github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-14 07:43:40 +01:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: github-mirrors:v1.3.2
Branches Tags
github-mirrors:master github-mirrors:feature/java-version-parse github-mirrors:cvedb-cache github-mirrors:reportGeneration github-mirrors:stevespringett-master github-mirrors:gh-pages github-mirrors:issue690_threadsafe
github-mirrors:v1.4.5 github-mirrors:v1.4.4 github-mirrors:1.4.3 github-mirrors:v1.4.2 github-mirrors:v1.4.1 github-mirrors:v1.4.0 github-mirrors:v1.3.6 github-mirrors:v1.3.5 github-mirrors:v1.3.4 github-mirrors:v1.3.3 github-mirrors:v1.3.2 github-mirrors:v1.3.1 github-mirrors:v1.3.0 github-mirrors:v1.2.11 github-mirrors:v1.2.9 github-mirrors:v1.2.8 github-mirrors:v1.2.7 github-mirrors:v1.2.6 github-mirrors:v1.2.5 github-mirrors:v1.2.4 github-mirrors:v1.2.3 github-mirrors:v1.2.2 github-mirrors:v1.2.1 github-mirrors:v1.2.0.1 github-mirrors:v1.2.0 github-mirrors:v1.1.4 github-mirrors:v1.1.3 github-mirrors:v1.1.2 github-mirrors:v1.1.1 github-mirrors:v1.1.0 github-mirrors:v1.0.8 github-mirrors:v1.0.7 github-mirrors:v1.0.6 github-mirrors:v1.0.5 github-mirrors:v1.0.4 github-mirrors:v1.0.3 github-mirrors:v1.0.2 github-mirrors:v1.0.1 github-mirrors:v0.3.2.4 github-mirrors:v0.3.2.3 github-mirrors:v0.3.2.2 github-mirrors:v0.3.2.0 github-mirrors:v0.3.1.1 github-mirrors:v0.3.1.0 github-mirrors:v0.3.0.0 github-mirrors:v0.2.6.0 github-mirrors:v0.2.5.2 github-mirrors:v0.2.5.1 github-mirrors:v0.2.5.0 github-mirrors:v0.2.4.0 github-mirrors:v0.2.3.2 github-mirrors:v0.2.3.1 github-mirrors:v0.2.3 github-mirrors:v0.2.2 github-mirrors:v0.2.1 github-mirrors:v0.2.0
...
compare: github-mirrors:v1.3.6
Branches Tags
github-mirrors:feature/java-version-parse github-mirrors:cvedb-cache github-mirrors:reportGeneration github-mirrors:master github-mirrors:stevespringett-master github-mirrors:gh-pages github-mirrors:issue690_threadsafe
github-mirrors:v1.4.5 github-mirrors:v1.4.4 github-mirrors:1.4.3 github-mirrors:v1.4.2 github-mirrors:v1.4.1 github-mirrors:v1.4.0 github-mirrors:v1.3.6 github-mirrors:v1.3.5 github-mirrors:v1.3.4 github-mirrors:v1.3.3 github-mirrors:v1.3.2 github-mirrors:v1.3.1 github-mirrors:v1.3.0 github-mirrors:v1.2.11 github-mirrors:v1.2.9 github-mirrors:v1.2.8 github-mirrors:v1.2.7 github-mirrors:v1.2.6 github-mirrors:v1.2.5 github-mirrors:v1.2.4 github-mirrors:v1.2.3 github-mirrors:v1.2.2 github-mirrors:v1.2.1 github-mirrors:v1.2.0.1 github-mirrors:v1.2.0 github-mirrors:v1.1.4 github-mirrors:v1.1.3 github-mirrors:v1.1.2 github-mirrors:v1.1.1 github-mirrors:v1.1.0 github-mirrors:v1.0.8 github-mirrors:v1.0.7 github-mirrors:v1.0.6 github-mirrors:v1.0.5 github-mirrors:v1.0.4 github-mirrors:v1.0.3 github-mirrors:v1.0.2 github-mirrors:v1.0.1 github-mirrors:v0.3.2.4 github-mirrors:v0.3.2.3 github-mirrors:v0.3.2.2 github-mirrors:v0.3.2.0 github-mirrors:v0.3.1.1 github-mirrors:v0.3.1.0 github-mirrors:v0.3.0.0 github-mirrors:v0.2.6.0 github-mirrors:v0.2.5.2 github-mirrors:v0.2.5.1 github-mirrors:v0.2.5.0 github-mirrors:v0.2.4.0 github-mirrors:v0.2.3.2 github-mirrors:v0.2.3.1 github-mirrors:v0.2.3 github-mirrors:v0.2.2 github-mirrors:v0.2.1 github-mirrors:v0.2.0

167 Commits
v1.3.2 ... v1.3.6

Author SHA1 Message Date
Jeremy Long
8722eae766 version 1.3.6 2016-04-10 07:06:07 -04:00
Jeremy Long
53776936ca fix FP per issue #469 2016-04-09 11:27:08 -04:00
Jeremy Long
dca465b801 fixed minor warning about file encoding during build 2016-04-09 07:31:40 -04:00
Jeremy Long
43cd115dc7 Merge pull request #482 from awhitford/DepUpg-160406 
Dependency Updates
 2016-04-09 06:59:29 -04:00
Jeremy Long
e7ba08e52c updated log message to assist in debugging an issue 2016-04-09 06:51:00 -04:00
Jeremy Long
9df12e6ff2 updated log message to assist in debugging an issue 2016-04-09 06:49:44 -04:00
Jeremy Long
b5c7fb747c updated log message to assist in debugging an issue 2016-04-09 06:38:37 -04:00
Anthony Whitford
a40a4afe80 SLF4J 1.7.21 released; commons-compress 1.11 released. 2016-04-06 21:39:27 -07:00
Jeremy Long
d4a6c58cc8 upgrade the transitive dependency commons-collections 2016-04-05 12:08:16 -04:00
Jeremy Long
d644431a4e Merge pull request #479 from awhitford/SLF4J1720LB117 
SLF4J 1.7.20 and Logback 1.1.7 released.
 2016-04-03 07:41:54 -04:00
Anthony Whitford
f4df263dfe SLF4J 1.7.20 and Logback 1.1.7 released. 2016-03-30 21:03:51 -07:00
Jeremy Long
0b699d45bf Merge pull request #467 from colezlaw/python-init 
Patch for jeremylong/DependencyCheck/#466
 2016-03-25 19:35:06 -04:00
Jeremy Long
54beafa262 Merge pull request #475 from biancajiang/master 
Fix test to skip the proper test case when bundle-audit is not available
 2016-03-25 19:34:34 -04:00
Jeremy Long
531d4923eb Merge pull request #470 from MrBerg/suppress-osvdb 
Make it possible to suppress vulnerabilities from OSVDB
 2016-03-25 19:33:43 -04:00
Jeremy Long
b160a4d1dd Merge pull request #478 from swapnilsm/master 
Added primary key to "software" table
 2016-03-25 19:32:45 -04:00
Swapnil S. Mahajan
ca54daf456 Added primary key to "software" table 
"software" is a bridge table so there should always be only one record for a pair of cpeEntryId and cveid.
 2016-03-25 16:55:53 +05:30
bjiang
a22fc550b3 #472 fix test to only skip the proper test case. 2016-03-21 11:38:52 -04:00
Jeremy Long
0650d93953 Merge pull request #474 from awhitford/SLF4J1719 
SLF4J 1.7.19 released.
 2016-03-21 08:18:41 -04:00
Jeremy Long
5633258fa7 Update README.md 2016-03-21 08:16:06 -04:00
Jeremy Long
12278cda58 Update README.md 
Fixed broken link to documentation.
 2016-03-21 08:12:39 -04:00
Jeremy Long
84d1f08fda updated documentation for NVD urls to match what is hosted by NIST 2016-03-21 07:58:02 -04:00
Jeremy Long
c184292a57 Merge pull request #473 from biancajiang/master 
Handle bundle-audit not available case and fix RubyBundleAuditAnalyzer test cases
 2016-03-21 07:52:17 -04:00
Anthony Whitford
4cdfcb9f9d SLF4J 1.7.19 released. 2016-03-20 20:47:07 -04:00
bjiang
343a78917c Fixed #472. Disable RubyBundleAuditAnalyzer if exception during initialize. 
changes:
1. disable self during initialize before bubbling exception
2. new test case RubyBundleAuditAnalyzerTest#testMissingBundleAudit()
 2016-03-20 17:06:03 -04:00
bjiang
ff7d0fdb9d #472 first fix and improve RubyBundleAuditAnalyzerTest.java 
Test were failing b/c Gemfile.lock and Gemfile were missing.
The files were missing b/c parent .gitignore them.
Changes:
1. Force added new test files, and updated test with more result
validation.
2. Added error logging from bundle-audit.
3. place holder for bundle-audit install directory in test
dependencycheck.properties.
 2016-03-20 15:54:24 -04:00
Jonas Berg
db26b46be0 Make it possible to suppress vulnerabilities from OSVDB 2016-03-16 13:59:23 +02:00
Will Stranathan
d77a70c360 Patch for jeremylong/DependencyCheck/#466 
This does two things:
1) Updates the PythonPackageAnalyzer to HIGH evidence for __init__.py
2) Removes evidence from the FileNameAnalyzer for __init__.py[co]?

