Compare commits


137 Commits

Author SHA1 Message Date
Jeremy Long
6f9ba0033f version 1.2.9
Former-commit-id: f775a71e328b2ff44d9b004b9991b4bbad8a4725
2015-03-06 05:59:59 -05:00
Jeremy Long
4d4672fc4d corrected & operator to use &&
Former-commit-id: cb1dd513f85db07ec54b1fa94328f2ec057eff94
2015-03-05 06:16:31 -05:00
Jeremy Long
70859eb719 checkstyle correction
Former-commit-id: 6ce90b5c6d192835568995cd33d56330cea53cfb
2015-03-05 06:15:43 -05:00
Jeremy Long
ae9daf7f33 updated (c)
Former-commit-id: 305ab5d6faa8f05a1689b57aabf551dd66fed070
2015-03-03 05:59:52 -05:00
Jeremy Long
ff0daa8d66 reverted to lucene 4.7.2 - new versions of lucene are built using JDK 1.7+ and cause issues for the dependency-check Maven Plugin
Former-commit-id: 514cc4922c7f00f55b1dcd102f6d45491e90a5d8
2015-03-01 21:43:52 -05:00
Jeremy Long
09f1a0ac92 checkstyle corrections
Former-commit-id: 6e12b975c1975566ebef47fedef24c179a753e05
2015-03-01 10:00:13 -05:00
Jeremy Long
e562be77f6 additional hints added for spring
Former-commit-id: e9e26f6c31b4ae220e1e7686efe6388638ec7c99
2015-03-01 08:22:56 -05:00
Jeremy Long
af7c6bc2a0 additional patch for issue #196
Former-commit-id: 10b55f932b5ee52fa1f9ae3b96c15649dd5d6062
2015-03-01 07:01:24 -05:00
Jeremy Long
e49cbcf345 Merge pull request #198 from colezlaw/master
Modified NexusAnalyzer to download POM if required

Former-commit-id: 286748f7227706fb0dd49ecd3fd26c127581e7a6
2015-02-28 13:36:27 -05:00
Jeremy Long
b4218ff0e8 added maven-plugin-plugin to the checkstyle suppressions
Former-commit-id: 1e523645f46c51cef743370271db819ec00001a1
2015-02-28 13:34:40 -05:00
Jeremy Long
4af174d27b updated checkstyle configuration so file summary is not displayed
Former-commit-id: ee580f6fd2c78cedb96a2dd43917040a4df24133
2015-02-28 13:34:06 -05:00
Jeremy Long
203a7da23a added test scope to test dependencies in the dependency management section
Former-commit-id: 63281cbc83c6003cba2c8a441e0117ade505e5a4
2015-02-28 13:33:19 -05:00
Jeremy Long
9833ff20d1 changed access modifier so tests will pass
Former-commit-id: 95ccefd362c0dbea2dbc33f7aeea2d515f5e8b6c
2015-02-28 07:13:52 -05:00
Jeremy Long
638b3c0695 checkstyle correction
Former-commit-id: 01f643ad33e0475d2c2daaa5076ec604952df8d6
2015-02-28 06:46:10 -05:00
Jeremy Long
01ef2e1061 checkstyle corrections
Former-commit-id: b821a8b9a680c875a3013099a362b0277d97119f
2015-02-26 09:15:28 -05:00
Jeremy Long
56aea8ad24 Merge branch 'master' of https://github.com/jeremylong/DependencyCheck
Former-commit-id: 9d51cd721bb160351b4fc6ff27e835b8e3d2820b
2015-02-26 08:47:30 -05:00
Jeremy Long
d530eddc57 final commit to patch issue #185
Former-commit-id: 1e77bec21239a0ea228795df7bfa5678d9930d6c
2015-02-26 08:47:07 -05:00
Will Stranathan
1eab76aab8 Updated error messages to reflect Nexus
Former-commit-id: 60bd62aebbf52844150a58fe4afea45be867f249
2015-02-22 14:56:25 -05:00
Will Stranathan
167dbd7368 Merging upstream/master
Former-commit-id: f77993de8ea6e0de68d4b5cd0da653692ffcbaa9
2015-02-22 14:55:27 -05:00
Jeremy Long
2594fb1c5f removed unused collection
Former-commit-id: 5f3c6eab38eae99fef70909650a5eddf2a374a56
2015-02-22 10:57:52 -05:00
Jeremy Long
c57d21e9bc Merge pull request #199 from hansjoachim/upgrade
Upgrade jmockit to latest version

Former-commit-id: 3e0228c85439742b8188b6b3bf3ba8c8e16bfb82
2015-02-22 10:28:47 -05:00
Jeremy Long
9c15bdfe41 Merge branch 'master' of https://github.com/jeremylong/DependencyCheck
Former-commit-id: 7a189b5240ff2c831c6d6f42555148f5f00586bd
2015-02-22 10:24:59 -05:00
Jeremy Long
64dedf892d work in progress
Former-commit-id: 74f303b69fa5af225b75d6643aed60e66a4cf081
2015-02-22 10:24:45 -05:00
Jeremy Long
d6fc456039 work in progress
Former-commit-id: 0ff4b90e22accc5adb1d91735fe4979838fdc651
2015-02-22 10:23:31 -05:00
Jeremy Long
df606674db added referenced projects to the report to resolve issue #185
Former-commit-id: 61eb8b70dccedf12b745d4c9a73e8f6bc2a0f9c8
2015-02-22 10:22:44 -05:00
Jeremy Long
1e3a7ff4ba Merge pull request #200 from hansjoachim/issues
Fixes SonarQube Issues

Former-commit-id: dff1448e1897a6691a99977130b063a424645e8a
2015-02-22 10:18:34 -05:00
Hans Joachim Desserud
b53de8c69b Move jmockit to dependencyManagement so that we get a common version in all places it is used
Former-commit-id: 2cfab936074b17a8f9b080a5272c6da757e32921
2015-02-22 12:50:52 +01:00
Hans Joachim Desserud
0f3ffaf270 Use dependencyManagement to keep track of version numbers
Former-commit-id: 954e599f46ab4a18e00cbd09a968e2d5dd6e0d0d
2015-02-22 12:46:54 +01:00
Hans Joachim Desserud
25238d5fb5 Prefer interfaces over concrete classes. I have updated internal usage and accepted parameters. I have not touched return values for public/protected methods since they may be called externally and I don't want to break assignments from these.
Former-commit-id: e534f9acf569a258dd72a568dfe69e70486eb697
2015-02-22 12:19:49 +01:00
Hans Joachim Desserud
cf677bd70e Prefer checking isEmpty over size() > 0. Plus fix some typos
Former-commit-id: 754f300c0b120c0c9098c17c19dbd11aa7a39844
2015-02-22 11:42:14 +01:00
Hans Joachim Desserud
42939e4922 Compare with equalsIgnoreCase instead of changing casing
Former-commit-id: ab89ed68cb5e25d14d5fbd7ba93dc93948523d82
2015-02-22 11:20:36 +01:00
Hans Joachim Desserud
7c4cc1334b Place array designator on the type instead of the variable
Former-commit-id: 2e29bc1c61400e3bdb6b35b0b21a5cbb04cbf37a
2015-02-22 11:05:58 +01:00
Hans Joachim Desserud
ff4a1e0ac6 Place modifiers in expected order
Former-commit-id: 0cf3616fd9a737f4ca143b6f46165bdbf0e14aec
2015-02-22 10:58:31 +01:00
Hans Joachim Desserud
069e22049d Upgrade jmockit to latest version
Former-commit-id: 8e429f8b304f6c4db4ed7a88ee775f78e80260b3
2015-02-21 16:35:45 +01:00
Jeremy Long
135ed5c614 fixed NPE
Former-commit-id: 05f57ec103791b6c5ea019c54c828b3c97a415b9
2015-02-21 10:29:41 -05:00
Will Stranathan
13d7d29630 Modified NexusAnalyzer to download POM if required
NexusAnalyzer previously would just get GAV for a
match, but the POM may be separate from the jar
and contain other valuable information. This
includes refactoring of the analyzePom into
PomUtils.


Former-commit-id: f7311e08324d8bc6a5860f4be2b0e409fdcf9ba3
2015-02-19 21:08:45 -05:00
Jeremy Long
889f315c0a general checkstyle, findbugs, and PMD corrections
Former-commit-id: ec59d464725a33d8c07c79bf7128036a10fe1890
2015-02-18 21:09:38 -05:00
Jeremy Long
5a0e280899 Merge pull request #197 from ahi/master
Removes the test for default Maven repository directory.

Former-commit-id: cc261e0e6b54e169862118003bb639d52f5c94ba
2015-02-18 20:17:17 -05:00
Jeremy Long
ccb5e234b3 moved methods from JarAnalyzer to the new PomUtils so that a POM could be parsed and analyzed within other analyzers (part of patch for issue #196)
Former-commit-id: 4e649f678e59f4eaf379eba21a6ad87348fe8525
2015-02-18 20:14:04 -05:00
Jeremy Long
2caccab85f set flag on URLConnection indicating that redirects should be followed (part of patch for issue #196)
Former-commit-id: 52758186ebf2f818b6cf107af1e12b92e3c2e370
2015-02-18 20:11:30 -05:00
Jeremy Long
085ab48f3f added code so that the Downloader now follows 1 level of redirection to download the file (part of patch for issue #196)
Former-commit-id: ecd914dbcacad1e12a243fdff90f043ef114c160
2015-02-18 20:10:44 -05:00
Jeremy Long
a28c2819fa added pom URL as part of patch for issue #196 and improved the URL provided for the jar file itself
Former-commit-id: 8f485f53031a7e244d4a8f8d0c055e6b38fca746
2015-02-18 20:09:42 -05:00
Jeremy Long
40beec2e40 additional parsing of the data from Central was used to determine if the POM file is available in Central (part of the patch for issue #196)
Former-commit-id: 1805be75b101546b166c9eb4ad1efc30e53983cf
2015-02-18 20:08:14 -05:00
Jeremy Long
d136aeda84 pom parsing was externalized so that it could be used in multiple locations to assist in the resolution of issue #196
Former-commit-id: cbdde3b4b2dcabf0ff9e3f49cc3d36c62e67a1bb
2015-02-18 20:06:51 -05:00
Jeremy Long
fdd6c47cd5 if pom was not found/analyzed by the JAR Analyzer and the POM exists in Central it is downloaded, parsed, and the resulting evidence is added to the dependency to resolve issue #196
Former-commit-id: 9a36b30d4d4c265a41ae95bf5a9e95b281349425
2015-02-18 20:05:00 -05:00
Jeremy Long
c5a2b5b3d8 minor code cleanup, reformatting, and added some additional verbose logging
Former-commit-id: 9d6cf651a22a679f155a04313a09de56c90e0399
2015-02-18 19:56:56 -05:00
Ahmet Kiyak
babe4739c5 Removes the test for default Maven repository directory.
Error: If the M3_REPO directory is not set to a path that contains */m2/repository/* the DependencyCheck doesn't read <library>.pom file. Some dependencies like "spring-core-3.2.0.RELEASE.jar" are not found due to this error.

Fix: Remove the test for default Maven repository directory. The existing check for the existence of <library>.pom file is sufficient.

Former-commit-id: 8d7c51f611b5d26d505cfc3fe9f8b94c12174000
2015-02-17 18:57:24 +01:00
Jeremy Long
49e8ee443c added generic methods to get references to resources to resolve issue #181
Former-commit-id: 465d3310b1ad5b54e49ab65e5e0e4b003f79998b
2015-02-13 06:18:56 -05:00
Jeremy Long
a5d8ce07d8 added @Ignore due to test case failure - this analyzer may need to be removed
Former-commit-id: d3a2112342b66ab1b012678a7adf5b5492e9669f
2015-02-13 06:17:29 -05:00
Jeremy Long
babc016b48 added project references
Former-commit-id: ba4a058648203b8749b31e889994a5ddfc72d7b3
2015-02-12 20:49:04 -05:00
Jeremy Long
a5f378d755 removed commented out code
Former-commit-id: db1075a0d07f4c5af904691e200b3792533521b3
2015-02-12 20:48:36 -05:00
Jeremy Long
ebf995537e added project references
Former-commit-id: e6e63edce05c2985fd20b544839a033f5f050d20
2015-02-12 20:47:55 -05:00
Jeremy Long
49edb6c2e1 nop
Former-commit-id: 90c0ace35561abff762037b4388f5aedd6adfa4f
2015-02-08 19:28:29 -05:00
Jeremy Long
423f26852f updated URL to central
Former-commit-id: b2b0741a5c32de3dbfd6e2d7953447b3348ad7e5
2015-02-08 19:28:04 -05:00
Jeremy Long
f931412bee changed the url for Maven Central
Former-commit-id: cfe3c6efd45094b1a12d8e147e1d121064b48630
2015-02-08 07:50:29 -05:00
Jeremy Long
bef0657801 fixed unit test
Former-commit-id: 7bd2d15b7ae30f5a84f2ef4ce62bf893fb7c03e4
2015-02-08 07:49:56 -05:00
Jeremy Long
d79d5b5f33 added project references as part of patch for issue #185
Former-commit-id: 3146c47f89031eaf09e513b6eb757bcc98ee9edf
2015-02-08 07:17:16 -05:00
Jeremy Long
4c5489efd3 added project references as part of patch for issue #185
Former-commit-id: 5a4473d0b91b28de8c5caaba51ceed42e670532c
2015-02-08 06:59:06 -05:00
Jeremy Long
d5753b9589 updated to address issue #193
Former-commit-id: 8361c2fdbec4191e52db16b870406e3e45d97d0d
2015-02-07 18:16:07 -05:00
Jeremy Long
a841027d48 added additional suppressions
Former-commit-id: a9810fa2e2051204d481e975de0922ec7d4183ef
2015-02-07 18:15:41 -05:00
Jeremy Long
73bea8e63f removed ignoreTrivial from the cobertura configuration to resolve NPE exceptions
Former-commit-id: 228db3acc3260c5c0e8b4b0f4cf701993c33aaa1
2015-02-04 07:26:06 -05:00
Jeremy Long
bbc8bab4da Updated the explanation of the report
Former-commit-id: 5542025ae1e49797d224afabee822a6ca4460c23
2015-02-04 07:21:31 -05:00
Jeremy Long
019f6dfb8b added properties file to the documentation
Former-commit-id: 6e409f83b42828d97258d5bcdbb70e3c02d5ba80
2015-02-03 23:04:17 -05:00
Jeremy Long
3b6a2a2908 added test dependency to verify the fix for issue #180
Former-commit-id: 7f90c990b90b7a76a06be2318e578a98f8a7db13
2015-01-30 05:31:42 -05:00
Jeremy Long
c2b757ad6f re-added the struts1/2 fix and fixed other bugs in patch for issue #180
Former-commit-id: 93d45b91a46171788ac1a6c703055e5f196dcc0d
2015-01-28 18:50:51 -05:00
Jeremy Long
efeba40f2b fixed bug in patch for issue #180
Former-commit-id: a547268f56b373a6959d1be212629f39d66581d6
2015-01-27 06:57:51 -05:00
Jeremy Long
018e4bc382 patch for issue #180
Former-commit-id: 95760c8ee82b1e382dc3785525ac6027c0be8069
2015-01-25 11:15:43 -05:00
Jeremy Long
88924ea520 changed where the flag is set to only update once in a multi-module project (from issue #168) to resolve issue #191
Former-commit-id: 56b8342ffeead397b2c9554c36bf360cb4c2b7fe
2015-01-21 19:27:13 -05:00
Jeremy Long
4461c2e4a4 patch to resolve the issue with xmltooling discussed in issue #186
Former-commit-id: c3327bee9055c91659648d4835f8436478e7f41d
2015-01-21 18:58:51 -05:00
Jeremy Long
1c4aceb0fb added additional optional dependencies for testing purposes for issue #186
Former-commit-id: 5111120fee1f04a39e3144beb234895275581899
2015-01-21 18:58:08 -05:00
Jeremy Long
a5b396a60d Merge branch 'hansjoachim-site'
Former-commit-id: 4639280f19d7dcf26836321dfdd8da566c08be0b
2015-01-21 06:55:56 -05:00
Jeremy Long
efd96ed892 Merge branch 'site' of https://github.com/hansjoachim/DependencyCheck into hansjoachim-site
Former-commit-id: 43d9f4c5b73321bb945e1e57610f221d8fa2d4d7
2015-01-21 06:48:51 -05:00
Jeremy Long
fe88785846 Merge branch 'hansjoachim-comment'
Former-commit-id: 028894f4e5050e40a93a3fc7ec99c3ca149b9624
2015-01-21 06:45:52 -05:00
Hans Joachim Desserud
0dcb0fb325 Add comment/warning
Former-commit-id: a3f9bfa48cec45f8a55ce1bf6990f03b5f9290bd
2015-01-17 16:42:38 +01:00
Hans Joachim Desserud
0825843d0f Roll back version of maven-site-plugin
Former-commit-id: c2a9527e4050a7eb22e80a6e26c030d1b6fe6be6
2015-01-17 16:01:46 +01:00
Hans Joachim Desserud
8c4df134e4 Move out github plugin for maven-site and upgraded to 0.10
Former-commit-id: 45dad89f070e56febe09a3ccac2377db57bb3540
2015-01-17 16:01:13 +01:00
Hans Joachim Desserud
dfed5067f3 Upgrade maven-site-plugin to 3.4
Former-commit-id: e0f74e12a0a277f288ba0d50ef0c0960cafeb0df
2015-01-17 13:21:57 +01:00
Hans Joachim Desserud
2b78e8fdc1 Unify maven-site-plugin version
Former-commit-id: 1c22ab1a8eec75474f7612f3892d12490269f2ed
2015-01-17 12:41:37 +01:00
Hans Joachim Desserud
63c7a9d926 And since the annotation was switched to avoid name collision, the full name is no longer needed
Former-commit-id: ddbe16d074ca2fed635c2e9f4ca8157af0fe9c24
2015-01-11 11:09:02 +01:00
Hans Joachim Desserud
6609481cc1 Switch to non-deprecated FindBugs-SuppressWarnings tags which should avoid name collision
Former-commit-id: a4a978ee4a6621033064488a71577bdb93cddab4
2015-01-10 21:23:44 +01:00
Hans Joachim Desserud
a37853def6 Also StandardAnalyzer can use the Version-less constructor. The superclass Analyzer will actually default to LUCENE_CURRENT which is equivalent to LATEST which was sent in
Former-commit-id: 43c8e3350b72bac8eb952ff138887c7232ecb39c
2015-01-10 19:52:42 +01:00
Hans Joachim Desserud
9f348cfa16 The Version-less constructor for StopFilter will simply default to Version.LATEST under the hood which is exactly what we send in.
Former-commit-id: cc3010532e9203d663d977f0df0892d8f5694b5f
2015-01-10 19:41:25 +01:00
Hans Joachim Desserud
52293f2596 More elaborate comment on issue which should be fixed once the next release of ant-testutil is out
Former-commit-id: e65ea8afeeb2cc631385ad6bf1e80c7cee745c7a
2015-01-10 19:28:12 +01:00
Jeremy Long
54d3a73282 Merge branch 'hansjoachim-annotation-plugin'
Former-commit-id: 0a6db65e7fb24c2d6ba88390cf001dc9eb481813
2015-01-08 05:19:11 -05:00
Jeremy Long
ab2d3b70cb Merge branch 'annotation-plugin' of https://github.com/hansjoachim/DependencyCheck into hansjoachim-annotation-plugin
Former-commit-id: c9f32139e631cea5ea1ba8baa9424ae8e85e5dd5
2015-01-08 05:18:52 -05:00
Jeremy Long
451df460f6 Merge branch 'hansjoachim-deprecated'
Former-commit-id: ae805c6225dba9b15d406b7ccfb4e8240b1e9e46
2015-01-08 05:17:24 -05:00
Jeremy Long
b4afa01887 Merge branch 'deprecated' of https://github.com/hansjoachim/DependencyCheck into hansjoachim-deprecated
Former-commit-id: 201977aad5d979ef4615fa590f5d9113e9ff5727
2015-01-08 05:15:21 -05:00
Jeremy Long
2ea95f5bf9 Merge branch 'hansjoachim-plugins'
Former-commit-id: 222f2760d05cbf73dfff28488b4ce86faf50561e
2015-01-07 20:42:37 -05:00
Jeremy Long
22602f42f2 moved the reports from the site plugin to the reporting section
Former-commit-id: 885270d15bd24e921ddc97b112d612aaa7c48ac4
2015-01-07 20:42:07 -05:00
Jeremy Long
b2c5183043 add reporting section and the hamcrest-core test dependency
Former-commit-id: c0e857a71fe3c5136bdf261737cec165191bdafb
2015-01-07 20:41:38 -05:00
Hans Joachim Desserud
9f6559c7fb Upgrade maven-plugin-annotations to latest version
Former-commit-id: 4465128b4f06f0c1f17551afdc7652617ef7ceec
2015-01-07 19:03:20 +01:00
Hans Joachim Desserud
ef04c16237 Removed deprecated classes
Former-commit-id: 7b4de8148c8de485d39842b2fdecc8cbc2895da3
2015-01-06 21:23:47 +01:00
Jeremy Long
dd85bfd2ab Merge branch 'plugins' of https://github.com/hansjoachim/DependencyCheck into hansjoachim-plugins
Former-commit-id: 8666df46726bab861cbecd01319bad0219693092
2015-01-06 06:23:13 -05:00
Jeremy Long
7152a05bfd Merge branch 'hansjoachim-deprecated'
Former-commit-id: 72e1c4591f35bcd74a6c420c5a7322e263935169
2015-01-06 06:21:54 -05:00
Hans Joachim Desserud
754c2fc9bf Replaced deprecated constructors which contained parameter Version.
When looking into the code, these ended up toggling behaviour if the Lucene version was later than 3.1.


Former-commit-id: b7641118b16ccfc904c8aaab3b2636d909d5b1d9
2015-01-05 21:51:11 +01:00
Hans Joachim Desserud
85ad0b881f Also removed old version number from gpg-plugin
Former-commit-id: 278ebc103fb3fb54e6f01f14cacfb2d93bbd074a
2015-01-05 20:04:14 +01:00
Hans Joachim Desserud
db6c471cc6 Add gpg-plugin to pluginManagement and upgrade it to 1.5
Former-commit-id: 28c94304a02bd3148a07ce37ef96a9259d61d7f9
2015-01-05 19:49:37 +01:00
Hans Joachim Desserud
300d990276 Set required maven version to the strictest option for all modules
Former-commit-id: 998498cd118460f42e35c10dfc42162e8f717de9
2015-01-05 19:36:25 +01:00
Jeremy Long
9c55b889cb updated version to 1.2.9-SNAPSHOT
Former-commit-id: bab73b0b3361a9b9689f272030e7a5b51e73a962
2015-01-04 12:43:18 -05:00
Jeremy Long
735f76cc0b Merge branch 'hansjoachim-minor-fixes'
Former-commit-id: b28f3820f63001c20a5c0d94efeb8afde58de9a4
2015-01-04 12:35:54 -05:00
Jeremy Long
d1c27a4298 Merge branch 'minor-fixes' of https://github.com/hansjoachim/DependencyCheck into hansjoachim-minor-fixes
Former-commit-id: b9de007127351691152d0403fa9d7a8656195fd2
2015-01-04 12:35:44 -05:00
Jeremy Long
650f09bbc5 Merge branch 'hansjoachim-dependencies'
Former-commit-id: 55ff93bf9425fc4d06f2282ed282d9b66982a8c9
2015-01-04 12:34:40 -05:00
Hans Joachim Desserud
08bf16971a Removed redundant semicolon
Former-commit-id: 45e93e66ff7a8f4fc67cb8680ffdbd362d763d5f
2015-01-04 15:01:56 +01:00
Hans Joachim Desserud
ccb149240e Removed duplicate groupId already covered by parent
Former-commit-id: 4db4a1186c947238339aef227154bad363d7ee85
2015-01-04 14:44:50 +01:00
Hans Joachim Desserud
ae22719985 This deprecated value should be fixed at least
Former-commit-id: b65317611bbe1784b0b8b14b7c31e86623952cf8
2015-01-03 22:11:05 +01:00
Hans Joachim Desserud
55c4d729bb Upgrade maven-release-plugin to version 2.5.1
Former-commit-id: 969df121db73b824e40137c9b6420bc85ec03e4d
2015-01-03 17:28:59 +01:00
Hans Joachim Desserud
429f0966f0 Move maven-enforcer-plugin and -plugin-plugin to pluginManagement. Upgraded them to the latest version
Former-commit-id: a8226623cddfbc034b6293f48946e2109c426dde
2015-01-03 17:22:42 +01:00
Hans Joachim Desserud
7a246b90b9 Upgrade maven-shade-plugin to 2.3. This requires building with maven 3.0 or later for that module
Former-commit-id: 9792754be3cb1c931a1736c41a258fa31556912a
2015-01-03 16:42:13 +01:00
Hans Joachim Desserud
d2e7de5505 Unify cobertura-maven-plugin version number
Former-commit-id: f3c995b91cf8b480f4c03ccec8d9371dba75eb35
2015-01-03 16:34:08 +01:00
Hans Joachim Desserud
a9eab16502 Add and upgrade assembly-plugin
Former-commit-id: e8c20c61a1bd78065f7ae4eed6751015a3d414c8
2015-01-03 16:30:28 +01:00
Hans Joachim Desserud
d59cce8080 Move non-version configuration out of pluginManagement
Former-commit-id: c3983849102331d42aa5dd562ccc319b1c5e9104
2015-01-03 16:09:06 +01:00
Hans Joachim Desserud
9390e71dd9 Upgrade Apache Lucene to 4.10.3. Would have needed to import the type for a parameter in one constructor, but since it was unused I took the liberty of simply removing it
Former-commit-id: 6e65307276619ed29354269fab2d5458b532766e
2015-01-03 14:23:57 +01:00
Hans Joachim Desserud
65992243fa Upgrade dependency-plugin to 2.9
Former-commit-id: 028218cd6c24e75216a41e14e79bd23a2073515a
2015-01-03 13:48:12 +01:00
Hans Joachim Desserud
c81b8b0171 Explicitly state version numbers for some plugins used
Former-commit-id: b33cbe06b416423593c8b405747295cc86e998a7
2015-01-03 13:45:17 +01:00
Hans Joachim Desserud
0671d12628 On second thought, try to upgrade the version numbers for this profile manually.
Former-commit-id: 6ee31dfb9407fa9d04c1a2dd8e1eae2b2047109f
2015-01-03 13:31:42 +01:00
Hans Joachim Desserud
a892c5e7b7 Turns out surefire-plugin was used in a different place too, which is why the old version number still turned up.
Former-commit-id: afab74d409527aae0e60094f18e48ed9e044ac37
2015-01-03 11:53:40 +01:00
Hans Joachim Desserud
b5c21ffbf0 Unify maven-failsafe-plugin version and upgrade it to 2.18.1
Former-commit-id: 73383c93e2bd5aecc2ad5005fe2cfaeaac700ca7
2015-01-02 22:49:08 +01:00
Hans Joachim Desserud
bb2b25cca5 Unify maven-jar-plugin version and upgrade it to 2.5
Former-commit-id: b0da5b80252e9b07ccb7d955487f595caef4d4bc
2015-01-02 22:15:49 +01:00
Hans Joachim Desserud
b3867244ba Unify maven-surefire-plugin version and upgrade it to 2.18.1
Former-commit-id: 0c5f41e379f4b20f32efb8435ab9efe9fd77d7d8
2015-01-02 21:46:13 +01:00
Hans Joachim Desserud
6bf8d396e0 Upgraded Apache Lucene to 4.7.1.
Former-commit-id: 2f723dc78ed258dc53685c917cb83aacf6f1eb25
2015-01-02 18:03:01 +01:00
Hans Joachim Desserud
6394c1a7b4 Upgraded to Apache Lucene 4.6.1. The method BaseTokenStreamTestCase.checkOneTermReuse was removed in http://svn.apache.org/viewvc?view=revision&revision=1525362, updated copied test case accordingly.
Former-commit-id: 0344bfcec4a08040eb693ca49c91218badbb2c96
2015-01-02 17:41:04 +01:00
Hans Joachim Desserud
ccd656845d Use a common version number for resources-plugin
Former-commit-id: 253864d637907491e2e21500540c3c2f6e03627c
2015-01-02 16:44:19 +01:00
Hans Joachim Desserud
2931e8454c Upgrade maven-compiler-plugin to version 3.2
Former-commit-id: 870aad70a81c782bd209f9c49288460234f69fca
2015-01-02 15:53:52 +01:00
Hans Joachim Desserud
112b158795 Move maven-compiler-plugin (along with common configuration) in under pluginManagement so we have the information in a single place
Former-commit-id: e729555a7edb1e41759bf8f1851cbfc81bd8917a
2015-01-02 15:51:41 +01:00
Hans Joachim Desserud
921001000f Require maven 2.2.1 (based on current plugin usage)
Former-commit-id: e8d8d98e84982792405af30b6dec11d201ac6895
2015-01-02 15:35:47 +01:00
Hans Joachim Desserud
3e3a8e9f98 Added comment on now-deprecated class
Former-commit-id: b5a365e8a60440462e25f132b4533ccb63a618f3
2015-01-01 21:39:22 +01:00
Hans Joachim Desserud
7440a039fd commons-cli doesn't seem to be used in -core
Former-commit-id: 944ab0af44b76fb756d1364f3668a46f30e6db57
2015-01-01 15:25:09 +01:00
Hans Joachim Desserud
e73f9ab02f Upgrade h2 to latest stable 1.3.x release. Changing to 1.4.x resulted in test failure, though from reading their website 1.4.x seems to still be a beta release.
Former-commit-id: caaf2c9ab015efea1d9fb9e1a27cef2d80a2a8df
2015-01-01 15:03:51 +01:00
Hans Joachim Desserud
59815b858e Upgrade commons-compress
Former-commit-id: 10854e2ace5adda595f1c128967cd5b3651a8dee
2015-01-01 14:38:31 +01:00
Hans Joachim Desserud
7df7f59d93 Coordinated lucene version numbers
Former-commit-id: e01b8f67226f02b8e717b455053444d1388c6afd
2015-01-01 14:18:43 +01:00
Hans Joachim Desserud
e971bc1991 Upgrade some dependencies in core
Former-commit-id: 46e52a37b74f817b74c0c74f594ae848cdaa7de6
2015-01-01 14:09:16 +01:00
Hans Joachim Desserud
a3f0f12779 Upgraded dependencies for maven plugin to latest version
Former-commit-id: 8ec25f0991a91799e58b75e09cf78ae4ae3ebcb8
2015-01-01 13:41:21 +01:00
Hans Joachim Desserud
2a9c214593 Upgrade ant to latest version
Former-commit-id: ca9562702accbce4d924dd877d7045bfa603a3f4
2015-01-01 12:59:09 +01:00
Jeremy Long
3fc37f3e5e Merge pull request #178 from hansjoachim/junit4.12
Upgrade to junit 4.12

Former-commit-id: ea40044f7576c2281e734699b1f8a1d538b038f5
2014-12-31 17:09:05 -05:00
ebe4423e25 Upgrade to junit 4.12
Former-commit-id: 7cd88ac5702a5035d7a2e15b157ab6f8468d6f43
2014-12-31 16:45:56 +01:00
Jeremy Long
cfafb4a101 ensured CentralAnalyzer is not enabled during some tests
Former-commit-id: 69ca1ebf12080c448b4a3113f6c90da90e2e6da9
2014-12-31 07:49:27 -05:00
Jeremy Long
8d538a9977 improved error reporting to assist users dealing with issue #177
Former-commit-id: bc9191cb97d11b3c5455a5e1980d1be9c0bbc4d5
2014-12-31 07:43:30 -05:00
79 changed files with 2354 additions and 1865 deletions


@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.2.8</version>
<version>1.2.9</version>
</parent>
<artifactId>dependency-check-ant</artifactId>
@@ -68,7 +68,6 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-resources-plugin</artifactId>
<version>2.6</version>
<configuration>
<escapeWindowsPaths>false</escapeWindowsPaths>
</configuration>
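Review bot: dropping `<version>2.6</version>` from maven-resources-plugin makes this module's build depend on the parent's pluginManagement pinning that plugin; if the parent does not declare it, Maven 3 only warns that the plugin version is missing and resolves whatever release is current at build time, which makes the build non-reproducible and widens the supply-chain surface. Confirm the parent pom carries maven-resources-plugin under pluginManagement (commit ccd656845d says a common version was introduced) and consider enabling the maven-enforcer-plugin `requirePluginVersions` rule so an unpinned plugin fails the build instead of warning.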
@@ -191,10 +190,18 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-shade-plugin</artifactId>
<version>2.1</version>
<version>2.3</version>
<configuration>
<transformers>
<transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer" />
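Review bot: maven-shade-plugin 2.3 requires Maven 3.0 or later (commit 7a246b90b9 states this), while commit 921001000f set the required Maven version to 2.2.1; make sure the `requireMavenVersion` rule that applies to this module reflects the stricter requirement (commit 300d990276 suggests it was raised) so a build on Maven 2.2.1 fails early rather than mid-shade. The newly added maven-compiler-plugin and maven-jar-plugin entries carry neither a version nor configuration, so they are fully dependent on what the parent's pluginManagement supplies.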
@@ -218,29 +225,13 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<version>2.4</version>
<configuration>
<archive>
<manifest>
<addDefaultImplementationEntries>true</addDefaultImplementationEntries>
</manifest>
</archive>
<excludes>
<exclude>**/checkstyle*</exclude>
</excludes>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>2.6</version>
<configuration>
<instrumentation>
<!--instrumentation>
<ignoreTrivial>true</ignoreTrivial>
</instrumentation>
</instrumentation-->
<check>
<branchRate>85</branchRate>
<lineRate>85</lineRate>
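Review bot: the removed maven-jar-plugin block carried `<addDefaultImplementationEntries>true</addDefaultImplementationEntries>` and the `**/checkstyle*` exclusion, and nothing in this hunk shows where they went; the replacement declaration earlier in the file has no configuration. Unless the parent's pluginManagement repeats that configuration, the ant jar will lose its Implementation-Title/Version/Vendor manifest entries and will start packaging the checkstyle configuration files. The cobertura `<version>2.6</version>` is also dropped here in favour of pluginManagement, and the `<instrumentation>` element is commented out rather than deleted; the project's own history (a5f378d755 "removed commented out code") argues for removing it outright.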
@@ -269,7 +260,6 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>2.16</version>
<configuration>
<systemProperties>
<property>
@@ -279,162 +269,139 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
</systemProperties>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.1</version>
<configuration>
<showDeprecation>false</showDeprecation>
<source>1.6</source>
<target>1.6</target>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-site-plugin</artifactId>
<version>3.3</version>
<dependencies>
<dependency>
<groupId>org.apache.maven.doxia</groupId>
<artifactId>doxia-module-markdown</artifactId>
<version>1.5</version>
</dependency>
</dependencies>
<configuration>
<skipDeploy>true</skipDeploy>
<reportPlugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>2.7</version>
<reportSets>
<reportSet>
<reports>
<report>index</report>
<report>summary</report>
<report>license</report>
<report>help</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.9.1</version>
<configuration>
<bottom>Copyright© 2012-14 Jeremy Long. All Rights Reserved.</bottom>
</configuration>
<reportSets>
<reportSet>
<id>default</id>
<reports>
<report>javadoc</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>2.1</version>
<reportSets>
<reportSet>
<reports>
<report>dependency-updates-report</report>
<report>plugin-updates-report</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>2.4</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>2.6</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>2.16</version>
<reportSets>
<reportSet>
<reports>
<report>report-only</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
<version>2.4</version>
<configuration>
<tagListOptions>
<tagClasses>
<tagClass>
<displayName>Todo Work</displayName>
<tags>
<tag>
<matchString>todo</matchString>
<matchType>ignoreCase</matchType>
</tag>
<tag>
<matchString>FIXME</matchString>
<matchType>exact</matchType>
</tag>
</tags>
</tagClass>
</tagClasses>
</tagListOptions>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
<version>2.11</version>
<configuration>
<enableRulesSummary>false</enableRulesSummary>
<configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
<headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
<suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<version>3.0.1</version>
<configuration>
<targetJdk>1.6</targetJdk>
<linkXref>true</linkXref>
<sourceEncoding>utf-8</sourceEncoding>
<excludes>
<exclude>**/generated/*.java</exclude>
</excludes>
<rulesets>
<ruleset>../src/main/config/dcrules.xml</ruleset>
<ruleset>/rulesets/java/basic.xml</ruleset>
<ruleset>/rulesets/java/imports.xml</ruleset>
<ruleset>/rulesets/java/unusedcode.xml</ruleset>
</rulesets>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>2.5.3</version>
</plugin>
</reportPlugins>
</configuration>
</plugin>
</plugins>
</build>
<reporting>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>2.7</version>
<reportSets>
<reportSet>
<reports>
<report>index</report>
<report>summary</report>
<report>license</report>
<report>help</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.9.1</version>
<configuration>
<bottom>Copyright© 2012-15 Jeremy Long. All Rights Reserved.</bottom>
</configuration>
<reportSets>
<reportSet>
<id>default</id>
<reports>
<report>javadoc</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>2.1</version>
<reportSets>
<reportSet>
<reports>
<report>dependency-updates-report</report>
<report>plugin-updates-report</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>2.4</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>2.6</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>2.16</version>
<reportSets>
<reportSet>
<reports>
<report>report-only</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
<version>2.4</version>
<configuration>
<tagListOptions>
<tagClasses>
<tagClass>
<displayName>Todo Work</displayName>
<tags>
<tag>
<matchString>todo</matchString>
<matchType>ignoreCase</matchType>
</tag>
<tag>
<matchString>FIXME</matchString>
<matchType>exact</matchType>
</tag>
</tags>
</tagClass>
</tagClasses>
</tagListOptions>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
<version>2.11</version>
<configuration>
<enableRulesSummary>false</enableRulesSummary>
<enableFilesSummary>false</enableFilesSummary>
<configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
<headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
<suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<version>3.0.1</version>
<configuration>
<targetJdk>1.6</targetJdk>
<linkXref>true</linkXref>
<sourceEncoding>utf-8</sourceEncoding>
<excludes>
<exclude>**/generated/*.java</exclude>
</excludes>
<rulesets>
<ruleset>../src/main/config/dcrules.xml</ruleset>
<ruleset>/rulesets/java/basic.xml</ruleset>
<ruleset>/rulesets/java/imports.xml</ruleset>
<ruleset>/rulesets/java/unusedcode.xml</ruleset>
</rulesets>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>2.5.3</version>
</plugin>
</plugins>
</reporting>
<dependencies>
<dependency>
<groupId>org.owasp</groupId>
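Review bot: the `maven-pmd-plugin` in this module's new `<reporting>` block is still pinned to 3.0.1 (both in the removed `<reportPlugins>` list and in the replacement), while the cli and core modules' equivalent blocks in this same change declare 3.1. Report plugins are part of the build toolchain too, so the version should come from one place; put the report plugin versions in the parent's `<pluginManagement>` and drop the per-module `<version>` elements, exactly as this commit already does for the build plugins.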
@@ -456,12 +423,12 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<dependency>
<groupId>org.apache.ant</groupId>
<artifactId>ant</artifactId>
<version>1.9.3</version>
<version>1.9.4</version>
</dependency>
<dependency>
<groupId>org.apache.ant</groupId>
<artifactId>ant-testutil</artifactId>
<version>1.9.3</version>
<version>1.9.4</version>
<scope>test</scope>
</dependency>
</dependencies>
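Review bot: `ant` and `ant-testutil` are bumped to 1.9.4 as two separate literals that have to stay in lockstep, whereas the core pom in this same commit replaces hard-coded Lucene versions with `${apache.lucene.version}`. Introduce an `ant.version` property here for the same reason, so the next bump cannot leave the test utilities on a different Ant release than the runtime dependency.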

View File

@@ -98,8 +98,8 @@ public class DependencyCheckTask extends Task {
}
/**
* Returns the path. If the path has not been initialized yet, this class is synchronized, and will instantiate the
* path object.
* Returns the path. If the path has not been initialized yet, this class is synchronized, and will instantiate the path
* object.
*
* @return the path
*/
@@ -215,9 +215,9 @@ public class DependencyCheckTask extends Task {
this.reportOutputDirectory = reportOutputDirectory;
}
/**
* Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11
* which means since the CVSS scores are 0-10, by default the build will never fail and the CVSS score is set to 11.
* The valid range for the fail build on CVSS is 0 to 11, where anything above 10 will not cause the build to fail.
* Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which
* means since the CVSS scores are 0-10, by default the build will never fail and the CVSS score is set to 11. The valid range
* for the fail build on CVSS is 0 to 11, where anything above 10 will not cause the build to fail.
*/
private float failBuildOnCVSS = 11;
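Review bot: the javadoc for `failBuildOnCVSS` now states a valid range of 0 to 11, but the field is a bare `float` initialised to 11 and the setter in the following hunk assigns its argument unchecked. Either enforce the range in `setFailBuildOnCVSS` (reject values outside 0..11 and `NaN`) or drop the range statement: with a `NaN` threshold every `>` comparison is false, so the build never fails no matter what is found, and a negative threshold fails it on any finding at all. The sentence "The default is 11 which means since the CVSS scores are 0-10 ..." also reads badly; "The default is 11; since CVSS scores range from 0 to 10, the build never fails by default." says the same thing.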
@@ -239,8 +239,8 @@ public class DependencyCheckTask extends Task {
this.failBuildOnCVSS = failBuildOnCVSS;
}
/**
* Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to
* false. Default is true.
* Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. Default
* is true.
*/
private boolean autoUpdate = true;
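Review bot: "It is not recommended that this be turned to false" gives the reader no reason. Say what is lost: with `autoUpdate` off the scan runs against whatever NVD CVE/CPE data is already in the local cache, so vulnerabilities published since the last update are not reported until someone updates manually.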
@@ -262,8 +262,8 @@ public class DependencyCheckTask extends Task {
this.autoUpdate = autoUpdate;
}
/**
* The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this
* within the Site plugin unless the externalReport is set to true. Default is HTML.
* The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the
* Site plugin unless the externalReport is set to true. Default is HTML.
*/
private String reportFormat = "HTML";
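Review bot: "has no affect" should be "has no effect", and the clause about "the Site plugin" and `externalReport` is lifted from the Maven plugin's documentation; this class is an Ant `Task` (see the hunk header) and has neither. Trim it to "The report format to be generated (HTML, XML, VULN, ALL). Default is HTML."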
@@ -322,8 +322,7 @@ public class DependencyCheckTask extends Task {
* Set the value of proxyServer.
*
* @param proxyUrl new value of proxyServer
* @deprecated use {@link org.owasp.dependencycheck.taskdefs.DependencyCheckTask#setProxyServer(java.lang.String)}
* instead
* @deprecated use {@link org.owasp.dependencycheck.taskdefs.DependencyCheckTask#setProxyServer(java.lang.String)} instead
*/
@Deprecated
public void setProxyUrl(String proxyUrl) {
@@ -565,7 +564,7 @@ public class DependencyCheckTask extends Task {
private boolean centralAnalyzerEnabled = false;
/**
* Get the value of centralAnalyzerEnabled
* Get the value of centralAnalyzerEnabled.
*
* @return the value of centralAnalyzerEnabled
*/
@@ -574,7 +573,7 @@ public class DependencyCheckTask extends Task {
}
/**
* Set the value of centralAnalyzerEnabled
* Set the value of centralAnalyzerEnabled.
*
* @param centralAnalyzerEnabled new value of centralAnalyzerEnabled
*/
@@ -764,8 +763,8 @@ public class DependencyCheckTask extends Task {
}
/**
* Additional ZIP File extensions to add analyze. This should be a comma-separated list of file extensions to treat
* like ZIP files.
* Additional ZIP File extensions to add analyze. This should be a comma-separated list of file extensions to treat like ZIP
* files.
*/
private String zipExtensions;
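Review bot: "Additional ZIP File extensions to add analyze" is garbled; since the reflow already touched these lines, fix the wording in the same pass, e.g. "Additional file extensions to analyze as ZIP files. This should be a comma-separated list of extensions to treat like ZIP files."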
@@ -980,8 +979,8 @@ public class DependencyCheckTask extends Task {
}
/**
* Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system
* properties required to change the proxy server, port, and connection timeout.
* Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
* required to change the proxy server, port, and connection timeout.
*/
private void populateSettings() {
Settings.initialize();
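Review bot: the doc says `populateSettings()` "sets the system properties required to change the proxy server, port, and connection timeout"; system properties are JVM-wide, so inside an Ant build they also redirect every task that runs after this one in the same JVM and persist across targets. State that side effect in the javadoc, and consider capturing and restoring the previous values once the scan finishes if the proxy is only meant for dependency-check's own downloads.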

View File

@@ -51,7 +51,7 @@ Property | Description
archiveAnalyzerEnabled | Sets whether the Archive Analyzer will be used. | true
zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp;
jarAnalyzer | Sets whether the Jar Analyzer will be used. | true
centralAnalyzerEnabled | Sets whether the Central Analyzer will be used. If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer (see below). | true
centralAnalyzerEnabled | Sets whether the Central Analyzer will be used. **Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).** If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer (see below). | true
nexusAnalyzerEnabled | Sets whether Nexus Analyzer will be used. This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. | true
nexusUrl | Defines the Nexus Pro URL. If not set the Nexus Analyzer will be disabled. | &nbsp;
nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | true
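Review bot: "superceded" in the `nexusAnalyzerEnabled` row should be "superseded". The bold false-negative warning added to `centralAnalyzerEnabled` is the right call; it would read better with the consequence first ("Disabling this analyzer is not recommended: libraries with known vulnerabilities may go unreported.") and the Nexus remark second.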

View File

@@ -30,6 +30,10 @@ import org.owasp.dependencycheck.utils.Settings;
* @author Jeremy Long <jeremy.long@owasp.org>
*/
public class DependencyCheckTaskTest extends BuildFileTest {
//TODO: The use of deprecated class BuildFileTestcan possibly
//be replaced with BuildFileRule. However, it currently isn't included in the ant-testutil jar.
//This should be fixed in ant-testutil 1.9.5, so we can check back once that has been released.
//Reference: http://mail-archives.apache.org/mod_mbox/ant-user/201406.mbox/%3C000001cf87ba$8949b690$9bdd23b0$@de%3E
@Before
@Override
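Review bot: "BuildFileTestcan" is missing a space ("BuildFileTest can"). The TODO also pins its hope on ant-testutil 1.9.5 while this same commit bumps the dependency to 1.9.4; a tracked issue is easier to revisit than a comment carrying a mailing-list URL, which will not turn up in the taglist report under a date anyone checks.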

View File

@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.2.8</version>
<version>1.2.9</version>
</parent>
<artifactId>dependency-check-cli</artifactId>
@@ -60,27 +60,21 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<version>2.4</version>
<configuration>
<archive>
<manifest>
<mainClass>org.owasp.dependencycheck.App</mainClass>
<addDefaultImplementationEntries>true</addDefaultImplementationEntries>
</manifest>
</archive>
<excludes>
<exclude>**/checkstyle*</exclude>
</excludes>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>2.6</version>
<configuration>
<instrumentation>
<!--instrumentation>
<ignoreTrivial>true</ignoreTrivial>
</instrumentation>
</instrumentation-->
<check>
<branchRate>85</branchRate>
<lineRate>85</lineRate>
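Review bot: `<ignoreTrivial>` is left behind as a commented-out `<!--instrumentation> ... </instrumentation-->` block instead of being removed; either delete it or add a comment saying why it was disabled, otherwise the next reader has to guess whether it is meant to come back. Disabling it also changes what Cobertura counts while the `<check>` thresholds (`branchRate`/`lineRate` 85) stay as they were, so the coverage gate now measures a different population of methods than before. The dropped `<version>` elements on `maven-jar-plugin` and `cobertura-maven-plugin` presumably move to the parent's `<pluginManagement>`; please confirm, because an unmanaged plugin version lets Maven resolve the latest and makes the build non-reproducible.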
@@ -114,7 +108,6 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>2.16</version>
<configuration>
<systemProperties>
<property>
@@ -133,160 +126,10 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.1</version>
<configuration>
<showDeprecation>false</showDeprecation>
<source>1.6</source>
<target>1.6</target>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-site-plugin</artifactId>
<version>3.3</version>
<dependencies>
<dependency>
<groupId>org.apache.maven.doxia</groupId>
<artifactId>doxia-module-markdown</artifactId>
<version>1.5</version>
</dependency>
</dependencies>
<configuration>
<skipDeploy>true</skipDeploy>
<reportPlugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>2.7</version>
<reportSets>
<reportSet>
<reports>
<report>index</report>
<report>summary</report>
<report>license</report>
<report>help</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.9.1</version>
<configuration>
<bottom>Copyright© 2012-14 Jeremy Long. All Rights Reserved.</bottom>
</configuration>
<reportSets>
<reportSet>
<id>default</id>
<reports>
<report>javadoc</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>2.1</version>
<reportSets>
<reportSet>
<reports>
<report>dependency-updates-report</report>
<report>plugin-updates-report</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>2.4</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>2.6</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>2.16</version>
<reportSets>
<reportSet>
<reports>
<report>report-only</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
<version>2.4</version>
<configuration>
<tagListOptions>
<tagClasses>
<tagClass>
<displayName>Todo Work</displayName>
<tags>
<tag>
<matchString>todo</matchString>
<matchType>ignoreCase</matchType>
</tag>
<tag>
<matchString>FIXME</matchString>
<matchType>exact</matchType>
</tag>
</tags>
</tagClass>
</tagClasses>
</tagListOptions>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
<version>2.11</version>
<configuration>
<enableRulesSummary>false</enableRulesSummary>
<configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
<headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
<suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<version>3.1</version>
<configuration>
<targetJdk>1.6</targetJdk>
<linkXref>true</linkXref>
<sourceEncoding>utf-8</sourceEncoding>
<excludes>
<exclude>**/generated/*.java</exclude>
</excludes>
<rulesets>
<ruleset>../src/main/config/dcrules.xml</ruleset>
<ruleset>/rulesets/java/basic.xml</ruleset>
<ruleset>/rulesets/java/imports.xml</ruleset>
<ruleset>/rulesets/java/unusedcode.xml</ruleset>
</rulesets>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>2.5.3</version>
</plugin>
</reportPlugins>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>appassembler-maven-plugin</artifactId>
<version>1.8.1</version>
<configuration>
<programs>
<program>
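Review bot: removing `maven-compiler-plugin` (with `<source>1.6</source>`/`<target>1.6</target>`) from this module means the bytecode level of the CLI now depends entirely on the parent, while the core pom in this same commit keeps its own compiler block with `-Xlint:unchecked`. The core pom's dependencies comment says only 1.6-compiled JARs can be used for Jenkins compatibility, so this is a real constraint: declare source/target 1.6 in exactly one place (the parent) and drop the per-module copy in core as well, so the two modules cannot end up on different levels. Also confirm the parent's site plugin carries `<skipDeploy>true</skipDeploy>`, which disappears from this module along with the `maven-site-plugin` block.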
@@ -332,6 +175,137 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
</plugin>
</plugins>
</build>
<reporting>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>2.7</version>
<reportSets>
<reportSet>
<reports>
<report>index</report>
<report>summary</report>
<report>license</report>
<report>help</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.9.1</version>
<configuration>
<bottom>Copyright© 2012-15 Jeremy Long. All Rights Reserved.</bottom>
</configuration>
<reportSets>
<reportSet>
<id>default</id>
<reports>
<report>javadoc</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>2.1</version>
<reportSets>
<reportSet>
<reports>
<report>dependency-updates-report</report>
<report>plugin-updates-report</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>2.4</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>2.6</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>2.16</version>
<reportSets>
<reportSet>
<reports>
<report>report-only</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
<version>2.4</version>
<configuration>
<tagListOptions>
<tagClasses>
<tagClass>
<displayName>Todo Work</displayName>
<tags>
<tag>
<matchString>todo</matchString>
<matchType>ignoreCase</matchType>
</tag>
<tag>
<matchString>FIXME</matchString>
<matchType>exact</matchType>
</tag>
</tags>
</tagClass>
</tagClasses>
</tagListOptions>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
<version>2.11</version>
<configuration>
<enableRulesSummary>false</enableRulesSummary>
<enableFilesSummary>false</enableFilesSummary>
<configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
<headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
<suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<version>3.1</version>
<configuration>
<targetJdk>1.6</targetJdk>
<linkXref>true</linkXref>
<sourceEncoding>utf-8</sourceEncoding>
<excludes>
<exclude>**/generated/*.java</exclude>
</excludes>
<rulesets>
<ruleset>../src/main/config/dcrules.xml</ruleset>
<ruleset>/rulesets/java/basic.xml</ruleset>
<ruleset>/rulesets/java/imports.xml</ruleset>
<ruleset>/rulesets/java/unusedcode.xml</ruleset>
</rulesets>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>2.5.3</version>
</plugin>
</plugins>
</reporting>
<dependencies>
<dependency>
<groupId>commons-cli</groupId>
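Review bot: this `<reporting>` block is a near-verbatim copy of the one added to the ant module in this commit and of the `<reportPlugins>` list removed just above, differing only in the copyright year ("2012-15" versus the removed "2012-14") and the new `enableFilesSummary`. Three hand-maintained copies of roughly 130 lines will drift; move the common part to the parent's `<reporting>` section and keep only the module-specific `reportSets` here.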

View File

@@ -84,8 +84,8 @@ public final class CliParser {
/**
* Validates that the command line arguments are valid.
*
* @throws FileNotFoundException if there is a file specified by either the SCAN or CPE command line arguments that
* does not exist.
* @throws FileNotFoundException if there is a file specified by either the SCAN or CPE command line arguments that does not
* exist.
* @throws ParseException is thrown if there is an exception parsing the command line.
*/
private void validateArgs() throws FileNotFoundException, ParseException {
@@ -112,8 +112,8 @@ public final class CliParser {
}
/**
* Validates whether or not the path(s) points at a file that exists; if the path(s) does not point to an existing
* file a FileNotFoundException is thrown.
* Validates whether or not the path(s) points at a file that exists; if the path(s) does not point to an existing file a
* FileNotFoundException is thrown.
*
* @param paths the paths to validate if they exists
* @param optType the option being validated (e.g. scan, out, etc.)
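Review bot: "@param paths the paths to validate if they exists" should read "exist"; it is unchanged context here, but the reflow touched the surrounding javadoc, so fix it in the same pass.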
@@ -140,7 +140,7 @@ public final class CliParser {
throw new FileNotFoundException(msg);
} else if (!path.contains("*") && !path.contains("?")) {
File f = new File(path);
if ("o".equals(argumentName.substring(0, 1).toLowerCase()) && !"ALL".equals(this.getReportFormat().toUpperCase())) {
if ("o".equalsIgnoreCase(argumentName.substring(0, 1)) && !"ALL".equalsIgnoreCase(this.getReportFormat())) {
final String checkPath = path.toLowerCase();
if (checkPath.endsWith(".html") || checkPath.endsWith(".xml") || checkPath.endsWith(".htm")) {
if (f.getParentFile() == null) {
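Review bot: switching to `equalsIgnoreCase` is an improvement because it drops two default-locale `toLowerCase()`/`toUpperCase()` calls, but `argumentName.substring(0, 1)` still throws `StringIndexOutOfBoundsException` on an empty `argumentName`; `argumentName.regionMatches(true, 0, "o", 0, 1)` does the same case-insensitive first-letter test and simply returns false on an empty string. Two smaller points: keying the report-format check on the option name starting with "o" is opaque, compare against the option constant instead; and `path.toLowerCase()` on the next line still uses the default locale, so pass `Locale.ROOT` for consistency with the change made here.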
@@ -257,8 +257,8 @@ public final class CliParser {
}
/**
* Adds the advanced command line options to the given options collection. These are split out for purposes of being
* able to display two different help messages.
* Adds the advanced command line options to the given options collection. These are split out for purposes of being able to
* display two different help messages.
*
* @param options a collection of command line arguments
* @throws IllegalArgumentException thrown if there is an exception
@@ -324,7 +324,8 @@ public final class CliParser {
.create();
final Option disableCentralAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_CENTRAL)
.withDescription("Disable the Central Analyzer. If this analyzer is disabled it is likely you also want to disable the Nexus Analyzer.")
.withDescription("Disable the Central Analyzer. If this analyzer is disabled it is likely you also want to disable "
+ "the Nexus Analyzer.")
.create();
final Option disableNexusAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_NEXUS)
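Review bot: the `--disableCentral` description is only re-wrapped here, while the documentation tables in this same commit gain a bold warning that disabling the Central Analyzer can lead to false negatives. The `--help` output is what most CLI users actually read, so carry the same sentence into `withDescription(...)` so the two front-ends give the same advice.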
@@ -373,8 +374,8 @@ public final class CliParser {
}
/**
* Adds the deprecated command line options to the given options collection. These are split out for purposes of not
* including them in the help message. We need to add the deprecated options so as not to break existing scripts.
* Adds the deprecated command line options to the given options collection. These are split out for purposes of not including
* them in the help message. We need to add the deprecated options so as not to break existing scripts.
*
* @param options a collection of command line arguments
* @throws IllegalArgumentException thrown if there is an exception
@@ -484,8 +485,7 @@ public final class CliParser {
}
/**
* Returns true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false is
* returned.
* Returns true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false is returned.
*
* @return true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false
*/
@@ -687,8 +687,7 @@ public final class CliParser {
}
/**
* Checks if the auto update feature has been disabled. If it has been disabled via the command line this will
* return false.
* Checks if the auto update feature has been disabled. If it has been disabled via the command line this will return false.
*
* @return if auto-update is allowed.
*/

View File

@@ -21,10 +21,11 @@ Advanced Options
================
Short | Argument&nbsp;Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Parameter | Description | Default&nbsp;Value
-------|-----------------------|-----------------|-----------------------------------------------------------------------------|---------------
\-P | \-\-propertyfile | \<file\> | Specifies a file that contains properties to use instead of applicaion defaults. | &nbsp;
| \-\-disableArchive | | Sets whether the Archive Analyzer will be used. | false
| \-\-zipExtensions | \<strings\> | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp;
| \-\-disableJar | | Sets whether the Jar Analyzer will be used. | false
| \-\-disableCentral | | Sets whether the Central Analyzer will be used. If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer. | false
| \-\-disableCentral | | Sets whether the Central Analyzer will be used. **Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).** If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer. | false
| \-\-disableNexus | | Sets whether the Nexus Analyzer will be used. Note, this has been superceded by the Central Analyzer. However, you can configure the Nexus URL to utilize an internally hosted Nexus Pro server. | false
| \-\-nexus | \<url\> | The url to the Nexus Pro Server. If not set the Nexus Analyzer will be disabled. | &nbsp;
| \-\-nexusUsesProxy | \<true\|false\> | Whether or not the defined proxy should be used when connecting to Nexus. | true
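Review bot: "applicaion" in the `--propertyfile` row should be "application" and "superceded" in the `--disableNexus` row should be "superseded". The bold warning on `--disableCentral` now matches the Ant task's table, which is good; as in that table, the false-negative consequence reads better placed before the Nexus remark.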

View File

@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.2.8</version>
<version>1.2.9</version>
</parent>
<artifactId>dependency-check-core</artifactId>
@@ -93,7 +93,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<version>2.8</version>
<executions>
<execution>
<phase>generate-resources</phase>
@@ -110,7 +109,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<version>2.4</version>
<executions>
<execution>
<id>jar</id>
@@ -127,24 +125,13 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
</goals>
</execution>
</executions>
<configuration>
<archive>
<manifest>
<addDefaultImplementationEntries>true</addDefaultImplementationEntries>
</manifest>
</archive>
<excludes>
<exclude>**/checkstyle*</exclude>
</excludes>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>2.6</version>
<configuration>
<instrumentation>
<ignoreTrivial>true</ignoreTrivial>
<!--ignoreTrivial>true</ignoreTrivial-->
<ignores>
<ignore>.*\$KEYS\.class</ignore>
<ignore>.*\$Element\.class</ignore>
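Review bot: the whole `maven-jar-plugin` `<configuration>` is dropped here, including `addDefaultImplementationEntries` (the `Implementation-*` manifest entries) and the `**/checkstyle*` exclude that keeps build-configuration files out of the published core jar. If the parent's `<pluginManagement>` does not reproduce both, the jar silently loses them; please confirm. Same remark as on the cli pom for `<!--ignoreTrivial>true</ignoreTrivial-->`: remove the commented-out setting or say why it is disabled.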
@@ -192,7 +179,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>2.16</version>
<configuration>
<systemProperties>
<property>
@@ -213,201 +199,149 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-failsafe-plugin</artifactId>
<version>2.16</version>
<configuration>
<systemProperties>
<property>
<name>data.directory</name>
<value>${project.build.directory}/data</value>
</property>
<property>
<name>temp.directory</name>
<value>${project.build.directory}/temp</value>
</property>
</systemProperties>
<includes>
<include>**/*IntegrationTest.java</include>
</includes>
</configuration>
<executions>
<execution>
<goals>
<goal>integration-test</goal>
<goal>verify</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-site-plugin</artifactId>
<version>3.3</version>
<dependencies>
<dependency>
<groupId>org.apache.maven.doxia</groupId>
<artifactId>doxia-module-markdown</artifactId>
<version>1.5</version>
</dependency>
</dependencies>
<configuration>
<skipDeploy>true</skipDeploy>
<reportPlugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>2.7</version>
<reportSets>
<reportSet>
<reports>
<report>index</report>
<report>summary</report>
<report>license</report>
<report>help</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.9.1</version>
<configuration>
<bottom>Copyright© 2012-14 Jeremy Long. All Rights Reserved.</bottom>
</configuration>
<reportSets>
<reportSet>
<id>default</id>
<reports>
<report>javadoc</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>2.1</version>
<reportSets>
<reportSet>
<reports>
<report>dependency-updates-report</report>
<report>plugin-updates-report</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>2.4</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>2.6</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>2.16</version>
<reportSets>
<reportSet>
<reports>
<report>report-only</report>
</reports>
</reportSet>
<reportSet>
<id>integration-tests</id>
<reports>
<report>report-only</report>
<report>failsafe-report-only</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
<version>2.4</version>
<configuration>
<tagListOptions>
<tagClasses>
<tagClass>
<displayName>Todo Work</displayName>
<tags>
<tag>
<matchString>todo</matchString>
<matchType>ignoreCase</matchType>
</tag>
<tag>
<matchString>FIXME</matchString>
<matchType>exact</matchType>
</tag>
</tags>
</tagClass>
</tagClasses>
</tagListOptions>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
<version>2.11</version>
<configuration>
<enableRulesSummary>false</enableRulesSummary>
<configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
<headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
<suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<version>3.1</version>
<configuration>
<targetJdk>1.6</targetJdk>
<linkXref>true</linkXref>
<sourceEncoding>utf-8</sourceEncoding>
<excludes>
<exclude>**/generated/*.java</exclude>
</excludes>
<rulesets>
<ruleset>../src/main/config/dcrules.xml</ruleset>
<ruleset>/rulesets/java/basic.xml</ruleset>
<ruleset>/rulesets/java/imports.xml</ruleset>
<ruleset>/rulesets/java/unusedcode.xml</ruleset>
</rulesets>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>2.5.3</version>
</plugin>
<dependency>
<groupId>org.codehaus.mojo</groupId>
<artifactId>javancss-maven-plugin</artifactId>
<version>2.0</version>
</dependency>
</reportPlugins>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.1</version>
<configuration>
<showDeprecation>false</showDeprecation>
<compilerArgument>-Xlint:unchecked</compilerArgument>
<source>1.6</source>
<target>1.6</target>
</configuration>
</plugin>
</plugins>
</build>
<reporting>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.9.1</version>
<configuration>
<bottom>Copyright© 2012-15 Jeremy Long. All Rights Reserved.</bottom>
</configuration>
<reportSets>
<reportSet>
<id>default</id>
<reports>
<report>javadoc</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>2.1</version>
<reportSets>
<reportSet>
<reports>
<report>dependency-updates-report</report>
<report>plugin-updates-report</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>2.4</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>2.6</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>2.16</version>
<reportSets>
<reportSet>
<reports>
<report>report-only</report>
</reports>
</reportSet>
<reportSet>
<id>integration-tests</id>
<reports>
<report>report-only</report>
<report>failsafe-report-only</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
<version>2.4</version>
<configuration>
<tagListOptions>
<tagClasses>
<tagClass>
<displayName>Todo Work</displayName>
<tags>
<tag>
<matchString>todo</matchString>
<matchType>ignoreCase</matchType>
</tag>
<tag>
<matchString>FIXME</matchString>
<matchType>exact</matchType>
</tag>
</tags>
</tagClass>
</tagClasses>
</tagListOptions>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
<version>2.11</version>
<configuration>
<enableRulesSummary>false</enableRulesSummary>
<enableFilesSummary>false</enableFilesSummary>
<configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
<headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
<suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<version>3.1</version>
<configuration>
<targetJdk>1.6</targetJdk>
<linkXref>true</linkXref>
<sourceEncoding>utf-8</sourceEncoding>
<excludes>
<exclude>**/generated/*.java</exclude>
</excludes>
<rulesets>
<ruleset>../src/main/config/dcrules.xml</ruleset>
<ruleset>/rulesets/java/basic.xml</ruleset>
<ruleset>/rulesets/java/imports.xml</ruleset>
<ruleset>/rulesets/java/unusedcode.xml</ruleset>
</rulesets>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>2.5.3</version>
</plugin>
</plugins>
</reporting>
<dependencies>
<!-- Note, to stay compatible with Jenkins installations only JARs compiled to 1.6 can be used -->
<dependency>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-utils</artifactId>
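Review bot: in the maven-surefire-report-plugin configuration `report-only` is listed in both reportSets, so the unit-test report is generated twice (once per set); the `integration-tests` set only needs `failsafe-report-only`. The checkstyle and PMD configuration paths are all anchored at `${basedir}/../src/main/config`, which assumes every module sits exactly one level below the shared config directory; that holds for this layout, but a short comment would help, since the resolution fails without a clear error for a module nested deeper.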
@@ -416,30 +350,24 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<dependency>
<groupId>org.apache.lucene</groupId>
<artifactId>lucene-test-framework</artifactId>
<version>4.3.1</version>
<version>${apache.lucene.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.jmockit</groupId>
<artifactId>jmockit</artifactId>
<version>1.12</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>com.google.code.findbugs</groupId>
<artifactId>annotations</artifactId>
<version>2.0.1</version>
<version>3.0.0</version>
<optional>true</optional>
</dependency>
<dependency>
<groupId>commons-cli</groupId>
<artifactId>commons-cli</artifactId>
<version>1.2</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId>
<version>1.8.1</version>
<version>1.9</version>
</dependency>
<dependency>
<groupId>commons-io</groupId>
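Review bot: the bump of com.google.code.findbugs:annotations from 2.0.1 to 3.0.0 should be checked against the constraint stated in the comment above the dependencies block (only JARs compiled for 1.6 can be used, for Jenkins compatibility); the artifact is optional, but if the 3.0.0 jar is built for 1.7 and reaches the plugin classpath that guarantee is lost. Moving lucene-test-framework from a hard-coded 4.3.1 to `${apache.lucene.version}` is the right fix, since it lagged behind the lucene-core it tests against.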
@@ -449,22 +377,22 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<dependency>
<groupId>commons-lang</groupId>
<artifactId>commons-lang</artifactId>
<version>2.5</version>
<version>2.6</version>
</dependency>
<dependency>
<groupId>org.apache.lucene</groupId>
<artifactId>lucene-core</artifactId>
<version>4.5.1</version>
<version>${apache.lucene.version}</version>
</dependency>
<dependency>
<groupId>org.apache.lucene</groupId>
<artifactId>lucene-analyzers-common</artifactId>
<version>4.5.1</version>
<version>${apache.lucene.version}</version>
</dependency>
<dependency>
<groupId>org.apache.lucene</groupId>
<artifactId>lucene-queryparser</artifactId>
<version>4.5.1</version>
<version>${apache.lucene.version}</version>
</dependency>
<dependency>
<groupId>org.apache.velocity</groupId>
@@ -474,7 +402,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<dependency>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
<version>1.3.172</version>
<version>1.3.176</version>
</dependency>
<dependency>
<groupId>org.jsoup</groupId>
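Review bot: bumping com.h2database:h2 from 1.3.172 to 1.3.176 changes the library that opens the local CVE database; a check that a data directory created by 1.3.172 still opens cleanly under 1.3.176 (or that the updater recreates it) is worth doing and recording in the commit message before release.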
@@ -606,7 +534,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>2.16</version>
<version>2.18.1</version>
<configuration>
<skip>true</skip>
</configuration>
@@ -614,7 +542,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-failsafe-plugin</artifactId>
<version>2.16</version>
<version>2.18.1</version>
<configuration>
<systemProperties>
<property>
@@ -728,8 +656,33 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<scope>provided</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>com.google.inject</groupId>
<artifactId>guice</artifactId>
<version>3.0</version>
<scope>provided</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.opensaml</groupId>
<artifactId>xmltooling</artifactId>
<version>1.4.1</version>
<scope>provided</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>3.2.12.RELEASE</version>
<scope>provided</scope>
<optional>true</optional>
</dependency>
</dependencies>
</profile>
</profiles>
<properties>
<!-- new versions of lucene are compiled with JDK 1.7 and cannot be used ubiquitously in Jenkins
this, we cannot upgrade beyond 4.7.2 -->
<apache.lucene.version>4.7.2</apache.lucene.version>
</properties>
</project>
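Review bot: the comment above `apache.lucene.version` reads "cannot be used ubiquitously in Jenkins this, we cannot upgrade" and is missing a connective; suggest "cannot be used ubiquitously in Jenkins. Because of this, we cannot upgrade beyond 4.7.2". The three dependencies added to the profile (guice 3.0, xmltooling 1.4.1, spring-webmvc 3.2.12.RELEASE) are all `provided` and `optional`, so they never ship, but a one-line comment stating what they are for would save the next reader from wondering why a Spring MVC artifact appears in a dependency scanner's pom.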

View File

@@ -116,7 +116,7 @@ public class Engine {
* Loads the analyzers specified in the configuration file (or system properties).
*/
private void loadAnalyzers() {
if (analyzers.size() > 0) {
if (!analyzers.isEmpty()) {
return;
}
for (AnalysisPhase phase : AnalysisPhase.values()) {

View File

@@ -110,7 +110,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
static {
final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
if (additionalZipExt != null) {
final HashSet<String> ext = new HashSet<String>(Arrays.asList(additionalZipExt));
final Set<String> ext = new HashSet<String>(Arrays.asList(additionalZipExt));
ZIPPABLES.addAll(ext);
}
EXTENSIONS.addAll(ZIPPABLES);
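Review bot: `Arrays.asList(additionalZipExt)` on the changed line wraps the whole setting value as a single element, so a comma-separated value for ADDITIONAL_ZIP_EXTENSIONS would register one bogus extension rather than several; if the setting is meant to hold a list, split it first (for example `Arrays.asList(additionalZipExt.split(","))`, trimming each entry). Declaring the local as `Set<String>` is fine.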
@@ -382,7 +382,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
fos = new FileOutputStream(file);
bos = new BufferedOutputStream(fos, BUFFER_SIZE);
int count;
final byte data[] = new byte[BUFFER_SIZE];
final byte[] data = new byte[BUFFER_SIZE];
while ((count = input.read(data, 0, BUFFER_SIZE)) != -1) {
bos.write(data, 0, count);
}
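Review bot: the extraction loop copies until EOF with no bound on the total number of bytes written, so a small archive that expands to a very large entry will fill the temp directory before the analyzer notices; consider counting bytes across the loop and aborting past a configurable limit. The `byte[] data` change is style only.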

View File

@@ -51,8 +51,8 @@ import org.owasp.dependencycheck.utils.DependencyVersion;
import org.owasp.dependencycheck.utils.DependencyVersionUtil;
/**
* CPEAnalyzer is a utility class that takes a project dependency and attempts to discern if there is an associated CPE.
* It uses the evidence contained within the dependency to search the Lucene index.
* CPEAnalyzer is a utility class that takes a project dependency and attempts to discern if there is an associated CPE. It uses
* the evidence contained within the dependency to search the Lucene index.
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
@@ -130,8 +130,8 @@ public class CPEAnalyzer implements Analyzer {
* Opens the data source.
*
* @throws IOException when the Lucene directory to be queried does not exist or is corrupt.
* @throws DatabaseException when the database throws an exception. This usually occurs when the database is in use
* by another process.
* @throws DatabaseException when the database throws an exception. This usually occurs when the database is in use by another
* process.
*/
public void open() throws IOException, DatabaseException {
LOGGER.log(Level.FINE, "Opening the CVE Database");
@@ -161,8 +161,8 @@ public class CPEAnalyzer implements Analyzer {
}
/**
* Searches the data store of CPE entries, trying to identify the CPE for the given dependency based on the evidence
* contained within. The dependency passed in is updated with any identified CPE values.
* Searches the data store of CPE entries, trying to identify the CPE for the given dependency based on the evidence contained
* within. The dependency passed in is updated with any identified CPE values.
*
* @param dependency the dependency to search for CPE entries on.
* @throws CorruptIndexException is thrown when the Lucene index is corrupt.
@@ -176,15 +176,12 @@ public class CPEAnalyzer implements Analyzer {
for (Confidence confidence : Confidence.values()) {
if (dependency.getVendorEvidence().contains(confidence)) {
vendors = addEvidenceWithoutDuplicateTerms(vendors, dependency.getVendorEvidence(), confidence);
LOGGER.fine(String.format("vendor search: %s", vendors));
}
if (dependency.getProductEvidence().contains(confidence)) {
products = addEvidenceWithoutDuplicateTerms(products, dependency.getProductEvidence(), confidence);
LOGGER.fine(String.format("product search: %s", products));
}
/* bug fix for #40 - version evidence is not showing up as "used" in the reports if there is no
* CPE identified. As such, we are "using" the evidence and ignoring the results. */
// if (dependency.getVersionEvidence().contains(confidence)) {
// addEvidenceWithoutDuplicateTerms("", dependency.getVersionEvidence(), confidence);
// }
if (!vendors.isEmpty() && !products.isEmpty()) {
final List<IndexEntry> entries = searchCPE(vendors, products, dependency.getProductEvidence().getWeighting(),
dependency.getVendorEvidence().getWeighting());
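Review bot: the removed `LOGGER.fine(String.format(...))` calls after the vendor and product searches were formatting strings unconditionally, so dropping them avoids that cost, but it also removes the only trace of what was searched when no CPE is identified; if that diagnostic is still wanted, keep it behind `LOGGER.isLoggable(Level.FINE)`. Removing the commented-out code is fine, but the comment explaining the #40 fix (version evidence must be marked as used even when no CPE is found) documents intent rather than dead code and could stay.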
@@ -193,9 +190,11 @@ public class CPEAnalyzer implements Analyzer {
}
boolean identifierAdded = false;
for (IndexEntry e : entries) {
LOGGER.fine(String.format("Verifying entry: %s", e.toString()));
if (verifyEntry(e, dependency)) {
final String vendor = e.getVendor();
final String product = e.getProduct();
LOGGER.fine(String.format("identified vendor/product: %s/%s", vendor, product));
identifierAdded |= determineIdentifiers(dependency, vendor, product, confidence);
}
}
@@ -207,9 +206,9 @@ public class CPEAnalyzer implements Analyzer {
}
/**
* Returns the text created by concatenating the text and the values from the EvidenceCollection (filtered for a
* specific confidence). This attempts to prevent duplicate terms from being added.<br/<br/> Note, if the evidence
* is longer then 200 characters it will be truncated.
* Returns the text created by concatenating the text and the values from the EvidenceCollection (filtered for a specific
* confidence). This attempts to prevent duplicate terms from being added.<br/<br/> Note, if the evidence is longer then 200
* characters it will be truncated.
*
* @param text the base text.
* @param ec an EvidenceCollection
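Review bot: the reflowed javadoc still carries `<br/<br/>`, which is malformed HTML (the first tag is never closed), and "longer then 200 characters" should be "longer than"; since these lines are being rewritten anyway, fix both: `being added.<br/><br/> Note, if the evidence is longer than 200`.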
@@ -244,8 +243,8 @@ public class CPEAnalyzer implements Analyzer {
* version.</p>
*
* <p>
* If either the vendorWeightings or productWeightings lists have been populated this data is used to add weighting
* factors to the search.</p>
* If either the vendorWeightings or productWeightings lists have been populated this data is used to add weighting factors to
* the search.</p>
*
* @param vendor the text used to search the vendor field
* @param product the text used to search the product field
@@ -256,7 +255,7 @@ public class CPEAnalyzer implements Analyzer {
protected List<IndexEntry> searchCPE(String vendor, String product,
Set<String> vendorWeightings, Set<String> productWeightings) {
final ArrayList<IndexEntry> ret = new ArrayList<IndexEntry>(MAX_QUERY_RESULTS);
final List<IndexEntry> ret = new ArrayList<IndexEntry>(MAX_QUERY_RESULTS);
final String searchString = buildSearch(vendor, product, vendorWeightings, productWeightings);
if (searchString == null) {
@@ -270,13 +269,6 @@ public class CPEAnalyzer implements Analyzer {
final IndexEntry entry = new IndexEntry();
entry.setVendor(doc.get(Fields.VENDOR));
entry.setProduct(doc.get(Fields.PRODUCT));
// if (d.score < 0.08) {
// System.out.print(entry.getVendor());
// System.out.print(":");
// System.out.print(entry.getProduct());
// System.out.print(":");
// System.out.println(d.score);
// }
entry.setSearchScore(d.score);
if (!ret.contains(entry)) {
ret.add(entry);
@@ -301,8 +293,8 @@ public class CPEAnalyzer implements Analyzer {
* Builds a Lucene search string by properly escaping data and constructing a valid search query.</p>
*
* <p>
* If either the possibleVendor or possibleProducts lists have been populated this data is used to add weighting
* factors to the search string generated.</p>
* If either the possibleVendor or possibleProducts lists have been populated this data is used to add weighting factors to
* the search string generated.</p>
*
* @param vendor text to search the vendor field
* @param product text to search the product field
@@ -328,9 +320,8 @@ public class CPEAnalyzer implements Analyzer {
}
/**
* This method constructs a Lucene query for a given field. The searchText is split into separate words and if the
* word is within the list of weighted words then an additional weighting is applied to the term as it is appended
* into the query.
* This method constructs a Lucene query for a given field. The searchText is split into separate words and if the word is
* within the list of weighted words then an additional weighting is applied to the term as it is appended into the query.
*
* @param sb a StringBuilder that the query text will be appended to.
* @param field the field within the Lucene index that the query is searching.
@@ -401,8 +392,8 @@ public class CPEAnalyzer implements Analyzer {
}
/**
* Ensures that the CPE Identified matches the dependency. This validates that the product, vendor, and version
* information for the CPE are contained within the dependencies evidence.
* Ensures that the CPE Identified matches the dependency. This validates that the product, vendor, and version information
* for the CPE are contained within the dependencies evidence.
*
* @param entry a CPE entry.
* @param dependency the dependency that the CPE entries could be for.
@@ -491,9 +482,9 @@ public class CPEAnalyzer implements Analyzer {
}
/**
* Retrieves a list of CPE values from the CveDB based on the vendor and product passed in. The list is then
* validated to find only CPEs that are valid for the given dependency. It is possible that the CPE identified is a
* best effort "guess" based on the vendor, product, and version information.
* Retrieves a list of CPE values from the CveDB based on the vendor and product passed in. The list is then validated to find
* only CPEs that are valid for the given dependency. It is possible that the CPE identified is a best effort "guess" based on
* the vendor, product, and version information.
*
* @param dependency the Dependency being analyzed
* @param vendor the vendor for the CPE being analyzed
@@ -601,8 +592,8 @@ public class CPEAnalyzer implements Analyzer {
*/
BEST_GUESS,
/**
* The entire vendor/product group must be added (without a guess at version) because there is a CVE with a VS
* that only specifies vendor/product.
* The entire vendor/product group must be added (without a guess at version) because there is a CVE with a VS that only
* specifies vendor/product.
*/
BROAD_MATCH
}
@@ -750,8 +741,7 @@ public class CPEAnalyzer implements Analyzer {
//</editor-fold>
/**
* Standard implementation of compareTo that compares identifier confidence, evidence confidence, and then the
* identifier.
* Standard implementation of compareTo that compares identifier confidence, evidence confidence, and then the identifier.
*
* @param o the IdentifierMatch to compare to
* @return the natural ordering of IdentifierMatch

View File

@@ -17,6 +17,7 @@
*/
package org.owasp.dependencycheck.analyzer;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.URL;
@@ -24,18 +25,23 @@ import java.util.List;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.commons.io.FileUtils;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.data.central.CentralSearch;
import org.owasp.dependencycheck.data.nexus.MavenArtifact;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
import org.owasp.dependencycheck.jaxb.pom.PomUtils;
import org.owasp.dependencycheck.utils.DownloadFailedException;
import org.owasp.dependencycheck.utils.Downloader;
import org.owasp.dependencycheck.utils.InvalidSettingException;
import org.owasp.dependencycheck.utils.Settings;
/**
* Analyzer which will attempt to locate a dependency, and the GAV information, by querying Central for the dependency's
* SHA-1 digest.
* Analyzer which will attempt to locate a dependency, and the GAV information, by querying Central for the dependency's SHA-1
* digest.
*
* @author colezlaw
*/
@@ -62,8 +68,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("jar");
/**
* The analyzer should be disabled if there are errors, so this is a flag to determine if such an error has
* occurred.
* The analyzer should be disabled if there are errors, so this is a flag to determine if such an error has occurred.
*/
private boolean errorFlag = false;
@@ -71,7 +76,10 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
* The searcher itself.
*/
private CentralSearch searcher;
/**
* Utility to read POM files.
*/
private PomUtils pomUtil = new PomUtils();
/**
* Field indicating if the analyzer is enabled.
*/
@@ -188,6 +196,39 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
for (MavenArtifact ma : mas) {
LOGGER.fine(String.format("Central analyzer found artifact (%s) for dependency (%s)", ma.toString(), dependency.getFileName()));
dependency.addAsEvidence("central", ma, confidence);
boolean pomAnalyzed = false;
for (Evidence e : dependency.getVendorEvidence()) {
if ("pom".equals(e.getSource())) {
pomAnalyzed = true;
break;
}
}
if (!pomAnalyzed && ma.getPomUrl() != null) {
File pomFile = null;
try {
final File baseDir = Settings.getTempDirectory();
pomFile = File.createTempFile("pom", ".xml", baseDir);
if (!pomFile.delete()) {
final String msg = String.format("Unable to fetch pom.xml for %s from Central; "
+ "this could result in undetected CPE/CVEs.", dependency.getFileName());
LOGGER.warning(msg);
LOGGER.fine("Unable to delete temp file");
}
LOGGER.fine(String.format("Downloading %s", ma.getPomUrl()));
Downloader.fetchFile(new URL(ma.getPomUrl()), pomFile);
pomUtil.analyzePOM(dependency, pomFile);
} catch (DownloadFailedException ex) {
final String msg = String.format("Unable to download pom.xml for %s from Central; "
+ "this could result in undetected CPE/CVEs.", dependency.getFileName());
LOGGER.warning(msg);
} finally {
if (pomFile != null && !FileUtils.deleteQuietly(pomFile)) {
pomFile.deleteOnExit();
}
}
}
}
} catch (IllegalArgumentException iae) {
LOGGER.info(String.format("invalid sha1-hash on %s", dependency.getFileName()));
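Review bot: the `if (!pomFile.delete())` branch logs "Unable to fetch pom.xml" although nothing has been fetched yet, and then proceeds to download into that path regardless, so the warning is misleading and the condition has no effect on control flow; either drop the delete (let the download overwrite the temp file) or return from the branch. The try block only catches DownloadFailedException, while `File.createTempFile` (IOException) and `new URL(ma.getPomUrl())` (MalformedURLException) can also throw, so a malformed pomUrl from Central falls through to the outer handlers and is treated as a failure of the whole lookup rather than of one POM; catching IOException here would keep the GAV evidence already added. Two things to confirm: the POM now comes off the network and goes straight to `pomUtil.analyzePOM`, so the parser behind PomUtils needs external entity resolution disabled, and the `pomAnalyzed` check only looks at vendor evidence with source "pom", so a POM that contributed product evidence only would be downloaded again.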
@@ -198,4 +239,5 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
errorFlag = true;
}
}
}

View File

@@ -36,9 +36,9 @@ import org.owasp.dependencycheck.utils.LogUtils;
/**
* <p>
* This analyzer ensures dependencies that should be grouped together, to remove excess noise from the report, are
* grouped. An example would be Spring, Spring Beans, Spring MVC, etc. If they are all for the same version and have the
* same relative path then these should be grouped into a single dependency under the core/main library.</p>
* This analyzer ensures dependencies that should be grouped together, to remove excess noise from the report, are grouped. An
* example would be Spring, Spring Beans, Spring MVC, etc. If they are all for the same version and have the same relative path
* then these should be grouped into a single dependency under the core/main library.</p>
* <p>
* Note, this grouping only works on dependencies with identified CVE entries</p>
*
@@ -91,8 +91,8 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
//</editor-fold>
/**
* Analyzes a set of dependencies. If they have been found to have the same base path and the same set of
* identifiers they are likely related. The related dependencies are bundled into a single reportable item.
* Analyzes a set of dependencies. If they have been found to have the same base path and the same set of identifiers they are
* likely related. The related dependencies are bundled into a single reportable item.
*
* @param ignore this analyzer ignores the dependency being analyzed
* @param engine the engine that is scanning the dependencies
@@ -130,7 +130,6 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
} else if (cpeIdentifiersMatch(dependency, nextDependency)
&& hasSameBasePath(dependency, nextDependency)
&& fileNameMatch(dependency, nextDependency)) {
if (isCore(dependency, nextDependency)) {
mergeDependencies(dependency, nextDependency, dependenciesToRemove);
} else {
@@ -151,10 +150,10 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
* Adds the relatedDependency to the dependency's related dependencies.
*
* @param dependency the main dependency
* @param relatedDependency a collection of dependencies to be removed from the main analysis loop, this is the
* source of dependencies to remove
* @param dependenciesToRemove a collection of dependencies that will be removed from the main analysis loop, this
* function adds to this collection
* @param relatedDependency a collection of dependencies to be removed from the main analysis loop, this is the source of
* dependencies to remove
* @param dependenciesToRemove a collection of dependencies that will be removed from the main analysis loop, this function
* adds to this collection
*/
private void mergeDependencies(final Dependency dependency, final Dependency relatedDependency, final Set<Dependency> dependenciesToRemove) {
dependency.addRelatedDependency(relatedDependency);
@@ -163,12 +162,14 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
dependency.addRelatedDependency(i.next());
i.remove();
}
if (dependency.getSha1sum().equals(relatedDependency.getSha1sum())) {
dependency.addAllProjectReferences(relatedDependency.getProjectReferences());
}
dependenciesToRemove.add(relatedDependency);
}
/**
* Attempts to trim a maven repo to a common base path. This is typically
* [drive]\[repo_location]\repository\[path1]\[path2].
* Attempts to trim a maven repo to a common base path. This is typically [drive]\[repo_location]\repository\[path1]\[path2].
*
* @param path the path to trim
* @return a string representing the base path.
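Review bot: the new `dependency.getSha1sum().equals(relatedDependency.getSha1sum())` check throws NullPointerException when the main dependency has no SHA-1 (any dependency without a file to hash); use a null-safe comparison such as `dependency.getSha1sum() != null && dependency.getSha1sum().equals(...)`. The mergeDependencies javadoc above should also state that project references are merged only when the two artifacts are byte-identical, since that is now a behavioural rule of the method.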
@@ -207,21 +208,6 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
final String fileName1 = dependency1.getActualFile().getName();
final String fileName2 = dependency2.getActualFile().getName();
// //REMOVED because this is attempting to duplicate what is in the hasSameBasePath function.
// final File one = new File(fileName1);
// final File two = new File(fileName2);
// final String oneParent = one.getParent();
// final String twoParent = two.getParent();
// if (oneParent != null) {
// if (oneParent.equals(twoParent)) {
// fileName1 = one.getName();
// fileName2 = two.getName();
// } else {
// return false;
// }
// } else if (twoParent != null) {
// return false;
// }
//version check
final DependencyVersion version1 = DependencyVersionUtil.parseVersion(fileName1);
final DependencyVersion version2 = DependencyVersionUtil.parseVersion(fileName2);
@@ -321,8 +307,8 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
}
/**
* This is likely a very broken attempt at determining if the 'left' dependency is the 'core' library in comparison
* to the 'right' library.
* This is likely a very broken attempt at determining if the 'left' dependency is the 'core' library in comparison to the
* 'right' library.
*
* @param left the dependency to test
* @param right the dependency to test against
@@ -379,13 +365,12 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
}
/**
* Determines if the jar is shaded and the created pom.xml identified the same CPE as the jar - if so, the pom.xml
* dependency should be removed.
* Determines if the jar is shaded and the created pom.xml identified the same CPE as the jar - if so, the pom.xml dependency
* should be removed.
*
* @param dependency a dependency to check
* @param nextDependency another dependency to check
* @return true if on of the dependencies is a pom.xml and the identifiers between the two collections match;
* otherwise false
* @return true if on of the dependencies is a pom.xml and the identifiers between the two collections match; otherwise false
*/
private boolean isShadedJar(Dependency dependency, Dependency nextDependency) {
final String mainName = dependency.getFileName().toLowerCase();
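Review bot: the reflowed `@return` line keeps the typo "true if on of the dependencies"; it should read "true if one of the dependencies is a pom.xml".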
@@ -399,8 +384,8 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
}
/**
* Determines which path is shortest; if path lengths are equal then we use compareTo of the string method to
* determine if the first path is smaller.
* Determines which path is shortest; if path lengths are equal then we use compareTo of the string method to determine if the
* first path is smaller.
*
* @param left the first path to compare
* @param right the second path to compare

View File

@@ -19,6 +19,7 @@ package org.owasp.dependencycheck.analyzer;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
@@ -64,8 +65,8 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
//</editor-fold>
/**
* The HintAnalyzer uses knowledge about a dependency to add additional information to help in identification of
* identifiers or vulnerabilities.
* The HintAnalyzer uses knowledge about a dependency to add additional information to help in identification of identifiers
* or vulnerabilities.
*
* @param dependency The dependency being analyzed
* @param engine The scanning engine
@@ -84,24 +85,39 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
Confidence.HIGH);
final Evidence springTest3 = new Evidence("Manifest",
"Implementation-Title",
"spring-core",
Confidence.HIGH);
final Evidence springTest4 = new Evidence("Manifest",
"Bundle-Vendor",
"SpringSource",
Confidence.HIGH);
Set<Evidence> evidence = dependency.getProductEvidence().getEvidence();
if (evidence.contains(springTest1) || evidence.contains(springTest2)) {
dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH);
final Evidence springTest5 = new Evidence("jar",
"package name",
"springframework",
Confidence.LOW);
//springsource/vware problem
final Set<Evidence> product = dependency.getProductEvidence().getEvidence();
final Set<Evidence> vendor = dependency.getVendorEvidence().getEvidence();
if (product.contains(springTest1) || product.contains(springTest2) || product.contains(springTest3)
|| (dependency.getFileName().contains("spring") && (product.contains(springTest5) || vendor.contains(springTest5)))) {
dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource spring framework", Confidence.HIGH);
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGH);
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
}
evidence = dependency.getVendorEvidence().getEvidence();
if (evidence.contains(springTest3)) {
if (vendor.contains(springTest4)) {
dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH);
dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
}
//sun/oracle problem
final Iterator<Evidence> itr = dependency.getVendorEvidence().iterator();
final ArrayList<Evidence> newEntries = new ArrayList<Evidence>();
final List<Evidence> newEntries = new ArrayList<Evidence>();
while (itr.hasNext()) {
final Evidence e = itr.next();
if ("sun".equalsIgnoreCase(e.getValue(false))) {

View File

@@ -46,13 +46,6 @@ import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import java.util.zip.ZipEntry;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBElement;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import org.jsoup.Jsoup;
import org.owasp.dependencycheck.Engine;
@@ -60,7 +53,7 @@ import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.EvidenceCollection;
import org.owasp.dependencycheck.jaxb.pom.MavenNamespaceFilter;
import org.owasp.dependencycheck.jaxb.pom.PomUtils;
import org.owasp.dependencycheck.jaxb.pom.generated.License;
import org.owasp.dependencycheck.jaxb.pom.generated.Model;
import org.owasp.dependencycheck.jaxb.pom.generated.Organization;
@@ -68,9 +61,6 @@ import org.owasp.dependencycheck.utils.FileUtils;
import org.owasp.dependencycheck.utils.NonClosingStream;
import org.owasp.dependencycheck.utils.Settings;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLFilter;
import org.xml.sax.XMLReader;
/**
* Used to load a JAR file and collect information that can be used to determine the associated CPE.
@@ -158,24 +148,18 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
* A pattern to detect HTML within text.
*/
private static final Pattern HTML_DETECTION_PATTERN = Pattern.compile("\\<[a-z]+.*/?\\>", Pattern.CASE_INSENSITIVE);
/**
* The unmarshaller used to parse the pom.xml from a JAR file.
* The POM Utility for parsing POM files.
*/
private Unmarshaller pomUnmarshaller;
private PomUtils pomUtils = null;
//</editor-fold>
/**
* Constructs a new JarAnalyzer.
*/
public JarAnalyzer() {
try {
//final JAXBContext jaxbContext = JAXBContext.newInstance("org.owasp.dependencycheck.jaxb.pom.generated");
final JAXBContext jaxbContext = JAXBContext.newInstance(Model.class);
pomUnmarshaller = jaxbContext.createUnmarshaller();
} catch (JAXBException ex) { //guess we will just have a null pointer exception later...
LOGGER.log(Level.SEVERE, "Unable to load parser. See the log for more details.");
LOGGER.log(Level.FINE, null, ex);
}
pomUtils = new PomUtils();
}
//<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
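Review bot: `private PomUtils pomUtils = null;` followed by `pomUtils = new PomUtils();` in the constructor can be `private final PomUtils pomUtils = new PomUtils();`, which also drops the redundant `= null` initialiser. The removed constructor body logged at SEVERE and swallowed JAXBException when the unmarshaller could not be built; confirm PomUtils reproduces that behaviour (or throws) so a missing JAXB implementation still shows up in the log rather than as a later NullPointerException.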
@@ -243,7 +227,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
@Override
public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
try {
final ArrayList<ClassNameInformation> classNames = collectClassNames(dependency);
final List<ClassNameInformation> classNames = collectClassNames(dependency);
final String fileName = dependency.getFileName().toLowerCase();
if (classNames.isEmpty()
&& (fileName.endsWith("-sources.jar")
@@ -262,8 +246,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
* Attempts to find a pom.xml within the JAR file. If found it extracts information and adds it to the evidence.
* This will attempt to interpolate the strings contained within the pom.properties if one exists.
* Attempts to find a pom.xml within the JAR file. If found it extracts information and adds it to the evidence. This will
* attempt to interpolate the strings contained within the pom.properties if one exists.
*
* @param dependency the dependency being analyzed
* @param classes a collection of class name information
@@ -271,7 +255,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
* @throws AnalysisException is thrown if there is an exception parsing the pom
* @return whether or not evidence was added to the dependency
*/
protected boolean analyzePOM(Dependency dependency, ArrayList<ClassNameInformation> classes, Engine engine) throws AnalysisException {
protected boolean analyzePOM(Dependency dependency, List<ClassNameInformation> classes, Engine engine) throws AnalysisException {
boolean foundSomething = false;
final JarFile jar;
try {
@@ -295,15 +279,11 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
File externalPom = null;
if (pomEntries.isEmpty()) {
if (dependency.getActualFilePath().matches(".*\\.m2.repository\\b.*")) {
String pomPath = dependency.getActualFilePath();
pomPath = pomPath.substring(0, pomPath.lastIndexOf('.')) + ".pom";
externalPom = new File(pomPath);
if (externalPom.isFile()) {
pomEntries.add(pomPath);
} else {
return false;
}
String pomPath = dependency.getActualFilePath();
pomPath = pomPath.substring(0, pomPath.lastIndexOf('.')) + ".pom";
externalPom = new File(pomPath);
if (externalPom.isFile()) {
pomEntries.add(pomPath);
} else {
return false;
}
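Review bot: dropping the `.m2.repository` guard means that for any JAR without an embedded pom.xml the analyzer now looks for a sibling file with the extension swapped to `.pom` in any directory, not only inside a local Maven repository; that is a reasonable broadening but it is a behaviour change and belongs in the commit message and in the analyzePOM javadoc. The path arithmetic `pomPath.substring(0, pomPath.lastIndexOf('.'))` is safe only because the file is known to end in `.jar`; a one-line comment saying so would help.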
@@ -342,7 +322,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
if (externalPom == null) {
pom = retrievePom(path, jar);
} else {
pom = retrievePom(externalPom);
pom = pomUtils.readPom(externalPom);
}
foundSomething |= setPomEvidence(dependency, pom, pomProperties, classes);
}
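Review bot: `pomUtils.readPom(externalPom)` replaces `retrievePom(externalPom)`, but neither the `pomUtils` field nor a PomUtils import appears in the JarAnalyzer hunks shown (NexusAnalyzer's hunk adds its own `pomUtil`); make sure both were added. Also confirm `PomUtils.readPom(File)` wraps I/O and parser failures in AnalysisException, since analyzePOM still declares that exception and the removed retrievePom(File) was doing the wrapping.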
@@ -428,7 +408,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
fos = new FileOutputStream(file);
bos = new BufferedOutputStream(fos, BUFFER_SIZE);
int count;
final byte data[] = new byte[BUFFER_SIZE];
final byte[] data = new byte[BUFFER_SIZE];
while ((count = input.read(data, 0, BUFFER_SIZE)) != -1) {
bos.write(data, 0, count);
}
@@ -450,7 +430,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
final InputStreamReader reader = new InputStreamReader(fis, "UTF-8");
final InputSource xml = new InputSource(reader);
final SAXSource source = new SAXSource(xml);
model = readPom(source);
model = pomUtils.readPom(source);
} catch (FileNotFoundException ex) {
final String msg = String.format("Unable to parse pom '%s' in jar '%s' (File Not Found)", path, jar.getName());
LOGGER.log(Level.WARNING, msg);
@@ -520,7 +500,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
final InputStreamReader reader = new InputStreamReader(stream, "UTF-8");
final InputSource xml = new InputSource(reader);
final SAXSource source = new SAXSource(xml);
model = readPom(source);
model = pomUtils.readPom(source);
} catch (SecurityException ex) {
final String msg = String.format("Unable to parse pom '%s' in jar '%s'; invalid signature", path, jar.getName());
LOGGER.log(Level.WARNING, msg);
@@ -541,84 +521,17 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
return model;
}
/**
* Reads in the specified POM and converts it to a Model.
*
* @param file the pom.xml file
* @return returns a
* @throws AnalysisException is thrown if there is an exception extracting or parsing the POM
* {@link org.owasp.dependencycheck.jaxb.pom.generated.Model} object
*/
private Model retrievePom(File file) throws AnalysisException {
Model model = null;
try {
final FileInputStream stream = new FileInputStream(file);
final InputStreamReader reader = new InputStreamReader(stream, "UTF-8");
final InputSource xml = new InputSource(reader);
final SAXSource source = new SAXSource(xml);
model = readPom(source);
} catch (SecurityException ex) {
final String msg = String.format("Unable to parse pom '%s'; invalid signature", file.getPath());
LOGGER.log(Level.WARNING, msg);
LOGGER.log(Level.FINE, null, ex);
throw new AnalysisException(ex);
} catch (IOException ex) {
final String msg = String.format("Unable to parse pom '%s'(IO Exception)", file.getPath());
LOGGER.log(Level.WARNING, msg);
LOGGER.log(Level.FINE, "", ex);
throw new AnalysisException(ex);
} catch (Throwable ex) {
final String msg = String.format("Unexpected error during parsing of the pom '%s'", file.getPath());
LOGGER.log(Level.WARNING, msg);
LOGGER.log(Level.FINE, "", ex);
throw new AnalysisException(ex);
}
return model;
}
/**
* Retrieves the specified POM from a jar file and converts it to a Model.
*
* @param source the SAXSource input stream to read the POM from
* @return returns the POM object
* @throws AnalysisException is thrown if there is an exception extracting or parsing the POM
* {@link org.owasp.dependencycheck.jaxb.pom.generated.Model} object
*/
private Model readPom(SAXSource source) throws AnalysisException {
Model model = null;
try {
final XMLFilter filter = new MavenNamespaceFilter();
final SAXParserFactory spf = SAXParserFactory.newInstance();
final SAXParser sp = spf.newSAXParser();
final XMLReader xr = sp.getXMLReader();
filter.setParent(xr);
final JAXBElement<Model> el = pomUnmarshaller.unmarshal(source, Model.class);
model = el.getValue();
} catch (SecurityException ex) {
throw new AnalysisException(ex);
} catch (ParserConfigurationException ex) {
throw new AnalysisException(ex);
} catch (SAXException ex) {
throw new AnalysisException(ex);
} catch (JAXBException ex) {
throw new AnalysisException(ex);
} catch (Throwable ex) {
throw new AnalysisException(ex);
}
return model;
}
/**
* Sets evidence from the pom on the supplied dependency.
*
* @param dependency the dependency to set data on
* @param pom the information from the pom
* @param pomProperties the pom properties file (null if none exists)
* @param classes a collection of ClassNameInformation - containing data about the fully qualified class names
* within the JAR file being analyzed
* @param classes a collection of ClassNameInformation - containing data about the fully qualified class names within the JAR
* file being analyzed
* @return true if there was evidence within the pom that we could use; otherwise false
*/
private boolean setPomEvidence(Dependency dependency, Model pom, Properties pomProperties, ArrayList<ClassNameInformation> classes) {
private boolean setPomEvidence(Dependency dependency, Model pom, Properties pomProperties, List<ClassNameInformation> classes) {
boolean foundSomething = false;
boolean addAsIdentifier = true;
if (pom == null) {
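Review bot: the readPom(SAXSource) removed here built an XMLFilter (MavenNamespaceFilter) and a SAXParser but never attached them to the SAXSource, so `pomUnmarshaller.unmarshal(source, Model.class)` ran with JAXB's default parser and default entity resolution; the filter setup was dead code. When this is relocated into PomUtils, the new readPom should actually set the configured XMLReader on the source and, because POMs now also arrive as downloaded files via NexusAnalyzer, disable DTD and external entity resolution on the SAXParserFactory rather than just moving the unused setup.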
@@ -739,17 +652,17 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
* Analyzes the path information of the classes contained within the JarAnalyzer to try and determine possible
* vendor or product names. If any are found they are stored in the packageVendor and packageProduct hashSets.
* Analyzes the path information of the classes contained within the JarAnalyzer to try and determine possible vendor or
* product names. If any are found they are stored in the packageVendor and packageProduct hashSets.
*
* @param classNames a list of class names
* @param dependency a dependency to analyze
* @param addPackagesAsEvidence a flag indicating whether or not package names should be added as evidence.
*/
protected void analyzePackageNames(ArrayList<ClassNameInformation> classNames,
protected void analyzePackageNames(List<ClassNameInformation> classNames,
Dependency dependency, boolean addPackagesAsEvidence) {
final HashMap<String, Integer> vendorIdentifiers = new HashMap<String, Integer>();
final HashMap<String, Integer> productIdentifiers = new HashMap<String, Integer>();
final Map<String, Integer> vendorIdentifiers = new HashMap<String, Integer>();
final Map<String, Integer> productIdentifiers = new HashMap<String, Integer>();
analyzeFullyQualifiedClassNames(classNames, vendorIdentifiers, productIdentifiers);
final int classCount = classNames.size();
@@ -791,7 +704,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
* @return whether evidence was identified parsing the manifest
* @throws IOException if there is an issue reading the JAR file
*/
protected boolean parseManifest(Dependency dependency, ArrayList<ClassNameInformation> classInformation) throws IOException {
protected boolean parseManifest(Dependency dependency, List<ClassNameInformation> classInformation) throws IOException {
boolean foundSomething = false;
JarFile jar = null;
try {
@@ -948,18 +861,17 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
* Adds a description to the given dependency. If the description contains one of the following strings beyond 100
* characters, then the description used will be trimmed to that position:
* Adds a description to the given dependency. If the description contains one of the following strings beyond 100 characters,
* then the description used will be trimmed to that position:
* <ul><li>"such as"</li><li>"like "</li><li>"will use "</li><li>"* uses "</li></ul>
*
* @param dependency a dependency
* @param description the description
* @param source the source of the evidence
* @param key the "name" of the evidence
* @return if the description is trimmed, the trimmed version is returned; otherwise the original description is
* returned
* @return if the description is trimmed, the trimmed version is returned; otherwise the original description is returned
*/
private String addDescription(Dependency dependency, String description, String source, String key) {
public static String addDescription(Dependency dependency, String description, String source, String key) {
if (dependency.getDescription() == null) {
dependency.setDescription(description);
}
@@ -1064,12 +976,11 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
/**
* <p>
* A utility function that will interpolate strings based on values given in the properties file. It will also
* interpolate the strings contained within the properties file so that properties can reference other
* properties.</p>
* A utility function that will interpolate strings based on values given in the properties file. It will also interpolate the
* strings contained within the properties file so that properties can reference other properties.</p>
* <p>
* <b>Note:</b> if there is no property found the reference will be removed. In other words, if the interpolated
* string will be replaced with an empty string.
* <b>Note:</b> if there is no property found the reference will be removed. In other words, if the interpolated string will
* be replaced with an empty string.
* </p>
* <p>
* Example:</p>
@@ -1089,13 +1000,13 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
* @param properties a collection of properties that may be referenced within the text.
* @return the interpolated text.
*/
protected String interpolateString(String text, Properties properties) {
Properties props = properties;
public static String interpolateString(String text, Properties properties) {
final Properties props = properties;
if (text == null) {
return text;
}
if (props == null) {
props = new Properties();
return text;
}
final int pos = text.indexOf("${");
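Review bot: the `props == null` branch now returns `text` unchanged instead of continuing with an empty Properties, which changes behaviour: the Javadoc above says an unresolved `${...}` reference is replaced with an empty string, but with a null properties argument the references are now left in the returned text. Either keep `props = new Properties()` (and drop `final`) or update the Javadoc and check callers that relied on references being stripped.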
@@ -1133,14 +1044,14 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
* Cycles through an enumeration of JarEntries, contained within the dependency, and returns a list of the class
* names. This does not include core Java package names (i.e. java.* or javax.*).
* Cycles through an enumeration of JarEntries, contained within the dependency, and returns a list of the class names. This
* does not include core Java package names (i.e. java.* or javax.*).
*
* @param dependency the dependency being analyzed
* @return an list of fully qualified class names
*/
private ArrayList<ClassNameInformation> collectClassNames(Dependency dependency) {
final ArrayList<ClassNameInformation> classNames = new ArrayList<ClassNameInformation>();
private List<ClassNameInformation> collectClassNames(Dependency dependency) {
final List<ClassNameInformation> classNames = new ArrayList<ClassNameInformation>();
JarFile jar = null;
try {
jar = new JarFile(dependency.getActualFilePath());
@@ -1171,17 +1082,17 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
* Cycles through the list of class names and places the package levels 0-3 into the provided maps for vendor and
* product. This is helpful when analyzing vendor/product as many times this is included in the package name.
* Cycles through the list of class names and places the package levels 0-3 into the provided maps for vendor and product.
* This is helpful when analyzing vendor/product as many times this is included in the package name.
*
* @param classNames a list of class names
* @param vendor HashMap of possible vendor names from package names (e.g. owasp)
* @param product HashMap of possible product names from package names (e.g. dependencycheck)
*/
private void analyzeFullyQualifiedClassNames(ArrayList<ClassNameInformation> classNames,
HashMap<String, Integer> vendor, HashMap<String, Integer> product) {
private void analyzeFullyQualifiedClassNames(List<ClassNameInformation> classNames,
Map<String, Integer> vendor, Map<String, Integer> product) {
for (ClassNameInformation entry : classNames) {
final ArrayList<String> list = entry.getPackageStructure();
final List<String> list = entry.getPackageStructure();
addEntry(vendor, list.get(0));
if (list.size() == 2) {
@@ -1203,13 +1114,13 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
* Adds an entry to the specified collection and sets the Integer (e.g. the count) to 1. If the entry already exists
* in the collection then the Integer is incremented by 1.
* Adds an entry to the specified collection and sets the Integer (e.g. the count) to 1. If the entry already exists in the
* collection then the Integer is incremented by 1.
*
* @param collection a collection of strings and their occurrence count
* @param key the key to add to the collection
*/
private void addEntry(HashMap<String, Integer> collection, String key) {
private void addEntry(Map<String, Integer> collection, String key) {
if (collection.containsKey(key)) {
collection.put(key, collection.get(key) + 1);
} else {
@@ -1218,15 +1129,15 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
* Cycles through the collection of class name information to see if parts of the package names are contained in the
* provided value. If found, it will be added as the HIGHEST confidence evidence because we have more then one
* source corroborating the value.
* Cycles through the collection of class name information to see if parts of the package names are contained in the provided
* value. If found, it will be added as the HIGHEST confidence evidence because we have more then one source corroborating the
* value.
*
* @param classes a collection of class name information
* @param value the value to check to see if it contains a package name
* @param evidence the evidence collection to add new entries too
*/
private void addMatchingValues(ArrayList<ClassNameInformation> classes, String value, EvidenceCollection evidence) {
private void addMatchingValues(List<ClassNameInformation> classes, String value, EvidenceCollection evidence) {
if (value == null || value.isEmpty() || classes == null || classes.isEmpty()) {
return;
}
@@ -1261,7 +1172,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
* @param pomProperties the properties, used for string interpolation
* @param dependency the dependency to add license information too
*/
private void extractLicense(Model pom, Properties pomProperties, Dependency dependency) {
public static void extractLicense(Model pom, Properties pomProperties, Dependency dependency) {
//license
if (pom.getLicenses() != null) {
String license = null;
@@ -1302,9 +1213,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
/**
* <p>
* Stores information about a given class name. This class will keep the fully qualified class name and a list
* of the important parts of the package structure. Up to the first four levels of the package structure are
* stored, excluding a leading "org" or "com". Example:</p>
* Stores information about a given class name. This class will keep the fully qualified class name and a list of the
* important parts of the package structure. Up to the first four levels of the package structure are stored, excluding a
* leading "org" or "com". Example:</p>
* <code>ClassNameInformation obj = new ClassNameInformation("org.owasp.dependencycheck.analyzer.JarAnalyzer");
* System.out.println(obj.getName());
* for (String p : obj.getPackageStructure())


@@ -17,6 +17,7 @@
*/
package org.owasp.dependencycheck.analyzer;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.MalformedURLException;
@@ -24,13 +25,18 @@ import java.net.URL;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.commons.io.FileUtils;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.data.nexus.MavenArtifact;
import org.owasp.dependencycheck.data.nexus.NexusSearch;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
import org.owasp.dependencycheck.jaxb.pom.PomUtils;
import org.owasp.dependencycheck.utils.InvalidSettingException;
import org.owasp.dependencycheck.utils.DownloadFailedException;
import org.owasp.dependencycheck.utils.Downloader;
import org.owasp.dependencycheck.utils.Settings;
/**
@@ -83,6 +89,10 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
* Field indicating if the analyzer is enabled.
*/
private final boolean enabled = checkEnabled();
/**
* Field for doing POM work
*/
private final PomUtils pomUtil = new PomUtils();
/**
* Determines if this analyzer is enabled
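Review bot: the field is named `pomUtil` here but referenced as `pomUtils` in JarAnalyzer; pick one name across both analyzers. The Javadoc "Field for doing POM work" also lacks a terminating period, which checkstyle's JavadocStyle check flags.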
@@ -202,6 +212,38 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
try {
final MavenArtifact ma = searcher.searchSha1(dependency.getSha1sum());
dependency.addAsEvidence("nexus", ma, Confidence.HIGH);
boolean pomAnalyzed = false;
LOGGER.fine("POM URL " + ma.getPomUrl());
for (Evidence e : dependency.getVendorEvidence()) {
if ("pom".equals(e.getSource())) {
pomAnalyzed = true;
break;
}
}
if (!pomAnalyzed && ma.getPomUrl() != null) {
File pomFile = null;
try {
final File baseDir = Settings.getTempDirectory();
pomFile = File.createTempFile("pom", ".xml", baseDir);
if (!pomFile.delete()) {
final String msg = String.format("Unable to fetch pom.xml for %s from Nexus repository; "
+ "this could result in undetected CPE/CVEs.", dependency.getFileName());
LOGGER.warning(msg);
LOGGER.fine("Unable to delete temp file");
}
LOGGER.fine(String.format("Downloading %s", ma.getPomUrl()));
Downloader.fetchFile(new URL(ma.getPomUrl()), pomFile);
pomUtil.analyzePOM(dependency, pomFile);
} catch (DownloadFailedException ex) {
final String msg = String.format("Unable to download pom.xml for %s from Nexus repository; "
+ "this could result in undetected CPE/CVEs.", dependency.getFileName());
LOGGER.warning(msg);
} finally {
if (pomFile != null && !FileUtils.deleteQuietly(pomFile)) {
pomFile.deleteOnExit();
}
}
}
} catch (IllegalArgumentException iae) {
//dependency.addAnalysisException(new AnalysisException("Invalid SHA-1"));
LOGGER.info(String.format("invalid sha-1 hash on %s", dependency.getFileName()));
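Review bot: the `!pomFile.delete()` branch logs "Unable to fetch pom.xml ..." and then proceeds to download into that same file anyway, so the warning does not describe what happens; either drop the delete (createTempFile only reserved the name and fetchFile writes the file) or skip the download when that branch is taken so the message is true. Two more points: `new URL(ma.getPomUrl())` throws the checked MalformedURLException (imported above) and the inner handler only catches DownloadFailedException, so confirm an enclosing catch handles it rather than letting a bad URL from the search index abort analysis of the dependency; and the file handed to `pomUtil.analyzePOM` is remote content, so PomUtils must parse it with external entity resolution disabled.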


@@ -60,8 +60,8 @@ public class CentralSearch {
/**
* Creates a NexusSearch for the given repository URL.
*
* @param rootURL the URL of the repository on which searches should execute. Only parameters are added to this (so
* it should end in /select)
* @param rootURL the URL of the repository on which searches should execute. Only parameters are added to this (so it should
* end in /select)
*/
public CentralSearch(URL rootURL) {
this.rootURL = rootURL;
@@ -75,13 +75,12 @@ public class CentralSearch {
}
/**
* Searches the configured Central URL for the given sha1 hash. If the artifact is found, a
* <code>MavenArtifact</code> is populated with the GAV.
* Searches the configured Central URL for the given sha1 hash. If the artifact is found, a <code>MavenArtifact</code> is
* populated with the GAV.
*
* @param sha1 the SHA-1 hash string for which to search
* @return the populated Maven GAV.
* @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not
* found.
* @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not found.
*/
public List<MavenArtifact> searchSha1(String sha1) throws IOException {
if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) {
@@ -124,8 +123,19 @@ public class CentralSearch {
final String a = xpath.evaluate("./str[@name='a']", docs.item(i));
LOGGER.finest(String.format("ArtifactId: %s", a));
final String v = xpath.evaluate("./str[@name='v']", docs.item(i));
final NodeList atts = (NodeList) xpath.evaluate("./arr[@name='ec']/str", docs.item(i), XPathConstants.NODESET);
boolean pomAvailable = false;
boolean jarAvailable = false;
for (int x = 0; x < atts.getLength(); x++) {
final String tmp = xpath.evaluate(".", atts.item(x));
if (".pom".equals(tmp)) {
pomAvailable = true;
} else if (".jar".equals(tmp)) {
jarAvailable = true;
}
}
LOGGER.finest(String.format("Version: %s", v));
result.add(new MavenArtifact(g, a, v, url.toString()));
result.add(new MavenArtifact(g, a, v, jarAvailable, pomAvailable));
}
return result;
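Review bot: `new MavenArtifact(g, a, v, jarAvailable, pomAvailable)` no longer receives `url`, so the artifact and POM download locations are derived from the constant in MavenArtifact rather than from the configured rootURL; a CentralSearch pointed at a mirror will still produce search.maven.org download URLs. If that is intended, the constructor Javadoc ("the URL of the repository on which searches should execute") should say downloads always come from Central. Minor: `xpath.evaluate(".", atts.item(x))` can be `atts.item(x).getTextContent()`.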


@@ -48,8 +48,8 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.utils.Pair;
/**
* An in memory lucene index that contains the vendor/product combinations from the CPE (application) identifiers within
* the NVD CVE data.
* An in memory lucene index that contains the vendor/product combinations from the CPE (application) identifiers within the NVD
* CVE data.
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/


@@ -72,7 +72,7 @@ public abstract class AbstractTokenizingFilter extends TokenFilter {
* @return whether or not a new term was added
*/
protected boolean addTerm() {
final boolean termAdded = tokens.size() > 0;
final boolean termAdded = !tokens.isEmpty();
if (termAdded) {
final String term = tokens.pop();
clearAttributes();


@@ -29,8 +29,8 @@ import org.apache.lucene.util.Version;
/**
* <p>
* A Lucene Analyzer that utilizes the WhitespaceTokenizer, WordDelimiterFilter, LowerCaseFilter, and StopFilter. The
* intended purpose of this Analyzer is to index the CPE fields vendor and product.</p>
* A Lucene Analyzer that utilizes the WhitespaceTokenizer, WordDelimiterFilter, LowerCaseFilter, and StopFilter. The intended
* purpose of this Analyzer is to index the CPE fields vendor and product.</p>
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/


@@ -17,6 +17,7 @@
*/
package org.owasp.dependencycheck.data.lucene;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import org.apache.lucene.util.Version;
/**
@@ -28,10 +29,10 @@ import org.apache.lucene.util.Version;
public final class LuceneUtils {
/**
* The current version of Lucene being used. Declaring this one place so an upgrade doesn't require hunting through
* the code base.
* The current version of Lucene being used. Declaring this one place so an upgrade doesn't require hunting through the code
* base.
*/
public static final Version CURRENT_VERSION = Version.LUCENE_45;
public static final Version CURRENT_VERSION = Version.LUCENE_47;
/**
* Private constructor as this is a utility class.
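Review bot: `CURRENT_VERSION` moves to `Version.LUCENE_47`; confirm the lucene-core and analyzers artifacts in the pom are the matching 4.7.x release so the constant compiles and runs against the same version. Since the CPE index is built in memory (see the CpeMemoryIndex Javadoc above), no on-disk index has to be rebuilt for this change.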
@@ -46,7 +47,7 @@ public final class LuceneUtils {
* @param text the data to be escaped
*/
@SuppressWarnings("fallthrough")
@edu.umd.cs.findbugs.annotations.SuppressWarnings(
@SuppressFBWarnings(
value = "SF_SWITCH_NO_DEFAULT",
justification = "The switch below does have a default.")
public static void appendEscapedLuceneQuery(StringBuilder buf,


@@ -39,8 +39,7 @@ public class SearchFieldAnalyzer extends Analyzer {
*/
private final Version version;
/**
* A local reference to the TokenPairConcatenatingFilter so that we can clear any left over state if this analyzer
* is re-used.
* A local reference to the TokenPairConcatenatingFilter so that we can clear any left over state if this analyzer is re-used.
*/
private TokenPairConcatenatingFilter concatenatingFilter;
@@ -85,8 +84,7 @@ public class SearchFieldAnalyzer extends Analyzer {
/**
* <p>
* Resets the analyzer and clears any internal state data that may have been left-over from previous uses of the
* analyzer.</p>
* Resets the analyzer and clears any internal state data that may have been left-over from previous uses of the analyzer.</p>
* <p>
* <b>If this analyzer is re-used this method must be called between uses.</b></p>
*/


@@ -1,72 +0,0 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.lucene;
import java.io.Reader;
import org.apache.lucene.analysis.Analyzer;
import org.apache.lucene.analysis.TokenStream;
import org.apache.lucene.analysis.Tokenizer;
import org.apache.lucene.analysis.core.LowerCaseFilter;
import org.apache.lucene.analysis.core.WhitespaceTokenizer;
import org.apache.lucene.util.Version;
/**
* SearchVersionAnalyzer is a Lucene Analyzer used to analyze version information.
*
* @author Jeremy Long <jeremy.long@owasp.org>
* @deprecated version information is no longer stored in lucene
*/
@Deprecated
public class SearchVersionAnalyzer extends Analyzer {
//TODO consider implementing payloads/custom attributes...
// use custom attributes for major, minor, x, x, x, rcx
// these can then be used to weight the score for searches on the version.
// see http://lucene.apache.org/core/3_6_1/api/core/org/apache/lucene/analysis/package-summary.html#package_description
// look at this article to implement
// http://www.codewrecks.com/blog/index.php/2012/08/25/index-your-blog-using-tags-and-lucene-net/
/**
* The Lucene Version used.
*/
private final Version version;
/**
* Creates a new SearchVersionAnalyzer.
*
* @param version the Lucene version
*/
public SearchVersionAnalyzer(Version version) {
this.version = version;
}
/**
* Creates the TokenStreamComponents
*
* @param fieldName the field name being analyzed
* @param reader the reader containing the input
* @return the TokenStreamComponents
*/
@Override
protected TokenStreamComponents createComponents(String fieldName, Reader reader) {
final Tokenizer source = new WhitespaceTokenizer(version, reader);
TokenStream stream = source;
stream = new LowerCaseFilter(version, stream);
stream = new VersionTokenizingFilter(stream);
return new TokenStreamComponents(source, stream);
}
}


@@ -92,7 +92,7 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
//if we have a previousTerm - write it out as its own token concatenated
// with the current word (if one is available).
if (previousWord != null && words.size() > 0) {
if (previousWord != null && !words.isEmpty()) {
final String word = words.getFirst();
clearAttributes();
termAtt.append(previousWord).append(word);
@@ -100,7 +100,7 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
return true;
}
//if we have words, write it out as a single token
if (words.size() > 0) {
if (!words.isEmpty()) {
final String word = words.removeFirst();
clearAttributes();
termAtt.append(word);


@@ -60,7 +60,7 @@ public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
public boolean incrementToken() throws IOException {
final LinkedList<String> tokens = getTokens();
final CharTermAttribute termAtt = getTermAtt();
if (tokens.size() == 0 && input.incrementToken()) {
if (tokens.isEmpty() && input.incrementToken()) {
final String text = new String(termAtt.buffer(), 0, termAtt.length());
if (UrlStringUtils.containsUrl(text)) {
final String[] parts = text.split("\\s");


@@ -1,71 +0,0 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.lucene;
import java.io.Reader;
import org.apache.lucene.analysis.Analyzer;
import org.apache.lucene.analysis.TokenStream;
import org.apache.lucene.analysis.Tokenizer;
import org.apache.lucene.analysis.core.LowerCaseFilter;
import org.apache.lucene.analysis.core.WhitespaceTokenizer;
import org.apache.lucene.util.Version;
/**
* VersionAnalyzer is a Lucene Analyzer used to analyze version information.
*
* @author Jeremy Long <jeremy.long@owasp.org>
* @deprecated version information is no longer stored in lucene
*/
@Deprecated
public class VersionAnalyzer extends Analyzer {
//TODO consider implementing payloads/custom attributes...
// use custom attributes for major, minor, x, x, x, rcx
// these can then be used to weight the score for searches on the version.
// see http://lucene.apache.org/core/3_6_1/api/core/org/apache/lucene/analysis/package-summary.html#package_description
// look at this article to implement
// http://www.codewrecks.com/blog/index.php/2012/08/25/index-your-blog-using-tags-and-lucene-net/
/**
* The Lucene Version used.
*/
private final Version version;
/**
* Creates a new VersionAnalyzer.
*
* @param version the Lucene version
*/
public VersionAnalyzer(Version version) {
this.version = version;
}
/**
* Creates the TokenStreamComponents
*
* @param fieldName the field name being analyzed
* @param reader the reader containing the input
* @return the TokenStreamComponents
*/
@Override
protected TokenStreamComponents createComponents(String fieldName, Reader reader) {
final Tokenizer source = new WhitespaceTokenizer(version, reader);
TokenStream stream = source;
stream = new LowerCaseFilter(version, stream);
return new TokenStreamComponents(source, stream);
}
}


@@ -1,98 +0,0 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.data.lucene;
import java.io.IOException;
import java.util.LinkedList;
import org.apache.lucene.analysis.TokenStream;
import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
/**
* <p>
* Takes a TokenStream and splits or adds tokens to correctly index version numbers.</p>
* <p>
* <b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE 3.0.0.RELEASE".</p>
*
* @author Jeremy Long <jeremy.long@owasp.org>
* @deprecated version information is no longer stored in lucene
*/
@Deprecated
public final class VersionTokenizingFilter extends AbstractTokenizingFilter {
/**
* Constructs a new VersionTokenizingFilter.
*
* @param stream the TokenStream that this filter will process
*/
public VersionTokenizingFilter(TokenStream stream) {
super(stream);
}
/**
* Increments the underlying TokenStream and sets CharTermAttributes to construct an expanded set of tokens by
* concatenating tokens with the previous token.
*
* @return whether or not we have hit the end of the TokenStream
* @throws IOException is thrown when an IOException occurs
*/
@Override
public boolean incrementToken() throws IOException {
final LinkedList<String> tokens = getTokens();
final CharTermAttribute termAtt = getTermAtt();
if (tokens.size() == 0 && input.incrementToken()) {
final String version = new String(termAtt.buffer(), 0, termAtt.length());
final String[] toAnalyze = version.split("[_-]");
//ensure we analyze the whole string as one too
analyzeVersion(version);
for (String str : toAnalyze) {
analyzeVersion(str);
}
}
return addTerm();
}
/**
* <p>
* Analyzes the version and adds several copies of the version as different tokens. For example, the version 1.2.7
* would create the tokens 1 1.2 1.2.7. This is useful in discovering the correct version - sometimes a maintenance
* or build number will throw off the version identification.</p>
*
* <p>
* expected&nbsp;format:&nbps;major.minor[.maintenance[.build]]</p>
*
* @param version the version to analyze
*/
private void analyzeVersion(String version) {
//todo should we also be splitting on dash or underscore? we would need
// to incorporate the dash or underscore back in...
final LinkedList<String> tokens = getTokens();
final String[] versionParts = version.split("\\.");
String dottedVersion = null;
for (String current : versionParts) {
if (!current.matches("^/d+$")) {
tokens.add(current);
}
if (dottedVersion == null) {
dottedVersion = current;
} else {
dottedVersion = dottedVersion + "." + current;
}
tokens.add(dottedVersion);
}
}
}
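Review bot: the regex in `if (!current.matches("^/d+$"))` uses a forward slash, so it never matches a run of digits; the negated test then holds for every segment, and purely numeric parts such as `3` and `0` are added as standalone tokens in addition to the dotted prefixes, which is not what the javadoc example describes. The intended pattern is `"^\\d+$"`. The expected-format javadoc also contains `&nbps;`, a typo for `&nbsp;`. Given the `@Deprecated` marker this may not be worth much effort, but if the file stays in the tree the regex should be corrected so the token set matches the documented behaviour.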

View File

@@ -24,6 +24,11 @@ package org.owasp.dependencycheck.data.nexus;
*/
public class MavenArtifact {
/**
* The base URL for download artifacts from Central.
*/
private static final String CENTRAL_CONTENT_URL = "http://search.maven.org/remotecontent?filepath=";
/**
* The groupId
*/
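Review bot: `CENTRAL_CONTENT_URL` is built on plain `http://`, so every artifact and POM URL derived from it is fetched without transport integrity or server authentication, and those files feed the analysis results. Prefer `https://search.maven.org/remotecontent?filepath=` for this constant; the path part stays the same.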
@@ -43,6 +48,10 @@ public class MavenArtifact {
* The artifact url. This may change depending on which Nexus server the search took place.
*/
private String artifactUrl;
/**
* The url to download the POM from.
*/
private String pomUrl;
/**
* Creates an empty MavenArtifact.
@@ -58,9 +67,34 @@ public class MavenArtifact {
* @param version the version
*/
public MavenArtifact(String groupId, String artifactId, String version) {
setGroupId(groupId);
setArtifactId(artifactId);
setVersion(version);
this.groupId = groupId;
this.artifactId = artifactId;
this.version = version;
}
/**
* Creates a MavenArtifact with the given attributes.
*
* @param groupId the groupId
* @param artifactId the artifactId
* @param version the version
* @param jarAvailable if the jar file is available from central
* @param pomAvailable if the pom file is available from central
*/
public MavenArtifact(String groupId, String artifactId, String version, boolean jarAvailable, boolean pomAvailable) {
this.groupId = groupId;
this.artifactId = artifactId;
this.version = version;
if (jarAvailable) {
//org/springframework/spring-core/3.2.0.RELEASE/spring-core-3.2.0.RELEASE.pom
this.artifactUrl = this.CENTRAL_CONTENT_URL + groupId.replace('.', '/') + "/" + artifactId.replace('.', '/') + "/"
+ version + "/" + artifactId + "-" + version + ".jar";
}
if (pomAvailable) {
//org/springframework/spring-core/3.2.0.RELEASE/spring-core-3.2.0.RELEASE.pom
this.pomUrl = this.CENTRAL_CONTENT_URL + groupId.replace('.', '/') + "/" + artifactId.replace('.', '/') + "/"
+ version + "/" + artifactId + "-" + version + ".pom";
}
}
/**
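Review bot: in the five-argument constructor, `artifactId.replace('.', '/')` mangles the repository path. The Maven repository layout maps only the `groupId` dots to path separators; the `artifactId` directory keeps its dots, so any artifactId containing a dot produces a URL that does not exist on Central. Both URL builders should use `artifactId` unchanged, which also matches the trailing `artifactId + "-" + version` file name. Two smaller points: the comment above the jar branch shows a `.pom` path (copied from the POM branch) and should show the `.jar` one, and `this.CENTRAL_CONTENT_URL` reads a static constant through `this`; plain `CENTRAL_CONTENT_URL` is the conventional form and avoids a checkstyle warning.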
@@ -72,10 +106,10 @@ public class MavenArtifact {
* @param url the artifactLink url
*/
public MavenArtifact(String groupId, String artifactId, String version, String url) {
setGroupId(groupId);
setArtifactId(artifactId);
setVersion(version);
setArtifactUrl(url);
this.groupId = groupId;
this.artifactId = artifactId;
this.version = version;
this.artifactUrl = url;
}
/**
@@ -159,6 +193,25 @@ public class MavenArtifact {
public String getArtifactUrl() {
return artifactUrl;
}
/**
* Get the value of pomUrl.
*
* @return the value of pomUrl
*/
public String getPomUrl() {
return pomUrl;
}
/**
* Set the value of pomUrl.
*
* @param pomUrl new value of pomUrl
*/
public void setPomUrl(String pomUrl) {
this.pomUrl = pomUrl;
}
}
// vim: cc=120:sw=4:ts=4:sts=4

View File

@@ -58,8 +58,8 @@ public class NexusSearch {
/**
* Creates a NexusSearch for the given repository URL.
*
* @param rootURL the root URL of the repository on which searches should execute. full URL's are calculated
* relative to this URL, so it should end with a /
* @param rootURL the root URL of the repository on which searches should execute. full URL's are calculated relative to this
* URL, so it should end with a /
*/
public NexusSearch(URL rootURL) {
this.rootURL = rootURL;
@@ -78,13 +78,12 @@ public class NexusSearch {
}
/**
* Searches the configured Nexus repository for the given sha1 hash. If the artifact is found, a
* <code>MavenArtifact</code> is populated with the coordinate information.
* Searches the configured Nexus repository for the given sha1 hash. If the artifact is found, a <code>MavenArtifact</code> is
* populated with the coordinate information.
*
* @param sha1 The SHA-1 hash string for which to search
* @return the populated Maven coordinates
* @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not
* found.
* @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not found.
*/
public MavenArtifact searchSha1(String sha1) throws IOException {
if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) {
@@ -131,7 +130,18 @@ public class NexusSearch {
.evaluate(
"/org.sonatype.nexus.rest.model.NexusArtifact/artifactLink",
doc);
return new MavenArtifact(groupId, artifactId, version, link);
final String pomLink = xpath
.evaluate(
"/org.sonatype.nexus.rest.model.NexusArtifact/pomLink",
doc);
final MavenArtifact ma = new MavenArtifact(groupId, artifactId, version);
if (link != null && !"".equals(link)) {
ma.setArtifactUrl(link);
}
if (pomLink != null && !"".equals(pomLink)) {
ma.setPomUrl(pomLink);
}
return ma;
} catch (Throwable e) {
// Anything else is jacked-up XML stuff that we really can't recover
// from well
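Review bot: `link` and `pomLink` are taken verbatim from the Nexus response and stored through `setArtifactUrl`/`setPomUrl` with only an empty-string check, yet the `pomUrl` field is documented as the URL the POM is downloaded from. Before accepting either value, validate that it parses as an `http`/`https` URL and, ideally, that it resolves under the configured `rootURL`, so an unexpected or malformed index response cannot send the download to an arbitrary host. The surrounding `catch (Throwable e)` also swallows `Error`s; catching `XPathExpressionException` and the SAX/IO exceptions the block can actually raise would be tighter and would keep the "can't recover" comment honest.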

View File

@@ -25,8 +25,10 @@ import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Properties;
import java.util.Set;
@@ -59,8 +61,8 @@ public class CveDB {
private Connection conn;
/**
* Creates a new CveDB object and opens the database connection. Note, the connection must be closed by the caller
* by calling the close method.
* Creates a new CveDB object and opens the database connection. Note, the connection must be closed by the caller by calling
* the close method.
*
* @throws DatabaseException thrown if there is an exception opening the database.
*/
@@ -174,8 +176,8 @@ public class CveDB {
*/
private static final String DELETE_VULNERABILITY = "DELETE FROM vulnerability WHERE id = ?";
/**
* SQL Statement to cleanup orphan entries. Yes, the db schema could be a little tighter, but what we have works
* well to keep the data file size down a bit.
* SQL Statement to cleanup orphan entries. Yes, the db schema could be a little tighter, but what we have works well to keep
* the data file size down a bit.
*/
private static final String CLEANUP_ORPHANS = "DELETE FROM CpeEntry WHERE id not in (SELECT CPEEntryId FROM Software); ";
/**
@@ -212,7 +214,8 @@ public class CveDB {
private static final String SELECT_CVE_FROM_SOFTWARE = "SELECT cve, cpe, previousVersion "
+ "FROM software INNER JOIN vulnerability ON vulnerability.id = software.cveId "
+ "INNER JOIN cpeEntry ON cpeEntry.id = software.cpeEntryId "
+ "WHERE vendor = ? AND product = ?";
+ "WHERE vendor = ? AND product = ? "
+ "ORDER BY cve, cpe"; //, previousVersion
//unfortunately, the version info is too complicated to do in a select. Need to filter this afterwards
// + " AND (version = '-' OR previousVersion IS NOT NULL OR version=?)";
//
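Review bot: the added `ORDER BY cve, cpe` is what makes the `currentCVE` grouping in the result loop (next hunk) correct, since that loop flushes a CVE's CPE set whenever the `cve` column changes; without the ordering, rows for one CVE could be interleaved and the same CVE reported several times or matched against a partial CPE set. That dependency deserves a one-line comment next to the statement. The trailing `//, previousVersion` and the commented-out `AND (...)` fragment below it are dead text; either remove them or turn the second one into a proper explanation of why version filtering happens in Java.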
@@ -270,8 +273,8 @@ public class CveDB {
//</editor-fold>
/**
* Searches the CPE entries in the database and retrieves all entries for a given vendor and product combination.
* The returned list will include all versions of the product that are registered in the NVD CVE data.
* Searches the CPE entries in the database and retrieves all entries for a given vendor and product combination. The returned
* list will include all versions of the product that are registered in the NVD CVE data.
*
* @param vendor the identified vendor name of the dependency being analyzed
* @param product the identified name of the product of the dependency being analyzed
@@ -456,30 +459,41 @@ public class CveDB {
final List<Vulnerability> vulnerabilities = new ArrayList<Vulnerability>();
PreparedStatement ps;
final HashSet<String> cveEntries = new HashSet<String>();
try {
ps = getConnection().prepareStatement(SELECT_CVE_FROM_SOFTWARE);
ps.setString(1, cpe.getVendor());
ps.setString(2, cpe.getProduct());
rs = ps.executeQuery();
String currentCVE = "";
final Map<String, Boolean> vulnSoftware = new HashMap<String, Boolean>();
while (rs.next()) {
final String cveId = rs.getString(1);
if (!currentCVE.equals(cveId)) { //check for match and add
final Entry<String, Boolean> matchedCPE = getMatchingSoftware(vulnSoftware, cpe.getVendor(), cpe.getProduct(), detectedVersion);
if (matchedCPE != null) {
final Vulnerability v = getVulnerability(currentCVE);
v.setMatchedCPE(matchedCPE.getKey(), matchedCPE.getValue() ? "Y" : null);
vulnerabilities.add(v);
}
vulnSoftware.clear();
currentCVE = cveId;
}
final String cpeId = rs.getString(2);
final String previous = rs.getString(3);
if (!cveEntries.contains(cveId) && isAffected(cpe.getVendor(), cpe.getProduct(), detectedVersion, cpeId, previous)) {
cveEntries.add(cveId);
final Vulnerability v = getVulnerability(cveId);
v.setMatchedCPE(cpeId, previous);
vulnerabilities.add(v);
}
final Boolean p = previous != null && !previous.isEmpty();
vulnSoftware.put(cpeId, p);
}
//remember to process the last set of CVE/CPE entries
final Entry<String, Boolean> matchedCPE = getMatchingSoftware(vulnSoftware, cpe.getVendor(), cpe.getProduct(), detectedVersion);
if (matchedCPE != null) {
final Vulnerability v = getVulnerability(currentCVE);
v.setMatchedCPE(matchedCPE.getKey(), matchedCPE.getValue() ? "Y" : null);
vulnerabilities.add(v);
}
DBUtils.closeResultSet(rs);
DBUtils.closeStatement(ps);
// for (String cve : cveEntries) {
// final Vulnerability v = getVulnerability(cve);
// vulnerabilities.add(v);
// }
} catch (SQLException ex) {
throw new DatabaseException("Exception retrieving vulnerability for " + cpeStr, ex);
} finally {
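Review bot: `cveEntries` (declared as `final HashSet<String> cveEntries = new HashSet<String>();` at the top of the hunk) is neither read nor written after this rewrite, and the commented-out `for (String cve : cveEntries)` loop is dead; remove both. Note also that `matchedCPE.getValue() ? "Y" : null` replaces the stored `previousVersion` string that `setMatchedCPE` received before, so anything that renders the matched CPE now sees a literal `Y` instead of the database value; confirm the report templates expect that marker. The flush block after the loop duplicates the one inside it; a small private helper taking `currentCVE` and `vulnSoftware` would keep the two in sync.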
@@ -742,8 +756,8 @@ public class CveDB {
}
/**
* It is possible that orphaned rows may be generated during database updates. This should be called after all
* updates have been completed to ensure orphan entries are removed.
* It is possible that orphaned rows may be generated during database updates. This should be called after all updates have
* been completed to ensure orphan entries are removed.
*/
public void cleanupDatabase() {
PreparedStatement ps = null;
@@ -762,46 +776,80 @@ public class CveDB {
}
/**
* Determines if the given identifiedVersion is affected by the given cpeId and previous version flag. A non-null,
* non-empty string passed to the previous version argument indicates that all previous versions are affected.
* Determines if the given identifiedVersion is affected by the given cpeId and previous version flag. A non-null, non-empty
* string passed to the previous version argument indicates that all previous versions are affected.
*
* @param vendor the vendor of the dependency being analyzed
* @param product the product name of the dependency being analyzed
* @param vulnerableSoftware a map of the vulnerable software with a boolean indicating if all previous versions are affected
* @param identifiedVersion the identified version of the dependency being analyzed
* @param cpeId the cpe identifier of software that has a known vulnerability
* @param previous a flag indicating if previous versions of the product are vulnerable
* @return true if the identified version is affected, otherwise false
*/
protected boolean isAffected(String vendor, String product, DependencyVersion identifiedVersion, String cpeId, String previous) {
boolean affected = false;
final boolean isStruts = "apache".equals(vendor) && "struts".equals(product);
final DependencyVersion v = parseDependencyVersion(cpeId);
final boolean prevAffected = previous != null && !previous.isEmpty();
if (v == null || "-".equals(v.toString())) { //all versions
affected = true;
} else if (identifiedVersion == null || "-".equals(identifiedVersion.toString())) {
if (prevAffected) {
affected = true;
Entry<String, Boolean> getMatchingSoftware(Map<String, Boolean> vulnerableSoftware, String vendor, String product,
DependencyVersion identifiedVersion) {
final boolean isVersionTwoADifferentProduct = "apache".equals(vendor) && "struts".equals(product);
final Set<String> majorVersionsAffectingAllPrevious = new HashSet<String>();
final boolean matchesAnyPrevious = identifiedVersion == null || "-".equals(identifiedVersion.toString());
String majorVersionMatch = null;
for (Entry<String, Boolean> entry : vulnerableSoftware.entrySet()) {
final DependencyVersion v = parseDependencyVersion(entry.getKey());
if (v == null || "-".equals(v.toString())) { //all versions
return entry;
}
} else if (identifiedVersion.equals(v) || (prevAffected && identifiedVersion.compareTo(v) < 0)) {
if (isStruts) { //struts 2 vulns don't affect struts 1
if (identifiedVersion.getVersionParts().get(0).equals(v.getVersionParts().get(0))) {
affected = true;
if (entry.getValue()) {
if (matchesAnyPrevious) {
return entry;
}
} else {
affected = true;
if (identifiedVersion != null && identifiedVersion.getVersionParts().get(0).equals(v.getVersionParts().get(0))) {
majorVersionMatch = v.getVersionParts().get(0);
}
majorVersionsAffectingAllPrevious.add(v.getVersionParts().get(0));
}
}
/*
* TODO consider utilizing the matchThreeVersion method to get additional results. However, this
* might also introduce false positives.
*/
return affected;
if (matchesAnyPrevious) {
return null;
}
final boolean canSkipVersions = majorVersionMatch != null && majorVersionsAffectingAllPrevious.size() > 1;
//yes, we are iterating over this twice. The first time we are skipping versions those that affect all versions
//then later we process those that affect all versions. This could be done with sorting...
for (Entry<String, Boolean> entry : vulnerableSoftware.entrySet()) {
if (!entry.getValue()) {
final DependencyVersion v = parseDependencyVersion(entry.getKey());
//this can't dereference a null 'majorVersionMatch' as canSkipVersions accounts for this.
if (canSkipVersions && !majorVersionMatch.equals(v.getVersionParts().get(0))) {
continue;
}
//this can't dereference a null 'identifiedVersion' because if it was null we would have exited
//in the above loop or just after loop (if matchesAnyPrevious return null).
if (identifiedVersion.equals(v)) {
return entry;
}
}
}
for (Entry<String, Boolean> entry : vulnerableSoftware.entrySet()) {
if (entry.getValue()) {
final DependencyVersion v = parseDependencyVersion(entry.getKey());
//this can't dereference a null 'majorVersionMatch' as canSkipVersions accounts for this.
if (canSkipVersions && !majorVersionMatch.equals(v.getVersionParts().get(0))) {
continue;
}
//this can't dereference a null 'identifiedVersion' because if it was null we would have exited
//in the above loop or just after loop (if matchesAnyPrevious return null).
if (entry.getValue() && identifiedVersion.compareTo(v) <= 0) {
if (!(isVersionTwoADifferentProduct && !identifiedVersion.getVersionParts().get(0).equals(v.getVersionParts().get(0)))) {
return entry;
}
}
}
}
return null;
}
/**
* Parses the version (including revision) from a CPE identifier. If no version is identified then a '-' is
* returned.
* Parses the version (including revision) from a CPE identifier. If no version is identified then a '-' is returned.
*
* @param cpeStr a cpe identifier
* @return a dependency version
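Review bot: the javadoc above `getMatchingSoftware` still documents `@param cpeId` and `@param previous`, which the method no longer takes, and its `@return` still says "true if the identified version is affected" although the method now returns the matching `Entry<String, Boolean>` or `null`; update both. The same javadoc should state the deliberate trade-off introduced by `canSkipVersions`: when the identified version shares a major number with one "all previous versions" entry and more than one such entry exists, entries from other major lines are skipped, so with entries `2.0.5` (previous affected) and `3.1` (previous affected) an identified version `2.9` returns `null` even though "3.1 and all previous" covers it. That may well be the intended behaviour for product lines where a new major is effectively a different product, but it is a potential false negative and should be written down. Minor: `if (entry.getValue() && identifiedVersion.compareTo(v) <= 0)` re-tests `entry.getValue()` inside an `if (entry.getValue())` block, so the inner test is redundant.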
@@ -825,9 +873,9 @@ public class CveDB {
*/
private DependencyVersion parseDependencyVersion(VulnerableSoftware cpe) {
DependencyVersion cpeVersion;
if (cpe.getVersion() != null && cpe.getVersion().length() > 0) {
if (cpe.getVersion() != null && !cpe.getVersion().isEmpty()) {
String versionText;
if (cpe.getRevision() != null && cpe.getRevision().length() > 0) {
if (cpe.getRevision() != null && !cpe.getRevision().isEmpty()) {
versionText = String.format("%s.%s", cpe.getVersion(), cpe.getRevision());
} else {
versionText = cpe.getVersion();

View File

@@ -154,7 +154,7 @@ public class DatabaseProperties {
* @return a map of the database meta data
*/
public Map<String, String> getMetaData() {
final TreeMap<String, String> map = new TreeMap<String, String>();
final Map<String, String> map = new TreeMap<String, String>();
for (Entry<Object, Object> entry : properties.entrySet()) {
final String key = (String) entry.getKey();
if (!"version".equals(key)) {

View File

@@ -27,6 +27,7 @@ import java.sql.Driver;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -75,7 +76,7 @@ public final class DriverLoader {
*/
public static Driver load(String className, String pathToDriver) throws DriverLoadException {
final URLClassLoader parent = (URLClassLoader) ClassLoader.getSystemClassLoader();
final ArrayList<URL> urls = new ArrayList<URL>();
final List<URL> urls = new ArrayList<URL>();
final String[] paths = pathToDriver.split(File.pathSeparator);
for (String path : paths) {
final File file = new File(path);

View File

@@ -21,6 +21,9 @@ import java.io.File;
import java.io.IOException;
import java.io.Serializable;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
@@ -31,9 +34,9 @@ import org.owasp.dependencycheck.utils.Checksum;
import org.owasp.dependencycheck.utils.FileUtils;
/**
* A program dependency. This object is one of the core components within DependencyCheck. It is used to collect
* information about the dependency in the form of evidence. The Evidence is then used to determine if there are any
* known, published, vulnerabilities associated with the program dependency.
* A program dependency. This object is one of the core components within DependencyCheck. It is used to collect information about
* the dependency in the form of evidence. The Evidence is then used to determine if there are any known, published,
* vulnerabilities associated with the program dependency.
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
@@ -121,8 +124,8 @@ public class Dependency implements Serializable, Comparable<Dependency> {
}
/**
* Returns the file name of the dependency with the backslash escaped for use in JavaScript. This is a complete hack
* as I could not get the replace to work in the template itself.
* Returns the file name of the dependency with the backslash escaped for use in JavaScript. This is a complete hack as I
* could not get the replace to work in the template itself.
*
* @return the file name of the dependency with the backslash escaped for use in JavaScript
*/
@@ -194,8 +197,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
}
/**
* Returns the file name to display in reports; if no display file name has been set it will default to the actual
* file name.
* Returns the file name to display in reports; if no display file name has been set it will default to the actual file name.
*
* @return the file name to display
*/
@@ -210,8 +212,8 @@ public class Dependency implements Serializable, Comparable<Dependency> {
* <p>
* Gets the file path of the dependency.</p>
* <p>
* <b>NOTE:</b> This may not be the actual path of the file on disk. The actual path of the file on disk can be
* obtained via the getActualFilePath().</p>
* <b>NOTE:</b> This may not be the actual path of the file on disk. The actual path of the file on disk can be obtained via
* the getActualFilePath().</p>
*
* @return the file path of the dependency
*/
@@ -340,7 +342,9 @@ public class Dependency implements Serializable, Comparable<Dependency> {
if ("maven".equals(i.getType()) && i.getValue().equals(mavenArtifact.toString())) {
found = true;
i.setConfidence(Confidence.HIGHEST);
i.setUrl(mavenArtifact.getArtifactUrl());
final String url = "http://search.maven.org/#search|ga|1|1%3A%22" + this.getSha1sum() + "%22";
i.setUrl(url);
//i.setUrl(mavenArtifact.getArtifactUrl());
LOGGER.fine(String.format("Already found identifier %s. Confidence set to highest", i.getValue()));
break;
}
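Review bot: the identifier URL assembled here starts with `http://search.maven.org/...`; use `https://`. The expression also interpolates `this.getSha1sum()` without a null check, so a dependency whose checksum was not computed ends up with a link containing the literal `null`; guard on the checksum before building the URL. The commented-out `//i.setUrl(mavenArtifact.getArtifactUrl());` should either be removed or replaced by a comment explaining why the search link is preferred over the artifact URL.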
@@ -595,6 +599,47 @@ public class Dependency implements Serializable, Comparable<Dependency> {
return relatedDependencies;
}
/**
* A list of projects that reference this dependency.
*/
private Set<String> projectReferences = new HashSet<String>();
/**
* Get the value of projectReferences.
*
* @return the value of projectReferences
*/
public Set<String> getProjectReferences() {
return projectReferences;
}
/**
* Set the value of projectReferences.
*
* @param projectReferences new value of projectReferences
*/
public void setProjectReferences(Set<String> projectReferences) {
this.projectReferences = projectReferences;
}
/**
* Adds a project reference.
*
* @param projectReference a project reference
*/
public void addProjectReference(String projectReference) {
this.projectReferences.add(projectReference);
}
/**
* Add a collection of project reference.
*
* @param projectReferences a set of project references
*/
public void addAllProjectReferences(Set<String> projectReferences) {
this.projectReferences.addAll(projectReferences);
}
/**
* Set the value of relatedDependencies.
*
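Review bot: `setProjectReferences` stores the caller's `Set` directly and `getProjectReferences` hands out the internal one, so a `null` passed to the setter makes the following `addProjectReference`/`addAllProjectReferences` throw `NullPointerException`, and external code can mutate the field behind the object's back; either reject `null` in the setter or copy into a fresh `HashSet`. The `availableVersions` accessors in the next hunk have the same shape and the same fix applies. Javadoc nit: "Add a collection of project reference." should read "Adds a collection of project references."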
@@ -620,6 +665,38 @@ public class Dependency implements Serializable, Comparable<Dependency> {
}
}
/**
* A list of available versions.
*/
private List<String> availableVersions = new ArrayList<String>();
/**
* Get the value of availableVersions.
*
* @return the value of availableVersions
*/
public List<String> getAvailableVersions() {
return availableVersions;
}
/**
* Set the value of availableVersions.
*
* @param availableVersions new value of availableVersions
*/
public void setAvailableVersions(List<String> availableVersions) {
this.availableVersions = availableVersions;
}
/**
* Adds a version to the available version list.
*
* @param version the version to add to the list
*/
public void addAvailableVersion(String version) {
this.availableVersions.add(version);
}
/**
* Implementation of the Comparable<Dependency> interface. The comparison is solely based on the file name.
*
@@ -688,6 +765,15 @@ public class Dependency implements Serializable, Comparable<Dependency> {
&& (this.relatedDependencies == null || !this.relatedDependencies.equals(other.relatedDependencies))) {
return false;
}
if (this.projectReferences != other.projectReferences
&& (this.projectReferences == null || !this.projectReferences.equals(other.projectReferences))) {
return false;
}
if (this.availableVersions != other.availableVersions
&& (this.availableVersions == null || !this.availableVersions.equals(other.availableVersions))) {
return false;
}
return true;
}
@@ -713,6 +799,8 @@ public class Dependency implements Serializable, Comparable<Dependency> {
hash = 47 * hash + (this.license != null ? this.license.hashCode() : 0);
hash = 47 * hash + (this.vulnerabilities != null ? this.vulnerabilities.hashCode() : 0);
hash = 47 * hash + (this.relatedDependencies != null ? this.relatedDependencies.hashCode() : 0);
hash = 47 * hash + (this.projectReferences != null ? this.projectReferences.hashCode() : 0);
hash = 47 * hash + (this.availableVersions != null ? this.availableVersions.hashCode() : 0);
return hash;
}

View File

@@ -0,0 +1,226 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2015 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.jaxb.pom;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBElement;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import org.owasp.dependencycheck.analyzer.JarAnalyzer;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.jaxb.pom.generated.Model;
import org.owasp.dependencycheck.jaxb.pom.generated.Organization;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLFilter;
import org.xml.sax.XMLReader;
/**
*
* @author jeremy
*/
public class PomUtils {
/**
* The logger.
*/
private static final Logger LOGGER = Logger.getLogger(PomUtils.class.getName());
/**
* The unmarshaller used to parse the pom.xml from a JAR file.
*/
private Unmarshaller pomUnmarshaller;
/**
* Constructs a new POM Utility.
*/
public PomUtils() {
try {
//final JAXBContext jaxbContext = JAXBContext.newInstance("org.owasp.dependencycheck.jaxb.pom.generated");
final JAXBContext jaxbContext = JAXBContext.newInstance(Model.class);
pomUnmarshaller = jaxbContext.createUnmarshaller();
} catch (JAXBException ex) { //guess we will just have a null pointer exception later...
LOGGER.log(Level.SEVERE, "Unable to load parser. See the log for more details.");
LOGGER.log(Level.FINE, null, ex);
}
}
/**
* Reads in the specified POM and converts it to a Model.
*
* @param file the pom.xml file
* @return returns a
* @throws AnalysisException is thrown if there is an exception extracting or parsing the POM
* {@link org.owasp.dependencycheck.jaxb.pom.generated.Model} object
*/
public Model readPom(File file) throws AnalysisException {
Model model = null;
try {
final FileInputStream stream = new FileInputStream(file);
final InputStreamReader reader = new InputStreamReader(stream, "UTF-8");
final InputSource xml = new InputSource(reader);
final SAXSource source = new SAXSource(xml);
model = readPom(source);
} catch (SecurityException ex) {
final String msg = String.format("Unable to parse pom '%s'; invalid signature", file.getPath());
LOGGER.log(Level.WARNING, msg);
LOGGER.log(Level.FINE, "", ex);
throw new AnalysisException(ex);
} catch (IOException ex) {
final String msg = String.format("Unable to parse pom '%s'(IO Exception)", file.getPath());
LOGGER.log(Level.WARNING, msg);
LOGGER.log(Level.FINE, "", ex);
throw new AnalysisException(ex);
} catch (Throwable ex) {
final String msg = String.format("Unexpected error during parsing of the pom '%s'", file.getPath());
LOGGER.log(Level.WARNING, msg);
LOGGER.log(Level.FINE, "", ex);
throw new AnalysisException(ex);
}
return model;
}
/**
* Retrieves the specified POM from a jar file and converts it to a Model.
*
* @param source the SAXSource input stream to read the POM from
* @return returns the POM object
* @throws AnalysisException is thrown if there is an exception extracting or parsing the POM
* {@link org.owasp.dependencycheck.jaxb.pom.generated.Model} object
*/
public Model readPom(SAXSource source) throws AnalysisException {
Model model = null;
try {
final XMLFilter filter = new MavenNamespaceFilter();
final SAXParserFactory spf = SAXParserFactory.newInstance();
final SAXParser sp = spf.newSAXParser();
final XMLReader xr = sp.getXMLReader();
filter.setParent(xr);
final JAXBElement<Model> el = pomUnmarshaller.unmarshal(source, Model.class);
model = el.getValue();
} catch (SecurityException ex) {
throw new AnalysisException(ex);
} catch (ParserConfigurationException ex) {
throw new AnalysisException(ex);
} catch (SAXException ex) {
throw new AnalysisException(ex);
} catch (JAXBException ex) {
throw new AnalysisException(ex);
} catch (Throwable ex) {
throw new AnalysisException(ex);
}
return model;
}
/**
* Reads in the pom file and adds elements as evidence to the given dependency.
*
* @param dependency the dependency being analyzed
* @param pomFile the pom file to read
* @throws AnalysisException is thrown if there is an exception parsing the pom
*/
public void analyzePOM(Dependency dependency, File pomFile) throws AnalysisException {
final Model pom = this.readPom(pomFile);
String groupid = pom.getGroupId();
String parentGroupId = null;
if (pom.getParent() != null) {
parentGroupId = pom.getParent().getGroupId();
if ((groupid == null || groupid.isEmpty()) && parentGroupId != null && !parentGroupId.isEmpty()) {
groupid = parentGroupId;
}
}
if (groupid != null && !groupid.isEmpty()) {
dependency.getVendorEvidence().addEvidence("pom", "groupid", groupid, Confidence.HIGHEST);
dependency.getProductEvidence().addEvidence("pom", "groupid", groupid, Confidence.LOW);
if (parentGroupId != null && !parentGroupId.isEmpty() && !parentGroupId.equals(groupid)) {
dependency.getVendorEvidence().addEvidence("pom", "parent-groupid", parentGroupId, Confidence.MEDIUM);
dependency.getProductEvidence().addEvidence("pom", "parent-groupid", parentGroupId, Confidence.LOW);
}
}
String artifactid = pom.getArtifactId();
String parentArtifactId = null;
if (pom.getParent() != null) {
parentArtifactId = pom.getParent().getArtifactId();
if ((artifactid == null || artifactid.isEmpty()) && parentArtifactId != null && !parentArtifactId.isEmpty()) {
artifactid = parentArtifactId;
}
}
if (artifactid != null && !artifactid.isEmpty()) {
if (artifactid.startsWith("org.") || artifactid.startsWith("com.")) {
artifactid = artifactid.substring(4);
}
dependency.getProductEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.HIGHEST);
dependency.getVendorEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.LOW);
if (parentArtifactId != null && !parentArtifactId.isEmpty() && !parentArtifactId.equals(artifactid)) {
dependency.getProductEvidence().addEvidence("pom", "parent-artifactid", parentArtifactId, Confidence.MEDIUM);
dependency.getVendorEvidence().addEvidence("pom", "parent-artifactid", parentArtifactId, Confidence.LOW);
}
}
//version
String version = pom.getVersion();
String parentVersion = null;
if (pom.getParent() != null) {
parentVersion = pom.getParent().getVersion();
if ((version == null || version.isEmpty()) && parentVersion != null && !parentVersion.isEmpty()) {
version = parentVersion;
}
}
if (version != null && !version.isEmpty()) {
dependency.getVersionEvidence().addEvidence("pom", "version", version, Confidence.HIGHEST);
if (parentVersion != null && !parentVersion.isEmpty() && !parentVersion.equals(version)) {
dependency.getVersionEvidence().addEvidence("pom", "parent-version", version, Confidence.LOW);
}
}
final Organization org = pom.getOrganization();
if (org != null) {
final String orgName = org.getName();
if (orgName != null && !orgName.isEmpty()) {
dependency.getVendorEvidence().addEvidence("pom", "organization name", orgName, Confidence.HIGH);
}
}
final String pomName = pom.getName();
if (pomName != null && !pomName.isEmpty()) {
dependency.getProductEvidence().addEvidence("pom", "name", pomName, Confidence.HIGH);
dependency.getVendorEvidence().addEvidence("pom", "name", pomName, Confidence.HIGH);
}
if (pom.getDescription() != null) {
final String description = pom.getDescription();
if (description != null && !description.isEmpty()) {
JarAnalyzer.addDescription(dependency, description, "pom", "description");
}
}
JarAnalyzer.extractLicense(pom, null, dependency);
}
}
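Review bot: in `readPom(SAXSource)` the `MavenNamespaceFilter` is created and given `xr` as its parent but is never attached to `source` (and `readPom(File)` builds `new SAXSource(xml)` with no `XMLReader` at all), so the filter and the `SAXParserFactory` setup are dead code and JAXB parses with its own default reader; call `source.setXMLReader(filter)` before unmarshalling, and make the factory namespace-aware with `spf.setNamespaceAware(true)`, which JAXB needs. While wiring that up, harden the parser, since `pom.xml` comes out of third-party jars: enable `XMLConstants.FEATURE_SECURE_PROCESSING` and set `http://apache.org/xml/features/disallow-doctype-decl` to `true` on the factory so DTDs and external entities are never processed. Further points in the same file: `readPom(File)` never closes `stream`/`reader` (wrap them in try/finally); the `@return returns a` javadoc is truncated and its `{@link ... Model}` tag has landed under `@throws`; `catch (Throwable ex)` in both `readPom` methods turns `Error`s into `AnalysisException`; and in `dependency.getVersionEvidence().addEvidence("pom", "parent-version", version, Confidence.LOW);` the value should be `parentVersion`, otherwise the parent-version evidence merely duplicates the artifact's own version.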

View File

@@ -31,7 +31,7 @@ import javax.xml.namespace.QName;
@XmlRegistry
public class ObjectFactory {
private final static QName _Project_QNAME = new QName("http://maven.apache.org/POM/4.0.0", "project");
private static final QName _Project_QNAME = new QName("http://maven.apache.org/POM/4.0.0", "project");
/**
* Create a new ObjectFactory that can be used to create new instances of schema derived classes for package: org.owasp.dependencycheck.analyzer.pom.generated

View File

@@ -112,7 +112,7 @@ public class SuppressionRule {
* @return whether or not this suppression rule as CPE entries
*/
public boolean hasCpe() {
return cpe.size() > 0;
return !cpe.isEmpty();
}
/**
* The list of cvssBelow scores.
@@ -152,7 +152,7 @@ public class SuppressionRule {
* @return whether or not this suppression rule has cvss suppressions
*/
public boolean hasCvssBelow() {
return cvssBelow.size() > 0;
return !cvssBelow.isEmpty();
}
/**
* The list of cwe entries to suppress.
@@ -192,7 +192,7 @@ public class SuppressionRule {
* @return whether this suppression rule has CWE entries
*/
public boolean hasCwe() {
return cwe.size() > 0;
return !cwe.isEmpty();
}
/**
* The list of cve entries to suppress.
@@ -232,7 +232,7 @@ public class SuppressionRule {
* @return whether this suppression rule has CVE entries
*/
public boolean hasCve() {
return cve.size() > 0;
return !cve.isEmpty();
}
/**
* A Maven GAV to suppression.
@@ -450,28 +450,28 @@ public class SuppressionRule {
if (gav != null) {
sb.append("gav=").append(gav).append(",");
}
if (cpe != null && cpe.size() > 0) {
if (cpe != null && !cpe.isEmpty()) {
sb.append("cpe={");
for (PropertyType pt : cpe) {
sb.append(pt).append(",");
}
sb.append("}");
}
if (cwe != null && cwe.size() > 0) {
if (cwe != null && !cwe.isEmpty()) {
sb.append("cwe={");
for (String s : cwe) {
sb.append(s).append(",");
}
sb.append("}");
}
if (cve != null && cve.size() > 0) {
if (cve != null && !cve.isEmpty()) {
sb.append("cve={");
for (String s : cve) {
sb.append(s).append(",");
}
sb.append("}");
}
if (cvssBelow != null && cvssBelow.size() > 0) {
if (cvssBelow != null && !cvssBelow.isEmpty()) {
sb.append("cvssBelow={");
for (Float s : cvssBelow) {
sb.append(s).append(",");


@@ -18,6 +18,7 @@
package org.owasp.dependencycheck.utils;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@@ -62,7 +63,7 @@ public final class DependencyVersionUtil {
//'-' is a special case used within the CVE entries, just include it as the version.
if ("-".equals(text)) {
final DependencyVersion dv = new DependencyVersion();
final ArrayList<String> list = new ArrayList<String>();
final List<String> list = new ArrayList<String>();
list.add(text);
dv.setVersionParts(list);
return dv;


@@ -107,7 +107,7 @@ public final class ExtractionUtil {
fos = new FileOutputStream(file);
bos = new BufferedOutputStream(fos, BUFFER_SIZE);
int count;
final byte data[] = new byte[BUFFER_SIZE];
final byte[] data = new byte[BUFFER_SIZE];
while ((count = zis.read(data, 0, BUFFER_SIZE)) != -1) {
bos.write(data, 0, count);
}


@@ -23,6 +23,7 @@ import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
/**
@@ -68,7 +69,7 @@ public final class UrlStringUtils {
/**
* A listing of domain parts that should not be used as evidence. Yes, this is an incomplete list.
*/
private static final HashSet<String> IGNORE_LIST = new HashSet<String>(
private static final Set<String> IGNORE_LIST = new HashSet<String>(
Arrays.asList("www", "com", "org", "gov", "info", "name", "net", "pro", "tel", "mobi", "xxx"));
/**
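Review bot: declaring IGNORE_LIST as `Set<String>` is the right direction, but it is still a mutable static HashSet shared by every caller of UrlStringUtils; wrap it as `Collections.unmodifiableSet(new HashSet<String>(Arrays.asList(...)))` so the ignore list cannot be altered at run time.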
@@ -86,7 +87,7 @@ public final class UrlStringUtils {
* @throws MalformedURLException thrown if the URL is malformed
*/
public static List<String> extractImportantUrlData(String text) throws MalformedURLException {
final ArrayList<String> importantParts = new ArrayList<String>();
final List<String> importantParts = new ArrayList<String>();
final URL url = new URL(text);
final String[] domain = url.getHost().split("\\.");
//add the domain except www and the tld.


@@ -48,18 +48,40 @@
<cpe>cpe:/a:oracle:glassfish</cpe>
<cpe>cpe:/a:oracle:oracle_client</cpe>
</suppress>
<suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives on the grizzly-framework
]]></notes>
<gav regex="true">org\.glassfish\.grizzly:grizzly-framework:.*</gav>
<cpe>cpe:/a:oracle:glassfish</cpe>
</suppress>
<suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives on the grizzly-framework
]]></notes>
<gav regex="true">org\.forgerock\.opendj:opendj-ldap-sdk:.*</gav>
<cpe>cpe:/a:ldap_project:ldap</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives on the org.opensaml:xmltooling
]]></notes>
<gav regex="true">org\.opensaml:xmltooling:.*</gav>
<cpe>cpe:/a:shibboleth:opensaml</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives on the org.opensaml:openws
]]></notes>
<gav regex="true">org\.opensaml:openws:.*</gav>
<cpe>cpe:/a:internet2:opensaml</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Suppresses false positives on the org.opensaml:xmltooling
]]></notes>
<gav regex="true">org\.opensaml:xmltooling:.*</gav>
<cpe>cpe:/a:internet2:opensaml</cpe>
</suppress>
</suppressions>
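Review bot: the notes on the second `<suppress base="true">` block read "Suppresses false positives on the grizzly-framework" while the rule actually targets `org\.forgerock\.opendj:opendj-ldap-sdk:.*` with `cpe:/a:ldap_project:ldap`; fix the copy-pasted note so the reason for the suppression is recorded correctly. The two `org\.opensaml:xmltooling:.*` rules (one for `cpe:/a:shibboleth:opensaml`, one for `cpe:/a:internet2:opensaml`) can be merged into a single `<suppress>` with two `<cpe>` elements, and since the `base="true"` attribute is new, the suppression schema and SuppressionRule parser must accept it or validation of this file will reject it.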


@@ -534,7 +534,7 @@ arising out of or in connection with the use of this tool, the analysis performe
<li class="scaninfo hidden"><i>$enc.html($prop.key)</i>: $enc.html($prop.value)</li>
#end
</ul><br/>
Display:&nbsp;<a href="#" title="Click to toggle display" onclick="return toggleDisplay(this, '.notvulnerable', 'Showing Vulnerable Dependencies', 'Showing All Dependencies'); return false;">Showing Vulnerable Dependencies</a><br/><br/>
Display:&nbsp;<a href="#" title="Click to toggle display" onclick="return toggleDisplay(this, '.notvulnerable', 'Showing Vulnerable Dependencies (click to show all)', 'Showing All Dependencies (click to show less)'); return false;">Showing Vulnerable Dependencies (click to show all)</a><br/><br/>
#set($lnkcnt=0)
<table class="lined">
<tr style="text-align:left">
@@ -606,22 +606,6 @@ arising out of or in connection with the use of this tool, the analysis performe
</tr>
#end
</table>
## <ul class="indent">
## #set($lnkcnt=0)
## #foreach($dependency in $dependencies)
## #set($lnkcnt=$lnkcnt+1)
## <li class="#if($dependency.getVulnerabilities().size()==0)notvulnerable#else vulnerable#end">
## <a href="#l${lnkcnt}_$enc.html($enc.url($dependency.Sha1sum))">$enc.html($dependency.DisplayFileName)</a>
## #if($dependency.getRelatedDependencies().size()>0)
## <ul>
## #foreach($related in $dependency.getRelatedDependencies())
## <li>$enc.html($related.DisplayFileName)</li>
## #end
## </ul>
## #end
## </li>
## #end
## </ul>
<h2>Dependencies</h2>
#set($lnkcnt=0)
#set($cnt=0)
@@ -644,6 +628,19 @@ arising out of or in connection with the use of this tool, the analysis performe
<b>File&nbsp;Path:</b>&nbsp;$enc.html($dependency.FilePath)<br/>
<b>MD5:</b>&nbsp;$enc.html($dependency.Md5sum)<br/>
<b>SHA1:</b>&nbsp;$enc.html($dependency.Sha1sum)
#if ($dependency.projectReferences.size()==1)
<br/><b>Referenced In Project:</b>
#foreach($ref in $dependency.projectReferences)
$enc.html($ref)
#end
#end
#if ($dependency.projectReferences.size()>1)
<br/><b>Referenced In Projects:</b><ul>
#foreach($ref in $dependency.projectReferences)
<li>$enc.html($ref)</li>
#end
</ul>
#end
</p>
#set($cnt=$cnt+1)
<h4 id="header$cnt" class="subsectionheader expandable expandablesubsection white">Evidence</h4>


@@ -15,7 +15,10 @@
*/
package org.owasp.dependencycheck;
import java.io.File;
import java.io.InputStream;
import org.junit.AfterClass;
import org.junit.Assume;
import org.junit.BeforeClass;
import org.owasp.dependencycheck.utils.Settings;
@@ -34,4 +37,31 @@ public class BaseTest {
public static void tearDownClass() throws Exception {
Settings.cleanup(true);
}
/**
* Returns the given resource as an InputStream using the object's class loader. The org.junit.Assume API is used so that test
* cases are skipped if the resource is not available.
*
* @param o the object used to obtain a reference to the class loader
* @param resource the name of the resource to load
* @return the resource as an InputStream
*/
public static InputStream getResourceAsStream(Object o, String resource) {
getResourceAsFile(o, resource);
return o.getClass().getClassLoader().getResourceAsStream(resource);
}
/**
* Returns the given resource as a File using the object's class loader. The org.junit.Assume API is used so that test cases
* are skipped if the resource is not available.
*
* @param o the object used to obtain a reference to the class loader
* @param resource the name of the resource to load
* @return the resource as an File
*/
public static File getResourceAsFile(Object o, String resource) {
File f = new File(o.getClass().getClassLoader().getResource(resource).getPath());
Assume.assumeTrue(String.format("%n%n[SEVERE] Unable to load resource for test case: %s%n%n", resource), f.exists());
return f;
}
}
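Review bot: in getResourceAsFile, `o.getClass().getClassLoader().getResource(resource).getPath()` dereferences the result of getResource() before `Assume.assumeTrue(...)` runs, so a missing resource produces a NullPointerException (a test error) rather than the skipped test the Javadoc promises; check the URL for null first and pass that to Assume. `URL.getPath()` also returns the raw, percent-encoded path, so a checkout directory containing a space yields a File that does not exist and every test is silently skipped; `new File(url.toURI())` avoids both problems. Minor: "as an File" in the Javadoc should read "as a File", and the call to getResourceAsFile inside getResourceAsStream discards its result, which is fine as a guard but worth a one-line comment.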


@@ -23,6 +23,7 @@ import java.util.Set;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
import org.owasp.dependencycheck.dependency.Dependency;
@@ -129,11 +130,12 @@ public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
instance.supportsExtension("ear");
try {
instance.initialize();
File file = new File(this.getClass().getClassLoader().getResource("daytrader-ear-2.1.7.ear").getPath());
File file = BaseTest.getResourceAsFile(this, "daytrader-ear-2.1.7.ear");
//File file = new File(this.getClass().getClassLoader().getResource("daytrader-ear-2.1.7.ear").getPath());
Dependency dependency = new Dependency(file);
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
Engine engine = new Engine();
int initial_size = engine.getDependencies().size();
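Review bot: the old `//File file = new File(this.getClass().getClassLoader().getResource("daytrader-ear-2.1.7.ear").getPath());` line is kept as a comment next to its replacement, and the same pattern repeats in every test class touched by this change; version control already preserves the old form, so delete the commented-out lines rather than carrying them forward. Switching `ANALYZER_CENTRAL_ENABLED` off alongside Nexus and auto-update is right for an offline test, but it means the test only passes against an already populated local database, and a short comment stating that precondition would help the next person who sees it skipped or failing.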
@@ -161,10 +163,12 @@ public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
instance.initialize();
//File file = new File(this.getClass().getClassLoader().getResource("file.tar").getPath());
File file = new File(this.getClass().getClassLoader().getResource("stagedhttp-modified.tar").getPath());
//File file = new File(this.getClass().getClassLoader().getResource("stagedhttp-modified.tar").getPath());
File file = BaseTest.getResourceAsFile(this, "stagedhttp-modified.tar");
Dependency dependency = new Dependency(file);
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
Engine engine = new Engine();
int initial_size = engine.getDependencies().size();
@@ -189,10 +193,12 @@ public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
try {
instance.initialize();
File file = new File(this.getClass().getClassLoader().getResource("file.tar.gz").getPath());
//File file = new File(this.getClass().getClassLoader().getResource("file.tar.gz").getPath());
File file = BaseTest.getResourceAsFile(this, "file.tar.gz");
//Dependency dependency = new Dependency(file);
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
Engine engine = new Engine();
int initial_size = engine.getDependencies().size();
@@ -220,6 +226,7 @@ public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
// File file = new File(this.getClass().getClassLoader().getResource("nested.zip").getPath());
// Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
// Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
// Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
// Engine engine = new Engine();
//
// engine.scan(file);
@@ -239,9 +246,11 @@ public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
try {
instance.initialize();
File file = new File(this.getClass().getClassLoader().getResource("file.tgz").getPath());
//File file = new File(this.getClass().getClassLoader().getResource("file.tgz").getPath());
File file = BaseTest.getResourceAsFile(this, "file.tgz");
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
Engine engine = new Engine();
int initial_size = engine.getDependencies().size();
@@ -265,10 +274,12 @@ public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
try {
instance.initialize();
File file = new File(this.getClass().getClassLoader().getResource("test.zip").getPath());
//File file = new File(this.getClass().getClassLoader().getResource("test.zip").getPath());
File file = BaseTest.getResourceAsFile(this, "test.zip");
Dependency dependency = new Dependency(file);
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
Engine engine = new Engine();
int initial_size = engine.getDependencies().size();
// boolean failed = false;


@@ -78,7 +78,8 @@ public class AssemblyAnalyzerTest extends BaseTest {
@Test
public void testAnalysis() throws Exception {
File f = new File(AssemblyAnalyzerTest.class.getClassLoader().getResource("GrokAssembly.exe").getPath());
//File f = new File(AssemblyAnalyzerTest.class.getClassLoader().getResource("GrokAssembly.exe").getPath());
File f = BaseTest.getResourceAsFile(this, "GrokAssembly.exe");
Dependency d = new Dependency(f);
analyzer.analyze(d, null);
boolean foundVendor = false;
@@ -100,7 +101,9 @@ public class AssemblyAnalyzerTest extends BaseTest {
@Test
public void testLog4Net() throws Exception {
File f = new File(AssemblyAnalyzerTest.class.getClassLoader().getResource("log4net.dll").getPath());
//File f = new File(AssemblyAnalyzerTest.class.getClassLoader().getResource("log4net.dll").getPath());
File f = BaseTest.getResourceAsFile(this, "log4net.dll");
Dependency d = new Dependency(f);
analyzer.analyze(d, null);
assertTrue(d.getVersionEvidence().getEvidence().contains(new Evidence("grokassembly", "version", "1.2.13.0", Confidence.HIGHEST)));
@@ -115,7 +118,8 @@ public class AssemblyAnalyzerTest extends BaseTest {
// Tweak the log level so the warning doesn't show in the console
Logger.getLogger(AssemblyAnalyzer.class.getName()).setLevel(Level.OFF);
Logger.getLogger(Dependency.class.getName()).setLevel(Level.OFF);
File f = new File(AssemblyAnalyzerTest.class.getClassLoader().getResource("log4net.dll").getPath());
//File f = new File(AssemblyAnalyzerTest.class.getClassLoader().getResource("log4net.dll").getPath());
File f = BaseTest.getResourceAsFile(this, "log4net.dll");
File test = new File(f.getParent(), "nonexistent.dll");
Dependency d = new Dependency(test);


@@ -27,6 +27,7 @@ import org.apache.lucene.queryparser.classic.ParseException;
import org.junit.Assert;
import static org.junit.Assert.assertTrue;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
import org.owasp.dependencycheck.data.cpe.IndexEntry;
import org.owasp.dependencycheck.dependency.Confidence;
@@ -110,7 +111,8 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
*/
public void callDetermineCPE_full(String depName, String expResult, CPEAnalyzer instance, FileNameAnalyzer fnAnalyzer, JarAnalyzer jarAnalyzer, HintAnalyzer hAnalyzer, FalsePositiveAnalyzer fp) throws Exception {
File file = new File(this.getClass().getClassLoader().getResource(depName).getPath());
//File file = new File(this.getClass().getClassLoader().getResource(depName).getPath());
File file = BaseTest.getResourceAsFile(this, depName);
Dependency dep = new Dependency(file);
@@ -137,7 +139,8 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
*/
@Test
public void testDetermineCPE() throws Exception {
File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
//File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
File file = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
//File file = new File(this.getClass().getClassLoader().getResource("axis2-adb-1.4.1.jar").getPath());
Dependency struts = new Dependency(file);
@@ -147,15 +150,18 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
JarAnalyzer jarAnalyzer = new JarAnalyzer();
jarAnalyzer.analyze(struts, null);
File fileCommonValidator = new File(this.getClass().getClassLoader().getResource("commons-validator-1.4.0.jar").getPath());
//File fileCommonValidator = new File(this.getClass().getClassLoader().getResource("commons-validator-1.4.0.jar").getPath());
File fileCommonValidator = BaseTest.getResourceAsFile(this, "commons-validator-1.4.0.jar");
Dependency commonValidator = new Dependency(fileCommonValidator);
jarAnalyzer.analyze(commonValidator, null);
File fileSpring = new File(this.getClass().getClassLoader().getResource("spring-core-2.5.5.jar").getPath());
//File fileSpring = new File(this.getClass().getClassLoader().getResource("spring-core-2.5.5.jar").getPath());
File fileSpring = BaseTest.getResourceAsFile(this, "spring-core-2.5.5.jar");
Dependency spring = new Dependency(fileSpring);
jarAnalyzer.analyze(spring, null);
File fileSpring3 = new File(this.getClass().getClassLoader().getResource("spring-core-3.0.0.RELEASE.jar").getPath());
//File fileSpring3 = new File(this.getClass().getClassLoader().getResource("spring-core-3.0.0.RELEASE.jar").getPath());
File fileSpring3 = BaseTest.getResourceAsFile(this, "spring-core-3.0.0.RELEASE.jar");
Dependency spring3 = new Dependency(fileSpring3);
jarAnalyzer.analyze(spring3, null);


@@ -21,6 +21,7 @@ import java.io.File;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.dependency.Dependency;
/**
@@ -56,9 +57,11 @@ public class FileNameAnalyzerTest {
*/
@Test
public void testAnalyze() throws Exception {
File struts = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
//File struts = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
File struts = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
Dependency resultStruts = new Dependency(struts);
File axis = new File(this.getClass().getClassLoader().getResource("axis2-adb-1.4.1.jar").getPath());
//File axis = new File(this.getClass().getClassLoader().getResource("axis2-adb-1.4.1.jar").getPath());
File axis = BaseTest.getResourceAsFile(this, "axis2-adb-1.4.1.jar");
Dependency resultAxis = new Dependency(axis);
FileNameAnalyzer instance = new FileNameAnalyzer();
instance.analyze(resultStruts, null);


@@ -69,12 +69,15 @@ public class HintAnalyzerTest extends BaseTest {
public void testAnalyze() throws Exception {
HintAnalyzer instance = new HintAnalyzer();
File guice = new File(this.getClass().getClassLoader().getResource("guice-3.0.jar").getPath());
//File guice = new File(this.getClass().getClassLoader().getResource("guice-3.0.jar").getPath());
File guice = BaseTest.getResourceAsFile(this, "guice-3.0.jar");
//Dependency guice = new Dependency(fileg);
File spring = new File(this.getClass().getClassLoader().getResource("spring-core-3.0.0.RELEASE.jar").getPath());
//File spring = new File(this.getClass().getClassLoader().getResource("spring-core-3.0.0.RELEASE.jar").getPath());
File spring = BaseTest.getResourceAsFile(this, "spring-core-3.0.0.RELEASE.jar");
//Dependency spring = new Dependency(files);
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
Engine engine = new Engine();
engine.scan(guice);


@@ -41,14 +41,16 @@ public class JarAnalyzerTest extends BaseTest {
*/
@Test
public void testAnalyze() throws Exception {
File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
//File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
File file = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
Dependency result = new Dependency(file);
JarAnalyzer instance = new JarAnalyzer();
instance.analyze(result, null);
assertTrue(result.getVendorEvidence().toString().toLowerCase().contains("apache"));
assertTrue(result.getVendorEvidence().getWeighting().contains("apache"));
file = new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath());
//file = new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath());
file = BaseTest.getResourceAsFile(this, "org.mortbay.jetty.jar");
result = new Dependency(file);
instance.analyze(result, null);
boolean found = false;
@@ -81,7 +83,8 @@ public class JarAnalyzerTest extends BaseTest {
}
assertTrue("implementation-version of 4.2.27 not found in org.mortbay.jetty.jar", found);
file = new File(this.getClass().getClassLoader().getResource("org.mortbay.jmx.jar").getPath());
//file = new File(this.getClass().getClassLoader().getResource("org.mortbay.jmx.jar").getPath());
file = BaseTest.getResourceAsFile(this, "org.mortbay.jmx.jar");
result = new Dependency(file);
instance.analyze(result, null);
assertEquals("org.mortbar,jmx.jar has version evidence?", result.getVersionEvidence().size(), 0);
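Review bot: `assertEquals("org.mortbar,jmx.jar has version evidence?", result.getVersionEvidence().size(), 0);` in the trailing context has its expected and actual arguments swapped (JUnit's signature is message, expected, actual), so a failure would report "expected:<N> but was:<0>", and the message misspells the jar as "org.mortbar,jmx.jar"; since this hunk already touches the lines above, fix it to `assertEquals("org.mortbay.jmx.jar has version evidence?", 0, result.getVersionEvidence().size());`.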


@@ -84,9 +84,12 @@ public class JavaScriptAnalyzerTest extends BaseTest {
*/
@Test
public void testAnalyze() throws Exception {
File jq6 = new File(this.getClass().getClassLoader().getResource("jquery-1.6.2.min.js").getPath());
File jq10 = new File(this.getClass().getClassLoader().getResource("jquery-1.10.2.js").getPath());
File jq10min = new File(this.getClass().getClassLoader().getResource("jquery-1.10.2.min.js").getPath());
//File jq6 = new File(this.getClass().getClassLoader().getResource("jquery-1.6.2.min.js").getPath());
File jq6 = BaseTest.getResourceAsFile(this, "jquery-1.6.2.min.js");
//File jq10 = new File(this.getClass().getClassLoader().getResource("jquery-1.10.2.js").getPath());
File jq10 = BaseTest.getResourceAsFile(this, "jquery-1.10.2.js");
//File jq10min = new File(this.getClass().getClassLoader().getResource("jquery-1.10.2.min.js").getPath());
File jq10min = BaseTest.getResourceAsFile(this, "jquery-1.10.2.min.js");
Dependency depJQ6 = new Dependency(jq6);
Dependency depJQ10 = new Dependency(jq10);
Dependency depJQ10min = new Dependency(jq10min);


@@ -21,6 +21,7 @@ import java.io.File;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
import org.owasp.dependencycheck.dependency.Dependency;
@@ -61,10 +62,13 @@ public class VulnerabilitySuppressionAnalyzerIntegrationTest extends AbstractDat
@Test
public void testAnalyze() throws Exception {
File file = new File(this.getClass().getClassLoader().getResource("commons-fileupload-1.2.1.jar").getPath());
File suppression = new File(this.getClass().getClassLoader().getResource("commons-fileupload-1.2.1.suppression.xml").getPath());
//File file = new File(this.getClass().getClassLoader().getResource("commons-fileupload-1.2.1.jar").getPath());
File file = BaseTest.getResourceAsFile(this, "commons-fileupload-1.2.1.jar");
//File suppression = new File(this.getClass().getClassLoader().getResource("commons-fileupload-1.2.1.suppression.xml").getPath());
File suppression = BaseTest.getResourceAsFile(this, "commons-fileupload-1.2.1.suppression.xml");
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
Engine engine = new Engine();
engine.scan(file);
engine.analyzeDependencies();


@@ -20,16 +20,10 @@ package org.owasp.dependencycheck.data.lucene;
import java.io.IOException;
import java.io.Reader;
import org.apache.lucene.analysis.Analyzer;
import org.apache.lucene.analysis.Analyzer.TokenStreamComponents;
import org.apache.lucene.analysis.BaseTokenStreamTestCase;
import static org.apache.lucene.analysis.BaseTokenStreamTestCase.checkOneTerm;
import org.apache.lucene.analysis.MockTokenizer;
import org.apache.lucene.analysis.Tokenizer;
import org.apache.lucene.analysis.core.KeywordTokenizer;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
/**
*
@@ -50,24 +44,6 @@ public class UrlTokenizingFilterTest extends BaseTokenStreamTestCase {
};
}
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
@Before
public void setUp() throws Exception {
super.setUp();
}
@After
public void tearDown() throws Exception {
super.tearDown();
}
/**
* test some example domains
*/
@@ -102,6 +78,6 @@ public class UrlTokenizingFilterTest extends BaseTokenStreamTestCase {
return new TokenStreamComponents(tokenizer, new UrlTokenizingFilter(tokenizer));
}
};
checkOneTermReuse(a, "", "");
checkOneTerm(a, "", "");
}
}
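Review bot: `checkOneTermReuse` and `checkOneTerm` both come from Lucene's `BaseTokenStreamTestCase`, and which of the two is available depends on the lucene-test-framework version on the test classpath, so this rename must move in lockstep with the lucene-core version in the POM; pin lucene-test-framework to the same version property as lucene-core so the two cannot drift and break this test on the next upgrade or rollback.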


@@ -24,6 +24,7 @@ import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import org.junit.Assume;
import org.junit.Before;
import org.junit.Ignore;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.utils.Settings;
@@ -42,11 +43,13 @@ public class NexusSearchTest extends BaseTest {
}
@Test(expected = IllegalArgumentException.class)
@Ignore
public void testNullSha1() throws Exception {
searcher.searchSha1(null);
}
@Test(expected = IllegalArgumentException.class)
@Ignore
public void testMalformedSha1() throws Exception {
searcher.searchSha1("invalid");
}
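Review bot: `testNullSha1` and `testMalformedSha1` only exercise the argument validation in `searchSha1` (they expect IllegalArgumentException before any request is made), so they do not need network access and should not be @Ignore'd along with the tests that really contact a Nexus instance; keeping them enabled preserves coverage of the input check. If they are ignored because the @Before setup constructs a searcher that connects, say so in a comment, as the existing comment already does for the network-bound tests.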
@@ -55,6 +58,7 @@ public class NexusSearchTest extends BaseTest {
// you may not be able to reach. Remove the @Ignore annotation if you want to
// test it anyway
@Test
@Ignore
public void testValidSha1() throws Exception {
MavenArtifact ma = searcher.searchSha1("9977a8d04e75609cf01badc4eb6a9c7198c4c5ea");
assertEquals("Incorrect group", "org.apache.maven.plugins", ma.getGroupId());
@@ -67,6 +71,7 @@ public class NexusSearchTest extends BaseTest {
// you may not be able to reach. Remove the @Ignore annotation if you want to
// test it anyway
@Test(expected = FileNotFoundException.class)
@Ignore
public void testMissingSha1() throws Exception {
searcher.searchSha1("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
}


@@ -18,6 +18,7 @@
package org.owasp.dependencycheck.data.nuget;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.InputStream;
import java.io.PrintStream;
import static org.junit.Assert.assertEquals;
@@ -39,7 +40,8 @@ public class XPathNuspecParserTest extends BaseTest {
@Test
public void testGoodDocument() throws Exception {
NuspecParser parser = new XPathNuspecParser();
InputStream is = XPathNuspecParserTest.class.getClassLoader().getResourceAsStream("log4net.2.0.3.nuspec");
//InputStream is = XPathNuspecParserTest.class.getClassLoader().getResourceAsStream("log4net.2.0.3.nuspec");
InputStream is = BaseTest.getResourceAsStream(this, "log4net.2.0.3.nuspec");
NugetPackage np = parser.parse(is);
assertEquals("log4net", np.getId());
assertEquals("2.0.3", np.getVersion());
@@ -57,7 +59,8 @@ public class XPathNuspecParserTest extends BaseTest {
@Test(expected = NuspecParseException.class)
public void testMissingDocument() throws Exception {
NuspecParser parser = new XPathNuspecParser();
InputStream is = XPathNuspecParserTest.class.getClassLoader().getResourceAsStream("dependencycheck.properties");
//InputStream is = XPathNuspecParserTest.class.getClassLoader().getResourceAsStream("dependencycheck.properties");
InputStream is = BaseTest.getResourceAsStream(this, "dependencycheck.properties");
//hide the fatal message from the core parser
final ByteArrayOutputStream myOut = new ByteArrayOutputStream();
@@ -74,7 +77,8 @@ public class XPathNuspecParserTest extends BaseTest {
@Test(expected = NuspecParseException.class)
public void testNotNuspec() throws Exception {
NuspecParser parser = new XPathNuspecParser();
InputStream is = XPathNuspecParserTest.class.getClassLoader().getResourceAsStream("suppressions.xml");
//InputStream is = XPathNuspecParserTest.class.getClassLoader().getResourceAsStream("suppressions.xml");
InputStream is = BaseTest.getResourceAsStream(this, "suppressions.xml");
NugetPackage np = parser.parse(is);
}
}
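Review bot: the InputStreams returned by `BaseTest.getResourceAsStream(this, ...)` in these three tests are never closed; wrap them in try/finally (or try-with-resources once the build moves to Java 7) so resource handles do not leak across the test run. The newly added `import java.io.File;` is only needed if File is used elsewhere in this class, which the hunks shown do not do, so drop it if unused, and `NugetPackage np` in testNotNuspec is assigned but never read.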


@@ -17,11 +17,14 @@
*/
package org.owasp.dependencycheck.data.nvdcve;
import java.util.HashMap;
import java.util.List;
import java.util.Map.Entry;
import java.util.Set;
import static org.junit.Assert.assertFalse;
import org.junit.Assert;
import static org.junit.Assert.assertTrue;
import org.junit.Test;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
import org.owasp.dependencycheck.utils.DependencyVersion;
@@ -66,28 +69,94 @@ public class CveDBIntegrationTest extends BaseDBTestCase {
public void testGetVulnerabilities() throws Exception {
String cpeStr = "cpe:/a:apache:struts:2.1.2";
CveDB instance = new CveDB();
List<Vulnerability> results;
try {
instance.open();
List result = instance.getVulnerabilities(cpeStr);
assertTrue(result.size() > 5);
results = instance.getVulnerabilities(cpeStr);
assertTrue(results.size() > 5);
cpeStr = "cpe:/a:jruby:jruby:1.6.3";
results = instance.getVulnerabilities(cpeStr);
assertTrue(results.size() > 1);
boolean found = false;
String expected = "CVE-2011-4838";
for (Vulnerability v : results) {
if (expected.equals(v.getName())) {
found = true;
break;
}
}
assertTrue("Expected " + expected + ", but was not identified", found);
found = false;
expected = "CVE-2012-5370";
for (Vulnerability v : results) {
if (expected.equals(v.getName())) {
found = true;
break;
}
}
assertTrue("Expected " + expected + ", but was not identified", found);
} finally {
instance.close();
}
}
/**
* Test of isAffected method, of class CveDB.
* Test of getMatchingSoftware method, of class CveDB.
*/
@Test
public void testIsAffected() throws Exception {
String vendor = "openssl";
String product = "openssl";
public void testGetMatchingSoftware() throws Exception {
HashMap<String, Boolean> versions = new HashMap<String, Boolean>();
DependencyVersion identifiedVersion = new DependencyVersion("1.0.1o");
String cpeId = "cpe:/a:openssl:openssl:1.0.1e";
String previous = "y";
versions.put("cpe:/a:openssl:openssl:1.0.1e", Boolean.FALSE);
CveDB instance = new CveDB();
assertFalse(instance.isAffected(vendor, product, identifiedVersion, cpeId, previous));
Entry<String, Boolean> results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
Assert.assertNull(results);
versions.put("cpe:/a:openssl:openssl:1.0.1p", Boolean.FALSE);
results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
Assert.assertNull(results);
versions.put("cpe:/a:openssl:openssl:1.0.1q", Boolean.TRUE);
results = instance.getMatchingSoftware(versions, "openssl", "openssl", identifiedVersion);
Assert.assertNotNull(results);
Assert.assertEquals("cpe:/a:openssl:openssl:1.0.1q", results.getKey());
versions.clear();
versions.put("cpe:/a:springsource:spring_framework:3.2.5", Boolean.FALSE);
versions.put("cpe:/a:springsource:spring_framework:3.2.6", Boolean.FALSE);
versions.put("cpe:/a:springsource:spring_framework:3.2.7", Boolean.TRUE);
versions.put("cpe:/a:springsource:spring_framework:4.0.1", Boolean.TRUE);
versions.put("cpe:/a:springsource:spring_framework:4.0.0:m1", Boolean.FALSE);
versions.put("cpe:/a:springsource:spring_framework:4.0.0:m2", Boolean.FALSE);
versions.put("cpe:/a:springsource:spring_framework:4.0.0:rc1", Boolean.FALSE);
identifiedVersion = new DependencyVersion("3.2.2");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
Assert.assertEquals("cpe:/a:springsource:spring_framework:3.2.7", results.getKey());
Assert.assertTrue(results.getValue());
identifiedVersion = new DependencyVersion("3.2.12");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
Assert.assertNull(results);
identifiedVersion = new DependencyVersion("4.0.0");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
Assert.assertEquals("cpe:/a:springsource:spring_framework:4.0.1", results.getKey());
Assert.assertTrue(results.getValue());
identifiedVersion = new DependencyVersion("4.1.0");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
Assert.assertNull(results);
versions.clear();
versions.put("cpe:/a:jruby:jruby:-", Boolean.FALSE);
identifiedVersion = new DependencyVersion("1.6.3");
results = instance.getMatchingSoftware(versions, "springsource", "spring_framework", identifiedVersion);
Assert.assertNotNull(results);
}
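Review bot: the new testGetMatchingSoftware opens a database with `CveDB instance = new CveDB();` and never closes it, unlike the test just above in this file, which releases it in a finally block with `instance.close()`; wrap the body in try/finally the same way so the connection does not leak across tests. Also, the last assertion populates the map with `cpe:/a:jruby:jruby:-` but queries with vendor `springsource` and product `spring_framework`; if the intent is to show that a `-` (any-version) CPE matches, pass `jruby`/`jruby` so the test does not depend on vendor and product being ignored. Note too that replacing testIsAffected drops the direct coverage of isAffected that this file had.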

View File

@@ -27,6 +27,7 @@ import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
/**
*
@@ -85,7 +86,8 @@ public class DriverLoaderTest {
public void testLoad_String_String() throws Exception {
String className = "com.mysql.jdbc.Driver";
//we know this is in target/test-classes
File testClassPath = (new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath())).getParentFile();
//File testClassPath = (new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath())).getParentFile();
File testClassPath = BaseTest.getResourceAsFile(this, "org.mortbay.jetty.jar").getParentFile();
File driver = new File(testClassPath, "../../src/test/resources/mysql-connector-java-5.1.27-bin.jar");
assertTrue("MySQL Driver JAR file not found in src/test/resources?", driver.isFile());
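Review bot: the original lookup is left behind as a comment (`//File testClassPath = (new File(this.getClass().getClassLoader()...`) directly above the new `BaseTest.getResourceAsFile` call; the old code is in version control, so delete the commented-out line rather than keeping it. The same pattern repeats in every other hunk in this commit that switches to getResourceAsFile (the remaining three DriverLoaderTest methods, NvdCveUpdaterIntegrationTest, both NVD handler tests, DependencyTest, ReportGeneratorIntegrationTest and the three suppression tests) and should be cleaned up in all of them.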
@@ -108,7 +110,8 @@ public class DriverLoaderTest {
public void testLoad_String_String_multiple_paths() throws Exception {
final String className = "com.mysql.jdbc.Driver";
//we know this is in target/test-classes
final File testClassPath = (new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath())).getParentFile();
//final File testClassPath = (new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath())).getParentFile();
final File testClassPath = BaseTest.getResourceAsFile(this, "org.mortbay.jetty.jar").getParentFile();
final File dir1 = new File(testClassPath, "../../src/test/");
final File dir2 = new File(testClassPath, "../../src/test/resources/");
final String paths = String.format("%s" + File.pathSeparator + "%s", dir1.getAbsolutePath(), dir2.getAbsolutePath());
@@ -130,7 +133,8 @@ public class DriverLoaderTest {
public void testLoad_String_String_badClassName() throws Exception {
String className = "com.mybad.jdbc.Driver";
//we know this is in target/test-classes
File testClassPath = (new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath())).getParentFile();
//File testClassPath = (new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath())).getParentFile();
File testClassPath = BaseTest.getResourceAsFile(this, "org.mortbay.jetty.jar").getParentFile();
File driver = new File(testClassPath, "../../src/test/resources/mysql-connector-java-5.1.27-bin.jar");
assertTrue("MySQL Driver JAR file not found in src/test/resources?", driver.isFile());
@@ -144,7 +148,8 @@ public class DriverLoaderTest {
public void testLoad_String_String_badPath() throws Exception {
String className = "com.mysql.jdbc.Driver";
//we know this is in target/test-classes
File testClassPath = (new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath())).getParentFile();
//File testClassPath = (new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath())).getParentFile();
File testClassPath = BaseTest.getResourceAsFile(this, "org.mortbay.jetty.jar").getParentFile();
File driver = new File(testClassPath, "../../src/test/bad/mysql-connector-java-5.1.27-bin.jar");
Driver d = DriverLoader.load(className, driver.getAbsolutePath());
}

View File

@@ -34,7 +34,8 @@ public class NvdCveUpdaterIntegrationTest extends BaseTest {
public void setUp() throws Exception {
int year = Calendar.getInstance().get(Calendar.YEAR);
if (year <= 2014) {
File f = new File(NvdCveUpdaterIntegrationTest.class.getClassLoader().getResource("nvdcve-2.0-2014.xml").getPath());
//File f = new File(NvdCveUpdaterIntegrationTest.class.getClassLoader().getResource("nvdcve-2.0-2014.xml").getPath());
File f = BaseTest.getResourceAsFile(this, "nvdcve-2.0-2014.xml");
String baseURL = f.toURI().toURL().toString();
String modified12 = baseURL.replace("nvdcve-2.0-2014.xml", "nvdcve-modified.xml");
String modified20 = baseURL.replace("nvdcve-2.0-2014.xml", "nvdcve-2.0-modified.xml");
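Review bot: the replaced line sits inside `if (year <= 2014)`, so on and after this commit's date the new `BaseTest.getResourceAsFile(this, "nvdcve-2.0-2014.xml")` path never executes and the integration test silently does nothing; either drop the year guard or derive the fixture name from the year so the test keeps exercising the updater.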

View File

@@ -68,7 +68,7 @@ public class DownloadTaskTest {
cve.setOldSchemaVersionUrl(Settings.getString(Settings.KEYS.CVE_MODIFIED_12_URL));
ExecutorService processExecutor = null;
CveDB cveDB = null;
DownloadTask instance = new DownloadTask(cve, processExecutor, cveDB, Settings.getInstance());;
DownloadTask instance = new DownloadTask(cve, processExecutor, cveDB, Settings.getInstance());
Future<ProcessTask> result = instance.call();
assertNull(result);
}

View File

@@ -28,6 +28,7 @@ import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
/**
@@ -60,7 +61,8 @@ public class NvdCve_1_2_HandlerTest {
SAXParserFactory factory = SAXParserFactory.newInstance();
SAXParser saxParser = factory.newSAXParser();
File file = new File(this.getClass().getClassLoader().getResource("nvdcve-2012.xml").getPath());
//File file = new File(this.getClass().getClassLoader().getResource("nvdcve-2012.xml").getPath());
File file = BaseTest.getResourceAsFile(this, "nvdcve-2012.xml");
NvdCve12Handler instance = new NvdCve12Handler();
saxParser.parse(file, instance);

View File

@@ -26,6 +26,7 @@ import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
/**
*
@@ -59,7 +60,8 @@ public class NvdCve_2_0_HandlerTest {
SAXParserFactory factory = SAXParserFactory.newInstance();
SAXParser saxParser = factory.newSAXParser();
File file = new File(this.getClass().getClassLoader().getResource("nvdcve-2.0-2012.xml").getPath());
//File file = new File(this.getClass().getClassLoader().getResource("nvdcve-2.0-2012.xml").getPath());
File file = BaseTest.getResourceAsFile(this, "nvdcve-2.0-2012.xml");
NvdCve20Handler instance = new NvdCve20Handler();

View File

@@ -28,6 +28,7 @@ import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.data.nexus.MavenArtifact;
/**
@@ -152,7 +153,9 @@ public class DependencyTest {
*/
@Test
public void testGetMd5sum() {
File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
//File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
File file = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
Dependency instance = new Dependency(file);
//assertEquals("89CE9E36AA9A9E03F1450936D2F4F8DD0F961F8B", result.getSha1sum());
String expResult = "C30B57142E1CCBC1EFD5CD15F307358F";
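Review bot: testGetMd5sum still carries a commented-out SHA1 assertion (`//assertEquals("89CE9E36AA9A9E03F1450936D2F4F8DD0F961F8B", result.getSha1sum());`) that refers to a `result` variable and to the checksum asserted in testGetSha1sum below; remove it here along with the commented-out `//File file = ...` line so the MD5 test only contains MD5 expectations.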
@@ -176,7 +179,8 @@ public class DependencyTest {
*/
@Test
public void testGetSha1sum() {
File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
//File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
File file = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
Dependency instance = new Dependency(file);
String expResult = "89CE9E36AA9A9E03F1450936D2F4F8DD0F961F8B";
String result = instance.getSha1sum();

View File

@@ -105,8 +105,8 @@ public class ReportGeneratorIntegrationTest extends BaseTest {
}
/**
* Generates an XML report containing known vulnerabilities and realistic data and validates the generated XML
* document against the XSD.
* Generates an XML report containing known vulnerabilities and realistic data and validates the generated XML document
* against the XSD.
*
* @throws Exception
*/
@@ -120,9 +120,12 @@ public class ReportGeneratorIntegrationTest extends BaseTest {
}
String writeTo = "target/test-reports/Report.xml";
File struts = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
File axis = new File(this.getClass().getClassLoader().getResource("axis2-adb-1.4.1.jar").getPath());
File jetty = new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath());
//File struts = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
File struts = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
//File axis = new File(this.getClass().getClassLoader().getResource("axis2-adb-1.4.1.jar").getPath());
File axis = BaseTest.getResourceAsFile(this, "axis2-adb-1.4.1.jar");
//File jetty = new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath());
File jetty = BaseTest.getResourceAsFile(this, "org.mortbay.jetty.jar");
boolean autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);

View File

@@ -31,6 +31,7 @@ import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
@@ -66,9 +67,11 @@ public class SuppressionHandlerTest {
*/
@Test
public void testHandler() throws Exception {
File file = new File(this.getClass().getClassLoader().getResource("suppressions.xml").getPath());
//File file = new File(this.getClass().getClassLoader().getResource("suppressions.xml").getPath());
File file = BaseTest.getResourceAsFile(this, "suppressions.xml");
File schema = new File(this.getClass().getClassLoader().getResource("schema/suppression.xsd").getPath());
//File schema = new File(this.getClass().getClassLoader().getResource("schema/suppression.xsd").getPath());
File schema = BaseTest.getResourceAsFile(this, "schema/suppression.xsd");
SuppressionHandler handler = new SuppressionHandler();
SAXParserFactory factory = SAXParserFactory.newInstance();

View File

@@ -25,6 +25,7 @@ import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
/**
* Test of the suppression parser.
@@ -57,7 +58,8 @@ public class SuppressionParserTest {
*/
@Test
public void testParseSuppressionRules() throws Exception {
File file = new File(this.getClass().getClassLoader().getResource("suppressions.xml").getPath());
//File file = new File(this.getClass().getClassLoader().getResource("suppressions.xml").getPath());
File file = BaseTest.getResourceAsFile(this, "suppressions.xml");
SuppressionParser instance = new SuppressionParser();
List result = instance.parseSuppressionRules(file);
assertTrue(result.size() > 3);

View File

@@ -28,6 +28,7 @@ import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Identifier;
import org.owasp.dependencycheck.dependency.Vulnerability;
@@ -422,7 +423,8 @@ public class SuppressionRuleTest {
*/
@Test
public void testProcess() {
File struts = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
//File struts = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
File struts = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
Dependency dependency = new Dependency(struts);
dependency.addIdentifier("cpe", "cpe:/a:microsoft:.net_framework:4.5", "some url not needed for this test");
String sha1 = dependency.getSha1sum();
@@ -501,7 +503,8 @@ public class SuppressionRuleTest {
*/
@Test
public void testProcessGAV() {
File spring = new File(this.getClass().getClassLoader().getResource("spring-security-web-3.0.0.RELEASE.jar").getPath());
//File spring = new File(this.getClass().getClassLoader().getResource("spring-security-web-3.0.0.RELEASE.jar").getPath());
File spring = BaseTest.getResourceAsFile(this, "spring-security-web-3.0.0.RELEASE.jar");
Dependency dependency = new Dependency(spring);
dependency.addIdentifier("cpe", "cpe:/a:vmware:springsource_spring_framework:3.0.0", "some url not needed for this test");
dependency.addIdentifier("cpe", "cpe:/a:springsource:spring_framework:3.0.0", "some url not needed for this test");

View File

@@ -3,9 +3,8 @@
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.2.8</version>
<version>1.2.9</version>
</parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-jenkins</artifactId>
<name>Dependency-Check Jenkins Plugin</name>
<url>http://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin</url>
@@ -59,7 +58,6 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-site-plugin</artifactId>
<version>3.3</version>
<dependencies>
<dependency>
<groupId>org.apache.maven.doxia</groupId>
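Review bot: dropping `<version>3.3</version>` from maven-site-plugin is only safe if dependency-check-parent now pins the plugin in `<pluginManagement>`; otherwise Maven resolves the latest available version, which can change between builds, and Maven 3 warns about unversioned plugins. Please confirm the parent POM change is part of this comparison; the same applies to the maven-plugin-plugin, maven-surefire-plugin and maven-enforcer-plugin versions removed from dependency-check-maven further down.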

View File

@@ -22,7 +22,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.2.8</version>
<version>1.2.9</version>
</parent>
<artifactId>dependency-check-maven</artifactId>
@@ -40,9 +40,6 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
</site>
</distributionManagement>
<!-- end copy -->
<prerequisites>
<maven>3.0</maven>
</prerequisites>
<build>
<resources>
<resource>
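Review bot: `<prerequisites><maven>3.0</maven></prerequisites>` is removed while the `enforce-maven-3` enforcer execution below is kept; the enforcer rule only constrains builds of this module, whereas for maven-plugin packaging the prerequisites element is the minimum-Maven metadata that ends up in the published POM and that tools such as the versions plugin read to judge compatibility. If the removal is intentional, say so in the commit message; otherwise keep the element, since the enforcer rule does not replace it.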
@@ -66,7 +63,6 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-plugin-plugin</artifactId>
<version>3.2</version>
<configuration>
<skipErrorNoDescriptorsFound>true</skipErrorNoDescriptorsFound>
<goalPrefix>dependency-check</goalPrefix>
@@ -89,7 +85,6 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>2.16</version>
<configuration>
<systemProperties>
<property>
@@ -107,7 +102,6 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<inherited>true</inherited>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-enforcer-plugin</artifactId>
<version>1.2</version>
<executions>
<execution>
<id>enforce-maven-3</id>
@@ -127,169 +121,135 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-site-plugin</artifactId>
<version>3.3</version>
<dependencies>
<dependency>
<groupId>org.apache.maven.doxia</groupId>
<artifactId>doxia-module-markdown</artifactId>
<version>1.5</version>
</dependency>
</dependencies>
<artifactId>maven-compiler-plugin</artifactId>
</plugin>
</plugins>
</build>
<reporting>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-plugin-plugin</artifactId>
<version>3.2</version>
<configuration>
<skipDeploy>true</skipDeploy>
<reportPlugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>2.7</version>
<reportSets>
<reportSet>
<reports>
<report>index</report>
<report>summary</report>
<report>license</report>
<report>help</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-plugin-plugin</artifactId>
<version>3.2</version>
<configuration>
<goalPrefix>dependency-check</goalPrefix>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.9.1</version>
<configuration>
<bottom>Copyright© 2012-14 Jeremy Long. All Rights Reserved.</bottom>
</configuration>
<reportSets>
<reportSet>
<id>default</id>
<reports>
<report>javadoc</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>2.1</version>
<reportSets>
<reportSet>
<reports>
<report>dependency-updates-report</report>
<report>plugin-updates-report</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>2.4</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>2.6</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>2.16</version>
<reportSets>
<reportSet>
<reports>
<report>report-only</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
<version>2.4</version>
<configuration>
<tagListOptions>
<tagClasses>
<tagClass>
<displayName>Todo Work</displayName>
<tags>
<tag>
<matchString>todo</matchString>
<matchType>ignoreCase</matchType>
</tag>
<tag>
<matchString>FIXME</matchString>
<matchType>exact</matchType>
</tag>
</tags>
</tagClass>
</tagClasses>
</tagListOptions>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
<version>2.11</version>
<configuration>
<enableRulesSummary>false</enableRulesSummary>
<configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
<headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
<suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<version>3.1</version>
<configuration>
<targetJdk>1.6</targetJdk>
<linkXref>true</linkXref>
<sourceEncoding>utf-8</sourceEncoding>
<excludes>
<exclude>**/generated/**/*.java</exclude>
<exclude>**/HelpMojo.java</exclude>
</excludes>
<rulesets>
<ruleset>../src/main/config/dcrules.xml</ruleset>
<ruleset>/rulesets/java/basic.xml</ruleset>
<ruleset>/rulesets/java/imports.xml</ruleset>
<ruleset>/rulesets/java/unusedcode.xml</ruleset>
</rulesets>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>2.5.3</version>
</plugin>
</reportPlugins>
<goalPrefix>dependency-check</goalPrefix>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.1</version>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.9.1</version>
<configuration>
<showDeprecation>false</showDeprecation>
<source>1.6</source>
<target>1.6</target>
<bottom>Copyright© 2012-15 Jeremy Long. All Rights Reserved.</bottom>
</configuration>
<reportSets>
<reportSet>
<id>default</id>
<reports>
<report>javadoc</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>2.1</version>
<reportSets>
<reportSet>
<reports>
<report>dependency-updates-report</report>
<report>plugin-updates-report</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>2.4</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>2.6</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>2.16</version>
<reportSets>
<reportSet>
<reports>
<report>report-only</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
<version>2.4</version>
<configuration>
<tagListOptions>
<tagClasses>
<tagClass>
<displayName>Todo Work</displayName>
<tags>
<tag>
<matchString>todo</matchString>
<matchType>ignoreCase</matchType>
</tag>
<tag>
<matchString>FIXME</matchString>
<matchType>exact</matchType>
</tag>
</tags>
</tagClass>
</tagClasses>
</tagListOptions>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
<version>2.11</version>
<configuration>
<enableRulesSummary>false</enableRulesSummary>
<enableFilesSummary>false</enableFilesSummary>
<configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
<headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
<suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<version>3.1</version>
<configuration>
<targetJdk>1.6</targetJdk>
<linkXref>true</linkXref>
<sourceEncoding>utf-8</sourceEncoding>
<excludes>
<exclude>**/generated/**/*.java</exclude>
<exclude>**/HelpMojo.java</exclude>
</excludes>
<rulesets>
<ruleset>../src/main/config/dcrules.xml</ruleset>
<ruleset>/rulesets/java/basic.xml</ruleset>
<ruleset>/rulesets/java/imports.xml</ruleset>
<ruleset>/rulesets/java/unusedcode.xml</ruleset>
</rulesets>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>2.5.3</version>
</plugin>
</plugins>
</build>
</reporting>
<dependencies>
<dependency>
<groupId>org.owasp</groupId>
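Review bot: the maven-compiler-plugin entry in `<build>` loses `<version>3.1</version>` together with `<source>1.6</source>`, `<target>1.6</target>` and `<showDeprecation>`; unless dependency-check-parent now supplies all of these through pluginManagement, this module compiles at the compiler plugin's default language level rather than Java 6. Since this same release reverts Lucene to 4.7.2 specifically because newer builds require JDK 1.7+ for the Maven plugin, the Java level of this module should be pinned explicitly or the parent setting confirmed. Minor: the new javadoc `<bottom>` text `Copyright© 2012-15` is missing a space after `Copyright`, as the old `2012-14` line was.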
@@ -304,27 +264,27 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<dependency>
<groupId>org.apache.maven</groupId>
<artifactId>maven-plugin-api</artifactId>
<version>3.0</version>
<version>3.2.5</version>
</dependency>
<dependency>
<groupId>org.apache.maven</groupId>
<artifactId>maven-settings</artifactId>
<version>3.0</version>
<version>3.2.5</version>
</dependency>
<dependency>
<groupId>org.apache.maven</groupId>
<artifactId>maven-core</artifactId>
<version>3.0</version>
<version>3.2.5</version>
</dependency>
<dependency>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-site-plugin</artifactId>
<version>3.0</version>
<version>3.4</version>
</dependency>
<dependency>
<groupId>org.apache.maven.plugin-tools</groupId>
<artifactId>maven-plugin-annotations</artifactId>
<version>3.0</version>
<version>3.4</version>
<scope>compile</scope>
</dependency>
<dependency>
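Review bot: maven-plugin-api, maven-settings and maven-core move from 3.0 to 3.2.5 at the default compile scope, and maven-plugin-annotations is explicitly `<scope>compile</scope>`; Maven supplies its own core classes at plugin runtime, so these are conventionally `provided` (the annotations are only needed while the plugin descriptor is generated), and leaving them at compile scope carries a Maven 3.2.5 API surface into the plugin's transitive dependencies. The enforcer execution in this POM is still named `enforce-maven-3`; if the plugin now compiles against 3.2.5 APIs, state the actual minimum Maven version it supports.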
@@ -335,20 +295,12 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<dependency>
<groupId>org.jmockit</groupId>
<artifactId>jmockit</artifactId>
<version>1.12</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.11</version>
<scope>test</scope>
<type>jar</type>
</dependency>
<dependency>
<groupId>org.apache.maven.plugin-testing</groupId>
<artifactId>maven-plugin-testing-harness</artifactId>
<version>2.1</version>
<version>3.3.0</version>
<scope>test</scope>
</dependency>
</dependencies>

View File

@@ -18,13 +18,12 @@
package org.owasp.dependencycheck.maven;
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -41,8 +40,8 @@ import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.utils.Settings;
/**
* Maven Plugin that checks project dependencies and the dependencies of all child modules to see if they have any known
* published vulnerabilities.
* Maven Plugin that checks project dependencies and the dependencies of all child modules to see if they have any known published
* vulnerabilities.
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
@@ -72,55 +71,50 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
final Engine engine = generateDataFile();
if (getProject() == getReactorProjects().get(getReactorProjects().size() - 1)) {
final Map<MavenProject, Set<MavenProject>> children = buildAggregateInfo();
boolean hasOrchestration = false;
//ensure that the .ser file was created for each.
for (MavenProject current : getReactorProjects()) {
final List<Dependency> dependencies = readDataFile(current);
final List<MavenProject> childProjects = getAllChildren(current, children);
//check for orchestration build - execution root with no children or dependencies
if ((dependencies == null || dependencies.isEmpty()) && childProjects.isEmpty() && current.isExecutionRoot()) {
hasOrchestration = true;
final File dataFile = getDataFile(current);
if (dataFile == null) { //dc was never run on this project. write the ser to the target.
LOGGER.fine(String.format("Executing dependency-check on %s", current.getName()));
generateDataFile(engine, current);
}
}
for (MavenProject current : getReactorProjects()) {
List<Dependency> dependencies = readDataFile(current);
final List<MavenProject> childProjects = getAllChildren(current, children);
//check for orchestration build - execution root with no children or dependencies
if ((dependencies == null || dependencies.isEmpty()) && childProjects.isEmpty() && current.isExecutionRoot()) {
engine.resetFileTypeAnalyzers();
for (MavenProject mod : getReactorProjects()) {
scanArtifacts(mod, engine);
}
engine.analyzeDependencies();
} else {
if (dependencies == null) {
dependencies = new ArrayList<Dependency>();
}
for (MavenProject reportOn : childProjects) {
final List<Dependency> childDeps = readDataFile(reportOn);
if (childDeps != null && !childDeps.isEmpty()) {
dependencies.addAll(childDeps);
}
}
engine.getDependencies().clear();
engine.getDependencies().addAll(dependencies);
final DependencyBundlingAnalyzer bundler = new DependencyBundlingAnalyzer();
try {
bundler.analyze(null, engine);
} catch (AnalysisException ex) {
LOGGER.log(Level.WARNING, "An error occured grouping the dependencies; duplicate entries may exist in the report", ex);
LOGGER.log(Level.FINE, "Bundling Exception", ex);
if (dependencies == null) {
dependencies = new ArrayList<Dependency>();
}
final Set<MavenProject> childProjects = getDescendants(current);
for (MavenProject reportOn : childProjects) {
final List<Dependency> childDeps = readDataFile(reportOn);
if (childDeps != null && !childDeps.isEmpty()) {
LOGGER.fine(String.format("Adding %d dependencies from %s", childDeps.size(), reportOn.getName()));
dependencies.addAll(childDeps);
} else {
LOGGER.fine(String.format("No dependencies read for %s", reportOn.getName()));
}
}
engine.getDependencies().clear();
engine.getDependencies().addAll(dependencies);
final DependencyBundlingAnalyzer bundler = new DependencyBundlingAnalyzer();
try {
final File outputDir = getCorrectOutputDirectory(current);
writeReports(engine, current, outputDir);
} catch (MojoExecutionException ex) {
if (!hasOrchestration) {
throw ex;
} // else ignore this
LOGGER.fine(String.format("Dependency count pre-bundler: %s", engine.getDependencies().size()));
bundler.analyze(null, engine);
LOGGER.fine(String.format("Dependency count post-bundler: %s", engine.getDependencies().size()));
} catch (AnalysisException ex) {
LOGGER.log(Level.WARNING, "An error occured grouping the dependencies; duplicate entries may exist in the report", ex);
LOGGER.log(Level.FINE, "Bundling Exception", ex);
}
File outputDir = getCorrectOutputDirectory(current);
if (outputDir == null) {
//in some regards we shouldn't be writting this, but we are anyway.
//we shouldn't write this because nothing is configured to generate this report.
outputDir = new File(current.getBuild().getDirectory());
}
writeReports(engine, current, outputDir);
}
}
engine.cleanup();
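Review bot: the new pre-pass calls `generateDataFile(engine, current)` for every reactor project without a data file, and per the overload added further down that method ends with `checkForFailure(engine.getDependencies())`; a module that exceeds the configured CVSS threshold will therefore throw a MojoFailureException during this pre-pass, before any aggregate report is written, leaving the user with a failed build and no report explaining why. Consider deferring checkForFailure until after writeReports, or applying it only to the aggregated set. Separately, the fallback `outputDir = new File(current.getBuild().getDirectory())` is introduced alongside a comment saying the report should not be written at all; either skip the project with a FINE log or drop the comment, since the previous behaviour (ignore a MojoExecutionException from writeReports only for orchestration builds) has been removed. Typo in the new comment: `writting`.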
@@ -128,26 +122,67 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
}
/**
* Returns a list containing all the recursive, non-pom children of the given project, never <code>null</code>.
* Returns a set containing all the descendant projects of the given project.
*
* @param project the parent project to collect the child project references
* @param childMap a map of the parent-child relationships
* @return a list of child projects
* @param project the project for which all descendants will be returned
* @return the set of descendant projects
*/
protected List<MavenProject> getAllChildren(MavenProject project, Map<MavenProject, Set<MavenProject>> childMap) {
final Set<MavenProject> children = childMap.get(project);
if (children == null) {
return Collections.emptyList();
protected Set<MavenProject> getDescendants(MavenProject project) {
if (project == null) {
return Collections.emptySet();
}
final List<MavenProject> result = new ArrayList<MavenProject>();
for (MavenProject child : children) {
if (isMultiModule(child)) {
result.addAll(getAllChildren(child, childMap));
} else {
result.add(child);
final Set<MavenProject> descendants = new HashSet<MavenProject>();
int size = 0;
LOGGER.fine(String.format("Collecting descendants of %s", project.getName()));
for (String m : project.getModules()) {
for (MavenProject mod : getReactorProjects()) {
try {
File mpp = new File(project.getBasedir(), m);
mpp = mpp.getCanonicalFile();
if (mpp.compareTo(mod.getBasedir()) == 0) {
if (descendants.add(mod)) {
LOGGER.fine(String.format("Decendent module %s added", mod.getName()));
}
}
} catch (IOException ex) {
LOGGER.log(Level.FINE, "Unable to determine module path", ex);
}
}
}
return result;
do {
size = descendants.size();
for (MavenProject p : getReactorProjects()) {
if (project.equals(p.getParent()) || descendants.contains(p.getParent())) {
if (descendants.add(p)) {
LOGGER.fine(String.format("Decendent %s added", p.getName()));
}
for (MavenProject modTest : getReactorProjects()) {
if (p.getModules() != null && p.getModules().contains(modTest.getName())) {
if (descendants.add(modTest)) {
LOGGER.fine(String.format("Decendent %s added", modTest.getName()));
}
}
}
}
for (MavenProject dec : descendants) {
for (String mod : dec.getModules()) {
try {
File mpp = new File(dec.getBasedir(), mod);
mpp = mpp.getCanonicalFile();
if (mpp.compareTo(p.getBasedir()) == 0) {
if (descendants.add(p)) {
LOGGER.fine(String.format("Decendent module %s added", p.getName()));
}
}
} catch (IOException ex) {
LOGGER.log(Level.FINE, "Unable to determine module path", ex);
}
}
}
}
} while (size != 0 && size != descendants.size());
LOGGER.fine(String.format("%s has %d children", project, descendants.size()));
return descendants;
}
/**
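Review bot: the fixed-point loop in getDescendants terminates on `while (size != 0 && size != descendants.size())`; `size` is the set's size at the start of the iteration, so when the module-path scan above found nothing (`size == 0`) the loop exits after a single pass even if that pass added projects, and a grandchild discovered only through a descendant added in the same pass can be missed depending on reactor order. Drop the `size != 0` term (or track a `changed` flag) so the loop runs until no new project is added. Also, `p.getModules().contains(modTest.getName())` compares a `<module>` path entry with a project's `<name>`; those are different values, so that check is effectively dead and the canonical-basedir comparison used in the other two places is what actually does the work. Minor: `Decendent` in three log messages, and the first module loop does not null-check `project.getModules()` while the later one does.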
@@ -161,30 +196,11 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
}
/**
* Builds the parent-child map.
*
* @return a map of the parent/child relationships
*/
private Map<MavenProject, Set<MavenProject>> buildAggregateInfo() {
final Map<MavenProject, Set<MavenProject>> parentChildMap = new HashMap<MavenProject, Set<MavenProject>>();
for (MavenProject proj : getReactorProjects()) {
Set<MavenProject> depList = parentChildMap.get(proj.getParent());
if (depList == null) {
depList = new HashSet<MavenProject>();
parentChildMap.put(proj.getParent(), depList);
}
depList.add(proj);
}
return parentChildMap;
}
/**
* Runs dependency-check's Engine and writes the serialized dependencies to disk.
* Initilizes the engine, runs a scan, and writes the serialized dependencies to disk.
*
* @return the Engine used to execute dependency-check
* @throws MojoExecutionException thrown if there is an exception running the mojo
* @throws MojoFailureException thrown if dependency-check is configured to fail the build if severe CVEs are
* identified.
* @throws MojoFailureException thrown if dependency-check is configured to fail the build if severe CVEs are identified.
*/
protected Engine generateDataFile() throws MojoExecutionException, MojoFailureException {
final Engine engine;
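Review bot: 'Initilizes' in the new javadoc summary of generateDataFile() should be 'Initializes'. Since the method now just obtains an Engine and delegates to the two-argument overload, the second sentence could point there instead of repeating the description of the scan.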
@@ -194,10 +210,27 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
LOGGER.log(Level.FINE, "Database connection error", ex);
throw new MojoExecutionException("An exception occured connecting to the local database. Please see the log file for more details.", ex);
}
scanArtifacts(getProject(), engine);
return generateDataFile(engine, getProject());
}
/**
* Runs dependency-check's Engine and writes the serialized dependencies to disk.
*
* @param engine the Engine to use when scanning.
* @param project the project to scan and generate the data file for
* @return the Engine used to execute dependency-check
* @throws MojoExecutionException thrown if there is an exception running the mojo
* @throws MojoFailureException thrown if dependency-check is configured to fail the build if severe CVEs are identified.
*/
protected Engine generateDataFile(Engine engine, MavenProject project) throws MojoExecutionException, MojoFailureException {
LOGGER.fine(String.format("Begin Scanning: %s", project.getName()));
engine.getDependencies().clear();
engine.resetFileTypeAnalyzers();
scanArtifacts(project, engine);
engine.analyzeDependencies();
writeDataFile(engine.getDependencies());
showSummary(engine.getDependencies());
final File target = new File(project.getBuild().getDirectory());
writeDataFile(project, target, engine.getDependencies());
showSummary(project, engine.getDependencies());
checkForFailure(engine.getDependencies());
return engine;
}
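Review bot: `final File target = new File(project.getBuild().getDirectory())` is handed to writeDataFile for each reactor module without making sure the directory exists; for a module whose build directory has not been created in this invocation, the FileOutputStream in writeDataFile fails with an IOException and the aggregate silently degrades to the 'results may be incomplete' warning. Call `target.mkdirs()` (and check its result) before writing, or do so inside writeDataFile. Separately, `checkForFailure(engine.getDependencies())` at the end of the per-project method will fail the build on the first module exceeding failBuildOnCVSS before the remaining modules are scanned and reported; if a complete aggregated report is the goal, defer the failure check until all modules have been processed. The existing message text 'An exception occured' should read 'occurred'.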

View File

@@ -32,6 +32,10 @@ import java.util.Locale;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.maven.artifact.Artifact;
import org.apache.maven.artifact.metadata.ArtifactMetadataRetrievalException;
import org.apache.maven.artifact.metadata.ArtifactMetadataSource;
import org.apache.maven.artifact.repository.ArtifactRepository;
import org.apache.maven.artifact.versioning.ArtifactVersion;
import org.apache.maven.doxia.sink.Sink;
import org.apache.maven.plugin.AbstractMojo;
import org.apache.maven.plugin.MojoExecutionException;
@@ -51,6 +55,7 @@ import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Identifier;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.reporting.ReportGenerator;
import org.owasp.dependencycheck.utils.DependencyVersion;
import org.owasp.dependencycheck.utils.LogUtils;
import org.owasp.dependencycheck.utils.Settings;
@@ -90,6 +95,21 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
*/
@Component
private MavenProject project;
/**
* The meta data source for retrieving artifact version information.
*/
@Component
private ArtifactMetadataSource metadataSource;
/**
* A reference to the local repository.
*/
@Parameter(property = "localRepository", readonly = true)
private ArtifactRepository localRepository;
/**
* References to the remote repositories.
*/
@Parameter(property = "project.remoteArtifactRepositories", readonly = true)
private List<ArtifactRepository> remoteRepositories;
/**
* List of Maven project of the current build
*/
@@ -101,21 +121,29 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
@SuppressWarnings("CanBeFinal")
@Parameter(property = "logFile", defaultValue = "")
private String logFile = null;
//"project.reporting.outputDirectory"
/**
* The output directory. This generally maps to "target".
*/
@Parameter(defaultValue = "${project.build.directory}", required = true)
private File outputDirectory;
/**
* Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11
* which means since the CVSS scores are 0-10, by default the build will never fail.
* Specifies the destination directory for the generated Dependency-Check report. This generally maps to "target/site".
*/
//Parameter(property = "reportOutputDirectory", defaultValue = "${project.reporting.outputDirectory}", required = true)
@Parameter(property = "project.reporting.outputDirectory", required = true)
private File reportOutputDirectory;
/**
* Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which
* means since the CVSS scores are 0-10, by default the build will never fail.
*/
@SuppressWarnings("CanBeFinal")
@Parameter(property = "failBuildOnCVSS", defaultValue = "11", required = true)
private float failBuildOnCVSS = 11;
/**
* Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to
* false. Default is true.
* Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. Default
* is true.
*/
@SuppressWarnings("CanBeFinal")
@Parameter(property = "autoupdate", defaultValue = "true", required = true)
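Review bot: the commented-out annotation `//Parameter(property = "reportOutputDirectory", defaultValue = "${project.reporting.outputDirectory}", required = true)` above the new reportOutputDirectory declaration is dead code; delete it (the history keeps it) or replace it with a sentence explaining why the field is now bound to `project.reporting.outputDirectory` directly and why `required = true` without a defaultValue is safe when the plugin is run outside the site lifecycle.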
@@ -129,8 +157,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
@Deprecated
private boolean aggregate;
/**
* The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this
* within the Site plug-in unless the externalReport is set to true. Default is HTML.
* The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the
* Site plug-in unless the externalReport is set to true. Default is HTML.
*/
@SuppressWarnings("CanBeFinal")
@Parameter(property = "format", defaultValue = "HTML", required = true)
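Review bot: 'no affect' in the reflowed javadoc for the format parameter should be 'no effect'; since the line is being rewrapped anyway, fix the wording in the same change.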
@@ -317,13 +345,6 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
@Parameter(property = "externalReport")
@Deprecated
private String externalReport = null;
/**
* Specifies the destination directory for the generated Dependency-Check report. This generally maps to
* "target/site".
*/
@Parameter(property = "reportOutputDirectory", defaultValue = "${project.reporting.outputDirectory}", required = true)
private File reportOutputDirectory;
// </editor-fold>
//<editor-fold defaultstate="collapsed" desc="Base Maven implementation">
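Review bot: removing `@Parameter(property = "reportOutputDirectory", defaultValue = "${project.reporting.outputDirectory}", required = true)` here, while the field is re-declared earlier in this file bound to `project.reporting.outputDirectory` with no defaultValue, drops the user property `reportOutputDirectory`: anyone passing `-DreportOutputDirectory=...` on the command line now silently gets the project's reporting output directory instead. If the rename is intentional, call it out in the release notes and consider keeping the old property as a deprecated alias for one release; otherwise carry the `property` and `defaultValue` attributes over to the new declaration.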
@@ -341,8 +362,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
}
/**
* Checks if the aggregate configuration parameter has been set to true. If it has a MojoExecutionException is
* thrown because the aggregate configuration parameter is no longer supported.
* Checks if the aggregate configuration parameter has been set to true. If it has a MojoExecutionException is thrown because
* the aggregate configuration parameter is no longer supported.
*
* @throws MojoExecutionException thrown if aggregate is set to true
*/
@@ -405,15 +426,38 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
*
* @param current the Maven project to get the output directory from
* @return the directory to write the report(s)
* @throws MojoExecutionException thrown if there is an error loading the file path
*/
protected File getCorrectOutputDirectory(MavenProject current) throws MojoExecutionException {
protected File getCorrectOutputDirectory(MavenProject current) {
final Object obj = current.getContextValue(getOutputDirectoryContextKey());
if (obj != null && obj instanceof File) {
return (File) obj;
} else {
throw new MojoExecutionException(String.format("Unable to determine output directory for '%s'", current.getName()));
if (obj != null) {
if (obj instanceof File) {
return (File) obj;
}
}
File target = new File(current.getBuild().getDirectory());
if (target.getParentFile() != null && "target".equals(target.getParentFile().getName())) {
target = target.getParentFile();
}
return target;
}
/**
* Returns the correct output directory depending on if a site is being executed or not.
*
* @param current the Maven project to get the output directory from
* @return the directory to write the report(s)
*/
protected File getDataFile(MavenProject current) {
LOGGER.fine(String.format("Getting data filefor %s using key '%s'", current.getName(), getDataFileContextKey()));
final Object obj = current.getContextValue(getDataFileContextKey());
if (obj != null) {
if (obj instanceof File) {
return (File) obj;
}
} else {
LOGGER.fine("Context value not found");
}
return null;
}
/**
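Review bot: the `@throws MojoExecutionException` tag on getCorrectOutputDirectory is now stale because the `throws` clause and the exception were removed; drop the tag. The nested `if (obj != null) { if (obj instanceof File)` can collapse back to `if (obj instanceof File)`, which is null-safe on its own. The javadoc on the new getDataFile(MavenProject) was copied from getCorrectOutputDirectory ('Returns the correct output directory depending on if a site is being executed or not') and describes the wrong method; it should say that it returns the data file recorded in the project context, or null when none was recorded, so callers know to handle the null. 'data filefor' in its log message is missing a space. Finally, the fallback `if (target.getParentFile() != null && "target".equals(target.getParentFile().getName()))` needs a comment stating which layout it is meant to catch: with the default `${project.build.directory}` the parent of the build directory is the module basedir, so this branch would not normally fire.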
@@ -434,11 +478,35 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
if (d != null) {
final MavenArtifact ma = new MavenArtifact(a.getGroupId(), a.getArtifactId(), a.getVersion());
d.addAsEvidence("pom", ma, Confidence.HIGHEST);
d.addProjectReference(project.getName());
LOGGER.fine(String.format("Adding project reference %s on dependency %s", project.getName(),
d.getDisplayFileName()));
if (metadataSource != null) {
try {
final DependencyVersion currentVersion = new DependencyVersion(a.getVersion());
final List<ArtifactVersion> versions = metadataSource.retrieveAvailableVersions(a,
localRepository, remoteRepositories);
for (ArtifactVersion av : versions) {
final DependencyVersion newVersion = new DependencyVersion(av.toString());
if (currentVersion.compareTo(newVersion) < 0) {
d.addAvailableVersion(av.toString());
}
}
} catch (ArtifactMetadataRetrievalException ex) {
LOGGER.log(Level.WARNING,
"Unable to check for new versions of dependencies; see the log for more details.");
LOGGER.log(Level.FINE, null, ex);
} catch (Throwable t) {
LOGGER.log(Level.WARNING,
"Unexpected error occured checking for new versions; see the log for more details.");
LOGGER.log(Level.FINE, "", t);
}
}
}
} else {
final String msg = String.format("More then 1 dependency was identified in first pass scan of '%s:%s:%s'",
a.getGroupId(), a.getArtifactId(), a.getVersion());
LOGGER.info(msg);
LOGGER.fine(msg);
}
}
}
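Review bot: `catch (Throwable t)` around the version lookup also swallows Errors such as OutOfMemoryError and ThreadDeath and reduces them to a WARNING; catch `RuntimeException` (or `Exception`) and let Errors propagate. The lookup also performs `metadataSource.retrieveAvailableVersions(a, localRepository, remoteRepositories)` for every resolved artifact, adding one remote metadata request per dependency to every check run, even when the build is offline or the user does not want version hints; a parameter to disable it, honoured together with Maven's offline mode, would keep the scan's network footprint predictable. Typos in the touched messages: 'occured' (occurred) and 'More then 1' (More than 1).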
@@ -526,15 +594,19 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
* @throws DatabaseException thrown if there is a database exception
*/
protected Engine initializeEngine() throws DatabaseException {
final InputStream in = BaseDependencyCheckMojo.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
final InputStream in = BaseDependencyCheckMojo.class
.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
LogUtils.prepareLogger(in, logFile);
populateSettings();
return new Engine(this.project, this.reactorProjects);
return new Engine(this.project,
this.reactorProjects);
}
/**
* Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system
* properties required to change the proxy url, port, and connection timeout.
* Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
* required to change the proxy url, port, and connection timeout.
*/
private void populateSettings() {
Settings.initialize();
@@ -659,7 +731,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
private Proxy getMavenProxy() {
if (mavenSettings != null) {
final List<Proxy> proxies = mavenSettings.getProxies();
if (proxies != null && proxies.size() > 0) {
if (proxies != null && !proxies.isEmpty()) {
if (mavenSettingsProxyId != null) {
for (Proxy proxy : proxies) {
if (mavenSettingsProxyId.equalsIgnoreCase(proxy.getId())) {
@@ -669,8 +741,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
} else if (proxies.size() == 1) {
return proxies.get(0);
} else {
LOGGER.warning("Multiple proxy defentiions exist in the Maven settings. In the dependency-check "
+ "configuration set the maveSettingsProxyId so that the correct proxy will be used.");
LOGGER.warning("Multiple proxy definitions exist in the Maven settings. In the dependency-check "
+ "configuration set the mavenSettingsProxyId so that the correct proxy will be used.");
throw new IllegalStateException("Ambiguous proxy definition");
}
}
@@ -699,9 +771,9 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
/**
* Returns a reference to the current project. This method is used instead of auto-binding the project via component
* annotation in concrete implementations of this. If the child has a <code>@Component MavenProject project;</code>
* defined then the abstract class (i.e. this class) will not have access to the current project (just the way Maven
* works with the binding).
* annotation in concrete implementations of this. If the child has a <code>@Component MavenProject project;</code> defined
* then the abstract class (i.e. this class) will not have access to the current project (just the way Maven works with the
* binding).
*
* @return returns a reference to the current project
*/
@@ -799,9 +871,10 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
/**
* Generates a warning message listing a summary of dependencies and their associated CPE and CVE entries.
*
* @param mp the Maven project for which the summary is shown
* @param dependencies a list of dependency objects
*/
protected void showSummary(List<Dependency> dependencies) {
protected void showSummary(MavenProject mp, List<Dependency> dependencies) {
if (showSummary) {
final StringBuilder summary = new StringBuilder();
for (Dependency d : dependencies) {
@@ -830,8 +903,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
}
}
if (summary.length() > 0) {
final String msg = String.format("%n%n" + "One or more dependencies were identified with known vulnerabilities:%n%n%s"
+ "%n%nSee the dependency-check report for more details.%n%n", summary.toString());
final String msg = String.format("%n%n" + "One or more dependencies were identified with known vulnerabilities in %s:%n%n%s"
+ "%n%nSee the dependency-check report for more details.%n%n", mp.getName(), summary.toString());
LOGGER.log(Level.WARNING, msg);
}
}
@@ -840,8 +913,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
//</editor-fold>
//<editor-fold defaultstate="collapsed" desc="Methods to read/write the serialized data file">
/**
* Returns the key used to store the path to the data file that is saved by <code>writeDataFile()</code>. This key
* is used in the <code>MavenProject.(set|get)ContextValue</code>.
* Returns the key used to store the path to the data file that is saved by <code>writeDataFile()</code>. This key is used in
* the <code>MavenProject.(set|get)ContextValue</code>.
*
* @return the key used to store the path to the data file
*/
@@ -862,27 +935,38 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
/**
* Writes the scan data to disk. This is used to serialize the scan data between the "check" and "aggregate" phase.
*
* @param mp the mMven project for which the data file was created
* @param writeTo the directory to write the data file
* @param dependencies the list of dependencies to serialize
*/
protected void writeDataFile(List<Dependency> dependencies) {
File file = null;
if (dependencies != null && project.getContextValue(this.getDataFileContextKey()) == null) {
file = new File(project.getBuild().getDirectory(), dataFileName);
protected void writeDataFile(MavenProject mp, File writeTo, List<Dependency> dependencies) {
File file;
//check to see if this was already written out
if (mp.getContextValue(this.getDataFileContextKey()) == null) {
if (writeTo == null) {
file = new File(mp.getBuild().getDirectory());
file = new File(file, dataFileName);
} else {
file = new File(writeTo, dataFileName);
}
OutputStream os = null;
OutputStream bos = null;
ObjectOutputStream out = null;
try {
os = new FileOutputStream(file);
bos = new BufferedOutputStream(os);
out = new ObjectOutputStream(bos);
out.writeObject(dependencies);
out.flush();
if (dependencies != null) {
os = new FileOutputStream(file);
bos = new BufferedOutputStream(os);
out = new ObjectOutputStream(bos);
out.writeObject(dependencies);
out.flush();
//call reset to prevent resource leaks per
//https://www.securecoding.cert.org/confluence/display/java/SER10-J.+Avoid+memory+and+resource+leaks+during+serialization
out.reset();
project.setContextValue(this.getDataFileContextKey(), file.getAbsolutePath());
LOGGER.fine(String.format("Serialized data file written to '%s'", file.getAbsolutePath()));
//call reset to prevent resource leaks per
//https://www.securecoding.cert.org/confluence/display/java/SER10-J.+Avoid+memory+and+resource+leaks+during+serialization
out.reset();
}
LOGGER.fine(String.format("Serialized data file written to '%s' for %s, referenced by key %s",
file.getAbsolutePath(), mp.getName(), this.getDataFileContextKey()));
mp.setContextValue(this.getDataFileContextKey(), file.getAbsolutePath());
} catch (IOException ex) {
LOGGER.log(Level.WARNING, "Unable to create data file used for report aggregation; "
+ "if report aggregation is being used the results may be incomplete.");
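Review bot: `mp.setContextValue(this.getDataFileContextKey(), file.getAbsolutePath())` and the 'Serialized data file written' log line were moved outside the `if (dependencies != null)` block, so when dependencies is null the method records (and logs) a data-file path that was never written, and readDataFile will later be handed a path to a non-existent file. Keep the context update inside the null check, or serialize an empty list instead of skipping the write. Smaller points: `new File(mp.getBuild().getDirectory())` followed by `new File(file, dataFileName)` can be the single `new File(mp.getBuild().getDirectory(), dataFileName)` the removed code used, and 'the mMven project' in the new @param should be 'the Maven project'. Because this file is consumed by Java deserialization on the read side, the javadoc should also state that the data file is trusted build output: whatever can write to a module's build directory can influence what the aggregate goal reads back, which is acceptable for a build tool but worth making explicit.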
@@ -914,8 +998,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
}
/**
* Reads the serialized scan data from disk. This is used to serialize the scan data between the "check" and
* "aggregate" phase.
* Reads the serialized scan data from disk. This is used to serialize the scan data between the "check" and "aggregate"
* phase.
*
* @param project the Maven project to read the data file from
* @return a <code>Engine</code> object populated with dependencies if the serialized data file exists; otherwise

View File

@@ -86,8 +86,8 @@ public class CheckMojo extends BaseDependencyCheckMojo {
} else {
engine.analyzeDependencies();
writeReports(engine, getProject(), getCorrectOutputDirectory());
writeDataFile(engine.getDependencies());
showSummary(engine.getDependencies());
writeDataFile(getProject(), null, engine.getDependencies());
showSummary(getProject(), engine.getDependencies());
checkForFailure(engine.getDependencies());
}
engine.cleanup();
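Review bot: passing `null` as the writeTo argument in `writeDataFile(getProject(), null, engine.getDependencies())` relies on a null sentinel meaning 'use the project's build directory'; a two-argument overload `writeDataFile(MavenProject, List<Dependency>)` that supplies the directory itself would make this call site self-explanatory and keep the null branch out of the serialization method.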

View File

@@ -27,8 +27,8 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.utils.Settings;
/**
* A modified version of the core engine specifically designed to persist some data between multiple executions of a
* multi-module Maven project.
* A modified version of the core engine specifically designed to persist some
* data between multiple executions of a multi-module Maven project.
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
@@ -51,7 +51,8 @@ public class Engine extends org.owasp.dependencycheck.Engine {
*/
private List<MavenProject> reactorProjects;
/**
* Key used in the MavenProject context values to note whether or not an update has been executed.
* Key used in the MavenProject context values to note whether or not an
* update has been executed.
*/
public static final String UPDATE_EXECUTED_FLAG = "dependency-check-update-executed";
@@ -59,12 +60,22 @@ public class Engine extends org.owasp.dependencycheck.Engine {
* Creates a new Engine to perform anyalsis on dependencies.
*
* @param project the current Maven project
* @param reactorProjects the reactor projects for the current Maven execution
* @throws DatabaseException thrown if there is an issue connecting to the database
* @param reactorProjects the reactor projects for the current Maven
* execution
* @throws DatabaseException thrown if there is an issue connecting to the
* database
*/
public Engine(MavenProject project, List<MavenProject> reactorProjects) throws DatabaseException {
this.currentProject = project;
this.reactorProjects = reactorProjects;
initializeEngine();
}
/**
* Runs the analyzers against all of the dependencies.
*/
@Override
public void analyzeDependencies() {
final MavenProject root = getExecutionRoot();
if (root != null) {
LOGGER.fine(String.format("Checking root project, %s, if updates have already been completed", root.getArtifactId()));
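Review bot: `initializeEngine()` is now called from the constructor, and the call in analyzeDependencies() is dropped in the next hunk, so analyzer initialization happens at construction time, before the UPDATE_EXECUTED_FLAG check that switches AUTO_UPDATE off. That is correct only if the NVD auto-update is triggered from `super.analyzeDependencies()` rather than from initialization; since that ordering is the entire point of this override, state it in a comment next to the flag check. The javadoc in this file is being rewrapped at 80 columns while BaseDependencyCheckMojo in the same change is rewrapped at 120; pick one width for the project. 'anyalsis' in the constructor summary should be 'analysis'.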
@@ -74,7 +85,7 @@ public class Engine extends org.owasp.dependencycheck.Engine {
if (root != null && root.getContextValue(UPDATE_EXECUTED_FLAG) != null) {
System.setProperty(Settings.KEYS.AUTO_UPDATE, Boolean.FALSE.toString());
}
initializeEngine();
super.analyzeDependencies();
if (root != null) {
root.setContextValue(UPDATE_EXECUTED_FLAG, Boolean.TRUE);
}
@@ -83,14 +94,15 @@ public class Engine extends org.owasp.dependencycheck.Engine {
/**
* This constructor should not be called. Use Engine(MavenProject) instead.
*
* @throws DatabaseException thrown if there is an issue connecting to the database
* @throws DatabaseException thrown if there is an issue connecting to the
* database
*/
private Engine() throws DatabaseException {
}
/**
* Initializes the given analyzer. This skips the initialization of the CPEAnalyzer if it has been initialized by a
* previous execution.
* Initializes the given analyzer. This skips the initialization of the
* CPEAnalyzer if it has been initialized by a previous execution.
*
* @param analyzer the analyzer to initialize
* @return the initialized analyzer
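Review bot: the private constructor's javadoc still says 'Use Engine(MavenProject) instead', but the public constructor is Engine(MavenProject, List<MavenProject>); update the reference while the surrounding lines are being rewrapped.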
@@ -109,7 +121,8 @@ public class Engine extends org.owasp.dependencycheck.Engine {
}
/**
* Releases resources used by the analyzers by calling close() on each analyzer.
* Releases resources used by the analyzers by calling close() on each
* analyzer.
*/
@Override
public void cleanup() {
@@ -196,9 +209,10 @@ public class Engine extends org.owasp.dependencycheck.Engine {
}
/**
* Resets the file type analyzers so that they can be re-used to scan additional directories. Without the reset the
* analyzer might be disabled because the first scan/analyze did not identify any files that could be processed by
* the analyzer.
* Resets the file type analyzers so that they can be re-used to scan
* additional directories. Without the reset the analyzer might be disabled
* because the first scan/analyze did not identify any files that could be
* processed by the analyzer.
*/
public void resetFileTypeAnalyzers() {
for (FileTypeAnalyzer a : getFileTypeAnalyzers()) {

View File

@@ -65,6 +65,11 @@ public class BaseDependencyCheckMojoTest extends BaseTest {
return artifacts;
}
@Mock
public String getName() {
return "test-project";
}
}.getMockInstance();
boolean autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);

View File

@@ -21,7 +21,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.2.8</version>
<version>1.2.9</version>
</parent>
<artifactId>dependency-check-utils</artifactId>
@@ -45,11 +45,10 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>2.6</version>
<configuration>
<instrumentation>
<!--instrumentation>
<ignoreTrivial>true</ignoreTrivial>
</instrumentation>
</instrumentation-->
<check>
<branchRate>85</branchRate>
<lineRate>85</lineRate>
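Review bot: the `<!--instrumentation> ... </instrumentation-->` block disables configuration by commenting it out; delete it outright (the history keeps it) or add a comment saying why `ignoreTrivial` is no longer wanted, since commented-out XML drifts out of sync with the plugin's real schema. Dropping `<version>2.6</version>` from cobertura-maven-plugin is fine only if the parent's pluginManagement pins it; otherwise Maven warns and resolves the newest release on each build, which makes the build itself non-reproducible.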
@@ -78,7 +77,6 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>2.16</version>
<configuration>
<systemProperties>
<property>
@@ -94,196 +92,137 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-failsafe-plugin</artifactId>
<version>2.16</version>
<configuration>
<systemProperties>
<property>
<name>temp.directory</name>
<value>${project.build.directory}/temp</value>
</property>
</systemProperties>
<includes>
<include>**/*IntegrationTest.java</include>
</includes>
</configuration>
<executions>
<execution>
<goals>
<goal>integration-test</goal>
<goal>verify</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.1</version>
</plugin>
</plugins>
</build>
<reporting>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.9.1</version>
<configuration>
<showDeprecation>false</showDeprecation>
<source>1.6</source>
<target>1.6</target>
<bottom>Copyright© 2012-15 Jeremy Long. All Rights Reserved.</bottom>
</configuration>
<reportSets>
<reportSet>
<id>default</id>
<reports>
<report>javadoc</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>2.1</version>
<reportSets>
<reportSet>
<reports>
<report>dependency-updates-report</report>
<report>plugin-updates-report</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>2.4</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>2.6</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>2.16</version>
<reportSets>
<reportSet>
<reports>
<report>report-only</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
<version>2.4</version>
<configuration>
<tagListOptions>
<tagClasses>
<tagClass>
<displayName>Todo Work</displayName>
<tags>
<tag>
<matchString>todo</matchString>
<matchType>ignoreCase</matchType>
</tag>
<tag>
<matchString>FIXME</matchString>
<matchType>exact</matchType>
</tag>
</tags>
</tagClass>
</tagClasses>
</tagListOptions>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-site-plugin</artifactId>
<version>3.3</version>
<dependencies>
<dependency>
<groupId>org.apache.maven.doxia</groupId>
<artifactId>doxia-module-markdown</artifactId>
<version>1.5</version>
</dependency>
</dependencies>
<artifactId>maven-checkstyle-plugin</artifactId>
<version>2.11</version>
<configuration>
<skipDeploy>true</skipDeploy>
<reportPlugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>2.7</version>
<reportSets>
<reportSet>
<reports>
<report>index</report>
<report>summary</report>
<report>license</report>
<report>help</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.9.1</version>
<configuration>
<bottom>Copyright© 2012-14 Jeremy Long. All Rights Reserved.</bottom>
</configuration>
<reportSets>
<reportSet>
<id>default</id>
<reports>
<report>javadoc</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>2.1</version>
<reportSets>
<reportSet>
<reports>
<report>dependency-updates-report</report>
<report>plugin-updates-report</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>2.4</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>2.6</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>2.16</version>
<reportSets>
<reportSet>
<reports>
<report>report-only</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
<version>2.4</version>
<configuration>
<tagListOptions>
<tagClasses>
<tagClass>
<displayName>Todo Work</displayName>
<tags>
<tag>
<matchString>todo</matchString>
<matchType>ignoreCase</matchType>
</tag>
<tag>
<matchString>FIXME</matchString>
<matchType>exact</matchType>
</tag>
</tags>
</tagClass>
</tagClasses>
</tagListOptions>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
<version>2.11</version>
<configuration>
<enableRulesSummary>false</enableRulesSummary>
<configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
<headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
<suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<version>3.0.1</version>
<configuration>
<targetJdk>1.6</targetJdk>
<linkXref>true</linkXref>
<sourceEncoding>utf-8</sourceEncoding>
<excludes>
<exclude>**/org/owasp/dependencycheck/org/apache/**/*.java</exclude>
</excludes>
<rulesets>
<ruleset>../src/main/config/dcrules.xml</ruleset>
<ruleset>/rulesets/java/basic.xml</ruleset>
<ruleset>/rulesets/java/imports.xml</ruleset>
<ruleset>/rulesets/java/unusedcode.xml</ruleset>
</rulesets>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>2.5.3</version>
<configuration>
<onlyAnalyze>org.owasp.dependencycheck.utils.*</onlyAnalyze>
</configuration>
</plugin>
</reportPlugins>
<enableRulesSummary>false</enableRulesSummary>
<enableFilesSummary>false</enableFilesSummary>
<configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
<headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
<suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
<suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<version>3.0.1</version>
<configuration>
<targetJdk>1.6</targetJdk>
<linkXref>true</linkXref>
<sourceEncoding>utf-8</sourceEncoding>
<excludes>
<exclude>**/org/owasp/dependencycheck/org/apache/**/*.java</exclude>
</excludes>
<rulesets>
<ruleset>../src/main/config/dcrules.xml</ruleset>
<ruleset>/rulesets/java/basic.xml</ruleset>
<ruleset>/rulesets/java/imports.xml</ruleset>
<ruleset>/rulesets/java/unusedcode.xml</ruleset>
</rulesets>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>2.5.3</version>
<configuration>
<onlyAnalyze>org.owasp.dependencycheck.utils.*</onlyAnalyze>
</configuration>
</plugin>
</plugins>
</build>
</reporting>
<dependencies>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.4</version>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.11</version>
<scope>test</scope>
</dependency>
</dependencies>
</project>
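Review bot: moving the report plugins out of maven-site-plugin's `<reportPlugins>` into a top-level `<reporting>` section is the right direction (reportPlugins is the deprecated site-plugin mechanism), but two things fall out of the move. First, the maven-site-plugin declaration with its `doxia-module-markdown` dependency disappears from this module entirely, so any Markdown site sources under this module stop rendering unless the parent declares the same site-plugin dependency. Second, explicit `<version>` elements are removed from maven-failsafe-plugin (2.16), maven-compiler-plugin (3.1), maven-surefire-plugin (2.16) and the reporting plugins; with the parent bumped to 1.2.9 in the same change, confirm that its pluginManagement pins every one of these, because an unpinned plugin resolves to the newest release on each build and the version of the build tooling is part of the project's supply chain. The compiler plugin declaration now contains nothing but groupId and artifactId, so also confirm that source/target 1.6 is still applied from the parent.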

View File

@@ -25,6 +25,7 @@ import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URISyntaxException;
import java.net.URL;
import java.security.InvalidAlgorithmParameterException;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.zip.GZIPInputStream;
@@ -93,6 +94,34 @@ public final class Downloader {
conn = URLConnectionFactory.createHttpURLConnection(url, useProxy);
conn.setRequestProperty("Accept-Encoding", "gzip, deflate");
conn.connect();
int status = conn.getResponseCode();
if (status != HttpURLConnection.HTTP_OK) {
if (status == HttpURLConnection.HTTP_MOVED_TEMP
|| status == HttpURLConnection.HTTP_MOVED_PERM
|| status == HttpURLConnection.HTTP_SEE_OTHER) {
final String location = conn.getHeaderField("Location");
try {
conn.disconnect();
} finally {
conn = null;
}
LOGGER.fine(String.format("Download is being redirected from %s to %s", url.toString(), location));
conn = URLConnectionFactory.createHttpURLConnection(new URL(location), useProxy);
conn.setRequestProperty("Accept-Encoding", "gzip, deflate");
conn.connect();
status = conn.getResponseCode();
}
}
if (status != 200) {
try {
conn.disconnect();
} finally {
conn = null;
}
final String msg = String.format("Error downloading file %s; received response code %s.", url.toString(), status);
throw new DownloadFailedException(msg);
}
} catch (IOException ex) {
try {
if (conn != null) {
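Review bot: the manual redirect at `conn = URLConnectionFactory.createHttpURLConnection(new URL(location), useProxy);` follows whatever `Location` the server sends without checking that the scheme is unchanged, so a redirect from an https URL to an http one is followed silently; the built-in `HttpURLConnection` redirect handling refuses cross-protocol redirects for exactly this reason, and the same check belongs here (compare `url.getProtocol()` with the new URL's protocol and throw `DownloadFailedException` on a mismatch). Two smaller points: `new URL(location)` throws `MalformedURLException` when the `Location` header is relative or absent (`getHeaderField` returns null), and that lands in the outer `catch (IOException ex)` with the misleading "unable to connect" message; `new URL(url, location)` resolves relative targets. Also, `if (status != 200)` should use `HttpURLConnection.HTTP_OK` like the check above it, and since only one hop is followed, a second 3xx ends up in that branch with the generic response-code message, which is acceptable but deserves a comment.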
@@ -104,8 +133,8 @@ public final class Downloader {
final String msg = String.format("Error downloading file %s; unable to connect.", url.toString());
throw new DownloadFailedException(msg, ex);
}
final String encoding = conn.getContentEncoding();
final String encoding = conn.getContentEncoding();
BufferedOutputStream writer = null;
InputStream reader = null;
try {
@@ -124,6 +153,7 @@ public final class Downloader {
writer.write(buffer, 0, bytesRead);
}
} catch (IOException ex) {
analyzeException(ex);
final String msg = String.format("Error saving '%s' to file '%s'%nConnection Timeout: %d%nEncoding: %s%n",
url.toString(), outputPath.getAbsolutePath(), conn.getConnectTimeout(), encoding);
throw new DownloadFailedException(msg, ex);
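Review bot: `analyzeException(ex);` can throw before the detailed message below is built, in which case the URL and output path are lost from the resulting exception; since `analyzeException` only reacts to an `InvalidAlgorithmParameterException` cause, consider passing the URL into it (or having it return a boolean and letting this block throw) so the `DownloadFailedException` still names the download that failed. The same applies to the call added in the HEAD-request hunk further down.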
@@ -136,16 +166,14 @@ public final class Downloader {
try {
writer.close();
} catch (IOException ex) {
LOGGER.log(Level.FINEST,
"Error closing the writer in Downloader.", ex);
LOGGER.log(Level.FINEST, "Error closing the writer in Downloader.", ex);
}
}
if (reader != null) {
try {
reader.close();
} catch (IOException ex) {
LOGGER.log(Level.FINEST,
"Error closing the reader in Downloader.", ex);
LOGGER.log(Level.FINEST, "Error closing the reader in Downloader.", ex);
}
}
try {
@@ -158,8 +186,8 @@ public final class Downloader {
}
/**
* Makes an HTTP Head request to retrieve the last modified date of the given URL. If the file:// protocol is
* specified, then the lastTimestamp of the file is returned.
* Makes an HTTP Head request to retrieve the last modified date of the given URL. If the file:// protocol is specified, then
* the lastTimestamp of the file is returned.
*
* @param url the URL to retrieve the timestamp from
* @return an epoch timestamp
@@ -192,6 +220,7 @@ public final class Downloader {
} catch (URLConnectionFailureException ex) {
throw new DownloadFailedException("Error creating URL Connection for HTTP HEAD request.", ex);
} catch (IOException ex) {
analyzeException(ex);
throw new DownloadFailedException("Error making HTTP HEAD request.", ex);
} finally {
if (conn != null) {
@@ -205,4 +234,29 @@ public final class Downloader {
}
return timestamp;
}
/**
* Analyzes the IOException, logs the appropriate information for debugging purposes, and then throws a
* DownloadFailedException that wraps the IO Exception.
*
* @param ex the original exception
* @throws DownloadFailedException a wrapper exception that contains the original exception as the cause
*/
protected static void analyzeException(IOException ex) throws DownloadFailedException {
Throwable cause = ex;
while (cause != null) {
if (cause instanceof InvalidAlgorithmParameterException) {
final String keystore = System.getProperty("javax.net.ssl.keyStore");
final String version = System.getProperty("java.version");
final String vendor = System.getProperty("java.vendor");
LOGGER.info("Error making HTTPS request - InvalidAlgorithmParameterException");
LOGGER.info("There appears to be an issue with the installation of Java and the cacerts."
+ "See closed issue #177 here: https://github.com/jeremylong/DependencyCheck/issues/177");
LOGGER.info(String.format("Java Info:%njavax.net.ssl.keyStore='%s'%njava.version='%s'%njava.vendor='%s'",
keystore, version, vendor));
throw new DownloadFailedException("Error making HTTPS request. Please see the log for more details.");
}
cause = cause.getCause();
}
}
}
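Review bot: the Javadoc promises a `DownloadFailedException` "that wraps the IO Exception" and the `@throws` says the original exception is the cause, but `throw new DownloadFailedException("Error making HTTPS request. Please see the log for more details.");` drops `ex`; pass it as the cause so the stack trace survives. The concatenation `"...the cacerts." + "See closed issue #177 ..."` is missing a space and logs as `cacerts.See`. The property that decides which CA certificates are trusted for an HTTPS download is `javax.net.ssl.trustStore`, not `javax.net.ssl.keyStore` (the client key store), so logging the trust store value and `java.home` (where the default `cacerts` lives) is more useful for diagnosing the issue #177 failure. Finally, the method returns silently for every other cause, which the Javadoc should say.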

View File

@@ -27,8 +27,8 @@ import java.net.SocketAddress;
import java.net.URL;
/**
* A URLConnection Factory to create new connections. This encapsulates several configuration checks to ensure that the
* connection uses the correct proxy settings.
* A URLConnection Factory to create new connections. This encapsulates several configuration checks to ensure that the connection
* uses the correct proxy settings.
*
* @author Jeremy Long <jeremy.long@owasp.org>
*/
@@ -41,8 +41,8 @@ public final class URLConnectionFactory {
}
/**
* Utility method to create an HttpURLConnection. If the application is configured to use a proxy this method will
* retrieve the proxy settings and use them when setting up the connection.
* Utility method to create an HttpURLConnection. If the application is configured to use a proxy this method will retrieve
* the proxy settings and use them when setting up the connection.
*
* @param url the url to connect to
* @return an HttpURLConnection
@@ -79,6 +79,7 @@ public final class URLConnectionFactory {
}
final int timeout = Settings.getInt(Settings.KEYS.CONNECTION_TIMEOUT, 60000);
conn.setConnectTimeout(timeout);
conn.setInstanceFollowRedirects(true);
} catch (IOException ex) {
if (conn != null) {
try {
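Review bot: `conn.setInstanceFollowRedirects(true);` is already the default for `HttpURLConnection` (each instance inherits `HttpURLConnection.getFollowRedirects()`, which is true unless something changed it), so this line documents intent rather than changing behaviour; note also that the built-in handling deliberately does not follow redirects across protocols (http to https or back), which is why `Downloader` now handles `HTTP_MOVED_TEMP`/`HTTP_MOVED_PERM`/`HTTP_SEE_OTHER` itself. A comment saying so here would stop the next reader from assuming redirects are fully handled by the factory.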
@@ -93,8 +94,8 @@ public final class URLConnectionFactory {
}
/**
* Utility method to create an HttpURLConnection. The use of a proxy here is optional as there may be cases where a
* proxy is configured but we don't want to use it (for example, if there's an internal repository configured)
* Utility method to create an HttpURLConnection. The use of a proxy here is optional as there may be cases where a proxy is
* configured but we don't want to use it (for example, if there's an internal repository configured)
*
* @param url the URL to connect to
* @param proxy whether to use the proxy (if configured)
@@ -110,6 +111,7 @@ public final class URLConnectionFactory {
conn = (HttpURLConnection) url.openConnection();
final int timeout = Settings.getInt(Settings.KEYS.CONNECTION_TIMEOUT, 60000);
conn.setConnectTimeout(timeout);
conn.setInstanceFollowRedirects(true);
} catch (IOException ioe) {
throw new URLConnectionFailureException("Error getting connection.", ioe);
}
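Review bot: both factory methods set only `conn.setConnectTimeout(timeout)`; no `setReadTimeout` is configured in either hunk, so a server that accepts the connection and then stalls can hang the download, and with it the build, indefinitely. Apply the same `CONNECTION_TIMEOUT` value (or a separate read-timeout setting) via `conn.setReadTimeout(...)` next to `conn.setInstanceFollowRedirects(true);`.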

255
pom.xml
View File

@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.2.8</version>
<version>1.2.9</version>
<packaging>pom</packaging>
<modules>
@@ -125,26 +125,162 @@ Copyright (c) 2012 - Jeremy Long
</site>
</distributionManagement>
<!-- end copy -->
<prerequisites>
<maven>3.0</maven>
</prerequisites>
<build>
<pluginManagement>
<plugins>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>appassembler-maven-plugin</artifactId>
<version>1.9</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>2.6</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-assembly-plugin</artifactId>
<version>2.5.3</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-clean-plugin</artifactId>
<version>2.6.1</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.2</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<version>2.9</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-enforcer-plugin</artifactId>
<version>1.3.1</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-deploy-plugin</artifactId>
<version>2.8.2</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-failsafe-plugin</artifactId>
<version>2.18.1</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-gpg-plugin</artifactId>
<version>1.5</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-install-plugin</artifactId>
<version>2.5.2</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<version>2.5</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-plugin-plugin</artifactId>
<version>3.3</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-release-plugin</artifactId>
<version>2.5.1</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-resources-plugin</artifactId>
<version>2.7</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-site-plugin</artifactId>
<!-- Before upgrading this to a newer version, verify the pages produced by `mvn site` still works.
In particular, pay attention to all pages under "File type analyzers" as well as those under "General".
Previously when testing with maven-site-plugin 3.4, these links have stopped working for some reason.
-->
<version>3.3</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>2.18.1</version>
</plugin>
<plugin>
<groupId>com.github.github</groupId>
<artifactId>site-maven-plugin</artifactId>
<version>0.10</version>
</plugin>
</plugins>
</pluginManagement>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-release-plugin</artifactId>
<version>2.4.2</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.1</version>
<configuration>
<showDeprecation>false</showDeprecation>
<source>1.6</source>
<target>1.6</target>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-failsafe-plugin</artifactId>
<configuration>
<systemProperties>
<property>
<name>temp.directory</name>
<value>${project.build.directory}/temp</value>
</property>
</systemProperties>
<includes>
<include>**/*IntegrationTest.java</include>
</includes>
</configuration>
<executions>
<execution>
<goals>
<goal>integration-test</goal>
<goal>verify</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<configuration>
<archive>
<manifest>
<addDefaultImplementationEntries>true</addDefaultImplementationEntries>
</manifest>
</archive>
<excludes>
<exclude>**/checkstyle*</exclude>
</excludes>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-resources-plugin</artifactId>
<version>2.7</version>
<executions>
<execution>
<id>site-filtering-hack</id>
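Review bot: `<prerequisites><maven>3.0</maven></prerequisites>` is only honoured for `maven-plugin` packaging under Maven 3 and is ignored for this `pom` project, so it enforces nothing; `maven-enforcer-plugin` 1.3.1 is now managed here, so a `requireMavenVersion` rule in an `enforce` execution is the way to get the constraint. Also, any `<version>` left directly under `<plugins>` (2.4.2 on maven-release-plugin, 3.1 on maven-compiler-plugin, 2.7 on maven-resources-plugin) overrides the versions pinned in `<pluginManagement>` (2.5.1, 3.2, 2.7); with the diff markers stripped in this view it is not clear which of those lines are being deleted, so check that none survive, otherwise the managed section is not the single source of truth for plugin versions. The maven-site-plugin comment ("verify the pages produced by mvn site still works") should read "still work", and naming the broken pages or the tracking issue would make it actionable.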
@@ -170,13 +306,8 @@ Copyright (c) 2012 - Jeremy Long
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-site-plugin</artifactId>
<version>3.3</version>
<dependencies>
<dependency>
<!--
| allows markdown syntax for site generation. To use it place files below
| src/site/markdown/[filename].md
-->
<groupId>org.apache.maven.doxia</groupId>
<artifactId>doxia-module-markdown</artifactId>
<version>1.5</version>
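Review bot: if the comment explaining that `doxia-module-markdown` enables markdown pages under `src/site/markdown/[filename].md` is among the lines being removed here, keep it (or move it next to the dependency); it is the only place that documents why the site plugin carries that dependency.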
@@ -184,41 +315,11 @@ Copyright (c) 2012 - Jeremy Long
</dependencies>
<configuration>
<skipDeploy>true</skipDeploy>
<reportPlugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>2.7</version>
<reportSets>
<reportSet>
<reports>
<!--
<report>cim</report>
<report>dependencies</report>
<report>dependency-convergence</report>
<report>dependency-info</report>
<report>dependency-management</report>
<report>distribution-management</report>
-->
<report>index</report>
<report>summary</report>
<report>mailing-list</report>
<report>issue-tracking</report>
<report>modules</report>
<report>project-team</report>
<report>scm</report>
<report>license</report>
</reports>
</reportSet>
</reportSets>
</plugin>
</reportPlugins>
</configuration>
</plugin>
<plugin>
<groupId>com.github.github</groupId>
<artifactId>site-maven-plugin</artifactId>
<version>0.9</version>
<configuration>
<message>Creating site for ${project.artifactId}, ${project.version}</message>
<!-- this does the trick to place every module in the correct subfolder -->
@@ -236,29 +337,71 @@ Copyright (c) 2012 - Jeremy Long
</executions>
</plugin>
<!-- end copy -->
<!--<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-gpg-plugin</artifactId>
<version>1.4</version>
<executions>
<execution>
<id>sign-artifacts</id>
<phase>verify</phase>
<goals>
<goal>sign</goal>
</goals>
</execution>
</executions>
</plugin>-->
</plugins>
</build>
<reporting>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>2.7</version>
<reportSets>
<reportSet>
<reports>
<!--
<report>cim</report>
<report>dependencies</report>
<report>dependency-convergence</report>
<report>dependency-info</report>
<report>dependency-management</report>
<report>distribution-management</report>
-->
<report>index</report>
<report>summary</report>
<report>mailing-list</report>
<report>issue-tracking</report>
<report>modules</report>
<report>project-team</report>
<report>scm</report>
<report>license</report>
</reports>
</reportSet>
</reportSets>
</plugin>
</plugins>
</reporting>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.12</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.hamcrest</groupId>
<artifactId>hamcrest-core</artifactId>
<version>1.3</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.jmockit</groupId>
<artifactId>jmockit</artifactId>
<version>1.15</version>
<scope>test</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.11</version>
<scope>test</scope>
<type>jar</type>
</dependency>
<dependency>
<groupId>org.hamcrest</groupId>
<artifactId>hamcrest-core</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
</project>
</project>
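Review bot: `junit` is pinned to 4.12 in `<dependencyManagement>` but the `<dependencies>` entry below still carries `<version>4.11</version>`; if that line is not among the deletions it wins over the managed version, so drop it (and the redundant `<type>jar</type>`, which is the default) so the modules actually resolve 4.12. If the commented-out `maven-gpg-plugin` block is what is being removed in this hunk, confirm that artifact signing still runs somewhere (for example in a release profile), since `maven-gpg-plugin` 1.5 is now only managed and no `sign` execution is visible; unsigned releases are harder for downstream users to verify. The two trailing `</project>` lines suggest a whitespace or end-of-file newline change; make sure the file ends with exactly one newline.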

View File

@@ -13,6 +13,6 @@
^ \* See the License for the specific language governing permissions and\s*$
^ \* limitations under the License\.\s*$
^ \*\s*$
^ \* Copyright \(c\) 201[234] (Jeremy Long|Steve Springett)\. All Rights Reserved\.\s*$
^ \* Copyright \(c\) 201[0-9] (Jeremy Long|Steve Springett)\. All Rights Reserved\.\s*$
^ \*/\s*$
^package
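Review bot: widening `201[234]` to `201[0-9]` avoids editing the header check every January but still breaks in 2020; `20[0-9]{2}` keeps the same intent without another revisit. The alternation still hard-codes the two author names, so a new contributor's copyright line will fail the check; if that is intended, a comment in the file saying so would save the next person a puzzled half hour.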

View File

@@ -9,5 +9,6 @@
<suppress checks=".*" files=".*[\\/]org[\\/]owasp[\\/]dependencycheck[\\/]utils[\\/]Filter.java" />
<suppress checks=".*" files=".*[\\/]org[\\/]owasp[\\/]dependencycheck[\\/]utils[\\/]Checksum.java" />
<suppress checks=".*" files=".*[\\/]generated[\\/].*.java" />
<suppress checks=".*" files=".*[\\/]maven-plugin-plugin-sources[\\/].*.properties" />
<suppress checks=".*" files=".*[\\/]org[\\/]owasp[\\/]dependencycheck[\\/]org[\\/]apache[\\/].*.java" />
</suppressions>
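Review bot: the new patterns `.*[\\/]maven-plugin-plugin-sources[\\/].*.properties` and `.*[\\/]org[\\/]owasp[\\/]dependencycheck[\\/]org[\\/]apache[\\/].*.java` leave the dot before the extension unescaped, so `.*.java` also matches names such as `Xjava`; use `\.java` and `\.properties`, as the intent is an extension match. Suppressing every check (`checks=".*"`) for the vendored `org/apache` sources is reasonable for third-party code that should not be reformatted, and it mirrors the PMD `<exclude>` for the same path, but a comment recording which upstream project and version the copy came from would make it possible to tell when a stale or vulnerable copy needs refreshing.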

View File

@@ -1,26 +1,46 @@
How To Read The Report
How To Read The Reports
========
There is a lot of information contained in the HTML version of the report. When analyzing the results, the first thing one should do is determine if the CPE looks
appropriate. Due to the way dependency-check works (see above) the report may contain false positives; these false positives are primarily on the CPE values. If the CPE value
is wrong, this is usually obvious and one should use the suppression feature in the report to generate a suppression XML file that can be used on future scans. In addition
to just looking at the CPE values in comparison to the name of the dependency - one may also consider the confidence of the CPE (as discussed in [How does dependency-check
work](./internals.html)). See the [Suppressing False Positives](./suppression.html) page for more information on how to generate and use the suppression file.
The top of the report contains a list of the identified vulnerable components. By clicking the 'Showing Vulnerable
Dependencies' link the list will be expanded to include all of the dependencies scanned. The table lists:
Once you have weeded out any obvious false positives one can then look at the remaining entries and determine if any of the identified CVE entries are actually
exploitable in your environment. Determining if a CVE is exploitable in your environment can be tricky - for this I do not currently have any tips other then
upgrade the library if you can just to be safe. Note, some CVE entries can be fixed by either upgrading the library or changing configuration options.
* Dependency - the file name of the dependency scanned.
* CPE - any Common Platform Enumeration identifiers found.
* GAV - the Maven Group, Artifact, Version (GAV).
* Highest Severity - the highest severity of any associated CVEs.
* CVE Count - the number of associated CVEs.
* CPE Confidence - a ranking of how confident dependency-check is that the CPE was identified correctly.
* Evidence Count - the quantity of data extracted from the dependency that was used to identify the CPE.
One item that dependency-check flags that many may think is a false positive are old database drivers. One thing to consider about an old database driver is that the
CPE/CVEs identified are usually for the server rather then the driver. However, the presence of an old driver may indicate that you have an older version of the server
running in your environment and that server may need to be patched or upgraded. However, in some cases the old database drivers are actually unused, transitive dependencies
from other dependencies.
There is a lot of information contained in the HTML version of the report. When analyzing the results, the first
thing one should do is determine if the identified CPE is correct. Due to the way dependency-check works (see
[How it works](./internals.html) for more information) the report may contain false positives. These false positives
are primarily on the CPE values. If the CPE value is wrong, this is usually obvious, one should use the suppression
feature in the report to generate a suppression XML file that can be used on future scans. In addition to looking
at the CPE values in comparison to the name of the dependency one may also consider the confidence of the CPE
(as discussed in [How does dependency-check work](./internals.html)). See the [Suppressing False Positives](./suppression.html)
page for more information on how to generate and use the suppression file.
Once you have weeded out any obvious false positives one can then look at the remaining entries and determine if
any of the identified CVE entries are actually exploitable in your environment. Determining if a CVE is exploitable
in your environment can be tricky, for this we do not currently have any tips other then upgrade the library if you
can just to be safe. Note, some CVE entries can be fixed by either upgrading the library or changing configuration
options.
One item that dependency-check flags that many may think is a false positive are old database drivers. One thing to
consider about an old database driver is that the CPE/CVEs identified are usually for the server rather then the driver.
However, the presence of an old driver may indicate that you have an older version of the server running in your
environment and that server may need to be patched or upgraded. However, in some cases the old database drivers are
actually unused, transitive dependencies.
Regarding False Negatives
=======
As stated above, due to the nature of dependency-check there may be publicly disclosed vulnerabilities in the project dependencies scanned by dependency-check that
are not identified. With the current version of dependency-check the HTML report has a table at the top that initially displays just the dependencies with identified
vulnerabilities. This can be toggled to show all dependencies. If you examine the rows that do not have identified CPE/CVE entries you will see an "evidence count".
If the evidence count is extremely low (0-5 entries) then there may not have been enough information contained in the dependency to identify a CPE and associated CVEs.
As stated above, due to the nature of dependency-check there may be publicly disclosed vulnerabilities in the project
dependencies scanned by dependency-check that
are not identified. With the current version of dependency-check the HTML report has a table at the top that initially
displays just the dependencies with identified vulnerabilities. This can be toggled to show all dependencies. If you
examine the rows that do not have identified CPE/CVE entries you will see an "evidence count". If the evidence count
is extremely low (0-5 entries) then there may not have been enough information contained in the dependency to identify
a CPE and associated CVEs.
It should be noted that while the false positives described above are bad, more concerning is that there may be vulnerabilities within the project dependencies that
have yet to be publicly known. If one has the resources consider performing security assessments on the project dependencies.
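Review bot: the rewritten text keeps two typos from the old version: "other then upgrade the library" should be "other than", and "for the server rather then the driver" should be "rather than". "If the CPE value is wrong, this is usually obvious, one should use the suppression feature" is a comma splice; make it "this is usually obvious; use the suppression feature". The "Regarding False Negatives" section opens with "As stated above", but neither the old nor the new text above says that dependency-check can miss vulnerabilities, so either add that sentence to the first section or point at the internals page where it is explained.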

View File

@@ -131,6 +131,6 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<description>A set of utility classes used by dependency-check.</description>
</item>
</menu>
<footer>Copyright © 2012-2014 Jeremy Long. All Rights Reserved.</footer>
<footer>Copyright © 2012-2015 Jeremy Long. All Rights Reserved.</footer>
</body>
</project>