6b76b3494 | ||
|
|
a6eaf7fc84 | ||
|
|
97ba9b42eb | ||
|
|
e0a71f0373 | ||
|
|
b8875d7f1c | ||
|
|
67dfd9a942 | ||
|
|
db46b03d0c | ||
|
|
5672c86905 | ||
|
|
d5406270a5 | ||
|
|
0b3f5e408b | ||
|
|
2ce432ac77 | ||
|
|
6cb26b3fbb | ||
|
|
a9b5949191 | ||
|
|
6016370515 | ||
|
|
f3c026f278 | ||
|
|
8f218bd6d6 | ||
|
|
59fd89bf68 | ||
|
|
d27a6235f0 | ||
|
|
c23febbcf0 | ||
|
|
81e85a4d0d | ||
|
|
44ba1bc85b | ||
|
|
6244fe5a93 | ||
|
|
973335db56 | ||
|
|
4b2c4f88d3 | ||
|
|
bbd2ca0d68 | ||
|
|
a82c225841 | ||
|
|
f9a6852aaa | ||
|
|
fad704b692 | ||
|
|
e362632477 | ||
|
|
4558b49c1b | ||
|
|
4357d8788a | ||
|
|
78b7c24c15 | ||
|
|
127e9e9f74 | ||
|
|
1951ae1cce | ||
|
|
79e2fd4b52 | ||
|
|
2265a2c43d | ||
|
|
1e7e543ab0 | ||
|
|
9671a73bd6 | ||
|
|
5bbee94d68 | ||
|
|
9d7122d69c | ||
|
|
6b1270a4f9 | ||
|
|
3c8de2be3f | ||
|
|
5afb5f0e83 | ||
|
|
7f42d0df40 | ||
|
|
0df54c9021 | ||
|
|
41bc33f4ba | ||
|
|
dcc883fa27 | ||
|
|
492c5d01bf | ||
|
|
49eaca1290 | ||
|
|
ce43b586ad | ||
|
|
ae49cd6a26 | ||
|
|
6ad3897af8 | ||
|
|
53ddb067ea | ||
|
|
a9762170bc | ||
|
|
4d91403fd2 | ||
|
|
e1cd4a63d0 | ||
|
|
18f3874dab | ||
|
|
6efcee500d | ||
|
|
8c0532f363 | ||
|
|
fdb0d07ab8 | ||
|
|
58e30649a3 | ||
|
|
85feef3a60 | ||
|
|
fccd913a8a | ||
|
|
dd119edafe | ||
|
|
f6633fb16c | ||
|
|
d243bf4f48 | ||
|
|
92d306f777 | ||
|
|
0ea29b3d7c | ||
|
|
c8e6e8eb32 | ||
|
|
a6aae6292e | ||
|
|
e33100b075 | ||
|
|
84a229d286 | ||
|
|
ab32c42487 | ||
|
|
0dc3744859 | ||
|
|
d22eab4155 | ||
|
|
ea9bfec3c9 | ||
|
|
02b43a5d66 | ||
|
|
e0fc7952f4 | ||
|
|
66ec2c5d27 | ||
|
|
f5a78402a6 | ||
|
|
29bfd7325d | ||
|
|
318962c01f | ||
|
|
8ca49fafa1 | ||
|
|
656e783894 | ||
|
|
18c6d60a85 | ||
|
|
b202121c21 | ||
|
|
ea3672dd08 | ||
|
|
88037af7ef | ||
|
|
4bda5b619d | ||
|
|
a0645ea30f | ||
|
|
a3e4adb0af | ||
|
|
e18aedfabf | ||
|
|
44529a78d2 | ||
|
|
bb9025364b | ||
|
|
7c78283b46 | ||
|
|
f7d6ca5c11 | ||
|
|
172a341b40 | ||
|
|
09aef67808 | ||
|
|
a400312d3a | ||
|
|
1b01b35b03 | ||
|
|
2d0acaa8ae | ||
|
|
a31a73320b | ||
|
|
75da352806 | ||
|
|
61b0c9b1c1 | ||
|
|
2185fe0f4c | ||
|
|
4ee0977aa1 | ||
|
|
1ba44771bb | ||
|
|
9966eec1df | ||
|
|
dd444f5f76 | ||
|
|
a0a6089057 | ||
|
|
4be72fc989 | ||
|
|
033cbf696a | ||
|
|
805bc85ea9 | ||
|
|
0d057d500e | ||
|
|
7462500e20 | ||
|
|
3e06a4a7c5 | ||
|
|
e0684ab086 | ||
|
|
e7be883e2e | ||
|
|
8fe80a4507 | ||
|
|
68084c4567 | ||
|
|
9c27545f5f | ||
|
|
6da8af7680 | ||
|
|
1b7ce93623 | ||
|
|
5f6480527e | ||
|
|
4d7b4ce877 | ||
|
|
fd61f7d363 | ||
|
|
47cc3d7358 | ||
|
|
d180618634 | ||
|
|
b2b96426d7 | ||
|
|
5796d4b969 | ||
|
|
37957613df | ||
|
|
cb82f02eb4 | ||
|
|
3feccefee8 | ||
|
|
910b1dca85 | ||
|
|
d71c6f055b | ||
|
|
536f373b91 | ||
|
|
6987845228 | ||
|
|
2edd2bf763 | ||
|
|
2605761d76 | ||
|
|
391d261ca1 | ||
|
|
6a7531f1e6 | ||
|
|
fb294e8bea | ||
|
|
a1046488c3 | ||
|
|
8cef56265c | ||
|
|
ec30851247 | ||
|
|
7420c12b89 | ||
|
|
895c770c24 | ||
|
|
606070f449 | ||
|
|
ec41493d91 | ||
|
|
d551093199 | ||
|
|
f7f8b2da62 | ||
|
|
1378b630a6 | ||
|
|
9726d86ab0 | ||
|
|
c9364e7b94 | ||
|
|
1e6780a2e3 | ||
|
|
72855d4d7a | ||
|
|
c0359da930 | ||
|
|
b4f39b0bfc | ||
|
|
d7af145f3b | ||
|
|
b078d8477e | ||
|
|
02b64e1a4b | ||
|
|
f444825e42 | ||
|
|
9fa62ef388 | ||
|
|
e73ad07836 | ||
|
|
a680e79686 | ||
|
|
728c05262c | ||
|
|
23e08c1ca1 | ||
|
|
198d73acfa | ||
|
|
71e210b66c | ||
|
|
2f31c53fd4 | ||
|
|
9f661535e0 | ||
|
|
5b0d4bf8e6 | ||
|
|
a639264149 | ||
|
|
91ab257eb6 | ||
|
|
e24a62d621 | ||
|
|
ec9f4b2b61 | ||
|
|
b66c7da4b3 | ||
|
|
6544cc98d5 | ||
|
|
2dbef9e1fa | ||
|
|
a924e81adb | ||
|
|
1ded1b603e | ||
|
|
a3012a29c2 | ||
|
|
8fcd800aff | ||
|
|
4d414ea082 | ||
|
|
d5b2380bc2 | ||
|
|
d2853fafa9 | ||
|
|
0e5a207c44 | ||
|
|
d7744537ae | ||
|
|
9e79e9efb6 | ||
|
|
a04338d184 | ||
|
|
772b0ca2b0 | ||
|
|
13eb2b75d5 | ||
|
|
c800440e44 | ||
|
|
05f822380c | ||
|
|
7896c81e98 | ||
|
|
ea50569b2a | ||
|
|
7bce07aa0e | ||
|
|
5ef02290dd | ||
|
|
34d5ba7d35 | ||
|
|
55004e7832 | ||
|
|
4945446171 | ||
|
|
0e2d2408ca | ||
|
|
8b8707c36e | ||
|
|
3bd9caf113 | ||
|
|
f713a83abf | ||
|
|
b0e0f8c8bf | ||
|
|
c8623fd3a2 | ||
|
|
c6aad2c2d4 | ||
|
|
7ede87753b | ||
|
|
59bed5a0fa | ||
|
|
e59377d9a3 | ||
|
|
6274cfce4b | ||
|
|
9d624702f6 | ||
|
|
f9d8ff3f74 | ||
|
|
6c837f0639 | ||
|
|
03c9ce3589 | ||
|
|
1ac7cdacb0 | ||
|
|
ba93be1814 | ||
|
|
1404bbab9f | ||
|
|
a5f8ed6378 | ||
|
|
1b59212003 | ||
|
|
4142901dc6 | ||
|
|
4ba9431e6f | ||
|
|
5da83517a8 | ||
|
|
a7e95c2a4d | ||
|
|
ae7fbbb04f | ||
|
|
cc18ef9aa8 | ||
|
|
4202e8a7ba | ||
|
|
882ff8a325 | ||
|
|
1b29957731 | ||
|
|
5702543bc5 | ||
|
|
c810f0647a | ||
|
|
d366b67bee | ||
|
|
85286b3cf9 | ||
|
|
ae4b5464c7 | ||
|
|
dec2536e3e | ||
|
|
30ea512dcc | ||
|
|
f6cdf34b25 | ||
|
|
99818d038b | ||
|
|
c35ce8e195 | ||
|
|
2ae856b0dd | ||
|
|
e592598990 | ||
|
|
07af34fbd0 | ||
|
|
0b3e313260 | ||
|
|
21947de4e0 | ||
|
|
3cdd0baabb | ||
|
|
f851e62330 | ||
|
|
bea19ad8ce | ||
|
|
f5b48f5390 | ||
|
|
cc712b86d5 | ||
|
|
0cf6cfc2b0 | ||
|
|
6f19360da5 | ||
|
|
f216b4716f | ||
|
|
3bf638f7c6 | ||
|
|
5ec9a24c99 | ||
|
|
23caa1d0b5 | ||
|
|
36ecf7c7fd | ||
|
|
0027e75a45 | ||
|
|
4cd759bfa6 | ||
|
|
0f2752220a | ||
|
|
ce1ed46851 | ||
|
|
aa795ee7eb | ||
|
|
5c83671739 | ||
|
|
3fb9390040 | ||
|
|
965687186c | ||
|
|
83742437d6 | ||
|
|
a37e53769c | ||
|
|
084a389a02 | ||
|
|
7971c42814 | ||
|
|
c694461abc |
@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
|
||||
<parent>
|
||||
<groupId>org.owasp</groupId>
|
||||
<artifactId>dependency-check-parent</artifactId>
|
||||
<version>1.2.6</version>
|
||||
<version>1.2.9</version>
|
||||
</parent>
|
||||
|
||||
<artifactId>dependency-check-ant</artifactId>
|
||||
@@ -68,7 +68,6 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-resources-plugin</artifactId>
|
||||
<version>2.6</version>
|
||||
<configuration>
|
||||
<escapeWindowsPaths>false</escapeWindowsPaths>
|
||||
</configuration>
|
||||
@@ -191,10 +190,18 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
|
||||
</execution>
|
||||
</executions>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-compiler-plugin</artifactId>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-jar-plugin</artifactId>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-shade-plugin</artifactId>
|
||||
<version>2.1</version>
|
||||
<version>2.3</version>
|
||||
<configuration>
|
||||
<transformers>
|
||||
<transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer" />
|
||||
@@ -218,29 +225,13 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
|
||||
</execution>
|
||||
</executions>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-jar-plugin</artifactId>
|
||||
<version>2.4</version>
|
||||
<configuration>
|
||||
<archive>
|
||||
<manifest>
|
||||
<addDefaultImplementationEntries>true</addDefaultImplementationEntries>
|
||||
</manifest>
|
||||
</archive>
|
||||
<excludes>
|
||||
<exclude>**/checkstyle*</exclude>
|
||||
</excludes>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>cobertura-maven-plugin</artifactId>
|
||||
<version>2.6</version>
|
||||
<configuration>
|
||||
<instrumentation>
|
||||
<!--instrumentation>
|
||||
<ignoreTrivial>true</ignoreTrivial>
|
||||
</instrumentation>
|
||||
</instrumentation-->
|
||||
<check>
|
||||
<branchRate>85</branchRate>
|
||||
<lineRate>85</lineRate>
|
||||
@@ -269,7 +260,6 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-surefire-plugin</artifactId>
|
||||
<version>2.16</version>
|
||||
<configuration>
|
||||
<systemProperties>
|
||||
<property>
|
||||
@@ -279,162 +269,139 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
|
||||
</systemProperties>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-compiler-plugin</artifactId>
|
||||
<version>3.1</version>
|
||||
<configuration>
|
||||
<showDeprecation>false</showDeprecation>
|
||||
<source>1.6</source>
|
||||
<target>1.6</target>
|
||||
</configuration>
|
||||
</plugin>
|
||||
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-site-plugin</artifactId>
|
||||
<version>3.3</version>
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>org.apache.maven.doxia</groupId>
|
||||
<artifactId>doxia-module-markdown</artifactId>
|
||||
<version>1.5</version>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
<configuration>
|
||||
<skipDeploy>true</skipDeploy>
|
||||
<reportPlugins>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-project-info-reports-plugin</artifactId>
|
||||
<version>2.7</version>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<reports>
|
||||
<report>index</report>
|
||||
<report>summary</report>
|
||||
<report>license</report>
|
||||
<report>help</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-javadoc-plugin</artifactId>
|
||||
<version>2.9.1</version>
|
||||
<configuration>
|
||||
<bottom>Copyright© 2012-14 Jeremy Long. All Rights Reserved.</bottom>
|
||||
</configuration>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<id>default</id>
|
||||
<reports>
|
||||
<report>javadoc</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>versions-maven-plugin</artifactId>
|
||||
<version>2.1</version>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<reports>
|
||||
<report>dependency-updates-report</report>
|
||||
<report>plugin-updates-report</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-jxr-plugin</artifactId>
|
||||
<version>2.4</version>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>cobertura-maven-plugin</artifactId>
|
||||
<version>2.6</version>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-surefire-report-plugin</artifactId>
|
||||
<version>2.16</version>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<reports>
|
||||
<report>report-only</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>taglist-maven-plugin</artifactId>
|
||||
<version>2.4</version>
|
||||
<configuration>
|
||||
<tagListOptions>
|
||||
<tagClasses>
|
||||
<tagClass>
|
||||
<displayName>Todo Work</displayName>
|
||||
<tags>
|
||||
<tag>
|
||||
<matchString>todo</matchString>
|
||||
<matchType>ignoreCase</matchType>
|
||||
</tag>
|
||||
<tag>
|
||||
<matchString>FIXME</matchString>
|
||||
<matchType>exact</matchType>
|
||||
</tag>
|
||||
</tags>
|
||||
</tagClass>
|
||||
</tagClasses>
|
||||
</tagListOptions>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-checkstyle-plugin</artifactId>
|
||||
<version>2.11</version>
|
||||
<configuration>
|
||||
<enableRulesSummary>false</enableRulesSummary>
|
||||
<configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
|
||||
<headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
|
||||
<suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
|
||||
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-pmd-plugin</artifactId>
|
||||
<version>3.0.1</version>
|
||||
<configuration>
|
||||
<targetJdk>1.6</targetJdk>
|
||||
<linkXref>true</linkXref>
|
||||
<sourceEncoding>utf-8</sourceEncoding>
|
||||
<excludes>
|
||||
<exclude>**/generated/*.java</exclude>
|
||||
</excludes>
|
||||
<rulesets>
|
||||
<ruleset>../src/main/config/dcrules.xml</ruleset>
|
||||
<ruleset>/rulesets/java/basic.xml</ruleset>
|
||||
<ruleset>/rulesets/java/imports.xml</ruleset>
|
||||
<ruleset>/rulesets/java/unusedcode.xml</ruleset>
|
||||
</rulesets>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>findbugs-maven-plugin</artifactId>
|
||||
<version>2.5.3</version>
|
||||
</plugin>
|
||||
</reportPlugins>
|
||||
</configuration>
|
||||
</plugin>
|
||||
</plugins>
|
||||
</build>
|
||||
<reporting>
|
||||
<plugins>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-project-info-reports-plugin</artifactId>
|
||||
<version>2.7</version>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<reports>
|
||||
<report>index</report>
|
||||
<report>summary</report>
|
||||
<report>license</report>
|
||||
<report>help</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-javadoc-plugin</artifactId>
|
||||
<version>2.9.1</version>
|
||||
<configuration>
|
||||
<bottom>Copyright© 2012-15 Jeremy Long. All Rights Reserved.</bottom>
|
||||
</configuration>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<id>default</id>
|
||||
<reports>
|
||||
<report>javadoc</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>versions-maven-plugin</artifactId>
|
||||
<version>2.1</version>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<reports>
|
||||
<report>dependency-updates-report</report>
|
||||
<report>plugin-updates-report</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-jxr-plugin</artifactId>
|
||||
<version>2.4</version>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>cobertura-maven-plugin</artifactId>
|
||||
<version>2.6</version>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-surefire-report-plugin</artifactId>
|
||||
<version>2.16</version>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<reports>
|
||||
<report>report-only</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>taglist-maven-plugin</artifactId>
|
||||
<version>2.4</version>
|
||||
<configuration>
|
||||
<tagListOptions>
|
||||
<tagClasses>
|
||||
<tagClass>
|
||||
<displayName>Todo Work</displayName>
|
||||
<tags>
|
||||
<tag>
|
||||
<matchString>todo</matchString>
|
||||
<matchType>ignoreCase</matchType>
|
||||
</tag>
|
||||
<tag>
|
||||
<matchString>FIXME</matchString>
|
||||
<matchType>exact</matchType>
|
||||
</tag>
|
||||
</tags>
|
||||
</tagClass>
|
||||
</tagClasses>
|
||||
</tagListOptions>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-checkstyle-plugin</artifactId>
|
||||
<version>2.11</version>
|
||||
<configuration>
|
||||
<enableRulesSummary>false</enableRulesSummary>
|
||||
<enableFilesSummary>false</enableFilesSummary>
|
||||
<configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
|
||||
<headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
|
||||
<suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
|
||||
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-pmd-plugin</artifactId>
|
||||
<version>3.0.1</version>
|
||||
<configuration>
|
||||
<targetJdk>1.6</targetJdk>
|
||||
<linkXref>true</linkXref>
|
||||
<sourceEncoding>utf-8</sourceEncoding>
|
||||
<excludes>
|
||||
<exclude>**/generated/*.java</exclude>
|
||||
</excludes>
|
||||
<rulesets>
|
||||
<ruleset>../src/main/config/dcrules.xml</ruleset>
|
||||
<ruleset>/rulesets/java/basic.xml</ruleset>
|
||||
<ruleset>/rulesets/java/imports.xml</ruleset>
|
||||
<ruleset>/rulesets/java/unusedcode.xml</ruleset>
|
||||
</rulesets>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>findbugs-maven-plugin</artifactId>
|
||||
<version>2.5.3</version>
|
||||
</plugin>
|
||||
</plugins>
|
||||
</reporting>
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>org.owasp</groupId>
|
||||
@@ -456,12 +423,12 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
|
||||
<dependency>
|
||||
<groupId>org.apache.ant</groupId>
|
||||
<artifactId>ant</artifactId>
|
||||
<version>1.9.3</version>
|
||||
<version>1.9.4</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.apache.ant</groupId>
|
||||
<artifactId>ant-testutil</artifactId>
|
||||
<version>1.9.3</version>
|
||||
<version>1.9.4</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
|
||||
@@ -98,8 +98,8 @@ public class DependencyCheckTask extends Task {
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the path. If the path has not been initialized yet, this class is synchronized, and will instantiate the
|
||||
* path object.
|
||||
* Returns the path. If the path has not been initialized yet, this class is synchronized, and will instantiate the path
|
||||
* object.
|
||||
*
|
||||
* @return the path
|
||||
*/
|
||||
@@ -215,9 +215,9 @@ public class DependencyCheckTask extends Task {
|
||||
this.reportOutputDirectory = reportOutputDirectory;
|
||||
}
|
||||
/**
|
||||
* Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11
|
||||
* which means since the CVSS scores are 0-10, by default the build will never fail and the CVSS score is set to 11.
|
||||
* The valid range for the fail build on CVSS is 0 to 11, where anything above 10 will not cause the build to fail.
|
||||
* Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which
|
||||
* means since the CVSS scores are 0-10, by default the build will never fail and the CVSS score is set to 11. The valid range
|
||||
* for the fail build on CVSS is 0 to 11, where anything above 10 will not cause the build to fail.
|
||||
*/
|
||||
private float failBuildOnCVSS = 11;
|
||||
|
||||
@@ -239,8 +239,8 @@ public class DependencyCheckTask extends Task {
|
||||
this.failBuildOnCVSS = failBuildOnCVSS;
|
||||
}
|
||||
/**
|
||||
* Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to
|
||||
* false. Default is true.
|
||||
* Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. Default
|
||||
* is true.
|
||||
*/
|
||||
private boolean autoUpdate = true;
|
||||
|
||||
@@ -262,8 +262,8 @@ public class DependencyCheckTask extends Task {
|
||||
this.autoUpdate = autoUpdate;
|
||||
}
|
||||
/**
|
||||
* The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this
|
||||
* within the Site plugin unless the externalReport is set to true. Default is HTML.
|
||||
* The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the
|
||||
* Site plugin unless the externalReport is set to true. Default is HTML.
|
||||
*/
|
||||
private String reportFormat = "HTML";
|
||||
|
||||
@@ -322,8 +322,7 @@ public class DependencyCheckTask extends Task {
|
||||
* Set the value of proxyServer.
|
||||
*
|
||||
* @param proxyUrl new value of proxyServer
|
||||
* @deprecated use {@link org.owasp.dependencycheck.taskdefs.DependencyCheckTask#setProxyServer(java.lang.String)}
|
||||
* instead
|
||||
* @deprecated use {@link org.owasp.dependencycheck.taskdefs.DependencyCheckTask#setProxyServer(java.lang.String)} instead
|
||||
*/
|
||||
@Deprecated
|
||||
public void setProxyUrl(String proxyUrl) {
|
||||
@@ -559,6 +558,28 @@ public class DependencyCheckTask extends Task {
|
||||
public void setNuspecAnalyzerEnabled(boolean nuspecAnalyzerEnabled) {
|
||||
this.nuspecAnalyzerEnabled = nuspecAnalyzerEnabled;
|
||||
}
|
||||
/**
|
||||
* Whether or not the central analyzer is enabled.
|
||||
*/
|
||||
private boolean centralAnalyzerEnabled = false;
|
||||
|
||||
/**
|
||||
* Get the value of centralAnalyzerEnabled.
|
||||
*
|
||||
* @return the value of centralAnalyzerEnabled
|
||||
*/
|
||||
public boolean isCentralAnalyzerEnabled() {
|
||||
return centralAnalyzerEnabled;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the value of centralAnalyzerEnabled.
|
||||
*
|
||||
* @param centralAnalyzerEnabled new value of centralAnalyzerEnabled
|
||||
*/
|
||||
public void setCentralAnalyzerEnabled(boolean centralAnalyzerEnabled) {
|
||||
this.centralAnalyzerEnabled = centralAnalyzerEnabled;
|
||||
}
|
||||
|
||||
/**
|
||||
* Whether or not the nexus analyzer is enabled.
|
||||
@@ -742,8 +763,8 @@ public class DependencyCheckTask extends Task {
|
||||
}
|
||||
|
||||
/**
|
||||
* Additional ZIP File extensions to add analyze. This should be a comma-separated list of file extensions to treat
|
||||
* like ZIP files.
|
||||
* Additional ZIP File extensions to add analyze. This should be a comma-separated list of file extensions to treat like ZIP
|
||||
* files.
|
||||
*/
|
||||
private String zipExtensions;
|
||||
|
||||
@@ -958,8 +979,8 @@ public class DependencyCheckTask extends Task {
|
||||
}
|
||||
|
||||
/**
|
||||
* Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system
|
||||
* properties required to change the proxy server, port, and connection timeout.
|
||||
* Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
|
||||
* required to change the proxy server, port, and connection timeout.
|
||||
*/
|
||||
private void populateSettings() {
|
||||
Settings.initialize();
|
||||
@@ -1015,6 +1036,8 @@ public class DependencyCheckTask extends Task {
|
||||
Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
|
||||
//NUSPEC ANALYZER
|
||||
Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
|
||||
//CENTRAL ANALYZER
|
||||
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
|
||||
//NEXUS ANALYZER
|
||||
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
|
||||
if (nexusUrl != null && !nexusUrl.isEmpty()) {
|
||||
|
||||
@@ -50,8 +50,9 @@ Property | Description
|
||||
------------------------|---------------------------------------------------------------------------|------------------
|
||||
archiveAnalyzerEnabled | Sets whether the Archive Analyzer will be used. | true
|
||||
zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. |
|
||||
jarAnalyzer | Sets whether Jar Analyzer will be used. | true
|
||||
nexusAnalyzerEnabled | Sets whether Nexus Analyzer will be used. | true
|
||||
jarAnalyzer | Sets whether the Jar Analyzer will be used. | true
|
||||
centralAnalyzerEnabled | Sets whether the Central Analyzer will be used. **Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).** If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer (see below). | true
|
||||
nexusAnalyzerEnabled | Sets whether Nexus Analyzer will be used. This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. | true
|
||||
nexusUrl | Defines the Nexus Pro URL. If not set the Nexus Analyzer will be disabled. |
|
||||
nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | true
|
||||
nuspecAnalyzerEnabled | Sets whether or not the .NET Nuget Nuspec Analyzer will be used. | true
|
||||
|
||||
@@ -30,6 +30,10 @@ import org.owasp.dependencycheck.utils.Settings;
|
||||
* @author Jeremy Long <jeremy.long@owasp.org>
|
||||
*/
|
||||
public class DependencyCheckTaskTest extends BuildFileTest {
|
||||
//TODO: The use of deprecated class BuildFileTestcan possibly
|
||||
//be replaced with BuildFileRule. However, it currently isn't included in the ant-testutil jar.
|
||||
//This should be fixed in ant-testutil 1.9.5, so we can check back once that has been released.
|
||||
//Reference: http://mail-archives.apache.org/mod_mbox/ant-user/201406.mbox/%3C000001cf87ba$8949b690$9bdd23b0$@de%3E
|
||||
|
||||
@Before
|
||||
@Override
|
||||
|
||||
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
|
||||
<parent>
|
||||
<groupId>org.owasp</groupId>
|
||||
<artifactId>dependency-check-parent</artifactId>
|
||||
<version>1.2.6</version>
|
||||
<version>1.2.9</version>
|
||||
</parent>
|
||||
|
||||
<artifactId>dependency-check-cli</artifactId>
|
||||
@@ -60,27 +60,21 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-jar-plugin</artifactId>
|
||||
<version>2.4</version>
|
||||
<configuration>
|
||||
<archive>
|
||||
<manifest>
|
||||
<mainClass>org.owasp.dependencycheck.App</mainClass>
|
||||
<addDefaultImplementationEntries>true</addDefaultImplementationEntries>
|
||||
</manifest>
|
||||
</archive>
|
||||
<excludes>
|
||||
<exclude>**/checkstyle*</exclude>
|
||||
</excludes>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>cobertura-maven-plugin</artifactId>
|
||||
<version>2.6</version>
|
||||
<configuration>
|
||||
<instrumentation>
|
||||
<!--instrumentation>
|
||||
<ignoreTrivial>true</ignoreTrivial>
|
||||
</instrumentation>
|
||||
</instrumentation-->
|
||||
<check>
|
||||
<branchRate>85</branchRate>
|
||||
<lineRate>85</lineRate>
|
||||
@@ -114,7 +108,6 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-surefire-plugin</artifactId>
|
||||
<version>2.16</version>
|
||||
<configuration>
|
||||
<systemProperties>
|
||||
<property>
|
||||
@@ -133,160 +126,10 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-compiler-plugin</artifactId>
|
||||
<version>3.1</version>
|
||||
<configuration>
|
||||
<showDeprecation>false</showDeprecation>
|
||||
<source>1.6</source>
|
||||
<target>1.6</target>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-site-plugin</artifactId>
|
||||
<version>3.3</version>
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>org.apache.maven.doxia</groupId>
|
||||
<artifactId>doxia-module-markdown</artifactId>
|
||||
<version>1.5</version>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
<configuration>
|
||||
<skipDeploy>true</skipDeploy>
|
||||
<reportPlugins>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-project-info-reports-plugin</artifactId>
|
||||
<version>2.7</version>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<reports>
|
||||
<report>index</report>
|
||||
<report>summary</report>
|
||||
<report>license</report>
|
||||
<report>help</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-javadoc-plugin</artifactId>
|
||||
<version>2.9.1</version>
|
||||
<configuration>
|
||||
<bottom>Copyright© 2012-14 Jeremy Long. All Rights Reserved.</bottom>
|
||||
</configuration>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<id>default</id>
|
||||
<reports>
|
||||
<report>javadoc</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>versions-maven-plugin</artifactId>
|
||||
<version>2.1</version>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<reports>
|
||||
<report>dependency-updates-report</report>
|
||||
<report>plugin-updates-report</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-jxr-plugin</artifactId>
|
||||
<version>2.4</version>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>cobertura-maven-plugin</artifactId>
|
||||
<version>2.6</version>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-surefire-report-plugin</artifactId>
|
||||
<version>2.16</version>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<reports>
|
||||
<report>report-only</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>taglist-maven-plugin</artifactId>
|
||||
<version>2.4</version>
|
||||
<configuration>
|
||||
<tagListOptions>
|
||||
<tagClasses>
|
||||
<tagClass>
|
||||
<displayName>Todo Work</displayName>
|
||||
<tags>
|
||||
<tag>
|
||||
<matchString>todo</matchString>
|
||||
<matchType>ignoreCase</matchType>
|
||||
</tag>
|
||||
<tag>
|
||||
<matchString>FIXME</matchString>
|
||||
<matchType>exact</matchType>
|
||||
</tag>
|
||||
</tags>
|
||||
</tagClass>
|
||||
</tagClasses>
|
||||
</tagListOptions>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-checkstyle-plugin</artifactId>
|
||||
<version>2.11</version>
|
||||
<configuration>
|
||||
<enableRulesSummary>false</enableRulesSummary>
|
||||
<configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
|
||||
<headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
|
||||
<suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
|
||||
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-pmd-plugin</artifactId>
|
||||
<version>3.1</version>
|
||||
<configuration>
|
||||
<targetJdk>1.6</targetJdk>
|
||||
<linkXref>true</linkXref>
|
||||
<sourceEncoding>utf-8</sourceEncoding>
|
||||
<excludes>
|
||||
<exclude>**/generated/*.java</exclude>
|
||||
</excludes>
|
||||
<rulesets>
|
||||
<ruleset>../src/main/config/dcrules.xml</ruleset>
|
||||
<ruleset>/rulesets/java/basic.xml</ruleset>
|
||||
<ruleset>/rulesets/java/imports.xml</ruleset>
|
||||
<ruleset>/rulesets/java/unusedcode.xml</ruleset>
|
||||
</rulesets>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>findbugs-maven-plugin</artifactId>
|
||||
<version>2.5.3</version>
|
||||
</plugin>
|
||||
</reportPlugins>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>appassembler-maven-plugin</artifactId>
|
||||
<version>1.8.1</version>
|
||||
<configuration>
|
||||
<programs>
|
||||
<program>
|
||||
@@ -332,6 +175,137 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
|
||||
</plugin>
|
||||
</plugins>
|
||||
</build>
|
||||
<reporting>
|
||||
<plugins>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-project-info-reports-plugin</artifactId>
|
||||
<version>2.7</version>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<reports>
|
||||
<report>index</report>
|
||||
<report>summary</report>
|
||||
<report>license</report>
|
||||
<report>help</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-javadoc-plugin</artifactId>
|
||||
<version>2.9.1</version>
|
||||
<configuration>
|
||||
<bottom>Copyright© 2012-15 Jeremy Long. All Rights Reserved.</bottom>
|
||||
</configuration>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<id>default</id>
|
||||
<reports>
|
||||
<report>javadoc</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>versions-maven-plugin</artifactId>
|
||||
<version>2.1</version>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<reports>
|
||||
<report>dependency-updates-report</report>
|
||||
<report>plugin-updates-report</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-jxr-plugin</artifactId>
|
||||
<version>2.4</version>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>cobertura-maven-plugin</artifactId>
|
||||
<version>2.6</version>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-surefire-report-plugin</artifactId>
|
||||
<version>2.16</version>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<reports>
|
||||
<report>report-only</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>taglist-maven-plugin</artifactId>
|
||||
<version>2.4</version>
|
||||
<configuration>
|
||||
<tagListOptions>
|
||||
<tagClasses>
|
||||
<tagClass>
|
||||
<displayName>Todo Work</displayName>
|
||||
<tags>
|
||||
<tag>
|
||||
<matchString>todo</matchString>
|
||||
<matchType>ignoreCase</matchType>
|
||||
</tag>
|
||||
<tag>
|
||||
<matchString>FIXME</matchString>
|
||||
<matchType>exact</matchType>
|
||||
</tag>
|
||||
</tags>
|
||||
</tagClass>
|
||||
</tagClasses>
|
||||
</tagListOptions>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-checkstyle-plugin</artifactId>
|
||||
<version>2.11</version>
|
||||
<configuration>
|
||||
<enableRulesSummary>false</enableRulesSummary>
|
||||
<enableFilesSummary>false</enableFilesSummary>
|
||||
<configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
|
||||
<headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
|
||||
<suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
|
||||
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-pmd-plugin</artifactId>
|
||||
<version>3.1</version>
|
||||
<configuration>
|
||||
<targetJdk>1.6</targetJdk>
|
||||
<linkXref>true</linkXref>
|
||||
<sourceEncoding>utf-8</sourceEncoding>
|
||||
<excludes>
|
||||
<exclude>**/generated/*.java</exclude>
|
||||
</excludes>
|
||||
<rulesets>
|
||||
<ruleset>../src/main/config/dcrules.xml</ruleset>
|
||||
<ruleset>/rulesets/java/basic.xml</ruleset>
|
||||
<ruleset>/rulesets/java/imports.xml</ruleset>
|
||||
<ruleset>/rulesets/java/unusedcode.xml</ruleset>
|
||||
</rulesets>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>findbugs-maven-plugin</artifactId>
|
||||
<version>2.5.3</version>
|
||||
</plugin>
|
||||
</plugins>
|
||||
</reporting>
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>commons-cli</groupId>
|
||||
|
||||
@@ -233,6 +233,7 @@ public class App {
|
||||
final boolean archiveDisabled = cli.isArchiveDisabled();
|
||||
final boolean assemblyDisabled = cli.isAssemblyDisabled();
|
||||
final boolean nuspecDisabled = cli.isNuspecDisabled();
|
||||
final boolean centralDisabled = cli.isCentralDisabled();
|
||||
final boolean nexusDisabled = cli.isNexusDisabled();
|
||||
final String nexusUrl = cli.getNexusUrl();
|
||||
final String databaseDriverName = cli.getDatabaseDriverName();
|
||||
@@ -298,6 +299,7 @@ public class App {
|
||||
Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, !nuspecDisabled);
|
||||
Settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, !assemblyDisabled);
|
||||
|
||||
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, !centralDisabled);
|
||||
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, !nexusDisabled);
|
||||
if (nexusUrl != null && !nexusUrl.isEmpty()) {
|
||||
Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
|
||||
|
||||
@@ -84,8 +84,8 @@ public final class CliParser {
|
||||
/**
|
||||
* Validates that the command line arguments are valid.
|
||||
*
|
||||
* @throws FileNotFoundException if there is a file specified by either the SCAN or CPE command line arguments that
|
||||
* does not exist.
|
||||
* @throws FileNotFoundException if there is a file specified by either the SCAN or CPE command line arguments that does not
|
||||
* exist.
|
||||
* @throws ParseException is thrown if there is an exception parsing the command line.
|
||||
*/
|
||||
private void validateArgs() throws FileNotFoundException, ParseException {
|
||||
@@ -112,8 +112,8 @@ public final class CliParser {
|
||||
}
|
||||
|
||||
/**
|
||||
* Validates whether or not the path(s) points at a file that exists; if the path(s) does not point to an existing
|
||||
* file a FileNotFoundException is thrown.
|
||||
* Validates whether or not the path(s) points at a file that exists; if the path(s) does not point to an existing file a
|
||||
* FileNotFoundException is thrown.
|
||||
*
|
||||
* @param paths the paths to validate if they exists
|
||||
* @param optType the option being validated (e.g. scan, out, etc.)
|
||||
@@ -139,10 +139,13 @@ public final class CliParser {
|
||||
final String msg = String.format("Invalid '%s' argument: null", argumentName);
|
||||
throw new FileNotFoundException(msg);
|
||||
} else if (!path.contains("*") && !path.contains("?")) {
|
||||
final File f = new File(path);
|
||||
if ("o".equals(argumentName.substring(0, 1).toLowerCase()) && !"ALL".equals(this.getReportFormat().toUpperCase())) {
|
||||
File f = new File(path);
|
||||
if ("o".equalsIgnoreCase(argumentName.substring(0, 1)) && !"ALL".equalsIgnoreCase(this.getReportFormat())) {
|
||||
final String checkPath = path.toLowerCase();
|
||||
if (checkPath.endsWith(".html") || checkPath.endsWith(".xml") || checkPath.endsWith(".htm")) {
|
||||
if (f.getParentFile() == null) {
|
||||
f = new File(".", path);
|
||||
}
|
||||
if (!f.getParentFile().isDirectory()) {
|
||||
isValid = false;
|
||||
final String msg = String.format("Invalid '%s' argument: '%s'", argumentName, path);
|
||||
@@ -254,8 +257,8 @@ public final class CliParser {
|
||||
}
|
||||
|
||||
/**
|
||||
* Adds the advanced command line options to the given options collection. These are split out for purposes of being
|
||||
* able to display two different help messages.
|
||||
* Adds the advanced command line options to the given options collection. These are split out for purposes of being able to
|
||||
* display two different help messages.
|
||||
*
|
||||
* @param options a collection of command line arguments
|
||||
* @throws IllegalArgumentException thrown if there is an exception
|
||||
@@ -320,6 +323,11 @@ public final class CliParser {
|
||||
.withDescription("Disable the .NET Assembly Analyzer.")
|
||||
.create();
|
||||
|
||||
final Option disableCentralAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_CENTRAL)
|
||||
.withDescription("Disable the Central Analyzer. If this analyzer is disabled it is likely you also want to disable "
|
||||
+ "the Nexus Analyzer.")
|
||||
.create();
|
||||
|
||||
final Option disableNexusAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_NEXUS)
|
||||
.withDescription("Disable the Nexus Analyzer.")
|
||||
.create();
|
||||
@@ -357,6 +365,7 @@ public final class CliParser {
|
||||
.addOption(disableArchiveAnalyzer)
|
||||
.addOption(disableAssemblyAnalyzer)
|
||||
.addOption(disableNuspecAnalyzer)
|
||||
.addOption(disableCentralAnalyzer)
|
||||
.addOption(disableNexusAnalyzer)
|
||||
.addOption(nexusUrl)
|
||||
.addOption(nexusUsesProxy)
|
||||
@@ -365,8 +374,8 @@ public final class CliParser {
|
||||
}
|
||||
|
||||
/**
|
||||
* Adds the deprecated command line options to the given options collection. These are split out for purposes of not
|
||||
* including them in the help message. We need to add the deprecated options so as not to break existing scripts.
|
||||
* Adds the deprecated command line options to the given options collection. These are split out for purposes of not including
|
||||
* them in the help message. We need to add the deprecated options so as not to break existing scripts.
|
||||
*
|
||||
* @param options a collection of command line arguments
|
||||
* @throws IllegalArgumentException thrown if there is an exception
|
||||
@@ -453,6 +462,15 @@ public final class CliParser {
|
||||
return (line != null) && line.hasOption(ARGUMENT.DISABLE_NEXUS);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns true if the disableCentral command line argument was specified.
|
||||
*
|
||||
* @return true if the disableCentral command line argument was specified; otherwise false
|
||||
*/
|
||||
public boolean isCentralDisabled() {
|
||||
return (line != null) && line.hasOption(ARGUMENT.DISABLE_CENTRAL);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the url to the nexus server if one was specified.
|
||||
*
|
||||
@@ -467,8 +485,7 @@ public final class CliParser {
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false is
|
||||
* returned.
|
||||
* Returns true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false is returned.
|
||||
*
|
||||
* @return true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false
|
||||
*/
|
||||
@@ -664,14 +681,13 @@ public final class CliParser {
|
||||
*/
|
||||
public void printVersionInfo() {
|
||||
final String version = String.format("%s version %s",
|
||||
Settings.getString("application.name", "DependencyCheck"),
|
||||
Settings.getString("application.version", "Unknown"));
|
||||
Settings.getString(Settings.KEYS.APPLICATION_VAME, "dependency-check"),
|
||||
Settings.getString(Settings.KEYS.APPLICATION_VERSION, "Unknown"));
|
||||
System.out.println(version);
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if the auto update feature has been disabled. If it has been disabled via the command line this will
|
||||
* return false.
|
||||
* Checks if the auto update feature has been disabled. If it has been disabled via the command line this will return false.
|
||||
*
|
||||
* @return if auto-update is allowed.
|
||||
*/
|
||||
@@ -873,6 +889,10 @@ public final class CliParser {
|
||||
* Disables the Nuspec Analyzer.
|
||||
*/
|
||||
public static final String DISABLE_NUSPEC = "disableNuspec";
|
||||
/**
|
||||
* Disables the Central Analyzer.
|
||||
*/
|
||||
public static final String DISABLE_CENTRAL = "disableCentral";
|
||||
/**
|
||||
* Disables the Nexus Analyzer.
|
||||
*/
|
||||
|
||||
@@ -1,17 +1,19 @@
|
||||
/*
|
||||
* Copyright 2014 OWASP.