TODO: Need for the PythonPackageAnalyzer to still add evidence for
__init__.py[co] even though it won't be able to analyze the contents of
it. Also, need to work up the tree for __init__.py files to get the
parent folders (not sure why subfolders are not being inspected).
 2016-03-12 15:09:43 -05:00
Jeremy Long
42f4ae65d1 Merge pull request #463 from chadjvw/master 
Updated Oracle init script
 2016-03-07 20:43:05 -05:00
Chad Van Wyhe
88daac31d2 Merge pull request #1 from chadjvw/oracle-init-fix 
fixed trigger compilation and added version number
 2016-03-07 12:59:02 -06:00
Chad Van Wyhe
ac04c173a8 fixed trigger compilation and added version number 2016-03-07 12:55:18 -06:00
Jeremy Long
8401494fbc Merge pull request #462 from thc202/issues-page-gradle-purge 
Fix issues in Gradle's dependencyCheckPurge task site page
 2016-03-06 18:54:03 -05:00
Jeremy Long
97af118cb9 Merge pull request #461 from thc202/broken-link-readme 
Fix broken link in README.md file... Thanks!
 2016-03-06 18:53:12 -05:00
thc202
091e6026bc Fix issues in Gradle's dependencyCheckPurge task site page 
Fix broken link to dependencyCheckUpdate task page, remove repeated
closing character ']'.
Replace $H with # in the heading of the example.
 2016-03-06 23:46:12 +00:00
thc202
c798ede7bf Fix broken link in README.md file 
Correct the link to NOTICE.txt file, change from NOTICES.txt to
NOTICE.txt.
 2016-03-06 23:46:04 +00:00
Jeremy Long
225851f067 Merge pull request #460 from awhitford/DepUpg160306 
Dependency Upgrades
 2016-03-06 18:01:03 -05:00
Jeremy Long
9dd65ecf70 Merge pull request #459 from awhitford/MPIR29 
maven-project-info-reports-plugin 2.9 released.
 2016-03-06 18:00:48 -05:00
Jeremy Long
1a9cc4b6be snapshot 2016-03-06 17:42:18 -05:00
Jeremy Long
a612f206bf version 1.3.5.1 2016-03-06 17:30:37 -05:00
Jeremy Long
e51031c62a fix bug in getLastProject for non-site executions 2016-03-06 17:28:40 -05:00
Anthony Whitford
e30c29ef50 SLF4J 1.7.18 released; Logback 1.1.6 released; jMockit 1.22 released. 2016-03-06 08:53:58 -08:00
Anthony Whitford
91ddcadbcd Removed maven-site-plugin from dependencyManagement. 2016-03-06 08:51:04 -08:00
Anthony Whitford
8c145860e5 maven-project-info-reports-plugin 2.9 released. 2016-03-06 08:35:09 -08:00
Jeremy Long
a19dd7687e v 1.3.6-SNAPSHOT 2016-03-05 16:13:29 -05:00
Jeremy Long
550d6ca083 v1.3.5 2016-03-05 16:08:59 -05:00
Jeremy Long
b425411357 doclint fixes 2016-03-05 13:18:42 -05:00
Jeremy Long
a1f0cf749d doclint fixes 2016-03-05 13:18:38 -05:00
Jeremy Long
22e0d1c74e doclint fixes 2016-03-05 13:18:37 -05:00
Jeremy Long
cdc07047aa doclint fixes 2016-03-05 13:18:37 -05:00
Jeremy Long
c832c2da28 doclint fixes 2016-03-05 13:18:37 -05:00
Jeremy Long
8daa713639 doclint fixes 2016-03-05 13:18:36 -05:00
Jeremy Long
e0a2966706 doclint fixes 2016-03-05 13:18:36 -05:00
Jeremy Long
354bfa14f9 doclint fixes 2016-03-05 13:18:35 -05:00
Jeremy Long
46b91702ba doclint fixes 2016-03-05 13:18:35 -05:00
Jeremy Long
de9516e368 doclint fixes 2016-03-05 13:18:35 -05:00
Jeremy Long
3924e07e5c doclint fixes 2016-03-05 13:18:34 -05:00
Jeremy Long
76bcbb5a7e doclint fixes 2016-03-05 13:18:34 -05:00
Jeremy Long
8022381d1c doclint fixes 2016-03-05 13:18:33 -05:00
Jeremy Long
feb1233081 doclint fixes 2016-03-05 13:18:33 -05:00
Jeremy Long
36eefd0836 doclint fixes 2016-03-05 13:18:32 -05:00
Jeremy Long
0e31e59759 doclint fixes 2016-03-05 13:18:32 -05:00
Jeremy Long
4a4c1e75da doclint fixes 2016-03-05 13:18:32 -05:00
Jeremy Long
b0bfd2292a doclint fixes 2016-03-05 13:18:31 -05:00
Jeremy Long
7214b24357 doclint fixes 2016-03-05 13:18:31 -05:00
Jeremy Long
24637f496f doclint fixes 2016-03-05 13:18:30 -05:00
Jeremy Long
d8ecde5265 doclint fixes 2016-03-05 13:18:30 -05:00
Jeremy Long
28840c6209 doclint fixes 2016-03-05 13:18:29 -05:00
Jeremy Long
1696213406 doclint fixes 2016-03-05 13:18:29 -05:00
Jeremy Long
6f315ac765 doclint fixes 2016-03-05 13:18:28 -05:00
Jeremy Long
a485307d92 doclint fixes 2016-03-05 13:18:28 -05:00
Jeremy Long
3d3b861ba0 doclint fixes 2016-03-05 13:18:28 -05:00
Jeremy Long
4b33ed25d5 doclint fixes 2016-03-05 13:18:27 -05:00
Jeremy Long
e264880c7b doclint fixes 2016-03-05 13:18:27 -05:00
Jeremy Long
ef8212701f doclint fixes 2016-03-05 13:18:26 -05:00
Jeremy Long
492157a502 doclint fixes 2016-03-05 13:18:26 -05:00
Jeremy Long
2605bc182e doclint fixes 2016-03-05 13:18:25 -05:00
Jeremy Long
fe8dfdd804 doclint fixes 2016-03-05 13:18:25 -05:00
Jeremy Long
bd917bc990 doclint fixes 2016-03-05 13:18:24 -05:00
Jeremy Long
c5c32f683f doclint fixes 2016-03-05 13:18:24 -05:00
Jeremy Long
5506e58c98 doclint fixes 2016-03-05 13:18:23 -05:00
Jeremy Long
5af2d49b18 doclint fixes 2016-03-05 13:18:23 -05:00
Jeremy Long
0fd35a4925 doclint fixes 2016-03-05 13:18:23 -05:00
Jeremy Long
7ed20b1244 doclint fixes 2016-03-05 13:18:22 -05:00
Jeremy Long
efa6a78255 doclint fixes 2016-03-05 13:18:22 -05:00
Jeremy Long
8b58df3b34 checkstyle/pmd/findbugs corrections 2016-03-05 07:07:53 -05:00
Jeremy Long
0d2a090e1f Merge pull request #456 from awhitford/Site35 
Upgrade for Maven Site Plugin 3.5
 2016-03-04 17:42:14 -05:00
Jeremy Long
7860d635a9 ensured deserialization is secure 2016-03-04 17:38:48 -05:00
Anthony Whitford
ba91c9fa9b Upgraded maven site plugin to 3.5, and doxia markdown module to 1.7. 2016-02-28 09:34:19 -08:00
Anthony Whitford
b3630e0d5e Upgraded the Fluido 1.5 skin and had to update site head for maven site plugin 3.5. See http://maven.apache.org/plugins/maven-site-plugin/examples/sitedescriptor.html#Inject_xhtml_into_head 2016-02-28 09:33:54 -08:00
Jeremy Long
f752285912 added test for parse manifest per issue #455 2016-02-27 07:14:27 -05:00
Jeremy Long
5a150d9b0e parsed additional entries in the manifest per issue #455 2016-02-27 07:13:57 -05:00
Jeremy Long
f0aa185832 added test dependency per issue #455 2016-02-27 07:12:30 -05:00
Jeremy Long
9592f058d4 add more false positives to the suppression list 2016-02-25 18:01:21 -05:00
Jeremy Long
f630794e22 added warning about site:stage with regards to the aggregate goal 2016-02-24 17:00:31 -05:00
Jeremy Long
93636e89c5 fixed broken hyperlinks 2016-02-23 20:54:24 -05:00
Jeremy Long
585002c25c resolution for issue #386 fixed the conditional so that execution occured on the last non-skipped project in the reactor 2016-02-23 20:42:10 -05:00
Jeremy Long
412ccc1be1 per issue #429 updates will only occur if the database schema and expected schema match exactly 2016-02-21 08:38:29 -05:00
Jeremy Long
8b1306a36c per issue #429 non-h2 databases may be used as long as the database schema is of the same major version and greater then or equal to the expected version. 2016-02-21 08:11:29 -05:00
Jeremy Long
81026e8dca isolate the analyze method to try and resolve multiple threads hitting the Lucene query parsers at the same time per issue #388 2016-02-20 08:18:00 -05:00
Jeremy Long
dd440c8f9f resolve issue #451 2016-02-20 08:12:14 -05:00
Jeremy Long
76f3e4b27e Merge pull request #449 from christiangalsterer/i444 
Support nonProxyHosts parameter in settings.xml #444
 2016-02-17 19:09:41 -05:00
Jeremy Long
5f5d3fdb66 Merge pull request #447 from kaimago/master 
Oracle DB Support
 2016-02-17 19:06:13 -05:00
Jeremy Long
853c92b87d Merge pull request #448 from awhitford/UpgFeb6-16 
Upgraded SLF4J to 1.7.14 and the maven-compiler-plugin to 3.5.
 2016-02-17 19:03:37 -05:00
Anthony Whitford
00080f2abc SLF4J 1.7.16 released; logback 1.1.5 released. 2016-02-15 10:23:07 -08:00
Anthony Whitford
55414208a3 SLF4J 1.7.15 released; maven-compiler-plugin 3.5.1 released. 2016-02-10 00:34:26 -08:00
Christian Galsterer
5091499563 [i444] Support nonProxyHosts parameter in settings.xml 2016-02-09 18:01:36 +01:00
Anthony Whitford
944b54d920 Upgraded SLF4J to 1.7.14 and the maven-compiler-plugin to 3.5. 2016-02-06 12:14:19 -08:00
Christian Galsterer
d023b2b2ff [i444] Support nonProxyHosts parameter in settings.xml 2016-02-06 16:13:01 +01:00
Jeremy Long
b45f9f514b base test case handles settings initialization 2016-02-06 08:40:33 -05:00
Jeremy Long
239a9383e0 fix for issue #446 2016-02-06 08:30:06 -05:00
Jeremy Long
2190c0229c added check to see if the file is xml prior to unzipping it per issue #441 2016-02-06 08:11:24 -05:00
I003306
01ef14dc92 Oracle DB Support 2016-02-04 15:23:57 +01:00
Jeremy Long
7b0784843c updated copyright 2016-01-31 17:23:13 -05:00
Jeremy Long
6fc805369e snapshot version 2016-01-31 17:11:37 -05:00
Jeremy Long
9e29939cd3 version 1.3.4 2016-01-31 16:50:34 -05:00
Jeremy Long
d750abca22 resolved issue with new databases not being created correctly if there was an intial download of the NVD data. 2016-01-31 08:26:23 -05:00
Jeremy Long
31df2fa131 findbugs/checkstyle corrections 2016-01-30 08:57:40 -05:00
Jeremy Long
6355a29a7a updated version to ensure there are no issues in the jenkins plugin per issue #445 2016-01-30 08:07:33 -05:00
Jeremy Long
86a2b38340 Merge pull request #440 from awhitford/DepUpg20160110 
Upgrades
 2016-01-24 08:40:51 -05:00
Jeremy Long
9cb2b58557 initial fix for issue #445 2016-01-24 08:35:44 -05:00
Jeremy Long
2b0e2e8d0d corrected link per issuue #443 2016-01-17 08:08:15 -05:00
Jeremy Long
cf46767196 resolution for issue #439 2016-01-16 07:39:48 -05:00
Anthony Whitford
ffc1034b5a findbugs-maven-plugin 3.0.3 released; JavaMail api 1.5.5 released; jMockit 1.21 released. 2016-01-10 10:01:33 -08:00
Jeremy Long
46bb19de9b supression rules to resolve issues #437 and #438 2016-01-10 07:45:29 -05:00
Jeremy Long
70bc7a6d01 Merge pull request #435 from awhitford/Surefire-2.19.1 
Upgraded Surefire to 2.19.1 release.
 2016-01-10 07:01:08 -05:00
Anthony Whitford
3164505273 Upgraded Surefire to 2.19.1 release. 2016-01-05 08:12:32 -08:00
Jeremy Long
3d84fcd037 resolves issue #433 2016-01-03 09:18:35 -05:00
Jeremy Long
578fa32243 updated to honor noupdate flag for version check and removed some complexity 2016-01-03 09:14:08 -05:00
Jeremy Long
fc00b7d1cc resolves issues #426 2016-01-03 08:51:03 -05:00
Jeremy Long
d7351bd3e5 Merge pull request #432 from awhitford/CodeTweaks20151228 
Code tweaks 2015-12-28
 2016-01-03 08:33:16 -05:00
Anthony Whitford
e7224c8f05 StringBuilder allocation more precise. 2015-12-31 09:25:44 -08:00
Anthony Whitford
b97622f45b Variables may be final. 2015-12-28 13:15:24 -08:00
Anthony Whitford
0e15f3b703 Add missing final keyword to local variables. 2015-12-28 13:14:31 -08:00
Anthony Whitford
6604c0da89 Default StringBuilder size should be larger than default 16. 2015-12-28 13:14:04 -08:00
Anthony Whitford
e0b8be20b3 Variable suppressionRules may be final. 2015-12-28 13:13:33 -08:00
Anthony Whitford
46965d8c96 Iterable does not need qualifying, and collection may be final. 2015-12-28 13:13:00 -08:00
Anthony Whitford
66e92f00ee Variable may be final. 2015-12-28 13:12:10 -08:00
Anthony Whitford
4a137b4e8e Use StringBuilder instead of String += concatenation. 2015-12-28 13:11:36 -08:00
Anthony Whitford
9d5ff28098 Variables can be final and the exception was unused so can be removed. 2015-12-28 13:10:37 -08:00
Anthony Whitford
313b114da5 Variables can be final. 2015-12-28 13:09:17 -08:00
Anthony Whitford
1b6bfc6338 Variables can be final. 2015-12-28 13:08:37 -08:00
Anthony Whitford
49fd89f34a Let's use logging parameters for lazy evaluation. 2015-12-28 13:07:34 -08:00
Anthony Whitford
a2e862886e Rather than an explicit StringBuilder, why not simply an implicit one? 2015-12-28 13:06:44 -08:00
Anthony Whitford
62f6c7c5a9 Rather than using instanceOf, just add a specific catch for AnalysisException. 2015-12-28 13:05:45 -08:00
Jeremy Long
2294ed1ce1 Merge pull request #430 from awhitford/PluginUpdates20151227 
Plugin updates
 2015-12-28 06:12:54 -05:00
Jeremy Long
c8a1c6a318 fixed issue #431 - missing dependency 2015-12-28 06:11:57 -05:00
Anthony Whitford
600ed66d5b maven-clean-plugin 3.0.0 released; maven-source-plugin 2.4 released; maven-javadoc-plugin 2.10.3 released. 2015-12-27 11:45:52 -08:00
Jeremy Long
512b17555c updated documentation for encrypted passwords per issue #417 2015-12-26 12:55:41 -05:00
Jeremy Long
dc7849c9e8 added support for encrypted passwords per issue #417 2015-12-26 07:13:40 -05:00
Jeremy Long
6a99a51b91 Merge pull request #425 from awhitford/PluginUpdate20151220 
maven-pmd-plugin 3.6 released.
 2015-12-25 07:07:22 -05:00
Anthony Whitford
8c7fa022a0 maven-pmd-plugin 3.6 released. 2015-12-20 10:10:55 -08:00
Jeremy Long
cca694a580 logs from issue #138 indicate multiple modules are calling a non-threadsafe operation; as such, the mojo is being marked as threadSafe=false 2015-12-18 06:36:14 -05:00
Jeremy Long
3a7f95b9b1 spelling correction 2015-12-18 06:28:11 -05:00
Jeremy Long
3a84dc3962 fixed casing per issue #418 2015-12-18 06:05:01 -05:00
Jeremy Long
5961a96a4c Merge pull request #424 from amandel/patch-1 
Fix casing of properties table name.
 2015-12-18 05:55:04 -05:00
Jeremy Long
a22382505f Merge pull request #420 from awhitford/Issue419 
Issue #419 - Avoiding a duplicate CPE Index Created message
 2015-12-18 05:51:26 -05:00
Jeremy Long
5faef75415 Merge pull request #422 from edgedalmacio/patch-1 
added tomcat suppressions
 2015-12-18 05:49:16 -05:00
Jeremy Long
fed60907dc snapshot version 2015-12-18 05:48:37 -05:00
Andreas Mandel
ce7e360b70 If casing of properties table name. 2015-12-17 14:06:16 +01:00
Edge Dalmacio
0b3def38b8 added tomcat suppressions 
tomcat-embed-el
tomcat-jdbc
tomcat-juli
 2015-12-17 15:27:17 +08:00
Anthony Whitford
25a15dea8c Issue #419 - Avoiding a duplicate CPE Index Created message and resource leak. 2015-12-14 00:52:48 -08:00
Jeremy Long
e204971a6c version 1.3.3 2015-12-10 19:44:38 -05:00
Jeremy Long
d5b3a118bc minor site tweaks 2015-12-10 19:44:26 -05:00
Jeremy Long
3396cb2887 fix for issue #416 2015-12-10 18:33:31 -05:00
Jeremy Long
3c5beea218 1.3.3-SNAPSHOT 2015-12-02 09:17:28 -05:00
Jeremy Long
e544384dd5 1.3.3-SNAPSHOT 2015-12-02 05:46:28 -05:00
Jeremy Long
0e90f460f4 reverted change, using the undocumented SERIALIZED file lock mode 2015-12-02 05:46:06 -05:00
Jeremy Long
921efc4d2b updated documentation 2015-11-30 06:50:15 -05:00
105 changed files with 1622 additions and 652 deletions
Expand all files Collapse all files

