mirror of
https://github.com/ysoftdevs/DependencyCheck.git
54 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
9e29939cd3 | ||
|
|
d750abca22 | ||
|
|
31df2fa131 | ||
|
|
6355a29a7a | ||
|
|
86a2b38340 | ||
|
|
9cb2b58557 | ||
|
|
2b0e2e8d0d | ||
|
|
cf46767196 | ||
|
|
ffc1034b5a | ||
|
|
46bb19de9b | ||
|
|
70bc7a6d01 | ||
|
|
3164505273 | ||
|
|
3d84fcd037 | ||
|
|
578fa32243 | ||
|
|
fc00b7d1cc | ||
|
|
d7351bd3e5 | ||
|
|
e7224c8f05 | ||
|
|
b97622f45b | ||
|
|
0e15f3b703 | ||
|
|
6604c0da89 | ||
|
|
e0b8be20b3 | ||
|
|
46965d8c96 | ||
|
|
66e92f00ee | ||
|
|
4a137b4e8e | ||
|
|
9d5ff28098 | ||
|
|
313b114da5 | ||
|
|
1b6bfc6338 | ||
|
|
49fd89f34a | ||
|
|
a2e862886e | ||
|
|
62f6c7c5a9 | ||
|
|
2294ed1ce1 | ||
|
|
c8a1c6a318 | ||
|
|
600ed66d5b | ||
|
|
512b17555c | ||
|
|
dc7849c9e8 | ||
|
|
6a99a51b91 | ||
|
|
8c7fa022a0 | ||
|
|
cca694a580 | ||
|
|
3a7f95b9b1 | ||
|
|
3a84dc3962 | ||
|
|
5961a96a4c | ||
|
|
a22382505f | ||
|
|
5faef75415 | ||
|
|
fed60907dc | ||
|
|
ce7e360b70 | ||
|
|
0b3def38b8 | ||
|
|
25a15dea8c | ||
|
|
e204971a6c | ||
|
|
d5b3a118bc | ||
|
|
3396cb2887 | ||
|
|
3c5beea218 | ||
|
|
e544384dd5 | ||
|
|
0e90f460f4 | ||
|
|
921efc4d2b |
@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
|
||||
<parent>
|
||||
<groupId>org.owasp</groupId>
|
||||
<artifactId>dependency-check-parent</artifactId>
|
||||
<version>1.3.2</version>
|
||||
<version>1.3.4</version>
|
||||
</parent>
|
||||
|
||||
<artifactId>dependency-check-ant</artifactId>
|
||||
|
||||
@@ -1,2 +1,2 @@
|
||||
# the path to the data directory
|
||||
data.directory=data
|
||||
data.directory=data/3.0
|
||||
|
||||
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
|
||||
<parent>
|
||||
<groupId>org.owasp</groupId>
|
||||
<artifactId>dependency-check-parent</artifactId>
|
||||
<version>1.3.2</version>
|
||||
<version>1.3.4</version>
|
||||
</parent>
|
||||
|
||||
<artifactId>dependency-check-cli</artifactId>
|
||||
|
||||
@@ -27,7 +27,6 @@ import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
import org.apache.commons.cli.ParseException;
|
||||
import org.apache.commons.lang.StringUtils;
|
||||
import org.owasp.dependencycheck.data.nvdcve.CveDB;
|
||||
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
|
||||
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
|
||||
|
||||
@@ -344,7 +344,7 @@ public final class CliParser {
|
||||
final Option pathToMono = Option.builder().argName("path").hasArg().longOpt(ARGUMENT.PATH_TO_MONO)
|
||||
.desc("The path to Mono for .NET Assembly analysis on non-windows systems.")
|
||||
.build();
|
||||
|
||||
|
||||
final Option pathToBundleAudit = Option.builder().argName("path").hasArg()
|
||||
.longOpt(ARGUMENT.PATH_TO_BUNDLE_AUDIT)
|
||||
.desc("The path to bundle-audit for Gem bundle analysis.").build();
|
||||
@@ -576,7 +576,6 @@ public final class CliParser {
|
||||
return (line != null) && line.hasOption(ARGUMENT.DISABLE_BUNDLE_AUDIT);
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Returns true if the disablePyDist command line argument was specified.
|
||||
*
|
||||
|
||||
@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
<parent>
|
||||
<groupId>org.owasp</groupId>
|
||||
<artifactId>dependency-check-parent</artifactId>
|
||||
<version>1.3.2</version>
|
||||
<version>1.3.4</version>
|
||||
</parent>
|
||||
|
||||
<artifactId>dependency-check-core</artifactId>
|
||||
|
||||
@@ -29,7 +29,7 @@ public enum AnalysisPhase {
|
||||
*/
|
||||
INITIAL,
|
||||
/**
|
||||
* Pre information collection phase
|
||||
* Pre information collection phase.
|
||||
*/
|
||||
PRE_INFORMATION_COLLECTION,
|
||||
/**
|
||||
|
||||
@@ -235,16 +235,14 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
this.setEnabled(false);
|
||||
throw new AnalysisException("Could not execute .NET AssemblyAnalyzer");
|
||||
}
|
||||
} catch (AnalysisException e) {
|
||||
throw e;
|
||||
} catch (Throwable e) {
|
||||
if (e instanceof AnalysisException) {
|
||||
throw (AnalysisException) e;
|
||||
} else {
|
||||
LOGGER.warn("An error occurred with the .NET AssemblyAnalyzer;\n"
|
||||
+ "this can be ignored unless you are scanning .NET DLLs. Please see the log for more details.");
|
||||
LOGGER.debug("Could not execute GrokAssembly {}", e.getMessage());
|
||||
this.setEnabled(false);
|
||||
throw new AnalysisException("An error occured with the .NET AssemblyAnalyzer", e);
|
||||
}
|
||||
LOGGER.warn("An error occurred with the .NET AssemblyAnalyzer;\n"
|
||||
+ "this can be ignored unless you are scanning .NET DLLs. Please see the log for more details.");
|
||||
LOGGER.debug("Could not execute GrokAssembly {}", e.getMessage());
|
||||
this.setEnabled(false);
|
||||
throw new AnalysisException("An error occurred with the .NET AssemblyAnalyzer", e);
|
||||
}
|
||||
builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
|
||||
}
|
||||
|
||||
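Review bot: The debug line in the new Throwable handler, `LOGGER.debug("Could not execute GrokAssembly {}", e.getMessage());`, records only the message even though the warn just above tells the user to consult the log for details; `LOGGER.debug("Could not execute GrokAssembly", e);` keeps the stack trace, which matters here because a Throwable catch may be holding an Error rather than an exception. Catching Throwable also wraps JVM errors such as OutOfMemoryError into an AnalysisException and disables the analyzer; if that is deliberate it deserves a one-line comment, otherwise narrowing the catch to `Exception` is the safer default. The enclosing method starts and ends outside the hunk.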
@@ -32,8 +32,10 @@ import org.slf4j.LoggerFactory;
|
||||
import java.io.File;
|
||||
import java.io.FileFilter;
|
||||
import java.io.IOException;
|
||||
import java.io.UnsupportedEncodingException;
|
||||
import java.security.MessageDigest;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.util.logging.Level;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
@@ -212,8 +214,13 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
final String filePath = String.format("%s:%s", dependency.getFilePath(), product);
|
||||
currentDep.setFilePath(filePath);
|
||||
|
||||
// prevents coalescing into the dependency provided by engine
|
||||
currentDep.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes())));
|
||||
byte[] path;
|
||||
try {
|
||||
path = filePath.getBytes("UTF-8");
|
||||
} catch (UnsupportedEncodingException ex) {
|
||||
path = filePath.getBytes();
|
||||
}
|
||||
currentDep.setSha1sum(Checksum.getHex(sha1.digest(path)));
|
||||
engine.getDependencies().add(currentDep);
|
||||
}
|
||||
final String source = currentDep.getDisplayFileName();
|
||||
|
||||
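Review bot: The new `catch (UnsupportedEncodingException ex)` fallback to `filePath.getBytes()` can never run, because UTF-8 is a charset every Java runtime is required to support, and if it did run it would silently switch the SHA-1 input to the platform default charset so the same path would hash differently per machine. If the build targets Java 7 or later, `filePath.getBytes(StandardCharsets.UTF_8)` removes both the checked exception and the dead branch; otherwise a short comment stating that the fallback is unreachable in practice would stop a reader from wondering which encoding the hash depends on. The enclosing method starts and ends outside the hunk.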
@@ -134,17 +134,19 @@ public class CPEAnalyzer implements Analyzer {
|
||||
* process.
|
||||
*/
|
||||
public void open() throws IOException, DatabaseException {
|
||||
cve = new CveDB();
|
||||
cve.open();
|
||||
cpe = CpeMemoryIndex.getInstance();
|
||||
try {
|
||||
LOGGER.info("Creating the CPE Index");
|
||||
final long creationStart = System.currentTimeMillis();
|
||||
cpe.open(cve);
|
||||
LOGGER.info("CPE Index Created ({} ms)", System.currentTimeMillis() - creationStart);
|
||||
} catch (IndexException ex) {
|
||||
LOGGER.debug("IndexException", ex);
|
||||
throw new DatabaseException(ex);
|
||||
if (!isOpen()) {
|
||||
cve = new CveDB();
|
||||
cve.open();
|
||||
cpe = CpeMemoryIndex.getInstance();
|
||||
try {
|
||||
LOGGER.info("Creating the CPE Index");
|
||||
final long creationStart = System.currentTimeMillis();
|
||||
cpe.open(cve);
|
||||
LOGGER.info("CPE Index Created ({} ms)", System.currentTimeMillis() - creationStart);
|
||||
} catch (IndexException ex) {
|
||||
LOGGER.debug("IndexException", ex);
|
||||
throw new DatabaseException(ex);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
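Review bot: Inside the new `if (!isOpen())` guard, `cve` is assigned and opened before `cpe.open(cve)` can throw, so after an IndexException the analyzer is left holding an opened CveDB with no index; depending on what `isOpen()` tests (its body is outside this hunk), a later `open()` call may then be skipped and the analyzer used without an index. Consider releasing the connection and resetting the field in the catch before rethrowing, e.g. `cve.close(); cve = null;` ahead of `throw new DatabaseException(ex);`, using the `CveDB.close()` that this change already calls elsewhere.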
@@ -284,10 +286,10 @@ public class CPEAnalyzer implements Analyzer {
|
||||
}
|
||||
return ret;
|
||||
} catch (ParseException ex) {
|
||||
LOGGER.warn("An error occured querying the CPE data. See the log for more details.");
|
||||
LOGGER.warn("An error occurred querying the CPE data. See the log for more details.");
|
||||
LOGGER.info("Unable to parse: {}", searchString, ex);
|
||||
} catch (IOException ex) {
|
||||
LOGGER.warn("An error occured reading CPE data. See the log for more details.");
|
||||
LOGGER.warn("An error occurred reading CPE data. See the log for more details.");
|
||||
LOGGER.info("IO Error with search string: {}", searchString, ex);
|
||||
}
|
||||
return null;
|
||||
|
||||
@@ -320,7 +320,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
foundSomething |= setPomEvidence(dependency, pom, classes);
|
||||
}
|
||||
} catch (AnalysisException ex) {
|
||||
LOGGER.warn("An error occured while analyzing '{}'.", dependency.getActualFilePath());
|
||||
LOGGER.warn("An error occurred while analyzing '{}'.", dependency.getActualFilePath());
|
||||
LOGGER.trace("", ex);
|
||||
}
|
||||
}
|
||||
@@ -835,10 +835,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
}
|
||||
|
||||
if (pos > 0) {
|
||||
final StringBuilder sb = new StringBuilder(pos + 3);
|
||||
sb.append(desc.substring(0, pos));
|
||||
sb.append("...");
|
||||
desc = sb.toString();
|
||||
desc = desc.substring(0, pos) + "...";
|
||||
}
|
||||
dependency.getProductEvidence().addEvidence(source, key, desc, Confidence.LOW);
|
||||
dependency.getVendorEvidence().addEvidence(source, key, desc, Confidence.LOW);
|
||||
|
||||
@@ -51,8 +51,8 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
*/
|
||||
private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_INFORMATION_COLLECTION;
|
||||
|
||||
private static final FileFilter FILTER =
|
||||
FileFilterBuilder.newInstance().addFilenames("Gemfile.lock").build();
|
||||
private static final FileFilter FILTER
|
||||
= FileFilterBuilder.newInstance().addFilenames("Gemfile.lock").build();
|
||||
public static final String NAME = "Name: ";
|
||||
public static final String VERSION = "Version: ";
|
||||
public static final String ADVISORY = "Advisory: ";
|
||||
@@ -113,7 +113,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
throw new AnalysisException("Bundle-audit error stream unexpectedly not ready.");
|
||||
} else {
|
||||
final String line = reader.readLine();
|
||||
if (!line.contains("Errno::ENOENT")) {
|
||||
if (line == null || !line.contains("Errno::ENOENT")) {
|
||||
LOGGER.warn("Unexpected bundle-audit output. Disabling {}: {}", ANALYZER_NAME, line);
|
||||
setEnabled(false);
|
||||
throw new AnalysisException("Unexpected bundle-audit output.");
|
||||
@@ -126,8 +126,8 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
}
|
||||
}
|
||||
if (isEnabled()) {
|
||||
LOGGER.info(ANALYZER_NAME + " is enabled. It is necessary to manually run \"bundle-audit update\" " +
|
||||
"occasionally to keep its database up to date.");
|
||||
LOGGER.info(ANALYZER_NAME + " is enabled. It is necessary to manually run \"bundle-audit update\" "
|
||||
+ "occasionally to keep its database up to date.");
|
||||
}
|
||||
}
|
||||
|
||||
@@ -162,8 +162,8 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
}
|
||||
|
||||
/**
|
||||
* If {@link #analyzeFileType(Dependency, Engine)} is called, then we have successfully initialized, and it will
|
||||
* be necessary to disable {@link RubyGemspecAnalyzer}.
|
||||
* If {@link #analyzeFileType(Dependency, Engine)} is called, then we have successfully initialized, and it will be necessary
|
||||
* to disable {@link RubyGemspecAnalyzer}.
|
||||
*/
|
||||
private boolean needToDisableGemspecAnalyzer = true;
|
||||
|
||||
|
||||
@@ -345,8 +345,8 @@ public final class ConnectionFactory {
|
||||
final DependencyVersion current = DependencyVersionUtil.parseVersion(DB_SCHEMA_VERSION);
|
||||
final DependencyVersion db = DependencyVersionUtil.parseVersion(rs.getString(1));
|
||||
if (current.compareTo(db) > 0) {
|
||||
LOGGER.debug("Current Schema: " + DB_SCHEMA_VERSION);
|
||||
LOGGER.debug("DB Schema: " + rs.getString(1));
|
||||
LOGGER.debug("Current Schema: {}", DB_SCHEMA_VERSION);
|
||||
LOGGER.debug("DB Schema: {}", rs.getString(1));
|
||||
updateSchema(conn, rs.getString(1));
|
||||
if (++callDepth < 10) {
|
||||
ensureSchemaVersion(conn);
|
||||
|
||||
@@ -70,11 +70,11 @@ public class DatabaseProperties {
|
||||
/**
|
||||
* A collection of properties about the data.
|
||||
*/
|
||||
private Properties properties;
|
||||
private final Properties properties;
|
||||
/**
|
||||
* A reference to the database.
|
||||
*/
|
||||
private CveDB cveDB;
|
||||
private final CveDB cveDB;
|
||||
|
||||
/**
|
||||
* Constructs a new data properties object.
|
||||
@@ -83,13 +83,6 @@ public class DatabaseProperties {
|
||||
*/
|
||||
DatabaseProperties(CveDB cveDB) {
|
||||
this.cveDB = cveDB;
|
||||
loadProperties();
|
||||
}
|
||||
|
||||
/**
|
||||
* Loads the properties from the database.
|
||||
*/
|
||||
private void loadProperties() {
|
||||
this.properties = cveDB.getProperties();
|
||||
}
|
||||
|
||||
|
||||
@@ -28,6 +28,7 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
|
||||
import org.owasp.dependencycheck.data.update.exception.UpdateException;
|
||||
import org.owasp.dependencycheck.utils.DateUtil;
|
||||
import org.owasp.dependencycheck.utils.DependencyVersion;
|
||||
import org.owasp.dependencycheck.utils.InvalidSettingException;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
import org.owasp.dependencycheck.utils.URLConnectionFactory;
|
||||
import org.owasp.dependencycheck.utils.URLConnectionFailureException;
|
||||
@@ -82,27 +83,33 @@ public class EngineVersionCheck implements CachedWebDataSource {
|
||||
|
||||
@Override
|
||||
public void update() throws UpdateException {
|
||||
|
||||
try {
|
||||
openDatabase();
|
||||
LOGGER.debug("Begin Engine Version Check");
|
||||
final DatabaseProperties properties = cveDB.getDatabaseProperties();
|
||||
final long lastChecked = Long.parseLong(properties.getProperty(ENGINE_VERSION_CHECKED_ON, "0"));
|
||||
final long now = System.currentTimeMillis();
|
||||
updateToVersion = properties.getProperty(CURRENT_ENGINE_RELEASE, "");
|
||||
final String currentVersion = Settings.getString(Settings.KEYS.APPLICATION_VERSION, "0.0.0");
|
||||
LOGGER.debug("Last checked: {}", lastChecked);
|
||||
LOGGER.debug("Now: {}", now);
|
||||
LOGGER.debug("Current version: {}", currentVersion);
|
||||
final boolean updateNeeded = shouldUpdate(lastChecked, now, properties, currentVersion);
|
||||
if (updateNeeded) {
|
||||
LOGGER.warn("A new version of dependency-check is available. Consider updating to version {}.",
|
||||
updateToVersion);
|
||||
if (Settings.getBoolean(Settings.KEYS.AUTO_UPDATE)) {
|
||||
openDatabase();
|
||||
LOGGER.debug("Begin Engine Version Check");
|
||||
final DatabaseProperties properties = cveDB.getDatabaseProperties();
|
||||
final long lastChecked = Long.parseLong(properties.getProperty(ENGINE_VERSION_CHECKED_ON, "0"));
|
||||
final long now = System.currentTimeMillis();
|
||||
updateToVersion = properties.getProperty(CURRENT_ENGINE_RELEASE, "");
|
||||
final String currentVersion = Settings.getString(Settings.KEYS.APPLICATION_VERSION, "0.0.0");
|
||||
LOGGER.debug("Last checked: {}", lastChecked);
|
||||
LOGGER.debug("Now: {}", now);
|
||||
LOGGER.debug("Current version: {}", currentVersion);
|
||||
final boolean updateNeeded = shouldUpdate(lastChecked, now, properties, currentVersion);
|
||||
if (updateNeeded) {
|
||||
LOGGER.warn("A new version of dependency-check is available. Consider updating to version {}.",
|
||||
updateToVersion);
|
||||
}
|
||||
}
|
||||
} catch (DatabaseException ex) {
|
||||
LOGGER.debug("Database Exception opening databases to retrieve properties", ex);
|
||||
throw new UpdateException("Error occured updating database properties.");
|
||||
} catch (InvalidSettingException ex) {
|
||||
LOGGER.debug("Unable to determine if autoupdate is enabled", ex);
|
||||
} finally {
|
||||
closeDatabase();
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
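Review bot: In the `catch (DatabaseException ex)` branch, `throw new UpdateException("Error occured updating database properties.");` drops the cause, so anything above debug level sees only a generic message, and the text keeps the "occured" spelling that this change corrects in other files. If UpdateException has a cause-taking constructor, `throw new UpdateException("Error occurred updating database properties.", ex);` preserves the stack. The new `catch (InvalidSettingException ex)` logs at debug and silently skips the whole version check; a comment such as `// a malformed AUTO_UPDATE setting disables the version check rather than failing the update` would make that intentional rather than accidental.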
@@ -120,10 +127,7 @@ public class EngineVersionCheck implements CachedWebDataSource {
|
||||
protected boolean shouldUpdate(final long lastChecked, final long now, final DatabaseProperties properties,
|
||||
String currentVersion) throws UpdateException {
|
||||
//check every 30 days if we know there is an update, otherwise check every 7 days
|
||||
int checkRange = 30;
|
||||
if (updateToVersion.isEmpty()) {
|
||||
checkRange = 7;
|
||||
}
|
||||
final int checkRange = 30;
|
||||
if (!DateUtil.withinDateRange(lastChecked, now, checkRange)) {
|
||||
LOGGER.debug("Checking web for new version.");
|
||||
final String currentRelease = getCurrentReleaseVersion();
|
||||
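Review bot: The comment `//check every 30 days if we know there is an update, otherwise check every 7 days` is now stale: the 7-day branch is removed and `final int checkRange = 30;` applies unconditionally. Replace it with `// check the web for a new release at most once every 30 days`. The enclosing method continues past the end of the hunk.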
@@ -133,14 +137,16 @@ public class EngineVersionCheck implements CachedWebDataSource {
|
||||
updateToVersion = v.toString();
|
||||
if (!currentRelease.equals(updateToVersion)) {
|
||||
properties.save(CURRENT_ENGINE_RELEASE, updateToVersion);
|
||||
} else {
|
||||
properties.save(CURRENT_ENGINE_RELEASE, "");
|
||||
}
|
||||
properties.save(ENGINE_VERSION_CHECKED_ON, Long.toString(now));
|
||||
}
|
||||
}
|
||||
LOGGER.debug("Current Release: {}", updateToVersion);
|
||||
}
|
||||
if (updateToVersion == null) {
|
||||
LOGGER.debug("Unable to obtain current release");
|
||||
return false;
|
||||
}
|
||||
final DependencyVersion running = new DependencyVersion(currentVersion);
|
||||
final DependencyVersion released = new DependencyVersion(updateToVersion);
|
||||
if (running.compareTo(released) < 0) {
|
||||
|
||||
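Review bot: The new `if (updateToVersion == null)` guard does not cover the empty string, which is what `update()` supplies via `properties.getProperty(CURRENT_ENGINE_RELEASE, "")` and what the `properties.save(CURRENT_ENGINE_RELEASE, "")` branch in this hunk persists; when the web lookup is skipped because the last check was recent, `new DependencyVersion(updateToVersion)` is therefore built from "" and compared. Unless DependencyVersion treats "" deliberately, `if (updateToVersion == null || updateToVersion.isEmpty())` would skip the comparison in both cases. The enclosing method starts and ends outside the hunk.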
@@ -25,6 +25,8 @@ import java.util.concurrent.ExecutionException;
|
||||
import java.util.concurrent.ExecutorService;
|
||||
import java.util.concurrent.Executors;
|
||||
import java.util.concurrent.Future;
|
||||
import org.owasp.dependencycheck.data.nvdcve.CveDB;
|
||||
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
|
||||
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
|
||||
import static org.owasp.dependencycheck.data.nvdcve.DatabaseProperties.MODIFIED;
|
||||
import org.owasp.dependencycheck.data.update.exception.InvalidDataException;
|
||||
@@ -33,6 +35,7 @@ import org.owasp.dependencycheck.data.update.nvd.DownloadTask;
|
||||
import org.owasp.dependencycheck.data.update.nvd.NvdCveInfo;
|
||||
import org.owasp.dependencycheck.data.update.nvd.ProcessTask;
|
||||
import org.owasp.dependencycheck.data.update.nvd.UpdateableNvdCve;
|
||||
import org.owasp.dependencycheck.exception.NoDataException;
|
||||
import org.owasp.dependencycheck.utils.DateUtil;
|
||||
import org.owasp.dependencycheck.utils.DownloadFailedException;
|
||||
import org.owasp.dependencycheck.utils.InvalidSettingException;
|
||||
@@ -101,7 +104,7 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
|
||||
boolean proceed = true;
|
||||
// If the valid setting has not been specified, then we proceed to check...
|
||||
final int validForHours = Settings.getInt(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, 0);
|
||||
if (0 < validForHours) {
|
||||
if (dataExists() && 0 < validForHours) {
|
||||
// ms Valid = valid (hours) x 60 min/hour x 60 sec/min x 1000 ms/sec
|
||||
final long msValid = validForHours * 60L * 60L * 1000L;
|
||||
final long lastChecked = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_CHECKED, "0"));
|
||||
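Review bot: `if (dataExists() && 0 < validForHours)` evaluates `dataExists()` first, and that helper opens a fresh CveDB connection, so the database is opened even when CVE_CHECK_VALID_FOR_HOURS is 0 and the outcome is irrelevant. Swapping the operands, `if (0 < validForHours && dataExists()) {`, keeps the cheap settings test first and avoids the extra open. The enclosing method starts and ends outside the hunk.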
@@ -118,6 +121,24 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
|
||||
return proceed;
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks the CPE Index to ensure documents exists.
|
||||
*/
|
||||
private boolean dataExists() {
|
||||
CveDB cve = null;
|
||||
try {
|
||||
cve = new CveDB();
|
||||
cve.open();
|
||||
return cve.dataExists();
|
||||
} catch (DatabaseException ex) {
|
||||
return false;
|
||||
} finally {
|
||||
if (cve != null) {
|
||||
cve.close();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Downloads the latest NVD CVE XML file from the web and imports it into the current CVE Database.
|
||||
*
|
||||
|
||||
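Review bot: The new `dataExists()` swallows `DatabaseException` by returning false with no log line, so a locked or corrupt database becomes indistinguishable from an empty one and silently forces a full NVD re-download; `LOGGER.debug("Unable to check for existing CVE data", ex);` in the catch would leave a trace for the operator. The Javadoc also says it `Checks the CPE Index to ensure documents exists`, but the body queries `CveDB.dataExists()`, not the CPE index, and lacks an `@return`; suggest `Checks whether the CVE database already contains data.` with `@return true if the database could be opened and contains data; false if it is empty or cannot be opened`.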
@@ -46,7 +46,7 @@ public class CPEHandler extends DefaultHandler {
|
||||
/**
|
||||
* A reference to the current element.
|
||||
*/
|
||||
private Element current = new Element();
|
||||
private final Element current = new Element();
|
||||
/**
|
||||
* The logger.
|
||||
*/
|
||||
@@ -54,7 +54,7 @@ public class CPEHandler extends DefaultHandler {
|
||||
/**
|
||||
* The list of CPE values.
|
||||
*/
|
||||
private List<Cpe> data = new ArrayList<Cpe>();
|
||||
private final List<Cpe> data = new ArrayList<Cpe>();
|
||||
|
||||
/**
|
||||
* Returns the list of CPE values.
|
||||
|
||||
@@ -80,11 +80,11 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
|
||||
/**
|
||||
* The CVE DB to use when processing the files.
|
||||
*/
|
||||
private CveDB cveDB;
|
||||
private final CveDB cveDB;
|
||||
/**
|
||||
* The processor service to pass the results of the download to.
|
||||
*/
|
||||
private ExecutorService processorService;
|
||||
private final ExecutorService processorService;
|
||||
/**
|
||||
* The NVD CVE Meta Data.
|
||||
*/
|
||||
@@ -92,7 +92,7 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
|
||||
/**
|
||||
* A reference to the global settings object.
|
||||
*/
|
||||
private Settings settings;
|
||||
private final Settings settings;
|
||||
|
||||
/**
|
||||
* Get the value of nvdCveInfo.
|
||||
@@ -155,28 +155,6 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
|
||||
public void setSecond(File second) {
|
||||
this.second = second;
|
||||
}
|
||||
/**
|
||||
* A placeholder for an exception.
|
||||
*/
|
||||
private Exception exception = null;
|
||||
|
||||
/**
|
||||
* Get the value of exception.
|
||||
*
|
||||
* @return the value of exception
|
||||
*/
|
||||
public Exception getException() {
|
||||
return exception;
|
||||
}
|
||||
|
||||
/**
|
||||
* returns whether or not an exception occurred during download.
|
||||
*
|
||||
* @return whether or not an exception occurred during download
|
||||
*/
|
||||
public boolean hasException() {
|
||||
return exception != null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Future<ProcessTask> call() throws Exception {
|
||||
|
||||
@@ -99,7 +99,6 @@ public class NvdCve12Handler extends DefaultHandler {
|
||||
software = null;
|
||||
}
|
||||
} else if (!skip && current.isProdNode()) {
|
||||
|
||||
vendor = attributes.getValue("vendor");
|
||||
product = attributes.getValue("name");
|
||||
} else if (!skip && current.isVersNode()) {
|
||||
@@ -112,15 +111,19 @@ public class NvdCve12Handler extends DefaultHandler {
|
||||
/*yes yes, this may not actually be an "a" - it could be an OS, etc. but for our
|
||||
purposes this is good enough as we won't use this if we don't find a corresponding "a"
|
||||
in the nvd cve 2.0. */
|
||||
String cpe = "cpe:/a:" + vendor + ":" + product;
|
||||
final int cpeLen = 8 + vendor.length() + product.length()
|
||||
+ (null != num ? (1 + num.length()) : 0)
|
||||
+ (null != edition ? (1 + edition.length()) : 0);
|
||||
final StringBuilder cpe = new StringBuilder(cpeLen);
|
||||
cpe.append("cpe:/a:").append(vendor).append(':').append(product);
|
||||
if (num != null) {
|
||||
cpe += ':' + num;
|
||||
cpe.append(':').append(num);
|
||||
}
|
||||
if (edition != null) {
|
||||
cpe += ':' + edition;
|
||||
cpe.append(':').append(edition);
|
||||
}
|
||||
final VulnerableSoftware vs = new VulnerableSoftware();
|
||||
vs.setCpe(cpe);
|
||||
vs.setCpe(cpe.toString());
|
||||
vs.setPreviousVersion(prev);
|
||||
software.add(vs);
|
||||
}
|
||||
|
||||
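Review bot: The presizing line `final int cpeLen = 8 + vendor.length() + product.length()` dereferences `vendor` and `product`, which the preceding hunk obtains from `attributes.getValue(...)` and which are null when the attribute is absent; the old string concatenation tolerated that (emitting a "null" segment), so a 1.2 entry missing a `vendor` or `name` attribute now aborts the whole parse with a NullPointerException. Unless upstream validation guarantees both attributes, dropping the length arithmetic, `final StringBuilder cpe = new StringBuilder("cpe:/a:").append(vendor).append(':').append(product);`, keeps the StringBuilder without introducing the new failure mode. The enclosing method starts outside the hunk.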
@@ -85,7 +85,7 @@ public class ProcessTask implements Callable<ProcessTask> {
|
||||
/**
|
||||
* A reference to the global settings object.
|
||||
*/
|
||||
private Settings settings;
|
||||
private final Settings settings;
|
||||
|
||||
/**
|
||||
* Constructs a new ProcessTask used to process an NVD CVE update.
|
||||
|
||||
@@ -32,12 +32,12 @@ import org.owasp.dependencycheck.utils.Downloader;
|
||||
*
|
||||
* @author Jeremy Long
|
||||
*/
|
||||
public class UpdateableNvdCve implements java.lang.Iterable<NvdCveInfo>, Iterator<NvdCveInfo> {
|
||||
public class UpdateableNvdCve implements Iterable<NvdCveInfo>, Iterator<NvdCveInfo> {
|
||||
|
||||
/**
|
||||
* A collection of sources of data.
|
||||
*/
|
||||
private Map<String, NvdCveInfo> collection = new TreeMap<String, NvdCveInfo>();
|
||||
private final Map<String, NvdCveInfo> collection = new TreeMap<String, NvdCveInfo>();
|
||||
|
||||
/**
|
||||
* Returns the collection of NvdCveInfo objects. This method is mainly used for testing.
|
||||
|
||||
@@ -65,7 +65,7 @@ public class SuppressionHandler extends DefaultHandler {
|
||||
/**
|
||||
* A list of suppression rules.
|
||||
*/
|
||||
private List<SuppressionRule> suppressionRules = new ArrayList<SuppressionRule>();
|
||||
private final List<SuppressionRule> suppressionRules = new ArrayList<SuppressionRule>();
|
||||
|
||||
/**
|
||||
* Get the value of suppressionRules.
|
||||
|
||||
@@ -20,7 +20,6 @@ package org.owasp.dependencycheck.suppression;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Iterator;
|
||||
import java.util.List;
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.Identifier;
|
||||
import org.owasp.dependencycheck.dependency.Vulnerability;
|
||||
@@ -268,8 +267,8 @@ public class SuppressionRule {
|
||||
}
|
||||
|
||||
/**
|
||||
* A flag indicating whether or not the suppression rule is a core/base rule that should not be included in the
|
||||
* resulting report in the "suppressed" section.
|
||||
* A flag indicating whether or not the suppression rule is a core/base rule that should not be included in the resulting
|
||||
* report in the "suppressed" section.
|
||||
*/
|
||||
private boolean base;
|
||||
|
||||
@@ -292,8 +291,8 @@ public class SuppressionRule {
|
||||
}
|
||||
|
||||
/**
|
||||
* Processes a given dependency to determine if any CPE, CVE, CWE, or CVSS scores should be suppressed. If any
|
||||
* should be, they are removed from the dependency.
|
||||
* Processes a given dependency to determine if any CPE, CVE, CWE, or CVSS scores should be suppressed. If any should be, they
|
||||
* are removed from the dependency.
|
||||
*
|
||||
* @param dependency a project dependency to analyze
|
||||
*/
|
||||
@@ -382,7 +381,24 @@ public class SuppressionRule {
|
||||
* @return true if the property type does not specify a version; otherwise false
|
||||
*/
|
||||
boolean cpeHasNoVersion(PropertyType c) {
|
||||
return !c.isRegex() && StringUtils.countMatches(c.getValue(), ':') == 3;
|
||||
return !c.isRegex() && countCharacter(c.getValue(), ':') <= 3;
|
||||
}
|
||||
|
||||
/**
|
||||
* Counts the number of occurrences of the character found within the string.
|
||||
*
|
||||
* @param str the string to check
|
||||
* @param c the character to count
|
||||
* @return the number of times the character is found in the string
|
||||
*/
|
||||
int countCharacter(String str, char c) {
|
||||
int count = 0;
|
||||
int pos = str.indexOf(c) + 1;
|
||||
while (pos > 0) {
|
||||
count += 1;
|
||||
pos = str.indexOf(c, pos) + 1;
|
||||
}
|
||||
return count;
|
||||
}
|
||||
|
||||
/**
|
||||
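Review bot: `countCharacter(c.getValue(), ':') <= 3` widens the previous `== 3` test: a value with fewer than three colons, such as `cpe:/a:vendor`, is now also treated as "no version", which changes which suppression rules apply to every version of a product. If that widening is intended, the method's Javadoc (just above the hunk) should say so, e.g. `@return true if the value has at most three colons, i.e. no version component; otherwise false`. `countCharacter` also assumes a non-null `str`; a null guard or a documented precondition would make the contract explicit.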
@@ -417,7 +433,7 @@ public class SuppressionRule {
|
||||
*/
|
||||
@Override
|
||||
public String toString() {
|
||||
final StringBuilder sb = new StringBuilder();
|
||||
final StringBuilder sb = new StringBuilder(64);
|
||||
sb.append("SuppressionRule{");
|
||||
if (filePath != null) {
|
||||
sb.append("filePath=").append(filePath).append(',');
|
||||
|
||||
@@ -50,7 +50,7 @@ public abstract class Filter<T> {
|
||||
if (next == null) {
|
||||
throw new NoSuchElementException();
|
||||
}
|
||||
T returnValue = next;
|
||||
final T returnValue = next;
|
||||
toNext();
|
||||
return returnValue;
|
||||
}
|
||||
@@ -63,7 +63,7 @@ public abstract class Filter<T> {
|
||||
private void toNext() {
|
||||
next = null;
|
||||
while (iterator.hasNext()) {
|
||||
T item = iterator.next();
|
||||
final T item = iterator.next();
|
||||
if (item != null && passes(item)) {
|
||||
next = item;
|
||||
break;
|
||||
|
||||
@@ -241,7 +241,7 @@ public class Model {
|
||||
/**
|
||||
* The list of licenses.
|
||||
*/
|
||||
private List<License> licenses = new ArrayList<License>();
|
||||
private final List<License> licenses = new ArrayList<License>();
|
||||
|
||||
/**
|
||||
* Returns the list of licenses.
|
||||
|
||||
@@ -78,7 +78,7 @@ public class PomHandler extends DefaultHandler {
|
||||
/**
|
||||
* The pom model.
|
||||
*/
|
||||
private Model model = new Model();
|
||||
private final Model model = new Model();
|
||||
|
||||
/**
|
||||
* Returns the model obtained from the pom.xml.
|
||||
|
||||
@@ -12,4 +12,4 @@ DELIMITER ;
|
||||
|
||||
GRANT EXECUTE ON PROCEDURE dependencycheck.save_property TO 'dcuser';
|
||||
|
||||
UPDATE Properties SET value='3.0' WHERE ID='version';
|
||||
UPDATE properties SET value='3.0' WHERE ID='version';
|
||||
|
||||
@@ -189,4 +189,50 @@
|
||||
<gav regex="true">org.apache.geronimo.specs:.*</gav>
|
||||
<cpe>cpe:/a:apache:geronimo</cpe>
|
||||
</suppress>
|
||||
</suppressions>
|
||||
<suppress base="true">
|
||||
<notes><![CDATA[
|
||||
This suppresses false positives identified on tomcat-embed-el.
|
||||
]]></notes>
|
||||
<gav regex="true">org\.apache\.tomcat\.embed:tomcat-embed-el:.*</gav>
|
||||
<cpe>cpe:/a:apache:tomcat</cpe>
|
||||
<cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
|
||||
</suppress>
|
||||
<suppress base="true">
|
||||
<notes><![CDATA[
|
||||
This suppresses false positives identified on tomcat-jdbc.
|
||||
]]></notes>
|
||||
<gav regex="true">org\.apache\.tomcat:tomcat-jdbc:.*</gav>
|
||||
<cpe>cpe:/a:apache:tomcat</cpe>
|
||||
<cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
|
||||
</suppress>
|
||||
<suppress base="true">
|
||||
<notes><![CDATA[
|
||||
This suppresses false positives identified on tomcat-juli.
|
||||
]]></notes>
|
||||
<gav regex="true">org\.apache\.tomcat:tomcat-juli:.*</gav>
|
||||
<cpe>cpe:/a:apache:tomcat</cpe>
|
||||
<cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
|
||||
</suppress>
|
||||
<suppress base="true">
|
||||
<notes><![CDATA[
|
||||
suppress false positive per issue #433
|
||||
]]></notes>
|
||||
<gav regex="true">com\.google\.javascript:closure-compiler:.*</gav>
|
||||
<cpe>cpe:/a:google:google_apps:-</cpe>
|
||||
</suppress>
|
||||
<suppress base="true">
|
||||
<notes><![CDATA[
|
||||
suppress false positives per issue #437
|
||||
]]></notes>
|
||||
<gav regex="true">.*mongodb.*:.*:.*</gav>
|
||||
<cpe>cpe:/a:mongodb:mongodb</cpe>
|
||||
</suppress>
|
||||
<suppress base="true">
|
||||
<notes><![CDATA[
|
||||
suppress false positives per issue #438
|
||||
Note, there will be more false positives for Netty. Trying to figure out a better suppression.
|
||||
]]></notes>
|
||||
<gav regex="true">com.typesafe.netty:netty-http-pipelining:.*</gav>
|
||||
<cpe>cpe:/a:netty_project:netty:1.1.4</cpe>
|
||||
</suppress>
|
||||
</suppressions>
|
||||
|
||||
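Review bot: The new base rule `<gav regex="true">com.typesafe.netty:netty-http-pipelining:.*</gav>` leaves its dots unescaped while the tomcat and closure-compiler rules escape them as `\.`, so each `.` matches any character and the rule is slightly broader than written; `com\.typesafe\.netty:netty-http-pipelining:.*` matches the style of the rest of the file. The mongodb rule `.*mongodb.*:.*:.*` matches any coordinate whose group contains "mongodb" anywhere, which is wide for a base suppression that ships with the tool and hides the finding for every user; narrowing it to the driver's own group id, or stating in `<notes>` why the wide match is needed, would let reviewers judge it. Over-broad base suppressions matter because they silently remove true positives as well as false ones.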
@@ -18,8 +18,13 @@ engine.version.url=http://jeremylong.github.io/DependencyCheck/current.txt
|
||||
data.directory=[JAR]/data
|
||||
#if the filename has a %s it will be replaced with the current expected version
|
||||
data.file_name=dc.h2.db
|
||||
|
||||
### if you increment the DB version then you must increment the database file path
|
||||
### in the mojo.properties, task.properties (maven and ant respectively), and
|
||||
### the gradle PurgeDataExtension.
|
||||
data.version=3.0
|
||||
data.connection_string=jdbc:h2:file:%s;FILE_LOCK=FS;AUTOCOMMIT=ON;
|
||||
|
||||
data.connection_string=jdbc:h2:file:%s;FILE_LOCK=SERIALIZED;AUTOCOMMIT=ON;
|
||||
#data.connection_string=jdbc:mysql://localhost:3306/dependencycheck
|
||||
|
||||
# user name and password for the database connection. The inherent case is to use H2.
|
||||
|
||||
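Review bot: The switch to `FILE_LOCK=SERIALIZED` in `data.connection_string` changes how concurrent processes share the H2 database file, and nothing records why; H2 has described its serialized file-lock mode as experimental, so a comment above the line giving the reason (for example several dependency-check processes sharing one data directory) and the H2 version it was validated against would help whoever next touches it. The `###` note added above `data.version=3.0` lists the other files that must change in step; a matching pointer back to this file from those locations (task.properties is bumped to `data/3.0` in this same change) would keep them from drifting.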
@@ -21,7 +21,7 @@
|
||||
</xs:simpleType>
|
||||
<xs:simpleType name="cveType">
|
||||
<xs:restriction base="xs:string">
|
||||
<xs:pattern value="CVE\-\d\d\d\d\-\d+"/>
|
||||
<xs:pattern value="(\w+\-)?CVE\-\d\d\d\d\-\d+"/>
|
||||
</xs:restriction>
|
||||
</xs:simpleType>
|
||||
<xs:simpleType name="sha1Type">
|
||||
|
||||
@@ -503,7 +503,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|
||||
<body>
|
||||
<div id="modal-background"></div>
|
||||
<div id="modal-content">
|
||||
<div>Press CTR-C to copy XML <a href="http://jeremylong.github.io/DependencyCheck/suppression.html" class="infolink" target="_blank" title="Help with suppressing false positives">[help]</a></div>
|
||||
<div>Press CTR-C to copy XML <a href="http://jeremylong.github.io/DependencyCheck/general/suppression.html" class="infolink" target="_blank" title="Help with suppressing false positives">[help]</a></div>
|
||||
<textarea id="modal-text" cols="50" rows="10" readonly></textarea><br/>
|
||||
<button id="modal-add-header" title="Add the parent XML nodes to create the complete XML file that can be used to suppress this finding" class="modal-button">Complete XML Doc</button><button id="modal-close" class="modal-button-right">Close</button>
|
||||
</div>
|
||||
|
||||
@@ -159,7 +159,7 @@ public class AssemblyAnalyzerTest extends BaseTest {
|
||||
aanalyzer.initialize();
|
||||
fail("Expected an AnalysisException");
|
||||
} catch (AnalysisException ae) {
|
||||
assertEquals("An error occured with the .NET AssemblyAnalyzer", ae.getMessage());
|
||||
assertEquals("An error occurred with the .NET AssemblyAnalyzer", ae.getMessage());
|
||||
} finally {
|
||||
System.setProperty(LOG_KEY, oldProp);
|
||||
// Recover the logger
|
||||
|
||||
@@ -124,7 +124,7 @@ public class EngineVersionCheckTest extends BaseTest {
|
||||
updateToVersion = "";
|
||||
currentVersion = "1.2.5";
|
||||
lastChecked = df.parse("2014-12-01").getTime();
|
||||
now = df.parse("2014-12-08").getTime();
|
||||
now = df.parse("2015-12-08").getTime();
|
||||
expResult = true;
|
||||
instance.setUpdateToVersion(updateToVersion);
|
||||
result = instance.shouldUpdate(lastChecked, now, properties, currentVersion);
|
||||
|
||||
@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
|
||||
<parent>
|
||||
<groupId>org.owasp</groupId>
|
||||
<artifactId>dependency-check-parent</artifactId>
|
||||
<version>1.3.2</version>
|
||||
<version>1.3.4</version>
|
||||
</parent>
|
||||
|
||||
<artifactId>dependency-check-maven</artifactId>
|
||||
@@ -204,6 +204,10 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
|
||||
<groupId>org.apache.maven.reporting</groupId>
|
||||
<artifactId>maven-reporting-api</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.sonatype.plexus</groupId>
|
||||
<artifactId>plexus-sec-dispatcher</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.jmockit</groupId>
|
||||
<artifactId>jmockit</artifactId>
|
||||
|
||||
@@ -48,7 +48,7 @@ import org.owasp.dependencycheck.utils.Settings;
|
||||
name = "aggregate",
|
||||
defaultPhase = LifecyclePhase.VERIFY,
|
||||
/*aggregator = true,*/
|
||||
threadSafe = true,
|
||||
threadSafe = false,
|
||||
requiresDependencyResolution = ResolutionScope.COMPILE_PLUS_RUNTIME,
|
||||
requiresOnline = true
|
||||
)
|
||||
@@ -107,7 +107,7 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
|
||||
getLog().debug(String.format("Dependency count post-bundler: %s", engine.getDependencies().size()));
|
||||
}
|
||||
} catch (AnalysisException ex) {
|
||||
getLog().warn("An error occured grouping the dependencies; duplicate entries may exist in the report", ex);
|
||||
getLog().warn("An error occurred grouping the dependencies; duplicate entries may exist in the report", ex);
|
||||
getLog().debug("Bundling Exception", ex);
|
||||
}
|
||||
|
||||
|
||||
@@ -33,11 +33,13 @@ import org.apache.maven.doxia.sink.Sink;
|
||||
import org.apache.maven.plugin.AbstractMojo;
|
||||
import org.apache.maven.plugin.MojoExecutionException;
|
||||
import org.apache.maven.plugin.MojoFailureException;
|
||||
import org.apache.maven.plugins.annotations.Component;
|
||||
import org.apache.maven.plugins.annotations.Parameter;
|
||||
import org.apache.maven.project.MavenProject;
|
||||
import org.apache.maven.reporting.MavenReport;
|
||||
import org.apache.maven.reporting.MavenReportException;
|
||||
import org.apache.maven.settings.Proxy;
|
||||
import org.apache.maven.settings.Server;
|
||||
import org.owasp.dependencycheck.data.nexus.MavenArtifact;
|
||||
import org.owasp.dependencycheck.data.nvdcve.CveDB;
|
||||
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
|
||||
@@ -48,6 +50,9 @@ import org.owasp.dependencycheck.dependency.Identifier;
|
||||
import org.owasp.dependencycheck.dependency.Vulnerability;
|
||||
import org.owasp.dependencycheck.reporting.ReportGenerator;
|
||||
import org.owasp.dependencycheck.utils.Settings;
|
||||
import org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher;
|
||||
import org.sonatype.plexus.components.sec.dispatcher.SecDispatcher;
|
||||
import org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException;
|
||||
|
||||
/**
|
||||
*
|
||||
@@ -105,7 +110,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
|
||||
* is true.
|
||||
*/
|
||||
@SuppressWarnings("CanBeFinal")
|
||||
@Parameter(property = "autoupdate")
|
||||
@Parameter(property = "autoUpdate")
|
||||
private Boolean autoUpdate;
|
||||
/**
|
||||
* Generate aggregate reports in multi-module projects.
|
||||
@@ -262,6 +267,21 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
|
||||
*/
|
||||
@Parameter(property = "databaseDriverPath", defaultValue = "", required = false)
|
||||
private String databaseDriverPath;
|
||||
/**
|
||||
* The server id in the settings.xml; used to retrieve encrypted passwords from the settings.xml.
|
||||
*/
|
||||
@Parameter(property = "serverId", defaultValue = "", required = false)
|
||||
private String serverId;
|
||||
/**
|
||||
* A reference to the settings.xml settings.
|
||||
*/
|
||||
@Parameter(defaultValue = "${settings}", readonly = true, required = true)
|
||||
private org.apache.maven.settings.Settings settingsXml;
|
||||
/**
|
||||
* The security dispatcher that can decrypt passwords in the settings.xml.
|
||||
*/
|
||||
@Component(role = SecDispatcher.class, hint = "default")
|
||||
private SecDispatcher securityDispatcher;
|
||||
/**
|
||||
* The database user name.
|
||||
*/
|
||||
@@ -677,9 +697,49 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
|
||||
Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
|
||||
Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
|
||||
Settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
|
||||
|
||||
if (databaseUser == null && databasePassword == null && serverId != null) {
|
||||
final Server server = settingsXml.getServer(serverId);
|
||||
if (server != null) {
|
||||
databaseUser = server.getUsername();
|
||||
try {
|
||||
//The following fix was copied from:
|
||||
// https://github.com/bsorrentino/maven-confluence-plugin/blob/master/maven-confluence-reporting-plugin/src/main/java/org/bsc/maven/confluence/plugin/AbstractBaseConfluenceMojo.java
|
||||
//
|
||||
// FIX to resolve
|
||||
// org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException:
|
||||
// java.io.FileNotFoundException: ~/.settings-security.xml (No such file or directory)
|
||||
//
|
||||
if (securityDispatcher instanceof DefaultSecDispatcher) {
|
||||
((DefaultSecDispatcher) securityDispatcher).setConfigurationFile("~/.m2/settings-security.xml");
|
||||
}
|
||||
|
||||
databasePassword = securityDispatcher.decrypt(server.getPassword());
|
||||
} catch (SecDispatcherException ex) {
|
||||
if (ex.getCause() instanceof FileNotFoundException
|
||||
|| (ex.getCause() != null && ex.getCause().getCause() instanceof FileNotFoundException)) {
|
||||
//maybe its not encrypted?
|
||||
final String tmp = server.getPassword();
|
||||
if (tmp.startsWith("{") && tmp.endsWith("}")) {
|
||||
getLog().error(String.format(
|
||||
"Unable to decrypt the server password for server id '%s' in settings.xml%n\tCause: %s",
|
||||
serverId, ex.getMessage()));
|
||||
} else {
|
||||
databasePassword = tmp;
|
||||
}
|
||||
} else {
|
||||
getLog().error(String.format(
|
||||
"Unable to decrypt the server password for server id '%s' in settings.xml%n\tCause: %s",
|
||||
serverId, ex.getMessage()));
|
||||
}
|
||||
}
|
||||
} else {
|
||||
getLog().error(String.format("Server '%s' not found in the settings.xml file", serverId));
|
||||
}
|
||||
}
|
||||
|
||||
Settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
|
||||
Settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
|
||||
|
||||
Settings.setStringIfNotEmpty(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
|
||||
|
||||
Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
|
||||
|
||||
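Review bot: Both `SecDispatcherException` branches in the new settings.xml block only log and fall through, so a password that cannot be decrypted leaves `databasePassword` null and the goal continues to a later, less specific database-connection failure; since `MojoExecutionException` is already imported, `throw new MojoExecutionException(String.format("Unable to decrypt the server password for server id '%s' in settings.xml", serverId), ex);` in both places would fail fast and preserve the cause (the enclosing method starts outside the hunk, so its `throws` clause may need extending). If logging is kept instead, pass `ex` as the second argument to `getLog().error` rather than only `ex.getMessage()`, which drops the stack trace. The plaintext fallback on `FileNotFoundException` is sensible but the `tmp.startsWith("{") && tmp.endsWith("}")` test is unexplained; a comment such as `// no settings-security.xml on disk: accept the value as plaintext unless it looks like a {cipher} token` would state the intent. The two `getLog().error` calls also build the identical message, so a single shared format string would remove the duplication.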
@@ -36,7 +36,7 @@ import org.owasp.dependencycheck.utils.Settings;
|
||||
@Mojo(
|
||||
name = "check",
|
||||
defaultPhase = LifecyclePhase.VERIFY,
|
||||
threadSafe = true,
|
||||
threadSafe = false,
|
||||
requiresDependencyResolution = ResolutionScope.COMPILE_PLUS_RUNTIME,
|
||||
requiresOnline = true
|
||||
)
|
||||
|
||||
@@ -35,7 +35,7 @@ import org.owasp.dependencycheck.utils.Settings;
|
||||
@Mojo(
|
||||
name = "purge",
|
||||
defaultPhase = LifecyclePhase.GENERATE_RESOURCES,
|
||||
threadSafe = true,
|
||||
threadSafe = false,
|
||||
requiresDependencyResolution = ResolutionScope.NONE,
|
||||
requiresOnline = true
|
||||
)
|
||||
|
||||
@@ -34,7 +34,7 @@ import org.owasp.dependencycheck.utils.Settings;
|
||||
@Mojo(
|
||||
name = "update-only",
|
||||
defaultPhase = LifecyclePhase.GENERATE_RESOURCES,
|
||||
threadSafe = true,
|
||||
threadSafe = false,
|
||||
requiresDependencyResolution = ResolutionScope.NONE,
|
||||
requiresOnline = true
|
||||
)
|
||||
|
||||
@@ -1,2 +1,2 @@
|
||||
# the path to the data directory
|
||||
data.directory=[JAR]/../../dependency-check-data
|
||||
data.directory=[JAR]/../../dependency-check-data/3.0
|
||||
|
||||
@@ -71,6 +71,7 @@ dataDirectory | Sets the data directory to hold SQL CVEs contents. This s
|
||||
databaseDriverName | The name of the database driver. Example: org.h2.Driver. |
|
||||
databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. |
|
||||
connectionString | The connection string used to connect to the database. |
|
||||
serverId | The id of a server defined in the settings.xml; this can be used to encrypt the database password. See [password encryption](http://maven.apache.org/guides/mini/guide-encryption.html) for more information. |
|
||||
databaseUser | The username used when connecting to the database. |
|
||||
databasePassword | The password used when connecting to the database. |
|
||||
metaFileName | Sets the name of the file to use for storing the metadata about the project. | dependency-check.ser
|
||||
|
||||
@@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
|
||||
<parent>
|
||||
<groupId>org.owasp</groupId>
|
||||
<artifactId>dependency-check-parent</artifactId>
|
||||
<version>1.3.2</version>
|
||||
<version>1.3.4</version>
|
||||
</parent>
|
||||
|
||||
<artifactId>dependency-check-utils</artifactId>
|
||||
|
||||
30
pom.xml
30
pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
|
||||
|
||||
<groupId>org.owasp</groupId>
|
||||
<artifactId>dependency-check-parent</artifactId>
|
||||
<version>1.3.2</version>
|
||||
<version>1.3.4</version>
|
||||
<packaging>pom</packaging>
|
||||
|
||||
<modules>
|
||||
@@ -129,7 +129,7 @@ Copyright (c) 2012 - Jeremy Long
|
||||
<logback.version>1.1.3</logback.version>
|
||||
<reporting.checkstyle-plugin.version>2.17</reporting.checkstyle-plugin.version>
|
||||
<reporting.cobertura-plugin.version>2.7</reporting.cobertura-plugin.version>
|
||||
<reporting.pmd-plugin.version>3.5</reporting.pmd-plugin.version>
|
||||
<reporting.pmd-plugin.version>3.6</reporting.pmd-plugin.version>
|
||||
</properties>
|
||||
<distributionManagement>
|
||||
<snapshotRepository>
|
||||
@@ -170,7 +170,7 @@ Copyright (c) 2012 - Jeremy Long
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-clean-plugin</artifactId>
|
||||
<version>2.6.1</version>
|
||||
<version>3.0.0</version>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
@@ -195,7 +195,7 @@ Copyright (c) 2012 - Jeremy Long
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-failsafe-plugin</artifactId>
|
||||
<version>2.19</version>
|
||||
<version>2.19.1</version>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
@@ -230,7 +230,7 @@ Copyright (c) 2012 - Jeremy Long
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-surefire-plugin</artifactId>
|
||||
<version>2.18.1</version>
|
||||
<version>2.19.1</version>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
@@ -240,12 +240,12 @@ Copyright (c) 2012 - Jeremy Long
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-source-plugin</artifactId>
|
||||
<version>2.2.1</version>
|
||||
<version>2.4</version>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-javadoc-plugin</artifactId>
|
||||
<version>2.9.1</version>
|
||||
<version>2.10.3</version>
|
||||
</plugin>
|
||||
</plugins>
|
||||
</pluginManagement>
|
||||
@@ -472,7 +472,7 @@ Copyright (c) 2012 - Jeremy Long
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-surefire-report-plugin</artifactId>
|
||||
<version>2.19</version>
|
||||
<version>2.19.1</version>
|
||||
<reportSets>
|
||||
<reportSet>
|
||||
<reports>
|
||||
@@ -496,7 +496,7 @@ Copyright (c) 2012 - Jeremy Long
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>findbugs-maven-plugin</artifactId>
|
||||
<version>3.0.2</version>
|
||||
<version>3.0.3</version>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
@@ -562,12 +562,13 @@ Copyright (c) 2012 - Jeremy Long
|
||||
<dependency>
|
||||
<groupId>org.apache.commons</groupId>
|
||||
<artifactId>commons-lang3</artifactId>
|
||||
<version>3.4</version>
|
||||
<!--upgrading beyond this may cause issues with the Jenkins plugin-->
|
||||
<version>3.3.2</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>com.sun.mail</groupId>
|
||||
<artifactId>mailapi</artifactId>
|
||||
<version>1.5.4</version>
|
||||
<version>1.5.5</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>ch.qos.logback</groupId>
|
||||
@@ -660,6 +661,11 @@ Copyright (c) 2012 - Jeremy Long
|
||||
<artifactId>velocity</artifactId>
|
||||
<version>1.7</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.sonatype.plexus</groupId>
|
||||
<artifactId>plexus-sec-dispatcher</artifactId>
|
||||
<version>1.4</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.glassfish</groupId>
|
||||
<artifactId>javax.json</artifactId>
|
||||
@@ -674,7 +680,7 @@ Copyright (c) 2012 - Jeremy Long
|
||||
<dependency>
|
||||
<groupId>org.jmockit</groupId>
|
||||
<artifactId>jmockit</artifactId>
|
||||
<version>1.20</version>
|
||||
<version>1.21</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
|
||||
@@ -17,7 +17,7 @@ autoUpdate | Sets whether auto-updating of the NVD CVE/CPE data is ena
|
||||
cveValidForHours | Sets the number of hours to wait before checking for new updates from the NVD. | 4
|
||||
failBuildOnCVSS | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11; since the CVSS scores are 0-10, by default the build will never fail. | 11
|
||||
format | The report format to be generated (HTML, XML, VULN, ALL). | HTML
|
||||
reportsDirName | The location to write the report(s). This directory will be located in the build directory. | reports
|
||||
outputDirectory | The location to write the report(s). This directory will be located in the build directory. | build/reports
|
||||
skipTestGroups | When set to true (the default) all dependency groups that being with 'test' will be skipped. | true
|
||||
suppressionFile | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html) |
|
||||
|
||||
@@ -81,7 +81,7 @@ dependencyCheck {
|
||||
### Analyzer Configuration
|
||||
|
||||
In addition to the above, the dependencyCheck plugin can be configured to enable or disable specific
|
||||
analyzers by configuring the `analyzer` section. Note, specific file type analyzers will automatically
|
||||
analyzers by configuring the `analyzers` section. Note, specific file type analyzers will automatically
|
||||
disable themselves if no file types that they support are detected - so specifically disabling the
|
||||
analyzers is likely not needed.
|
||||
|
||||
@@ -109,7 +109,7 @@ pathToMono | The path to Mono for .NET assembly analysis on non-windo
|
||||
#### Example
|
||||
```groovy
|
||||
dependencyCheck {
|
||||
analyzer {
|
||||
analyzers {
|
||||
assemblyEnabled=false
|
||||
}
|
||||
}
|
||||
|
||||
@@ -12,6 +12,8 @@ seven days the update will only take a few seconds.
|
||||
|
||||
#set( $H = '#' )
|
||||
|
||||
$H$H Quick Start
|
||||
|
||||
$H$H$H Step 1, Apply dependency-check-gradle plugin
|
||||
Install from Maven central repo
|
||||
|
||||
@@ -25,7 +27,7 @@ buildscript {
|
||||
}
|
||||
}
|
||||
|
||||
apply plugin: 'dependencyCheck'
|
||||
apply plugin: 'org.owasp.dependencycheck'
|
||||
```
|
||||
|
||||
$H$H$H Step 2, Run the dependencyCheck task
|
||||
@@ -36,9 +38,14 @@ Once gradle plugin applied, run following gradle task to check dependencies:
|
||||
gradle dependencyCheck --info
|
||||
```
|
||||
|
||||
The reports will be generated automatically under `buildDir/reports` folder.
|
||||
The reports will be generated automatically under `build/reports` folder.
|
||||
|
||||
|
||||
$H$H Task Configuration
|
||||
The OWASP dependency-check-gradle plugin contains three tasks: [dependencyCheck](configuration.html),
|
||||
[dependencyCheckUpdate](configuration-update.html), and [dependencyCheckPurge](configuration-purge.html).
|
||||
Please see each tasks configuration page for more information.
|
||||
|
||||
Mailing List
|
||||
------------
|
||||
|
||||
|
||||
@@ -74,7 +74,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
|
||||
</breadcrumbs>
|
||||
|
||||
<menu name="OWASP dependency-check">
|
||||
<item collapse="false" name="General" href="./index.html">
|
||||
<item collapse="true" name="General" href="./index.html">
|
||||
<item name="How it Works" href="./general/internals.html">
|
||||
<description>How does dependency-check work?</description>
|
||||
</item>
|
||||
@@ -156,9 +156,9 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
|
||||
</item>
|
||||
<item collapse="true" name="Gradle Plugin" href="./dependency-check-gradle/index.html">
|
||||
<description>Gradle plugin for OWASP dependency-check.</description>
|
||||
<item name="dependencyCheck" href="./dependency-check-gradle/configuration.html" />
|
||||
<item name="dependencyCheckUpdate" href="./dependency-check-gradle/configuration-update.html" />
|
||||
<item name="dependencyCheckPurge" href="./dependency-check-gradle/configuration-purge.html" />
|
||||
<item name="Check Task" href="./dependency-check-gradle/configuration.html" />
|
||||
<item name="Update Task" href="./dependency-check-gradle/configuration-update.html" />
|
||||
<item name="Purge Task" href="./dependency-check-gradle/configuration-purge.html" />
|
||||
</item>
|
||||
<item name="Jenkins Plugin" href="./dependency-check-jenkins/index.html">
|
||||
<description>A Jenkins plugin for OWASP dependency-check.</description>
|
||||
|
||||