|
||||
* This file is part of dependency-check-cli.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
|
||||
*/
|
||||
package org.owasp.dependencycheck;
|
||||
|
||||
|
||||
@@ -21,10 +21,12 @@ Advanced Options
|
||||
================
|
||||
Short | Argument Name | Parameter | Description | Default Value
|
||||
-------|-----------------------|-----------------|-----------------------------------------------------------------------------|---------------
|
||||
\-P | \-\-propertyfile | \<file\> | Specifies a file that contains properties to use instead of applicaion defaults. |
|
||||
| \-\-disableArchive | | Sets whether the Archive Analyzer will be used. | false
|
||||
| \-\-zipExtensions | \<strings\> | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. |
|
||||
| \-\-disableJar | | Sets whether Jar Analyzer will be used. | false
|
||||
| \-\-disableNexus | | Sets whether Nexus Analyzer will be used. | false
|
||||
| \-\-disableJar | | Sets whether the Jar Analyzer will be used. | false
|
||||
| \-\-disableCentral | | Sets whether the Central Analyzer will be used. **Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).** If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer. | false
|
||||
| \-\-disableNexus | | Sets whether the Nexus Analyzer will be used. Note, this has been superceded by the Central Analyzer. However, you can configure the Nexus URL to utilize an internally hosted Nexus Pro server. | false
|
||||
| \-\-nexus | \<url\> | The url to the Nexus Pro Server. If not set the Nexus Analyzer will be disabled. |
|
||||
| \-\-nexusUsesProxy | \<true\|false\> | Whether or not the defined proxy should be used when connecting to Nexus. | true
|
||||
| \-\-disableNuspec | | Sets whether or not the .NET Nuget Nuspec Analyzer will be used. | false
|
||||
|
||||
@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
<parent>
|
||||
<groupId>org.owasp</groupId>
|
||||
<artifactId>dependency-check-parent</artifactId>
|
||||
<version>1.2.6</version>
|
||||
<version>1.2.9</version>
|
||||
</parent>
|
||||
|
||||
<artifactId>dependency-check-core</artifactId>
|
||||
@@ -93,7 +93,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-dependency-plugin</artifactId>
|
||||
<version>2.8</version>
|
||||
<executions>
|
||||
<execution>
|
||||
<phase>generate-resources</phase>
|
||||
@@ -110,7 +109,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-jar-plugin</artifactId>
|
||||
<version>2.4</version>
|
||||
<executions>
|
||||
<execution>
|
||||
<id>jar</id>
|
||||
@@ -127,24 +125,13 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
</goals>
|
||||
</execution>
|
||||
</executions>
|
||||
<configuration>
|
||||
<archive>
|
||||
<manifest>
|
||||
<addDefaultImplementationEntries>true</addDefaultImplementationEntries>
|
||||
</manifest>
|
||||
</archive>
|
||||
<excludes>
|
||||
<exclude>**/checkstyle*</exclude>
|
||||
</excludes>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>cobertura-maven-plugin</artifactId>
|
||||
<version>2.6</version>
|
||||
<configuration>
|
||||
<instrumentation>
|
||||
<ignoreTrivial>true</ignoreTrivial>
|
||||
<!--ignoreTrivial>true</ignoreTrivial-->
|
||||
<ignores>
|
||||
<ignore>.*\$KEYS\.class</ignore>
|
||||
<ignore>.*\$Element\.class</ignore>
|
||||
@@ -192,7 +179,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-surefire-plugin</artifactId>
|
||||
<version>2.16</version>
|
||||
<configuration>
|
||||
<systemProperties>
|
||||
<property>
|
||||
@@ -213,201 +199,149 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-failsafe-plugin</artifactId>
|
||||
<version>2.16</version>
|
||||
<configuration>
|
||||
<systemProperties>
|
||||
<property>
|
||||
<name>data.directory</name>
|
||||
<value>${project.build.directory}/data</value>
|
||||
</property>
|
||||
<property>
|
||||
<name>temp.directory</name>
|
||||
<value>${project.build.directory}/temp</value>
|
||||
</property>
|
||||
|
||||
</systemProperties>
|
||||
<includes>
|
||||
<include>**/*IntegrationTest.java</include>
|
||||
</includes>
|
||||
</configuration>
|
||||
<executions>
|
||||
<execution>
|
||||
<goals>
|
||||
<goal>integration-test</goal>
|
||||
<goal>verify</goal>
|
||||
</goals>
|
||||
</execution>
|
||||
</executions>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-site-plugin</artifactId>
|
||||
<version>3.3</version>
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>org.apache.maven.doxia</groupId>
|
||||
<artifactId>doxia-module-markdown</artifactId>
|
||||
<version>1.5</version>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
<configuration>
|
||||
<skipDeploy>true</skipDeploy>
|
||||
<reportPlugins>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-project-info-reports-plugin</artifactId>
|
||||
<version>2.7</version>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<reports>
|
||||
<report>index</report>
|
||||
<report>summary</report>
|
||||
<report>license</report>
|
||||
<report>help</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-javadoc-plugin</artifactId>
|
||||
<version>2.9.1</version>
|
||||
<configuration>
|
||||
<bottom>Copyright© 2012-14 Jeremy Long. All Rights Reserved.</bottom>
|
||||
</configuration>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<id>default</id>
|
||||
<reports>
|
||||
<report>javadoc</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>versions-maven-plugin</artifactId>
|
||||
<version>2.1</version>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<reports>
|
||||
<report>dependency-updates-report</report>
|
||||
<report>plugin-updates-report</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-jxr-plugin</artifactId>
|
||||
<version>2.4</version>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>cobertura-maven-plugin</artifactId>
|
||||
<version>2.6</version>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-surefire-report-plugin</artifactId>
|
||||
<version>2.16</version>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<reports>
|
||||
<report>report-only</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
<reportSet>
|
||||
<id>integration-tests</id>
|
||||
<reports>
|
||||
<report>report-only</report>
|
||||
<report>failsafe-report-only</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>taglist-maven-plugin</artifactId>
|
||||
<version>2.4</version>
|
||||
<configuration>
|
||||
<tagListOptions>
|
||||
<tagClasses>
|
||||
<tagClass>
|
||||
<displayName>Todo Work</displayName>
|
||||
<tags>
|
||||
<tag>
|
||||
<matchString>todo</matchString>
|
||||
<matchType>ignoreCase</matchType>
|
||||
</tag>
|
||||
<tag>
|
||||
<matchString>FIXME</matchString>
|
||||
<matchType>exact</matchType>
|
||||
</tag>
|
||||
</tags>
|
||||
</tagClass>
|
||||
</tagClasses>
|
||||
</tagListOptions>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-checkstyle-plugin</artifactId>
|
||||
<version>2.11</version>
|
||||
<configuration>
|
||||
<enableRulesSummary>false</enableRulesSummary>
|
||||
<configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
|
||||
<headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
|
||||
<suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
|
||||
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-pmd-plugin</artifactId>
|
||||
<version>3.1</version>
|
||||
<configuration>
|
||||
<targetJdk>1.6</targetJdk>
|
||||
<linkXref>true</linkXref>
|
||||
<sourceEncoding>utf-8</sourceEncoding>
|
||||
<excludes>
|
||||
<exclude>**/generated/*.java</exclude>
|
||||
</excludes>
|
||||
<rulesets>
|
||||
<ruleset>../src/main/config/dcrules.xml</ruleset>
|
||||
<ruleset>/rulesets/java/basic.xml</ruleset>
|
||||
<ruleset>/rulesets/java/imports.xml</ruleset>
|
||||
<ruleset>/rulesets/java/unusedcode.xml</ruleset>
|
||||
</rulesets>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>findbugs-maven-plugin</artifactId>
|
||||
<version>2.5.3</version>
|
||||
</plugin>
|
||||
<dependency>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>javancss-maven-plugin</artifactId>
|
||||
<version>2.0</version>
|
||||
</dependency>
|
||||
</reportPlugins>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-compiler-plugin</artifactId>
|
||||
<version>3.1</version>
|
||||
<configuration>
|
||||
<showDeprecation>false</showDeprecation>
|
||||
<compilerArgument>-Xlint:unchecked</compilerArgument>
|
||||
<source>1.6</source>
|
||||
<target>1.6</target>
|
||||
</configuration>
|
||||
</plugin>
|
||||
</plugins>
|
||||
</build>
|
||||
<reporting>
|
||||
<plugins>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-javadoc-plugin</artifactId>
|
||||
<version>2.9.1</version>
|
||||
<configuration>
|
||||
<bottom>Copyright© 2012-15 Jeremy Long. All Rights Reserved.</bottom>
|
||||
</configuration>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<id>default</id>
|
||||
<reports>
|
||||
<report>javadoc</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>versions-maven-plugin</artifactId>
|
||||
<version>2.1</version>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<reports>
|
||||
<report>dependency-updates-report</report>
|
||||
<report>plugin-updates-report</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-jxr-plugin</artifactId>
|
||||
<version>2.4</version>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>cobertura-maven-plugin</artifactId>
|
||||
<version>2.6</version>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-surefire-report-plugin</artifactId>
|
||||
<version>2.16</version>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<reports>
|
||||
<report>report-only</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
<reportSet>
|
||||
<id>integration-tests</id>
|
||||
<reports>
|
||||
<report>report-only</report>
|
||||
<report>failsafe-report-only</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>taglist-maven-plugin</artifactId>
|
||||
<version>2.4</version>
|
||||
<configuration>
|
||||
<tagListOptions>
|
||||
<tagClasses>
|
||||
<tagClass>
|
||||
<displayName>Todo Work</displayName>
|
||||
<tags>
|
||||
<tag>
|
||||
<matchString>todo</matchString>
|
||||
<matchType>ignoreCase</matchType>
|
||||
</tag>
|
||||
<tag>
|
||||
<matchString>FIXME</matchString>
|
||||
<matchType>exact</matchType>
|
||||
</tag>
|
||||
</tags>
|
||||
</tagClass>
|
||||
</tagClasses>
|
||||
</tagListOptions>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-checkstyle-plugin</artifactId>
|
||||
<version>2.11</version>
|
||||
<configuration>
|
||||
<enableRulesSummary>false</enableRulesSummary>
|
||||
<enableFilesSummary>false</enableFilesSummary>
|
||||
<configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
|
||||
<headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
|
||||
<suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
|
||||
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-pmd-plugin</artifactId>
|
||||
<version>3.1</version>
|
||||
<configuration>
|
||||
<targetJdk>1.6</targetJdk>
|
||||
<linkXref>true</linkXref>
|
||||
<sourceEncoding>utf-8</sourceEncoding>
|
||||
<excludes>
|
||||
<exclude>**/generated/*.java</exclude>
|
||||
</excludes>
|
||||
<rulesets>
|
||||
<ruleset>../src/main/config/dcrules.xml</ruleset>
|
||||
<ruleset>/rulesets/java/basic.xml</ruleset>
|
||||
<ruleset>/rulesets/java/imports.xml</ruleset>
|
||||
<ruleset>/rulesets/java/unusedcode.xml</ruleset>
|
||||
</rulesets>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>findbugs-maven-plugin</artifactId>
|
||||
<version>2.5.3</version>
|
||||
</plugin>
|
||||
</plugins>
|
||||
</reporting>
|
||||
<dependencies>
|
||||
<!-- Note, to stay compatible with Jenkins installations only JARs compiled to 1.6 can be used -->
|
||||
<dependency>
|
||||
<groupId>org.owasp</groupId>
|
||||
<artifactId>dependency-check-utils</artifactId>
|
||||
@@ -416,30 +350,24 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
<dependency>
|
||||
<groupId>org.apache.lucene</groupId>
|
||||
<artifactId>lucene-test-framework</artifactId>
|
||||
<version>4.3.1</version>
|
||||
<version>${apache.lucene.version}</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
<!--dependency>
|
||||
<dependency>
|
||||
<groupId>org.jmockit</groupId>
|
||||
<artifactId>jmockit</artifactId>
|
||||
<version>1.12</version>
|
||||
<scope>test</scope>
|
||||
</dependency-->
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>com.google.code.findbugs</groupId>
|
||||
<artifactId>annotations</artifactId>
|
||||
<version>2.0.1</version>
|
||||
<version>3.0.0</version>
|
||||
<optional>true</optional>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>commons-cli</groupId>
|
||||
<artifactId>commons-cli</artifactId>
|
||||
<version>1.2</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.apache.commons</groupId>
|
||||
<artifactId>commons-compress</artifactId>
|
||||
<version>1.8.1</version>
|
||||
<version>1.9</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>commons-io</groupId>
|
||||
@@ -449,22 +377,22 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
<dependency>
|
||||
<groupId>commons-lang</groupId>
|
||||
<artifactId>commons-lang</artifactId>
|
||||
<version>2.5</version>
|
||||
<version>2.6</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.apache.lucene</groupId>
|
||||
<artifactId>lucene-core</artifactId>
|
||||
<version>4.5.1</version>
|
||||
<version>${apache.lucene.version}</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.apache.lucene</groupId>
|
||||
<artifactId>lucene-analyzers-common</artifactId>
|
||||
<version>4.5.1</version>
|
||||
<version>${apache.lucene.version}</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.apache.lucene</groupId>
|
||||
<artifactId>lucene-queryparser</artifactId>
|
||||
<version>4.5.1</version>
|
||||
<version>${apache.lucene.version}</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.apache.velocity</groupId>
|
||||
@@ -474,7 +402,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
<dependency>
|
||||
<groupId>com.h2database</groupId>
|
||||
<artifactId>h2</artifactId>
|
||||
<version>1.3.172</version>
|
||||
<version>1.3.176</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.jsoup</groupId>
|
||||
@@ -606,7 +534,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-surefire-plugin</artifactId>
|
||||
<version>2.16</version>
|
||||
<version>2.18.1</version>
|
||||
<configuration>
|
||||
<skip>true</skip>
|
||||
</configuration>
|
||||
@@ -614,7 +542,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-failsafe-plugin</artifactId>
|
||||
<version>2.16</version>
|
||||
<version>2.18.1</version>
|
||||
<configuration>
|
||||
<systemProperties>
|
||||
<property>
|
||||
@@ -728,8 +656,33 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
<scope>provided</scope>
|
||||
<optional>true</optional>
|
||||
</dependency>
|
||||
|
||||
<dependency>
|
||||
<groupId>com.google.inject</groupId>
|
||||
<artifactId>guice</artifactId>
|
||||
<version>3.0</version>
|
||||
<scope>provided</scope>
|
||||
<optional>true</optional>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.opensaml</groupId>
|
||||
<artifactId>xmltooling</artifactId>
|
||||
<version>1.4.1</version>
|
||||
<scope>provided</scope>
|
||||
<optional>true</optional>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework</groupId>
|
||||
<artifactId>spring-webmvc</artifactId>
|
||||
<version>3.2.12.RELEASE</version>
|
||||
<scope>provided</scope>
|
||||
<optional>true</optional>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
</profile>
|
||||
</profiles>
|
||||
<properties>
|
||||
<!-- new versions of lucene are compiled with JDK 1.7 and cannot be used ubiquitously in Jenkins
|
||||
this, we cannot upgrade beyond 4.7.2 -->
|
||||
<apache.lucene.version>4.7.2</apache.lucene.version>
|
||||
</properties>
|
||||
</project>
|
||||
|
||||
@@ -18,7 +18,6 @@
|
||||
package org.owasp.dependencycheck;
|
||||
|
||||
import java.io.File;
|
||||
import java.io.Serializable;
|
||||
import java.util.ArrayList;
|
||||
import java.util.EnumMap;
|
||||
import java.util.HashSet;
|
||||
@@ -32,8 +31,6 @@ import org.owasp.dependencycheck.analyzer.Analyzer;
|
||||
import org.owasp.dependencycheck.analyzer.AnalyzerService;
|
||||
import org.owasp.dependencycheck.analyzer.FileTypeAnalyzer;
|
||||
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
|
||||
import org.owasp.dependencycheck.data.cpe.CpeMemoryIndex;
|
||||
import org.owasp.dependencycheck.data.cpe.IndexException;
|
||||
import org.owasp.dependencycheck.data.nvdcve.ConnectionFactory;
|
||||
import org.owasp.dependencycheck.data.nvdcve.CveDB;
|
||||
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
|
||||
@@ -53,28 +50,30 @@ import org.owasp.dependencycheck.utils.Settings;
|
||||
*
|
||||
* @author Jeremy Long <jeremy.long@owasp.org>
|
||||
*/
|
||||
public class Engine implements Serializable {
|
||||
public class Engine {
|
||||
|
||||
/**
|
||||
* The list of dependencies.
|
||||
*/
|
||||
private List<Dependency> dependencies;
|
||||
private List<Dependency> dependencies = new ArrayList<Dependency>();
|
||||
/**
|
||||
* A Map of analyzers grouped by Analysis phase.
|
||||
*/
|
||||
private final transient EnumMap<AnalysisPhase, List<Analyzer>> analyzers;
|
||||
private EnumMap<AnalysisPhase, List<Analyzer>> analyzers = new EnumMap<AnalysisPhase, List<Analyzer>>(AnalysisPhase.class);
|
||||
|
||||
/**
|
||||
* A Map of analyzers grouped by Analysis phase.
|
||||
*/
|
||||
private final transient Set<FileTypeAnalyzer> fileTypeAnalyzers;
|
||||
private Set<FileTypeAnalyzer> fileTypeAnalyzers = new HashSet<FileTypeAnalyzer>();
|
||||
|
||||
/**
|
||||
* The ClassLoader to use when dynamically loading Analyzer and Update services.
|
||||
*/
|
||||
private transient ClassLoader serviceClassLoader;
|
||||
private ClassLoader serviceClassLoader = Thread.currentThread().getContextClassLoader();
|
||||
/**
|
||||
* The Logger for use throughout the class.
|
||||
*/
|
||||
private static final transient Logger LOGGER = Logger.getLogger(Engine.class.getName());
|
||||
private static final Logger LOGGER = Logger.getLogger(Engine.class.getName());
|
||||
|
||||
/**
|
||||
* Creates a new Engine.
|
||||
@@ -82,32 +81,27 @@ public class Engine implements Serializable {
|
||||
* @throws DatabaseException thrown if there is an error connecting to the database
|
||||
*/
|
||||
public Engine() throws DatabaseException {
|
||||
this(Thread.currentThread().getContextClassLoader());
|
||||
initializeEngine();
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates a new Engine.
|
||||
*
|
||||
* @param serviceClassLoader a reference the class loader being used
|
||||
* @throws DatabaseException thrown if there is an error connecting to the database
|
||||
*/
|
||||
public Engine(ClassLoader serviceClassLoader) throws DatabaseException {
|
||||
this.serviceClassLoader = serviceClassLoader;
|
||||
initializeEngine();
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates a new Engine using the specified classloader to dynamically load Analyzer and Update services.
|
||||
*
|
||||
* @param serviceClassLoader the ClassLoader to use when dynamically loading Analyzer and Update services
|
||||
* @throws DatabaseException thrown if there is an error connecting to the database
|
||||
*/
|
||||
public Engine(ClassLoader serviceClassLoader) throws DatabaseException {
|
||||
this.dependencies = new ArrayList<Dependency>();
|
||||
this.analyzers = new EnumMap<AnalysisPhase, List<Analyzer>>(AnalysisPhase.class);
|
||||
this.fileTypeAnalyzers = new HashSet<FileTypeAnalyzer>();
|
||||
this.serviceClassLoader = serviceClassLoader;
|
||||
|
||||
protected final void initializeEngine() throws DatabaseException {
|
||||
ConnectionFactory.initialize();
|
||||
|
||||
boolean autoUpdate = true;
|
||||
try {
|
||||
autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
|
||||
} catch (InvalidSettingException ex) {
|
||||
LOGGER.log(Level.FINE, "Invalid setting for auto-update; using true.");
|
||||
}
|
||||
if (autoUpdate) {
|
||||
doUpdates();
|
||||
}
|
||||
loadAnalyzers();
|
||||
}
|
||||
|
||||
@@ -122,7 +116,9 @@ public class Engine implements Serializable {
|
||||
* Loads the analyzers specified in the configuration file (or system properties).
|
||||
*/
|
||||
private void loadAnalyzers() {
|
||||
|
||||
if (!analyzers.isEmpty()) {
|
||||
return;
|
||||
}
|
||||
for (AnalysisPhase phase : AnalysisPhase.values()) {
|
||||
analyzers.put(phase, new ArrayList<Analyzer>());
|
||||
}
|
||||
@@ -157,11 +153,13 @@ public class Engine implements Serializable {
|
||||
return dependencies;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the dependencies.
|
||||
*
|
||||
* @param dependencies the dependencies
|
||||
*/
|
||||
public void setDependencies(List<Dependency> dependencies) {
|
||||
this.dependencies = dependencies;
|
||||
//for (Dependency dependency: dependencies) {
|
||||
// dependencies.add(dependency);
|
||||
//}
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -330,7 +328,7 @@ public class Engine implements Serializable {
|
||||
}
|
||||
} else {
|
||||
final String msg = String.format("No file extension found on file '%s'. The file was not analyzed.", file.toString());
|
||||
LOGGER.log(Level.FINEST, msg);
|
||||
LOGGER.log(Level.FINE, msg);
|
||||
}
|
||||
return dependency;
|
||||
}
|
||||
@@ -339,6 +337,16 @@ public class Engine implements Serializable {
|
||||
* Runs the analyzers against all of the dependencies.
|
||||
*/
|
||||
public void analyzeDependencies() {
|
||||
boolean autoUpdate = true;
|
||||
try {
|
||||
autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
|
||||
} catch (InvalidSettingException ex) {
|
||||
LOGGER.log(Level.FINE, "Invalid setting for auto-update; using true.");
|
||||
}
|
||||
if (autoUpdate) {
|
||||
doUpdates();
|
||||
}
|
||||
|
||||
//need to ensure that data exists
|
||||
try {
|
||||
ensureDataExists();
|
||||
@@ -367,7 +375,7 @@ public class Engine implements Serializable {
|
||||
final List<Analyzer> analyzerList = analyzers.get(phase);
|
||||
|
||||
for (Analyzer a : analyzerList) {
|
||||
initializeAnalyzer(a);
|
||||
a = initializeAnalyzer(a);
|
||||
|
||||
/* need to create a copy of the collection because some of the
|
||||
* analyzers may modify it. This prevents ConcurrentModificationExceptions.
|
||||
@@ -422,8 +430,9 @@ public class Engine implements Serializable {
|
||||
* Initializes the given analyzer.
|
||||
*
|
||||
* @param analyzer the analyzer to initialize
|
||||
* @return the initialized analyzer
|
||||
*/
|
||||
private void initializeAnalyzer(Analyzer analyzer) {
|
||||
protected Analyzer initializeAnalyzer(Analyzer analyzer) {
|
||||
try {
|
||||
final String msg = String.format("Initializing %s", analyzer.getName());
|
||||
LOGGER.log(Level.FINE, msg);
|
||||
@@ -438,6 +447,7 @@ public class Engine implements Serializable {
|
||||
LOGGER.log(Level.FINEST, null, ex1);
|
||||
}
|
||||
}
|
||||
return analyzer;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -445,7 +455,7 @@ public class Engine implements Serializable {
|
||||
*
|
||||
* @param analyzer the analyzer to close
|
||||
*/
|
||||
private void closeAnalyzer(Analyzer analyzer) {
|
||||
protected void closeAnalyzer(Analyzer analyzer) {
|
||||
final String msg = String.format("Closing Analyzer '%s'", analyzer.getName());
|
||||
LOGGER.log(Level.FINE, msg);
|
||||
try {
|
||||
@@ -459,6 +469,7 @@ public class Engine implements Serializable {
|
||||
* Cycles through the cached web data sources and calls update on all of them.
|
||||
*/
|
||||
private void doUpdates() {
|
||||
LOGGER.info("Checking for updates");
|
||||
final UpdateService service = new UpdateService(serviceClassLoader);
|
||||
final Iterator<CachedWebDataSource> iterator = service.getDataSources();
|
||||
while (iterator.hasNext()) {
|
||||
@@ -471,6 +482,7 @@ public class Engine implements Serializable {
|
||||
LOGGER.log(Level.FINE, String.format("Unable to update details for %s", source.getClass().getName()), ex);
|
||||
}
|
||||
}
|
||||
LOGGER.info("Check for updates complete");
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -506,6 +518,15 @@ public class Engine implements Serializable {
|
||||
return scan;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the set of file type analyzers.
|
||||
*
|
||||
* @return the set of file type analyzers
|
||||
*/
|
||||
public Set<FileTypeAnalyzer> getFileTypeAnalyzers() {
|
||||
return this.fileTypeAnalyzers;
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks the CPE Index to ensure documents exists. If none exist a NoDataException is thrown.
|
||||
*
|
||||
@@ -513,22 +534,16 @@ public class Engine implements Serializable {
|
||||
* @throws DatabaseException thrown if there is an exception opening the database
|
||||
*/
|
||||
private void ensureDataExists() throws NoDataException, DatabaseException {
|
||||
final CpeMemoryIndex cpe = CpeMemoryIndex.getInstance();
|
||||
final CveDB cve = new CveDB();
|
||||
|
||||
try {
|
||||
cve.open();
|
||||
cpe.open(cve);
|
||||
} catch (IndexException ex) {
|
||||
throw new NoDataException(ex.getMessage(), ex);
|
||||
if (!cve.dataExists()) {
|
||||
throw new NoDataException("No documents exist");
|
||||
}
|
||||
} catch (DatabaseException ex) {
|
||||
throw new NoDataException(ex.getMessage(), ex);
|
||||
} finally {
|
||||
cve.close();
|
||||
}
|
||||
if (cpe.numDocs() <= 0) {
|
||||
cpe.close();
|
||||
throw new NoDataException("No documents exist");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -440,6 +440,52 @@ public class DependencyCheckScanAgent {
|
||||
this.showSummary = showSummary;
|
||||
}
|
||||
|
||||
/**
|
||||
* Whether or not the Maven Central analyzer is enabled.
|
||||
*/
|
||||
private boolean centralAnalyzerEnabled = true;
|
||||
|
||||
/**
|
||||
* Get the value of centralAnalyzerEnabled.
|
||||
*
|
||||
* @return the value of centralAnalyzerEnabled
|
||||
*/
|
||||
public boolean isCentralAnalyzerEnabled() {
|
||||
return centralAnalyzerEnabled;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the value of centralAnalyzerEnabled.
|
||||
*
|
||||
* @param centralAnalyzerEnabled new value of centralAnalyzerEnabled
|
||||
*/
|
||||
public void setCentralAnalyzerEnabled(boolean centralAnalyzerEnabled) {
|
||||
this.centralAnalyzerEnabled = centralAnalyzerEnabled;
|
||||
}
|
||||
|
||||
/**
|
||||
* The URL of Maven Central.
|
||||
*/
|
||||
private String centralUrl;
|
||||
|
||||
/**
|
||||
* Get the value of centralUrl.
|
||||
*
|
||||
* @return the value of centralUrl
|
||||
*/
|
||||
public String getCentralUrl() {
|
||||
return centralUrl;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the value of centralUrl.
|
||||
*
|
||||
* @param centralUrl new value of centralUrl
|
||||
*/
|
||||
public void setCentralUrl(String centralUrl) {
|
||||
this.centralUrl = centralUrl;
|
||||
}
|
||||
|
||||
/**
|
||||
* Whether or not the nexus analyzer is enabled.
|
||||
*/
|
||||
@@ -849,6 +895,10 @@ public class DependencyCheckScanAgent {
|
||||
if (suppressionFile != null && !suppressionFile.isEmpty()) {
|
||||
Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
|
||||
}
|
||||
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
|
||||
if (centralUrl != null && !centralUrl.isEmpty()) {
|
||||
Settings.setString(Settings.KEYS.ANALYZER_CENTRAL_URL, centralUrl);
|
||||
}
|
||||
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
|
||||
if (nexusUrl != null && !nexusUrl.isEmpty()) {
|
||||
Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
|
||||
|
||||
@@ -41,16 +41,7 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
|
||||
* enabled.
|
||||
*/
|
||||
public AbstractFileTypeAnalyzer() {
|
||||
final String key = getAnalyzerEnabledSettingKey();
|
||||
try {
|
||||
enabled = Settings.getBoolean(key, true);
|
||||
} catch (InvalidSettingException ex) {
|
||||
String msg = String.format("Invalid setting for property '%s'", key);
|
||||
LOGGER.log(Level.WARNING, msg);
|
||||
LOGGER.log(Level.FINE, "", ex);
|
||||
msg = String.format("%s has been disabled", getName());
|
||||
LOGGER.log(Level.WARNING, msg);
|
||||
}
|
||||
reset();
|
||||
}
|
||||
//</editor-fold>
|
||||
|
||||
@@ -164,6 +155,23 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Resets the enabled flag on the analyzer.
|
||||
*/
|
||||
@Override
|
||||
public final void reset() {
|
||||
final String key = getAnalyzerEnabledSettingKey();
|
||||
try {
|
||||
enabled = Settings.getBoolean(key, true);
|
||||
} catch (InvalidSettingException ex) {
|
||||
String msg = String.format("Invalid setting for property '%s'", key);
|
||||
LOGGER.log(Level.WARNING, msg);
|
||||
LOGGER.log(Level.FINE, "", ex);
|
||||
msg = String.format("%s has been disabled", getName());
|
||||
LOGGER.log(Level.WARNING, msg);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted,
|
||||
* scanned, and added to the list of dependencies within the engine.
|
||||
|
||||
@@ -110,7 +110,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
static {
|
||||
final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
|
||||
if (additionalZipExt != null) {
|
||||
final HashSet<String> ext = new HashSet<String>(Arrays.asList(additionalZipExt));
|
||||
final Set<String> ext = new HashSet<String>(Arrays.asList(additionalZipExt));
|
||||
ZIPPABLES.addAll(ext);
|
||||
}
|
||||
EXTENSIONS.addAll(ZIPPABLES);
|
||||
@@ -338,7 +338,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
try {
|
||||
fis.close();
|
||||
} catch (IOException ex) {
|
||||
LOGGER.log(Level.FINEST, null, ex);
|
||||
LOGGER.log(Level.FINE, null, ex);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -367,8 +367,10 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
final File file = new File(destination, entry.getName());
|
||||
final String ext = FileUtils.getFileExtension(file.getName());
|
||||
if (engine.supportsExtension(ext)) {
|
||||
final String extracting = String.format("Extracting '%s'", file.getPath());
|
||||
LOGGER.fine(extracting);
|
||||
BufferedOutputStream bos = null;
|
||||
FileOutputStream fos;
|
||||
FileOutputStream fos = null;
|
||||
try {
|
||||
final File parent = file.getParentFile();
|
||||
if (!parent.isDirectory()) {
|
||||
@@ -380,7 +382,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
fos = new FileOutputStream(file);
|
||||
bos = new BufferedOutputStream(fos, BUFFER_SIZE);
|
||||
int count;
|
||||
final byte data[] = new byte[BUFFER_SIZE];
|
||||
final byte[] data = new byte[BUFFER_SIZE];
|
||||
while ((count = input.read(data, 0, BUFFER_SIZE)) != -1) {
|
||||
bos.write(data, 0, count);
|
||||
}
|
||||
@@ -401,6 +403,13 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
LOGGER.log(Level.FINEST, null, ex);
|
||||
}
|
||||
}
|
||||
if (fos != null) {
|
||||
try {
|
||||
fos.close();
|
||||
} catch (IOException ex) {
|
||||
LOGGER.log(Level.FINEST, null, ex);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -428,6 +437,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
* @throws ArchiveExtractionException thrown if there is an exception decompressing the file
|
||||
*/
|
||||
private void decompressFile(CompressorInputStream inputStream, File outputFile) throws ArchiveExtractionException {
|
||||
final String msg = String.format("Decompressing '%s'", outputFile.getPath());
|
||||
LOGGER.fine(msg);
|
||||
FileOutputStream out = null;
|
||||
try {
|
||||
out = new FileOutputStream(outputFile);
|
||||
|
||||
@@ -120,11 +120,11 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
// Try evacuating the error stream
|
||||
rdr = new BufferedReader(new InputStreamReader(proc.getErrorStream(), "UTF-8"));
|
||||
String line = null;
|
||||
// CheckStyle:VisibilityModifier OFF
|
||||
// CHECKSTYLE:OFF
|
||||
while (rdr.ready() && (line = rdr.readLine()) != null) {
|
||||
LOGGER.log(Level.WARNING, "analyzer.AssemblyAnalyzer.grokassembly.stderr", line);
|
||||
}
|
||||
// CheckStyle:VisibilityModifier ON
|
||||
// CHECKSTYLE:ON
|
||||
int rc = 0;
|
||||
doc = builder.parse(proc.getInputStream());
|
||||
|
||||
@@ -235,11 +235,11 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
final Process p = pb.start();
|
||||
// Try evacuating the error stream
|
||||
rdr = new BufferedReader(new InputStreamReader(p.getErrorStream(), "UTF-8"));
|
||||
// CheckStyle:VisibilityModifier OFF
|
||||
// CHECKSTYLE:OFF
|
||||
while (rdr.ready() && rdr.readLine() != null) {
|
||||
// We expect this to complain
|
||||
}
|
||||
// CheckStyle:VisibilityModifier ON
|
||||
// CHECKSTYLE:ON
|
||||
final Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(p.getInputStream());
|
||||
final XPath xpath = XPathFactory.newInstance().newXPath();
|
||||
final String error = xpath.evaluate("/assembly/error", doc);
|
||||
|
||||
@@ -51,8 +51,8 @@ import org.owasp.dependencycheck.utils.DependencyVersion;
|
||||
import org.owasp.dependencycheck.utils.DependencyVersionUtil;
|
||||
|
||||
/**
|
||||
* CPEAnalyzer is a utility class that takes a project dependency and attempts to discern if there is an associated CPE.
|
||||
* It uses the evidence contained within the dependency to search the Lucene index.
|
||||
* CPEAnalyzer is a utility class that takes a project dependency and attempts to discern if there is an associated CPE. It uses
|
||||
* the evidence contained within the dependency to search the Lucene index.
|
||||
*
|
||||
* @author Jeremy Long <jeremy.long@owasp.org>
|
||||
*/
|
||||
@@ -130,8 +130,8 @@ public class CPEAnalyzer implements Analyzer {
|
||||
* Opens the data source.
|
||||
*
|
||||
* @throws IOException when the Lucene directory to be queried does not exist or is corrupt.
|
||||
* @throws DatabaseException when the database throws an exception. This usually occurs when the database is in use
|
||||
* by another process.
|
||||
* @throws DatabaseException when the database throws an exception. This usually occurs when the database is in use by another
|
||||
* process.
|
||||
*/
|
||||
public void open() throws IOException, DatabaseException {
|
||||
LOGGER.log(Level.FINE, "Opening the CVE Database");
|
||||
@@ -161,8 +161,8 @@ public class CPEAnalyzer implements Analyzer {
|
||||
}
|
||||
|
||||
/**
|
||||
* Searches the data store of CPE entries, trying to identify the CPE for the given dependency based on the evidence
|
||||
* contained within. The dependency passed in is updated with any identified CPE values.
|
||||
* Searches the data store of CPE entries, trying to identify the CPE for the given dependency based on the evidence contained
|
||||
* within. The dependency passed in is updated with any identified CPE values.
|
||||
*
|
||||
* @param dependency the dependency to search for CPE entries on.
|
||||
* @throws CorruptIndexException is thrown when the Lucene index is corrupt.
|
||||
@@ -176,15 +176,12 @@ public class CPEAnalyzer implements Analyzer {
|
||||
for (Confidence confidence : Confidence.values()) {
|
||||
if (dependency.getVendorEvidence().contains(confidence)) {
|
||||
vendors = addEvidenceWithoutDuplicateTerms(vendors, dependency.getVendorEvidence(), confidence);
|
||||
LOGGER.fine(String.format("vendor search: %s", vendors));
|
||||
}
|
||||
if (dependency.getProductEvidence().contains(confidence)) {
|
||||
products = addEvidenceWithoutDuplicateTerms(products, dependency.getProductEvidence(), confidence);
|
||||
LOGGER.fine(String.format("product search: %s", products));
|
||||
}
|
||||
/* bug fix for #40 - version evidence is not showing up as "used" in the reports if there is no
|
||||
* CPE identified. As such, we are "using" the evidence and ignoring the results. */
|
||||
// if (dependency.getVersionEvidence().contains(confidence)) {
|
||||
// addEvidenceWithoutDuplicateTerms("", dependency.getVersionEvidence(), confidence);
|
||||
// }
|
||||
if (!vendors.isEmpty() && !products.isEmpty()) {
|
||||
final List<IndexEntry> entries = searchCPE(vendors, products, dependency.getProductEvidence().getWeighting(),
|
||||
dependency.getVendorEvidence().getWeighting());
|
||||
@@ -193,9 +190,11 @@ public class CPEAnalyzer implements Analyzer {
|
||||
}
|
||||
boolean identifierAdded = false;
|
||||
for (IndexEntry e : entries) {
|
||||
LOGGER.fine(String.format("Verifying entry: %s", e.toString()));
|
||||
if (verifyEntry(e, dependency)) {
|
||||
final String vendor = e.getVendor();
|
||||
final String product = e.getProduct();
|
||||
LOGGER.fine(String.format("identified vendor/product: %s/%s", vendor, product));
|
||||
identifierAdded |= determineIdentifiers(dependency, vendor, product, confidence);
|
||||
}
|
||||
}
|
||||
@@ -207,9 +206,9 @@ public class CPEAnalyzer implements Analyzer {
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the text created by concatenating the text and the values from the EvidenceCollection (filtered for a
|
||||
* specific confidence). This attempts to prevent duplicate terms from being added.<br/<br/> Note, if the evidence
|
||||
* is longer then 200 characters it will be truncated.
|
||||
* Returns the text created by concatenating the text and the values from the EvidenceCollection (filtered for a specific
|
||||
* confidence). This attempts to prevent duplicate terms from being added.<br/<br/> Note, if the evidence is longer then 200
|
||||
* characters it will be truncated.
|
||||
*
|
||||
* @param text the base text.
|
||||
* @param ec an EvidenceCollection
|
||||
@@ -244,8 +243,8 @@ public class CPEAnalyzer implements Analyzer {
|
||||
* version.</p>
|
||||
*
|
||||
* <p>
|
||||
* If either the vendorWeightings or productWeightings lists have been populated this data is used to add weighting
|
||||
* factors to the search.</p>
|
||||
* If either the vendorWeightings or productWeightings lists have been populated this data is used to add weighting factors to
|
||||
* the search.</p>
|
||||
*
|
||||
* @param vendor the text used to search the vendor field
|
||||
* @param product the text used to search the product field
|
||||
@@ -256,7 +255,7 @@ public class CPEAnalyzer implements Analyzer {
|
||||
protected List<IndexEntry> searchCPE(String vendor, String product,
|
||||
Set<String> vendorWeightings, Set<String> productWeightings) {
|
||||
|
||||
final ArrayList<IndexEntry> ret = new ArrayList<IndexEntry>(MAX_QUERY_RESULTS);
|
||||
final List<IndexEntry> ret = new ArrayList<IndexEntry>(MAX_QUERY_RESULTS);
|
||||
|
||||
final String searchString = buildSearch(vendor, product, vendorWeightings, productWeightings);
|
||||
if (searchString == null) {
|
||||
@@ -270,13 +269,6 @@ public class CPEAnalyzer implements Analyzer {
|
||||
final IndexEntry entry = new IndexEntry();
|
||||
entry.setVendor(doc.get(Fields.VENDOR));
|
||||
entry.setProduct(doc.get(Fields.PRODUCT));
|
||||
// if (d.score < 0.08) {
|
||||
// System.out.print(entry.getVendor());
|
||||
// System.out.print(":");
|
||||
// System.out.print(entry.getProduct());
|
||||
// System.out.print(":");
|
||||
// System.out.println(d.score);
|
||||
// }
|
||||
entry.setSearchScore(d.score);
|
||||
if (!ret.contains(entry)) {
|
||||
ret.add(entry);
|
||||
@@ -301,8 +293,8 @@ public class CPEAnalyzer implements Analyzer {
|
||||
* Builds a Lucene search string by properly escaping data and constructing a valid search query.</p>
|
||||
*
|
||||
* <p>
|
||||
* If either the possibleVendor or possibleProducts lists have been populated this data is used to add weighting
|
||||
* factors to the search string generated.</p>
|
||||
* If either the possibleVendor or possibleProducts lists have been populated this data is used to add weighting factors to
|
||||
* the search string generated.</p>
|
||||
*
|
||||
* @param vendor text to search the vendor field
|
||||
* @param product text to search the product field
|
||||
@@ -328,9 +320,8 @@ public class CPEAnalyzer implements Analyzer {
|
||||
}
|
||||
|
||||
/**
|
||||
* This method constructs a Lucene query for a given field. The searchText is split into separate words and if the
|
||||
* word is within the list of weighted words then an additional weighting is applied to the term as it is appended
|
||||
* into the query.
|
||||
* This method constructs a Lucene query for a given field. The searchText is split into separate words and if the word is
|
||||
* within the list of weighted words then an additional weighting is applied to the term as it is appended into the query.
|
||||
*
|
||||
* @param sb a StringBuilder that the query text will be appended to.
|
||||
* @param field the field within the Lucene index that the query is searching.
|
||||
@@ -401,8 +392,8 @@ public class CPEAnalyzer implements Analyzer {
|
||||
}
|
||||
|
||||
/**
|
||||
* Ensures that the CPE Identified matches the dependency. This validates that the product, vendor, and version
|
||||
* information for the CPE are contained within the dependencies evidence.
|
||||
* Ensures that the CPE Identified matches the dependency. This validates that the product, vendor, and version information
|
||||
* for the CPE are contained within the dependencies evidence.
|
||||
*
|
||||
* @param entry a CPE entry.
|
||||
* @param dependency the dependency that the CPE entries could be for.
|
||||
@@ -491,9 +482,9 @@ public class CPEAnalyzer implements Analyzer {
|
||||
}
|
||||
|
||||
/**
|
||||
* Retrieves a list of CPE values from the CveDB based on the vendor and product passed in. The list is then
|
||||
* validated to find only CPEs that are valid for the given dependency. It is possible that the CPE identified is a
|
||||
* best effort "guess" based on the vendor, product, and version information.
|
||||
* Retrieves a list of CPE values from the CveDB based on the vendor and product passed in. The list is then validated to find
|
||||
* only CPEs that are valid for the given dependency. It is possible that the CPE identified is a best effort "guess" based on
|
||||
* the vendor, product, and version information.
|
||||
*
|
||||
* @param dependency the Dependency being analyzed
|
||||
* @param vendor the vendor for the CPE being analyzed
|
||||
@@ -601,8 +592,8 @@ public class CPEAnalyzer implements Analyzer {
|
||||
*/
|
||||
BEST_GUESS,
|
||||
/**
|
||||
* The entire vendor/product group must be added (without a guess at version) because there is a CVE with a VS
|
||||
* that only specifies vendor/product.
|
||||
* The entire vendor/product group must be added (without a guess at version) because there is a CVE with a VS that only
|
||||
* specifies vendor/product.
|
||||
*/
|
||||
BROAD_MATCH
|
||||
}
|
||||
@@ -750,8 +741,7 @@ public class CPEAnalyzer implements Analyzer {
|
||||
//</editor-fold>
|
||||
|
||||
/**
|
||||
* Standard implementation of compareTo that compares identifier confidence, evidence confidence, and then the
|
||||
* identifier.
|
||||
* Standard implementation of compareTo that compares identifier confidence, evidence confidence, and then the identifier.
|
||||
*
|
||||
* @param o the IdentifierMatch to compare to
|
||||
* @return the natural ordering of IdentifierMatch
|
||||
|
||||
@@ -17,6 +17,7 @@
|
||||
*/
|
||||
package org.owasp.dependencycheck.analyzer;
|
||||
|
||||
import java.io.File;
|
||||
import java.io.FileNotFoundException;
|
||||
import java.io.IOException;
|
||||
import java.net.URL;
|
||||
@@ -24,18 +25,23 @@ import java.util.List;
|
||||
import java.util.Set;
|
||||
import java.util.logging.Level;
|
||||
import java.util.logging.Logger;
|
||||
import org.apache.commons.io.FileUtils;
|
||||
import org.owasp.dependencycheck.Engine;
|
||||
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
|
||||
import org.owasp.dependencycheck.data.central.CentralSearch;
|
||||
import org.owasp.dependencycheck.data.nexus.MavenArtifact;
|
||||
import org.owasp.dependencycheck.dependency.Confidence;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.Evidence;
|
||||
import org.owasp.dependencycheck.jaxb.pom.PomUtils;
|
||||
import org.owasp.dependencycheck.utils.DownloadFailedException;
|
||||
import org.owasp.dependencycheck.utils.Downloader;
|
||||
import org.owasp.dependencycheck.utils.InvalidSettingException;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
|
||||
/**
|
||||
* Analyzer which will attempt to locate a dependency, and the GAV information, by querying Central for the dependency's
|
||||
* SHA-1 digest.
|
||||
* Analyzer which will attempt to locate a dependency, and the GAV information, by querying Central for the dependency's SHA-1
|
||||
* digest.
|
||||
*
|
||||
* @author colezlaw
|
||||
*/
|
||||
@@ -62,8 +68,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("jar");
|
||||
|
||||
/**
|
||||
* The analyzer should be disabled if there are errors, so this is a flag to determine if such an error has
|
||||
* occurred.
|
||||
* The analyzer should be disabled if there are errors, so this is a flag to determine if such an error has occurred.
|
||||
*/
|
||||
private boolean errorFlag = false;
|
||||
|
||||
@@ -71,7 +76,10 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
* The searcher itself.
|
||||
*/
|
||||
private CentralSearch searcher;
|
||||
|
||||
/**
|
||||
* Utility to read POM files.
|
||||
*/
|
||||
private PomUtils pomUtil = new PomUtils();
|
||||
/**
|
||||
* Field indicating if the analyzer is enabled.
|
||||
*/
|
||||
@@ -99,7 +107,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
if (Settings.getBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED)) {
|
||||
if (!Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)
|
||||
|| NexusAnalyzer.DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL))) {
|
||||
LOGGER.info("Enabling the Central analyzer");
|
||||
LOGGER.fine("Enabling the Central analyzer");
|
||||
retval = true;
|
||||
} else {
|
||||
LOGGER.info("Nexus analyzer is enabled, disabling the Central Analyzer");
|
||||
@@ -188,6 +196,39 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
for (MavenArtifact ma : mas) {
|
||||
LOGGER.fine(String.format("Central analyzer found artifact (%s) for dependency (%s)", ma.toString(), dependency.getFileName()));
|
||||
dependency.addAsEvidence("central", ma, confidence);
|
||||
boolean pomAnalyzed = false;
|
||||
for (Evidence e : dependency.getVendorEvidence()) {
|
||||
if ("pom".equals(e.getSource())) {
|
||||
pomAnalyzed = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (!pomAnalyzed && ma.getPomUrl() != null) {
|
||||
File pomFile = null;
|
||||
try {
|
||||
final File baseDir = Settings.getTempDirectory();
|
||||
pomFile = File.createTempFile("pom", ".xml", baseDir);
|
||||
if (!pomFile.delete()) {
|
||||
final String msg = String.format("Unable to fetch pom.xml for %s from Central; "
|
||||
+ "this could result in undetected CPE/CVEs.", dependency.getFileName());
|
||||
LOGGER.warning(msg);
|
||||
LOGGER.fine("Unable to delete temp file");
|
||||
}
|
||||
LOGGER.fine(String.format("Downloading %s", ma.getPomUrl()));
|
||||
Downloader.fetchFile(new URL(ma.getPomUrl()), pomFile);
|
||||
pomUtil.analyzePOM(dependency, pomFile);
|
||||
|
||||
} catch (DownloadFailedException ex) {
|
||||
final String msg = String.format("Unable to download pom.xml for %s from Central; "
|
||||
+ "this could result in undetected CPE/CVEs.", dependency.getFileName());
|
||||
LOGGER.warning(msg);
|
||||
} finally {
|
||||
if (pomFile != null && !FileUtils.deleteQuietly(pomFile)) {
|
||||
pomFile.deleteOnExit();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
} catch (IllegalArgumentException iae) {
|
||||
LOGGER.info(String.format("invalid sha1-hash on %s", dependency.getFileName()));
|
||||
@@ -198,4 +239,5 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
errorFlag = true;
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -36,9 +36,9 @@ import org.owasp.dependencycheck.utils.LogUtils;
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* This analyzer ensures dependencies that should be grouped together, to remove excess noise from the report, are
|
||||
* grouped. An example would be Spring, Spring Beans, Spring MVC, etc. If they are all for the same version and have the
|
||||
* same relative path then these should be grouped into a single dependency under the core/main library.</p>
|
||||
* This analyzer ensures dependencies that should be grouped together, to remove excess noise from the report, are grouped. An
|
||||
* example would be Spring, Spring Beans, Spring MVC, etc. If they are all for the same version and have the same relative path
|
||||
* then these should be grouped into a single dependency under the core/main library.</p>
|
||||
* <p>
|
||||
* Note, this grouping only works on dependencies with identified CVE entries</p>
|
||||
*
|
||||
@@ -55,7 +55,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
|
||||
/**
|
||||
* A pattern for obtaining the first part of a filename.
|
||||
*/
|
||||
private static final Pattern STARTING_TEXT_PATTERN = Pattern.compile("^[a-zA-Z]*");
|
||||
private static final Pattern STARTING_TEXT_PATTERN = Pattern.compile("^[a-zA-Z0-9]*");
|
||||
/**
|
||||
* a flag indicating if this analyzer has run. This analyzer only runs once.
|
||||
*/
|
||||
@@ -91,8 +91,8 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
|
||||
//</editor-fold>
|
||||
|
||||
/**
|
||||
* Analyzes a set of dependencies. If they have been found to have the same base path and the same set of
|
||||
* identifiers they are likely related. The related dependencies are bundled into a single reportable item.
|
||||
* Analyzes a set of dependencies. If they have been found to have the same base path and the same set of identifiers they are
|
||||
* likely related. The related dependencies are bundled into a single reportable item.
|
||||
*
|
||||
* @param ignore this analyzer ignores the dependency being analyzed
|
||||
* @param engine the engine that is scanning the dependencies
|
||||
@@ -107,7 +107,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
|
||||
//for (Dependency nextDependency : engine.getDependencies()) {
|
||||
while (mainIterator.hasNext()) {
|
||||
final Dependency dependency = mainIterator.next();
|
||||
if (mainIterator.hasNext()) {
|
||||
if (mainIterator.hasNext() && !dependenciesToRemove.contains(dependency)) {
|
||||
final ListIterator<Dependency> subIterator = engine.getDependencies().listIterator(mainIterator.nextIndex());
|
||||
while (subIterator.hasNext()) {
|
||||
final Dependency nextDependency = subIterator.next();
|
||||
@@ -116,21 +116,25 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
|
||||
mergeDependencies(dependency, nextDependency, dependenciesToRemove);
|
||||
} else {
|
||||
mergeDependencies(nextDependency, dependency, dependenciesToRemove);
|
||||
break; //since we merged into the next dependency - skip forward to the next in mainIterator
|
||||
}
|
||||
} else if (isShadedJar(dependency, nextDependency)) {
|
||||
if (dependency.getFileName().toLowerCase().endsWith("pom.xml")) {
|
||||
dependenciesToRemove.add(dependency);
|
||||
mergeDependencies(nextDependency, dependency, dependenciesToRemove);
|
||||
nextDependency.getRelatedDependencies().remove(dependency);
|
||||
break;
|
||||
} else {
|
||||
dependenciesToRemove.add(nextDependency);
|
||||
mergeDependencies(dependency, nextDependency, dependenciesToRemove);
|
||||
nextDependency.getRelatedDependencies().remove(nextDependency);
|
||||
}
|
||||
} else if (cpeIdentifiersMatch(dependency, nextDependency)
|
||||
&& hasSameBasePath(dependency, nextDependency)
|
||||
&& fileNameMatch(dependency, nextDependency)) {
|
||||
|
||||
if (isCore(dependency, nextDependency)) {
|
||||
mergeDependencies(dependency, nextDependency, dependenciesToRemove);
|
||||
} else {
|
||||
mergeDependencies(nextDependency, dependency, dependenciesToRemove);
|
||||
break; //since we merged into the next dependency - skip forward to the next in mainIterator
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -138,9 +142,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
|
||||
}
|
||||
//removing dependencies here as ensuring correctness and avoiding ConcurrentUpdateExceptions
|
||||
// was difficult because of the inner iterator.
|
||||
for (Dependency d : dependenciesToRemove) {
|
||||
engine.getDependencies().remove(d);
|
||||
}
|
||||
engine.getDependencies().removeAll(dependenciesToRemove);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -148,10 +150,10 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
|
||||
* Adds the relatedDependency to the dependency's related dependencies.
|
||||
*
|
||||
* @param dependency the main dependency
|
||||
* @param relatedDependency a collection of dependencies to be removed from the main analysis loop, this is the
|
||||
* source of dependencies to remove
|
||||
* @param dependenciesToRemove a collection of dependencies that will be removed from the main analysis loop, this
|
||||
* function adds to this collection
|
||||
* @param relatedDependency a collection of dependencies to be removed from the main analysis loop, this is the source of
|
||||
* dependencies to remove
|
||||
* @param dependenciesToRemove a collection of dependencies that will be removed from the main analysis loop, this function
|
||||
* adds to this collection
|
||||
*/
|
||||
private void mergeDependencies(final Dependency dependency, final Dependency relatedDependency, final Set<Dependency> dependenciesToRemove) {
|
||||
dependency.addRelatedDependency(relatedDependency);
|
||||
@@ -160,12 +162,14 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
|
||||
dependency.addRelatedDependency(i.next());
|
||||
i.remove();
|
||||
}
|
||||
if (dependency.getSha1sum().equals(relatedDependency.getSha1sum())) {
|
||||
dependency.addAllProjectReferences(relatedDependency.getProjectReferences());
|
||||
}
|
||||
dependenciesToRemove.add(relatedDependency);
|
||||
}
|
||||
|
||||
/**
|
||||
* Attempts to trim a maven repo to a common base path. This is typically
|
||||
* [drive]\[repo_location]\repository\[path1]\[path2].
|
||||
* Attempts to trim a maven repo to a common base path. This is typically [drive]\[repo_location]\repository\[path1]\[path2].
|
||||
*
|
||||
* @param path the path to trim
|
||||
* @return a string representing the base path.
|
||||
@@ -201,25 +205,8 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
|
||||
|| dependency2 == null || dependency2.getFileName() == null) {
|
||||
return false;
|
||||
}
|
||||
String fileName1 = dependency1.getFileName();
|
||||
String fileName2 = dependency2.getFileName();
|
||||
|
||||
//update to deal with archive analyzer, the starting name maybe the same
|
||||
// as this is incorrectly looking at the starting path
|
||||
final File one = new File(fileName1);
|
||||
final File two = new File(fileName2);
|
||||
final String oneParent = one.getParent();
|
||||
final String twoParent = two.getParent();
|
||||
if (oneParent != null) {
|
||||
if (oneParent.equals(twoParent)) {
|
||||
fileName1 = one.getName();
|
||||
fileName2 = two.getName();
|
||||
} else {
|
||||
return false;
|
||||
}
|
||||
} else if (twoParent != null) {
|
||||
return false;
|
||||
}
|
||||
final String fileName1 = dependency1.getActualFile().getName();
|
||||
final String fileName2 = dependency2.getActualFile().getName();
|
||||
|
||||
//version check
|
||||
final DependencyVersion version1 = DependencyVersionUtil.parseVersion(fileName1);
|
||||
@@ -267,9 +254,11 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
|
||||
}
|
||||
if (cpeCount1 > 0 && cpeCount1 == cpeCount2) {
|
||||
for (Identifier i : dependency1.getIdentifiers()) {
|
||||
matches |= dependency2.getIdentifiers().contains(i);
|
||||
if (!matches) {
|
||||
break;
|
||||
if ("cpe".equals(i.getType())) {
|
||||
matches |= dependency2.getIdentifiers().contains(i);
|
||||
if (!matches) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -318,8 +307,8 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
|
||||
}
|
||||
|
||||
/**
|
||||
* This is likely a very broken attempt at determining if the 'left' dependency is the 'core' library in comparison
|
||||
* to the 'right' library.