4
README.md
View File

@@ -108,7 +108,7 @@ Archive: [google group](https://groups.google.com/forum/#!forum/dependency-check
Copyright & License
-
Dependency-Check is Copyright (c) 2012-2015 Jeremy Long. All Rights Reserved.
Dependency-Check is Copyright (c) 2012-2016 Jeremy Long. All Rights Reserved.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.
@@ -118,4 +118,4 @@ Dependency-Check makes use of several other open source libraries. Please see th
[wiki]: https://github.com/jeremylong/DependencyCheck/wiki
[subscribe]: mailto:dependency-check+subscribe@googlegroups.com
[post]: mailto:dependency-check@googlegroups.com
[notices]: https://github.com/jeremylong/DependencyCheck/blob/master/NOTICES.txt
[notices]: https://github.com/jeremylong/DependencyCheck/blob/master/NOTICE.txt

139
dependency-check-ant/README.md
View File

@@ -1,134 +1,25 @@
Dependency-Check-Gradle
Dependency-Check Ant Task
=========
**Working in progress**
Dependency-Check Ant Task can be used to check the project dependencies for published security vulnerabilities. The checks
performed are a "best effort" and as such, there could be false positives as well as false negatives. However,
vulnerabilities in 3rd party components is a well-known problem and is currently documented in the 2013 OWASP
Top 10 as [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities).
This is a DependencyCheck gradle plugin designed for project which use Gradle as build script.
Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-ant/index.html).
Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
Mailing List
------------
=========
Subscribe: [dependency-check+subscribe@googlegroups.com](mailto:dependency-check+subscribe@googlegroups.com)
## What's New
Current latest version is `0.0.8`
Post: [dependency-check@googlegroups.com](mailto:dependency-check@googlegroups.com)
## Usage
Copyright & License
-------------------
### Step 1, Apply dependency check gradle plugin
Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved.
Install from Maven central repo
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.
```groovy
buildscript {
repositories {
mavenCentral()
}
dependencies {
classpath 'org.owasp:dependency-check-gradle:1.3.2'
}
}
apply plugin: 'dependency-check-gradle'
```
### Step 2, Run gradle task
Once gradle plugin applied, run following gradle task to check dependencies:
```
gradle dependencyCheck --info
```
The reports will be generated automatically under `./reports` folder.
If your project includes multiple sub-projects, the report will be generated for each sub-project in different sub-directory.
## FAQ
> **Questions List:**
> - What if I'm behind a proxy?
> - What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project?
> - How to customize the report directory?
### What if I'm behind a proxy?
Maybe you have to use proxy to access internet, in this case, you could configure proxy settings for this plugin:
```groovy
dependencyCheck {
proxy {
server = "127.0.0.1" // required, the server name or IP address of the proxy
port = 3128 // required, the port number of the proxy
// optional, the proxy server might require username
// username = "username"
// optional, the proxy server might require password
// password = "password"
}
}
```
In addition, if the proxy only allow HTTP `GET` or `POST` methods, you will find that the update process will always fail,
the root cause is that every time you run `dependencyCheck` task, it will try to query the latest timestamp to determine whether need to perform an update action,
and for performance reason the HTTP method it uses by default is `HEAD`, which probably is disabled or not supported by the proxy. To avoid this problem, you can simply change the HTTP method by below configuration:
```groovy
dependencyCheck {
quickQueryTimestamp = false // when set to false, it means use HTTP GET method to query timestamp. (default value is true)
}
```
### What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project?
Try put 'apply plugin: "dependency-check"' inside the 'allprojects' or 'subprojects' if you'd like to check all sub-projects only, see below:
(1) For all projects including root project:
```groovy
buildscript {
repositories {
mavenCentral()
}
dependencies {
classpath "gradle.plugin.com.tools.security:dependency-check:0.0.8"
}
}
allprojects {
apply plugin: "dependency-check"
}
```
(2) For all sub-projects:
```groovy
buildscript {
repositories {
mavenCentral()
}
dependencies {
classpath "gradle.plugin.com.tools.security:dependency-check:0.0.8"
}
}
subprojects {
apply plugin: "dependency-check"
}
```
In this way, the dependency check will be executed for all projects (including root project) or just sub projects.
### How to customize the report directory?
By default, all reports will be placed under `./reports` folder, to change the default directory, just modify it in the configuration section like this:
```groovy
subprojects {
apply plugin: "dependency-check"
dependencyCheck {
outputDirectory = "./customized-path/security-report"
}
}
```
Dependency-Check-Ant makes use of other open source libraries. Please see the [NOTICE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/dependency-check-ant/NOTICE.txt) file for more information.

3
dependency-check-ant/pom.xml
View File

@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.3.2</version>
<version>1.3.6</version>
</parent>
<artifactId>dependency-check-ant</artifactId>
@@ -256,6 +256,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<configuration>
<argLine>-Dfile.encoding=UTF-8</argLine>
<systemProperties>
<property>
<name>data.directory</name>

2
dependency-check-ant/src/main/java/org/slf4j/impl/StaticLoggerBinder.java
View File

@@ -23,7 +23,7 @@ import org.slf4j.ILoggerFactory;
import org.slf4j.spi.LoggerFactoryBinder;
/**
* The binding of {@link LoggerFactory} class with an actual instance of {@link ILoggerFactory} is performed using information
* The binding of org.slf4j.LoggerFactory class with an actual instance of org.slf4j.ILoggerFactory is performed using information
* returned by this class.
*
* @author colezlaw

2
dependency-check-ant/src/main/resources/task.properties
View File

@@ -1,2 +1,2 @@
# the path to the data directory
data.directory=data
data.directory=data/3.0

2
dependency-check-ant/src/site/site.xml
View File

@@ -27,7 +27,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<item name="dependency-check" href="../index.html"/>
</breadcrumbs>
<menu name="Getting Started">
<item name="Installation" href="installation.html"/>
<item name="Installation" href="index.html"/>
<item name="Configuration" href="configuration.html"/>
</menu>
<menu ref="reports" />

2
dependency-check-cli/README.md
View File

@@ -5,7 +5,7 @@ performed are a "best effort" and as such, there could be false positives as wel
vulnerabilities in 3rd party components is a well-known problem and is currently documented in the 2013 OWASP
Top 10 as [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities).
Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-cli/installation.html).
Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html).
Mailing List
------------

3
dependency-check-cli/pom.xml
View File

@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.3.2</version>
<version>1.3.6</version>
</parent>
<artifactId>dependency-check-cli</artifactId>
@@ -110,6 +110,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<configuration>
<argLine>-Dfile.encoding=UTF-8</argLine>
<systemProperties>
<property>
<name>cpe</name>

1
dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
View File

@@ -27,7 +27,6 @@ import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.apache.commons.cli.ParseException;
import org.apache.commons.lang.StringUtils;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;

3
dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
View File

@@ -344,7 +344,7 @@ public final class CliParser {
final Option pathToMono = Option.builder().argName("path").hasArg().longOpt(ARGUMENT.PATH_TO_MONO)
.desc("The path to Mono for .NET Assembly analysis on non-windows systems.")
.build();
final Option pathToBundleAudit = Option.builder().argName("path").hasArg()
.longOpt(ARGUMENT.PATH_TO_BUNDLE_AUDIT)
.desc("The path to bundle-audit for Gem bundle analysis.").build();
@@ -576,7 +576,6 @@ public final class CliParser {
return (line != null) && line.hasOption(ARGUMENT.DISABLE_BUNDLE_AUDIT);
}
/**
* Returns true if the disablePyDist command line argument was specified.
*

10
dependency-check-core/pom.xml
View File

@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.3.2</version>
<version>1.3.6</version>
</parent>
<artifactId>dependency-check-core</artifactId>
@@ -178,6 +178,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<configuration>
<argLine>-Dfile.encoding=UTF-8</argLine>
<systemProperties>
<property>
<name>data.directory</name>
@@ -454,6 +455,13 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<scope>test</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>xalan</groupId>
<artifactId>xalan</artifactId>
<version>2.7.0</version>
<scope>test</scope>
<optional>true</optional>
</dependency>
</dependencies>
<profiles>
<profile>

4
dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java
View File

@@ -41,7 +41,7 @@ import org.slf4j.LoggerFactory;
*
* <h2>Example:</h2>
* <pre>
* List<Dependency> dependencies = new ArrayList<Dependency>();
* List&lt;Dependency&gt; dependencies = new ArrayList&lt;Dependency&gt;();
* Dependency dependency = new Dependency(new File(FileUtils.getBitBucket()));
* dependency.getProductEvidence().addEvidence("my-datasource", "name", "Jetty", Confidence.HIGH);
* dependency.getVersionEvidence().addEvidence("my-datasource", "version", "5.1.10", Confidence.HIGH);
@@ -55,7 +55,7 @@ import org.slf4j.LoggerFactory;
* scan.execute();
* </pre>
*
* @author Steve Springett <steve.springett@owasp.org>
* @author Steve Springett
*/
@SuppressWarnings("unused")
public class DependencyCheckScanAgent {

6
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java
View File

@@ -104,12 +104,11 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
* <p>
* Returns the {@link java.io.FileFilter} used to determine which files are to be analyzed. An example would be an analyzer
* that inspected Java jar files. Implementors may use {@link org.owasp.dependencycheck.utils.FileFilterBuilder}.</p>
*
* @return the file filter used to determine which files are to be analyzed
* <p/>
* <p>
* If the analyzer returns null it will not cause additional files to be analyzed, but will be executed against every file
* loaded.</p>
*
* @return the file filter used to determine which files are to be analyzed
*/
protected abstract FileFilter getFileFilter();
@@ -205,7 +204,6 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
* <p>
* Utility method to help in the creation of the extensions set. This constructs a new Set that can be used in a final static
* declaration.</p>
* <p/>
* <p>
* This implementation was copied from
* http://stackoverflow.com/questions/2041778/initialize-java-hashset-values-by-construction</p>

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java
View File

@@ -29,7 +29,7 @@ public enum AnalysisPhase {
*/
INITIAL,
/**
* Pre information collection phase
* Pre information collection phase.
*/
PRE_INFORMATION_COLLECTION,
/**

16
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
View File

@@ -235,16 +235,14 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
this.setEnabled(false);
throw new AnalysisException("Could not execute .NET AssemblyAnalyzer");
}
} catch (AnalysisException e) {
throw e;
} catch (Throwable e) {
if (e instanceof AnalysisException) {
throw (AnalysisException) e;
} else {
LOGGER.warn("An error occurred with the .NET AssemblyAnalyzer;\n"
+ "this can be ignored unless you are scanning .NET DLLs. Please see the log for more details.");
LOGGER.debug("Could not execute GrokAssembly {}", e.getMessage());
this.setEnabled(false);
throw new AnalysisException("An error occured with the .NET AssemblyAnalyzer", e);
}
LOGGER.warn("An error occurred with the .NET AssemblyAnalyzer;\n"
+ "this can be ignored unless you are scanning .NET DLLs. Please see the log for more details.");
LOGGER.debug("Could not execute GrokAssembly {}", e.getMessage());
this.setEnabled(false);
throw new AnalysisException("An error occurred with the .NET AssemblyAnalyzer", e);
}
builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
}

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java
View File

@@ -39,7 +39,7 @@ import java.util.regex.Pattern;
* Used to analyze Autoconf input files named configure.ac or configure.in. Files simply named "configure" are also analyzed,
* assuming they are generated by Autoconf, and contain certain special package descriptor variables.
*
* @author Dale Visser <dvisser@ida.org>
* @author Dale Visser
* @see <a href="https://www.gnu.org/software/autoconf/">Autoconf - GNU Project - Free Software Foundation (FSF)</a>
*/
public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {

13
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
View File

@@ -32,6 +32,7 @@ import org.slf4j.LoggerFactory;
import java.io.File;
import java.io.FileFilter;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.regex.Matcher;
@@ -40,14 +41,13 @@ import java.util.regex.Pattern;
/**
* <p>
* Used to analyze CMake build files, and collect information that can be used to determine the associated CPE.</p>
* <p/>
* <p>
* Note: This analyzer catches straightforward invocations of the project command, plus some other observed patterns of version
* inclusion in real CMake projects. Many projects make use of older versions of CMake and/or use custom "homebrew" ways to insert
* version information. Hopefully as the newer CMake call pattern grows in usage, this analyzer allow more CPEs to be
* identified.</p>
*
* @author Dale Visser <dvisser@ida.org>
* @author Dale Visser
*/
public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
@@ -212,8 +212,13 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
final String filePath = String.format("%s:%s", dependency.getFilePath(), product);
currentDep.setFilePath(filePath);
// prevents coalescing into the dependency provided by engine
currentDep.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes())));
byte[] path;
try {
path = filePath.getBytes("UTF-8");
} catch (UnsupportedEncodingException ex) {
path = filePath.getBytes();
}
currentDep.setSha1sum(Checksum.getHex(sha1.digest(path)));
engine.getDependencies().add(currentDep);
}
final String source = currentDep.getDisplayFileName();

30
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
View File

@@ -134,17 +134,19 @@ public class CPEAnalyzer implements Analyzer {
* process.
*/
public void open() throws IOException, DatabaseException {
cve = new CveDB();
cve.open();
cpe = CpeMemoryIndex.getInstance();
try {
LOGGER.info("Creating the CPE Index");
final long creationStart = System.currentTimeMillis();
cpe.open(cve);
LOGGER.info("CPE Index Created ({} ms)", System.currentTimeMillis() - creationStart);
} catch (IndexException ex) {
LOGGER.debug("IndexException", ex);
throw new DatabaseException(ex);
if (!isOpen()) {
cve = new CveDB();
cve.open();
cpe = CpeMemoryIndex.getInstance();
try {
LOGGER.info("Creating the CPE Index");
final long creationStart = System.currentTimeMillis();
cpe.open(cve);
LOGGER.info("CPE Index Created ({} ms)", System.currentTimeMillis() - creationStart);
} catch (IndexException ex) {
LOGGER.debug("IndexException", ex);
throw new DatabaseException(ex);
}
}
}
@@ -284,10 +286,10 @@ public class CPEAnalyzer implements Analyzer {
}
return ret;
} catch (ParseException ex) {
LOGGER.warn("An error occured querying the CPE data. See the log for more details.");
LOGGER.warn("An error occurred querying the CPE data. See the log for more details.");
LOGGER.info("Unable to parse: {}", searchString, ex);
} catch (IOException ex) {
LOGGER.warn("An error occured reading CPE data. See the log for more details.");
LOGGER.warn("An error occurred reading CPE data. See the log for more details.");
LOGGER.info("IO Error with search string: {}", searchString, ex);
}
return null;
@@ -479,7 +481,7 @@ public class CPEAnalyzer implements Analyzer {
* @throws AnalysisException is thrown if there is an issue analyzing the dependency.
*/
@Override
public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
public synchronized void analyze(Dependency dependency, Engine engine) throws AnalysisException {
try {
determineCPE(dependency);
} catch (CorruptIndexException ex) {

16
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
View File

@@ -44,27 +44,27 @@ import java.security.MessageDigest;
public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
/**
* The logger
* The logger.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(ComposerLockAnalyzer.class);
/**
* The analyzer name
* The analyzer name.
*/
private static final String ANALYZER_NAME = "Composer.lock analyzer";
/**
* composer.json
* composer.json.
*/
private static final String COMPOSER_LOCK = "composer.lock";
/**
* The FileFilter
* The FileFilter.
*/
private static final FileFilter FILE_FILTER = FileFilterBuilder.newInstance().addFilenames(COMPOSER_LOCK).build();
/**
* Returns the FileFilter
* Returns the FileFilter.
*
* @return the FileFilter
*/
@@ -74,9 +74,9 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
* Initializes the analyzer
* Initializes the analyzer.
*
* @throws Exception
* @throws Exception thrown if an exception occurs getting an instance of SHA1
*/
@Override
protected void initializeFileTypeAnalyzer() throws Exception {
@@ -84,7 +84,7 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
* The MessageDigest for calculating a new digest for the new dependencies added
* The MessageDigest for calculating a new digest for the new dependencies added.
*/
private MessageDigest sha1 = null;

11
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java
View File

@@ -18,7 +18,9 @@
package org.owasp.dependencycheck.analyzer;
import java.io.File;
import org.apache.commons.io.FilenameUtils;
import org.apache.commons.io.filefilter.NameFileFilter;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Confidence;
@@ -65,6 +67,13 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
}
//</editor-fold>
// Python init files
private static final NameFileFilter IGNORED_FILES = new NameFileFilter(new String[] {
"__init__.py",
"__init__.pyc",
"__init__.pyo"
});
/**
* Collects information about the file name.
*
@@ -102,7 +111,7 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
fileName, Confidence.HIGHEST);
dependency.getVendorEvidence().addEvidence("file", "name",
fileName, Confidence.HIGHEST);
} else {
} else if (!IGNORED_FILES.accept(f)) {
dependency.getProductEvidence().addEvidence("file", "name",
fileName, Confidence.HIGH);
dependency.getVendorEvidence().addEvidence("file", "name",

52
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
View File

@@ -29,6 +29,7 @@ import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
@@ -320,7 +321,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
foundSomething |= setPomEvidence(dependency, pom, classes);
}
} catch (AnalysisException ex) {
LOGGER.warn("An error occured while analyzing '{}'.", dependency.getActualFilePath());
LOGGER.warn("An error occurred while analyzing '{}'.", dependency.getActualFilePath());
LOGGER.trace("", ex);
}
}
@@ -627,9 +628,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
JarFile jar = null;
try {
jar = new JarFile(dependency.getActualFilePath());
final Manifest manifest = jar.getManifest();
if (manifest == null) {
//don't log this for javadoc or sources jar files
if (!dependency.getFileName().toLowerCase().endsWith("-sources.jar")
@@ -641,17 +640,15 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
return false;
}
final Attributes atts = manifest.getMainAttributes();
final EvidenceCollection vendorEvidence = dependency.getVendorEvidence();
final EvidenceCollection productEvidence = dependency.getProductEvidence();
final EvidenceCollection versionEvidence = dependency.getVersionEvidence();
final String source = "Manifest";
String source = "Manifest";
String specificationVersion = null;
boolean hasImplementationVersion = false;
Attributes atts = manifest.getMainAttributes();
for (Entry<Object, Object> entry : atts.entrySet()) {
String key = entry.getKey().toString();
String value = atts.getValue(key);
@@ -707,7 +704,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
// addMatchingValues(classInformation, value, productEvidence);
} else {
key = key.toLowerCase();
if (!IGNORE_KEYS.contains(key)
&& !key.endsWith("jdk")
&& !key.contains("lastmodified")
@@ -723,8 +719,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
foundSomething = true;
if (key.contains("version")) {
if (!key.contains("specification")) {
//versionEvidence.addEvidence(source, key, value, Confidence.LOW);
//} else {
versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
}
} else if ("build-id".equals(key)) {
@@ -776,9 +770,36 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
}
}
final Map<String, Attributes> entries = manifest.getEntries();
for (Iterator<String> it = entries.keySet().iterator(); it.hasNext();) {
final String name = it.next();
source = "manifest: " + name;
atts = entries.get(name);
for (Entry<Object, Object> entry : atts.entrySet()) {
final String key = entry.getKey().toString();
final String value = atts.getValue(key);
if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_TITLE.toString())) {
foundSomething = true;
productEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
addMatchingValues(classInformation, value, productEvidence);
} else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VERSION.toString())) {
foundSomething = true;
versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
} else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VENDOR.toString())) {
foundSomething = true;
vendorEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
addMatchingValues(classInformation, value, vendorEvidence);
} else if (key.equalsIgnoreCase(Attributes.Name.SPECIFICATION_TITLE.toString())) {
foundSomething = true;
productEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
addMatchingValues(classInformation, value, productEvidence);
}
}
}
if (specificationVersion != null && !hasImplementationVersion) {
foundSomething = true;
versionEvidence.addEvidence(source, "specificationn-version", specificationVersion, Confidence.HIGH);
versionEvidence.addEvidence(source, "specification-version", specificationVersion, Confidence.HIGH);
}
} finally {
if (jar != null) {
@@ -835,10 +856,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
if (pos > 0) {
final StringBuilder sb = new StringBuilder(pos + 3);
sb.append(desc.substring(0, pos));
sb.append("...");
desc = sb.toString();
desc = desc.substring(0, pos) + "...";
}
dependency.getProductEvidence().addEvidence(source, key, desc, Confidence.LOW);
dependency.getVendorEvidence().addEvidence(source, key, desc, Confidence.LOW);
@@ -1014,7 +1032,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
final String text = value.toLowerCase();
for (ClassNameInformation cni : classes) {
for (String key : cni.getPackageStructure()) {
if (text.contains(key)) { //note, package structure elements are already lowercase.
final Pattern p = Pattern.compile("\b" + key + "\b");
if (p.matcher(text).find()) {
//if (text.contains(key)) { //note, package structure elements are already lowercase.
evidence.addEvidence("jar", "package name", key, Confidence.HIGHEST);
}
}

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
View File

@@ -43,7 +43,7 @@ import javax.json.JsonValue;
* Used to analyze Node Package Manager (npm) package.json files, and collect information that can be used to determine the
* associated CPE.
*
* @author Dale Visser <dvisser@ida.org>
* @author Dale Visser
*/
public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java
View File

@@ -34,7 +34,7 @@ import java.util.regex.Pattern;
/**
* Used to analyze OpenSSL source code present in the file system.
*
* @author Dale Visser <dvisser@ida.org>
* @author Dale Visser
*/
public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
View File

@@ -48,7 +48,7 @@ import org.owasp.dependencycheck.utils.UrlStringUtils;
* Used to analyze a Wheel or egg distribution files, or their contents in unzipped form, and collect information that can be used
* to determine the associated CPE.
*
* @author Dale Visser <dvisser@ida.org>
* @author Dale Visser
*/
public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {

4
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java
View File

@@ -40,7 +40,7 @@ import java.util.regex.Pattern;
/**
* Used to analyze a Python package, and collect information that can be used to determine the associated CPE.
*
* @author Dale Visser <dvisser@ida.org>
* @author Dale Visser
*/
public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
@@ -185,7 +185,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
if (found) {
dependency.setDisplayFileName(parentName + "/__init__.py");
dependency.getProductEvidence().addEvidence(file.getName(),
"PackageName", parentName, Confidence.MEDIUM);
"PackageName", parentName, Confidence.HIGH);
} else {
// copy, alter and set in case some other thread is iterating over
final List<Dependency> dependencies = new ArrayList<Dependency>(

34
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
View File

@@ -35,7 +35,7 @@ import java.util.*;
/**
* Used to analyze Ruby Bundler Gemspec.lock files utilizing the 3rd party bundle-audit tool.
*
* @author Dale Visser <dvisser@ida.org>
* @author Dale Visser
*/
public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
@@ -51,8 +51,8 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
*/
private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_INFORMATION_COLLECTION;
private static final FileFilter FILTER =
FileFilterBuilder.newInstance().addFilenames("Gemfile.lock").build();
private static final FileFilter FILTER
= FileFilterBuilder.newInstance().addFilenames("Gemfile.lock").build();
public static final String NAME = "Name: ";
public static final String VERSION = "Version: ";
public static final String ADVISORY = "Advisory: ";
@@ -83,6 +83,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
final ProcessBuilder builder = new ProcessBuilder(args);
builder.directory(folder);
try {
LOGGER.info("Launching: " + args + " from " + folder);
return builder.start();
} catch (IOException ioe) {
throw new AnalysisException("bundle-audit failure", ioe);
@@ -97,7 +98,16 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
@Override
public void initializeFileTypeAnalyzer() throws Exception {
// Now, need to see if bundle-audit actually runs from this location.
Process process = launchBundleAudit(Settings.getTempDirectory());
Process process = null;
try {
process = launchBundleAudit(Settings.getTempDirectory());
}
catch(AnalysisException ae) {
LOGGER.warn("Exception from bundle-audit process: {}. Disabling {}", ae.getCause(), ANALYZER_NAME);
setEnabled(false);
throw ae;
}
int exitValue = process.waitFor();
if (0 == exitValue) {
LOGGER.warn("Unexpected exit code from bundle-audit process. Disabling {}: {}", ANALYZER_NAME, exitValue);
@@ -113,7 +123,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
throw new AnalysisException("Bundle-audit error stream unexpectedly not ready.");
} else {
final String line = reader.readLine();
if (!line.contains("Errno::ENOENT")) {
if (line == null || !line.contains("Errno::ENOENT")) {
LOGGER.warn("Unexpected bundle-audit output. Disabling {}: {}", ANALYZER_NAME, line);
setEnabled(false);
throw new AnalysisException("Unexpected bundle-audit output.");
@@ -125,9 +135,10 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
}
}
}
if (isEnabled()) {
LOGGER.info(ANALYZER_NAME + " is enabled. It is necessary to manually run \"bundle-audit update\" " +
"occasionally to keep its database up to date.");
LOGGER.info(ANALYZER_NAME + " is enabled. It is necessary to manually run \"bundle-audit update\" "
+ "occasionally to keep its database up to date.");
}
}
@@ -162,8 +173,8 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
* If {@link #analyzeFileType(Dependency, Engine)} is called, then we have successfully initialized, and it will
* be necessary to disable {@link RubyGemspecAnalyzer}.
* If {@link #analyzeFileType(Dependency, Engine)} is called, then we have successfully initialized, and it will be necessary
* to disable {@link RubyGemspecAnalyzer}.
*/
private boolean needToDisableGemspecAnalyzer = true;
@@ -194,6 +205,11 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
}
BufferedReader rdr = null;
try {
BufferedReader errReader = new BufferedReader(new InputStreamReader(process.getErrorStream(), "UTF-8"));
while(errReader.ready()) {
String error = errReader.readLine();
LOGGER.warn(error);
}
rdr = new BufferedReader(new InputStreamReader(process.getInputStream(), "UTF-8"));
processBundlerAuditOutput(dependency, engine, rdr);
} catch (IOException ioe) {