|
||||
* This is likely a very broken attempt at determining if the 'left' dependency is the 'core' library in comparison to the
|
||||
* 'right' library.
|
||||
*
|
||||
* @param left the dependency to test
|
||||
* @param right the dependency to test against
|
||||
@@ -338,6 +327,10 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
|
||||
|| !rightName.contains("core") && leftName.contains("core")
|
||||
|| !rightName.contains("kernel") && leftName.contains("kernel")) {
|
||||
returnVal = true;
|
||||
// } else if (leftName.matches(".*struts2\\-core.*") && rightName.matches(".*xwork\\-core.*")) {
|
||||
// returnVal = true;
|
||||
// } else if (rightName.matches(".*struts2\\-core.*") && leftName.matches(".*xwork\\-core.*")) {
|
||||
// returnVal = false;
|
||||
} else {
|
||||
/*
|
||||
* considered splitting the names up and comparing the components,
|
||||
@@ -372,13 +365,12 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
|
||||
}
|
||||
|
||||
/**
|
||||
* Determines if the jar is shaded and the created pom.xml identified the same CPE as the jar - if so, the pom.xml
|
||||
* dependency should be removed.
|
||||
* Determines if the jar is shaded and the created pom.xml identified the same CPE as the jar - if so, the pom.xml dependency
|
||||
* should be removed.
|
||||
*
|
||||
* @param dependency a dependency to check
|
||||
* @param nextDependency another dependency to check
|
||||
* @return true if on of the dependencies is a pom.xml and the identifiers between the two collections match;
|
||||
* otherwise false
|
||||
* @return true if on of the dependencies is a pom.xml and the identifiers between the two collections match; otherwise false
|
||||
*/
|
||||
private boolean isShadedJar(Dependency dependency, Dependency nextDependency) {
|
||||
final String mainName = dependency.getFileName().toLowerCase();
|
||||
@@ -392,8 +384,8 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
|
||||
}
|
||||
|
||||
/**
|
||||
* Determines which path is shortest; if path lengths are equal then we use compareTo of the string method to
|
||||
* determine if the first path is smaller.
|
||||
* Determines which path is shortest; if path lengths are equal then we use compareTo of the string method to determine if the
|
||||
* first path is smaller.
|
||||
*
|
||||
* @param left the first path to compare
|
||||
* @param right the second path to compare
|
||||
|
||||
@@ -31,4 +31,9 @@ public interface FileTypeAnalyzer extends Analyzer {
|
||||
* @return whether or not the specified file extension is supported by this analyzer.
|
||||
*/
|
||||
boolean supportsExtension(String extension);
|
||||
|
||||
/**
|
||||
* Resets the analyzers state.
|
||||
*/
|
||||
void reset();
|
||||
}
|
||||
|
||||
@@ -19,6 +19,7 @@ package org.owasp.dependencycheck.analyzer;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.Iterator;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
import org.owasp.dependencycheck.Engine;
|
||||
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
|
||||
@@ -64,8 +65,8 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
//</editor-fold>
|
||||
|
||||
/**
|
||||
* The HintAnalyzer uses knowledge about a dependency to add additional information to help in identification of
|
||||
* identifiers or vulnerabilities.
|
||||
* The HintAnalyzer uses knowledge about a dependency to add additional information to help in identification of identifiers
|
||||
* or vulnerabilities.
|
||||
*
|
||||
* @param dependency The dependency being analyzed
|
||||
* @param engine The scanning engine
|
||||
@@ -84,24 +85,39 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
|
||||
Confidence.HIGH);
|
||||
|
||||
final Evidence springTest3 = new Evidence("Manifest",
|
||||
"Implementation-Title",
|
||||
"spring-core",
|
||||
Confidence.HIGH);
|
||||
|
||||
final Evidence springTest4 = new Evidence("Manifest",
|
||||
"Bundle-Vendor",
|
||||
"SpringSource",
|
||||
Confidence.HIGH);
|
||||
|
||||
Set<Evidence> evidence = dependency.getProductEvidence().getEvidence();
|
||||
if (evidence.contains(springTest1) || evidence.contains(springTest2)) {
|
||||
dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH);
|
||||
final Evidence springTest5 = new Evidence("jar",
|
||||
"package name",
|
||||
"springframework",
|
||||
Confidence.LOW);
|
||||
|
||||
//springsource/vware problem
|
||||
final Set<Evidence> product = dependency.getProductEvidence().getEvidence();
|
||||
final Set<Evidence> vendor = dependency.getVendorEvidence().getEvidence();
|
||||
|
||||
if (product.contains(springTest1) || product.contains(springTest2) || product.contains(springTest3)
|
||||
|| (dependency.getFileName().contains("spring") && (product.contains(springTest5) || vendor.contains(springTest5)))) {
|
||||
dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource spring framework", Confidence.HIGH);
|
||||
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGH);
|
||||
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
|
||||
}
|
||||
|
||||
evidence = dependency.getVendorEvidence().getEvidence();
|
||||
if (evidence.contains(springTest3)) {
|
||||
if (vendor.contains(springTest4)) {
|
||||
dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH);
|
||||
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
|
||||
}
|
||||
|
||||
//sun/oracle problem
|
||||
final Iterator<Evidence> itr = dependency.getVendorEvidence().iterator();
|
||||
final ArrayList<Evidence> newEntries = new ArrayList<Evidence>();
|
||||
final List<Evidence> newEntries = new ArrayList<Evidence>();
|
||||
while (itr.hasNext()) {
|
||||
final Evidence e = itr.next();
|
||||
if ("sun".equalsIgnoreCase(e.getValue(false))) {
|
||||
|
||||
@@ -46,13 +46,6 @@ import java.util.logging.Level;
|
||||
import java.util.logging.Logger;
|
||||
import java.util.regex.Pattern;
|
||||
import java.util.zip.ZipEntry;
|
||||
import javax.xml.bind.JAXBContext;
|
||||
import javax.xml.bind.JAXBElement;
|
||||
import javax.xml.bind.JAXBException;
|
||||
import javax.xml.bind.Unmarshaller;
|
||||
import javax.xml.parsers.ParserConfigurationException;
|
||||
import javax.xml.parsers.SAXParser;
|
||||
import javax.xml.parsers.SAXParserFactory;
|
||||
import javax.xml.transform.sax.SAXSource;
|
||||
import org.jsoup.Jsoup;
|
||||
import org.owasp.dependencycheck.Engine;
|
||||
@@ -60,7 +53,7 @@ import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
|
||||
import org.owasp.dependencycheck.dependency.Confidence;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.EvidenceCollection;
|
||||
import org.owasp.dependencycheck.jaxb.pom.MavenNamespaceFilter;
|
||||
import org.owasp.dependencycheck.jaxb.pom.PomUtils;
|
||||
import org.owasp.dependencycheck.jaxb.pom.generated.License;
|
||||
import org.owasp.dependencycheck.jaxb.pom.generated.Model;
|
||||
import org.owasp.dependencycheck.jaxb.pom.generated.Organization;
|
||||
@@ -68,9 +61,6 @@ import org.owasp.dependencycheck.utils.FileUtils;
|
||||
import org.owasp.dependencycheck.utils.NonClosingStream;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
import org.xml.sax.InputSource;
|
||||
import org.xml.sax.SAXException;
|
||||
import org.xml.sax.XMLFilter;
|
||||
import org.xml.sax.XMLReader;
|
||||
|
||||
/**
|
||||
* Used to load a JAR file and collect information that can be used to determine the associated CPE.
|
||||
@@ -158,24 +148,18 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
* A pattern to detect HTML within text.
|
||||
*/
|
||||
private static final Pattern HTML_DETECTION_PATTERN = Pattern.compile("\\<[a-z]+.*/?\\>", Pattern.CASE_INSENSITIVE);
|
||||
|
||||
/**
|
||||
* The unmarshaller used to parse the pom.xml from a JAR file.
|
||||
* The POM Utility for parsing POM files.
|
||||
*/
|
||||
private Unmarshaller pomUnmarshaller;
|
||||
private PomUtils pomUtils = null;
|
||||
//</editor-fold>
|
||||
|
||||
/**
|
||||
* Constructs a new JarAnalyzer.
|
||||
*/
|
||||
public JarAnalyzer() {
|
||||
try {
|
||||
//final JAXBContext jaxbContext = JAXBContext.newInstance("org.owasp.dependencycheck.jaxb.pom.generated");
|
||||
final JAXBContext jaxbContext = JAXBContext.newInstance(Model.class);
|
||||
pomUnmarshaller = jaxbContext.createUnmarshaller();
|
||||
} catch (JAXBException ex) { //guess we will just have a null pointer exception later...
|
||||
LOGGER.log(Level.SEVERE, "Unable to load parser. See the log for more details.");
|
||||
LOGGER.log(Level.FINE, null, ex);
|
||||
}
|
||||
pomUtils = new PomUtils();
|
||||
}
|
||||
|
||||
//<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
|
||||
@@ -243,7 +227,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
@Override
|
||||
public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
|
||||
try {
|
||||
final ArrayList<ClassNameInformation> classNames = collectClassNames(dependency);
|
||||
final List<ClassNameInformation> classNames = collectClassNames(dependency);
|
||||
final String fileName = dependency.getFileName().toLowerCase();
|
||||
if (classNames.isEmpty()
|
||||
&& (fileName.endsWith("-sources.jar")
|
||||
@@ -262,8 +246,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
}
|
||||
|
||||
/**
|
||||
* Attempts to find a pom.xml within the JAR file. If found it extracts information and adds it to the evidence.
|
||||
* This will attempt to interpolate the strings contained within the pom.properties if one exists.
|
||||
* Attempts to find a pom.xml within the JAR file. If found it extracts information and adds it to the evidence. This will
|
||||
* attempt to interpolate the strings contained within the pom.properties if one exists.
|
||||
*
|
||||
* @param dependency the dependency being analyzed
|
||||
* @param classes a collection of class name information
|
||||
@@ -271,7 +255,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
* @throws AnalysisException is thrown if there is an exception parsing the pom
|
||||
* @return whether or not evidence was added to the dependency
|
||||
*/
|
||||
protected boolean analyzePOM(Dependency dependency, ArrayList<ClassNameInformation> classes, Engine engine) throws AnalysisException {
|
||||
protected boolean analyzePOM(Dependency dependency, List<ClassNameInformation> classes, Engine engine) throws AnalysisException {
|
||||
boolean foundSomething = false;
|
||||
final JarFile jar;
|
||||
try {
|
||||
@@ -295,15 +279,11 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
}
|
||||
File externalPom = null;
|
||||
if (pomEntries.isEmpty()) {
|
||||
if (dependency.getActualFilePath().matches(".*\\.m2.repository\\b.*")) {
|
||||
String pomPath = dependency.getActualFilePath();
|
||||
pomPath = pomPath.substring(0, pomPath.lastIndexOf('.')) + ".pom";
|
||||
externalPom = new File(pomPath);
|
||||
if (externalPom.isFile()) {
|
||||
pomEntries.add(pomPath);
|
||||
} else {
|
||||
return false;
|
||||
}
|
||||
String pomPath = dependency.getActualFilePath();
|
||||
pomPath = pomPath.substring(0, pomPath.lastIndexOf('.')) + ".pom";
|
||||
externalPom = new File(pomPath);
|
||||
if (externalPom.isFile()) {
|
||||
pomEntries.add(pomPath);
|
||||
} else {
|
||||
return false;
|
||||
}
|
||||
@@ -342,7 +322,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
if (externalPom == null) {
|
||||
pom = retrievePom(path, jar);
|
||||
} else {
|
||||
pom = retrievePom(externalPom);
|
||||
pom = pomUtils.readPom(externalPom);
|
||||
}
|
||||
foundSomething |= setPomEvidence(dependency, pom, pomProperties, classes);
|
||||
}
|
||||
@@ -428,7 +408,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
fos = new FileOutputStream(file);
|
||||
bos = new BufferedOutputStream(fos, BUFFER_SIZE);
|
||||
int count;
|
||||
final byte data[] = new byte[BUFFER_SIZE];
|
||||
final byte[] data = new byte[BUFFER_SIZE];
|
||||
while ((count = input.read(data, 0, BUFFER_SIZE)) != -1) {
|
||||
bos.write(data, 0, count);
|
||||
}
|
||||
@@ -450,7 +430,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
final InputStreamReader reader = new InputStreamReader(fis, "UTF-8");
|
||||
final InputSource xml = new InputSource(reader);
|
||||
final SAXSource source = new SAXSource(xml);
|
||||
model = readPom(source);
|
||||
model = pomUtils.readPom(source);
|
||||
} catch (FileNotFoundException ex) {
|
||||
final String msg = String.format("Unable to parse pom '%s' in jar '%s' (File Not Found)", path, jar.getName());
|
||||
LOGGER.log(Level.WARNING, msg);
|
||||
@@ -520,7 +500,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
final InputStreamReader reader = new InputStreamReader(stream, "UTF-8");
|
||||
final InputSource xml = new InputSource(reader);
|
||||
final SAXSource source = new SAXSource(xml);
|
||||
model = readPom(source);
|
||||
model = pomUtils.readPom(source);
|
||||
} catch (SecurityException ex) {
|
||||
final String msg = String.format("Unable to parse pom '%s' in jar '%s'; invalid signature", path, jar.getName());
|
||||
LOGGER.log(Level.WARNING, msg);
|
||||
@@ -541,84 +521,17 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
return model;
|
||||
}
|
||||
|
||||
/**
|
||||
* Reads in the specified POM and converts it to a Model.
|
||||
*
|
||||
* @param file the pom.xml file
|
||||
* @return returns a
|
||||
* @throws AnalysisException is thrown if there is an exception extracting or parsing the POM
|
||||
* {@link org.owasp.dependencycheck.jaxb.pom.generated.Model} object
|
||||
*/
|
||||
private Model retrievePom(File file) throws AnalysisException {
|
||||
Model model = null;
|
||||
try {
|
||||
final FileInputStream stream = new FileInputStream(file);
|
||||
final InputStreamReader reader = new InputStreamReader(stream, "UTF-8");
|
||||
final InputSource xml = new InputSource(reader);
|
||||
final SAXSource source = new SAXSource(xml);
|
||||
model = readPom(source);
|
||||
} catch (SecurityException ex) {
|
||||
final String msg = String.format("Unable to parse pom '%s'; invalid signature", file.getPath());
|
||||
LOGGER.log(Level.WARNING, msg);
|
||||
LOGGER.log(Level.FINE, null, ex);
|
||||
throw new AnalysisException(ex);
|
||||
} catch (IOException ex) {
|
||||
final String msg = String.format("Unable to parse pom '%s'(IO Exception)", file.getPath());
|
||||
LOGGER.log(Level.WARNING, msg);
|
||||
LOGGER.log(Level.FINE, "", ex);
|
||||
throw new AnalysisException(ex);
|
||||
} catch (Throwable ex) {
|
||||
final String msg = String.format("Unexpected error during parsing of the pom '%s'", file.getPath());
|
||||
LOGGER.log(Level.WARNING, msg);
|
||||
LOGGER.log(Level.FINE, "", ex);
|
||||
throw new AnalysisException(ex);
|
||||
}
|
||||
return model;
|
||||
}
|
||||
|
||||
/**
|
||||
* Retrieves the specified POM from a jar file and converts it to a Model.
|
||||
*
|
||||
* @param source the SAXSource input stream to read the POM from
|
||||
* @return returns the POM object
|
||||
* @throws AnalysisException is thrown if there is an exception extracting or parsing the POM
|
||||
* {@link org.owasp.dependencycheck.jaxb.pom.generated.Model} object
|
||||
*/
|
||||
private Model readPom(SAXSource source) throws AnalysisException {
|
||||
Model model = null;
|
||||
try {
|
||||
final XMLFilter filter = new MavenNamespaceFilter();
|
||||
final SAXParserFactory spf = SAXParserFactory.newInstance();
|
||||
final SAXParser sp = spf.newSAXParser();
|
||||
final XMLReader xr = sp.getXMLReader();
|
||||
filter.setParent(xr);
|
||||
final JAXBElement<Model> el = pomUnmarshaller.unmarshal(source, Model.class);
|
||||
model = el.getValue();
|
||||
} catch (SecurityException ex) {
|
||||
throw new AnalysisException(ex);
|
||||
} catch (ParserConfigurationException ex) {
|
||||
throw new AnalysisException(ex);
|
||||
} catch (SAXException ex) {
|
||||
throw new AnalysisException(ex);
|
||||
} catch (JAXBException ex) {
|
||||
throw new AnalysisException(ex);
|
||||
} catch (Throwable ex) {
|
||||
throw new AnalysisException(ex);
|
||||
}
|
||||
return model;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets evidence from the pom on the supplied dependency.
|
||||
*
|
||||
* @param dependency the dependency to set data on
|
||||
* @param pom the information from the pom
|
||||
* @param pomProperties the pom properties file (null if none exists)
|
||||
* @param classes a collection of ClassNameInformation - containing data about the fully qualified class names
|
||||
* within the JAR file being analyzed
|
||||
* @param classes a collection of ClassNameInformation - containing data about the fully qualified class names within the JAR
|
||||
* file being analyzed
|
||||
* @return true if there was evidence within the pom that we could use; otherwise false
|
||||
*/
|
||||
private boolean setPomEvidence(Dependency dependency, Model pom, Properties pomProperties, ArrayList<ClassNameInformation> classes) {
|
||||
private boolean setPomEvidence(Dependency dependency, Model pom, Properties pomProperties, List<ClassNameInformation> classes) {
|
||||
boolean foundSomething = false;
|
||||
boolean addAsIdentifier = true;
|
||||
if (pom == null) {
|
||||
@@ -739,17 +652,17 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
}
|
||||
|
||||
/**
|
||||
* Analyzes the path information of the classes contained within the JarAnalyzer to try and determine possible
|
||||
* vendor or product names. If any are found they are stored in the packageVendor and packageProduct hashSets.
|
||||
* Analyzes the path information of the classes contained within the JarAnalyzer to try and determine possible vendor or
|
||||
* product names. If any are found they are stored in the packageVendor and packageProduct hashSets.
|
||||
*
|
||||
* @param classNames a list of class names
|
||||
* @param dependency a dependency to analyze
|
||||
* @param addPackagesAsEvidence a flag indicating whether or not package names should be added as evidence.
|
||||
*/
|
||||
protected void analyzePackageNames(ArrayList<ClassNameInformation> classNames,
|
||||
protected void analyzePackageNames(List<ClassNameInformation> classNames,
|
||||
Dependency dependency, boolean addPackagesAsEvidence) {
|
||||
final HashMap<String, Integer> vendorIdentifiers = new HashMap<String, Integer>();
|
||||
final HashMap<String, Integer> productIdentifiers = new HashMap<String, Integer>();
|
||||
final Map<String, Integer> vendorIdentifiers = new HashMap<String, Integer>();
|
||||
final Map<String, Integer> productIdentifiers = new HashMap<String, Integer>();
|
||||
analyzeFullyQualifiedClassNames(classNames, vendorIdentifiers, productIdentifiers);
|
||||
|
||||
final int classCount = classNames.size();
|
||||
@@ -791,7 +704,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
* @return whether evidence was identified parsing the manifest
|
||||
* @throws IOException if there is an issue reading the JAR file
|
||||
*/
|
||||
protected boolean parseManifest(Dependency dependency, ArrayList<ClassNameInformation> classInformation) throws IOException {
|
||||
protected boolean parseManifest(Dependency dependency, List<ClassNameInformation> classInformation) throws IOException {
|
||||
boolean foundSomething = false;
|
||||
JarFile jar = null;
|
||||
try {
|
||||
@@ -948,18 +861,17 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
}
|
||||
|
||||
/**
|
||||
* Adds a description to the given dependency. If the description contains one of the following strings beyond 100
|
||||
* characters, then the description used will be trimmed to that position:
|
||||
* Adds a description to the given dependency. If the description contains one of the following strings beyond 100 characters,
|
||||
* then the description used will be trimmed to that position:
|
||||
* <ul><li>"such as"</li><li>"like "</li><li>"will use "</li><li>"* uses "</li></ul>
|
||||
*
|
||||
* @param dependency a dependency
|
||||
* @param description the description
|
||||
* @param source the source of the evidence
|
||||
* @param key the "name" of the evidence
|
||||
* @return if the description is trimmed, the trimmed version is returned; otherwise the original description is
|
||||
* returned
|
||||
* @return if the description is trimmed, the trimmed version is returned; otherwise the original description is returned
|
||||
*/
|
||||
private String addDescription(Dependency dependency, String description, String source, String key) {
|
||||
public static String addDescription(Dependency dependency, String description, String source, String key) {
|
||||
if (dependency.getDescription() == null) {
|
||||
dependency.setDescription(description);
|
||||
}
|
||||
@@ -1064,12 +976,11 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* A utility function that will interpolate strings based on values given in the properties file. It will also
|
||||
* interpolate the strings contained within the properties file so that properties can reference other
|
||||
* properties.</p>
|
||||
* A utility function that will interpolate strings based on values given in the properties file. It will also interpolate the
|
||||
* strings contained within the properties file so that properties can reference other properties.</p>
|
||||
* <p>
|
||||
* <b>Note:</b> if there is no property found the reference will be removed. In other words, if the interpolated
|
||||
* string will be replaced with an empty string.
|
||||
* <b>Note:</b> if there is no property found the reference will be removed. In other words, if the interpolated string will
|
||||
* be replaced with an empty string.
|
||||
* </p>
|
||||
* <p>
|
||||
* Example:</p>
|
||||
@@ -1089,13 +1000,13 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
* @param properties a collection of properties that may be referenced within the text.
|
||||
* @return the interpolated text.
|
||||
*/
|
||||
protected String interpolateString(String text, Properties properties) {
|
||||
Properties props = properties;
|
||||
public static String interpolateString(String text, Properties properties) {
|
||||
final Properties props = properties;
|
||||
if (text == null) {
|
||||
return text;
|
||||
}
|
||||
if (props == null) {
|
||||
props = new Properties();
|
||||
return text;
|
||||
}
|
||||
|
||||
final int pos = text.indexOf("${");
|
||||
@@ -1133,14 +1044,14 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
}
|
||||
|
||||
/**
|
||||
* Cycles through an enumeration of JarEntries, contained within the dependency, and returns a list of the class
|
||||
* names. This does not include core Java package names (i.e. java.* or javax.*).
|
||||
* Cycles through an enumeration of JarEntries, contained within the dependency, and returns a list of the class names. This
|
||||
* does not include core Java package names (i.e. java.* or javax.*).
|
||||
*
|
||||
* @param dependency the dependency being analyzed
|
||||
* @return an list of fully qualified class names
|
||||
*/
|
||||
private ArrayList<ClassNameInformation> collectClassNames(Dependency dependency) {
|
||||
final ArrayList<ClassNameInformation> classNames = new ArrayList<ClassNameInformation>();
|
||||
private List<ClassNameInformation> collectClassNames(Dependency dependency) {
|
||||
final List<ClassNameInformation> classNames = new ArrayList<ClassNameInformation>();
|
||||
JarFile jar = null;
|
||||
try {
|
||||
jar = new JarFile(dependency.getActualFilePath());
|
||||
@@ -1171,17 +1082,17 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
}
|
||||
|
||||
/**
|
||||
* Cycles through the list of class names and places the package levels 0-3 into the provided maps for vendor and
|
||||
* product. This is helpful when analyzing vendor/product as many times this is included in the package name.
|
||||
* Cycles through the list of class names and places the package levels 0-3 into the provided maps for vendor and product.
|
||||
* This is helpful when analyzing vendor/product as many times this is included in the package name.
|
||||
*
|
||||
* @param classNames a list of class names
|
||||
* @param vendor HashMap of possible vendor names from package names (e.g. owasp)
|
||||
* @param product HashMap of possible product names from package names (e.g. dependencycheck)
|
||||
*/
|
||||
private void analyzeFullyQualifiedClassNames(ArrayList<ClassNameInformation> classNames,
|
||||
HashMap<String, Integer> vendor, HashMap<String, Integer> product) {
|
||||
private void analyzeFullyQualifiedClassNames(List<ClassNameInformation> classNames,
|
||||
Map<String, Integer> vendor, Map<String, Integer> product) {
|
||||
for (ClassNameInformation entry : classNames) {
|
||||
final ArrayList<String> list = entry.getPackageStructure();
|
||||
final List<String> list = entry.getPackageStructure();
|
||||
addEntry(vendor, list.get(0));
|
||||
|
||||
if (list.size() == 2) {
|
||||
@@ -1203,13 +1114,13 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
}
|
||||
|
||||
/**
|
||||
* Adds an entry to the specified collection and sets the Integer (e.g. the count) to 1. If the entry already exists
|
||||
* in the collection then the Integer is incremented by 1.
|
||||
* Adds an entry to the specified collection and sets the Integer (e.g. the count) to 1. If the entry already exists in the
|
||||
* collection then the Integer is incremented by 1.
|
||||
*
|
||||
* @param collection a collection of strings and their occurrence count
|
||||
* @param key the key to add to the collection
|
||||
*/
|
||||
private void addEntry(HashMap<String, Integer> collection, String key) {
|
||||
private void addEntry(Map<String, Integer> collection, String key) {
|
||||
if (collection.containsKey(key)) {
|
||||
collection.put(key, collection.get(key) + 1);
|
||||
} else {
|
||||
@@ -1218,15 +1129,15 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
}
|
||||
|
||||
/**
|
||||
* Cycles through the collection of class name information to see if parts of the package names are contained in the
|
||||
* provided value. If found, it will be added as the HIGHEST confidence evidence because we have more then one
|
||||
* source corroborating the value.
|
||||
* Cycles through the collection of class name information to see if parts of the package names are contained in the provided
|
||||
* value. If found, it will be added as the HIGHEST confidence evidence because we have more then one source corroborating the
|
||||
* value.
|
||||
*
|
||||
* @param classes a collection of class name information
|
||||
* @param value the value to check to see if it contains a package name
|
||||
* @param evidence the evidence collection to add new entries too
|
||||
*/
|
||||
private void addMatchingValues(ArrayList<ClassNameInformation> classes, String value, EvidenceCollection evidence) {
|
||||
private void addMatchingValues(List<ClassNameInformation> classes, String value, EvidenceCollection evidence) {
|
||||
if (value == null || value.isEmpty() || classes == null || classes.isEmpty()) {
|
||||
return;
|
||||
}
|
||||
@@ -1261,7 +1172,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
* @param pomProperties the properties, used for string interpolation
|
||||
* @param dependency the dependency to add license information too
|
||||
*/
|
||||
private void extractLicense(Model pom, Properties pomProperties, Dependency dependency) {
|
||||
public static void extractLicense(Model pom, Properties pomProperties, Dependency dependency) {
|
||||
//license
|
||||
if (pom.getLicenses() != null) {
|
||||
String license = null;
|
||||
@@ -1302,9 +1213,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Stores information about a given class name. This class will keep the fully qualified class name and a list
|
||||
* of the important parts of the package structure. Up to the first four levels of the package structure are
|
||||
* stored, excluding a leading "org" or "com". Example:</p>
|
||||
* Stores information about a given class name. This class will keep the fully qualified class name and a list of the
|
||||
* important parts of the package structure. Up to the first four levels of the package structure are stored, excluding a
|
||||
* leading "org" or "com". Example:</p>
|
||||
* <code>ClassNameInformation obj = new ClassNameInformation("org.owasp.dependencycheck.analyzer.JarAnalyzer");
|
||||
* System.out.println(obj.getName());
|
||||
* for (String p : obj.getPackageStructure())
|
||||
|
||||
@@ -17,6 +17,7 @@
|
||||
*/
|
||||
package org.owasp.dependencycheck.analyzer;
|
||||
|
||||
import java.io.File;
|
||||
import java.io.FileNotFoundException;
|
||||
import java.io.IOException;
|
||||
import java.net.MalformedURLException;
|
||||
@@ -24,13 +25,18 @@ import java.net.URL;
|
||||
import java.util.Set;
|
||||
import java.util.logging.Level;
|
||||
import java.util.logging.Logger;
|
||||
import org.apache.commons.io.FileUtils;
|
||||
import org.owasp.dependencycheck.Engine;
|
||||
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
|
||||
import org.owasp.dependencycheck.data.nexus.MavenArtifact;
|
||||
import org.owasp.dependencycheck.data.nexus.NexusSearch;
|
||||
import org.owasp.dependencycheck.dependency.Confidence;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.Evidence;
|
||||
import org.owasp.dependencycheck.jaxb.pom.PomUtils;
|
||||
import org.owasp.dependencycheck.utils.InvalidSettingException;
|
||||
import org.owasp.dependencycheck.utils.DownloadFailedException;
|
||||
import org.owasp.dependencycheck.utils.Downloader;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
|
||||
/**
|
||||
@@ -83,6 +89,10 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
* Field indicating if the analyzer is enabled.
|
||||
*/
|
||||
private final boolean enabled = checkEnabled();
|
||||
/**
|
||||
* Field for doing POM work
|
||||
*/
|
||||
private final PomUtils pomUtil = new PomUtils();
|
||||
|
||||
/**
|
||||
* Determines if this analyzer is enabled
|
||||
@@ -101,7 +111,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
LOGGER.info("Enabling Nexus analyzer");
|
||||
retval = true;
|
||||
} else {
|
||||
LOGGER.info("Nexus analyzer disabled, using Central instead");
|
||||
LOGGER.fine("Nexus analyzer disabled, using Central instead");
|
||||
}
|
||||
} catch (InvalidSettingException ise) {
|
||||
LOGGER.warning("Invalid setting. Disabling Nexus analyzer");
|
||||
@@ -202,6 +212,38 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
try {
|
||||
final MavenArtifact ma = searcher.searchSha1(dependency.getSha1sum());
|
||||
dependency.addAsEvidence("nexus", ma, Confidence.HIGH);
|
||||
boolean pomAnalyzed = false;
|
||||
LOGGER.fine("POM URL " + ma.getPomUrl());
|
||||
for (Evidence e : dependency.getVendorEvidence()) {
|
||||
if ("pom".equals(e.getSource())) {
|
||||
pomAnalyzed = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (!pomAnalyzed && ma.getPomUrl() != null) {
|
||||
File pomFile = null;
|
||||
try {
|
||||
final File baseDir = Settings.getTempDirectory();
|
||||
pomFile = File.createTempFile("pom", ".xml", baseDir);
|
||||
if (!pomFile.delete()) {
|
||||
final String msg = String.format("Unable to fetch pom.xml for %s from Nexus repository; "
|
||||
+ "this could result in undetected CPE/CVEs.", dependency.getFileName());
|
||||
LOGGER.warning(msg);
|
||||
LOGGER.fine("Unable to delete temp file");
|
||||
}
|
||||
LOGGER.fine(String.format("Downloading %s", ma.getPomUrl()));
|
||||
Downloader.fetchFile(new URL(ma.getPomUrl()), pomFile);
|
||||
pomUtil.analyzePOM(dependency, pomFile);
|
||||
} catch (DownloadFailedException ex) {
|
||||
final String msg = String.format("Unable to download pom.xml for %s from Nexus repository; "
|
||||
+ "this could result in undetected CPE/CVEs.", dependency.getFileName());
|
||||
LOGGER.warning(msg);
|
||||
} finally {
|
||||
if (pomFile != null && !FileUtils.deleteQuietly(pomFile)) {
|
||||
pomFile.deleteOnExit();
|
||||
}
|
||||
}
|
||||
}
|
||||
} catch (IllegalArgumentException iae) {
|
||||
//dependency.addAnalysisException(new AnalysisException("Invalid SHA-1"));
|
||||
LOGGER.info(String.format("invalid sha-1 hash on %s", dependency.getFileName()));
|
||||
|
||||
@@ -60,8 +60,8 @@ public class CentralSearch {
|
||||
/**
|
||||
* Creates a NexusSearch for the given repository URL.
|
||||
*
|
||||
* @param rootURL the URL of the repository on which searches should execute. Only parameters are added to this (so
|
||||
* it should end in /select)
|
||||
* @param rootURL the URL of the repository on which searches should execute. Only parameters are added to this (so it should
|
||||
* end in /select)
|
||||
*/
|
||||
public CentralSearch(URL rootURL) {
|
||||
this.rootURL = rootURL;
|
||||
@@ -75,13 +75,12 @@ public class CentralSearch {
|
||||
}
|
||||
|
||||
/**
|
||||
* Searches the configured Central URL for the given sha1 hash. If the artifact is found, a
|
||||
* <code>MavenArtifact</code> is populated with the GAV.
|
||||
* Searches the configured Central URL for the given sha1 hash. If the artifact is found, a <code>MavenArtifact</code> is
|
||||
* populated with the GAV.
|
||||
*
|
||||
* @param sha1 the SHA-1 hash string for which to search
|
||||
* @return the populated Maven GAV.
|
||||
* @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not
|
||||
* found.
|
||||
* @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not found.
|
||||
*/
|
||||
public List<MavenArtifact> searchSha1(String sha1) throws IOException {
|
||||
if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) {
|
||||
@@ -124,8 +123,19 @@ public class CentralSearch {
|
||||
final String a = xpath.evaluate("./str[@name='a']", docs.item(i));
|
||||
LOGGER.finest(String.format("ArtifactId: %s", a));
|
||||
final String v = xpath.evaluate("./str[@name='v']", docs.item(i));
|
||||
final NodeList atts = (NodeList) xpath.evaluate("./arr[@name='ec']/str", docs.item(i), XPathConstants.NODESET);
|
||||
boolean pomAvailable = false;
|
||||
boolean jarAvailable = false;
|
||||
for (int x = 0; x < atts.getLength(); x++) {
|
||||
final String tmp = xpath.evaluate(".", atts.item(x));
|
||||
if (".pom".equals(tmp)) {
|
||||
pomAvailable = true;
|
||||
} else if (".jar".equals(tmp)) {
|
||||
jarAvailable = true;
|
||||
}
|
||||
}
|
||||
LOGGER.finest(String.format("Version: %s", v));
|
||||
result.add(new MavenArtifact(g, a, v, url.toString()));
|
||||
result.add(new MavenArtifact(g, a, v, jarAvailable, pomAvailable));
|
||||
}
|
||||
|
||||
return result;
|
||||
|
||||
@@ -48,8 +48,8 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
|
||||
import org.owasp.dependencycheck.utils.Pair;
|
||||
|
||||
/**
|
||||
* An in memory lucene index that contains the vendor/product combinations from the CPE (application) identifiers within
|
||||
* the NVD CVE data.
|
||||
* An in memory lucene index that contains the vendor/product combinations from the CPE (application) identifiers within the NVD
|
||||
* CVE data.
|
||||
*
|
||||
* @author Jeremy Long <jeremy.long@owasp.org>
|
||||
*/
|
||||
@@ -62,7 +62,7 @@ public final class CpeMemoryIndex {
|
||||
/**
|
||||
* singleton instance.
|
||||
*/
|
||||
private static CpeMemoryIndex instance = new CpeMemoryIndex();
|
||||
private static final CpeMemoryIndex INSTANCE = new CpeMemoryIndex();
|
||||
|
||||
/**
|
||||
* private constructor for singleton.
|
||||
@@ -76,7 +76,7 @@ public final class CpeMemoryIndex {
|
||||
* @return the instance of the CpeMemoryIndex
|
||||
*/
|
||||
public static CpeMemoryIndex getInstance() {
|
||||
return instance;
|
||||
return INSTANCE;
|
||||
}
|
||||
/**
|
||||
* The in memory Lucene index.
|
||||
@@ -114,18 +114,20 @@ public final class CpeMemoryIndex {
|
||||
* @throws IndexException thrown if there is an error creating the index
|
||||
*/
|
||||
public void open(CveDB cve) throws IndexException {
|
||||
if (!openState) {
|
||||
index = new RAMDirectory();
|
||||
buildIndex(cve);
|
||||
try {
|
||||
indexReader = DirectoryReader.open(index);
|
||||
} catch (IOException ex) {
|
||||
throw new IndexException(ex);
|
||||
synchronized (INSTANCE) {
|
||||
if (!openState) {
|
||||
index = new RAMDirectory();
|
||||
buildIndex(cve);
|
||||
try {
|
||||
indexReader = DirectoryReader.open(index);
|
||||
} catch (IOException ex) {
|
||||
throw new IndexException(ex);
|
||||
}
|
||||
indexSearcher = new IndexSearcher(indexReader);
|
||||
searchingAnalyzer = createSearchingAnalyzer();
|
||||
queryParser = new QueryParser(LuceneUtils.CURRENT_VERSION, Fields.DOCUMENT_KEY, searchingAnalyzer);
|
||||
openState = true;
|
||||
}
|
||||
indexSearcher = new IndexSearcher(indexReader);
|
||||
searchingAnalyzer = createSearchingAnalyzer();
|
||||
queryParser = new QueryParser(LuceneUtils.CURRENT_VERSION, Fields.DOCUMENT_KEY, searchingAnalyzer);
|
||||
openState = true;
|
||||
}
|
||||
}
|
||||
/**
|
||||
|
||||
@@ -72,7 +72,7 @@ public abstract class AbstractTokenizingFilter extends TokenFilter {
|
||||
* @return whether or not a new term was added
|
||||
*/
|
||||
protected boolean addTerm() {
|
||||
final boolean termAdded = tokens.size() > 0;
|
||||
final boolean termAdded = !tokens.isEmpty();
|
||||
if (termAdded) {
|
||||
final String term = tokens.pop();
|
||||
clearAttributes();
|
||||
|
||||
@@ -29,8 +29,8 @@ import org.apache.lucene.util.Version;
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* A Lucene Analyzer that utilizes the WhitespaceTokenizer, WordDelimiterFilter, LowerCaseFilter, and StopFilter. The
|
||||
* intended purpose of this Analyzer is to index the CPE fields vendor and product.</p>
|
||||
* A Lucene Analyzer that utilizes the WhitespaceTokenizer, WordDelimiterFilter, LowerCaseFilter, and StopFilter. The intended
|
||||
* purpose of this Analyzer is to index the CPE fields vendor and product.</p>
|
||||
*
|
||||
* @author Jeremy Long <jeremy.long@owasp.org>
|
||||
*/
|
||||
|
||||
@@ -17,6 +17,7 @@
|
||||
*/
|
||||
package org.owasp.dependencycheck.data.lucene;
|
||||
|
||||
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
|
||||
import org.apache.lucene.util.Version;
|
||||
|
||||
/**
|
||||
@@ -28,10 +29,10 @@ import org.apache.lucene.util.Version;
|
||||
public final class LuceneUtils {
|
||||
|
||||
/**
|
||||
* The current version of Lucene being used. Declaring this one place so an upgrade doesn't require hunting through
|
||||
* the code base.
|
||||
* The current version of Lucene being used. Declaring this one place so an upgrade doesn't require hunting through the code
|
||||
* base.
|
||||
*/
|
||||
public static final Version CURRENT_VERSION = Version.LUCENE_45;
|
||||
public static final Version CURRENT_VERSION = Version.LUCENE_47;
|
||||
|
||||
/**
|
||||
* Private constructor as this is a utility class.
|
||||
@@ -46,7 +47,7 @@ public final class LuceneUtils {
|
||||
* @param text the data to be escaped
|
||||
*/
|
||||
@SuppressWarnings("fallthrough")
|
||||
@edu.umd.cs.findbugs.annotations.SuppressWarnings(
|
||||
@SuppressFBWarnings(
|
||||
value = "SF_SWITCH_NO_DEFAULT",
|
||||
justification = "The switch below does have a default.")
|
||||
public static void appendEscapedLuceneQuery(StringBuilder buf,
|
||||
|
||||
@@ -39,8 +39,7 @@ public class SearchFieldAnalyzer extends Analyzer {
|
||||
*/
|
||||
private final Version version;
|
||||
/**
|
||||
* A local reference to the TokenPairConcatenatingFilter so that we can clear any left over state if this analyzer
|
||||
* is re-used.
|
||||
* A local reference to the TokenPairConcatenatingFilter so that we can clear any left over state if this analyzer is re-used.
|
||||
*/
|
||||
private TokenPairConcatenatingFilter concatenatingFilter;
|
||||
|
||||
@@ -85,8 +84,7 @@ public class SearchFieldAnalyzer extends Analyzer {
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Resets the analyzer and clears any internal state data that may have been left-over from previous uses of the
|
||||
* analyzer.</p>
|
||||
* Resets the analyzer and clears any internal state data that may have been left-over from previous uses of the analyzer.</p>
|
||||
* <p>
|
||||
* <b>If this analyzer is re-used this method must be called between uses.</b></p>
|
||||
*/
|
||||
|
||||
@@ -1,72 +0,0 @@
|
||||
/*
|
||||
* This file is part of dependency-check-core.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
*/
|
||||
package org.owasp.dependencycheck.data.lucene;
|
||||
|
||||
import java.io.Reader;
|
||||
import org.apache.lucene.analysis.Analyzer;
|
||||
import org.apache.lucene.analysis.TokenStream;
|
||||
import org.apache.lucene.analysis.Tokenizer;
|
||||
import org.apache.lucene.analysis.core.LowerCaseFilter;
|
||||
import org.apache.lucene.analysis.core.WhitespaceTokenizer;
|
||||
import org.apache.lucene.util.Version;
|
||||
|
||||
/**
|
||||
* SearchVersionAnalyzer is a Lucene Analyzer used to analyze version information.
|
||||
*
|
||||
* @author Jeremy Long <jeremy.long@owasp.org>
|
||||
* @deprecated version information is no longer stored in lucene
|
||||
*/
|
||||
@Deprecated
|
||||
public class SearchVersionAnalyzer extends Analyzer {
|
||||
//TODO consider implementing payloads/custom attributes...
|
||||
// use custom attributes for major, minor, x, x, x, rcx
|
||||
// these can then be used to weight the score for searches on the version.
|
||||
// see http://lucene.apache.org/core/3_6_1/api/core/org/apache/lucene/analysis/package-summary.html#package_description
|
||||
// look at this article to implement
|
||||
// http://www.codewrecks.com/blog/index.php/2012/08/25/index-your-blog-using-tags-and-lucene-net/
|
||||
|
||||
/**
|
||||
* The Lucene Version used.
|
||||
*/
|
||||
private final Version version;
|
||||
|
||||
/**
|
||||
* Creates a new SearchVersionAnalyzer.
|
||||
*
|
||||
* @param version the Lucene version
|
||||
*/
|
||||
public SearchVersionAnalyzer(Version version) {
|
||||
this.version = version;
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates the TokenStreamComponents
|
||||
*
|
||||
* @param fieldName the field name being analyzed
|
||||
* @param reader the reader containing the input
|
||||
* @return the TokenStreamComponents
|
||||
*/
|
||||
@Override
|
||||
protected TokenStreamComponents createComponents(String fieldName, Reader reader) {
|
||||
final Tokenizer source = new WhitespaceTokenizer(version, reader);
|
||||
TokenStream stream = source;
|
||||
stream = new LowerCaseFilter(version, stream);
|
||||
stream = new VersionTokenizingFilter(stream);
|
||||
return new TokenStreamComponents(source, stream);
|
||||
}
|
||||
}
|
||||
@@ -92,7 +92,7 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
|
||||
|
||||
//if we have a previousTerm - write it out as its own token concatenated
|
||||
// with the current word (if one is available).
|
||||
if (previousWord != null && words.size() > 0) {
|
||||
if (previousWord != null && !words.isEmpty()) {
|
||||
final String word = words.getFirst();
|
||||
clearAttributes();
|
||||
termAtt.append(previousWord).append(word);
|
||||
@@ -100,7 +100,7 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
|
||||
return true;
|
||||
}
|
||||
//if we have words, write it out as a single token
|
||||
if (words.size() > 0) {
|
||||
if (!words.isEmpty()) {
|
||||
final String word = words.removeFirst();
|
||||
clearAttributes();
|
||||
termAtt.append(word);
|
||||
|
||||
@@ -60,7 +60,7 @@ public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
|
||||
public boolean incrementToken() throws IOException {
|
||||
final LinkedList<String> tokens = getTokens();
|
||||
final CharTermAttribute termAtt = getTermAtt();
|
||||
if (tokens.size() == 0 && input.incrementToken()) {
|
||||
if (tokens.isEmpty() && input.incrementToken()) {
|
||||
final String text = new String(termAtt.buffer(), 0, termAtt.length());
|
||||
if (UrlStringUtils.containsUrl(text)) {
|
||||
final String[] parts = text.split("\\s");
|
||||
|
||||
@@ -1,71 +0,0 @@
|
||||
/*
|
||||
* This file is part of dependency-check-core.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
*/
|
||||
package org.owasp.dependencycheck.data.lucene;
|
||||
|
||||
import java.io.Reader;
|
||||
import org.apache.lucene.analysis.Analyzer;
|
||||
import org.apache.lucene.analysis.TokenStream;
|
||||
import org.apache.lucene.analysis.Tokenizer;
|
||||
import org.apache.lucene.analysis.core.LowerCaseFilter;
|
||||
import org.apache.lucene.analysis.core.WhitespaceTokenizer;
|
||||
import org.apache.lucene.util.Version;
|
||||
|
||||
/**
|
||||
* VersionAnalyzer is a Lucene Analyzer used to analyze version information.
|
||||
*
|
||||
* @author Jeremy Long <jeremy.long@owasp.org>
|
||||
* @deprecated version information is no longer stored in lucene
|
||||
*/
|
||||
@Deprecated
|
||||
public class VersionAnalyzer extends Analyzer {
|
||||
//TODO consider implementing payloads/custom attributes...
|
||||
// use custom attributes for major, minor, x, x, x, rcx
|
||||
// these can then be used to weight the score for searches on the version.
|
||||
// see http://lucene.apache.org/core/3_6_1/api/core/org/apache/lucene/analysis/package-summary.html#package_description
|
||||
// look at this article to implement
|
||||
// http://www.codewrecks.com/blog/index.php/2012/08/25/index-your-blog-using-tags-and-lucene-net/
|
||||
|
||||
/**
|
||||
* The Lucene Version used.
|
||||
*/
|
||||
private final Version version;
|
||||
|
||||
/**
|
||||
* Creates a new VersionAnalyzer.
|
||||
*
|
||||
* @param version the Lucene version
|
||||
*/
|
||||
public VersionAnalyzer(Version version) {
|
||||
this.version = version;
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates the TokenStreamComponents
|
||||
*
|
||||
* @param fieldName the field name being analyzed
|
||||
* @param reader the reader containing the input
|
||||
* @return the TokenStreamComponents
|
||||
*/
|
||||
@Override
|
||||
protected TokenStreamComponents createComponents(String fieldName, Reader reader) {
|
||||
final Tokenizer source = new WhitespaceTokenizer(version, reader);
|
||||
TokenStream stream = source;
|
||||
stream = new LowerCaseFilter(version, stream);
|
||||
return new TokenStreamComponents(source, stream);
|
||||
}
|
||||
}
|
||||
@@ -1,98 +0,0 @@
|
||||
/*
|
||||
* This file is part of dependency-check-core.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
*/
|
||||
package org.owasp.dependencycheck.data.lucene;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.util.LinkedList;
|
||||
import org.apache.lucene.analysis.TokenStream;
|
||||
import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Takes a TokenStream and splits or adds tokens to correctly index version numbers.</p>
|
||||
* <p>
|
||||
* <b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE 3.0.0.RELEASE".</p>
|
||||
*
|
||||
* @author Jeremy Long <jeremy.long@owasp.org>
|
||||
* @deprecated version information is no longer stored in lucene
|
||||
*/
|
||||
@Deprecated
|
||||
public final class VersionTokenizingFilter extends AbstractTokenizingFilter {
|
||||
|
||||
/**
|
||||
* Constructs a new VersionTokenizingFilter.
|
||||
*
|
||||
* @param stream the TokenStream that this filter will process
|
||||
*/
|
||||
public VersionTokenizingFilter(TokenStream stream) {
|
||||
super(stream);
|
||||
}
|
||||
|
||||
/**
|
||||
* Increments the underlying TokenStream and sets CharTermAttributes to construct an expanded set of tokens by
|
||||
* concatenating tokens with the previous token.