18
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java
View File

@@ -32,10 +32,10 @@ import java.util.regex.Matcher;
import java.util.regex.Pattern;
/**
* Used to analyze Ruby Gem specifications and collect information that can be used to determine the associated CPE.
* Regular expressions are used to parse the well-defined Ruby syntax that forms the specification.
* Used to analyze Ruby Gem specifications and collect information that can be used to determine the associated CPE. Regular
* expressions are used to parse the well-defined Ruby syntax that forms the specification.
*
* @author Dale Visser <dvisser@ida.org>
* @author Dale Visser
*/
public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
@@ -51,8 +51,8 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
private static final String GEMSPEC = "gemspec";
private static final FileFilter FILTER =
FileFilterBuilder.newInstance().addExtensions(GEMSPEC).addFilenames("Rakefile").build();
private static final FileFilter FILTER
= FileFilterBuilder.newInstance().addExtensions(GEMSPEC).addFilenames("Rakefile").build();
private static final String EMAIL = "email";
@@ -102,8 +102,8 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
/**
* The capture group #1 is the block variable.
*/
private static final Pattern GEMSPEC_BLOCK_INIT =
Pattern.compile("Gem::Specification\\.new\\s+?do\\s+?\\|(.+?)\\|");
private static final Pattern GEMSPEC_BLOCK_INIT
= Pattern.compile("Gem::Specification\\.new\\s+?do\\s+?\\|(.+?)\\|");
@Override
protected void analyzeFileType(Dependency dependency, Engine engine)
@@ -138,7 +138,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
}
private void addListEvidence(EvidenceCollection evidences, String contents,
String blockVariable, String field, Confidence confidence) {
String blockVariable, String field, Confidence confidence) {
final Matcher matcher = Pattern.compile(
String.format("\\s+?%s\\.%s\\s*?=\\s*?\\[(.*?)\\]", blockVariable, field)).matcher(contents);
if (matcher.find()) {
@@ -148,7 +148,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
}
private String addStringEvidence(EvidenceCollection evidences, String contents,
String blockVariable, String field, Confidence confidence) {
String blockVariable, String field, Confidence confidence) {
final Matcher matcher = Pattern.compile(
String.format("\\s+?%s\\.%s\\s*?=\\s*?(['\"])(.*?)\\1", blockVariable, field)).matcher(contents);
String value = "";

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/package-info.java
View File

@@ -1,6 +1,6 @@
/**
*
* Contains classes related to searching Maven Central.<br/><br/>
* Contains classes related to searching Maven Central.<br><br>
*
* These are used to abstract Maven Central searching away from OWASP Dependency Check so they can be reused elsewhere.
*/

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweHandler.java
View File

@@ -37,7 +37,7 @@ public class CweHandler extends DefaultHandler {
/**
* Returns the HashMap of CWE entries (CWE-ID, Full CWE Name).
*
* @return a HashMap of CWE entries <String, String>
* @return a HashMap of CWE entries &lt;String, String&gt;
*/
public HashMap<String, String> getCwe() {
return cwe;

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilter.java
View File

@@ -27,7 +27,7 @@ import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
* <p>
* Takes a TokenStream and adds additional tokens by concatenating pairs of words.</p>
* <p>
* <b>Example:</b> "Spring Framework Core" -> "Spring SpringFramework Framework FrameworkCore Core".</p>
* <b>Example:</b> "Spring Framework Core" -&gt; "Spring SpringFramework Framework FrameworkCore Core".</p>
*
* @author Jeremy Long
*/

8
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilter.java
View File

@@ -31,15 +31,17 @@ import org.slf4j.LoggerFactory;
* <p>
* Takes a TokenStream and splits or adds tokens to correctly index version numbers.</p>
* <p>
* <b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE 3.0.0.RELEASE".</p>
* <b>Example:</b> "3.0.0.RELEASE" -&gt; "3 3.0 3.0.0 RELEASE 3.0.0.RELEASE".</p>
*
* @author Jeremy Long
*/
public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
/**
* The logger.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(UrlTokenizingFilter.class);
/**
* Constructs a new VersionTokenizingFilter.
*
@@ -50,8 +52,8 @@ public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
}
/**
* Increments the underlying TokenStream and sets CharTermAttributes to construct an expanded set of tokens by
* concatenating tokens with the previous token.
* Increments the underlying TokenStream and sets CharTermAttributes to construct an expanded set of tokens by concatenating
* tokens with the previous token.
*
* @return whether or not we have hit the end of the TokenStream
* @throws IOException is thrown when an IOException occurs

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/package-info.java
View File

@@ -1,5 +1,5 @@
/**
* Contains classes related to searching a Nexus repository.<br/><br/>
* Contains classes related to searching a Nexus repository.<br><br>
*
* These are used to abstract Nexus searching away from OWASP Dependency Check so they can be reused elsewhere.
*/

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/package-info.java
View File

@@ -1,5 +1,5 @@
/**
* Contains classes related to parsing Nuget related files<br/><br/>
* Contains classes related to parsing Nuget related files<br><br>
* These are used to abstract away Nuget-related handling from Dependency Check so they can be used elsewhere.
*/
package org.owasp.dependencycheck.data.nuget;

38
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java
View File

@@ -276,10 +276,13 @@ public final class ConnectionFactory {
* execute it against the database. The upgrade script must update the 'version' in the properties table.
*
* @param conn the database connection object
* @param schema the current schema version that is being upgraded
* @param appExpectedVersion the schema version that the application expects
* @param currentDbVersion the current schema version of the database
* @throws DatabaseException thrown if there is an exception upgrading the database schema
*/
private static void updateSchema(Connection conn, String schema) throws DatabaseException {
private static void updateSchema(Connection conn, DependencyVersion appExpectedVersion, DependencyVersion currentDbVersion)
throws DatabaseException {
final String databaseProductName;
try {
databaseProductName = conn.getMetaData().getDatabaseProductName();
@@ -291,7 +294,7 @@ public final class ConnectionFactory {
InputStream is = null;
String updateFile = null;
try {
updateFile = String.format(DB_STRUCTURE_UPDATE_RESOURCE, schema);
updateFile = String.format(DB_STRUCTURE_UPDATE_RESOURCE, currentDbVersion.toString());
is = ConnectionFactory.class.getClassLoader().getResourceAsStream(updateFile);
if (is == null) {
throw new DatabaseException(String.format("Unable to load update file '%s'", updateFile));
@@ -303,7 +306,8 @@ public final class ConnectionFactory {
statement = conn.createStatement();
final boolean success = statement.execute(dbStructureUpdate);
if (!success && statement.getUpdateCount() <= 0) {
throw new DatabaseException(String.format("Unable to upgrade the database schema to %s", schema));
throw new DatabaseException(String.format("Unable to upgrade the database schema to %s",
currentDbVersion.toString()));
}
} catch (SQLException ex) {
LOGGER.debug("", ex);
@@ -318,8 +322,20 @@ public final class ConnectionFactory {
IOUtils.closeQuietly(is);
}
} else {
LOGGER.error("The database schema must be upgraded to use this version of dependency-check. Please see {} for more information.", UPGRADE_HELP_URL);
throw new DatabaseException("Database schema is out of date");
final int e0 = Integer.parseInt(appExpectedVersion.getVersionParts().get(0));
final int c0 = Integer.parseInt(currentDbVersion.getVersionParts().get(0));
final int e1 = Integer.parseInt(appExpectedVersion.getVersionParts().get(1));
final int c1 = Integer.parseInt(currentDbVersion.getVersionParts().get(1));
if (e0 == c0 && e1 < c1) {
LOGGER.warn("A new version of dependency-check is available; consider upgrading");
Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
} else if (e0 == c0 && e1 == c1) {
//do nothing - not sure how we got here, but just incase...
} else {
LOGGER.error("The database schema must be upgraded to use this version of dependency-check. Please see {} for more information.",
UPGRADE_HELP_URL);
throw new DatabaseException("Database schema is out of date");
}
}
}
@@ -342,12 +358,12 @@ public final class ConnectionFactory {
cs = conn.prepareCall("SELECT value FROM properties WHERE id = 'version'");
rs = cs.executeQuery();
if (rs.next()) {
final DependencyVersion current = DependencyVersionUtil.parseVersion(DB_SCHEMA_VERSION);
final DependencyVersion appDbVersion = DependencyVersionUtil.parseVersion(DB_SCHEMA_VERSION);
final DependencyVersion db = DependencyVersionUtil.parseVersion(rs.getString(1));
if (current.compareTo(db) > 0) {
LOGGER.debug("Current Schema: " + DB_SCHEMA_VERSION);
LOGGER.debug("DB Schema: " + rs.getString(1));
updateSchema(conn, rs.getString(1));
if (appDbVersion.compareTo(db) > 0) {
LOGGER.debug("Current Schema: {}", DB_SCHEMA_VERSION);
LOGGER.debug("DB Schema: {}", rs.getString(1));
updateSchema(conn, appDbVersion, db);
if (++callDepth < 10) {
ensureSchemaVersion(conn);
}

11
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java
View File

@@ -70,11 +70,11 @@ public class DatabaseProperties {
/**
* A collection of properties about the data.
*/
private Properties properties;
private final Properties properties;
/**
* A reference to the database.
*/
private CveDB cveDB;
private final CveDB cveDB;
/**
* Constructs a new data properties object.
@@ -83,13 +83,6 @@ public class DatabaseProperties {
*/
DatabaseProperties(CveDB cveDB) {
this.cveDB = cveDB;
loadProperties();
}
/**
* Loads the properties from the database.
*/
private void loadProperties() {
this.properties = cveDB.getProperties();
}

46
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java
View File

@@ -28,6 +28,7 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.owasp.dependencycheck.utils.DateUtil;
import org.owasp.dependencycheck.utils.DependencyVersion;
import org.owasp.dependencycheck.utils.InvalidSettingException;
import org.owasp.dependencycheck.utils.Settings;
import org.owasp.dependencycheck.utils.URLConnectionFactory;
import org.owasp.dependencycheck.utils.URLConnectionFailureException;
@@ -82,27 +83,33 @@ public class EngineVersionCheck implements CachedWebDataSource {
@Override
public void update() throws UpdateException {
try {
openDatabase();
LOGGER.debug("Begin Engine Version Check");
final DatabaseProperties properties = cveDB.getDatabaseProperties();
final long lastChecked = Long.parseLong(properties.getProperty(ENGINE_VERSION_CHECKED_ON, "0"));
final long now = System.currentTimeMillis();
updateToVersion = properties.getProperty(CURRENT_ENGINE_RELEASE, "");
final String currentVersion = Settings.getString(Settings.KEYS.APPLICATION_VERSION, "0.0.0");
LOGGER.debug("Last checked: {}", lastChecked);
LOGGER.debug("Now: {}", now);
LOGGER.debug("Current version: {}", currentVersion);
final boolean updateNeeded = shouldUpdate(lastChecked, now, properties, currentVersion);
if (updateNeeded) {
LOGGER.warn("A new version of dependency-check is available. Consider updating to version {}.",
updateToVersion);
if (Settings.getBoolean(Settings.KEYS.AUTO_UPDATE)) {
openDatabase();
LOGGER.debug("Begin Engine Version Check");
final DatabaseProperties properties = cveDB.getDatabaseProperties();
final long lastChecked = Long.parseLong(properties.getProperty(ENGINE_VERSION_CHECKED_ON, "0"));
final long now = System.currentTimeMillis();
updateToVersion = properties.getProperty(CURRENT_ENGINE_RELEASE, "");
final String currentVersion = Settings.getString(Settings.KEYS.APPLICATION_VERSION, "0.0.0");
LOGGER.debug("Last checked: {}", lastChecked);
LOGGER.debug("Now: {}", now);
LOGGER.debug("Current version: {}", currentVersion);
final boolean updateNeeded = shouldUpdate(lastChecked, now, properties, currentVersion);
if (updateNeeded) {
LOGGER.warn("A new version of dependency-check is available. Consider updating to version {}.",
updateToVersion);
}
}
} catch (DatabaseException ex) {
LOGGER.debug("Database Exception opening databases to retrieve properties", ex);
throw new UpdateException("Error occured updating database properties.");
} catch (InvalidSettingException ex) {
LOGGER.debug("Unable to determine if autoupdate is enabled", ex);
} finally {
closeDatabase();
}
}
@@ -120,10 +127,7 @@ public class EngineVersionCheck implements CachedWebDataSource {
protected boolean shouldUpdate(final long lastChecked, final long now, final DatabaseProperties properties,
String currentVersion) throws UpdateException {
//check every 30 days if we know there is an update, otherwise check every 7 days
int checkRange = 30;
if (updateToVersion.isEmpty()) {
checkRange = 7;
}
final int checkRange = 30;
if (!DateUtil.withinDateRange(lastChecked, now, checkRange)) {
LOGGER.debug("Checking web for new version.");
final String currentRelease = getCurrentReleaseVersion();
@@ -133,14 +137,16 @@ public class EngineVersionCheck implements CachedWebDataSource {
updateToVersion = v.toString();
if (!currentRelease.equals(updateToVersion)) {
properties.save(CURRENT_ENGINE_RELEASE, updateToVersion);
} else {
properties.save(CURRENT_ENGINE_RELEASE, "");
}
properties.save(ENGINE_VERSION_CHECKED_ON, Long.toString(now));
}
}
LOGGER.debug("Current Release: {}", updateToVersion);
}
if (updateToVersion == null) {
LOGGER.debug("Unable to obtain current release");
return false;
}
final DependencyVersion running = new DependencyVersion(currentVersion);
final DependencyVersion released = new DependencyVersion(updateToVersion);
if (running.compareTo(released) < 0) {

32
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
View File

@@ -25,6 +25,8 @@ import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import static org.owasp.dependencycheck.data.nvdcve.DatabaseProperties.MODIFIED;
import org.owasp.dependencycheck.data.update.exception.InvalidDataException;
@@ -66,7 +68,13 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
public void update() throws UpdateException {
try {
openDataStores();
if (checkUpdate()) {
boolean autoUpdate = true;
try {
autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
} catch (InvalidSettingException ex) {
LOGGER.debug("Invalid setting for auto-update; using true.");
}
if (autoUpdate && checkUpdate()) {
final UpdateableNvdCve updateable = getUpdatesNeeded();
if (updateable.isUpdateNeeded()) {
performUpdate(updateable);
@@ -101,7 +109,7 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
boolean proceed = true;
// If the valid setting has not been specified, then we proceed to check...
final int validForHours = Settings.getInt(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, 0);
if (0 < validForHours) {
if (dataExists() && 0 < validForHours) {
// ms Valid = valid (hours) x 60 min/hour x 60 sec/min x 1000 ms/sec
final long msValid = validForHours * 60L * 60L * 1000L;
final long lastChecked = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_CHECKED, "0"));
@@ -118,6 +126,26 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
return proceed;
}
/**
* Checks the CVE Index to ensure data exists and analysis can continue.
*
* @return true if the database contains data
*/
private boolean dataExists() {
CveDB cve = null;
try {
cve = new CveDB();
cve.open();
return cve.dataExists();
} catch (DatabaseException ex) {
return false;
} finally {
if (cve != null) {
cve.close();
}
}
}
/**
* Downloads the latest NVD CVE XML file from the web and imports it into the current CVE Database.
*

4
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/CPEHandler.java
View File

@@ -46,7 +46,7 @@ public class CPEHandler extends DefaultHandler {
/**
* A reference to the current element.
*/
private Element current = new Element();
private final Element current = new Element();
/**
* The logger.
*/
@@ -54,7 +54,7 @@ public class CPEHandler extends DefaultHandler {
/**
* The list of CPE values.
*/
private List<Cpe> data = new ArrayList<Cpe>();
private final List<Cpe> data = new ArrayList<Cpe>();
/**
* Returns the list of CPE values.

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/package-info.java
View File

@@ -1,5 +1,5 @@
/**
* Contains classes used to parse the CPE XML file from NIST.<br/><br/>
* Contains classes used to parse the CPE XML file from NIST.<br><br>
*
* These classes are not used as they add no value over the existing CPE data contained within the CVE data from the NVD. However,
* we may consider pulling the more descriptive data from the CPE data in the future.

74
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java
View File

@@ -22,6 +22,7 @@ import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
@@ -80,11 +81,11 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
/**
* The CVE DB to use when processing the files.
*/
private CveDB cveDB;
private final CveDB cveDB;
/**
* The processor service to pass the results of the download to.
*/
private ExecutorService processorService;
private final ExecutorService processorService;
/**
* The NVD CVE Meta Data.
*/
@@ -92,7 +93,7 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
/**
* A reference to the global settings object.
*/
private Settings settings;
private final Settings settings;
/**
* Get the value of nvdCveInfo.
@@ -155,28 +156,6 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
public void setSecond(File second) {
this.second = second;
}
/**
* A placeholder for an exception.
*/
private Exception exception = null;
/**
* Get the value of exception.
*
* @return the value of exception
*/
public Exception getException() {
return exception;
}
/**
* returns whether or not an exception occurred during download.
*
* @return whether or not an exception occurred during download
*/
public boolean hasException() {
return exception != null;
}
@Override
public Future<ProcessTask> call() throws Exception {
@@ -198,15 +177,15 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
LOGGER.debug("", ex);
return null;
}
if (url1.toExternalForm().endsWith(".xml.gz")) {
if (url1.toExternalForm().endsWith(".xml.gz") && !isXml(first)) {
extractGzip(first);
}
if (url2.toExternalForm().endsWith(".xml.gz")) {
if (url2.toExternalForm().endsWith(".xml.gz") && !isXml(second)) {
extractGzip(second);
}
LOGGER.info("Download Complete for NVD CVE - {} ({} ms)", nvdCveInfo.getId(),
System.currentTimeMillis() - startDownload);
System.currentTimeMillis() - startDownload);
if (this.processorService == null) {
return null;
}
@@ -248,6 +227,45 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
}
}
/**
* Checks the file header to see if it is an XML file.
*
* @param file the file to check
* @return true if the file is XML
*/
public static boolean isXml(File file) {
if (file == null || !file.isFile()) {
return false;
}
InputStream is = null;
try {
is = new FileInputStream(file);
final byte[] buf = new byte[5];
int read = 0;
try {
read = is.read(buf);
} catch (IOException ex) {
return false;
}
return read == 5
&& buf[0] == '<'
&& (buf[1] == '?')
&& (buf[2] == 'x' || buf[2] == 'X')
&& (buf[3] == 'm' || buf[3] == 'M')
&& (buf[4] == 'l' || buf[4] == 'L');
} catch (FileNotFoundException ex) {
return false;
} finally {
if (is != null) {
try {
is.close();
} catch (IOException ex) {
}
}
}
}
/**
* Extracts the file contained in a gzip archive. The extracted file is placed in the exact same path as the file specified.
*

13
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCve12Handler.java
View File

@@ -99,7 +99,6 @@ public class NvdCve12Handler extends DefaultHandler {
software = null;
}
} else if (!skip && current.isProdNode()) {
vendor = attributes.getValue("vendor");
product = attributes.getValue("name");
} else if (!skip && current.isVersNode()) {
@@ -112,15 +111,19 @@ public class NvdCve12Handler extends DefaultHandler {
/*yes yes, this may not actually be an "a" - it could be an OS, etc. but for our
purposes this is good enough as we won't use this if we don't find a corresponding "a"
in the nvd cve 2.0. */
String cpe = "cpe:/a:" + vendor + ":" + product;
final int cpeLen = 8 + vendor.length() + product.length()
+ (null != num ? (1 + num.length()) : 0)
+ (null != edition ? (1 + edition.length()) : 0);
final StringBuilder cpe = new StringBuilder(cpeLen);
cpe.append("cpe:/a:").append(vendor).append(':').append(product);
if (num != null) {
cpe += ':' + num;
cpe.append(':').append(num);
}
if (edition != null) {
cpe += ':' + edition;
cpe.append(':').append(edition);
}
final VulnerableSoftware vs = new VulnerableSoftware();
vs.setCpe(cpe);
vs.setCpe(cpe.toString());
vs.setPreviousVersion(prev);
software.add(vs);
}

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/ProcessTask.java
View File

@@ -85,7 +85,7 @@ public class ProcessTask implements Callable<ProcessTask> {
/**
* A reference to the global settings object.
*/
private Settings settings;
private final Settings settings;
/**
* Constructs a new ProcessTask used to process an NVD CVE update.

4
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/UpdateableNvdCve.java
View File

@@ -32,12 +32,12 @@ import org.owasp.dependencycheck.utils.Downloader;
*
* @author Jeremy Long
*/
public class UpdateableNvdCve implements java.lang.Iterable<NvdCveInfo>, Iterator<NvdCveInfo> {
public class UpdateableNvdCve implements Iterable<NvdCveInfo>, Iterator<NvdCveInfo> {
/**
* A collection of sources of data.
*/
private Map<String, NvdCveInfo> collection = new TreeMap<String, NvdCveInfo>();
private final Map<String, NvdCveInfo> collection = new TreeMap<String, NvdCveInfo>();
/**
* Returns the collection of NvdCveInfo objects. This method is mainly used for testing.

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/package-info.java
View File

@@ -1,4 +1,4 @@
/**
* Contains classes used to download, parse, and load the NVD CVE data from NIST into the local database.<br/><br/>
* Contains classes used to download, parse, and load the NVD CVE data from NIST into the local database.<br><br>
*/
package org.owasp.dependencycheck.data.update.nvd;

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/package-info.java
View File

@@ -1,6 +1,6 @@
/**
*
* Contains classes used to update the data stores.<br/><br/>
* Contains classes used to update the data stores.<br><br>
*
* The UpdateService will load, any correctly defined CachedWebDataSource(s) and call update() on them. The Cached Data Source
* must determine if it needs to be updated and if so perform the update. The sub packages contain classes used to perform the

68
dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
View File

@@ -692,7 +692,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
}
/**
* Implementation of the Comparable<Dependency> interface. The comparison is solely based on the file path.
* Implementation of the Comparable&lt;Dependency&gt; interface. The comparison is solely based on the file path.
*
* @param o a dependency to compare
* @return an integer representing the natural ordering
@@ -715,23 +715,23 @@ public class Dependency implements Serializable, Comparable<Dependency> {
}
final Dependency other = (Dependency) obj;
return new EqualsBuilder()
.appendSuper(super.equals(obj))
.append(this.actualFilePath, other.actualFilePath)
.append(this.filePath, other.filePath)
.append(this.fileName, other.fileName)
.append(this.md5sum, other.md5sum)
.append(this.sha1sum, other.sha1sum)
.append(this.identifiers, other.identifiers)
.append(this.vendorEvidence, other.vendorEvidence)
.append(this.productEvidence, other.productEvidence)
.append(this.versionEvidence, other.versionEvidence)
.append(this.description, other.description)
.append(this.license, other.license)
.append(this.vulnerabilities, other.vulnerabilities)
//.append(this.relatedDependencies, other.relatedDependencies)
.append(this.projectReferences, other.projectReferences)
.append(this.availableVersions, other.availableVersions)
.isEquals();
.appendSuper(super.equals(obj))
.append(this.actualFilePath, other.actualFilePath)
.append(this.filePath, other.filePath)
.append(this.fileName, other.fileName)
.append(this.md5sum, other.md5sum)
.append(this.sha1sum, other.sha1sum)
.append(this.identifiers, other.identifiers)
.append(this.vendorEvidence, other.vendorEvidence)
.append(this.productEvidence, other.productEvidence)
.append(this.versionEvidence, other.versionEvidence)
.append(this.description, other.description)
.append(this.license, other.license)
.append(this.vulnerabilities, other.vulnerabilities)
//.append(this.relatedDependencies, other.relatedDependencies)
.append(this.projectReferences, other.projectReferences)
.append(this.availableVersions, other.availableVersions)
.isEquals();
}
/**
@@ -742,22 +742,22 @@ public class Dependency implements Serializable, Comparable<Dependency> {
@Override
public int hashCode() {
return new HashCodeBuilder(MAGIC_HASH_INIT_VALUE, MAGIC_HASH_MULTIPLIER)
.append(actualFilePath)
.append(filePath)
.append(fileName)
.append(md5sum)
.append(sha1sum)
.append(identifiers)
.append(vendorEvidence)
.append(productEvidence)
.append(versionEvidence)
.append(description)
.append(license)
.append(vulnerabilities)
//.append(relatedDependencies)
.append(projectReferences)
.append(availableVersions)
.toHashCode();
.append(actualFilePath)
.append(filePath)
.append(fileName)
.append(md5sum)
.append(sha1sum)
.append(identifiers)
.append(vendorEvidence)
.append(productEvidence)
.append(versionEvidence)
.append(description)
.append(license)
.append(vulnerabilities)
//.append(relatedDependencies)
.append(projectReferences)
.append(availableVersions)
.toHashCode();
}
/**

6
dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java
View File

@@ -97,7 +97,7 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
* Used to iterate over evidence of the specified confidence.
*
* @param confidence the confidence level for the evidence to be iterated over.
* @return Iterable<Evidence> an iterable collection of evidence
* @return Iterable&lt;Evidence&gt; an iterable collection of evidence
*/
public final Iterable<Evidence> iterator(Confidence confidence) {
if (confidence == Confidence.HIGHEST) {
@@ -168,7 +168,7 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
* Returns a set of Weightings - a list of terms that are believed to be of higher confidence when also found in another
* location.
*
* @return Set<String>
* @return Set&lt;String&gt;
*/
public Set<String> getWeighting() {
return weightedStrings;
@@ -225,7 +225,7 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
/**
* Implements the iterator interface for the Evidence Collection.
*
* @return an Iterator<Evidence>.
* @return an Iterator&lt;Evidence&gt;
*/
@Override
public Iterator<Evidence> iterator() {

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/exception/ScanAgentException.java
View File

@@ -22,7 +22,7 @@ import java.io.IOException;
/**
* An exception used when using @{link DependencyCheckScanAgent} to conduct a scan and the scan fails.
*
* @author Steve Springett <steve.springett@owasp.org>
* @author Steve Springett
*/
public class ScanAgentException extends IOException {

20
dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/VelocityLoggerRedirect.java
View File

@@ -24,15 +24,14 @@ import org.slf4j.LoggerFactory;
/**
* <p>
* DependencyCheck uses {@link org.slf4j.Logger} as a logging framework, and Apache Velocity uses a custom
* logging implementation that outputs to a file named velocity.log by default. This class is an implementation of a
* custom Velocity logger that redirects all velocity logging to the Java Logger class.
* DependencyCheck uses {@link org.slf4j.Logger} as a logging framework, and Apache Velocity uses a custom logging implementation
* that outputs to a file named velocity.log by default. This class is an implementation of a custom Velocity logger that
* redirects all velocity logging to the Java Logger class.
* </p><p>
* This class was written to address permission issues when using Dependency-Check in a server environment (such as the
* Jenkins plugin). In some circumstances, Velocity would attempt to create velocity.log in an un-writable
* directory.</p>
* This class was written to address permission issues when using Dependency-Check in a server environment (such as the Jenkins
* plugin). In some circumstances, Velocity would attempt to create velocity.log in an un-writable directory.</p>
*
* @author Steve Springett <steve.springett@owasp.org>
* @author Steve Springett
*/
public class VelocityLoggerRedirect implements LogChute {
@@ -52,8 +51,7 @@ public class VelocityLoggerRedirect implements LogChute {
}
/**
* Given a Velocity log level and message, this method will call the appropriate Logger level and log the specified
* values.
* Given a Velocity log level and message, this method will call the appropriate Logger level and log the specified values.
*
* @param level the logging level
* @param message the message to be logged
@@ -82,8 +80,8 @@ public class VelocityLoggerRedirect implements LogChute {
}
/**
* Given a Velocity log level, message and Throwable, this method will call the appropriate Logger level and log the
* specified values.
* Given a Velocity log level, message and Throwable, this method will call the appropriate Logger level and log the specified
* values.
*
* @param level the logging level
* @param message the message to be logged

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionHandler.java
View File

@@ -65,7 +65,7 @@ public class SuppressionHandler extends DefaultHandler {
/**
* A list of suppression rules.
*/
private List<SuppressionRule> suppressionRules = new ArrayList<SuppressionRule>();
private final List<SuppressionRule> suppressionRules = new ArrayList<SuppressionRule>();
/**
* Get the value of suppressionRules.