|
||||
*
|
||||
* @return whether or not we have hit the end of the TokenStream
|
||||
* @throws IOException is thrown when an IOException occurs
|
||||
*/
|
||||
@Override
|
||||
public boolean incrementToken() throws IOException {
|
||||
final LinkedList<String> tokens = getTokens();
|
||||
final CharTermAttribute termAtt = getTermAtt();
|
||||
if (tokens.size() == 0 && input.incrementToken()) {
|
||||
final String version = new String(termAtt.buffer(), 0, termAtt.length());
|
||||
final String[] toAnalyze = version.split("[_-]");
|
||||
//ensure we analyze the whole string as one too
|
||||
analyzeVersion(version);
|
||||
for (String str : toAnalyze) {
|
||||
analyzeVersion(str);
|
||||
}
|
||||
}
|
||||
return addTerm();
|
||||
}
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Analyzes the version and adds several copies of the version as different tokens. For example, the version 1.2.7
|
||||
* would create the tokens 1 1.2 1.2.7. This is useful in discovering the correct version - sometimes a maintenance
|
||||
* or build number will throw off the version identification.</p>
|
||||
*
|
||||
* <p>
|
||||
* expected format:&nbps;major.minor[.maintenance[.build]]</p>
|
||||
*
|
||||
* @param version the version to analyze
|
||||
*/
|
||||
private void analyzeVersion(String version) {
|
||||
//todo should we also be splitting on dash or underscore? we would need
|
||||
// to incorporate the dash or underscore back in...
|
||||
final LinkedList<String> tokens = getTokens();
|
||||
final String[] versionParts = version.split("\\.");
|
||||
String dottedVersion = null;
|
||||
for (String current : versionParts) {
|
||||
if (!current.matches("^/d+$")) {
|
||||
tokens.add(current);
|
||||
}
|
||||
if (dottedVersion == null) {
|
||||
dottedVersion = current;
|
||||
} else {
|
||||
dottedVersion = dottedVersion + "." + current;
|
||||
}
|
||||
tokens.add(dottedVersion);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -24,6 +24,11 @@ package org.owasp.dependencycheck.data.nexus;
|
||||
*/
|
||||
public class MavenArtifact {
|
||||
|
||||
/**
|
||||
* The base URL for download artifacts from Central.
|
||||
*/
|
||||
private static final String CENTRAL_CONTENT_URL = "http://search.maven.org/remotecontent?filepath=";
|
||||
|
||||
/**
|
||||
* The groupId
|
||||
*/
|
||||
@@ -43,6 +48,10 @@ public class MavenArtifact {
|
||||
* The artifact url. This may change depending on which Nexus server the search took place.
|
||||
*/
|
||||
private String artifactUrl;
|
||||
/**
|
||||
* The url to download the POM from.
|
||||
*/
|
||||
private String pomUrl;
|
||||
|
||||
/**
|
||||
* Creates an empty MavenArtifact.
|
||||
@@ -58,9 +67,34 @@ public class MavenArtifact {
|
||||
* @param version the version
|
||||
*/
|
||||
public MavenArtifact(String groupId, String artifactId, String version) {
|
||||
setGroupId(groupId);
|
||||
setArtifactId(artifactId);
|
||||
setVersion(version);
|
||||
this.groupId = groupId;
|
||||
this.artifactId = artifactId;
|
||||
this.version = version;
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates a MavenArtifact with the given attributes.
|
||||
*
|
||||
* @param groupId the groupId
|
||||
* @param artifactId the artifactId
|
||||
* @param version the version
|
||||
* @param jarAvailable if the jar file is available from central
|
||||
* @param pomAvailable if the pom file is available from central
|
||||
*/
|
||||
public MavenArtifact(String groupId, String artifactId, String version, boolean jarAvailable, boolean pomAvailable) {
|
||||
this.groupId = groupId;
|
||||
this.artifactId = artifactId;
|
||||
this.version = version;
|
||||
if (jarAvailable) {
|
||||
//org/springframework/spring-core/3.2.0.RELEASE/spring-core-3.2.0.RELEASE.pom
|
||||
this.artifactUrl = this.CENTRAL_CONTENT_URL + groupId.replace('.', '/') + "/" + artifactId.replace('.', '/') + "/"
|
||||
+ version + "/" + artifactId + "-" + version + ".jar";
|
||||
}
|
||||
if (pomAvailable) {
|
||||
//org/springframework/spring-core/3.2.0.RELEASE/spring-core-3.2.0.RELEASE.pom
|
||||
this.pomUrl = this.CENTRAL_CONTENT_URL + groupId.replace('.', '/') + "/" + artifactId.replace('.', '/') + "/"
|
||||
+ version + "/" + artifactId + "-" + version + ".pom";
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -72,10 +106,10 @@ public class MavenArtifact {
|
||||
* @param url the artifactLink url
|
||||
*/
|
||||
public MavenArtifact(String groupId, String artifactId, String version, String url) {
|
||||
setGroupId(groupId);
|
||||
setArtifactId(artifactId);
|
||||
setVersion(version);
|
||||
setArtifactUrl(url);
|
||||
this.groupId = groupId;
|
||||
this.artifactId = artifactId;
|
||||
this.version = version;
|
||||
this.artifactUrl = url;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -159,6 +193,25 @@ public class MavenArtifact {
|
||||
public String getArtifactUrl() {
|
||||
return artifactUrl;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the value of pomUrl.
|
||||
*
|
||||
* @return the value of pomUrl
|
||||
*/
|
||||
public String getPomUrl() {
|
||||
return pomUrl;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the value of pomUrl.
|
||||
*
|
||||
* @param pomUrl new value of pomUrl
|
||||
*/
|
||||
public void setPomUrl(String pomUrl) {
|
||||
this.pomUrl = pomUrl;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// vim: cc=120:sw=4:ts=4:sts=4
|
||||
|
||||
@@ -58,8 +58,8 @@ public class NexusSearch {
|
||||
/**
|
||||
* Creates a NexusSearch for the given repository URL.
|
||||
*
|
||||
* @param rootURL the root URL of the repository on which searches should execute. full URL's are calculated
|
||||
* relative to this URL, so it should end with a /
|
||||
* @param rootURL the root URL of the repository on which searches should execute. full URL's are calculated relative to this
|
||||
* URL, so it should end with a /
|
||||
*/
|
||||
public NexusSearch(URL rootURL) {
|
||||
this.rootURL = rootURL;
|
||||
@@ -78,13 +78,12 @@ public class NexusSearch {
|
||||
}
|
||||
|
||||
/**
|
||||
* Searches the configured Nexus repository for the given sha1 hash. If the artifact is found, a
|
||||
* <code>MavenArtifact</code> is populated with the coordinate information.
|
||||
* Searches the configured Nexus repository for the given sha1 hash. If the artifact is found, a <code>MavenArtifact</code> is
|
||||
* populated with the coordinate information.
|
||||
*
|
||||
* @param sha1 The SHA-1 hash string for which to search
|
||||
* @return the populated Maven coordinates
|
||||
* @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not
|
||||
* found.
|
||||
* @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not found.
|
||||
*/
|
||||
public MavenArtifact searchSha1(String sha1) throws IOException {
|
||||
if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) {
|
||||
@@ -131,7 +130,18 @@ public class NexusSearch {
|
||||
.evaluate(
|
||||
"/org.sonatype.nexus.rest.model.NexusArtifact/artifactLink",
|
||||
doc);
|
||||
return new MavenArtifact(groupId, artifactId, version, link);
|
||||
final String pomLink = xpath
|
||||
.evaluate(
|
||||
"/org.sonatype.nexus.rest.model.NexusArtifact/pomLink",
|
||||
doc);
|
||||
final MavenArtifact ma = new MavenArtifact(groupId, artifactId, version);
|
||||
if (link != null && !"".equals(link)) {
|
||||
ma.setArtifactUrl(link);
|
||||
}
|
||||
if (pomLink != null && !"".equals(pomLink)) {
|
||||
ma.setPomUrl(pomLink);
|
||||
}
|
||||
return ma;
|
||||
} catch (Throwable e) {
|
||||
// Anything else is jacked-up XML stuff that we really can't recover
|
||||
// from well
|
||||
|
||||
@@ -17,6 +17,7 @@
|
||||
*/
|
||||
package org.owasp.dependencycheck.data.nvdcve;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.io.UnsupportedEncodingException;
|
||||
import java.sql.Connection;
|
||||
import java.sql.PreparedStatement;
|
||||
@@ -24,8 +25,10 @@ import java.sql.ResultSet;
|
||||
import java.sql.SQLException;
|
||||
import java.sql.Statement;
|
||||
import java.util.ArrayList;
|
||||
import java.util.HashMap;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Map.Entry;
|
||||
import java.util.Properties;
|
||||
import java.util.Set;
|
||||
@@ -39,6 +42,7 @@ import org.owasp.dependencycheck.utils.DBUtils;
|
||||
import org.owasp.dependencycheck.utils.DependencyVersion;
|
||||
import org.owasp.dependencycheck.utils.DependencyVersionUtil;
|
||||
import org.owasp.dependencycheck.utils.Pair;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
|
||||
/**
|
||||
* The database holding information about the NVD CVE data.
|
||||
@@ -57,8 +61,8 @@ public class CveDB {
|
||||
private Connection conn;
|
||||
|
||||
/**
|
||||
* Creates a new CveDB object and opens the database connection. Note, the connection must be closed by the caller
|
||||
* by calling the close method.
|
||||
* Creates a new CveDB object and opens the database connection. Note, the connection must be closed by the caller by calling
|
||||
* the close method.
|
||||
*
|
||||
* @throws DatabaseException thrown if there is an exception opening the database.
|
||||
*/
|
||||
@@ -87,7 +91,9 @@ public class CveDB {
|
||||
* @throws DatabaseException thrown if there is an error opening the database connection
|
||||
*/
|
||||
public final void open() throws DatabaseException {
|
||||
conn = ConnectionFactory.getConnection();
|
||||
if (!isOpen()) {
|
||||
conn = ConnectionFactory.getConnection();
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -170,8 +176,8 @@ public class CveDB {
|
||||
*/
|
||||
private static final String DELETE_VULNERABILITY = "DELETE FROM vulnerability WHERE id = ?";
|
||||
/**
|
||||
* SQL Statement to cleanup orphan entries. Yes, the db schema could be a little tighter, but what we have works
|
||||
* well to keep the data file size down a bit.
|
||||
* SQL Statement to cleanup orphan entries. Yes, the db schema could be a little tighter, but what we have works well to keep
|
||||
* the data file size down a bit.
|
||||
*/
|
||||
private static final String CLEANUP_ORPHANS = "DELETE FROM CpeEntry WHERE id not in (SELECT CPEEntryId FROM Software); ";
|
||||
/**
|
||||
@@ -208,7 +214,8 @@ public class CveDB {
|
||||
private static final String SELECT_CVE_FROM_SOFTWARE = "SELECT cve, cpe, previousVersion "
|
||||
+ "FROM software INNER JOIN vulnerability ON vulnerability.id = software.cveId "
|
||||
+ "INNER JOIN cpeEntry ON cpeEntry.id = software.cpeEntryId "
|
||||
+ "WHERE vendor = ? AND product = ?";
|
||||
+ "WHERE vendor = ? AND product = ? "
|
||||
+ "ORDER BY cve, cpe"; //, previousVersion
|
||||
//unfortunately, the version info is too complicated to do in a select. Need to filter this afterwards
|
||||
// + " AND (version = '-' OR previousVersion IS NOT NULL OR version=?)";
|
||||
//
|
||||
@@ -266,8 +273,8 @@ public class CveDB {
|
||||
|
||||
//</editor-fold>
|
||||
/**
|
||||
* Searches the CPE entries in the database and retrieves all entries for a given vendor and product combination.
|
||||
* The returned list will include all versions of the product that are registered in the NVD CVE data.
|
||||
* Searches the CPE entries in the database and retrieves all entries for a given vendor and product combination. The returned
|
||||
* list will include all versions of the product that are registered in the NVD CVE data.
|
||||
*
|
||||
* @param vendor the identified vendor name of the dependency being analyzed
|
||||
* @param product the identified name of the product of the dependency being analyzed
|
||||
@@ -452,30 +459,41 @@ public class CveDB {
|
||||
final List<Vulnerability> vulnerabilities = new ArrayList<Vulnerability>();
|
||||
|
||||
PreparedStatement ps;
|
||||
final HashSet<String> cveEntries = new HashSet<String>();
|
||||
try {
|
||||
ps = getConnection().prepareStatement(SELECT_CVE_FROM_SOFTWARE);
|
||||
ps.setString(1, cpe.getVendor());
|
||||
ps.setString(2, cpe.getProduct());
|
||||
rs = ps.executeQuery();
|
||||
String currentCVE = "";
|
||||
|
||||
final Map<String, Boolean> vulnSoftware = new HashMap<String, Boolean>();
|
||||
while (rs.next()) {
|
||||
final String cveId = rs.getString(1);
|
||||
if (!currentCVE.equals(cveId)) { //check for match and add
|
||||
final Entry<String, Boolean> matchedCPE = getMatchingSoftware(vulnSoftware, cpe.getVendor(), cpe.getProduct(), detectedVersion);
|
||||
if (matchedCPE != null) {
|
||||
final Vulnerability v = getVulnerability(currentCVE);
|
||||
v.setMatchedCPE(matchedCPE.getKey(), matchedCPE.getValue() ? "Y" : null);
|
||||
vulnerabilities.add(v);
|
||||
}
|
||||
vulnSoftware.clear();
|
||||
currentCVE = cveId;
|
||||
}
|
||||
|
||||
final String cpeId = rs.getString(2);
|
||||
final String previous = rs.getString(3);
|
||||
if (!cveEntries.contains(cveId) && isAffected(cpe.getVendor(), cpe.getProduct(), detectedVersion, cpeId, previous)) {
|
||||
cveEntries.add(cveId);
|
||||
final Vulnerability v = getVulnerability(cveId);
|
||||
v.setMatchedCPE(cpeId, previous);
|
||||
vulnerabilities.add(v);
|
||||
}
|
||||
final Boolean p = previous != null && !previous.isEmpty();
|
||||
vulnSoftware.put(cpeId, p);
|
||||
}
|
||||
//remember to process the last set of CVE/CPE entries
|
||||
final Entry<String, Boolean> matchedCPE = getMatchingSoftware(vulnSoftware, cpe.getVendor(), cpe.getProduct(), detectedVersion);
|
||||
if (matchedCPE != null) {
|
||||
final Vulnerability v = getVulnerability(currentCVE);
|
||||
v.setMatchedCPE(matchedCPE.getKey(), matchedCPE.getValue() ? "Y" : null);
|
||||
vulnerabilities.add(v);
|
||||
}
|
||||
DBUtils.closeResultSet(rs);
|
||||
DBUtils.closeStatement(ps);
|
||||
// for (String cve : cveEntries) {
|
||||
// final Vulnerability v = getVulnerability(cve);
|
||||
// vulnerabilities.add(v);
|
||||
// }
|
||||
|
||||
} catch (SQLException ex) {
|
||||
throw new DatabaseException("Exception retrieving vulnerability for " + cpeStr, ex);
|
||||
} finally {
|
||||
@@ -701,8 +719,45 @@ public class CveDB {
|
||||
}
|
||||
|
||||
/**
|
||||
* It is possible that orphaned rows may be generated during database updates. This should be called after all
|
||||
* updates have been completed to ensure orphan entries are removed.
|
||||
* Checks to see if data exists so that analysis can be performed.
|
||||
*
|
||||
* @return <code>true</code> if data exists; otherwise <code>false</code>
|
||||
*/
|
||||
public boolean dataExists() {
|
||||
Statement cs = null;
|
||||
ResultSet rs = null;
|
||||
try {
|
||||
cs = conn.createStatement();
|
||||
rs = cs.executeQuery("SELECT COUNT(*) records FROM cpeEntry");
|
||||
if (rs.next()) {
|
||||
if (rs.getInt(1) > 0) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
} catch (SQLException ex) {
|
||||
String dd;
|
||||
try {
|
||||
dd = Settings.getDataDirectory().getAbsolutePath();
|
||||
} catch (IOException ex1) {
|
||||
dd = Settings.getString(Settings.KEYS.DATA_DIRECTORY);
|
||||
}
|
||||
final String msg = String.format("Unable to access the local database.%n%nEnsure that '%s' is a writable directory. "
|
||||
+ "If the problem persist try deleting the files in '%s' and running %s again. If the problem continues, please "
|
||||
+ "create a log file (see documentation at http://jeremylong.github.io/DependencyCheck/) and open a ticket at "
|
||||
+ "https://github.com/jeremylong/DependencyCheck/issues and include the log file.%n%n",
|
||||
dd, dd, Settings.getString(Settings.KEYS.APPLICATION_VAME));
|
||||
LOGGER.log(Level.SEVERE, msg);
|
||||
LOGGER.log(Level.FINE, "", ex);
|
||||
} finally {
|
||||
DBUtils.closeResultSet(rs);
|
||||
DBUtils.closeStatement(cs);
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* It is possible that orphaned rows may be generated during database updates. This should be called after all updates have
|
||||
* been completed to ensure orphan entries are removed.
|
||||
*/
|
||||
public void cleanupDatabase() {
|
||||
PreparedStatement ps = null;
|
||||
@@ -721,46 +776,80 @@ public class CveDB {
|
||||
}
|
||||
|
||||
/**
|
||||
* Determines if the given identifiedVersion is affected by the given cpeId and previous version flag. A non-null,
|
||||
* non-empty string passed to the previous version argument indicates that all previous versions are affected.
|
||||
* Determines if the given identifiedVersion is affected by the given cpeId and previous version flag. A non-null, non-empty
|
||||
* string passed to the previous version argument indicates that all previous versions are affected.
|
||||
*
|
||||
* @param vendor the vendor of the dependency being analyzed
|
||||
* @param product the product name of the dependency being analyzed
|
||||
* @param vulnerableSoftware a map of the vulnerable software with a boolean indicating if all previous versions are affected
|
||||
* @param identifiedVersion the identified version of the dependency being analyzed
|
||||
* @param cpeId the cpe identifier of software that has a known vulnerability
|
||||
* @param previous a flag indicating if previous versions of the product are vulnerable
|
||||
* @return true if the identified version is affected, otherwise false
|
||||
*/
|
||||
protected boolean isAffected(String vendor, String product, DependencyVersion identifiedVersion, String cpeId, String previous) {
|
||||
boolean affected = false;
|
||||
final boolean isStruts = "apache".equals(vendor) && "struts".equals(product);
|
||||
final DependencyVersion v = parseDependencyVersion(cpeId);
|
||||
final boolean prevAffected = previous != null && !previous.isEmpty();
|
||||
if (v == null || "-".equals(v.toString())) { //all versions
|
||||
affected = true;
|
||||
} else if (identifiedVersion == null || "-".equals(identifiedVersion.toString())) {
|
||||
if (prevAffected) {
|
||||
affected = true;
|
||||
Entry<String, Boolean> getMatchingSoftware(Map<String, Boolean> vulnerableSoftware, String vendor, String product,
|
||||
DependencyVersion identifiedVersion) {
|
||||
|
||||
final boolean isVersionTwoADifferentProduct = "apache".equals(vendor) && "struts".equals(product);
|
||||
|
||||
final Set<String> majorVersionsAffectingAllPrevious = new HashSet<String>();
|
||||
final boolean matchesAnyPrevious = identifiedVersion == null || "-".equals(identifiedVersion.toString());
|
||||
String majorVersionMatch = null;
|
||||
for (Entry<String, Boolean> entry : vulnerableSoftware.entrySet()) {
|
||||
final DependencyVersion v = parseDependencyVersion(entry.getKey());
|
||||
if (v == null || "-".equals(v.toString())) { //all versions
|
||||
return entry;
|
||||
}
|
||||
} else if (identifiedVersion.equals(v) || (prevAffected && identifiedVersion.compareTo(v) < 0)) {
|
||||
if (isStruts) { //struts 2 vulns don't affect struts 1
|
||||
if (identifiedVersion.getVersionParts().get(0).equals(v.getVersionParts().get(0))) {
|
||||
affected = true;
|
||||
if (entry.getValue()) {
|
||||
if (matchesAnyPrevious) {
|
||||
return entry;
|
||||
}
|
||||
} else {
|
||||
affected = true;
|
||||
if (identifiedVersion != null && identifiedVersion.getVersionParts().get(0).equals(v.getVersionParts().get(0))) {
|
||||
majorVersionMatch = v.getVersionParts().get(0);
|
||||
}
|
||||
majorVersionsAffectingAllPrevious.add(v.getVersionParts().get(0));
|
||||
}
|
||||
}
|
||||
/*
|
||||
* TODO consider utilizing the matchThreeVersion method to get additional results. However, this
|
||||
* might also introduce false positives.
|
||||
*/
|
||||
return affected;
|
||||
if (matchesAnyPrevious) {
|
||||
return null;
|
||||
}
|
||||
|
||||
final boolean canSkipVersions = majorVersionMatch != null && majorVersionsAffectingAllPrevious.size() > 1;
|
||||
//yes, we are iterating over this twice. The first time we are skipping versions those that affect all versions
|
||||
//then later we process those that affect all versions. This could be done with sorting...
|
||||
for (Entry<String, Boolean> entry : vulnerableSoftware.entrySet()) {
|
||||
if (!entry.getValue()) {
|
||||
final DependencyVersion v = parseDependencyVersion(entry.getKey());
|
||||
//this can't dereference a null 'majorVersionMatch' as canSkipVersions accounts for this.
|
||||
if (canSkipVersions && !majorVersionMatch.equals(v.getVersionParts().get(0))) {
|
||||
continue;
|
||||
}
|
||||
//this can't dereference a null 'identifiedVersion' because if it was null we would have exited
|
||||
//in the above loop or just after loop (if matchesAnyPrevious return null).
|
||||
if (identifiedVersion.equals(v)) {
|
||||
return entry;
|
||||
}
|
||||
}
|
||||
}
|
||||
for (Entry<String, Boolean> entry : vulnerableSoftware.entrySet()) {
|
||||
if (entry.getValue()) {
|
||||
final DependencyVersion v = parseDependencyVersion(entry.getKey());
|
||||
//this can't dereference a null 'majorVersionMatch' as canSkipVersions accounts for this.
|
||||
if (canSkipVersions && !majorVersionMatch.equals(v.getVersionParts().get(0))) {
|
||||
continue;
|
||||
}
|
||||
//this can't dereference a null 'identifiedVersion' because if it was null we would have exited
|
||||
//in the above loop or just after loop (if matchesAnyPrevious return null).
|
||||
if (entry.getValue() && identifiedVersion.compareTo(v) <= 0) {
|
||||
if (!(isVersionTwoADifferentProduct && !identifiedVersion.getVersionParts().get(0).equals(v.getVersionParts().get(0)))) {
|
||||
return entry;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Parses the version (including revision) from a CPE identifier. If no version is identified then a '-' is
|
||||
* returned.
|
||||
* Parses the version (including revision) from a CPE identifier. If no version is identified then a '-' is returned.
|
||||
*
|
||||
* @param cpeStr a cpe identifier
|
||||
* @return a dependency version
|
||||
@@ -784,9 +873,9 @@ public class CveDB {
|
||||
*/
|
||||
private DependencyVersion parseDependencyVersion(VulnerableSoftware cpe) {
|
||||
DependencyVersion cpeVersion;
|
||||
if (cpe.getVersion() != null && cpe.getVersion().length() > 0) {
|
||||
if (cpe.getVersion() != null && !cpe.getVersion().isEmpty()) {
|
||||
String versionText;
|
||||
if (cpe.getRevision() != null && cpe.getRevision().length() > 0) {
|
||||
if (cpe.getRevision() != null && !cpe.getRevision().isEmpty()) {
|
||||
versionText = String.format("%s.%s", cpe.getVersion(), cpe.getRevision());
|
||||
} else {
|
||||
versionText = cpe.getVersion();
|
||||
|
||||
@@ -91,7 +91,7 @@ public class DatabaseProperties {
|
||||
}
|
||||
|
||||
/**
|
||||
* Writes a properties file containing the last updated date to the VULNERABLE_CPE directory.
|
||||
* Saves the last updated information to the properties file.
|
||||
*
|
||||
* @param updatedValue the updated NVD CVE entry
|
||||
* @throws UpdateException is thrown if there is an update exception
|
||||
@@ -100,8 +100,19 @@ public class DatabaseProperties {
|
||||
if (updatedValue == null) {
|
||||
return;
|
||||
}
|
||||
properties.put(LAST_UPDATED_BASE + updatedValue.getId(), String.valueOf(updatedValue.getTimestamp()));
|
||||
cveDB.saveProperty(LAST_UPDATED_BASE + updatedValue.getId(), String.valueOf(updatedValue.getTimestamp()));
|
||||
save(LAST_UPDATED_BASE + updatedValue.getId(), String.valueOf(updatedValue.getTimestamp()));
|
||||
}
|
||||
|
||||
/**
|
||||
* Saves the key value pair to the properties store.
|
||||
*
|
||||
* @param key the property key
|
||||
* @param value the property value
|
||||
* @throws UpdateException is thrown if there is an update exception
|
||||
*/
|
||||
public void save(String key, String value) throws UpdateException {
|
||||
properties.put(key, value);
|
||||
cveDB.saveProperty(key, value);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -143,7 +154,7 @@ public class DatabaseProperties {
|
||||
* @return a map of the database meta data
|
||||
*/
|
||||
public Map<String, String> getMetaData() {
|
||||
final TreeMap<String, String> map = new TreeMap<String, String>();
|
||||
final Map<String, String> map = new TreeMap<String, String>();
|
||||
for (Entry<Object, Object> entry : properties.entrySet()) {
|
||||
final String key = (String) entry.getKey();
|
||||
if (!"version".equals(key)) {
|
||||
|
||||
@@ -27,6 +27,7 @@ import java.sql.Driver;
|
||||
import java.sql.DriverManager;
|
||||
import java.sql.SQLException;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.logging.Level;
|
||||
import java.util.logging.Logger;
|
||||
|
||||
@@ -75,7 +76,7 @@ public final class DriverLoader {
|
||||
*/
|
||||
public static Driver load(String className, String pathToDriver) throws DriverLoadException {
|
||||
final URLClassLoader parent = (URLClassLoader) ClassLoader.getSystemClassLoader();
|
||||
final ArrayList<URL> urls = new ArrayList<URL>();
|
||||
final List<URL> urls = new ArrayList<URL>();
|
||||
final String[] paths = pathToDriver.split(File.pathSeparator);
|
||||
for (String path : paths) {
|
||||
final File file = new File(path);
|
||||
|
||||
@@ -0,0 +1,214 @@
|
||||
/*
|
||||
* This file is part of dependency-check-core.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
|
||||
*/
|
||||
package org.owasp.dependencycheck.data.update;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.net.HttpURLConnection;
|
||||
import java.net.MalformedURLException;
|
||||
import java.net.URL;
|
||||
import java.util.Date;
|
||||
import java.util.logging.Level;
|
||||
import java.util.logging.Logger;
|
||||
import org.apache.commons.io.IOUtils;
|
||||
import org.owasp.dependencycheck.data.nvdcve.CveDB;
|
||||
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
|
||||
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
|
||||
import org.owasp.dependencycheck.data.update.exception.UpdateException;
|
||||
import org.owasp.dependencycheck.utils.DateUtil;
|
||||
import org.owasp.dependencycheck.utils.DependencyVersion;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
import org.owasp.dependencycheck.utils.URLConnectionFactory;
|
||||
import org.owasp.dependencycheck.utils.URLConnectionFailureException;
|
||||
|
||||
/**
|
||||
*
|
||||
* @author Jeremy Long <jeremy.long@owasp.org>
|
||||
*/
|
||||
public class EngineVersionCheck implements CachedWebDataSource {
|
||||
|
||||
/**
|
||||
* Static logger.
|
||||
*/
|
||||
private static final Logger LOGGER = Logger.getLogger(EngineVersionCheck.class.getName());
|
||||
/**
|
||||
* The property key indicating when the last version check occurred.
|
||||
*/
|
||||
public static final String ENGINE_VERSION_CHECKED_ON = "VersionCheckOn";
|
||||
/**
|
||||
* The property key indicating when the last version check occurred.
|
||||
*/
|
||||
public static final String CURRENT_ENGINE_RELEASE = "CurrentEngineRelease";
|
||||
/**
|
||||
* Reference to the Cve Database.
|
||||
*/
|
||||
private CveDB cveDB = null;
|
||||
|
||||
/**
|
||||
* The version retrieved from the database properties or web to check against.
|
||||
*/
|
||||
private String updateToVersion;
|
||||
|
||||
/**
|
||||
* Getter for updateToVersion - only used for testing. Represents the version retrieved from the database.
|
||||
*
|
||||
* @return the version to test
|
||||
*/
|
||||
protected String getUpdateToVersion() {
|
||||
return updateToVersion;
|
||||
}
|
||||
|
||||
/**
|
||||
* Setter for updateToVersion - only used for testing. Represents the version retrieved from the database.
|
||||
*
|
||||
* @param version the version to test
|
||||
*/
|
||||
protected void setUpdateToVersion(String version) {
|
||||
updateToVersion = version;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void update() throws UpdateException {
|
||||
try {
|
||||
openDatabase();
|
||||
LOGGER.fine("Begin Engine Version Check");
|
||||
final DatabaseProperties properties = cveDB.getDatabaseProperties();
|
||||
final long lastChecked = Long.parseLong(properties.getProperty(ENGINE_VERSION_CHECKED_ON, "0"));
|
||||
final long now = (new Date()).getTime();
|
||||
updateToVersion = properties.getProperty(CURRENT_ENGINE_RELEASE, "");
|
||||
final String currentVersion = Settings.getString(Settings.KEYS.APPLICATION_VERSION, "0.0.0");
|
||||
LOGGER.fine("Last checked: " + lastChecked);
|
||||
LOGGER.fine("Now: " + now);
|
||||
LOGGER.fine("Current version: " + currentVersion);
|
||||
final boolean updateNeeded = shouldUpdate(lastChecked, now, properties, currentVersion);
|
||||
if (updateNeeded) {
|
||||
final String msg = String.format("A new version of dependency-check is available. Consider updating to version %s.",
|
||||
updateToVersion);
|
||||
LOGGER.warning(msg);
|
||||
}
|
||||
} catch (DatabaseException ex) {
|
||||
LOGGER.log(Level.FINE, "Database Exception opening databases to retrieve properties", ex);
|
||||
throw new UpdateException("Error occured updating database properties.");
|
||||
} finally {
|
||||
closeDatabase();
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Determines if a new version of the dependency-check engine has been released.
|
||||
*
|
||||
* @param lastChecked the epoch time of the last version check
|
||||
* @param now the current epoch time
|
||||
* @param properties the database properties object
|
||||
* @param currentVersion the current version of dependency-check
|
||||
* @return <code>true</code> if a newer version of the database has been released; otherwise <code>false</code>
|
||||
* @throws UpdateException thrown if there is an error connecting to the github documentation site or accessing the
|
||||
* local database.
|
||||
*/
|
||||
protected boolean shouldUpdate(final long lastChecked, final long now, final DatabaseProperties properties,
|
||||
String currentVersion) throws UpdateException {
|
||||
//check every 30 days if we know there is an update, otherwise check every 7 days
|
||||
int checkRange = 30;
|
||||
if (updateToVersion.isEmpty()) {
|
||||
checkRange = 7;
|
||||
}
|
||||
if (!DateUtil.withinDateRange(lastChecked, now, checkRange)) {
|
||||
LOGGER.fine("Checking web for new version.");
|
||||
final String currentRelease = getCurrentReleaseVersion();
|
||||
if (currentRelease != null) {
|
||||
final DependencyVersion v = new DependencyVersion(currentRelease);
|
||||
if (v.getVersionParts() != null && v.getVersionParts().size() >= 3) {
|
||||
updateToVersion = v.toString();
|
||||
if (!currentRelease.equals(updateToVersion)) {
|
||||
properties.save(CURRENT_ENGINE_RELEASE, updateToVersion);
|
||||
} else {
|
||||
properties.save(CURRENT_ENGINE_RELEASE, "");
|
||||
}
|
||||
properties.save(ENGINE_VERSION_CHECKED_ON, Long.toString(now));
|
||||
}
|
||||
}
|
||||
LOGGER.log(Level.FINE, "Current Release: {0}", updateToVersion);
|
||||
}
|
||||
final DependencyVersion running = new DependencyVersion(currentVersion);
|
||||
final DependencyVersion released = new DependencyVersion(updateToVersion);
|
||||
if (running.compareTo(released) < 0) {
|
||||
LOGGER.fine("Upgrade recommended");
|
||||
return true;
|
||||
}
|
||||
LOGGER.fine("Upgrade not needed");
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Opens the CVE and CPE data stores.
|
||||
*
|
||||
* @throws DatabaseException thrown if a data store cannot be opened
|
||||
*/
|
||||
protected final void openDatabase() throws DatabaseException {
|
||||
if (cveDB != null) {
|
||||
return;
|
||||
}
|
||||
cveDB = new CveDB();
|
||||
cveDB.open();
|
||||
}
|
||||
|
||||
/**
|
||||
* Closes the CVE and CPE data stores.
|
||||
*/
|
||||
protected void closeDatabase() {
|
||||
if (cveDB != null) {
|
||||
try {
|
||||
cveDB.close();
|
||||
} catch (Throwable ignore) {
|
||||
LOGGER.log(Level.FINEST, "Error closing the cveDB", ignore);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Retrieves the current released version number from the github documentation site.
|
||||
*
|
||||
* @return the current released version number
|
||||
*/
|
||||
protected String getCurrentReleaseVersion() {
|
||||
HttpURLConnection conn = null;
|
||||
try {
|
||||
final String str = Settings.getString(Settings.KEYS.ENGINE_VERSION_CHECK_URL, "http://jeremylong.github.io/DependencyCheck/current.txt");
|
||||
final URL url = new URL(str);
|
||||
conn = URLConnectionFactory.createHttpURLConnection(url);
|
||||
conn.connect();
|
||||
if (conn.getResponseCode() != 200) {
|
||||
return null;
|
||||
}
|
||||
final String releaseVersion = IOUtils.toString(conn.getInputStream(), "UTF-8");
|
||||
if (releaseVersion != null) {
|
||||
return releaseVersion.trim();
|
||||
}
|
||||
} catch (MalformedURLException ex) {
|
||||
LOGGER.log(Level.FINE, "unable to retrieve current release version of dependency-check", ex);
|
||||
} catch (URLConnectionFailureException ex) {
|
||||
LOGGER.log(Level.FINE, "unable to retrieve current release version of dependency-check", ex);
|
||||
} catch (IOException ex) {
|
||||
LOGGER.log(Level.FINE, "unable to retrieve current release version of dependency-check", ex);
|
||||
} finally {
|
||||
if (conn != null) {
|
||||
conn.disconnect();
|
||||
}
|
||||
}
|
||||
return null;
|
||||
}
|
||||
}
|
||||
@@ -36,6 +36,7 @@ import org.owasp.dependencycheck.data.update.exception.InvalidDataException;
|
||||
import org.owasp.dependencycheck.data.update.exception.UpdateException;
|
||||
import org.owasp.dependencycheck.data.update.task.DownloadTask;
|
||||
import org.owasp.dependencycheck.data.update.task.ProcessTask;
|
||||
import org.owasp.dependencycheck.utils.DateUtil;
|
||||
import org.owasp.dependencycheck.utils.DownloadFailedException;
|
||||
import org.owasp.dependencycheck.utils.InvalidSettingException;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
@@ -220,7 +221,7 @@ public class StandardUpdate {
|
||||
final int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS, 7);
|
||||
if (lastUpdated == updates.getTimeStamp(MODIFIED)) {
|
||||
updates.clear(); //we don't need to update anything.
|
||||
} else if (withinRange(lastUpdated, now.getTime(), days)) {
|
||||
} else if (DateUtil.withinDateRange(lastUpdated, now.getTime(), days)) {
|
||||
for (NvdCveInfo entry : updates) {
|
||||
if (MODIFIED.equals(entry.getId())) {
|
||||
entry.setNeedsUpdate(true);
|
||||
@@ -317,19 +318,4 @@ public class StandardUpdate {
|
||||
throw new UpdateException("Error updating the CPE/CVE data, please see the log file for more details.");
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Determines if the epoch date is within the range specified of the compareTo epoch time. This takes the
|
||||
* (compareTo-date)/1000/60/60/24 to get the number of days. If the calculated days is less then the range the date
|
||||
* is considered valid.
|
||||
*
|
||||
* @param date the date to be checked.
|
||||
* @param compareTo the date to compare to.
|
||||
* @param range the range in days to be considered valid.
|
||||
* @return whether or not the date is within the range.
|
||||
*/
|
||||
protected boolean withinRange(long date, long compareTo, int range) {
|
||||
final double differenceInDays = (compareTo - date) / 1000.0 / 60.0 / 60.0 / 24.0;
|
||||
return differenceInDays < range;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -261,9 +261,9 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
|
||||
*/
|
||||
private void extractGzip(File file) throws FileNotFoundException, IOException {
|
||||
final String originalPath = file.getPath();
|
||||
File gzip = new File(originalPath + ".gz");
|
||||
if (gzip.isFile()) {
|
||||
gzip.delete();
|
||||
final File gzip = new File(originalPath + ".gz");
|
||||
if (gzip.isFile() && !gzip.delete()) {
|
||||
gzip.deleteOnExit();
|
||||
}
|
||||
if (!file.renameTo(gzip)) {
|
||||
throw new IOException("Unable to rename '" + file.getPath() + "'");
|
||||
@@ -284,10 +284,18 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
|
||||
}
|
||||
} finally {
|
||||
if (cin != null) {
|
||||
cin.close();
|
||||
try {
|
||||
cin.close();
|
||||
} catch (IOException ex) {
|
||||
LOGGER.log(Level.FINEST, "ignore", ex);
|
||||
}
|
||||
}
|
||||
if (out != null) {
|
||||
out.close();
|
||||
try {
|
||||
out.close();
|
||||
} catch (IOException ex) {
|
||||
LOGGER.log(Level.FINEST, "ignore", ex);
|
||||
}
|
||||
}
|
||||
if (gzip.isFile()) {
|
||||
FileUtils.deleteQuietly(gzip);
|
||||
|
||||
@@ -21,6 +21,9 @@ import java.io.File;
|
||||
import java.io.IOException;
|
||||
import java.io.Serializable;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.util.ArrayList;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
import java.util.SortedSet;
|
||||
import java.util.TreeSet;
|
||||
@@ -31,9 +34,9 @@ import org.owasp.dependencycheck.utils.Checksum;
|
||||
import org.owasp.dependencycheck.utils.FileUtils;
|
||||
|
||||
/**
|
||||
* A program dependency. This object is one of the core components within DependencyCheck. It is used to collect
|
||||
* information about the dependency in the form of evidence. The Evidence is then used to determine if there are any
|
||||
* known, published, vulnerabilities associated with the program dependency.
|
||||
* A program dependency. This object is one of the core components within DependencyCheck. It is used to collect information about
|
||||
* the dependency in the form of evidence. The Evidence is then used to determine if there are any known, published,
|
||||
* vulnerabilities associated with the program dependency.
|
||||
*
|
||||
* @author Jeremy Long <jeremy.long@owasp.org>
|
||||
*/
|
||||
@@ -121,8 +124,8 @@ public class Dependency implements Serializable, Comparable<Dependency> {
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the file name of the dependency with the backslash escaped for use in JavaScript. This is a complete hack
|
||||
* as I could not get the replace to work in the template itself.
|
||||
* Returns the file name of the dependency with the backslash escaped for use in JavaScript. This is a complete hack as I
|
||||
* could not get the replace to work in the template itself.
|
||||
*
|
||||
* @return the file name of the dependency with the backslash escaped for use in JavaScript
|
||||
*/
|
||||
@@ -194,8 +197,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the file name to display in reports; if no display file name has been set it will default to the actual
|
||||
* file name.
|
||||
* Returns the file name to display in reports; if no display file name has been set it will default to the actual file name.
|
||||
*
|
||||
* @return the file name to display
|
||||
*/
|
||||
@@ -210,8 +212,8 @@ public class Dependency implements Serializable, Comparable<Dependency> {
|
||||
* <p>
|
||||
* Gets the file path of the dependency.</p>
|
||||
* <p>
|
||||
* <b>NOTE:</b> This may not be the actual path of the file on disk. The actual path of the file on disk can be
|
||||
* obtained via the getActualFilePath().</p>
|
||||
* <b>NOTE:</b> This may not be the actual path of the file on disk. The actual path of the file on disk can be obtained via
|
||||
* the getActualFilePath().</p>
|
||||
*
|
||||
* @return the file path of the dependency
|
||||
*/
|
||||
@@ -340,7 +342,9 @@ public class Dependency implements Serializable, Comparable<Dependency> {
|
||||
if ("maven".equals(i.getType()) && i.getValue().equals(mavenArtifact.toString())) {
|
||||
found = true;
|
||||
i.setConfidence(Confidence.HIGHEST);
|
||||
i.setUrl(mavenArtifact.getArtifactUrl());
|
||||
final String url = "http://search.maven.org/#search|ga|1|1%3A%22" + this.getSha1sum() + "%22";
|
||||
i.setUrl(url);
|
||||
//i.setUrl(mavenArtifact.getArtifactUrl());
|
||||
LOGGER.fine(String.format("Already found identifier %s. Confidence set to highest", i.getValue()));
|
||||
break;
|
||||
}
|
||||
@@ -595,6 +599,47 @@ public class Dependency implements Serializable, Comparable<Dependency> {
|
||||
return relatedDependencies;
|
||||
}
|
||||
|
||||
/**
|
||||
* A list of projects that reference this dependency.
|
||||
*/
|
||||
private Set<String> projectReferences = new HashSet<String>();
|
||||
|
||||
/**
|
||||
* Get the value of projectReferences.
|
||||
*
|
||||
* @return the value of projectReferences
|
||||
*/
|
||||
public Set<String> getProjectReferences() {
|
||||
return projectReferences;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the value of projectReferences.
|
||||
*
|
||||
* @param projectReferences new value of projectReferences
|
||||
*/
|
||||
public void setProjectReferences(Set<String> projectReferences) {
|
||||
this.projectReferences = projectReferences;
|
||||
}
|
||||
|
||||
/**
|
||||
* Adds a project reference.
|
||||
*
|
||||
* @param projectReference a project reference
|
||||
*/
|
||||
public void addProjectReference(String projectReference) {
|
||||
this.projectReferences.add(projectReference);
|
||||
}
|
||||
|
||||
/**
|
||||
* Add a collection of project reference.
|
||||
*
|
||||
* @param projectReferences a set of project references
|
||||
*/
|
||||
public void addAllProjectReferences(Set<String> projectReferences) {
|
||||
this.projectReferences.addAll(projectReferences);
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the value of relatedDependencies.
|
||||
*
|
||||
@@ -610,7 +655,46 @@ public class Dependency implements Serializable, Comparable<Dependency> {
|
||||
* @param dependency a reference to the related dependency
|
||||
*/
|
||||
public void addRelatedDependency(Dependency dependency) {
|
||||
relatedDependencies.add(dependency);
|
||||
if (this == dependency) {
|
||||
LOGGER.warning("Attempted to add a circular reference - please post the log file to issue #172 here "
|
||||
+ "https://github.com/jeremylong/DependencyCheck/issues/172 ");
|
||||
LOGGER.log(Level.FINE, "this: {0}", this.toString());
|
||||
LOGGER.log(Level.FINE, "dependency: {0}", dependency.toString());
|
||||
} else {
|
||||
relatedDependencies.add(dependency);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A list of available versions.
|
||||
*/
|
||||
private List<String> availableVersions = new ArrayList<String>();
|
||||
|
||||
/**
|
||||
* Get the value of availableVersions.
|
||||
*
|
||||
* @return the value of availableVersions
|
||||
*/
|
||||
public List<String> getAvailableVersions() {
|
||||
return availableVersions;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the value of availableVersions.
|
||||
*
|
||||
* @param availableVersions new value of availableVersions
|
||||
*/
|
||||
public void setAvailableVersions(List<String> availableVersions) {
|
||||
this.availableVersions = availableVersions;
|
||||
}
|
||||
|
||||
/**
|
||||
* Adds a version to the available version list.
|
||||
*
|
||||
* @param version the version to add to the list
|
||||
*/
|
||||
public void addAvailableVersion(String version) {
|
||||
this.availableVersions.add(version);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -681,6 +765,15 @@ public class Dependency implements Serializable, Comparable<Dependency> {
|
||||
&& (this.relatedDependencies == null || !this.relatedDependencies.equals(other.relatedDependencies))) {
|
||||
return false;
|
||||
}
|
||||
if (this.projectReferences != other.projectReferences
|
||||
&& (this.projectReferences == null || !this.projectReferences.equals(other.projectReferences))) {
|
||||
return false;
|
||||
}
|
||||
if (this.availableVersions != other.availableVersions
|
||||
&& (this.availableVersions == null || !this.availableVersions.equals(other.availableVersions))) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
@@ -706,6 +799,8 @@ public class Dependency implements Serializable, Comparable<Dependency> {
|
||||
hash = 47 * hash + (this.license != null ? this.license.hashCode() : 0);
|
||||
hash = 47 * hash + (this.vulnerabilities != null ? this.vulnerabilities.hashCode() : 0);
|
||||
hash = 47 * hash + (this.relatedDependencies != null ? this.relatedDependencies.hashCode() : 0);
|
||||
hash = 47 * hash + (this.projectReferences != null ? this.projectReferences.hashCode() : 0);
|
||||
hash = 47 * hash + (this.availableVersions != null ? this.availableVersions.hashCode() : 0);
|
||||
return hash;
|
||||
}
|
||||
|
||||
|
||||
@@ -25,6 +25,15 @@ import java.io.Serializable;
|
||||
*/
|
||||
public class Identifier implements Serializable, Comparable<Identifier> {
|
||||
|
||||
/**
|
||||
* Default constructor. Should only be used for automatic class
|
||||
* creation as is the case with many XML parsers (for the parsing
|
||||
* of the Dependency-Check XML report). For all other use-cases,
|
||||
* please use the non-default constructors.
|
||||
*/
|
||||
public Identifier() {
|
||||
}
|
||||
|
||||
/**
|
||||
* Constructs a new Identifier with the specified data.
|
||||
*
|
||||
|
||||
@@ -0,0 +1,226 @@
|
||||
/*
|
||||
* This file is part of dependency-check-core.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* Copyright (c) 2015 Jeremy Long. All Rights Reserved.
|
||||
*/
|
||||
package org.owasp.dependencycheck.jaxb.pom;
|
||||
|
||||
import java.io.File;
|
||||
import java.io.FileInputStream;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStreamReader;
|
||||
import java.util.logging.Level;
|
||||
import java.util.logging.Logger;
|
||||
import javax.xml.bind.JAXBContext;
|
||||
import javax.xml.bind.JAXBElement;
|
||||
import javax.xml.bind.JAXBException;
|
||||
import javax.xml.bind.Unmarshaller;
|
||||
import javax.xml.parsers.ParserConfigurationException;
|
||||
import javax.xml.parsers.SAXParser;
|
||||
import javax.xml.parsers.SAXParserFactory;
|
||||
import javax.xml.transform.sax.SAXSource;
|
||||
|
||||
import org.owasp.dependencycheck.analyzer.JarAnalyzer;
|
||||
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
|
||||
import org.owasp.dependencycheck.dependency.Confidence;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.jaxb.pom.generated.Model;
|
||||
import org.owasp.dependencycheck.jaxb.pom.generated.Organization;
|
||||
import org.xml.sax.InputSource;
|
||||
import org.xml.sax.SAXException;
|
||||
import org.xml.sax.XMLFilter;
|
||||
import org.xml.sax.XMLReader;
|
||||
|
||||
/**
|
||||
*
|
||||
* @author jeremy
|
||||
*/
|
||||
public class PomUtils {
|
||||
|
||||
/**
|
||||
* The logger.
|
||||
*/
|
||||
private static final Logger LOGGER = Logger.getLogger(PomUtils.class.getName());
|
||||
|
||||
/**
|
||||
* The unmarshaller used to parse the pom.xml from a JAR file.
|
||||
*/
|
||||
private Unmarshaller pomUnmarshaller;
|
||||
|
||||
/**
|
||||
* Constructs a new POM Utility.
|
||||
*/
|
||||
public PomUtils() {
|
||||
try {
|
||||
//final JAXBContext jaxbContext = JAXBContext.newInstance("org.owasp.dependencycheck.jaxb.pom.generated");
|
||||
final JAXBContext jaxbContext = JAXBContext.newInstance(Model.class);
|
||||
pomUnmarshaller = jaxbContext.createUnmarshaller();
|
||||
} catch (JAXBException ex) { //guess we will just have a null pointer exception later...