30
dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionRule.java
View File

@@ -20,7 +20,6 @@ package org.owasp.dependencycheck.suppression;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import org.apache.commons.lang3.StringUtils;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Identifier;
import org.owasp.dependencycheck.dependency.Vulnerability;
@@ -268,8 +267,8 @@ public class SuppressionRule {
}
/**
* A flag indicating whether or not the suppression rule is a core/base rule that should not be included in the
* resulting report in the "suppressed" section.
* A flag indicating whether or not the suppression rule is a core/base rule that should not be included in the resulting
* report in the "suppressed" section.
*/
private boolean base;
@@ -292,8 +291,8 @@ public class SuppressionRule {
}
/**
* Processes a given dependency to determine if any CPE, CVE, CWE, or CVSS scores should be suppressed. If any
* should be, they are removed from the dependency.
* Processes a given dependency to determine if any CPE, CVE, CWE, or CVSS scores should be suppressed. If any should be, they
* are removed from the dependency.
*
* @param dependency a project dependency to analyze
*/
@@ -382,7 +381,24 @@ public class SuppressionRule {
* @return true if the property type does not specify a version; otherwise false
*/
boolean cpeHasNoVersion(PropertyType c) {
return !c.isRegex() && StringUtils.countMatches(c.getValue(), ':') == 3;
return !c.isRegex() && countCharacter(c.getValue(), ':') <= 3;
}
/**
* Counts the number of occurrences of the character found within the string.
*
* @param str the string to check
* @param c the character to count
* @return the number of times the character is found in the string
*/
int countCharacter(String str, char c) {
int count = 0;
int pos = str.indexOf(c) + 1;
while (pos > 0) {
count += 1;
pos = str.indexOf(c, pos) + 1;
}
return count;
}
/**
@@ -417,7 +433,7 @@ public class SuppressionRule {
*/
@Override
public String toString() {
final StringBuilder sb = new StringBuilder();
final StringBuilder sb = new StringBuilder(64);
sb.append("SuppressionRule{");
if (filePath != null) {
sb.append("filePath=").append(filePath).append(',');

9
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersionUtil.java
View File

@@ -48,10 +48,11 @@ public final class DependencyVersionUtil {
/**
* <p>
* A utility class to extract version numbers from file names (or other strings containing version numbers.<br/>
* Example:<br/>
* Give the file name: library-name-1.4.1r2-release.jar<br/>
* This function would return: 1.4.1.r2</p>
* A utility class to extract version numbers from file names (or other strings containing version numbers.</p>
* <pre>
* Example:
* Give the file name: library-name-1.4.1r2-release.jar
* This function would return: 1.4.1.r2</pre>
*
* @param text the text being analyzed
* @return a DependencyVersion containing the version

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/FileFilterBuilder.java
View File

@@ -40,7 +40,7 @@ import java.util.Set;
* FileFilter filter = FileFilterBuilder.newInstance().addExtensions("jar", "war").build();
* </pre>
*
* @author Dale Visser <dvisser@ida.org>
* @author Dale Visser
* @see <a href="https://en.wikipedia.org/wiki/Builder_pattern">Builder pattern</a>
*/
public class FileFilterBuilder {

4
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Filter.java
View File

@@ -50,7 +50,7 @@ public abstract class Filter<T> {
if (next == null) {
throw new NoSuchElementException();
}
T returnValue = next;
final T returnValue = next;
toNext();
return returnValue;
}
@@ -63,7 +63,7 @@ public abstract class Filter<T> {
private void toNext() {
next = null;
while (iterator.hasNext()) {
T item = iterator.next();
final T item = iterator.next();
if (item != null && passes(item)) {
next = item;
break;

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/Model.java
View File

@@ -241,7 +241,7 @@ public class Model {
/**
* The list of licenses.
*/
private List<License> licenses = new ArrayList<License>();
private final List<License> licenses = new ArrayList<License>();
/**
* Returns the list of licenses.

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomHandler.java
View File

@@ -78,7 +78,7 @@ public class PomHandler extends DefaultHandler {
/**
* The pom model.
*/
private Model model = new Model();
private final Model model = new Model();
/**
* Returns the model obtained from the pom.xml.

1
dependency-check-core/src/main/resources/data/dbStatements_oracle.properties Normal file
View File

@@ -0,0 +1 @@
CLEANUP_ORPHANS=DELETE FROM cpeEntry WHERE id not in (SELECT CPEEntryId FROM software)

5
dependency-check-core/src/main/resources/data/initialize_mysql.sql
View File

@@ -25,7 +25,8 @@ CREATE TABLE cpeEntry (id INT auto_increment PRIMARY KEY, cpe VARCHAR(250), vend
CREATE TABLE software (cveid INT, cpeEntryId INT, previousVersion VARCHAR(50)
, CONSTRAINT fkSoftwareCve FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE
, CONSTRAINT fkSoftwareCpeProduct FOREIGN KEY (cpeEntryId) REFERENCES cpeEntry(id));
, CONSTRAINT fkSoftwareCpeProduct FOREIGN KEY (cpeEntryId) REFERENCES cpeEntry(id)
, PRIMARY KEY (cveid, cpeEntryId));
CREATE INDEX idxVulnerability ON vulnerability(cve);
CREATE INDEX idxReference ON reference(cveid);
@@ -53,4 +54,4 @@ DELIMITER ;
GRANT EXECUTE ON PROCEDURE dependencycheck.save_property TO 'dcuser';
UPDATE Properties SET value='3.0' WHERE ID='version';
UPDATE Properties SET value='3.0' WHERE ID='version';

112
dependency-check-core/src/main/resources/data/initialize_oracle.sql Normal file
View File

@@ -0,0 +1,112 @@
-- Drop
BEGIN
EXECUTE IMMEDIATE 'DROP SEQUENCE vulnerability_seq';
EXCEPTION
WHEN OTHERS THEN
IF SQLCODE != -2289 THEN
RAISE;
END IF;
END;
BEGIN
EXECUTE IMMEDIATE 'DROP SEQUENCE cpeEntry_seq';
EXCEPTION
WHEN OTHERS THEN
IF SQLCODE != -2289 THEN
RAISE;
END IF;
END;
BEGIN
EXECUTE IMMEDIATE 'DROP TABLE software CASCADE CONSTRAINTS';
EXCEPTION
WHEN OTHERS THEN
IF SQLCODE != -942 THEN
RAISE;
END IF;
END;
BEGIN
EXECUTE IMMEDIATE 'DROP TABLE cpeEntry CASCADE CONSTRAINTS';
EXCEPTION
WHEN OTHERS THEN
IF SQLCODE != -942 THEN
RAISE;
END IF;
END;
BEGIN
EXECUTE IMMEDIATE 'DROP TABLE reference CASCADE CONSTRAINTS';
EXCEPTION
WHEN OTHERS THEN
IF SQLCODE != -942 THEN
RAISE;
END IF;
END;
BEGIN
EXECUTE IMMEDIATE 'DROP TABLE vulnerability CASCADE CONSTRAINTS';
EXCEPTION
WHEN OTHERS THEN
IF SQLCODE != -942 THEN
RAISE;
END IF;
END;
BEGIN
EXECUTE IMMEDIATE 'DROP TABLE properties CASCADE CONSTRAINTS';
EXCEPTION
WHEN OTHERS THEN
IF SQLCODE != -942 THEN
RAISE;
END IF;
END;
CREATE TABLE vulnerability (id INT NOT NULL PRIMARY KEY, cve VARCHAR(20) UNIQUE,
description CLOB, cwe VARCHAR(10), cvssScore DECIMAL(3,1), cvssAccessVector VARCHAR(20),
cvssAccessComplexity VARCHAR(20), cvssAuthentication VARCHAR(20), cvssConfidentialityImpact VARCHAR(20),
cvssIntegrityImpact VARCHAR(20), cvssAvailabilityImpact VARCHAR(20));
CREATE TABLE reference (cveid INT, name VARCHAR(1000), url VARCHAR(1000), source VARCHAR(255),
CONSTRAINT fkReference FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE);
CREATE TABLE cpeEntry (id INT NOT NULL PRIMARY KEY, cpe VARCHAR(250), vendor VARCHAR(255), product VARCHAR(255));
CREATE TABLE software (cveid INT, cpeEntryId INT, previousVersion VARCHAR(50)
, CONSTRAINT fkSoftwareCve FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE
, CONSTRAINT fkSoftwareCpeProduct FOREIGN KEY (cpeEntryId) REFERENCES cpeEntry(id));
CREATE INDEX idxVulnerability ON vulnerability(cve);
CREATE INDEX idxReference ON reference(cveid);
CREATE INDEX idxCpe ON cpeEntry(cpe);
CREATE INDEX idxCpeEntry ON cpeEntry(vendor, product);
CREATE INDEX idxSoftwareCve ON software(cveid);
CREATE INDEX idxSoftwareCpe ON software(cpeEntryId);
CREATE TABLE properties (id varchar(50) PRIMARY KEY, value varchar(500));
CREATE SEQUENCE cpeEntry_seq;
CREATE SEQUENCE vulnerability_seq;
CREATE OR REPLACE TRIGGER VULNERABILITY_TRG
BEFORE INSERT
ON VULNERABILITY
REFERENCING NEW AS New OLD AS Old
FOR EACH ROW
BEGIN
:new.ID := VULNERABILITY_SEQ.nextval;
END VULNERABILITY_TRG;
/
CREATE OR REPLACE TRIGGER CPEENTRY_TRG
BEFORE INSERT
ON CPEENTRY
REFERENCING NEW AS New OLD AS Old
FOR EACH ROW
BEGIN
:new.ID := CPEENTRY_SEQ.nextval;
END CPEENTRY_TRG;
/
INSERT INTO properties(id,value) VALUES ('version','3.0');

2
dependency-check-core/src/main/resources/data/upgrade_mysql_2.9.sql
View File

@@ -12,4 +12,4 @@ DELIMITER ;
GRANT EXECUTE ON PROCEDURE dependencycheck.save_property TO 'dcuser';
UPDATE Properties SET value='3.0' WHERE ID='version';
UPDATE properties SET value='3.0' WHERE ID='version';