|
||||
LOGGER.log(Level.SEVERE, "Unable to load parser. See the log for more details.");
|
||||
LOGGER.log(Level.FINE, null, ex);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Reads in the specified POM and converts it to a Model.
|
||||
*
|
||||
* @param file the pom.xml file
|
||||
* @return returns a
|
||||
* @throws AnalysisException is thrown if there is an exception extracting or parsing the POM
|
||||
* {@link org.owasp.dependencycheck.jaxb.pom.generated.Model} object
|
||||
*/
|
||||
public Model readPom(File file) throws AnalysisException {
|
||||
Model model = null;
|
||||
try {
|
||||
final FileInputStream stream = new FileInputStream(file);
|
||||
final InputStreamReader reader = new InputStreamReader(stream, "UTF-8");
|
||||
final InputSource xml = new InputSource(reader);
|
||||
final SAXSource source = new SAXSource(xml);
|
||||
model = readPom(source);
|
||||
} catch (SecurityException ex) {
|
||||
final String msg = String.format("Unable to parse pom '%s'; invalid signature", file.getPath());
|
||||
LOGGER.log(Level.WARNING, msg);
|
||||
LOGGER.log(Level.FINE, "", ex);
|
||||
throw new AnalysisException(ex);
|
||||
} catch (IOException ex) {
|
||||
final String msg = String.format("Unable to parse pom '%s'(IO Exception)", file.getPath());
|
||||
LOGGER.log(Level.WARNING, msg);
|
||||
LOGGER.log(Level.FINE, "", ex);
|
||||
throw new AnalysisException(ex);
|
||||
} catch (Throwable ex) {
|
||||
final String msg = String.format("Unexpected error during parsing of the pom '%s'", file.getPath());
|
||||
LOGGER.log(Level.WARNING, msg);
|
||||
LOGGER.log(Level.FINE, "", ex);
|
||||
throw new AnalysisException(ex);
|
||||
}
|
||||
return model;
|
||||
}
|
||||
|
||||
/**
|
||||
* Retrieves the specified POM from a jar file and converts it to a Model.
|
||||
*
|
||||
* @param source the SAXSource input stream to read the POM from
|
||||
* @return returns the POM object
|
||||
* @throws AnalysisException is thrown if there is an exception extracting or parsing the POM
|
||||
* {@link org.owasp.dependencycheck.jaxb.pom.generated.Model} object
|
||||
*/
|
||||
public Model readPom(SAXSource source) throws AnalysisException {
|
||||
Model model = null;
|
||||
try {
|
||||
final XMLFilter filter = new MavenNamespaceFilter();
|
||||
final SAXParserFactory spf = SAXParserFactory.newInstance();
|
||||
final SAXParser sp = spf.newSAXParser();
|
||||
final XMLReader xr = sp.getXMLReader();
|
||||
filter.setParent(xr);
|
||||
final JAXBElement<Model> el = pomUnmarshaller.unmarshal(source, Model.class);
|
||||
model = el.getValue();
|
||||
} catch (SecurityException ex) {
|
||||
throw new AnalysisException(ex);
|
||||
} catch (ParserConfigurationException ex) {
|
||||
throw new AnalysisException(ex);
|
||||
} catch (SAXException ex) {
|
||||
throw new AnalysisException(ex);
|
||||
} catch (JAXBException ex) {
|
||||
throw new AnalysisException(ex);
|
||||
} catch (Throwable ex) {
|
||||
throw new AnalysisException(ex);
|
||||
}
|
||||
return model;
|
||||
}
|
||||
|
||||
/**
|
||||
* Reads in the pom file and adds elements as evidence to the given dependency.
|
||||
*
|
||||
* @param dependency the dependency being analyzed
|
||||
* @param pomFile the pom file to read
|
||||
* @throws AnalysisException is thrown if there is an exception parsing the pom
|
||||
*/
|
||||
public void analyzePOM(Dependency dependency, File pomFile) throws AnalysisException {
|
||||
final Model pom = this.readPom(pomFile);
|
||||
|
||||
String groupid = pom.getGroupId();
|
||||
String parentGroupId = null;
|
||||
|
||||
if (pom.getParent() != null) {
|
||||
parentGroupId = pom.getParent().getGroupId();
|
||||
if ((groupid == null || groupid.isEmpty()) && parentGroupId != null && !parentGroupId.isEmpty()) {
|
||||
groupid = parentGroupId;
|
||||
}
|
||||
}
|
||||
if (groupid != null && !groupid.isEmpty()) {
|
||||
dependency.getVendorEvidence().addEvidence("pom", "groupid", groupid, Confidence.HIGHEST);
|
||||
dependency.getProductEvidence().addEvidence("pom", "groupid", groupid, Confidence.LOW);
|
||||
if (parentGroupId != null && !parentGroupId.isEmpty() && !parentGroupId.equals(groupid)) {
|
||||
dependency.getVendorEvidence().addEvidence("pom", "parent-groupid", parentGroupId, Confidence.MEDIUM);
|
||||
dependency.getProductEvidence().addEvidence("pom", "parent-groupid", parentGroupId, Confidence.LOW);
|
||||
}
|
||||
}
|
||||
String artifactid = pom.getArtifactId();
|
||||
String parentArtifactId = null;
|
||||
if (pom.getParent() != null) {
|
||||
parentArtifactId = pom.getParent().getArtifactId();
|
||||
if ((artifactid == null || artifactid.isEmpty()) && parentArtifactId != null && !parentArtifactId.isEmpty()) {
|
||||
artifactid = parentArtifactId;
|
||||
}
|
||||
}
|
||||
if (artifactid != null && !artifactid.isEmpty()) {
|
||||
if (artifactid.startsWith("org.") || artifactid.startsWith("com.")) {
|
||||
artifactid = artifactid.substring(4);
|
||||
}
|
||||
dependency.getProductEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.HIGHEST);
|
||||
dependency.getVendorEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.LOW);
|
||||
if (parentArtifactId != null && !parentArtifactId.isEmpty() && !parentArtifactId.equals(artifactid)) {
|
||||
dependency.getProductEvidence().addEvidence("pom", "parent-artifactid", parentArtifactId, Confidence.MEDIUM);
|
||||
dependency.getVendorEvidence().addEvidence("pom", "parent-artifactid", parentArtifactId, Confidence.LOW);
|
||||
}
|
||||
}
|
||||
//version
|
||||
String version = pom.getVersion();
|
||||
String parentVersion = null;
|
||||
if (pom.getParent() != null) {
|
||||
parentVersion = pom.getParent().getVersion();
|
||||
if ((version == null || version.isEmpty()) && parentVersion != null && !parentVersion.isEmpty()) {
|
||||
version = parentVersion;
|
||||
}
|
||||
}
|
||||
if (version != null && !version.isEmpty()) {
|
||||
dependency.getVersionEvidence().addEvidence("pom", "version", version, Confidence.HIGHEST);
|
||||
if (parentVersion != null && !parentVersion.isEmpty() && !parentVersion.equals(version)) {
|
||||
dependency.getVersionEvidence().addEvidence("pom", "parent-version", version, Confidence.LOW);
|
||||
}
|
||||
}
|
||||
|
||||
final Organization org = pom.getOrganization();
|
||||
if (org != null) {
|
||||
final String orgName = org.getName();
|
||||
if (orgName != null && !orgName.isEmpty()) {
|
||||
dependency.getVendorEvidence().addEvidence("pom", "organization name", orgName, Confidence.HIGH);
|
||||
}
|
||||
}
|
||||
final String pomName = pom.getName();
|
||||
if (pomName != null && !pomName.isEmpty()) {
|
||||
dependency.getProductEvidence().addEvidence("pom", "name", pomName, Confidence.HIGH);
|
||||
dependency.getVendorEvidence().addEvidence("pom", "name", pomName, Confidence.HIGH);
|
||||
}
|
||||
|
||||
if (pom.getDescription() != null) {
|
||||
final String description = pom.getDescription();
|
||||
if (description != null && !description.isEmpty()) {
|
||||
JarAnalyzer.addDescription(dependency, description, "pom", "description");
|
||||
}
|
||||
}
|
||||
JarAnalyzer.extractLicense(pom, null, dependency);
|
||||
}
|
||||
}
|
||||
@@ -31,7 +31,7 @@ import javax.xml.namespace.QName;
|
||||
@XmlRegistry
|
||||
public class ObjectFactory {
|
||||
|
||||
private final static QName _Project_QNAME = new QName("http://maven.apache.org/POM/4.0.0", "project");
|
||||
private static final QName _Project_QNAME = new QName("http://maven.apache.org/POM/4.0.0", "project");
|
||||
|
||||
/**
|
||||
* Create a new ObjectFactory that can be used to create new instances of schema derived classes for package: org.owasp.dependencycheck.analyzer.pom.generated
|
||||
|
||||
@@ -113,7 +113,7 @@ public class ReportGenerator {
|
||||
context.put("scanDate", scanDate);
|
||||
context.put("scanDateXML", scanDateXML);
|
||||
context.put("enc", enc);
|
||||
context.put("version", Settings.getString("application.version", "Unknown"));
|
||||
context.put("version", Settings.getString(Settings.KEYS.APPLICATION_VERSION, "Unknown"));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -137,6 +137,26 @@ public class ReportGenerator {
|
||||
return new VelocityContext();
|
||||
}
|
||||
|
||||
/**
|
||||
* Generates the Dependency Reports for the identified dependencies.
|
||||
*
|
||||
* @param outputStream the OutputStream to send the generated report to
|
||||
* @param format the format the report should be written in
|
||||
* @throws IOException is thrown when the template file does not exist
|
||||
* @throws Exception is thrown if there is an error writing out the reports.
|
||||
*/
|
||||
public void generateReports(OutputStream outputStream, Format format) throws IOException, Exception {
|
||||
if (format == Format.XML || format == Format.ALL) {
|
||||
generateReport("XmlReport", outputStream);
|
||||
}
|
||||
if (format == Format.HTML || format == Format.ALL) {
|
||||
generateReport("HtmlReport", outputStream);
|
||||
}
|
||||
if (format == Format.VULN || format == Format.ALL) {
|
||||
generateReport("VulnerabilityReport", outputStream);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Generates the Dependency Reports for the identified dependencies.
|
||||
*
|
||||
@@ -202,11 +222,11 @@ public class ReportGenerator {
|
||||
* template file.
|
||||
*
|
||||
* @param templateName the name of the template to load.
|
||||
* @param outFileName the filename and path to write the report to.
|
||||
* @param outputStream the OutputStream to write the report to.
|
||||
* @throws IOException is thrown when the template file does not exist.
|
||||
* @throws Exception is thrown when an exception occurs.
|
||||
*/
|
||||
protected void generateReport(String templateName, String outFileName) throws IOException, Exception {
|
||||
protected void generateReport(String templateName, OutputStream outputStream) throws IOException, Exception {
|
||||
InputStream input = null;
|
||||
String templatePath = null;
|
||||
final File f = new File(templateName);
|
||||
@@ -229,18 +249,8 @@ public class ReportGenerator {
|
||||
|
||||
final InputStreamReader reader = new InputStreamReader(input, "UTF-8");
|
||||
OutputStreamWriter writer = null;
|
||||
OutputStream outputStream = null;
|
||||
|
||||
try {
|
||||
final File outDir = new File(outFileName).getParentFile();
|
||||
if (!outDir.exists()) {
|
||||
final boolean created = outDir.mkdirs();
|
||||
if (!created) {
|
||||
throw new Exception("Unable to create directory '" + outDir.getAbsolutePath() + "'.");
|
||||
}
|
||||
}
|
||||
|
||||
outputStream = new FileOutputStream(outFileName);
|
||||
writer = new OutputStreamWriter(outputStream, "UTF-8");
|
||||
|
||||
if (!engine.evaluate(context, writer, templatePath, reader)) {
|
||||
@@ -269,4 +279,41 @@ public class ReportGenerator {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Generates a report from a given Velocity Template. The template name provided can be the name of a template
|
||||
* contained in the jar file, such as 'XmlReport' or 'HtmlReport', or the template name can be the path to a
|
||||
* template file.
|
||||
*
|
||||
* @param templateName the name of the template to load.
|
||||
* @param outFileName the filename and path to write the report to.
|
||||
* @throws IOException is thrown when the template file does not exist.
|
||||
* @throws Exception is thrown when an exception occurs.
|
||||
*/
|
||||
protected void generateReport(String templateName, String outFileName) throws Exception {
|
||||
File outFile = new File(outFileName);
|
||||
if (outFile.getParentFile() == null) {
|
||||
outFile = new File(".", outFileName);
|
||||
}
|
||||
if (!outFile.getParentFile().exists()) {
|
||||
final boolean created = outFile.getParentFile().mkdirs();
|
||||
if (!created) {
|
||||
throw new Exception("Unable to create directory '" + outFile.getParentFile().getAbsolutePath() + "'.");
|
||||
}
|
||||
}
|
||||
|
||||
OutputStream outputSteam = null;
|
||||
try {
|
||||
outputSteam = new FileOutputStream(outFile);
|
||||
generateReport(templateName, outputSteam);
|
||||
} finally {
|
||||
if (outputSteam != null) {
|
||||
try {
|
||||
outputSteam.close();
|
||||
} catch (IOException ex) {
|
||||
LOGGER.log(Level.FINEST, "ignore", ex);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -112,7 +112,7 @@ public class SuppressionRule {
|
||||
* @return whether or not this suppression rule as CPE entries
|
||||
*/
|
||||
public boolean hasCpe() {
|
||||
return cpe.size() > 0;
|
||||
return !cpe.isEmpty();
|
||||
}
|
||||
/**
|
||||
* The list of cvssBelow scores.
|
||||
@@ -152,7 +152,7 @@ public class SuppressionRule {
|
||||
* @return whether or not this suppression rule has cvss suppressions
|
||||
*/
|
||||
public boolean hasCvssBelow() {
|
||||
return cvssBelow.size() > 0;
|
||||
return !cvssBelow.isEmpty();
|
||||
}
|
||||
/**
|
||||
* The list of cwe entries to suppress.
|
||||
@@ -192,7 +192,7 @@ public class SuppressionRule {
|
||||
* @return whether this suppression rule has CWE entries
|
||||
*/
|
||||
public boolean hasCwe() {
|
||||
return cwe.size() > 0;
|
||||
return !cwe.isEmpty();
|
||||
}
|
||||
/**
|
||||
* The list of cve entries to suppress.
|
||||
@@ -232,7 +232,7 @@ public class SuppressionRule {
|
||||
* @return whether this suppression rule has CVE entries
|
||||
*/
|
||||
public boolean hasCve() {
|
||||
return cve.size() > 0;
|
||||
return !cve.isEmpty();
|
||||
}
|
||||
/**
|
||||
* A Maven GAV to suppression.
|
||||
@@ -450,28 +450,28 @@ public class SuppressionRule {
|
||||
if (gav != null) {
|
||||
sb.append("gav=").append(gav).append(",");
|
||||
}
|
||||
if (cpe != null && cpe.size() > 0) {
|
||||
if (cpe != null && !cpe.isEmpty()) {
|
||||
sb.append("cpe={");
|
||||
for (PropertyType pt : cpe) {
|
||||
sb.append(pt).append(",");
|
||||
}
|
||||
sb.append("}");
|
||||
}
|
||||
if (cwe != null && cwe.size() > 0) {
|
||||
if (cwe != null && !cwe.isEmpty()) {
|
||||
sb.append("cwe={");
|
||||
for (String s : cwe) {
|
||||
sb.append(s).append(",");
|
||||
}
|
||||
sb.append("}");
|
||||
}
|
||||
if (cve != null && cve.size() > 0) {
|
||||
if (cve != null && !cve.isEmpty()) {
|
||||
sb.append("cve={");
|
||||
for (String s : cve) {
|
||||
sb.append(s).append(",");
|
||||
}
|
||||
sb.append("}");
|
||||
}
|
||||
if (cvssBelow != null && cvssBelow.size() > 0) {
|
||||
if (cvssBelow != null && !cvssBelow.isEmpty()) {
|
||||
sb.append("cvssBelow={");
|
||||
for (Float s : cvssBelow) {
|
||||
sb.append(s).append(",");
|
||||
|
||||
@@ -0,0 +1,46 @@
|
||||
/*
|
||||
* This file is part of dependency-check-core.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
|
||||
*/
|
||||
package org.owasp.dependencycheck.utils;
|
||||
|
||||
/**
|
||||
*
|
||||
* @author Jeremy Long <jeremy.long@owasp.org>
|
||||
*/
|
||||
public final class DateUtil {
|
||||
|
||||
/**
|
||||
* Private constructor for utility class.
|
||||
*/
|
||||
private DateUtil() {
|
||||
}
|
||||
|
||||
/**
|
||||
* Determines if the epoch date is within the range specified of the compareTo epoch time. This takes the
|
||||
* (compareTo-date)/1000/60/60/24 to get the number of days. If the calculated days is less then the range the date
|
||||
* is considered valid.
|
||||
*
|
||||
* @param date the date to be checked.
|
||||
* @param compareTo the date to compare to.
|
||||
* @param range the range in days to be considered valid.
|
||||
* @return whether or not the date is within the range.
|
||||
*/
|
||||
public static boolean withinDateRange(long date, long compareTo, int range) {
|
||||
final double differenceInDays = (compareTo - date) / 1000.0 / 60.0 / 60.0 / 24.0;
|
||||
return differenceInDays < range;
|
||||
}
|
||||
}
|
||||
@@ -18,6 +18,7 @@
|
||||
package org.owasp.dependencycheck.utils;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
@@ -62,7 +63,7 @@ public final class DependencyVersionUtil {
|
||||
//'-' is a special case used within the CVE entries, just include it as the version.
|
||||
if ("-".equals(text)) {
|
||||
final DependencyVersion dv = new DependencyVersion();
|
||||
final ArrayList<String> list = new ArrayList<String>();
|
||||
final List<String> list = new ArrayList<String>();
|
||||
list.add(text);
|
||||
dv.setVersionParts(list);
|
||||
return dv;
|
||||
|
||||
@@ -107,7 +107,7 @@ public final class ExtractionUtil {
|
||||
fos = new FileOutputStream(file);
|
||||
bos = new BufferedOutputStream(fos, BUFFER_SIZE);
|
||||
int count;
|
||||
final byte data[] = new byte[BUFFER_SIZE];
|
||||
final byte[] data = new byte[BUFFER_SIZE];
|
||||
while ((count = zis.read(data, 0, BUFFER_SIZE)) != -1) {
|
||||
bos.write(data, 0, count);
|
||||
}
|
||||
|
||||
@@ -23,6 +23,7 @@ import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
/**
|
||||
@@ -68,7 +69,7 @@ public final class UrlStringUtils {
|
||||
/**
|
||||
* A listing of domain parts that should not be used as evidence. Yes, this is an incomplete list.
|
||||
*/
|
||||
private static final HashSet<String> IGNORE_LIST = new HashSet<String>(
|
||||
private static final Set<String> IGNORE_LIST = new HashSet<String>(
|
||||
Arrays.asList("www", "com", "org", "gov", "info", "name", "net", "pro", "tel", "mobi", "xxx"));
|
||||
|
||||
/**
|
||||
@@ -86,7 +87,7 @@ public final class UrlStringUtils {
|
||||
* @throws MalformedURLException thrown if the URL is malformed
|
||||
*/
|
||||
public static List<String> extractImportantUrlData(String text) throws MalformedURLException {
|
||||
final ArrayList<String> importantParts = new ArrayList<String>();
|
||||
final List<String> importantParts = new ArrayList<String>();
|
||||
final URL url = new URL(text);
|
||||
final String[] domain = url.getHost().split("\\.");
|
||||
//add the domain except www and the tld.
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
org.owasp.dependencycheck.data.update.NvdCveUpdater
|
||||
org.owasp.dependencycheck.data.update.NvdCveUpdater
|
||||
org.owasp.dependencycheck.data.update.EngineVersionCheck
|
||||
@@ -48,18 +48,40 @@
|
||||
<cpe>cpe:/a:oracle:glassfish</cpe>
|
||||
<cpe>cpe:/a:oracle:oracle_client</cpe>
|
||||
</suppress>
|
||||
<suppress>
|
||||
<suppress base="true">
|
||||
<notes><![CDATA[
|
||||
Suppresses false positives on the grizzly-framework
|
||||
]]></notes>
|
||||
<gav regex="true">org\.glassfish\.grizzly:grizzly-framework:.*</gav>
|
||||
<cpe>cpe:/a:oracle:glassfish</cpe>
|
||||
</suppress>
|
||||
<suppress>
|
||||
<suppress base="true">
|
||||
<notes><![CDATA[
|
||||
Suppresses false positives on the grizzly-framework
|
||||
]]></notes>
|
||||
<gav regex="true">org\.forgerock\.opendj:opendj-ldap-sdk:.*</gav>
|
||||
<cpe>cpe:/a:ldap_project:ldap</cpe>
|
||||
</suppress>
|
||||
<suppress base="true">
|
||||
<notes><![CDATA[
|
||||
Suppresses false positives on the org.opensaml:xmltooling
|
||||
]]></notes>
|
||||
<gav regex="true">org\.opensaml:xmltooling:.*</gav>
|
||||
<cpe>cpe:/a:shibboleth:opensaml</cpe>
|
||||
</suppress>
|
||||
<suppress base="true">
|
||||
<notes><![CDATA[
|
||||
Suppresses false positives on the org.opensaml:openws
|
||||
]]></notes>
|
||||
<gav regex="true">org\.opensaml:openws:.*</gav>
|
||||
<cpe>cpe:/a:internet2:opensaml</cpe>
|
||||
</suppress>
|
||||
<suppress base="true">
|
||||
<notes><![CDATA[
|
||||
Suppresses false positives on the org.opensaml:xmltooling
|
||||
]]></notes>
|
||||
<gav regex="true">org\.opensaml:xmltooling:.*</gav>
|
||||
<cpe>cpe:/a:internet2:opensaml</cpe>
|
||||
</suppress>
|
||||
|
||||
</suppressions>
|
||||
@@ -3,6 +3,9 @@ application.version=${pom.version}
|
||||
autoupdate=true
|
||||
max.download.threads=3
|
||||
|
||||
# the url to obtain the current engine version from
|
||||
engine.version.url=http://jeremylong.github.io/DependencyCheck/current.txt
|
||||
|
||||
#temp.directory defaults to System.getProperty("java.io.tmpdir")
|
||||
#temp.directory=[path to temp directory]
|
||||
|
||||
|
||||
@@ -534,7 +534,7 @@ arising out of or in connection with the use of this tool, the analysis performe
|
||||
<li class="scaninfo hidden"><i>$enc.html($prop.key)</i>: $enc.html($prop.value)</li>
|
||||
#end
|
||||
</ul><br/>
|
||||
Display: <a href="#" title="Click to toggle display" onclick="return toggleDisplay(this, '.notvulnerable', 'Showing Vulnerable Dependencies', 'Showing All Dependencies'); return false;">Showing Vulnerable Dependencies</a><br/><br/>
|
||||
Display: <a href="#" title="Click to toggle display" onclick="return toggleDisplay(this, '.notvulnerable', 'Showing Vulnerable Dependencies (click to show all)', 'Showing All Dependencies (click to show less)'); return false;">Showing Vulnerable Dependencies (click to show all)</a><br/><br/>
|
||||
#set($lnkcnt=0)
|
||||
<table class="lined">
|
||||
<tr style="text-align:left">
|
||||
@@ -606,22 +606,6 @@ arising out of or in connection with the use of this tool, the analysis performe
|
||||
</tr>
|
||||
#end
|
||||
</table>
|
||||
## <ul class="indent">
|
||||
## #set($lnkcnt=0)
|
||||
## #foreach($dependency in $dependencies)
|
||||
## #set($lnkcnt=$lnkcnt+1)
|
||||
## <li class="#if($dependency.getVulnerabilities().size()==0)notvulnerable#else vulnerable#end">
|
||||
## <a href="#l${lnkcnt}_$enc.html($enc.url($dependency.Sha1sum))">$enc.html($dependency.DisplayFileName)</a>
|
||||
## #if($dependency.getRelatedDependencies().size()>0)
|
||||
## <ul>
|
||||
## #foreach($related in $dependency.getRelatedDependencies())
|
||||
## <li>$enc.html($related.DisplayFileName)</li>
|
||||
## #end
|
||||
## </ul>
|
||||
## #end
|
||||
## </li>
|
||||
## #end
|
||||
## </ul>
|
||||
<h2>Dependencies</h2>
|
||||
#set($lnkcnt=0)
|
||||
#set($cnt=0)
|
||||
@@ -644,6 +628,19 @@ arising out of or in connection with the use of this tool, the analysis performe
|
||||
<b>File Path:</b> $enc.html($dependency.FilePath)<br/>
|
||||
<b>MD5:</b> $enc.html($dependency.Md5sum)<br/>
|
||||
<b>SHA1:</b> $enc.html($dependency.Sha1sum)
|
||||
#if ($dependency.projectReferences.size()==1)
|
||||
<br/><b>Referenced In Project:</b>
|
||||
#foreach($ref in $dependency.projectReferences)
|
||||
$enc.html($ref)
|
||||
#end
|
||||
#end
|
||||
#if ($dependency.projectReferences.size()>1)
|
||||
<br/><b>Referenced In Projects:</b><ul>
|
||||
#foreach($ref in $dependency.projectReferences)
|
||||
<li>$enc.html($ref)</li>
|
||||
#end
|
||||
</ul>
|
||||
#end
|
||||
</p>
|
||||
#set($cnt=$cnt+1)
|
||||
<h4 id="header$cnt" class="subsectionheader expandable expandablesubsection white">Evidence</h4>
|
||||
|
||||
@@ -15,7 +15,10 @@
|
||||
*/
|
||||
package org.owasp.dependencycheck;
|
||||
|
||||
import java.io.File;
|
||||
import java.io.InputStream;
|
||||
import org.junit.AfterClass;
|
||||
import org.junit.Assume;
|
||||
import org.junit.BeforeClass;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
|
||||
@@ -34,4 +37,31 @@ public class BaseTest {
|
||||
public static void tearDownClass() throws Exception {
|
||||
Settings.cleanup(true);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the given resource as an InputStream using the object's class loader. The org.junit.Assume API is used so that test
|
||||
* cases are skipped if the resource is not available.
|
||||
*
|
||||
* @param o the object used to obtain a reference to the class loader
|
||||
* @param resource the name of the resource to load
|
||||
* @return the resource as an InputStream
|
||||
*/
|
||||
public static InputStream getResourceAsStream(Object o, String resource) {
|
||||
getResourceAsFile(o, resource);
|
||||
return o.getClass().getClassLoader().getResourceAsStream(resource);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the given resource as a File using the object's class loader. The org.junit.Assume API is used so that test cases
|
||||
* are skipped if the resource is not available.
|
||||
*
|
||||
* @param o the object used to obtain a reference to the class loader
|
||||
* @param resource the name of the resource to load
|
||||
* @return the resource as an File
|
||||
*/
|
||||
public static File getResourceAsFile(Object o, String resource) {
|
||||
File f = new File(o.getClass().getClassLoader().getResource(resource).getPath());
|
||||
Assume.assumeTrue(String.format("%n%n[SEVERE] Unable to load resource for test case: %s%n%n", resource), f.exists());
|
||||
return f;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -23,6 +23,7 @@ import java.util.Set;
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
import org.junit.Test;
|
||||
import org.owasp.dependencycheck.BaseTest;
|
||||
import org.owasp.dependencycheck.Engine;
|
||||
import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
@@ -129,11 +130,12 @@ public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
|
||||
instance.supportsExtension("ear");
|
||||
try {
|
||||
instance.initialize();
|
||||
|
||||
File file = new File(this.getClass().getClassLoader().getResource("daytrader-ear-2.1.7.ear").getPath());
|
||||
File file = BaseTest.getResourceAsFile(this, "daytrader-ear-2.1.7.ear");
|
||||
//File file = new File(this.getClass().getClassLoader().getResource("daytrader-ear-2.1.7.ear").getPath());
|
||||
Dependency dependency = new Dependency(file);
|
||||
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
|
||||
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
|
||||
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
|
||||
Engine engine = new Engine();
|
||||
|
||||
int initial_size = engine.getDependencies().size();
|
||||
@@ -161,10 +163,12 @@ public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
|
||||
instance.initialize();
|
||||
|
||||
//File file = new File(this.getClass().getClassLoader().getResource("file.tar").getPath());
|
||||
File file = new File(this.getClass().getClassLoader().getResource("stagedhttp-modified.tar").getPath());
|
||||
//File file = new File(this.getClass().getClassLoader().getResource("stagedhttp-modified.tar").getPath());
|
||||
File file = BaseTest.getResourceAsFile(this, "stagedhttp-modified.tar");
|
||||
Dependency dependency = new Dependency(file);
|
||||
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
|
||||
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
|
||||
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
|
||||
Engine engine = new Engine();
|
||||
|
||||
int initial_size = engine.getDependencies().size();
|
||||
@@ -189,10 +193,12 @@ public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
|
||||
try {
|
||||
instance.initialize();
|
||||
|
||||
File file = new File(this.getClass().getClassLoader().getResource("file.tar.gz").getPath());
|
||||
//File file = new File(this.getClass().getClassLoader().getResource("file.tar.gz").getPath());
|
||||
File file = BaseTest.getResourceAsFile(this, "file.tar.gz");
|
||||
//Dependency dependency = new Dependency(file);
|
||||
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
|
||||
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
|
||||
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
|
||||
Engine engine = new Engine();
|
||||
|
||||
int initial_size = engine.getDependencies().size();
|
||||
@@ -220,6 +226,7 @@ public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
|
||||
// File file = new File(this.getClass().getClassLoader().getResource("nested.zip").getPath());
|
||||
// Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
|
||||
// Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
|
||||
// Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
|
||||
// Engine engine = new Engine();
|
||||
//
|
||||
// engine.scan(file);
|
||||
@@ -239,9 +246,11 @@ public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
|
||||
try {
|
||||
instance.initialize();
|
||||
|
||||
File file = new File(this.getClass().getClassLoader().getResource("file.tgz").getPath());
|
||||
//File file = new File(this.getClass().getClassLoader().getResource("file.tgz").getPath());
|
||||
File file = BaseTest.getResourceAsFile(this, "file.tgz");
|
||||
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
|
||||
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
|
||||
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
|
||||
Engine engine = new Engine();
|
||||
|
||||
int initial_size = engine.getDependencies().size();
|
||||
@@ -265,10 +274,12 @@ public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
|
||||
try {
|
||||
instance.initialize();
|
||||
|
||||
File file = new File(this.getClass().getClassLoader().getResource("test.zip").getPath());
|
||||
//File file = new File(this.getClass().getClassLoader().getResource("test.zip").getPath());
|
||||
File file = BaseTest.getResourceAsFile(this, "test.zip");
|
||||
Dependency dependency = new Dependency(file);
|
||||
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
|
||||
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
|
||||
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
|
||||
Engine engine = new Engine();
|
||||
int initial_size = engine.getDependencies().size();
|
||||
// boolean failed = false;
|
||||
|
||||
@@ -78,7 +78,8 @@ public class AssemblyAnalyzerTest extends BaseTest {
|
||||
|
||||
@Test
|
||||
public void testAnalysis() throws Exception {
|
||||
File f = new File(AssemblyAnalyzerTest.class.getClassLoader().getResource("GrokAssembly.exe").getPath());
|
||||
//File f = new File(AssemblyAnalyzerTest.class.getClassLoader().getResource("GrokAssembly.exe").getPath());
|
||||
File f = BaseTest.getResourceAsFile(this, "GrokAssembly.exe");
|
||||
Dependency d = new Dependency(f);
|
||||
analyzer.analyze(d, null);
|
||||
boolean foundVendor = false;
|
||||
@@ -100,7 +101,9 @@ public class AssemblyAnalyzerTest extends BaseTest {
|
||||
|
||||
@Test
|
||||
public void testLog4Net() throws Exception {
|
||||
File f = new File(AssemblyAnalyzerTest.class.getClassLoader().getResource("log4net.dll").getPath());
|
||||
//File f = new File(AssemblyAnalyzerTest.class.getClassLoader().getResource("log4net.dll").getPath());
|
||||
File f = BaseTest.getResourceAsFile(this, "log4net.dll");
|
||||
|
||||
Dependency d = new Dependency(f);
|
||||
analyzer.analyze(d, null);
|
||||
assertTrue(d.getVersionEvidence().getEvidence().contains(new Evidence("grokassembly", "version", "1.2.13.0", Confidence.HIGHEST)));
|
||||
@@ -115,7 +118,8 @@ public class AssemblyAnalyzerTest extends BaseTest {
|
||||
// Tweak the log level so the warning doesn't show in the console
|
||||
Logger.getLogger(AssemblyAnalyzer.class.getName()).setLevel(Level.OFF);
|
||||
Logger.getLogger(Dependency.class.getName()).setLevel(Level.OFF);
|
||||
File f = new File(AssemblyAnalyzerTest.class.getClassLoader().getResource("log4net.dll").getPath());
|
||||
//File f = new File(AssemblyAnalyzerTest.class.getClassLoader().getResource("log4net.dll").getPath());
|
||||
File f = BaseTest.getResourceAsFile(this, "log4net.dll");
|
||||
File test = new File(f.getParent(), "nonexistent.dll");
|
||||
Dependency d = new Dependency(test);
|
||||
|
||||
|
||||
@@ -27,6 +27,7 @@ import org.apache.lucene.queryparser.classic.ParseException;
|
||||
import org.junit.Assert;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
import org.junit.Test;
|
||||
import org.owasp.dependencycheck.BaseTest;
|
||||
import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
|
||||
import org.owasp.dependencycheck.data.cpe.IndexEntry;
|
||||
import org.owasp.dependencycheck.dependency.Confidence;
|
||||
@@ -110,7 +111,8 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
|
||||
*/
|
||||
public void callDetermineCPE_full(String depName, String expResult, CPEAnalyzer instance, FileNameAnalyzer fnAnalyzer, JarAnalyzer jarAnalyzer, HintAnalyzer hAnalyzer, FalsePositiveAnalyzer fp) throws Exception {
|
||||
|
||||
File file = new File(this.getClass().getClassLoader().getResource(depName).getPath());
|
||||
//File file = new File(this.getClass().getClassLoader().getResource(depName).getPath());
|
||||
File file = BaseTest.getResourceAsFile(this, depName);
|
||||
|
||||
Dependency dep = new Dependency(file);
|
||||
|
||||
@@ -137,7 +139,8 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
|
||||
*/
|
||||
@Test
|
||||
public void testDetermineCPE() throws Exception {
|
||||
File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
|
||||
//File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
|
||||
File file = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
|
||||
//File file = new File(this.getClass().getClassLoader().getResource("axis2-adb-1.4.1.jar").getPath());
|
||||
Dependency struts = new Dependency(file);
|
||||
|
||||
@@ -147,15 +150,18 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
|
||||
JarAnalyzer jarAnalyzer = new JarAnalyzer();
|
||||
jarAnalyzer.analyze(struts, null);
|
||||
|
||||
File fileCommonValidator = new File(this.getClass().getClassLoader().getResource("commons-validator-1.4.0.jar").getPath());
|
||||
//File fileCommonValidator = new File(this.getClass().getClassLoader().getResource("commons-validator-1.4.0.jar").getPath());
|
||||
File fileCommonValidator = BaseTest.getResourceAsFile(this, "commons-validator-1.4.0.jar");
|
||||
Dependency commonValidator = new Dependency(fileCommonValidator);
|
||||
jarAnalyzer.analyze(commonValidator, null);
|
||||
|
||||
File fileSpring = new File(this.getClass().getClassLoader().getResource("spring-core-2.5.5.jar").getPath());
|
||||
//File fileSpring = new File(this.getClass().getClassLoader().getResource("spring-core-2.5.5.jar").getPath());
|
||||
File fileSpring = BaseTest.getResourceAsFile(this, "spring-core-2.5.5.jar");
|
||||
Dependency spring = new Dependency(fileSpring);
|
||||
jarAnalyzer.analyze(spring, null);
|
||||
|
||||
File fileSpring3 = new File(this.getClass().getClassLoader().getResource("spring-core-3.0.0.RELEASE.jar").getPath());
|
||||
//File fileSpring3 = new File(this.getClass().getClassLoader().getResource("spring-core-3.0.0.RELEASE.jar").getPath());
|
||||
File fileSpring3 = BaseTest.getResourceAsFile(this, "spring-core-3.0.0.RELEASE.jar");
|
||||
Dependency spring3 = new Dependency(fileSpring3);
|
||||
jarAnalyzer.analyze(spring3, null);
|
||||
|
||||
|
||||
@@ -21,6 +21,7 @@ import java.io.File;
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
import org.junit.Test;
|
||||
import org.owasp.dependencycheck.BaseTest;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
|
||||
/**
|
||||
@@ -56,9 +57,11 @@ public class FileNameAnalyzerTest {
|
||||
*/
|
||||
@Test
|
||||
public void testAnalyze() throws Exception {
|
||||
File struts = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
|
||||
//File struts = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
|
||||
File struts = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
|
||||
Dependency resultStruts = new Dependency(struts);
|
||||
File axis = new File(this.getClass().getClassLoader().getResource("axis2-adb-1.4.1.jar").getPath());
|
||||
//File axis = new File(this.getClass().getClassLoader().getResource("axis2-adb-1.4.1.jar").getPath());
|
||||
File axis = BaseTest.getResourceAsFile(this, "axis2-adb-1.4.1.jar");
|
||||
Dependency resultAxis = new Dependency(axis);
|
||||
FileNameAnalyzer instance = new FileNameAnalyzer();
|
||||
instance.analyze(resultStruts, null);
|
||||
|
||||
@@ -69,12 +69,15 @@ public class HintAnalyzerTest extends BaseTest {
|
||||
public void testAnalyze() throws Exception {
|
||||
HintAnalyzer instance = new HintAnalyzer();
|
||||
|
||||
File guice = new File(this.getClass().getClassLoader().getResource("guice-3.0.jar").getPath());
|
||||
//File guice = new File(this.getClass().getClassLoader().getResource("guice-3.0.jar").getPath());
|
||||
File guice = BaseTest.getResourceAsFile(this, "guice-3.0.jar");
|
||||
//Dependency guice = new Dependency(fileg);
|
||||
File spring = new File(this.getClass().getClassLoader().getResource("spring-core-3.0.0.RELEASE.jar").getPath());
|
||||
//File spring = new File(this.getClass().getClassLoader().getResource("spring-core-3.0.0.RELEASE.jar").getPath());
|
||||
File spring = BaseTest.getResourceAsFile(this, "spring-core-3.0.0.RELEASE.jar");
|
||||
//Dependency spring = new Dependency(files);
|
||||
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
|
||||
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
|
||||
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
|
||||
Engine engine = new Engine();
|
||||
|
||||
engine.scan(guice);
|
||||
|
||||
@@ -41,14 +41,16 @@ public class JarAnalyzerTest extends BaseTest {
|
||||
*/
|
||||
@Test
|
||||
public void testAnalyze() throws Exception {
|
||||
File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
|
||||
//File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
|
||||
File file = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
|
||||
Dependency result = new Dependency(file);
|
||||
JarAnalyzer instance = new JarAnalyzer();
|
||||
instance.analyze(result, null);
|
||||
assertTrue(result.getVendorEvidence().toString().toLowerCase().contains("apache"));
|
||||
assertTrue(result.getVendorEvidence().getWeighting().contains("apache"));
|
||||
|
||||
file = new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath());
|
||||
//file = new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath());
|
||||
file = BaseTest.getResourceAsFile(this, "org.mortbay.jetty.jar");
|
||||
result = new Dependency(file);
|
||||
instance.analyze(result, null);
|
||||
boolean found = false;
|
||||
@@ -81,7 +83,8 @@ public class JarAnalyzerTest extends BaseTest {
|
||||
}
|
||||
assertTrue("implementation-version of 4.2.27 not found in org.mortbay.jetty.jar", found);
|
||||
|
||||
file = new File(this.getClass().getClassLoader().getResource("org.mortbay.jmx.jar").getPath());
|
||||
//file = new File(this.getClass().getClassLoader().getResource("org.mortbay.jmx.jar").getPath());
|
||||
file = BaseTest.getResourceAsFile(this, "org.mortbay.jmx.jar");
|
||||
result = new Dependency(file);
|
||||
instance.analyze(result, null);
|
||||
assertEquals("org.mortbar,jmx.jar has version evidence?", result.getVersionEvidence().size(), 0);
|
||||
|
||||
@@ -84,9 +84,12 @@ public class JavaScriptAnalyzerTest extends BaseTest {
|
||||
*/
|
||||
@Test
|
||||
public void testAnalyze() throws Exception {
|
||||
File jq6 = new File(this.getClass().getClassLoader().getResource("jquery-1.6.2.min.js").getPath());
|
||||
File jq10 = new File(this.getClass().getClassLoader().getResource("jquery-1.10.2.js").getPath());
|
||||
File jq10min = new File(this.getClass().getClassLoader().getResource("jquery-1.10.2.min.js").getPath());
|
||||
//File jq6 = new File(this.getClass().getClassLoader().getResource("jquery-1.6.2.min.js").getPath());
|
||||
File jq6 = BaseTest.getResourceAsFile(this, "jquery-1.6.2.min.js");
|
||||
//File jq10 = new File(this.getClass().getClassLoader().getResource("jquery-1.10.2.js").getPath());
|
||||
File jq10 = BaseTest.getResourceAsFile(this, "jquery-1.10.2.js");
|
||||
//File jq10min = new File(this.getClass().getClassLoader().getResource("jquery-1.10.2.min.js").getPath());
|
||||
File jq10min = BaseTest.getResourceAsFile(this, "jquery-1.10.2.min.js");
|
||||
Dependency depJQ6 = new Dependency(jq6);
|
||||
Dependency depJQ10 = new Dependency(jq10);
|
||||
Dependency depJQ10min = new Dependency(jq10min);
|
||||
|
||||
@@ -21,6 +21,7 @@ import java.io.File;
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
import org.junit.Test;
|
||||
import org.owasp.dependencycheck.BaseTest;
|
||||
import org.owasp.dependencycheck.Engine;
|
||||
import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
@@ -61,10 +62,13 @@ public class VulnerabilitySuppressionAnalyzerIntegrationTest extends AbstractDat
|
||||
@Test
|
||||
public void testAnalyze() throws Exception {
|
||||
|
||||
File file = new File(this.getClass().getClassLoader().getResource("commons-fileupload-1.2.1.jar").getPath());
|
||||
File suppression = new File(this.getClass().getClassLoader().getResource("commons-fileupload-1.2.1.suppression.xml").getPath());
|
||||
//File file = new File(this.getClass().getClassLoader().getResource("commons-fileupload-1.2.1.jar").getPath());
|
||||
File file = BaseTest.getResourceAsFile(this, "commons-fileupload-1.2.1.jar");
|
||||
//File suppression = new File(this.getClass().getClassLoader().getResource("commons-fileupload-1.2.1.suppression.xml").getPath());
|
||||
File suppression = BaseTest.getResourceAsFile(this, "commons-fileupload-1.2.1.suppression.xml");
|
||||
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
|
||||
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
|
||||
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
|
||||
Engine engine = new Engine();
|
||||
engine.scan(file);
|
||||
engine.analyzeDependencies();
|
||||
|
||||
@@ -20,16 +20,10 @@ package org.owasp.dependencycheck.data.lucene;
|
||||
import java.io.IOException;
|
||||
import java.io.Reader;
|
||||
import org.apache.lucene.analysis.Analyzer;
|
||||
import org.apache.lucene.analysis.Analyzer.TokenStreamComponents;
|
||||
import org.apache.lucene.analysis.BaseTokenStreamTestCase;
|
||||
import static org.apache.lucene.analysis.BaseTokenStreamTestCase.checkOneTerm;
|
||||
import org.apache.lucene.analysis.MockTokenizer;
|
||||
import org.apache.lucene.analysis.Tokenizer;
|
||||
import org.apache.lucene.analysis.core.KeywordTokenizer;
|
||||
import org.junit.After;
|
||||
import org.junit.AfterClass;
|
||||
import org.junit.Before;
|
||||
import org.junit.BeforeClass;
|
||||
|
||||
/**
|
||||
*
|
||||
@@ -50,24 +44,6 @@ public class UrlTokenizingFilterTest extends BaseTokenStreamTestCase {
|
||||
};
|
||||
}
|
||||
|
||||
@BeforeClass
|
||||
public static void setUpClass() {
|
||||
}
|
||||
|
||||
@AfterClass
|
||||
public static void tearDownClass() {
|
||||
}
|
||||
|
||||
@Before
|
||||
public void setUp() throws Exception {
|
||||
super.setUp();
|
||||
}
|
||||
|
||||
@After
|
||||
public void tearDown() throws Exception {
|
||||
super.tearDown();
|
||||
}
|
||||
|
||||
/**
|
||||
* test some example domains
|
||||
*/
|
||||
@@ -102,6 +78,6 @@ public class UrlTokenizingFilterTest extends BaseTokenStreamTestCase {
|
||||
return new TokenStreamComponents(tokenizer, new UrlTokenizingFilter(tokenizer));
|
||||
}
|
||||
};
|
||||
checkOneTermReuse(a, "", "");
|
||||
checkOneTerm(a, "", "");
|
||||
}
|
||||
}
|
||||
|
||||
@@ -24,6 +24,7 @@ import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertNotNull;
|
||||
import org.junit.Assume;
|
||||
import org.junit.Before;
|
||||
import org.junit.Ignore;
|
||||
import org.junit.Test;
|
||||
import org.owasp.dependencycheck.BaseTest;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
@@ -42,11 +43,13 @@ public class NexusSearchTest extends BaseTest {
|
||||
}
|
||||
|
||||
@Test(expected = IllegalArgumentException.class)
|
||||
@Ignore
|
||||
public void testNullSha1() throws Exception {
|
||||
searcher.searchSha1(null);
|
||||
}
|
||||
|
||||
@Test(expected = IllegalArgumentException.class)
|
||||
@Ignore
|
||||
public void testMalformedSha1() throws Exception {
|
||||
searcher.searchSha1("invalid");
|
||||
}
|
||||
@@ -55,6 +58,7 @@ public class NexusSearchTest extends BaseTest {
|
||||
// you may not be able to reach. Remove the @Ignore annotation if you want to
|
||||
// test it anyway
|
||||
@Test
|
||||
@Ignore
|
||||
public void testValidSha1() throws Exception {
|
||||
MavenArtifact ma = searcher.searchSha1("9977a8d04e75609cf01badc4eb6a9c7198c4c5ea");
|
||||
assertEquals("Incorrect group", "org.apache.maven.plugins", ma.getGroupId());
|
||||
@@ -67,6 +71,7 @@ public class NexusSearchTest extends BaseTest {
|
||||
// you may not be able to reach. Remove the @Ignore annotation if you want to
|
||||
// test it anyway
|
||||
@Test(expected = FileNotFoundException.class)
|
||||
@Ignore
|
||||
public void testMissingSha1() throws Exception {
|
||||
searcher.searchSha1("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
|
||||
}
|
||||
|
||||
@@ -18,6 +18,7 @@
|
||||
package org.owasp.dependencycheck.data.nuget;
|
||||
|
||||
import java.io.ByteArrayOutputStream;
|
||||
import java.io.File;
|
||||
import java.io.InputStream;
|
||||
import java.io.PrintStream;
|
||||
import static org.junit.Assert.assertEquals;
|
||||
@@ -39,7 +40,8 @@ public class XPathNuspecParserTest extends BaseTest {
|
||||
@Test
|
||||
public void testGoodDocument() throws Exception {
|
||||
NuspecParser parser = new XPathNuspecParser();
|
||||
InputStream is = XPathNuspecParserTest.class.getClassLoader().getResourceAsStream("log4net.2.0.3.nuspec");
|
||||
//InputStream is = XPathNuspecParserTest.class.getClassLoader().getResourceAsStream("log4net.2.0.3.nuspec");
|
||||
InputStream is = BaseTest.getResourceAsStream(this, "log4net.2.0.3.nuspec");
|
||||
NugetPackage np = parser.parse(is);
|
||||
assertEquals("log4net", np.getId());
|
||||
assertEquals("2.0.3", np.getVersion());
|
||||
@@ -57,7 +59,8 @@ public class XPathNuspecParserTest extends BaseTest {
|
||||
@Test(expected = NuspecParseException.class)
|
||||
public void testMissingDocument() throws Exception {
|
||||
NuspecParser parser = new XPathNuspecParser();
|
||||
InputStream is = XPathNuspecParserTest.class.getClassLoader().getResourceAsStream("dependencycheck.properties");
|
||||
//InputStream is = XPathNuspecParserTest.class.getClassLoader().getResourceAsStream("dependencycheck.properties");
|
||||
InputStream is = BaseTest.getResourceAsStream(this, "dependencycheck.properties");
|
||||
|
||||
//hide the fatal message from the core parser
|
||||
final ByteArrayOutputStream myOut = new ByteArrayOutputStream();
|
||||
@@ -74,7 +77,8 @@ public class XPathNuspecParserTest extends BaseTest {
|
||||
@Test(expected = NuspecParseException.class)
|
||||
public void testNotNuspec() throws Exception {
|
||||
NuspecParser parser = new XPathNuspecParser();
|
||||
InputStream is = XPathNuspecParserTest.class.getClassLoader().getResourceAsStream("suppressions.xml");
|
||||
//InputStream is = XPathNuspecParserTest.class.getClassLoader().getResourceAsStream("suppressions.xml");
|
||||
InputStream is = BaseTest.getResourceAsStream(this, "suppressions.xml");
|
||||
NugetPackage np = parser.parse(is);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -17,11 +17,14 @@
|
||||
*/
|
||||
package org.owasp.dependencycheck.data.nvdcve;
|
||||
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map.Entry;
|
||||
import java.util.Set;
|
||||
import static org.junit.Assert.assertFalse;
|
||||
import org.junit.Assert;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
import org.junit.Test;
|
||||
import org.owasp.dependencycheck.dependency.Vulnerability;
|
||||
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
|
||||
import org.owasp.dependencycheck.utils.DependencyVersion;
|
||||
|
||||
@@ -66,28 +69,94 @@ public class CveDBIntegrationTest extends BaseDBTestCase {
|
||||
public void testGetVulnerabilities() throws Exception {
|
||||
String cpeStr = "cpe:/a:apache:struts:2.1.2";
|
||||
CveDB instance = new CveDB();
|
||||
List<Vulnerability> results;
|
||||
try {
|
||||
instance.open();
|
||||
List result = instance.getVulnerabilities(cpeStr);
|
||||
assertTrue(result.size() > 5);
|
||||
results = instance.getVulnerabilities(cpeStr);
|
||||
assertTrue(results.size() > 5);
|
||||
cpeStr = "cpe:/a:jruby:jruby:1.6.3";
|
||||
results = instance.getVulnerabilities(cpeStr);
|
||||
assertTrue(results.size() > 1);
|
||||
|
||||
boolean found = false;
|
||||
String expected = "CVE-2011-4838";
|
||||
for (Vulnerability v : results) {
|
||||
if (expected.equals(v.getName())) {
|
||||
found = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
assertTrue("Expected " + expected + ", but was not identified", found);
|
||||
|
||||
found = false;
|
||||
expected = "CVE-2012-5370";
|
||||
for (Vulnerability v : results) {
|
||||
if (expected.equals(v.getName())) {
|
||||
found = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
assertTrue("Expected " + expected + ", but was not identified", found);
|
||||
|
||||
} finally {
|
||||
instance.close();
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Test of isAffected method, of class CveDB.
|
||||
* Test of getMatchingSoftware method, of class CveDB.
|
||||
*/
|
||||
@Test
|
||||
public void testIsAffected() throws Exception {
|
||||
String vendor = "openssl";
|
||||
String product = "openssl";
|
||||
public void testGetMatchingSoftware() throws Exception {
|
||||
HashMap<String, Boolean> versions = new HashMap<String, Boolean>();
|
||||
DependencyVersion identifiedVersion = new DependencyVersion("1.0.1o");
|
||||
String cpeId = "cpe:/a:openssl:openssl:1.0.1e";
|
||||
String previous = "y";
|
||||
versions.put("cpe:/a:openssl:openssl:1.0.1e", Boolean.FALSE);
|
||||
|
||||
CveDB instance = new CveDB();
|
||||
assertFalse(instance.isAffected(vendor, product, identifiedVersion, cpeId, previous));
|
||||
Entry<String, Boolean> results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
|
||||
Assert.assertNull(results);
|
||||
versions.put("cpe:/a:openssl:openssl:1.0.1p", Boolean.FALSE);
|
||||
results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
|
||||
Assert.assertNull(results);
|
||||
|
||||
versions.put("cpe:/a:openssl:openssl:1.0.1q", Boolean.TRUE);
|
||||
results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
|
||||
Assert.assertNotNull(results);
|
||||
Assert.assertEquals("cpe:/a:openssl:openssl:1.0.1q", results.getKey());
|
||||
|
||||
versions.clear();
|
||||
|
||||
versions.put("cpe:/a:springsource:spring_framework:3.2.5", Boolean.FALSE);
|
||||
versions.put("cpe:/a:springsource:spring_framework:3.2.6", Boolean.FALSE);
|
||||
versions.put("cpe:/a:springsource:spring_framework:3.2.7", Boolean.TRUE);
|
||||
|
||||
versions.put("cpe:/a:springsource:spring_framework:4.0.1", Boolean.TRUE);
|
||||
versions.put("cpe:/a:springsource:spring_framework:4.0.0:m1", Boolean.FALSE);
|
||||
versions.put("cpe:/a:springsource:spring_framework:4.0.0:m2", Boolean.FALSE);
|
||||
versions.put("cpe:/a:springsource:spring_framework:4.0.0:rc1", Boolean.FALSE);
|
||||
|
||||
identifiedVersion = new DependencyVersion("3.2.2");
|
||||
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
|
||||
Assert.assertEquals("cpe:/a:springsource:spring_framework:3.2.7", results.getKey());
|
||||
Assert.assertTrue(results.getValue());
|
||||
identifiedVersion = new DependencyVersion("3.2.12");
|
||||
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
|
||||
Assert.assertNull(results);
|
||||
|
||||
identifiedVersion = new DependencyVersion("4.0.0");
|
||||
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
|
||||
Assert.assertEquals("cpe:/a:springsource:spring_framework:4.0.1", results.getKey());
|
||||
Assert.assertTrue(results.getValue());
|
||||
identifiedVersion = new DependencyVersion("4.1.0");
|
||||
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
|
||||
Assert.assertNull(results);
|
||||
|
||||
versions.clear();
|
||||
|
||||
versions.put("cpe:/a:jruby:jruby:-", Boolean.FALSE);
|
||||
identifiedVersion = new DependencyVersion("1.6.3");
|
||||
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
|
||||
Assert.assertNotNull(results);
|
||||
|
||||
}
|
||||
|
||||
|
||||
@@ -27,6 +27,7 @@ import static org.junit.Assert.assertTrue;
|
||||
import org.junit.Before;
|
||||
import org.junit.BeforeClass;
|
||||
import org.junit.Test;
|
||||
import org.owasp.dependencycheck.BaseTest;
|
||||
|
||||
/**
|
||||
*
|
||||
@@ -85,7 +86,8 @@ public class DriverLoaderTest {
|
||||
public void testLoad_String_String() throws Exception {
|
||||
String className = "com.mysql.jdbc.Driver";
|
||||
//we know this is in target/test-classes
|
||||
File testClassPath = (new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath())).getParentFile();
|
||||
//File testClassPath = (new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath())).getParentFile();
|
||||
File testClassPath = BaseTest.getResourceAsFile(this, "org.mortbay.jetty.jar").getParentFile();
|
||||
File driver = new File(testClassPath, "../../src/test/resources/mysql-connector-java-5.1.27-bin.jar");
|
||||
assertTrue("MySQL Driver JAR file not found in src/test/resources?", driver.isFile());
|
||||
|
||||
@@ -108,7 +110,8 @@ public class DriverLoaderTest {
|
||||
public void testLoad_String_String_multiple_paths() throws Exception {
|
||||
final String className = "com.mysql.jdbc.Driver";
|
||||
//we know this is in target/test-classes
|
||||
final File testClassPath = (new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath())).getParentFile();
|
||||
//final File testClassPath = (new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath())).getParentFile();
|
||||
final File testClassPath = BaseTest.getResourceAsFile(this, "org.mortbay.jetty.jar").getParentFile();
|
||||
final File dir1 = new File(testClassPath, "../../src/test/");
|
||||
final File dir2 = new File(testClassPath, "../../src/test/resources/");
|
||||
final String paths = String.format("%s" + File.pathSeparator + "%s", dir1.getAbsolutePath(), dir2.getAbsolutePath());
|
||||
@@ -130,7 +133,8 @@ public class DriverLoaderTest {
|
||||
public void testLoad_String_String_badClassName() throws Exception {
|
||||
String className = "com.mybad.jdbc.Driver";
|
||||
//we know this is in target/test-classes
|
||||
File testClassPath = (new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath())).getParentFile();
|
||||
//File testClassPath = (new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath())).getParentFile();
|
||||
File testClassPath = BaseTest.getResourceAsFile(this, "org.mortbay.jetty.jar").getParentFile();
|
||||
File driver = new File(testClassPath, "../../src/test/resources/mysql-connector-java-5.1.27-bin.jar");
|
||||
assertTrue("MySQL Driver JAR file not found in src/test/resources?", driver.isFile());
|
||||
|
||||
@@ -144,7 +148,8 @@ public class DriverLoaderTest {
|
||||
public void testLoad_String_String_badPath() throws Exception {
|
||||
String className = "com.mysql.jdbc.Driver";
|
||||
//we know this is in target/test-classes
|
||||
File testClassPath = (new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath())).getParentFile();
|
||||
//File testClassPath = (new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath())).getParentFile();
|
||||
File testClassPath = BaseTest.getResourceAsFile(this, "org.mortbay.jetty.jar").getParentFile();
|
||||
File driver = new File(testClassPath, "../../src/test/bad/mysql-connector-java-5.1.27-bin.jar");
|
||||
Driver d = DriverLoader.load(className, driver.getAbsolutePath());
|
||||
}
|
||||
|
||||
@@ -0,0 +1,145 @@
|
||||
/*
|
||||
* Copyright 2014 OWASP.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.owasp.dependencycheck.data.update;
|
||||
|
||||
import java.text.DateFormat;
|
||||
import java.text.SimpleDateFormat;
|
||||
import java.util.Properties;
|
||||
import mockit.Mock;
|
||||
import mockit.MockUp;
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
import org.junit.Test;
|
||||
import org.owasp.dependencycheck.BaseTest;
|
||||
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
|
||||
import org.owasp.dependencycheck.data.update.exception.UpdateException;
|
||||
import org.owasp.dependencycheck.utils.DependencyVersion;
|
||||
|
||||
/**
|
||||
*
|
||||
* @author Jeremy Long <jeremy.long@owasp.org>
|
||||
*/
|
||||
public class EngineVersionCheckTest extends BaseTest {
|
||||
|
||||
// /**
|
||||
// * Test of update method, of class EngineVersionCheck.
|
||||
// */
|
||||
// @Test
|
||||
// public void testUpdate() throws Exception {
|
||||
// EngineVersionCheck instance = new EngineVersionCheck();
|
||||
// instance.update();
|
||||
// }
|
||||
/**
|
||||
* Test of shouldUpdate method, of class EngineVersionCheck.
|
||||
*/
|
||||
@Test
|
||||
public void testShouldUpdate() throws Exception {
|
||||
DatabaseProperties properties = new MockUp<DatabaseProperties>() {
|
||||
final private Properties properties = new Properties();
|
||||
|
||||
@Mock
|
||||
public void save(String key, String value) throws UpdateException {
|
||||
properties.setProperty(key, value);
|
||||
}
|
||||
|
||||
@Mock
|
||||
public String getProperty(String key) {
|
||||
return properties.getProperty(key);
|
||||
}
|
||||
|
||||
}.getMockInstance();
|
||||
|
||||
DateFormat df = new SimpleDateFormat("yyyy-MM-dd");
|
||||
|
||||
String updateToVersion = "1.2.6";
|
||||
String currentVersion = "1.2.6";
|
||||
long lastChecked = df.parse("2014-12-01").getTime();
|
||||
long now = df.parse("2014-12-01").getTime();
|
||||
|
||||
EngineVersionCheck instance = new EngineVersionCheck();
|
||||
boolean expResult = false;
|
||||
instance.setUpdateToVersion(updateToVersion);
|
||||
boolean result = instance.shouldUpdate(lastChecked, now, properties, currentVersion);
|
||||
assertEquals(expResult, result);
|
||||
|
||||
updateToVersion = "1.2.5";
|
||||
currentVersion = "1.2.5";
|
||||
lastChecked = df.parse("2014-10-01").getTime();
|
||||
now = df.parse("2014-12-01").getTime();
|
||||
expResult = true;
|
||||
instance.setUpdateToVersion(updateToVersion);
|
||||
result = instance.shouldUpdate(lastChecked, now, properties, currentVersion);
|
||||
assertEquals(expResult, result);
|
||||
//System.out.println(properties.getProperty(CURRENT_ENGINE_RELEASE));
|
||||
|
||||
updateToVersion = "1.2.5";
|
||||
currentVersion = "1.2.5";
|
||||
lastChecked = df.parse("2014-12-01").getTime();
|
||||
now = df.parse("2014-12-03").getTime();
|
||||
expResult = false;
|
||||
instance.setUpdateToVersion(updateToVersion);
|
||||
result = instance.shouldUpdate(lastChecked, now, properties, currentVersion);
|
||||
assertEquals(expResult, result);
|
||||
|
||||
updateToVersion = "1.2.6";
|
||||
currentVersion = "1.2.5";
|
||||
lastChecked = df.parse("2014-12-01").getTime();
|
||||
now = df.parse("2014-12-03").getTime();
|
||||
expResult = true;
|
||||
instance.setUpdateToVersion(updateToVersion);
|
||||
result = instance.shouldUpdate(lastChecked, now, properties, currentVersion);
|
||||
assertEquals(expResult, result);
|
||||
|
||||
updateToVersion = "1.2.5";
|
||||
currentVersion = "1.2.6";
|
||||
lastChecked = df.parse("2014-12-01").getTime();
|
||||
now = df.parse("2014-12-08").getTime();
|
||||
expResult = false;
|
||||
instance.setUpdateToVersion(updateToVersion);
|
||||
result = instance.shouldUpdate(lastChecked, now, properties, currentVersion);
|
||||
assertEquals(expResult, result);
|
||||
|
||||
updateToVersion = "";
|
||||
currentVersion = "1.2.5";
|
||||
lastChecked = df.parse("2014-12-01").getTime();
|
||||
now = df.parse("2014-12-03").getTime();
|
||||
expResult = false;
|
||||
instance.setUpdateToVersion(updateToVersion);
|
||||
result = instance.shouldUpdate(lastChecked, now, properties, currentVersion);
|
||||
assertEquals(expResult, result);
|
||||
|
||||
updateToVersion = "";
|
||||
currentVersion = "1.2.5";
|
||||
lastChecked = df.parse("2014-12-01").getTime();
|
||||
now = df.parse("2014-12-08").getTime();
|
||||
expResult = true;
|
||||
instance.setUpdateToVersion(updateToVersion);
|
||||
result = instance.shouldUpdate(lastChecked, now, properties, currentVersion);
|
||||
assertEquals(expResult, result);
|
||||
}
|
||||
|
||||
/**
|
||||
* Test of getCurrentReleaseVersion method, of class EngineVersionCheck.
|
||||
*/
|
||||
@Test
|
||||
public void testGetCurrentReleaseVersion() {
|
||||
EngineVersionCheck instance = new EngineVersionCheck();
|
||||
DependencyVersion minExpResult = new DependencyVersion("1.2.6");
|
||||
String release = instance.getCurrentReleaseVersion();
|
||||
DependencyVersion result = new DependencyVersion(release);
|
||||
assertTrue(minExpResult.compareTo(result) <= 0);
|
||||
}
|
||||
}
|
||||
@@ -34,7 +34,8 @@ public class NvdCveUpdaterIntegrationTest extends BaseTest {
|
||||
public void setUp() throws Exception {
|
||||
int year = Calendar.getInstance().get(Calendar.YEAR);
|
||||
if (year <= 2014) {
|
||||
File f = new File(NvdCveUpdaterIntegrationTest.class.getClassLoader().getResource("nvdcve-2.0-2014.xml").getPath());
|
||||
//File f = new File(NvdCveUpdaterIntegrationTest.class.getClassLoader().getResource("nvdcve-2.0-2014.xml").getPath());
|
||||
File f = BaseTest.getResourceAsFile(this, "nvdcve-2.0-2014.xml");
|
||||
String baseURL = f.toURI().toURL().toString();
|
||||
String modified12 = baseURL.replace("nvdcve-2.0-2014.xml", "nvdcve-modified.xml");
|
||||
String modified20 = baseURL.replace("nvdcve-2.0-2014.xml", "nvdcve-2.0-modified.xml");
|
||||
|
||||
@@ -18,8 +18,6 @@
|
||||
package org.owasp.dependencycheck.data.update;
|
||||
|
||||
import java.net.MalformedURLException;
|
||||
import java.util.Calendar;
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertNotNull;
|
||||
import org.junit.Test;
|
||||
import org.owasp.dependencycheck.BaseTest;
|
||||
@@ -47,26 +45,6 @@ public class StandardUpdateIntegrationTest extends BaseTest {
|
||||
instance.closeDataStores();
|
||||
}
|
||||
|
||||
/**
|
||||
* Test of withinRange method, of class StandardUpdate.
|
||||
*/
|
||||
@Test
|
||||
public void testWithinRange() throws Exception {
|
||||
Calendar c = Calendar.getInstance();
|
||||
|
||||
long current = c.getTimeInMillis();
|
||||
long lastRun = c.getTimeInMillis() - (3 * (1000 * 60 * 60 * 24));
|
||||
int range = 7; // 7 days
|
||||
StandardUpdate instance = getStandardUpdateTask();
|
||||
boolean expResult = true;
|
||||
boolean result = instance.withinRange(lastRun, current, range);
|
||||
assertEquals(expResult, result);
|
||||
|
||||
lastRun = c.getTimeInMillis() - (8 * (1000 * 60 * 60 * 24));
|
||||
expResult = false;
|
||||
result = instance.withinRange(lastRun, current, range);
|
||||
assertEquals(expResult, result);
|
||||
}
|
||||
// test removed as it is duplicative of the EngineIntegrationTest and the NvdCveUpdaterIntergraionTest
|
||||
// /**
|
||||
// * Test of update method, of class StandardUpdate.
|
||||
@@ -77,7 +55,6 @@ public class StandardUpdateIntegrationTest extends BaseTest {
|
||||
// instance.update();
|
||||
// //TODO make this an actual test
|
||||
// }
|
||||
|
||||
/**
|
||||
* Test of updatesNeeded method, of class StandardUpdate.
|
||||
*/
|
||||
|
||||
@@ -68,7 +68,7 @@ public class DownloadTaskTest {
|
||||
cve.setOldSchemaVersionUrl(Settings.getString(Settings.KEYS.CVE_MODIFIED_12_URL));
|
||||
ExecutorService processExecutor = null;
|
||||
CveDB cveDB = null;
|
||||
DownloadTask instance = new DownloadTask(cve, processExecutor, cveDB, Settings.getInstance());;
|
||||
DownloadTask instance = new DownloadTask(cve, processExecutor, cveDB, Settings.getInstance());
|
||||
Future<ProcessTask> result = instance.call();
|
||||
assertNull(result);
|
||||
}
|
||||
|
||||
@@ -28,6 +28,7 @@ import static org.junit.Assert.assertTrue;
|
||||
import org.junit.Before;
|
||||
import org.junit.BeforeClass;
|
||||
import org.junit.Test;
|
||||
import org.owasp.dependencycheck.BaseTest;
|
||||
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
|
||||
|
||||
/**
|
||||
@@ -60,7 +61,8 @@ public class NvdCve_1_2_HandlerTest {
|
||||
SAXParserFactory factory = SAXParserFactory.newInstance();
|
||||
SAXParser saxParser = factory.newSAXParser();
|
||||
|
||||
File file = new File(this.getClass().getClassLoader().getResource("nvdcve-2012.xml").getPath());
|
||||
//File file = new File(this.getClass().getClassLoader().getResource("nvdcve-2012.xml").getPath());
|
||||
File file = BaseTest.getResourceAsFile(this, "nvdcve-2012.xml");
|
||||
|
||||
NvdCve12Handler instance = new NvdCve12Handler();
|
||||
saxParser.parse(file, instance);
|
||||
|
||||
@@ -26,6 +26,7 @@ import static org.junit.Assert.assertTrue;
|
||||
import org.junit.Before;
|
||||
import org.junit.BeforeClass;
|
||||
import org.junit.Test;
|
||||
import org.owasp.dependencycheck.BaseTest;
|
||||
|
||||
/**
|
||||
*
|
||||
@@ -59,7 +60,8 @@ public class NvdCve_2_0_HandlerTest {
|
||||
SAXParserFactory factory = SAXParserFactory.newInstance();
|
||||
SAXParser saxParser = factory.newSAXParser();
|
||||
|
||||
File file = new File(this.getClass().getClassLoader().getResource("nvdcve-2.0-2012.xml").getPath());
|
||||
//File file = new File(this.getClass().getClassLoader().getResource("nvdcve-2.0-2012.xml").getPath());
|
||||
File file = BaseTest.getResourceAsFile(this, "nvdcve-2.0-2012.xml");
|
||||
|
||||
NvdCve20Handler instance = new NvdCve20Handler();
|
||||
|
||||
|
||||
@@ -28,6 +28,7 @@ import static org.junit.Assert.assertTrue;
|
||||
import org.junit.Before;
|
||||
import org.junit.BeforeClass;
|
||||
import org.junit.Test;
|
||||
import org.owasp.dependencycheck.BaseTest;
|
||||
import org.owasp.dependencycheck.data.nexus.MavenArtifact;
|
||||
|
||||
/**
|
||||
@@ -152,7 +153,9 @@ public class DependencyTest {
|
||||
*/
|
||||
@Test
|
||||
public void testGetMd5sum() {
|
||||
File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
|
||||
//File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
|
||||
File file = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
|
||||
|
||||
Dependency instance = new Dependency(file);
|
||||
//assertEquals("89CE9E36AA9A9E03F1450936D2F4F8DD0F961F8B", result.getSha1sum());
|
||||
String expResult = "C30B57142E1CCBC1EFD5CD15F307358F";
|
||||
@@ -176,7 +179,8 @@ public class DependencyTest {
|
||||
*/
|
||||
@Test
|
||||
public void testGetSha1sum() {
|
||||
File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
|
||||
//File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
|
||||
File file = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
|
||||
Dependency instance = new Dependency(file);
|
||||
String expResult = "89CE9E36AA9A9E03F1450936D2F4F8DD0F961F8B";
|
||||
String result = instance.getSha1sum();
|
||||
|
||||
@@ -105,8 +105,8 @@ public class ReportGeneratorIntegrationTest extends BaseTest {
|
||||
}
|
||||
|
||||
/**
|
||||
* Generates an XML report containing known vulnerabilities and realistic data and validates the generated XML
|
||||
* document against the XSD.
|
||||
* Generates an XML report containing known vulnerabilities and realistic data and validates the generated XML document
|
||||
* against the XSD.
|
||||
*
|
||||
* @throws Exception
|
||||
*/
|
||||
@@ -120,9 +120,12 @@ public class ReportGeneratorIntegrationTest extends BaseTest {
|
||||
}
|
||||
String writeTo = "target/test-reports/Report.xml";
|
||||
|
||||
File struts = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
|
||||
File axis = new File(this.getClass().getClassLoader().getResource("axis2-adb-1.4.1.jar").getPath());
|
||||
File jetty = new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath());
|
||||
//File struts = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
|
||||
File struts = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
|
||||
//File axis = new File(this.getClass().getClassLoader().getResource("axis2-adb-1.4.1.jar").getPath());
|
||||
File axis = BaseTest.getResourceAsFile(this, "axis2-adb-1.4.1.jar");
|
||||
//File jetty = new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath());
|
||||
File jetty = BaseTest.getResourceAsFile(this, "org.mortbay.jetty.jar");
|
||||
|
||||
boolean autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
|
||||
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
|
||||
|
||||
@@ -31,6 +31,7 @@ import static org.junit.Assert.assertTrue;
|
||||
import org.junit.Before;
|
||||
import org.junit.BeforeClass;
|
||||
import org.junit.Test;
|
||||
import org.owasp.dependencycheck.BaseTest;
|
||||
import org.xml.sax.InputSource;
|
||||
import org.xml.sax.XMLReader;
|
||||
|
||||
@@ -66,9 +67,11 @@ public class SuppressionHandlerTest {
|
||||
*/
|
||||
@Test
|
||||
public void testHandler() throws Exception {
|
||||
File file = new File(this.getClass().getClassLoader().getResource("suppressions.xml").getPath());
|
||||
//File file = new File(this.getClass().getClassLoader().getResource("suppressions.xml").getPath());
|
||||
File file = BaseTest.getResourceAsFile(this, "suppressions.xml");
|
||||
|
||||
File schema = new File(this.getClass().getClassLoader().getResource("schema/suppression.xsd").getPath());
|
||||
//File schema = new File(this.getClass().getClassLoader().getResource("schema/suppression.xsd").getPath());
|
||||
File schema = BaseTest.getResourceAsFile(this, "schema/suppression.xsd");
|
||||
SuppressionHandler handler = new SuppressionHandler();
|
||||
|
||||
SAXParserFactory factory = SAXParserFactory.newInstance();
|
||||
|
||||
@@ -25,6 +25,7 @@ import static org.junit.Assert.assertTrue;
|
||||
import org.junit.Before;
|
||||
import org.junit.BeforeClass;
|
||||
import org.junit.Test;
|
||||
import org.owasp.dependencycheck.BaseTest;
|
||||
|
||||
/**
|
||||
* Test of the suppression parser.
|
||||
@@ -57,7 +58,8 @@ public class SuppressionParserTest {
|
||||
*/
|
||||
@Test
|
||||
public void testParseSuppressionRules() throws Exception {
|
||||
File file = new File(this.getClass().getClassLoader().getResource("suppressions.xml").getPath());
|
||||
//File file = new File(this.getClass().getClassLoader().getResource("suppressions.xml").getPath());
|
||||
File file = BaseTest.getResourceAsFile(this, "suppressions.xml");
|
||||
SuppressionParser instance = new SuppressionParser();
|
||||
List result = instance.parseSuppressionRules(file);
|
||||
assertTrue(result.size() > 3);
|
||||
|
||||
@@ -28,6 +28,7 @@ import static org.junit.Assert.assertTrue;
|
||||
import org.junit.Before;
|
||||
import org.junit.BeforeClass;
|
||||
import org.junit.Test;
|
||||
import org.owasp.dependencycheck.BaseTest;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.Identifier;
|
||||
import org.owasp.dependencycheck.dependency.Vulnerability;
|
||||
@@ -422,7 +423,8 @@ public class SuppressionRuleTest {
|
||||
*/
|
||||
@Test
|
||||
public void testProcess() {
|
||||
File struts = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
|
||||
//File struts = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
|
||||
File struts = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
|
||||
Dependency dependency = new Dependency(struts);
|
||||
dependency.addIdentifier("cpe", "cpe:/a:microsoft:.net_framework:4.5", "some url not needed for this test");
|
||||
String sha1 = dependency.getSha1sum();
|
||||
@@ -501,7 +503,8 @@ public class SuppressionRuleTest {
|
||||
*/
|
||||
@Test
|
||||
public void testProcessGAV() {
|
||||
File spring = new File(this.getClass().getClassLoader().getResource("spring-security-web-3.0.0.RELEASE.jar").getPath());
|
||||
//File spring = new File(this.getClass().getClassLoader().getResource("spring-security-web-3.0.0.RELEASE.jar").getPath());
|
||||
File spring = BaseTest.getResourceAsFile(this, "spring-security-web-3.0.0.RELEASE.jar");
|
||||
Dependency dependency = new Dependency(spring);
|
||||
dependency.addIdentifier("cpe", "cpe:/a:vmware:springsource_spring_framework:3.0.0", "some url not needed for this test");
|
||||
dependency.addIdentifier("cpe", "cpe:/a:springsource:spring_framework:3.0.0", "some url not needed for this test");
|
||||
|
||||
@@ -0,0 +1,71 @@
|
||||
/*
|
||||
* Copyright 2014 OWASP.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.owasp.dependencycheck.utils;
|
||||
|
||||
import java.util.Calendar;
|
||||
import org.junit.After;
|
||||
import org.junit.AfterClass;
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import org.junit.Before;
|
||||
import org.junit.BeforeClass;
|
||||
import org.junit.Test;
|
||||
|
||||
/**
|
||||
*
|
||||
* @author Jeremy Long <jeremy.long@owasp.org>
|
||||
*/
|
||||
public class DateUtilTest {
|
||||
|
||||
public DateUtilTest() {
|
||||
}
|
||||
|
||||
@BeforeClass
|
||||
public static void setUpClass() {
|
||||
}
|
||||
|
||||
@AfterClass
|
||||
public static void tearDownClass() {
|
||||
}
|
||||
|
||||
@Before
|
||||
public void setUp() {
|
||||
}
|
||||
|
||||
@After
|
||||
public void tearDown() {
|
||||
}
|
||||
|
||||
/**
|
||||
* Test of withinDateRange method, of class DateUtil.
|
||||
*/
|
||||
@Test
|
||||
public void testWithinDateRange() {
|
||||
Calendar c = Calendar.getInstance();
|
||||
|
||||
long current = c.getTimeInMillis();
|
||||
long lastRun = c.getTimeInMillis() - (3 * (1000 * 60 * 60 * 24));
|
||||
int range = 7; // 7 days
|
||||
boolean expResult = true;
|
||||
boolean result = DateUtil.withinDateRange(lastRun, current, range);
|
||||
assertEquals(expResult, result);
|
||||
|
||||
lastRun = c.getTimeInMillis() - (8 * (1000 * 60 * 60 * 24));
|
||||
expResult = false;
|
||||
result = DateUtil.withinDateRange(lastRun, current, range);
|
||||
assertEquals(expResult, result);
|
||||
}
|
||||
|
||||
}
|
||||
@@ -3,6 +3,9 @@ application.version=${pom.version}
|
||||
autoupdate=true
|
||||
max.download.threads=3
|
||||
|
||||
# the url to obtain the current engine version from
|
||||
engine.version.url=http://jeremylong.github.io/DependencyCheck/current.txt
|
||||
|
||||
#temp.directory defaults to System.getProperty("java.io.tmpdir")
|
||||
#temp.directory=[path to temp directory]
|
||||
|
||||
|
||||
@@ -3,9 +3,8 @@
|
||||
<parent>
|
||||
<groupId>org.owasp</groupId>
|
||||
<artifactId>dependency-check-parent</artifactId>
|
||||
<version>1.2.6</version>
|
||||
<version>1.2.9</version>
|
||||
</parent>
|
||||
<groupId>org.owasp</groupId>
|
||||
<artifactId>dependency-check-jenkins</artifactId>
|
||||
<name>Dependency-Check Jenkins Plugin</name>
|
||||
<url>http://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin</url>
|
||||
@@ -59,7 +58,6 @@
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-site-plugin</artifactId>
|
||||
<version>3.3</version>
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>org.apache.maven.doxia</groupId>
|
||||
|
||||
@@ -22,7 +22,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
|
||||
<parent>
|
||||
<groupId>org.owasp</groupId>
|
||||
<artifactId>dependency-check-parent</artifactId>
|
||||
<version>1.2.6</version>
|
||||
<version>1.2.9</version>
|
||||
</parent>
|
||||
|
||||
<artifactId>dependency-check-maven</artifactId>
|
||||
@@ -40,9 +40,6 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
|
||||
</site>
|
||||
</distributionManagement>
|
||||
<!-- end copy -->
|
||||
<prerequisites>
|
||||
<maven>3.0</maven>
|
||||
</prerequisites>
|
||||
<build>
|
||||
<resources>
|
||||
<resource>
|
||||
@@ -66,7 +63,6 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-plugin-plugin</artifactId>
|
||||
<version>3.2</version>
|
||||
<configuration>
|
||||
<skipErrorNoDescriptorsFound>true</skipErrorNoDescriptorsFound>
|
||||
<goalPrefix>dependency-check</goalPrefix>
|
||||
@@ -86,11 +82,26 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
|
||||
</execution>
|
||||
</executions>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-surefire-plugin</artifactId>
|
||||
<configuration>
|
||||
<systemProperties>
|
||||
<property>
|
||||
<name>data.directory</name>
|
||||
<value>${project.build.directory}/dependency-check-data</value>
|
||||
</property>
|
||||
<property>
|
||||
<name>temp.directory</name>
|
||||
<value>${project.build.directory}/temp</value>
|
||||
</property>
|
||||
</systemProperties>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<inherited>true</inherited>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-enforcer-plugin</artifactId>
|
||||
<version>1.2</version>
|
||||
<executions>
|
||||
<execution>
|
||||
<id>enforce-maven-3</id>
|
||||
@@ -110,169 +121,135 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-site-plugin</artifactId>
|
||||
<version>3.3</version>
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>org.apache.maven.doxia</groupId>
|
||||
<artifactId>doxia-module-markdown</artifactId>
|
||||
<version>1.5</version>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
<artifactId>maven-compiler-plugin</artifactId>
|
||||
</plugin>
|
||||
</plugins>
|
||||
</build>
|
||||
<reporting>
|
||||
<plugins>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-plugin-plugin</artifactId>
|
||||
<version>3.2</version>
|
||||
<configuration>
|
||||
<skipDeploy>true</skipDeploy>
|
||||
<reportPlugins>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-project-info-reports-plugin</artifactId>
|
||||
<version>2.7</version>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<reports>
|
||||
<report>index</report>
|
||||
<report>summary</report>
|
||||
<report>license</report>
|
||||
<report>help</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-plugin-plugin</artifactId>
|
||||
<version>3.2</version>
|
||||
<configuration>
|
||||
<goalPrefix>dependency-check</goalPrefix>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-javadoc-plugin</artifactId>
|
||||
<version>2.9.1</version>
|
||||
<configuration>
|
||||
<bottom>Copyright© 2012-14 Jeremy Long. All Rights Reserved.</bottom>
|
||||
</configuration>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<id>default</id>
|
||||
<reports>
|
||||
<report>javadoc</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>versions-maven-plugin</artifactId>
|
||||
<version>2.1</version>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<reports>
|
||||
<report>dependency-updates-report</report>
|
||||
<report>plugin-updates-report</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-jxr-plugin</artifactId>
|
||||
<version>2.4</version>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>cobertura-maven-plugin</artifactId>
|
||||
<version>2.6</version>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-surefire-report-plugin</artifactId>
|
||||
<version>2.16</version>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<reports>
|
||||
<report>report-only</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>taglist-maven-plugin</artifactId>
|
||||
<version>2.4</version>
|
||||
<configuration>
|
||||
<tagListOptions>
|
||||
<tagClasses>
|
||||
<tagClass>
|
||||
<displayName>Todo Work</displayName>
|
||||
<tags>
|
||||
<tag>
|
||||
<matchString>todo</matchString>
|
||||
<matchType>ignoreCase</matchType>
|
||||
</tag>
|
||||
<tag>
|
||||
<matchString>FIXME</matchString>
|
||||
<matchType>exact</matchType>
|
||||
</tag>
|
||||
</tags>
|
||||
</tagClass>
|
||||
</tagClasses>
|
||||
</tagListOptions>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-checkstyle-plugin</artifactId>
|
||||
<version>2.11</version>
|
||||
<configuration>
|
||||
<enableRulesSummary>false</enableRulesSummary>
|
||||
<configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
|
||||
<headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
|
||||
<suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
|
||||
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-pmd-plugin</artifactId>
|
||||
<version>3.1</version>
|
||||
<configuration>
|
||||
<targetJdk>1.6</targetJdk>
|
||||
<linkXref>true</linkXref>
|
||||
<sourceEncoding>utf-8</sourceEncoding>
|
||||
<excludes>
|
||||
<exclude>**/generated/**/*.java</exclude>
|
||||
<exclude>**/HelpMojo.java</exclude>
|
||||
</excludes>
|
||||
<rulesets>
|
||||
<ruleset>../src/main/config/dcrules.xml</ruleset>
|
||||
<ruleset>/rulesets/java/basic.xml</ruleset>
|
||||
<ruleset>/rulesets/java/imports.xml</ruleset>
|
||||
<ruleset>/rulesets/java/unusedcode.xml</ruleset>
|
||||
</rulesets>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>findbugs-maven-plugin</artifactId>
|
||||
<version>2.5.3</version>
|
||||
</plugin>
|
||||
</reportPlugins>
|
||||
<goalPrefix>dependency-check</goalPrefix>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-compiler-plugin</artifactId>
|
||||
<version>3.1</version>
|
||||
<artifactId>maven-javadoc-plugin</artifactId>
|
||||
<version>2.9.1</version>
|
||||
<configuration>
|
||||
<showDeprecation>false</showDeprecation>
|
||||
<source>1.6</source>
|
||||
<target>1.6</target>
|
||||
<bottom>Copyright© 2012-15 Jeremy Long. All Rights Reserved.</bottom>
|
||||
</configuration>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<id>default</id>
|
||||
<reports>
|
||||
<report>javadoc</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>versions-maven-plugin</artifactId>
|
||||
<version>2.1</version>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<reports>
|
||||
<report>dependency-updates-report</report>
|
||||
<report>plugin-updates-report</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-jxr-plugin</artifactId>
|
||||
<version>2.4</version>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>cobertura-maven-plugin</artifactId>
|
||||
<version>2.6</version>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-surefire-report-plugin</artifactId>
|
||||
<version>2.16</version>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<reports>
|
||||
<report>report-only</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>taglist-maven-plugin</artifactId>
|
||||
<version>2.4</version>
|
||||
<configuration>
|
||||
<tagListOptions>
|
||||
<tagClasses>
|
||||
<tagClass>
|
||||
<displayName>Todo Work</displayName>
|
||||
<tags>
|
||||
<tag>
|
||||
<matchString>todo</matchString>
|
||||
<matchType>ignoreCase</matchType>
|
||||
</tag>
|
||||
<tag>
|
||||
<matchString>FIXME</matchString>
|
||||
<matchType>exact</matchType>
|
||||
</tag>
|
||||
</tags>
|
||||
</tagClass>
|
||||
</tagClasses>
|
||||
</tagListOptions>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-checkstyle-plugin</artifactId>
|
||||
<version>2.11</version>
|
||||
<configuration>
|
||||
<enableRulesSummary>false</enableRulesSummary>
|
||||
<enableFilesSummary>false</enableFilesSummary>
|
||||
<configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
|
||||
<headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
|
||||
<suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
|
||||
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-pmd-plugin</artifactId>
|
||||
<version>3.1</version>
|
||||
<configuration>
|
||||
<targetJdk>1.6</targetJdk>
|
||||
<linkXref>true</linkXref>
|
||||
<sourceEncoding>utf-8</sourceEncoding>
|
||||
<excludes>
|
||||
<exclude>**/generated/**/*.java</exclude>
|
||||
<exclude>**/HelpMojo.java</exclude>
|
||||
</excludes>
|
||||
<rulesets>
|
||||
<ruleset>../src/main/config/dcrules.xml</ruleset>
|
||||
<ruleset>/rulesets/java/basic.xml</ruleset>
|
||||
<ruleset>/rulesets/java/imports.xml</ruleset>
|
||||
<ruleset>/rulesets/java/unusedcode.xml</ruleset>
|
||||
</rulesets>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>findbugs-maven-plugin</artifactId>
|
||||
<version>2.5.3</version>
|
||||
</plugin>
|
||||
</plugins>
|
||||
</build>
|
||||
|
||||
</reporting>
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>org.owasp</groupId>
|
||||
@@ -287,27 +264,27 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
|
||||
<dependency>
|
||||
<groupId>org.apache.maven</groupId>
|
||||
<artifactId>maven-plugin-api</artifactId>
|
||||
<version>3.0</version>
|
||||
<version>3.2.5</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.apache.maven</groupId>
|
||||
<artifactId>maven-settings</artifactId>
|
||||
<version>3.0</version>
|
||||
<version>3.2.5</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.apache.maven</groupId>
|
||||
<artifactId>maven-core</artifactId>
|
||||
<version>3.0</version>
|
||||
<version>3.2.5</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-site-plugin</artifactId>
|
||||
<version>3.0</version>
|
||||
<version>3.4</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.apache.maven.plugin-tools</groupId>
|
||||
<artifactId>maven-plugin-annotations</artifactId>
|
||||
<version>3.0</version>
|
||||
<version>3.4</version>
|
||||
<scope>compile</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
@@ -316,16 +293,14 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
|
||||
<version>3.0</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>junit</groupId>
|
||||
<artifactId>junit</artifactId>
|
||||
<version>4.11</version>
|
||||
<groupId>org.jmockit</groupId>
|
||||
<artifactId>jmockit</artifactId>
|
||||
<scope>test</scope>
|
||||
<type>jar</type>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.apache.maven.plugin-testing</groupId>
|
||||
<artifactId>maven-plugin-testing-harness</artifactId>
|
||||
<version>2.1</version>
|
||||
<version>3.3.0</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
|
||||
@@ -0,0 +1,264 @@
|
||||
/*
|
||||
* This file is part of dependency-check-maven.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* Copyright (c) 2013 Jeremy Long. All Rights Reserved.
|
||||
*/
|
||||
package org.owasp.dependencycheck.maven;
|
||||
|
||||
import java.io.File;
|
||||
import java.io.IOException;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collections;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Locale;
|
||||
import java.util.Set;
|
||||
import java.util.logging.Level;
|
||||
import java.util.logging.Logger;
|
||||
import org.apache.maven.plugin.MojoExecutionException;
|
||||
import org.apache.maven.plugin.MojoFailureException;
|
||||
import org.apache.maven.plugins.annotations.LifecyclePhase;
|
||||
import org.apache.maven.plugins.annotations.Mojo;
|
||||
import org.apache.maven.plugins.annotations.ResolutionScope;
|
||||
import org.apache.maven.project.MavenProject;
|
||||
import org.owasp.dependencycheck.analyzer.DependencyBundlingAnalyzer;
|
||||
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
|
||||
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
|
||||
/**
|
||||
* Maven Plugin that checks project dependencies and the dependencies of all child modules to see if they have any known published
|
||||
* vulnerabilities.
|
||||
*
|
||||
* @author Jeremy Long <jeremy.long@owasp.org>
|
||||
*/
|
||||
@Mojo(
|
||||
name = "aggregate",
|
||||
defaultPhase = LifecyclePhase.SITE,
|
||||
aggregator = true,
|
||||
threadSafe = true,
|
||||
requiresDependencyResolution = ResolutionScope.COMPILE_PLUS_RUNTIME,
|
||||
requiresOnline = true
|
||||
)
|
||||
public class AggregateMojo extends BaseDependencyCheckMojo {
|
||||
|
||||
/**
|
||||
* Logger field reference.
|
||||
*/
|
||||
private static final Logger LOGGER = Logger.getLogger(AggregateMojo.class.getName());
|
||||
|
||||
/**
|
||||
* Executes the aggregate dependency-check goal. This runs dependency-check and generates the subsequent reports.
|
||||
*
|
||||
* @throws MojoExecutionException thrown if there is ane exception running the mojo
|
||||
* @throws MojoFailureException thrown if dependency-check is configured to fail the build
|
||||
*/
|
||||
@Override
|
||||
public void runCheck() throws MojoExecutionException, MojoFailureException {
|
||||
final Engine engine = generateDataFile();
|
||||
|
||||
if (getProject() == getReactorProjects().get(getReactorProjects().size() - 1)) {
|
||||
|
||||
//ensure that the .ser file was created for each.
|
||||
for (MavenProject current : getReactorProjects()) {
|
||||
final File dataFile = getDataFile(current);
|
||||
if (dataFile == null) { //dc was never run on this project. write the ser to the target.
|
||||
LOGGER.fine(String.format("Executing dependency-check on %s", current.getName()));
|
||||
generateDataFile(engine, current);
|
||||
}
|
||||
}
|
||||
|
||||
for (MavenProject current : getReactorProjects()) {
|
||||
List<Dependency> dependencies = readDataFile(current);
|
||||
if (dependencies == null) {
|
||||
dependencies = new ArrayList<Dependency>();
|
||||
}
|
||||
final Set<MavenProject> childProjects = getDescendants(current);
|
||||
for (MavenProject reportOn : childProjects) {
|
||||
final List<Dependency> childDeps = readDataFile(reportOn);
|
||||
if (childDeps != null && !childDeps.isEmpty()) {
|
||||
LOGGER.fine(String.format("Adding %d dependencies from %s", childDeps.size(), reportOn.getName()));
|
||||
dependencies.addAll(childDeps);
|
||||
} else {
|
||||
LOGGER.fine(String.format("No dependencies read for %s", reportOn.getName()));
|
||||
}
|
||||
}
|
||||
engine.getDependencies().clear();
|
||||
engine.getDependencies().addAll(dependencies);
|
||||
final DependencyBundlingAnalyzer bundler = new DependencyBundlingAnalyzer();
|
||||
try {
|
||||
LOGGER.fine(String.format("Dependency count pre-bundler: %s", engine.getDependencies().size()));
|
||||
bundler.analyze(null, engine);
|
||||
LOGGER.fine(String.format("Dependency count post-bundler: %s", engine.getDependencies().size()));
|
||||
} catch (AnalysisException ex) {
|
||||
LOGGER.log(Level.WARNING, "An error occured grouping the dependencies; duplicate entries may exist in the report", ex);
|
||||
LOGGER.log(Level.FINE, "Bundling Exception", ex);
|
||||
}
|
||||
|
||||
File outputDir = getCorrectOutputDirectory(current);
|
||||
if (outputDir == null) {
|
||||
//in some regards we shouldn't be writting this, but we are anyway.
|
||||
//we shouldn't write this because nothing is configured to generate this report.
|
||||
outputDir = new File(current.getBuild().getDirectory());
|
||||
}
|
||||
writeReports(engine, current, outputDir);
|
||||
}
|
||||
}
|
||||
engine.cleanup();
|
||||
Settings.cleanup();
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns a set containing all the descendant projects of the given project.
|
||||
*
|
||||
* @param project the project for which all descendants will be returned
|
||||
* @return the set of descendant projects
|
||||
*/
|
||||
protected Set<MavenProject> getDescendants(MavenProject project) {
|
||||
if (project == null) {
|
||||
return Collections.emptySet();
|
||||
}
|
||||
final Set<MavenProject> descendants = new HashSet<MavenProject>();
|
||||
int size = 0;
|
||||
LOGGER.fine(String.format("Collecting descendants of %s", project.getName()));
|
||||
for (String m : project.getModules()) {
|
||||
for (MavenProject mod : getReactorProjects()) {
|
||||
try {
|
||||
File mpp = new File(project.getBasedir(), m);
|
||||
mpp = mpp.getCanonicalFile();
|
||||
if (mpp.compareTo(mod.getBasedir()) == 0) {
|
||||
if (descendants.add(mod)) {
|
||||
LOGGER.fine(String.format("Decendent module %s added", mod.getName()));
|
||||
}
|
||||
}
|
||||
} catch (IOException ex) {
|
||||
LOGGER.log(Level.FINE, "Unable to determine module path", ex);
|
||||
}
|
||||
}
|
||||
}
|
||||
do {
|
||||
size = descendants.size();
|
||||
for (MavenProject p : getReactorProjects()) {
|
||||
if (project.equals(p.getParent()) || descendants.contains(p.getParent())) {
|
||||
if (descendants.add(p)) {
|
||||
LOGGER.fine(String.format("Decendent %s added", p.getName()));
|
||||
}
|
||||
for (MavenProject modTest : getReactorProjects()) {
|
||||
if (p.getModules() != null && p.getModules().contains(modTest.getName())) {
|
||||
if (descendants.add(modTest)) {
|
||||
LOGGER.fine(String.format("Decendent %s added", modTest.getName()));
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
for (MavenProject dec : descendants) {
|
||||
for (String mod : dec.getModules()) {
|
||||
try {
|
||||
File mpp = new File(dec.getBasedir(), mod);
|
||||
mpp = mpp.getCanonicalFile();
|
||||
if (mpp.compareTo(p.getBasedir()) == 0) {
|
||||
if (descendants.add(p)) {
|
||||
LOGGER.fine(String.format("Decendent module %s added", p.getName()));
|
||||
}
|
||||
}
|
||||
} catch (IOException ex) {
|
||||
LOGGER.log(Level.FINE, "Unable to determine module path", ex);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
} while (size != 0 && size != descendants.size());
|
||||
LOGGER.fine(String.format("%s has %d children", project, descendants.size()));
|
||||
return descendants;
|
||||
}
|
||||
|
||||
/**
|
||||
* Test if the project has pom packaging
|
||||
*
|
||||
* @param mavenProject Project to test
|
||||
* @return <code>true</code> if it has a pom packaging; otherwise <code>false</code>
|
||||
*/
|
||||
protected boolean isMultiModule(MavenProject mavenProject) {
|
||||
return "pom".equals(mavenProject.getPackaging());
|
||||
}
|
||||
|
||||
/**
|
||||
* Initilizes the engine, runs a scan, and writes the serialized dependencies to disk.
|
||||
*
|
||||
* @return the Engine used to execute dependency-check
|
||||
* @throws MojoExecutionException thrown if there is an exception running the mojo
|
||||
* @throws MojoFailureException thrown if dependency-check is configured to fail the build if severe CVEs are identified.
|
||||
*/
|
||||
protected Engine generateDataFile() throws MojoExecutionException, MojoFailureException {
|
||||
final Engine engine;
|
||||
try {
|
||||
engine = initializeEngine();
|
||||
} catch (DatabaseException ex) {
|
||||
LOGGER.log(Level.FINE, "Database connection error", ex);
|
||||
throw new MojoExecutionException("An exception occured connecting to the local database. Please see the log file for more details.", ex);
|
||||
}
|
||||
return generateDataFile(engine, getProject());
|
||||
}
|
||||
|
||||
/**
|
||||
* Runs dependency-check's Engine and writes the serialized dependencies to disk.
|
||||
*
|
||||
* @param engine the Engine to use when scanning.
|
||||
* @param project the project to scan and generate the data file for
|
||||
* @return the Engine used to execute dependency-check
|
||||
* @throws MojoExecutionException thrown if there is an exception running the mojo
|
||||
* @throws MojoFailureException thrown if dependency-check is configured to fail the build if severe CVEs are identified.
|
||||
*/
|
||||
protected Engine generateDataFile(Engine engine, MavenProject project) throws MojoExecutionException, MojoFailureException {
|
||||
LOGGER.fine(String.format("Begin Scanning: %s", project.getName()));
|
||||
engine.getDependencies().clear();
|
||||
engine.resetFileTypeAnalyzers();
|
||||
scanArtifacts(project, engine);
|
||||
engine.analyzeDependencies();
|
||||
final File target = new File(project.getBuild().getDirectory());
|
||||
writeDataFile(project, target, engine.getDependencies());
|
||||
showSummary(project, engine.getDependencies());
|
||||
checkForFailure(engine.getDependencies());
|
||||
return engine;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean canGenerateReport() {
|
||||
return true; //aggregate always returns true for now - we can look at a more complicated/acurate solution later
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the report name.
|
||||
*
|
||||
* @param locale the location
|
||||
* @return the report name
|
||||
*/
|
||||
public String getName(Locale locale) {
|
||||
return "dependency-check:aggregate";
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the description of the Dependency-Check report to be displayed in the Maven Generated Reports page.
|
||||
*
|
||||
* @param locale The Locale to get the description for
|
||||
* @return the description
|
||||
*/
|
||||
public String getDescription(Locale locale) {
|
||||
return "Generates an aggregate report of all child Maven projects providing details on any "
|
||||
+ "published vulnerabilities within project dependencies. This report is a best "
|
||||
+ "effort and may contain false positives and false negatives.";
|
||||
}
|
||||
}
|
||||
File diff suppressed because it is too large
Load Diff
@@ -0,0 +1,118 @@
|
||||
/*
|
||||
* This file is part of dependency-check-maven.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* Copyright (c) 2013 Jeremy Long. All Rights Reserved.
|
||||
*/
|
||||
package org.owasp.dependencycheck.maven;
|
||||
|
||||
import java.util.Locale;
|
||||
import java.util.logging.Level;
|
||||
import java.util.logging.Logger;
|
||||
import org.apache.maven.artifact.Artifact;
|
||||
import org.apache.maven.plugin.MojoExecutionException;
|
||||
import org.apache.maven.plugin.MojoFailureException;
|
||||
import org.apache.maven.plugins.annotations.LifecyclePhase;
|
||||
import org.apache.maven.plugins.annotations.Mojo;
|
||||
import org.apache.maven.plugins.annotations.ResolutionScope;
|
||||
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
|
||||
/**
|
||||
* Maven Plugin that checks the project dependencies to see if they have any known published vulnerabilities.
|
||||
*
|
||||
* @author Jeremy Long <jeremy.long@owasp.org>
|
||||
*/
|
||||
@Mojo(
|
||||
name = "check",
|
||||
defaultPhase = LifecyclePhase.COMPILE,
|
||||
threadSafe = true,
|
||||
requiresDependencyResolution = ResolutionScope.COMPILE_PLUS_RUNTIME,
|
||||
requiresOnline = true
|
||||
)
|
||||
public class CheckMojo extends BaseDependencyCheckMojo {
|
||||
|
||||
/**
|
||||
* Logger field reference.
|
||||
*/
|
||||
private static final Logger LOGGER = Logger.getLogger(CheckMojo.class.getName());
|
||||
|
||||
/**
|
||||
* Returns whether or not a the report can be generated.
|
||||
*
|
||||
* @return <code>true</code> if the report can be generated; otherwise <code>false</code>
|
||||
*/
|
||||
@Override
|
||||
public boolean canGenerateReport() {
|
||||
boolean isCapable = false;
|
||||
for (Artifact a : getProject().getArtifacts()) {
|
||||
if (!excludeFromScan(a)) {
|
||||
isCapable = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
return isCapable;
|
||||
}
|
||||
|
||||
/**
|
||||
* Executes the dependency-check engine on the project's dependencies and generates the report.
|
||||
*
|
||||
* @throws MojoExecutionException thrown if there is an exception executing the goal
|
||||
* @throws MojoFailureException thrown if dependency-check is configured to fail the build
|
||||
*/
|
||||
@Override
|
||||
public void runCheck() throws MojoExecutionException, MojoFailureException {
|
||||
final Engine engine;
|
||||
try {
|
||||
engine = initializeEngine();
|
||||
} catch (DatabaseException ex) {
|
||||
LOGGER.log(Level.FINE, "Database connection error", ex);
|
||||
throw new MojoExecutionException("An exception occured connecting to the local database. Please see the log file for more details.", ex);
|
||||
}
|
||||
scanArtifacts(getProject(), engine);
|
||||
if (engine.getDependencies().isEmpty()) {
|
||||
LOGGER.info("No dependencies were identified that could be analyzed by dependency-check");
|
||||
} else {
|
||||
engine.analyzeDependencies();
|
||||
writeReports(engine, getProject(), getCorrectOutputDirectory());
|
||||
writeDataFile(getProject(), null, engine.getDependencies());
|
||||
showSummary(getProject(), engine.getDependencies());
|
||||
checkForFailure(engine.getDependencies());
|
||||
}
|
||||
engine.cleanup();
|
||||
Settings.cleanup();
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the report name.
|
||||
*
|
||||
* @param locale the location
|
||||
* @return the report name
|
||||
*/
|
||||
public String getName(Locale locale) {
|
||||
return "dependency-check";
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the description of the Dependency-Check report to be displayed in the Maven Generated Reports page.
|
||||
*
|
||||
* @param locale The Locale to get the description for
|
||||
* @return the description
|
||||
*/
|
||||
public String getDescription(Locale locale) {
|
||||
return "Generates a report providing details on any published vulnerabilities within project dependencies. "
|
||||
+ "This report is a best effort and may contain false positives and false negatives.";
|
||||
}
|
||||
|
||||
}
|
||||
@@ -0,0 +1,222 @@
|
||||
/*
|
||||
* This file is part of dependency-check-maven.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
|
||||
*/
|
||||
package org.owasp.dependencycheck.maven;
|
||||
|
||||
import java.util.List;
|
||||
import java.util.logging.Logger;
|
||||
import org.apache.maven.project.MavenProject;
|
||||
import org.owasp.dependencycheck.analyzer.Analyzer;
|
||||
import org.owasp.dependencycheck.analyzer.CPEAnalyzer;
|
||||
import org.owasp.dependencycheck.analyzer.FileTypeAnalyzer;
|
||||
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
|
||||
/**
|
||||
* A modified version of the core engine specifically designed to persist some
|
||||
* data between multiple executions of a multi-module Maven project.
|
||||
*
|
||||
* @author Jeremy Long <jeremy.long@owasp.org>
|
||||
*/
|
||||
public class Engine extends org.owasp.dependencycheck.Engine {
|
||||
|
||||
/**
|
||||
* The logger.
|
||||
*/
|
||||
private static final transient Logger LOGGER = Logger.getLogger(Engine.class.getName());
|
||||
/**
|
||||
* A key used to persist an object in the MavenProject.
|
||||
*/
|
||||
private static final String CPE_ANALYZER_KEY = "dependency-check-CPEAnalyzer";
|
||||
/**
|
||||
* The current MavenProject.
|
||||
*/
|
||||
private MavenProject currentProject;
|
||||
/**
|
||||
* The list of MavenProjects that are part of the current build.
|
||||
*/
|
||||
private List<MavenProject> reactorProjects;
|
||||
/**
|
||||
* Key used in the MavenProject context values to note whether or not an
|
||||
* update has been executed.
|
||||
*/
|
||||
public static final String UPDATE_EXECUTED_FLAG = "dependency-check-update-executed";
|
||||
|
||||
/**
|
||||
* Creates a new Engine to perform anyalsis on dependencies.
|
||||
*
|
||||
* @param project the current Maven project
|
||||
* @param reactorProjects the reactor projects for the current Maven
|
||||
* execution
|
||||
* @throws DatabaseException thrown if there is an issue connecting to the
|
||||
* database
|
||||
*/
|
||||
public Engine(MavenProject project, List<MavenProject> reactorProjects) throws DatabaseException {
|
||||
this.currentProject = project;
|
||||
this.reactorProjects = reactorProjects;
|
||||
initializeEngine();
|
||||
}
|
||||
|
||||
/**
|
||||
* Runs the analyzers against all of the dependencies.
|
||||
*/
|
||||
@Override
|
||||
public void analyzeDependencies() {
|
||||
final MavenProject root = getExecutionRoot();
|
||||
if (root != null) {
|
||||
LOGGER.fine(String.format("Checking root project, %s, if updates have already been completed", root.getArtifactId()));
|
||||
} else {
|
||||
LOGGER.fine("Checking root project, null, if updates have already been completed");
|
||||
}
|
||||
if (root != null && root.getContextValue(UPDATE_EXECUTED_FLAG) != null) {
|
||||
System.setProperty(Settings.KEYS.AUTO_UPDATE, Boolean.FALSE.toString());
|
||||
}
|
||||
super.analyzeDependencies();
|
||||
if (root != null) {
|
||||
root.setContextValue(UPDATE_EXECUTED_FLAG, Boolean.TRUE);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* This constructor should not be called. Use Engine(MavenProject) instead.
|
||||
*
|
||||
* @throws DatabaseException thrown if there is an issue connecting to the
|
||||
* database
|
||||
*/
|
||||
private Engine() throws DatabaseException {
|
||||
}
|
||||
|
||||
/**
|
||||
* Initializes the given analyzer. This skips the initialization of the
|
||||
* CPEAnalyzer if it has been initialized by a previous execution.
|
||||
*
|
||||
* @param analyzer the analyzer to initialize
|
||||
* @return the initialized analyzer
|
||||
*/
|
||||
@Override
|
||||
protected Analyzer initializeAnalyzer(Analyzer analyzer) {
|
||||
if ((analyzer instanceof CPEAnalyzer)) {
|
||||
CPEAnalyzer cpe = getPreviouslyLoadedCPEAnalyzer();
|
||||
if (cpe != null) {
|
||||
return cpe;
|
||||
}
|
||||
cpe = (CPEAnalyzer) super.initializeAnalyzer(analyzer);
|
||||
storeCPEAnalyzer(cpe);
|
||||
}
|
||||
return super.initializeAnalyzer(analyzer);
|
||||
}
|
||||
|
||||
/**
|
||||
* Releases resources used by the analyzers by calling close() on each
|
||||
* analyzer.
|
||||
*/
|
||||
@Override
|
||||
public void cleanup() {
|
||||
super.cleanup();
|
||||
if (currentProject == null || reactorProjects == null) {
|
||||
return;
|
||||
}
|
||||
if (this.currentProject == reactorProjects.get(reactorProjects.size() - 1)) {
|
||||
final CPEAnalyzer cpe = getPreviouslyLoadedCPEAnalyzer();
|
||||
if (cpe != null) {
|
||||
cpe.close();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Closes the given analyzer. This skips closing the CPEAnalyzer.
|
||||
*
|
||||
* @param analyzer the analyzer to close
|
||||
*/
|
||||
@Override
|
||||
protected void closeAnalyzer(Analyzer analyzer) {
|
||||
if ((analyzer instanceof CPEAnalyzer)) {
|
||||
if (getPreviouslyLoadedCPEAnalyzer() == null) {
|
||||
super.closeAnalyzer(analyzer);
|
||||
}
|
||||
} else {
|
||||
super.closeAnalyzer(analyzer);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the CPEAnalyzer from the root Maven Project.
|
||||
*
|
||||
* @return an initialized CPEAnalyzer
|
||||
*/
|
||||
private CPEAnalyzer getPreviouslyLoadedCPEAnalyzer() {
|
||||
CPEAnalyzer cpe = null;
|
||||
final MavenProject project = getExecutionRoot();
|
||||
if (project != null) {
|
||||
final Object obj = project.getContextValue(CPE_ANALYZER_KEY);
|
||||
if (obj != null && obj instanceof CPEAnalyzer) {
|
||||
cpe = (CPEAnalyzer) project.getContextValue(CPE_ANALYZER_KEY);
|
||||
}
|
||||
}
|
||||
return cpe;
|
||||
}
|
||||
|
||||
/**
|
||||
* Stores a CPEAnalyzer in the root Maven Project.
|
||||
*
|
||||
* @param cpe the CPEAnalyzer to store
|
||||
*/
|
||||
private void storeCPEAnalyzer(CPEAnalyzer cpe) {
|
||||
final MavenProject p = getExecutionRoot();
|
||||
if (p != null) {
|
||||
p.setContextValue(CPE_ANALYZER_KEY, cpe);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the root Maven Project.
|
||||
*
|
||||
* @return the root Maven Project
|
||||
*/
|
||||
private MavenProject getExecutionRoot() {
|
||||
if (reactorProjects == null) {
|
||||
return null;
|
||||
}
|
||||
for (MavenProject p : reactorProjects) {
|
||||
if (p.isExecutionRoot()) {
|
||||
return p;
|
||||
}
|
||||
}
|
||||
//the following should never run, but leaving it as a failsafe.
|
||||
if (this.currentProject == null) {
|
||||
return null;
|
||||
}
|
||||
MavenProject p = this.currentProject;
|
||||
while (p.getParent() != null) {
|
||||
p = p.getParent();
|
||||
}
|
||||
return p;
|
||||
}
|
||||
|
||||
/**
|
||||
* Resets the file type analyzers so that they can be re-used to scan
|
||||
* additional directories. Without the reset the analyzer might be disabled
|
||||
* because the first scan/analyze did not identify any files that could be
|
||||
* processed by the analyzer.
|
||||
*/
|
||||
public void resetFileTypeAnalyzers() {
|
||||
for (FileTypeAnalyzer a : getFileTypeAnalyzers()) {
|
||||
a.reset();
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,462 +0,0 @@
|
||||
/*
|
||||
* This file is part of dependency-check-maven.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
|
||||
*/
|
||||
package org.owasp.dependencycheck.maven;
|
||||
|
||||
import java.io.File;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collections;
|
||||
import java.util.HashMap;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Locale;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
import java.util.logging.Logger;
|
||||
import org.apache.maven.doxia.sink.Sink;
|
||||
import org.apache.maven.plugin.AbstractMojo;
|
||||
import org.apache.maven.plugin.MojoExecutionException;
|
||||
import org.apache.maven.plugin.MojoFailureException;
|
||||
import org.apache.maven.plugins.annotations.Component;
|
||||
import org.apache.maven.plugins.annotations.Parameter;
|
||||
import org.apache.maven.project.MavenProject;
|
||||
import org.apache.maven.reporting.MavenReport;
|
||||
import org.apache.maven.reporting.MavenReportException;
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* This is an abstract reporting mojo that enables report aggregation. Some of the code in the this class was copied
|
||||
* from the CoberturaReportMojo (http://mojo.codehaus.org/cobertura-maven-plugin/, version 2.6). The authors of the
|
||||
* CoberturaReportMojo were <a href="will.gwaltney@sas.com">Will Gwaltney</a> and
|
||||
* <a href="mailto:joakim@erdfelt.com">Joakim Erdfelt</a>. There working example of how to do report aggregation was
|
||||
* invaluable.</p>
|
||||
* <p>
|
||||
* An important point about using this abstract class is that it is intended for one to write some form of serialized
|
||||
* data (via the {@link org.owasp.dependencycheck.maven.ReportAggregationMojo#writeDataFile() }; note that the
|
||||
* <code>writeDataFile()</code> function is called automatically after either {@link org.owasp.dependencycheck.maven.ReportAggregationMojo#executeNonAggregateReport(org.apache.maven.doxia.sink.Sink,
|
||||
* org.apache.maven.doxia.sink.SinkFactory, java.util.Locale)
|
||||
* } or {@link org.owasp.dependencycheck.maven.ReportAggregationMojo#executeAggregateReport(org.apache.maven.doxia.sink.Sink,
|
||||
* org.apache.maven.doxia.sink.SinkFactory, java.util.Locale)
|
||||
* } are called. When <code>executeAggregateReport()</code> is implemented, one can call {@link org.owasp.dependencycheck.maven.ReportAggregationMojo#getChildDataFiles()
|
||||
* } to obtain a list of the data files to aggregate.</p>
|
||||
*
|
||||
*
|
||||
* @author Jeremy Long <jeremy.long@owasp.org>
|
||||
*/
|
||||
public abstract class ReportAggregationMojo extends AbstractMojo implements MavenReport {
|
||||
|
||||
/**
|
||||
* The Maven Project Object.
|
||||
*/
|
||||
@Component
|
||||
private MavenProject project;
|
||||
|
||||
/**
|
||||
* Logger field reference.
|
||||
*/
|
||||
private static final Logger LOGGER = Logger.getLogger(ReportAggregationMojo.class.getName());
|
||||
|
||||
/**
|
||||
* List of Maven project of the current build
|
||||
*/
|
||||
@Parameter(readonly = true, required = true, property = "reactorProjects")
|
||||
private List<MavenProject> reactorProjects;
|
||||
|
||||
/**
|
||||
* Generate aggregate reports in multi-module projects.
|
||||
*/
|
||||
@Parameter(property = "aggregate", defaultValue = "false")
|
||||
private boolean aggregate;
|
||||
|
||||
/**
|
||||
* Sets whether or not the external report format should be used.
|
||||
*/
|
||||
@Parameter(property = "metaFileName", defaultValue = "dependency-check.ser", required = true)
|
||||
private String dataFileName;
|
||||
/**
|
||||
* Specifies the destination directory for the generated Dependency-Check report. This generally maps to
|
||||
* "target/site".
|
||||
*/
|
||||
@Parameter(property = "reportOutputDirectory", defaultValue = "${project.reporting.outputDirectory}", required = true)
|
||||
private File reportOutputDirectory;
|
||||
|
||||
/**
|
||||
* Sets the Reporting output directory.
|
||||
*
|
||||
* @param directory the output directory
|
||||
*/
|
||||
@Override
|
||||
public void setReportOutputDirectory(File directory) {
|
||||
reportOutputDirectory = directory;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the output directory.
|
||||
*
|
||||
* @return the output directory
|
||||
*/
|
||||
@Override
|
||||
public File getReportOutputDirectory() {
|
||||
return reportOutputDirectory;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the output directory for the given project.
|
||||
*
|
||||
* @param project the Maven project to get the output directory for
|
||||
* @return the output directory for the given project
|
||||
*/
|
||||
public File getReportOutputDirectory(MavenProject project) {
|
||||
final Object o = project.getContextValue(getOutputDirectoryContextKey());
|
||||
if (o != null && o instanceof File) {
|
||||
return (File) o;
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns whether this is an external report. This method always returns true.
|
||||
*
|
||||
* @return <code>true</code>
|
||||
*/
|
||||
@Override
|
||||
public final boolean isExternalReport() {
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* The collection of child projects.
|
||||
*/
|
||||
private final Map<MavenProject, Set<MavenProject>> projectChildren = new HashMap<MavenProject, Set<MavenProject>>();
|
||||
|
||||
/**
|
||||
* Called before execute; allows for any setup that is needed. If this is overridden you must call
|
||||
* </code>super.preExecute()</code>.
|
||||
*
|
||||
* @throws MojoExecutionException thrown if there is an issue executing the mojo
|
||||
* @throws MojoFailureException thrown if there is an issue executing the mojo
|
||||
*/
|
||||
protected void preExecute() throws MojoExecutionException, MojoFailureException {
|
||||
buildAggregateInfo();
|
||||
}
|
||||
|
||||
/**
|
||||
* Called when the mojo is being executed.
|
||||
*
|
||||
* @throws MojoExecutionException thrown if there is an issue executing the mojo
|
||||
* @throws MojoFailureException thrown if there is an issue executing the mojo
|
||||
*/
|
||||
protected abstract void performExecute() throws MojoExecutionException, MojoFailureException;
|
||||
|
||||
/**
|
||||
* Runs after the mojo has executed. This implementation will call <code>writeDataFile()</code>. As such, it is
|
||||
* important that if this method is overriden that <code>super.postExecute()</code> is called.
|
||||
*
|
||||
* @throws MojoExecutionException thrown if there is an issue executing the mojo
|
||||
* @throws MojoFailureException thrown if there is an issue executing the mojo
|
||||
*/
|
||||
protected void postExecute() throws MojoExecutionException, MojoFailureException {
|
||||
final File written = writeDataFile();
|
||||
if (written != null) {
|
||||
project.setContextValue(getDataFileContextKey(), written.getAbsolutePath());
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the key used to store the path to the data file that is saved by <code>writeDataFile()</code>. This key
|
||||
* is used in the <code>MavenProject.(set|get)ContextValue</code>.
|
||||
*
|
||||
* @return the key used to store the path to the data file
|
||||
*/
|
||||
protected String getDataFileContextKey() {
|
||||
return "dependency-check-path-" + this.getDataFileName();
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the key used to store the path to the output directory. When generating the report in the
|
||||
* <code>executeAggregateReport()</code> the output directory should be obtained by using this key.
|
||||
*
|
||||
* @return the key used to store the path to the output directory
|
||||
*/
|
||||
protected String getOutputDirectoryContextKey() {
|
||||
return "dependency-output-dir-" + this.getDataFileName();
|
||||
}
|
||||
|
||||
/**
|
||||
* Is called by Maven to execute the mojo.
|
||||
*
|
||||
* @throws MojoExecutionException thrown if there is an issue executing the mojo
|
||||
* @throws MojoFailureException thrown if there is an issue executing the mojo
|
||||
*/
|
||||
public final void execute() throws MojoExecutionException, MojoFailureException {
|
||||
try {
|
||||
preExecute();
|
||||
performExecute();
|
||||
} finally {
|
||||
postExecute();
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Runs prior to the site report generation.
|
||||
*
|
||||
* @throws MavenReportException if a maven report exception occurs
|
||||
*/
|
||||
protected void preGenerate() throws MavenReportException {
|
||||
buildAggregateInfo();
|
||||
|
||||
project.setContextValue(getOutputDirectoryContextKey(), getReportOutputDirectory());
|
||||
}
|
||||
|
||||
/**
|
||||
* Executes after the site report has been generated.
|
||||
*
|
||||
* @throws MavenReportException if a maven report exception occurs
|
||||
*/
|
||||
protected void postGenerate() throws MavenReportException {
|
||||
final File written = writeDataFile();
|
||||
if (written != null) {
|
||||
project.setContextValue(getDataFileContextKey(), written.getAbsolutePath());
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Generates the non aggregate report.
|
||||
*
|
||||
* @param locale the locale to use when generating the report
|
||||
* @throws MavenReportException if a maven report exception occurs
|
||||
*/
|
||||
protected abstract void executeNonAggregateReport(Locale locale) throws MavenReportException;
|
||||
|
||||
/**
|
||||
* Generates the aggregate Site Report.
|
||||
*
|
||||
* @param project the maven project used to generate the aggregate report
|
||||
* @param locale the locale to use when generating the report
|
||||
* @throws MavenReportException if a maven report exception occurs
|
||||
*/
|
||||
protected abstract void executeAggregateReport(MavenProject project, Locale locale) throws MavenReportException;
|
||||
|
||||
/**
|
||||
* Generates the Dependency-Check Site Report.
|
||||
*
|
||||
* @param sink the sink to write the report to
|
||||
* @param locale the locale to use when generating the report
|
||||
* @throws MavenReportException if a maven report exception occurs
|
||||
* @deprecated use {@link #generate(org.apache.maven.doxia.sink.Sink, java.util.Locale) instead.
|
||||
*/
|
||||
@Deprecated
|
||||
public final void generate(@SuppressWarnings("deprecation") org.codehaus.doxia.sink.Sink sink, Locale locale) throws MavenReportException {
|
||||
generate((Sink) sink, locale);
|
||||
}
|
||||
|
||||
/**
|
||||
* Generates the Dependency-Check Site Report.
|
||||
*
|
||||
* @param sink the sink to write the report to
|
||||
* @param locale the locale to use when generating the report
|
||||
* @throws MavenReportException if a maven report exception occurs
|
||||
*/
|
||||
public final void generate(Sink sink, Locale locale) throws MavenReportException {
|
||||
try {
|
||||
preGenerate();
|
||||
if (canGenerateNonAggregateReport()) {
|
||||
executeNonAggregateReport(locale);
|
||||
}
|
||||
|
||||
if (canGenerateAggregateReport()) {
|
||||
for (MavenProject proj : reactorProjects) {
|
||||
if (!isMultiModule(proj)) {
|
||||
continue;
|
||||
}
|
||||
executeAggregateReport(proj, locale);
|
||||
}
|
||||
}
|
||||
} finally {
|
||||
postGenerate();
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns whether or not the mojo can generate a non-aggregate report for this project.
|
||||
*
|
||||
* @return <code>true</code> if a non-aggregate report can be generated, otherwise <code>false</code>
|
||||
*/
|
||||
protected abstract boolean canGenerateNonAggregateReport();
|
||||
|
||||
/**
|
||||
* Returns whether or not we can generate any aggregate reports at this time.
|
||||
*
|
||||
* @return <code>true</code> if an aggregate report can be generated, otherwise <code>false</code>
|
||||
*/
|
||||
protected abstract boolean canGenerateAggregateReport();
|
||||
|
||||
/**
|
||||
* Returns the name of the data file that contains the serialized data.
|
||||
*
|
||||
* @return the name of the data file that contains the serialized data
|
||||
*/
|
||||
protected String getDataFileName() {
|
||||
return dataFileName;
|
||||
}
|
||||
|
||||
/**
|
||||
* Writes the data file to disk in the target directory.
|
||||
*
|
||||
* @return the File object referencing the data file that was written
|
||||
*/
|
||||
protected abstract File writeDataFile();
|
||||
|
||||
/**
|
||||
* Collects the information needed for building aggregate reports.
|
||||
*/
|
||||
private void buildAggregateInfo() {
|
||||
// build parent-child map
|
||||
for (MavenProject proj : reactorProjects) {
|
||||
Set<MavenProject> depList = projectChildren.get(proj.getParent());
|
||||
if (depList == null) {
|
||||
depList = new HashSet<MavenProject>();
|
||||
projectChildren.put(proj.getParent(), depList);
|
||||
}
|
||||
depList.add(proj);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns a list containing all the recursive, non-pom children of the given project, never <code>null</code>.
|
||||
*
|
||||
* @return a list of child projects
|
||||
*/
|
||||
protected List<MavenProject> getAllChildren() {
|
||||
return getAllChildren(project);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns a list containing all the recursive, non-pom children of the given project, never <code>null</code>.
|
||||
*
|
||||
* @param parentProject the parent project to collect the child project references
|
||||
* @return a list of child projects
|
||||
*/
|
||||
protected List<MavenProject> getAllChildren(MavenProject parentProject) {
|
||||
final Set<MavenProject> children = projectChildren.get(parentProject);
|
||||
if (children == null) {
|
||||
return Collections.emptyList();
|
||||
}
|
||||
|
||||
final List<MavenProject> result = new ArrayList<MavenProject>();
|
||||
for (MavenProject child : children) {
|
||||
if (isMultiModule(child)) {
|
||||
result.addAll(getAllChildren(child));
|
||||
} else {
|
||||
result.add(child);
|
||||
}
|
||||
}
|
||||
return result;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns a list of data files that were produced by the direct children of the given MavenProject.
|
||||
*
|
||||
* @param project the Maven project to obtain the child data files from
|
||||
* @return a list of the data files
|
||||
*/
|
||||
protected List<File> getAllChildDataFiles(MavenProject project) {
|
||||
final List<MavenProject> children = getAllChildren(project);
|
||||
return getDataFiles(children);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns any existing output files from the given list of projects.
|
||||
*
|
||||
* @param projects the list of projects to obtain the output files from
|
||||
* @return a list of output files
|
||||
*/
|
||||
protected List<File> getDataFiles(List<MavenProject> projects) {
|
||||
final List<File> files = new ArrayList<File>();
|
||||
for (MavenProject proj : projects) {
|
||||
final Object path = project.getContextValue(getDataFileContextKey());
|
||||
if (path == null) {
|
||||
final String msg = String.format("Unable to aggregate data for '%s' - aggregate data file was not generated",
|
||||
proj.getName());
|
||||
LOGGER.warning(msg);
|
||||
} else {
|
||||
final File outputFile = new File((String) path);
|
||||
if (outputFile.exists()) {
|
||||
files.add(outputFile);
|
||||
} else {
|
||||
if (!isMultiModule(project)) {
|
||||
final String msg = String.format("Unable to aggregate data for '%s' - missing data file '%s'",
|
||||
proj.getName(), outputFile.getPath());
|
||||
LOGGER.warning(msg);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return files;
|
||||
}
|
||||
|
||||
/**
|
||||
* Test if the project has pom packaging
|
||||
*
|
||||
* @param mavenProject Project to test
|
||||
* @return <code>true</code> if it has a pom packaging; otherwise <code>false</code>
|
||||
*/
|
||||
protected boolean isMultiModule(MavenProject mavenProject) {
|
||||
return "pom".equals(mavenProject.getPackaging());
|
||||
}
|
||||
|
||||
/**
|
||||
* Test if the current project has pom packaging
|
||||
*
|
||||
* @return <code>true</code> if it has a pom packaging; otherwise <code>false</code>
|
||||
*/
|
||||
protected boolean isMultiModule() {
|
||||
return isMultiModule(project);
|
||||
}
|
||||
|
||||
/**
|
||||
* Check whether the current project is the last project in a multi-module build. If the maven build is not a
|
||||
* multi-module project then this will always return true.
|
||||
*
|
||||
* @return <code>true</code> if the current project is the last project in a multi-module build; otherwise
|
||||
* <code>false</code>
|
||||
*/
|
||||
protected boolean isLastProject() {
|
||||
return project.equals(reactorProjects.get(reactorProjects.size() - 1));
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns whether or not the mojo is configured to perform report aggregation.
|
||||
*
|
||||
* @return <code>true</code> if report aggregation is enabled; otherwise <code>false</code>
|
||||
*/
|
||||
public boolean isAggregate() {
|
||||
return aggregate;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns a reference to the current project. This method is used instead of auto-binding the project via component
|
||||
* annotation in concrete implementations of this. If the child has a <code>@Component MavenProject project;</code>
|
||||
* defined then the abstract class (i.e. this class) will not have access to the current project (just the way Maven
|
||||
* works with the binding).
|
||||
*
|
||||
* @return returns a reference to the current project
|
||||
*/
|
||||
protected MavenProject getProject() {
|
||||
return project;
|
||||
}
|
||||
}
|
||||
@@ -1,456 +0,0 @@
|
||||
/*
|
||||
* This file is part of dependency-check-maven.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
|
||||
*/
|
||||
package org.owasp.dependencycheck.maven;
|
||||
|
||||
import java.io.File;
|
||||
import java.io.IOException;
|
||||
import java.io.UnsupportedEncodingException;
|
||||
import java.net.URLEncoder;
|
||||
import java.text.DateFormat;
|
||||
import java.util.Date;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
import java.util.logging.Level;
|
||||
import java.util.logging.Logger;
|
||||
import org.apache.maven.doxia.sink.Sink;
|
||||
import org.owasp.dependencycheck.Engine;
|
||||
import org.owasp.dependencycheck.data.nvdcve.CveDB;
|
||||
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
|
||||
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.Evidence;
|
||||
import org.owasp.dependencycheck.dependency.Identifier;
|
||||
import org.owasp.dependencycheck.dependency.Reference;
|
||||
import org.owasp.dependencycheck.dependency.Vulnerability;
|
||||
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
|
||||
import org.owasp.dependencycheck.reporting.ReportGenerator;
|
||||
|
||||
/**
|
||||
* A utility class that encapsulates the report generation for dependency-check-maven.
|
||||
*
|
||||
* @author Jeremy Long <jeremy.long@owasp.org>
|
||||
*/
|
||||
final class ReportingUtil {
|
||||
|
||||
/**
|
||||
* Logger field reference.
|
||||
*/
|
||||
private static final Logger LOGGER = Logger.getLogger(ReportingUtil.class.getName());
|
||||
|
||||
/**
|
||||
* Empty private constructor for this utility class.
|
||||
*/
|
||||
private ReportingUtil() {
|
||||
}
|
||||
|
||||
/**
|
||||
* Generates the reports for a given dependency-check engine.
|
||||
*
|
||||
* @param engine a dependency-check engine
|
||||
* @param outDirectory the directory to write the reports to
|
||||
* @param projectName the name of the project that a report is being generated for
|
||||
* @param format the format of the report to generate
|
||||
*/
|
||||
static void generateExternalReports(Engine engine, File outDirectory, String projectName, String format) {
|
||||
DatabaseProperties prop = null;
|
||||
CveDB cve = null;
|
||||
try {
|
||||
cve = new CveDB();
|
||||
cve.open();
|
||||
prop = cve.getDatabaseProperties();
|
||||
} catch (DatabaseException ex) {
|
||||
LOGGER.log(Level.FINE, "Unable to retrieve DB Properties", ex);
|
||||
} finally {
|
||||
if (cve != null) {
|
||||
cve.close();
|
||||
}
|
||||
}
|
||||
final ReportGenerator r = new ReportGenerator(projectName, engine.getDependencies(), engine.getAnalyzers(), prop);
|
||||
try {
|
||||
r.generateReports(outDirectory.getCanonicalPath(), format);
|
||||
} catch (IOException ex) {
|
||||
LOGGER.log(Level.SEVERE,
|
||||
"Unexpected exception occurred during analysis; please see the verbose error log for more details.");
|
||||
LOGGER.log(Level.FINE, null, ex);
|
||||
} catch (Throwable ex) {
|
||||
LOGGER.log(Level.SEVERE,
|
||||
"Unexpected exception occurred during analysis; please see the verbose error log for more details.");
|
||||
LOGGER.log(Level.FINE, null, ex);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Generates a dependency-check report using the Maven Site format.
|
||||
*
|
||||
* @param engine the engine used to scan the dependencies
|
||||
* @param sink the sink to write the data to
|
||||
* @param projectName the name of the project
|
||||
*/
|
||||
static void generateMavenSiteReport(final Engine engine, Sink sink, String projectName) {
|
||||
final List<Dependency> dependencies = engine.getDependencies();
|
||||
|
||||
writeSiteReportHeader(sink, projectName);
|
||||
writeSiteReportTOC(sink, dependencies);
|
||||
|
||||
int cnt = 0;
|
||||
for (Dependency d : dependencies) {
|
||||
writeSiteReportDependencyHeader(sink, d);
|
||||
cnt = writeSiteReportDependencyEvidenceUsed(d, cnt, sink);
|
||||
cnt = writeSiteReportDependencyRelatedDependencies(d, cnt, sink);
|
||||
writeSiteReportDependencyIdentifiers(d, sink);
|
||||
writeSiteReportDependencyVulnerabilities(d, sink, cnt);
|
||||
}
|
||||
sink.body_();
|
||||
}
|
||||
|
||||
// <editor-fold defaultstate="collapsed" desc="various writeXXXXX methods to generate the Site Report">
|
||||
/**
|
||||
* Writes the vulnerabilities to the site report.
|
||||
*
|
||||
* @param d the dependency
|
||||
* @param sink the sink to write the data to
|
||||
* @param collapsibleHeaderCount the collapsible header count
|
||||
*/
|
||||
private static void writeSiteReportDependencyVulnerabilities(Dependency d, Sink sink, int collapsibleHeaderCount) {
|
||||
int cnt = collapsibleHeaderCount;
|
||||
if (d.getVulnerabilities() != null && !d.getVulnerabilities().isEmpty()) {
|
||||
for (Vulnerability v : d.getVulnerabilities()) {
|
||||
|
||||
sink.paragraph();
|
||||
sink.bold();
|
||||
try {
|
||||
sink.link("http://web.nvd.nist.gov/view/vuln/detail?vulnId=" + URLEncoder.encode(v.getName(), "US-ASCII"));
|
||||
sink.text(v.getName());
|
||||
sink.link_();
|
||||
sink.bold_();
|
||||
} catch (UnsupportedEncodingException ex) {
|
||||
sink.text(v.getName());
|
||||
sink.bold_();
|
||||
sink.lineBreak();
|
||||
sink.text("http://web.nvd.nist.gov/view/vuln/detail?vulnId=" + v.getName());
|
||||
}
|
||||
sink.paragraph_();
|
||||
sink.paragraph();
|
||||
sink.text("Severity: ");
|
||||
if (v.getCvssScore() < 4.0) {
|
||||
sink.text("Low");
|
||||
} else {
|
||||
if (v.getCvssScore() >= 7.0) {
|
||||
sink.text("High");
|
||||
} else {
|
||||
sink.text("Medium");
|
||||
}
|
||||
}
|
||||
sink.lineBreak();
|
||||
sink.text("CVSS Score: " + v.getCvssScore());
|
||||
if (v.getCwe() != null && !v.getCwe().isEmpty()) {
|
||||
sink.lineBreak();
|
||||
sink.text("CWE: ");
|
||||
sink.text(v.getCwe());
|
||||
}
|
||||
sink.paragraph_();
|
||||
sink.paragraph();
|
||||
sink.text(v.getDescription());
|
||||
if (v.getReferences() != null && !v.getReferences().isEmpty()) {
|
||||
sink.list();
|
||||
for (Reference ref : v.getReferences()) {
|
||||
sink.listItem();
|
||||
sink.text(ref.getSource());
|
||||
sink.text(" - ");
|
||||
sink.link(ref.getUrl());
|
||||
sink.text(ref.getName());
|
||||
sink.link_();
|
||||
sink.listItem_();
|
||||
}
|
||||
sink.list_();
|
||||
}
|
||||
sink.paragraph_();
|
||||
if (v.getVulnerableSoftware() != null && !v.getVulnerableSoftware().isEmpty()) {
|
||||
sink.paragraph();
|
||||
|
||||
cnt += 1;
|
||||
sink.rawText("Vulnerable Software <a href=\"javascript:toggleElement(this, 'vulnSoft" + cnt + "')\">[-]</a>");
|
||||
sink.rawText("<div id=\"vulnSoft" + cnt + "\" style=\"display:block\">");
|
||||
sink.list();
|
||||
for (VulnerableSoftware vs : v.getVulnerableSoftware()) {
|
||||
sink.listItem();
|
||||
try {
|
||||
sink.link("http://web.nvd.nist.gov/view/vuln/search-results?cpe=" + URLEncoder.encode(vs.getName(), "US-ASCII"));
|
||||
sink.text(vs.getName());
|
||||
sink.link_();
|
||||
if (vs.hasPreviousVersion()) {
|
||||
sink.text(" and all previous versions.");
|
||||
}
|
||||
} catch (UnsupportedEncodingException ex) {
|
||||
sink.text(vs.getName());
|
||||
if (vs.hasPreviousVersion()) {
|
||||
sink.text(" and all previous versions.");
|
||||
}
|
||||
sink.text(" (http://web.nvd.nist.gov/view/vuln/search-results?cpe=" + vs.getName() + ")");
|
||||
}
|
||||
|
||||
sink.listItem_();
|
||||
}
|
||||
sink.list_();
|
||||
sink.rawText("</div>");
|
||||
sink.paragraph_();
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Writes the identifiers to the site report.
|
||||
*
|
||||
* @param d the dependency
|
||||
* @param sink the sink to write the data to
|
||||
*/
|
||||
private static void writeSiteReportDependencyIdentifiers(Dependency d, Sink sink) {
|
||||
if (d.getIdentifiers() != null && !d.getIdentifiers().isEmpty()) {
|
||||
sink.sectionTitle4();
|
||||
sink.text("Identifiers");
|
||||
sink.sectionTitle4_();
|
||||
sink.list();
|
||||
for (Identifier i : d.getIdentifiers()) {
|
||||
sink.listItem();
|
||||
sink.text(i.getType());
|
||||
sink.text(": ");
|
||||
if (i.getUrl() != null && i.getUrl().length() > 0) {
|
||||
sink.link(i.getUrl());
|
||||
sink.text(i.getValue());
|
||||
sink.link_();
|
||||
} else {
|
||||
sink.text(i.getValue());
|
||||
}
|
||||
if (i.getDescription() != null && i.getDescription().length() > 0) {
|
||||
sink.lineBreak();
|
||||
sink.text(i.getDescription());
|
||||
}
|
||||
sink.listItem_();
|
||||
}
|
||||
sink.list_();
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Writes the related dependencies to the site report.
|
||||
*
|
||||
* @param d the dependency
|
||||
* @param sink the sink to write the data to
|
||||
* @param collapsibleHeaderCount the collapsible header count
|
||||
* @return the collapsible header count
|
||||
*/
|
||||
private static int writeSiteReportDependencyRelatedDependencies(Dependency d, int collapsibleHeaderCount, Sink sink) {
|
||||
int cnt = collapsibleHeaderCount;
|
||||
if (d.getRelatedDependencies() != null && !d.getRelatedDependencies().isEmpty()) {
|
||||
cnt += 1;
|
||||
sink.sectionTitle4();
|
||||
sink.rawText("Related Dependencies <a href=\"javascript:toggleElement(this, 'related" + cnt + "')\">[+]</a>");
|
||||
sink.sectionTitle4_();
|
||||
sink.rawText("<div id=\"related" + cnt + "\" style=\"display:none\">");
|
||||
sink.list();
|
||||
for (Dependency r : d.getRelatedDependencies()) {
|
||||
sink.listItem();
|
||||
sink.text(r.getFileName());
|
||||
sink.list();
|
||||
writeListItem(sink, "File Path: " + r.getFilePath());
|
||||
writeListItem(sink, "SHA1: " + r.getSha1sum());
|
||||
writeListItem(sink, "MD5: " + r.getMd5sum());
|
||||
sink.list_();
|
||||
sink.listItem_();
|
||||
}
|
||||
sink.list_();
|
||||
sink.rawText("</div>");
|
||||
}
|
||||
return cnt;
|
||||
}
|
||||
|
||||
/**
|
||||
* Writes the evidence used to the site report.
|
||||
*
|
||||
* @param d the dependency
|
||||
* @param sink the sink to write the data to
|
||||
* @param collapsibleHeaderCount the collapsible header count
|
||||
* @return the collapsible header count
|
||||
*/
|
||||
private static int writeSiteReportDependencyEvidenceUsed(Dependency d, int collapsibleHeaderCount, Sink sink) {
|
||||
int cnt = collapsibleHeaderCount;
|
||||
final Set<Evidence> evidence = d.getEvidenceForDisplay();
|
||||
if (evidence != null && evidence.size() > 0) {
|
||||
cnt += 1;
|
||||
sink.sectionTitle4();
|
||||
sink.rawText("Evidence Collected <a href=\"javascript:toggleElement(this, 'evidence" + cnt + "')\">[+]</a>");
|
||||
sink.sectionTitle4_();
|
||||
sink.rawText("<div id=\"evidence" + cnt + "\" style=\"display:none\">");
|
||||
sink.table();
|
||||
sink.tableRow();
|
||||
writeTableHeaderCell(sink, "Source");
|
||||
writeTableHeaderCell(sink, "Name");
|
||||
writeTableHeaderCell(sink, "Value");
|
||||
sink.tableRow_();
|
||||
for (Evidence e : evidence) {
|
||||
sink.tableRow();
|
||||
writeTableCell(sink, e.getSource());
|
||||
writeTableCell(sink, e.getName());
|
||||
writeTableCell(sink, e.getValue());
|
||||
sink.tableRow_();
|
||||
}
|
||||
sink.table_();
|
||||
sink.rawText("</div>");
|
||||
}
|
||||
return cnt;
|
||||
}
|
||||
|
||||
/**
|
||||
* Writes the dependency header to the site report.
|
||||
*
|
||||
* @param d the dependency
|
||||
* @param sink the sink to write the data to
|
||||
*/
|
||||
private static void writeSiteReportDependencyHeader(Sink sink, Dependency d) {
|
||||
sink.sectionTitle2();
|
||||
sink.anchor("sha1" + d.getSha1sum());
|
||||
sink.text(d.getFileName());
|
||||
sink.anchor_();
|
||||
sink.sectionTitle2_();
|
||||
if (d.getDescription() != null && d.getDescription().length() > 0) {
|
||||
sink.paragraph();
|
||||
sink.bold();
|
||||
sink.text("Description: ");
|
||||
sink.bold_();
|
||||
sink.text(d.getDescription());
|
||||
sink.paragraph_();
|
||||
}
|
||||
if (d.getLicense() != null && d.getLicense().length() > 0) {
|
||||
sink.paragraph();
|
||||
sink.bold();
|
||||
sink.text("License: ");
|
||||
sink.bold_();
|
||||
if (d.getLicense().startsWith("http://") && !d.getLicense().contains(" ")) {
|
||||
sink.link(d.getLicense());
|
||||
sink.text(d.getLicense());
|
||||
sink.link_();
|
||||
} else {
|
||||
sink.text(d.getLicense());
|
||||
}
|
||||
sink.paragraph_();
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Adds a list item to the site report.
|
||||
*
|
||||
* @param sink the sink to write the data to
|
||||
* @param text the text to write
|
||||
*/
|
||||
private static void writeListItem(Sink sink, String text) {
|
||||
sink.listItem();
|
||||
sink.text(text);
|
||||
sink.listItem_();
|
||||
}
|
||||
|
||||
/**
|
||||
* Adds a table cell to the site report.
|
||||
*
|
||||
* @param sink the sink to write the data to
|
||||
* @param text the text to write
|
||||
*/
|
||||
private static void writeTableCell(Sink sink, String text) {
|
||||
sink.tableCell();
|
||||
sink.text(text);
|
||||
sink.tableCell_();
|
||||
}
|
||||
|
||||
/**
|
||||
* Adds a table header cell to the site report.
|
||||
*
|
||||
* @param sink the sink to write the data to
|
||||
* @param text the text to write
|
||||
*/
|
||||
private static void writeTableHeaderCell(Sink sink, String text) {
|
||||
sink.tableHeaderCell();
|
||||
sink.text(text);
|
||||
sink.tableHeaderCell_();
|
||||
}
|
||||
|
||||
/**
|
||||
* Writes the TOC for the site report.
|
||||
*
|
||||
* @param sink the sink to write the data to
|
||||
* @param dependencies the dependencies that are being reported on
|
||||
*/
|
||||
private static void writeSiteReportTOC(Sink sink, final List<Dependency> dependencies) {
|
||||
sink.list();
|
||||
for (Dependency d : dependencies) {
|
||||
sink.listItem();
|
||||
sink.link("#sha1" + d.getSha1sum());
|
||||
sink.text(d.getFileName());
|
||||
sink.link_();
|
||||
if (!d.getVulnerabilities().isEmpty()) {
|
||||
sink.rawText(" <font style=\"color:red\">•</font>");
|
||||
}
|
||||
if (!d.getRelatedDependencies().isEmpty()) {
|
||||
sink.list();
|
||||
for (Dependency r : d.getRelatedDependencies()) {
|
||||
writeListItem(sink, r.getFileName());
|
||||
}
|
||||
sink.list_();
|
||||
}
|
||||
sink.listItem_();
|
||||
}
|
||||
sink.list_();
|
||||
}
|
||||
|
||||
/**
|
||||
* Writes the site report header.
|
||||
*
|
||||
* @param sink the sink to write the data to
|
||||
* @param projectName the name of the project
|
||||
*/
|
||||
private static void writeSiteReportHeader(Sink sink, String projectName) {
|
||||
sink.head();
|
||||
sink.title();
|
||||
sink.text("Dependency-Check Report: " + projectName);
|
||||
sink.title_();
|
||||
sink.head_();
|
||||
sink.body();
|
||||
sink.rawText("<script type=\"text/javascript\">");
|
||||
sink.rawText("function toggleElement(el, targetId) {");
|
||||
sink.rawText("if (el.innerText == '[+]') {");
|
||||
sink.rawText(" el.innerText = '[-]';");
|
||||
sink.rawText(" document.getElementById(targetId).style.display='block';");
|
||||
sink.rawText("} else {");
|
||||
sink.rawText(" el.innerText = '[+]';");
|
||||
sink.rawText(" document.getElementById(targetId).style.display='none';");
|
||||
sink.rawText("}");
|
||||
|
||||
sink.rawText("}");
|
||||
sink.rawText("</script>");
|
||||
sink.section1();
|
||||
sink.sectionTitle1();
|
||||
sink.text("Project: " + projectName);
|
||||
sink.sectionTitle1_();
|
||||
sink.date();
|
||||
final Date now = new Date();
|
||||
sink.text(DateFormat.getDateTimeInstance().format(now));
|
||||
sink.date_();
|
||||
sink.section1_();
|
||||
}
|
||||
// </editor-fold>
|
||||
|
||||
}
|
||||
@@ -1,10 +1,18 @@
|
||||
Goals
|
||||
====================
|
||||
|
||||
Goal | Description
|
||||
-----------|-----------------------
|
||||
aggregate | Runs dependency-check against the child projects and aggregates the results into a single report.
|
||||
check | Runs dependency-check against the project and generates a report.
|
||||
|
||||
Configuration
|
||||
====================
|
||||
The following properties can be set on the dependency-check-maven plugin.
|
||||
|
||||
Property | Description | Default Value
|
||||
---------------------|------------------------------------|------------------
|
||||
aggregate | Sets whether report aggregation will be performed for multi-module site reports. This option only affects the report generation when configured within the reporting section. | false
|
||||
aggregate | Deprecated - use the aggregate goal instead. |
|
||||
autoUpdate | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true
|
||||
outputDirectory | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build | 'target'
|
||||
failBuildOnCVSS | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. | 11
|
||||
@@ -28,7 +36,8 @@ Property | Description
|
||||
archiveAnalyzerEnabled | Sets whether the Archive Analyzer will be used. | true
|
||||
zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. |
|
||||
jarAnalyzer | Sets whether Jar Analyzer will be used. | true
|
||||
nexusAnalyzerEnabled | Sets whether Nexus Analyzer will be used. | true
|
||||
centralAnalyzerEnabled | Sets whether Central Analyzer will be used. If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer (see below). | true
|
||||
nexusAnalyzerEnabled | Sets whether Nexus Analyzer will be used. This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. | true
|
||||
nexusUrl | Defines the Nexus Pro Server URL. If not set the Nexus Analyzer will be disabled. |
|
||||
nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | true
|
||||
nuspecAnalyzerEnabled | Sets whether or not the .NET Nuget Nuspec Analyzer will be used. | true
|
||||
|
||||
@@ -13,7 +13,7 @@ seven days the update will only take a few seconds.
|
||||
#set( $H = '#' )
|
||||
|
||||
$H$H$H Example 1:
|
||||
Create the DependencyCheck-report.html in the target directory
|
||||
Create the DependencyCheck-report.html in the target directory.
|
||||
|
||||
```xml
|
||||
<project>
|
||||
@@ -43,7 +43,7 @@ Create the DependencyCheck-report.html in the target directory
|
||||
```
|
||||
|
||||
$H$H$H Example 2:
|
||||
Create an aggregated dependency-check report within the site
|
||||
Create an aggregated dependency-check report within the site.
|
||||
|
||||
```xml
|
||||
<project>
|
||||
@@ -57,13 +57,10 @@ Create an aggregated dependency-check report within the site
|
||||
<groupId>org.owasp</groupId>
|
||||
<artifactId>dependency-check-maven</artifactId>
|
||||
<version>${project.version}</version>
|
||||
<configuration>
|
||||
<aggregate>true</aggregate>
|
||||
</configuration>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<reports>
|
||||
<report>check</report>
|
||||
<report>aggregate</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
@@ -78,7 +75,7 @@ Create an aggregated dependency-check report within the site
|
||||
```
|
||||
|
||||
$H$H$H Example 3:
|
||||
Create the DependencyCheck-report.html and fail the build for CVSS greater then 8
|
||||
Create the DependencyCheck-report.html and fail the build for CVSS greater then 8.
|
||||
|
||||
```xml
|
||||
<project>
|
||||
@@ -111,7 +108,7 @@ Create the DependencyCheck-report.html and fail the build for CVSS greater then
|
||||
```
|
||||
|
||||
$H$H$H Example 4:
|
||||
Create the DependencyCheck-report.html and skip artifacts not bundled in distribution (Provided and Runtime scope)
|
||||
Create the DependencyCheck-report.html and skip artifacts not bundled in distribution (Provided and Runtime scope).
|
||||
|
||||
```xml
|
||||
<project>
|
||||
@@ -145,7 +142,7 @@ Create the DependencyCheck-report.html and skip artifacts not bundled in distrib
|
||||
```
|
||||
|
||||
$H$H$H Example 5:
|
||||
Create the DependencyCheck-report.html and use internal mirroring of CVE contents
|
||||
Create the DependencyCheck-report.html and use internal mirroring of CVE contents.
|
||||
|
||||
```xml
|
||||
<project>
|
||||
|
||||
@@ -0,0 +1,111 @@
|
||||
/*
|
||||
* This file is part of dependency-check-maven.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
|
||||
*/
|
||||
package org.owasp.dependencycheck.maven;
|
||||
|
||||
import java.io.File;
|
||||
import java.net.URISyntaxException;
|
||||
import java.util.HashSet;
|
||||
import java.util.Locale;
|
||||
import java.util.Set;
|
||||
import java.util.logging.Level;
|
||||
import java.util.logging.Logger;
|
||||
import mockit.Mock;
|
||||
import mockit.MockUp;
|
||||
import org.apache.maven.artifact.Artifact;
|
||||
import org.apache.maven.plugin.MojoExecutionException;
|
||||
import org.apache.maven.plugin.MojoFailureException;
|
||||
import org.apache.maven.plugin.testing.stubs.ArtifactStub;
|
||||
import org.apache.maven.project.MavenProject;
|
||||
import static org.junit.Assert.assertFalse;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
import org.junit.Test;
|
||||
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
|
||||
import org.owasp.dependencycheck.utils.InvalidSettingException;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
|
||||
/**
|
||||
*
|
||||
* @author Jeremy Long <jeremy.long@owasp.org>
|
||||
*/
|
||||
public class BaseDependencyCheckMojoTest extends BaseTest {
|
||||
|
||||
/**
|
||||
* Test of scanArtifacts method, of class BaseDependencyCheckMojo.
|
||||
*/
|
||||
@Test
|
||||
public void testScanArtifacts() throws DatabaseException, InvalidSettingException {
|
||||
MavenProject project = new MockUp<MavenProject>() {
|
||||
@Mock
|
||||
public Set<Artifact> getArtifacts() {
|
||||
Set<Artifact> artifacts = new HashSet<Artifact>();
|
||||
Artifact a = new ArtifactStub();
|
||||
try {
|
||||
File file = new File(Test.class.getProtectionDomain().getCodeSource().getLocation().toURI());
|
||||
a.setFile(file);
|
||||
artifacts.add(a);
|
||||
} catch (URISyntaxException ex) {
|
||||
Logger.getLogger(BaseDependencyCheckMojoTest.class.getName()).log(Level.SEVERE, null, ex);
|
||||
}
|
||||
//File file = new File(this.getClass().getClassLoader().getResource("daytrader-ear-2.1.7.ear").getPath());
|
||||
|
||||
return artifacts;
|
||||
}
|
||||
|
||||
@Mock
|
||||
public String getName() {
|
||||
return "test-project";
|
||||
}
|
||||
}.getMockInstance();
|
||||
|
||||
boolean autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
|
||||
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
|
||||
Engine engine = new Engine(null, null);
|
||||
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
|
||||
|
||||
assertTrue(engine.getDependencies().isEmpty());
|
||||
BaseDependencyCheckMojoImpl instance = new BaseDependencyCheckMojoImpl();
|
||||
instance.scanArtifacts(project, engine);
|
||||
assertFalse(engine.getDependencies().isEmpty());
|
||||
engine.cleanup();
|
||||
}
|
||||
|
||||
public class BaseDependencyCheckMojoImpl extends BaseDependencyCheckMojo {
|
||||
|
||||
@Override
|
||||
public void runCheck() throws MojoExecutionException, MojoFailureException {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getName(Locale locale) {
|
||||
return "test implementation";
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getDescription(Locale locale) {
|
||||
return "test implementation";
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean canGenerateReport() {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
@@ -0,0 +1,47 @@
|
||||
/*
|
||||
* This file is part of dependency-check-maven.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
|
||||
*/
|
||||
package org.owasp.dependencycheck.maven;
|
||||
|
||||
import java.io.InputStream;
|
||||
import org.junit.AfterClass;
|
||||
import org.junit.BeforeClass;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
|
||||
/**
|
||||
*
|
||||
* @author Jeremy Long <jeremy.long@owasp.org>
|
||||
*/
|
||||
public class BaseTest {
|
||||
|
||||
/**
|
||||
* The properties file location.
|
||||
*/
|
||||
public static final String PROPERTIES_FILE = "mojo.properties";
|
||||
|
||||
@BeforeClass
|
||||
public static void setUpClass() throws Exception {
|
||||
Settings.initialize();
|
||||
InputStream mojoProperties = BaseTest.class.getClassLoader().getResourceAsStream(BaseTest.PROPERTIES_FILE);
|
||||
Settings.mergeProperties(mojoProperties);
|
||||
}
|
||||
|
||||
@AfterClass
|
||||
public static void tearDownClass() throws Exception {
|
||||
Settings.cleanup(true);
|
||||
}
|
||||
}
|
||||
@@ -1,210 +0,0 @@
|
||||
/*
|
||||
* This file is part of dependency-check-maven.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* Copyright (c) 2013 Jeremy Long. All Rights Reserved.
|
||||
*/
|
||||
package org.owasp.dependencycheck.maven;
|
||||
|
||||
import org.apache.maven.plugin.testing.AbstractMojoTestCase;
|
||||
import org.junit.After;
|
||||
import org.junit.AfterClass;
|
||||
import org.junit.Before;
|
||||
import org.junit.BeforeClass;
|
||||
import org.junit.Test;
|
||||
|
||||
/**
|
||||
* TODO - figure out how to get the test harness to work. ATM no tests are running.
|
||||
*
|
||||
* @author Jeremy Long <jeremy.long@owasp.org>
|
||||
*/
|
||||
public class DependencyCheckMojoTest extends AbstractMojoTestCase {
|
||||
|
||||
public DependencyCheckMojoTest() {
|
||||
}
|
||||
|
||||
@BeforeClass
|
||||
public static void setUpClass() throws Exception {
|
||||
}
|
||||
|
||||
@AfterClass
|
||||
public static void tearDownClass() throws Exception {
|
||||
}
|
||||
|
||||
@Before
|
||||
public void setUp() {
|
||||
}
|
||||
|
||||
@After
|
||||
public void tearDown() {
|
||||
}
|
||||
//
|
||||
// /**
|
||||
// * Test of execute method, of class DependencyCheckMojo.
|
||||
// */
|
||||
// @Test
|
||||
// public void testExecute() throws Exception {
|
||||
// System.out.println("execute");
|
||||
// DependencyCheckMojo instance = new DependencyCheckMojo();
|
||||
// instance.execute();
|
||||
// // TODO review the generated test code and remove the default call to fail.
|
||||
// fail("The test case is a prototype.");
|
||||
// }
|
||||
//
|
||||
// /**
|
||||
// * Test of generate method, of class DependencyCheckMojo.
|
||||
// */
|
||||
// @Test
|
||||
// public void testGenerate_Sink_Locale() throws Exception {
|
||||
// System.out.println("generate");
|
||||
// org.codehaus.doxia.sink.Sink sink = null;
|
||||
// Locale locale = null;
|
||||
// DependencyCheckMojo instance = new DependencyCheckMojo();
|
||||
// instance.generate(sink, locale);
|
||||
// // TODO review the generated test code and remove the default call to fail.
|
||||
// fail("The test case is a prototype.");
|
||||
// }
|
||||
|
||||
/**
|
||||
* Test of generate method, of class DependencyCheckMojo.
|
||||
*/
|
||||
@Test
|
||||
public void testGenerate_Sink_SinkFactory_Locale() throws Exception {
|
||||
//can't get the test-harness to work.
|
||||
// File samplePom = new File(this.getClass().getClassLoader().getResource("sample.xml").toURI());
|
||||
// DependencyCheckMojo mojo = (DependencyCheckMojo) lookupMojo("check", samplePom);
|
||||
// assertNotNull("Unable to load mojo", mojo);
|
||||
//
|
||||
// File out = mojo.getReportOutputDirectory();
|
||||
// OutputStream os = new FileOutputStream(out);
|
||||
// MySink sink = new MySink(os);
|
||||
// Locale locale = new Locale("en");
|
||||
//
|
||||
//
|
||||
// mojo.generate(sink, null, locale);
|
||||
// sink.close();
|
||||
}
|
||||
// /**
|
||||
// * Test of getOutputName method, of class DependencyCheckMojo.
|
||||
// */
|
||||
// @Test
|
||||
// public void testGetOutputName() {
|
||||
// System.out.println("getOutputName");
|
||||
// DependencyCheckMojo instance = new DependencyCheckMojo();
|
||||
// String expResult = "";
|
||||
// String result = instance.getOutputName();
|
||||
// assertEquals(expResult, result);
|
||||
// // TODO review the generated test code and remove the default call to fail.
|
||||
// fail("The test case is a prototype.");
|
||||
// }
|
||||
//
|
||||
// /**
|
||||
// * Test of getCategoryName method, of class DependencyCheckMojo.
|
||||
// */
|
||||
// @Test
|
||||
// public void testGetCategoryName() {
|
||||
// System.out.println("getCategoryName");
|
||||
// DependencyCheckMojo instance = new DependencyCheckMojo();
|
||||
// String expResult = "";
|
||||
// String result = instance.getCategoryName();
|
||||
// assertEquals(expResult, result);
|
||||
// // TODO review the generated test code and remove the default call to fail.
|
||||
// fail("The test case is a prototype.");
|
||||
// }
|
||||
//
|
||||
// /**
|
||||
// * Test of getName method, of class DependencyCheckMojo.
|
||||
// */
|
||||
// @Test
|
||||
// public void testGetName() {
|
||||
// System.out.println("getName");
|
||||
// Locale locale = null;
|
||||
// DependencyCheckMojo instance = new DependencyCheckMojo();
|
||||
// String expResult = "";
|
||||
// String result = instance.getName(locale);
|
||||
// assertEquals(expResult, result);
|
||||
// // TODO review the generated test code and remove the default call to fail.
|
||||
// fail("The test case is a prototype.");
|
||||
// }
|
||||
//
|
||||
// /**
|
||||
// * Test of setReportOutputDirectory method, of class DependencyCheckMojo.
|
||||
// */
|
||||
// @Test
|
||||
// public void testSetReportOutputDirectory() {
|
||||
// System.out.println("setReportOutputDirectory");
|
||||
// File directory = null;
|
||||
// DependencyCheckMojo instance = new DependencyCheckMojo();
|
||||
// instance.setReportOutputDirectory(directory);
|
||||
// // TODO review the generated test code and remove the default call to fail.
|
||||
// fail("The test case is a prototype.");
|
||||
// }
|
||||
//
|
||||
// /**
|
||||
// * Test of getReportOutputDirectory method, of class DependencyCheckMojo.
|
||||
// */
|
||||
// @Test
|
||||
// public void testGetReportOutputDirectory() {
|
||||
// System.out.println("getReportOutputDirectory");
|
||||
// DependencyCheckMojo instance = new DependencyCheckMojo();
|
||||
// File expResult = null;
|
||||
// File result = instance.getReportOutputDirectory();
|
||||
// assertEquals(expResult, result);
|
||||
// // TODO review the generated test code and remove the default call to fail.
|
||||
// fail("The test case is a prototype.");
|
||||
// }
|
||||
//
|
||||
// /**
|
||||
// * Test of getDescription method, of class DependencyCheckMojo.
|
||||
// */
|
||||
// @Test
|
||||
// public void testGetDescription() {
|
||||
// System.out.println("getDescription");
|
||||
// Locale locale = null;
|
||||
// DependencyCheckMojo instance = new DependencyCheckMojo();
|
||||
// String expResult = "";
|
||||
// String result = instance.getDescription(locale);
|
||||
// assertEquals(expResult, result);
|
||||
// // TODO review the generated test code and remove the default call to fail.
|
||||
// fail("The test case is a prototype.");
|
||||
// }
|
||||
//
|
||||
// /**
|
||||
// * Test of isExternalReport method, of class DependencyCheckMojo.
|
||||
// */
|
||||
// @Test
|
||||
// public void testIsExternalReport() {
|
||||
// System.out.println("isExternalReport");
|
||||
// DependencyCheckMojo instance = new DependencyCheckMojo();
|
||||
// boolean expResult = false;
|
||||
// boolean result = instance.isExternalReport();
|
||||
// assertEquals(expResult, result);
|
||||
// // TODO review the generated test code and remove the default call to fail.
|
||||
// fail("The test case is a prototype.");
|
||||
// }
|
||||
//
|
||||
// /**
|
||||
// * Test of canGenerateReport method, of class DependencyCheckMojo.
|
||||
// */
|
||||
// @Test
|
||||
// public void testCanGenerateReport() {
|
||||
// System.out.println("canGenerateReport");
|
||||
// DependencyCheckMojo instance = new DependencyCheckMojo();
|
||||
// boolean expResult = false;
|
||||
// boolean result = instance.canGenerateReport();
|
||||
// assertEquals(expResult, result);
|
||||
// // TODO review the generated test code and remove the default call to fail.
|
||||
// fail("The test case is a prototype.");
|
||||
// }
|
||||
}
|
||||
@@ -1,601 +0,0 @@
|
||||
/*
|
||||
* This file is part of dependency-check-maven.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* Copyright (c) 2013 Jeremy Long. All Rights Reserved.
|
||||
*/
|
||||
package org.owasp.dependencycheck.maven;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.io.OutputStream;
|
||||
import java.io.OutputStreamWriter;
|
||||
import java.util.logging.Level;
|
||||
import java.util.logging.Logger;
|
||||
import org.apache.maven.doxia.logging.Log;
|
||||
import org.apache.maven.doxia.sink.Sink;
|
||||
import org.apache.maven.doxia.sink.SinkEventAttributes;
|
||||
|
||||
/**
|
||||
*
|
||||
* @author Jeremy Long <jeremy.long@owasp.org>
|
||||
*/
|
||||
public class MySink implements Sink {
|
||||
|
||||
private OutputStreamWriter out = null;
|
||||
|
||||
public MySink(OutputStream os) {
|
||||
out = new OutputStreamWriter(os);
|
||||
|
||||
}
|
||||
|
||||
private void writeTag(String tag) {
|
||||
try {
|
||||
out.write(tag);
|
||||
} catch (IOException ex) {
|
||||
Logger.getLogger(MySink.class.getName()).log(Level.SEVERE, "Error writing a tag; unable to generate the report");
|
||||
Logger.getLogger(MySink.class.getName()).log(Level.FINE, null, ex);
|
||||
}
|
||||
}
|
||||
|
||||
public void head() {
|
||||
writeTag("<head>");
|
||||
}
|
||||
|
||||
public void head_() {
|
||||
writeTag("</head>");
|
||||
}
|
||||
|
||||
public void title() {
|
||||
writeTag("<title>");
|
||||
}
|
||||
|
||||
public void title_() {
|
||||
writeTag("</title>");
|
||||
}
|
||||
|
||||
public void author() {
|
||||
writeTag("<author>");
|
||||
}
|
||||
|
||||
public void author_() {
|
||||
writeTag("</author>");
|
||||
}
|
||||
|
||||
public void date() {
|
||||
writeTag("<time>");
|
||||
}
|
||||
|
||||
public void date_() {
|
||||
writeTag("</time>");
|
||||
}
|
||||
|
||||
public void body() {
|
||||
writeTag("<body>");
|
||||
}
|
||||
|
||||
public void body_() {
|
||||
writeTag("</body>");
|
||||
}
|
||||
|
||||
public void sectionTitle() {
|
||||
writeTag("<h1>");
|
||||
}
|
||||
|
||||
public void sectionTitle_() {
|
||||
writeTag("</h1>");
|
||||
}
|
||||
|
||||
public void section1() {
|
||||
writeTag("<div>");
|
||||
}
|
||||
|
||||
public void section1_() {
|
||||
writeTag("</div>");
|
||||
}
|
||||
|
||||
public void sectionTitle1() {
|
||||
writeTag("<h2>");
|
||||
}
|
||||
|
||||
public void sectionTitle1_() {
|
||||
writeTag("</h2>");
|
||||
}
|
||||
|
||||
public void section2() {
|
||||
writeTag("<div>");
|
||||
}
|
||||
|
||||
public void section2_() {
|
||||
writeTag("</div>");
|
||||
}
|
||||
|
||||
public void sectionTitle2() {
|
||||
writeTag("<h3>");
|
||||
}
|
||||
|
||||
public void sectionTitle2_() {
|
||||
writeTag("</h3>");
|
||||
}
|
||||
|
||||
public void section3() {
|
||||
writeTag("<div>");
|
||||
}
|
||||
|
||||
public void section3_() {
|
||||
writeTag("</div>");
|
||||
}
|
||||
|
||||
public void sectionTitle3() {
|
||||
writeTag("<h4>");
|
||||
}
|
||||
|
||||
public void sectionTitle3_() {
|
||||
writeTag("</h4>");
|
||||
}
|
||||
|
||||
public void section4() {
|
||||
writeTag("<div>");
|
||||
}
|
||||
|
||||
public void section4_() {
|
||||
writeTag("</div>");
|
||||
}
|
||||
|
||||
public void sectionTitle4() {
|
||||
writeTag("<h5>");
|
||||
}
|
||||
|
||||
public void sectionTitle4_() {
|
||||
writeTag("</h5>");
|
||||
}
|
||||
|
||||
public void section5() {
|
||||
writeTag("<div>");
|
||||
}
|
||||
|
||||
public void section5_() {
|
||||
writeTag("</div>");
|
||||
}
|
||||
|
||||
public void sectionTitle5() {
|
||||
writeTag("<h6>");
|
||||
}
|
||||
|
||||
public void sectionTitle5_() {
|
||||
writeTag("</h6>");
|
||||
}
|
||||
|
||||
public void list() {
|
||||
writeTag("<ul>");
|
||||
}
|
||||
|
||||
public void list_() {
|
||||
writeTag("</ul>");
|
||||
}
|
||||
|
||||
public void listItem() {
|
||||
writeTag("<li>");
|
||||
}
|
||||
|
||||
public void listItem_() {
|
||||
writeTag("</li>");
|
||||
}
|
||||
|
||||
public void numberedList(int numbering) {
|
||||
writeTag("<ol>");
|
||||
}
|
||||
|
||||
public void numberedList_() {
|
||||
writeTag("</ol>");
|
||||
}
|
||||
|
||||
public void numberedListItem() {
|
||||
writeTag("<li>");
|
||||
}
|
||||
|
||||
public void numberedListItem_() {
|
||||
writeTag("</li>");
|
||||
}
|
||||
|
||||
public void definitionList() {
|
||||
writeTag("<dl>");
|
||||
}
|
||||
|
||||
public void definitionList_() {
|
||||
writeTag("</dl>");
|
||||
}
|
||||
|
||||
public void definitionListItem() {
|
||||
writeTag("<dt>");
|
||||
}
|
||||
|
||||
public void definitionListItem_() {
|
||||
writeTag("</dt>");
|
||||
}
|
||||
|
||||
public void definition() {
|
||||
writeTag("<dd>");
|
||||
}
|
||||
|
||||
public void definition_() {
|
||||
writeTag("</dd>");
|
||||
}
|
||||
|
||||
public void definedTerm() {
|
||||
writeTag("<dt>");
|
||||
}
|
||||
|
||||
public void definedTerm_() {
|
||||
writeTag("</dt>");
|
||||
}
|
||||
|
||||
public void figure() {
|
||||
throw new UnsupportedOperationException("Not supported yet.");
|
||||
}
|
||||
|
||||
public void figure_() {
|
||||
throw new UnsupportedOperationException("Not supported yet.");
|
||||
}
|
||||
|
||||
public void figureCaption() {
|
||||
throw new UnsupportedOperationException("Not supported yet.");
|
||||
}
|
||||
|
||||
public void figureCaption_() {
|
||||
throw new UnsupportedOperationException("Not supported yet.");
|
||||
}
|
||||
|
||||
public void figureGraphics(String name) {
|
||||
throw new UnsupportedOperationException("Not supported yet.");
|
||||
}
|
||||
|
||||
public void table() {
|
||||
writeTag("<table>");
|
||||
}
|
||||
|
||||
public void table_() {
|
||||
writeTag("</table>");
|
||||
}
|
||||
|
||||
public void tableRows(int[] justification, boolean grid) {
|
||||
writeTag("<tr>");
|
||||
}
|
||||
|
||||
public void tableRows_() {
|
||||
writeTag("</tr>");
|
||||
}
|
||||
|
||||
public void tableRow() {
|
||||
writeTag("<tr>");
|
||||
}
|
||||
|
||||
public void tableRow_() {
|
||||
writeTag("</tr>");
|
||||
}
|
||||
|
||||
public void tableCell() {
|
||||
writeTag("<td>");
|
||||
}
|
||||
|
||||
public void tableCell(String width) {
|
||||
writeTag("<td>");
|
||||
}
|
||||
|
||||
public void tableCell_() {
|
||||
writeTag("</td>");
|
||||
}
|
||||
|
||||
public void tableHeaderCell() {
|
||||
writeTag("<th>");
|
||||
}
|
||||
|
||||
public void tableHeaderCell(String width) {
|
||||
writeTag("<th>");
|
||||
}
|
||||
|
||||
public void tableHeaderCell_() {
|
||||
writeTag("</th>");
|
||||
}
|
||||
|
||||
public void tableCaption() {
|
||||
writeTag("<caption>");
|
||||
}
|
||||
|
||||
public void tableCaption_() {
|
||||
writeTag("</caption>");
|
||||
}
|
||||
|
||||
public void paragraph() {
|
||||
writeTag("<p>");
|
||||
}
|
||||
|
||||
public void paragraph_() {
|
||||
writeTag("</p>");
|
||||
}
|
||||
|
||||
public void verbatim(boolean boxed) {
|
||||
writeTag("<pre>");
|
||||
}
|
||||
|
||||
public void verbatim_() {
|
||||
writeTag("</pre>");
|
||||
}
|
||||
|
||||
public void horizontalRule() {
|
||||
writeTag("<hr/>");
|
||||
}
|
||||
|
||||
public void pageBreak() {
|
||||
writeTag("<br/>");
|
||||
}
|
||||
|
||||
public void anchor(String name) {
|
||||
writeTag("<a href=\"" + name + "\">");
|
||||
}
|
||||
|
||||
public void anchor_() {
|
||||
writeTag("</a>");
|
||||
}
|
||||
|
||||
public void link(String name) {
|
||||
writeTag("<link href=\"" + name + "\">");
|
||||
}
|
||||
|
||||
public void link_() {
|
||||
writeTag("</link>");
|
||||
}
|
||||
|
||||
public void italic() {
|
||||
writeTag("<i>");
|
||||
}
|
||||
|
||||
public void italic_() {
|
||||
writeTag("</i>");
|
||||
}
|
||||
|
||||
public void bold() {
|
||||
writeTag("<b>");
|
||||
}
|
||||
|
||||
public void bold_() {
|
||||
writeTag("</b>");
|
||||
}
|
||||
|
||||
public void monospaced() {
|
||||
writeTag("<pre>");
|
||||
}
|
||||
|
||||
public void monospaced_() {
|
||||
writeTag("</pre>");
|
||||
}
|
||||
|
||||
public void lineBreak() {
|
||||
writeTag("<br>");
|
||||
}
|
||||
|
||||
public void nonBreakingSpace() {
|
||||
writeTag(" ");
|
||||
}
|
||||
|
||||
public void text(String text) {
|
||||
try {
|
||||
//TODO add HTML Encoding - or figure out how to get the doxia xhtmlsink to work.
|
||||
out.write(text);
|
||||
} catch (IOException ex) {
|
||||
Logger.getLogger(MySink.class.getName()).log(Level.SEVERE, "Error writing a text; unable to generate the report");
|
||||
Logger.getLogger(MySink.class.getName()).log(Level.FINE, null, ex);
|
||||
}
|
||||
}
|
||||
|
||||
public void rawText(String text) {
|
||||
try {
|
||||
out.write(text);
|
||||
} catch (IOException ex) {
|
||||
Logger.getLogger(MySink.class.getName()).log(Level.SEVERE, "Error writing raw text; unable to generate the report");
|
||||
Logger.getLogger(MySink.class.getName()).log(Level.FINE, null, ex);
|
||||
}
|
||||
}
|
||||
|
||||
public void flush() {
|
||||
try {
|
||||
out.flush();
|
||||
} catch (IOException ex) {
|
||||
Logger.getLogger(MySink.class.getName()).log(Level.FINEST, null, ex);
|
||||
}
|
||||
}
|
||||
|
||||
public void close() {
|
||||
flush();
|
||||
try {
|
||||
out.close();
|
||||
} catch (IOException ex) {
|
||||
Logger.getLogger(MySink.class.getName()).log(Level.FINEST, null, ex);
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public void head(SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void title(SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void author(SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void date(SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void body(SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void section(int i, SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void section_(int i) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void sectionTitle(int i, SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void sectionTitle_(int i) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void list(SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void listItem(SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void numberedList(int i, SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void numberedListItem(SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void definitionList(SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void definitionListItem(SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void definition(SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void definedTerm(SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void figure(SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void figureCaption(SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void figureGraphics(String string, SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void table(SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void tableRow(SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void tableCell(SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void tableHeaderCell(SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void tableCaption(SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void paragraph(SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void verbatim(SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void horizontalRule(SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void anchor(String string, SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void link(String string, SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void lineBreak(SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void text(String string, SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void comment(String string) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void unknown(String string, Object[] os, SinkEventAttributes sea) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
|
||||
@Override
|
||||
public void enableLogging(Log log) {
|
||||
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,2 @@
|
||||
# the path to the data directory
|
||||
data.directory=[JAR]/dependency-check-data
|
||||
@@ -21,7 +21,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
|
||||
<parent>
|
||||
<groupId>org.owasp</groupId>
|
||||
<artifactId>dependency-check-parent</artifactId>
|
||||
<version>1.2.6</version>
|
||||
<version>1.2.9</version>
|
||||
</parent>
|
||||
|
||||
<artifactId>dependency-check-utils</artifactId>
|
||||
@@ -45,11 +45,10 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>cobertura-maven-plugin</artifactId>
|
||||
<version>2.6</version>
|
||||
<configuration>
|
||||
<instrumentation>
|
||||
<!--instrumentation>
|
||||
<ignoreTrivial>true</ignoreTrivial>
|
||||
</instrumentation>
|
||||
</instrumentation-->
|
||||
<check>
|
||||
<branchRate>85</branchRate>
|
||||
<lineRate>85</lineRate>
|
||||
@@ -78,7 +77,6 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-surefire-plugin</artifactId>
|
||||
<version>2.16</version>
|
||||
<configuration>
|
||||
<systemProperties>
|
||||
<property>
|
||||
@@ -94,196 +92,137 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-failsafe-plugin</artifactId>
|
||||
<version>2.16</version>
|
||||
<configuration>
|
||||
<systemProperties>
|
||||
<property>
|
||||
<name>temp.directory</name>
|
||||
<value>${project.build.directory}/temp</value>
|
||||
</property>
|
||||
</systemProperties>
|
||||
<includes>
|
||||
<include>**/*IntegrationTest.java</include>
|
||||
</includes>
|
||||
</configuration>
|
||||
<executions>
|
||||
<execution>
|
||||
<goals>
|
||||
<goal>integration-test</goal>
|
||||
<goal>verify</goal>
|
||||
</goals>
|
||||
</execution>
|
||||
</executions>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-compiler-plugin</artifactId>
|
||||
<version>3.1</version>
|
||||
</plugin>
|
||||
</plugins>
|
||||
</build>
|
||||
<reporting>
|
||||
<plugins>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-javadoc-plugin</artifactId>
|
||||
<version>2.9.1</version>
|
||||
<configuration>
|
||||
<showDeprecation>false</showDeprecation>
|
||||
<source>1.6</source>
|
||||
<target>1.6</target>
|
||||
<bottom>Copyright© 2012-15 Jeremy Long. All Rights Reserved.</bottom>
|
||||
</configuration>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<id>default</id>
|
||||
<reports>
|
||||
<report>javadoc</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>versions-maven-plugin</artifactId>
|
||||
<version>2.1</version>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<reports>
|
||||
<report>dependency-updates-report</report>
|
||||
<report>plugin-updates-report</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-jxr-plugin</artifactId>
|
||||
<version>2.4</version>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>cobertura-maven-plugin</artifactId>
|
||||
<version>2.6</version>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-surefire-report-plugin</artifactId>
|
||||
<version>2.16</version>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<reports>
|
||||
<report>report-only</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>taglist-maven-plugin</artifactId>
|
||||
<version>2.4</version>
|
||||
<configuration>
|
||||
<tagListOptions>
|
||||
<tagClasses>
|
||||
<tagClass>
|
||||
<displayName>Todo Work</displayName>
|
||||
<tags>
|
||||
<tag>
|
||||
<matchString>todo</matchString>
|
||||
<matchType>ignoreCase</matchType>
|
||||
</tag>
|
||||
<tag>
|
||||
<matchString>FIXME</matchString>
|
||||
<matchType>exact</matchType>
|
||||
</tag>
|
||||
</tags>
|
||||
</tagClass>
|
||||
</tagClasses>
|
||||
</tagListOptions>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-site-plugin</artifactId>
|
||||
<version>3.3</version>
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>org.apache.maven.doxia</groupId>
|
||||
<artifactId>doxia-module-markdown</artifactId>
|
||||
<version>1.5</version>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
<artifactId>maven-checkstyle-plugin</artifactId>
|
||||
<version>2.11</version>
|
||||
<configuration>
|
||||
<skipDeploy>true</skipDeploy>
|
||||
<reportPlugins>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-project-info-reports-plugin</artifactId>
|
||||
<version>2.7</version>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<reports>
|
||||
<report>index</report>
|
||||
<report>summary</report>
|
||||
<report>license</report>
|
||||
<report>help</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-javadoc-plugin</artifactId>
|
||||
<version>2.9.1</version>
|
||||
<configuration>
|
||||
<bottom>Copyright© 2012-14 Jeremy Long. All Rights Reserved.</bottom>
|
||||
</configuration>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<id>default</id>
|
||||
<reports>
|
||||
<report>javadoc</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>versions-maven-plugin</artifactId>
|
||||
<version>2.1</version>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<reports>
|
||||
<report>dependency-updates-report</report>
|
||||
<report>plugin-updates-report</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-jxr-plugin</artifactId>
|
||||
<version>2.4</version>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>cobertura-maven-plugin</artifactId>
|
||||
<version>2.6</version>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-surefire-report-plugin</artifactId>
|
||||
<version>2.16</version>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<reports>
|
||||
<report>report-only</report>
|
||||
</reports>
|
||||
</reportSet>
|
||||
</reportSets>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>taglist-maven-plugin</artifactId>
|
||||
<version>2.4</version>
|
||||
<configuration>
|
||||
<tagListOptions>
|
||||
<tagClasses>
|
||||
<tagClass>
|
||||
<displayName>Todo Work</displayName>
|
||||
<tags>
|
||||
<tag>
|
||||
<matchString>todo</matchString>
|
||||
<matchType>ignoreCase</matchType>
|
||||
</tag>
|
||||
<tag>
|
||||
<matchString>FIXME</matchString>
|
||||
<matchType>exact</matchType>
|
||||
</tag>
|
||||
</tags>
|
||||
</tagClass>
|
||||
</tagClasses>
|
||||
</tagListOptions>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-checkstyle-plugin</artifactId>
|
||||
<version>2.11</version>
|
||||
<configuration>
|
||||
<enableRulesSummary>false</enableRulesSummary>
|
||||
<configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
|
||||
<headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
|
||||
<suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
|
||||
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-pmd-plugin</artifactId>
|
||||
<version>3.0.1</version>
|
||||
<configuration>
|
||||
<targetJdk>1.6</targetJdk>
|
||||
<linkXref>true</linkXref>
|
||||
<sourceEncoding>utf-8</sourceEncoding>
|
||||
<excludes>
|
||||
<exclude>**/org/owasp/dependencycheck/org/apache/**/*.java</exclude>
|
||||
</excludes>
|
||||
<rulesets>
|
||||
<ruleset>../src/main/config/dcrules.xml</ruleset>
|
||||
<ruleset>/rulesets/java/basic.xml</ruleset>
|
||||
<ruleset>/rulesets/java/imports.xml</ruleset>
|
||||
<ruleset>/rulesets/java/unusedcode.xml</ruleset>
|
||||
</rulesets>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>findbugs-maven-plugin</artifactId>
|
||||
<version>2.5.3</version>
|
||||
<configuration>
|
||||
<onlyAnalyze>org.owasp.dependencycheck.utils.*</onlyAnalyze>
|
||||
</configuration>
|
||||
</plugin>
|
||||
</reportPlugins>
|
||||
<enableRulesSummary>false</enableRulesSummary>
|
||||
<enableFilesSummary>false</enableFilesSummary>
|
||||
<configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
|
||||
<headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
|
||||
<suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
|
||||
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-pmd-plugin</artifactId>
|
||||
<version>3.0.1</version>
|
||||
<configuration>
|
||||
<targetJdk>1.6</targetJdk>
|
||||
<linkXref>true</linkXref>
|
||||
<sourceEncoding>utf-8</sourceEncoding>
|
||||
<excludes>
|
||||
<exclude>**/org/owasp/dependencycheck/org/apache/**/*.java</exclude>
|
||||
</excludes>
|
||||
<rulesets>
|
||||
<ruleset>../src/main/config/dcrules.xml</ruleset>
|
||||
<ruleset>/rulesets/java/basic.xml</ruleset>
|
||||
<ruleset>/rulesets/java/imports.xml</ruleset>
|
||||
<ruleset>/rulesets/java/unusedcode.xml</ruleset>
|
||||
</rulesets>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>findbugs-maven-plugin</artifactId>
|
||||
<version>2.5.3</version>
|
||||
<configuration>
|
||||
<onlyAnalyze>org.owasp.dependencycheck.utils.*</onlyAnalyze>
|
||||
</configuration>
|
||||
</plugin>
|
||||
</plugins>
|
||||
</build>
|
||||
</reporting>
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>commons-io</groupId>
|
||||
<artifactId>commons-io</artifactId>
|
||||
<version>2.4</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>junit</groupId>
|
||||
<artifactId>junit</artifactId>
|
||||
<version>4.11</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
</project>
|
||||
|
||||
@@ -25,6 +25,7 @@ import java.io.InputStream;
|
||||
import java.net.HttpURLConnection;
|
||||
import java.net.URISyntaxException;
|
||||
import java.net.URL;
|
||||
import java.security.InvalidAlgorithmParameterException;
|
||||
import java.util.logging.Level;
|
||||
import java.util.logging.Logger;
|
||||
import java.util.zip.GZIPInputStream;
|
||||
@@ -80,11 +81,11 @@ public final class Downloader {
|
||||
try {
|
||||
org.apache.commons.io.FileUtils.copyFile(file, outputPath);
|
||||
} catch (IOException ex) {
|
||||
final String msg = String.format("Download failed, unable to copy '%s'", url.toString());
|
||||
final String msg = String.format("Download failed, unable to copy '%s' to '%s'", url.toString(), outputPath.getAbsolutePath());
|
||||
throw new DownloadFailedException(msg);
|
||||
}
|
||||
} else {
|
||||
final String msg = String.format("Download failed, file does not exist '%s'", url.toString());
|
||||
final String msg = String.format("Download failed, file ('%s') does not exist", url.toString());
|
||||
throw new DownloadFailedException(msg);
|
||||
}
|
||||
} else {
|
||||
@@ -93,6 +94,34 @@ public final class Downloader {
|
||||
conn = URLConnectionFactory.createHttpURLConnection(url, useProxy);
|
||||
conn.setRequestProperty("Accept-Encoding", "gzip, deflate");
|
||||
conn.connect();
|
||||
int status = conn.getResponseCode();
|
||||
if (status != HttpURLConnection.HTTP_OK) {
|
||||
if (status == HttpURLConnection.HTTP_MOVED_TEMP
|
||||
|| status == HttpURLConnection.HTTP_MOVED_PERM
|
||||
|| status == HttpURLConnection.HTTP_SEE_OTHER) {
|
||||
final String location = conn.getHeaderField("Location");
|
||||
try {
|
||||
conn.disconnect();
|
||||
} finally {
|
||||
conn = null;
|
||||
}
|
||||
LOGGER.fine(String.format("Download is being redirected from %s to %s", url.toString(), location));
|
||||
conn = URLConnectionFactory.createHttpURLConnection(new URL(location), useProxy);
|
||||
conn.setRequestProperty("Accept-Encoding", "gzip, deflate");
|
||||
conn.connect();
|
||||
status = conn.getResponseCode();
|
||||
}
|
||||
}
|
||||
if (status != 200) {
|
||||
try {
|
||||
conn.disconnect();
|
||||
} finally {
|
||||
conn = null;
|
||||
}
|
||||
final String msg = String.format("Error downloading file %s; received response code %s.", url.toString(), status);
|
||||
throw new DownloadFailedException(msg);
|
||||
|
||||
}
|
||||
} catch (IOException ex) {
|
||||
try {
|
||||
if (conn != null) {
|
||||
@@ -101,10 +130,11 @@ public final class Downloader {
|
||||
} finally {
|
||||
conn = null;
|
||||
}
|
||||
throw new DownloadFailedException("Error downloading file.", ex);
|
||||
final String msg = String.format("Error downloading file %s; unable to connect.", url.toString());
|
||||
throw new DownloadFailedException(msg, ex);
|
||||
}
|
||||
final String encoding = conn.getContentEncoding();
|
||||
|
||||
final String encoding = conn.getContentEncoding();
|
||||
BufferedOutputStream writer = null;
|
||||
InputStream reader = null;
|
||||
try {
|
||||
@@ -122,23 +152,28 @@ public final class Downloader {
|
||||
while ((bytesRead = reader.read(buffer)) > 0) {
|
||||
writer.write(buffer, 0, bytesRead);
|
||||
}
|
||||
} catch (IOException ex) {
|
||||
analyzeException(ex);
|
||||
final String msg = String.format("Error saving '%s' to file '%s'%nConnection Timeout: %d%nEncoding: %s%n",
|
||||
url.toString(), outputPath.getAbsolutePath(), conn.getConnectTimeout(), encoding);
|
||||
throw new DownloadFailedException(msg, ex);
|
||||
} catch (Throwable ex) {
|
||||
throw new DownloadFailedException("Error saving downloaded file.", ex);
|
||||
final String msg = String.format("Unexpected exception saving '%s' to file '%s'%nConnection Timeout: %d%nEncoding: %s%n",
|
||||
url.toString(), outputPath.getAbsolutePath(), conn.getConnectTimeout(), encoding);
|
||||
throw new DownloadFailedException(msg, ex);
|
||||
} finally {
|
||||
if (writer != null) {
|
||||
try {
|
||||
writer.close();
|
||||
} catch (Throwable ex) {
|
||||
LOGGER.log(Level.FINEST,
|
||||
"Error closing the writer in Downloader.", ex);
|
||||
} catch (IOException ex) {
|
||||
LOGGER.log(Level.FINEST, "Error closing the writer in Downloader.", ex);
|
||||
}
|
||||
}
|
||||
if (reader != null) {
|
||||
try {
|
||||
reader.close();
|
||||
} catch (Throwable ex) {
|
||||
LOGGER.log(Level.FINEST,
|
||||
"Error closing the reader in Downloader.", ex);
|
||||
} catch (IOException ex) {
|
||||
LOGGER.log(Level.FINEST, "Error closing the reader in Downloader.", ex);
|
||||
}
|
||||
}
|
||||
try {
|
||||
@@ -151,8 +186,8 @@ public final class Downloader {
|
||||
}
|
||||
|
||||
/**
|
||||
* Makes an HTTP Head request to retrieve the last modified date of the given URL. If the file:// protocol is
|
||||
* specified, then the lastTimestamp of the file is returned.
|
||||
* Makes an HTTP Head request to retrieve the last modified date of the given URL. If the file:// protocol is specified, then
|
||||
* the lastTimestamp of the file is returned.
|
||||
*
|
||||
* @param url the URL to retrieve the timestamp from
|
||||
* @return an epoch timestamp
|
||||
@@ -185,6 +220,7 @@ public final class Downloader {
|
||||
} catch (URLConnectionFailureException ex) {
|
||||
throw new DownloadFailedException("Error creating URL Connection for HTTP HEAD request.", ex);
|
||||
} catch (IOException ex) {
|
||||
analyzeException(ex);
|
||||
throw new DownloadFailedException("Error making HTTP HEAD request.", ex);
|
||||
} finally {
|
||||
if (conn != null) {
|
||||
@@ -198,4 +234,29 @@ public final class Downloader {
|
||||
}
|
||||
return timestamp;
|
||||
}
|
||||
|
||||
/**
|
||||
* Analyzes the IOException, logs the appropriate information for debugging purposes, and then throws a
|
||||
* DownloadFailedException that wraps the IO Exception.
|
||||
*
|
||||
* @param ex the original exception
|
||||
* @throws DownloadFailedException a wrapper exception that contains the original exception as the cause
|
||||
*/
|
||||
protected static void analyzeException(IOException ex) throws DownloadFailedException {
|
||||
Throwable cause = ex;
|
||||
while (cause != null) {
|
||||
if (cause instanceof InvalidAlgorithmParameterException) {
|
||||
final String keystore = System.getProperty("javax.net.ssl.keyStore");
|
||||
final String version = System.getProperty("java.version");
|
||||
final String vendor = System.getProperty("java.vendor");
|
||||
LOGGER.info("Error making HTTPS request - InvalidAlgorithmParameterException");
|
||||
LOGGER.info("There appears to be an issue with the installation of Java and the cacerts."
|
||||
+ "See closed issue #177 here: https://github.com/jeremylong/DependencyCheck/issues/177");
|
||||
LOGGER.info(String.format("Java Info:%njavax.net.ssl.keyStore='%s'%njava.version='%s'%njava.vendor='%s'",
|
||||
keystore, version, vendor));
|
||||
throw new DownloadFailedException("Error making HTTPS request. Please see the log for more details.");
|
||||
}
|
||||
cause = cause.getCause();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -17,6 +17,7 @@
|
||||
*/
|
||||
package org.owasp.dependencycheck.utils;
|
||||
|
||||
import java.io.File;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.util.logging.FileHandler;
|
||||
@@ -57,6 +58,13 @@ public final class LogUtils {
|
||||
if (verboseLogFile != null && !verboseLogFile.isEmpty()) {
|
||||
verboseLoggingEnabled = true;
|
||||
final Logger logger = Logger.getLogger("");
|
||||
final File logFile = new File(verboseLogFile);
|
||||
final File logDir = logFile.getParentFile();
|
||||
if (logDir != null && !logDir.isDirectory() && !logDir.mkdirs()) {
|
||||
final String msg = String.format("Unable to create directory '%s', verbose logging will be disabled.",
|
||||
logDir.getAbsolutePath());
|
||||
throw new IOException(msg);
|
||||
}
|
||||
final FileHandler fileHandler = new FileHandler(verboseLogFile, true);
|
||||
fileHandler.setFormatter(new SimpleFormatter());
|
||||
fileHandler.setLevel(Level.FINE);
|
||||
@@ -75,7 +83,7 @@ public final class LogUtils {
|
||||
if (in != null) {
|
||||
try {
|
||||
in.close();
|
||||
} catch (Throwable ex) {
|
||||
} catch (IOException ex) {
|
||||
LOGGER.log(Level.FINEST, "Error closing resource stream", ex);
|
||||
}
|
||||
}
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user