132
dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
View File

@@ -161,6 +161,13 @@
<gav regex="true">.*\bhk2\b.*</gav>
<cpe>cpe:/a:oracle:glassfish</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
HK2-utils is flagged as glassfish.
]]></notes>
<filePath regex="true">.*\bhk2-utils.*\.jar</filePath>
<cpe>cpe:/a:oracle:glassfish</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: petals-se-camel-1.0.0.jar - false positive for apache camel.
@@ -189,4 +196,127 @@
<gav regex="true">org.apache.geronimo.specs:.*</gav>
<cpe>cpe:/a:apache:geronimo</cpe>
</suppress>
</suppressions>
<suppress base="true">
<notes><![CDATA[
This suppresses false positives identified on tomcat-embed-el.
]]></notes>
<gav regex="true">org\.apache\.tomcat\.embed:tomcat-embed-el:.*</gav>
<cpe>cpe:/a:apache:tomcat</cpe>
<cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
This suppresses false positives identified on tomcat-jdbc.
]]></notes>
<gav regex="true">org\.apache\.tomcat:tomcat-jdbc:.*</gav>
<cpe>cpe:/a:apache:tomcat</cpe>
<cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
This suppresses false positives identified on tomcat-juli.
]]></notes>
<gav regex="true">org\.apache\.tomcat:tomcat-juli:.*</gav>
<cpe>cpe:/a:apache:tomcat</cpe>
<cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
suppress false positive per issue #433
]]></notes>
<gav regex="true">com\.google\.javascript:closure-compiler:.*</gav>
<cpe>cpe:/a:google:google_apps:-</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
suppress false positives per issue #437
]]></notes>
<gav regex="true">.*mongodb.*:.*:.*</gav>
<cpe>cpe:/a:mongodb:mongodb</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
suppress false positives per issue #438
Note, there will be more false positives for Netty. Trying to figure out a better suppression.
]]></notes>
<gav regex="true">com.typesafe.netty:netty-http-pipelining:.*</gav>
<cpe>cpe:/a:netty_project:netty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
JVM instrumentation to Ganglia
]]></notes>
<gav regex="true">info\.ganglia\.gmetric4j:gmetric4j:.*</gav>
<cpe>cpe:/a:ganglia:ganglia</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
A reporter for Metrics which announces measurements to a Ganglia cluster
]]></notes>
<gav regex="true">io\.dropwizard\.metrics:metrics-ganglia:.*</gav>
<cpe>cpe:/a:ganglia:ganglia</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
drop wizard false positives
]]></notes>
<gav regex="true">io\.dropwizard:dropwizard-jetty:.*</gav>
<cpe>cpe:/a:jetty:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
drop wizard false positives
]]></notes>
<gav regex="true">io\.dropwizard\.metrics:metrics-jetty:.*</gav>
<cpe>cpe:/a:jetty:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
drop wizard false positives
]]></notes>
<gav regex="true">org\.eclipse\.jetty\.toolchain\.setuid:jetty-setuid-java:.*</gav>
<cpe>cpe:/a:jetty:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
drop wizard false positives
]]></notes>
<gav regex="true">org\.eclipse\.jetty:jetty-io:.*</gav>
<cpe>cpe:/a:jetty:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
drop wizard false positives
]]></notes>
<gav regex="true">org\.eclipse\.jetty\.http2:http2-hpack:.*</gav>
<cpe>cpe:/a:jetty:jetty</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
drop wizard false positives
]]></notes>
<gav regex="true">io\.dropwizard\.metrics:metrics-httpclient:.*</gav>
<cpe>cpe:/a:apache:httpclient</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
javax.transaction false positives
]]></notes>
<gav regex="true">javax\.transaction:javax\.transaction-api:.*</gav>
<cpe>cpe:/a:oracle:glassfish</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
false positive in drop wizard
]]></notes>
<filePath regex="true">.*\.(jar|ear|war|pom)</filePath>
<cpe>cpe:/a:tiger:tiger</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
php cpe
]]></notes>
<filePath regex="true">.*\.(jar|exe|dll|ear|war|pom)</filePath>
<cpe>cpe:/a:class:class</cpe>
</suppress>
</suppressions>

7
dependency-check-core/src/main/resources/dependencycheck.properties
View File

@@ -18,8 +18,13 @@ engine.version.url=http://jeremylong.github.io/DependencyCheck/current.txt
data.directory=[JAR]/data
#if the filename has a %s it will be replaced with the current expected version
data.file_name=dc.h2.db
### if you increment the DB version then you must increment the database file path
### in the mojo.properties, task.properties (maven and ant respectively), and
### the gradle PurgeDataExtension.
data.version=3.0
data.connection_string=jdbc:h2:file:%s;FILE_LOCK=FS;AUTOCOMMIT=ON;
data.connection_string=jdbc:h2:file:%s;FILE_LOCK=SERIALIZED;AUTOCOMMIT=ON;
#data.connection_string=jdbc:mysql://localhost:3306/dependencycheck
# user name and password for the database connection. The inherent case is to use H2.

4
dependency-check-core/src/main/resources/schema/suppression.xsd
View File

@@ -21,7 +21,7 @@
</xs:simpleType>
<xs:simpleType name="cveType">
<xs:restriction base="xs:string">
<xs:pattern value="CVE\-\d\d\d\d\-\d+"/>
<xs:pattern value="((\w+\-)?CVE\-\d\d\d\d\-\d+|\d+)"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="sha1Type">
@@ -56,4 +56,4 @@
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
</xs:schema>

2
dependency-check-core/src/main/resources/templates/HtmlReport.vsl
View File

@@ -503,7 +503,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<body>
<div id="modal-background"></div>
<div id="modal-content">
<div>Press CTR-C to copy XML&nbsp;<a href="http://jeremylong.github.io/DependencyCheck/suppression.html" class="infolink" target="_blank" title="Help with suppressing false positives">[help]</a></div>
<div>Press CTR-C to copy XML&nbsp;<a href="http://jeremylong.github.io/DependencyCheck/general/suppression.html" class="infolink" target="_blank" title="Help with suppressing false positives">[help]</a></div>
<textarea id="modal-text" cols="50" rows="10" readonly></textarea><br/>
<button id="modal-add-header" title="Add the parent XML nodes to create the complete XML file that can be used to suppress this finding" class="modal-button">Complete XML Doc</button><button id="modal-close" class="modal-button-right">Close</button>
</div>

2
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java
View File

@@ -159,7 +159,7 @@ public class AssemblyAnalyzerTest extends BaseTest {
aanalyzer.initialize();
fail("Expected an AnalysisException");
} catch (AnalysisException ae) {
assertEquals("An error occured with the .NET AssemblyAnalyzer", ae.getMessage());
assertEquals("An error occurred with the .NET AssemblyAnalyzer", ae.getMessage());
} finally {
System.setProperty(LOG_KEY, oldProp);
// Recover the logger

244
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzerTest.java
View File

@@ -30,147 +30,137 @@ import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
/**
* Unit tests for AutoconfAnalyzer. The test resources under autoconf/ were
* obtained from outside open source software projects. Links to those projects
* are given below.
* Unit tests for AutoconfAnalyzer. The test resources under autoconf/ were obtained from outside open source software projects.
* Links to those projects are given below.
*
* @author Dale Visser <dvisser@ida.org>
* @see <a href="http://readable.sourceforge.net/">Readable Lisp S-expressions
* Project</a>
* @author Dale Visser
* @see <a href="http://readable.sourceforge.net/">Readable Lisp S-expressions Project</a>
* @see <a href="https://gnu.org/software/binutils/">GNU Binutils</a>
* @see <a href="https://gnu.org/software/ghostscript/">GNU Ghostscript</a>
*/
public class AutoconfAnalyzerTest extends BaseTest {
/**
* The analyzer to test.
*/
AutoconfAnalyzer analyzer;
/**
* The analyzer to test.
*/
AutoconfAnalyzer analyzer;
private void assertCommonEvidence(Dependency result, String product,
String version, String vendor) {
assertProductAndVersion(result, product, version);
assertTrue("Expected vendor evidence to contain \"" + vendor + "\".",
result.getVendorEvidence().toString().contains(vendor));
}
private void assertCommonEvidence(Dependency result, String product,
String version, String vendor) {
assertProductAndVersion(result, product, version);
assertTrue("Expected vendor evidence to contain \"" + vendor + "\".",
result.getVendorEvidence().toString().contains(vendor));
}
private void assertProductAndVersion(Dependency result, String product,
String version) {
assertTrue("Expected product evidence to contain \"" + product + "\".",
result.getProductEvidence().toString().contains(product));
assertTrue("Expected version evidence to contain \"" + version + "\".",
result.getVersionEvidence().toString().contains(version));
}
private void assertProductAndVersion(Dependency result, String product,
String version) {
assertTrue("Expected product evidence to contain \"" + product + "\".",
result.getProductEvidence().toString().contains(product));
assertTrue("Expected version evidence to contain \"" + version + "\".",
result.getVersionEvidence().toString().contains(version));
}
/**
* Correctly setup the analyzer for testing.
*
* @throws Exception
* thrown if there is a problem
*/
@Before
public void setUp() throws Exception {
analyzer = new AutoconfAnalyzer();
analyzer.setFilesMatched(true);
analyzer.initialize();
}
/**
* Correctly setup the analyzer for testing.
*
* @throws Exception thrown if there is a problem
*/
@Before
public void setUp() throws Exception {
analyzer = new AutoconfAnalyzer();
analyzer.setFilesMatched(true);
analyzer.initialize();
}
/**
* Cleanup the analyzer's temp files, etc.
*
* @throws Exception
* thrown if there is a problem
*/
@After
public void tearDown() throws Exception {
analyzer.close();
analyzer = null;
}
/**
* Cleanup the analyzer's temp files, etc.
*
* @throws Exception thrown if there is a problem
*/
@After
public void tearDown() throws Exception {
analyzer.close();
analyzer = null;
}
/**
* Test whether expected evidence is gathered from Ghostscript's
* configure.ac.
*
* @throws AnalysisException
* is thrown when an exception occurs.
*/
@Test
public void testAnalyzeConfigureAC1() throws AnalysisException {
final Dependency result = new Dependency(BaseTest.getResourceAsFile(
this, "autoconf/ghostscript/configure.ac"));
analyzer.analyze(result, null);
assertCommonEvidence(result, "ghostscript", "8.62.0", "gnu");
}
/**
* Test whether expected evidence is gathered from Ghostscript's configure.ac.
*
* @throws AnalysisException is thrown when an exception occurs.
*/
@Test
public void testAnalyzeConfigureAC1() throws AnalysisException {
final Dependency result = new Dependency(BaseTest.getResourceAsFile(
this, "autoconf/ghostscript/configure.ac"));
analyzer.analyze(result, null);
assertCommonEvidence(result, "ghostscript", "8.62.0", "gnu");
}
/**
* Test whether expected evidence is gathered from Readable's configure.ac.
*
* @throws AnalysisException
* is thrown when an exception occurs.
*/
@Test
public void testAnalyzeConfigureAC2() throws AnalysisException {
final Dependency result = new Dependency(BaseTest.getResourceAsFile(
this, "autoconf/readable-code/configure.ac"));
analyzer.analyze(result, null);
assertReadableCodeEvidence(result);
}
/**
* Test whether expected evidence is gathered from Readable's configure.ac.
*
* @throws AnalysisException is thrown when an exception occurs.
*/
@Test
public void testAnalyzeConfigureAC2() throws AnalysisException {
final Dependency result = new Dependency(BaseTest.getResourceAsFile(
this, "autoconf/readable-code/configure.ac"));
analyzer.analyze(result, null);
assertReadableCodeEvidence(result);
}
private void assertReadableCodeEvidence(final Dependency result) {
assertCommonEvidence(result, "readable", "1.0.7", "dwheeler");
final String url = "http://readable.sourceforge.net/";
assertTrue("Expected product evidence to contain \"" + url + "\".",
result.getVendorEvidence().toString().contains(url));
}
private void assertReadableCodeEvidence(final Dependency result) {
assertCommonEvidence(result, "readable", "1.0.7", "dwheeler");
final String url = "http://readable.sourceforge.net/";
assertTrue("Expected product evidence to contain \"" + url + "\".",
result.getVendorEvidence().toString().contains(url));
}
/**
* Test whether expected evidence is gathered from GNU Binutil's configure.
*
* @throws AnalysisException
* is thrown when an exception occurs.
*/
@Test
public void testAnalyzeConfigureScript() throws AnalysisException {
final Dependency result = new Dependency(BaseTest.getResourceAsFile(
this, "autoconf/binutils/configure"));
analyzer.analyze(result, null);
assertProductAndVersion(result, "binutils", "2.25.51");
}
/**
* Test whether expected evidence is gathered from GNU Binutil's configure.
*
* @throws AnalysisException is thrown when an exception occurs.
*/
@Test
public void testAnalyzeConfigureScript() throws AnalysisException {
final Dependency result = new Dependency(BaseTest.getResourceAsFile(
this, "autoconf/binutils/configure"));
analyzer.analyze(result, null);
assertProductAndVersion(result, "binutils", "2.25.51");
}
/**
* Test whether expected evidence is gathered from GNU Ghostscript's
* configure.
*
* @throws AnalysisException
* is thrown when an exception occurs.
*/
@Test
public void testAnalyzeReadableConfigureScript() throws AnalysisException {
final Dependency result = new Dependency(BaseTest.getResourceAsFile(
this, "autoconf/readable-code/configure"));
analyzer.analyze(result, null);
assertReadableCodeEvidence(result);
}
/**
* Test whether expected evidence is gathered from GNU Ghostscript's configure.
*
* @throws AnalysisException is thrown when an exception occurs.
*/
@Test
public void testAnalyzeReadableConfigureScript() throws AnalysisException {
final Dependency result = new Dependency(BaseTest.getResourceAsFile(
this, "autoconf/readable-code/configure"));
analyzer.analyze(result, null);
assertReadableCodeEvidence(result);
}
/**
* Test of getName method, of {@link AutoconfAnalyzer}.
*/
@Test
public void testGetName() {
assertEquals("Analyzer name wrong.", "Autoconf Analyzer",
analyzer.getName());
}
/**
* Test of getName method, of {@link AutoconfAnalyzer}.
*/
@Test
public void testGetName() {
assertEquals("Analyzer name wrong.", "Autoconf Analyzer",
analyzer.getName());
}
/**
* Test of {@link AutoconfAnalyzer#accept(File)}.
*/
@Test
public void testSupportsFileExtension() {
assertTrue("Should support \"ac\" extension.",
analyzer.accept(new File("configure.ac")));
assertTrue("Should support \"in\" extension.",
analyzer.accept(new File("configure.in")));
assertTrue("Should support \"configure\" extension.",
analyzer.accept(new File("configure")));
}
}
/**
* Test of {@link AutoconfAnalyzer#accept(File)}.
*/
@Test
public void testSupportsFileExtension() {
assertTrue("Should support \"ac\" extension.",
analyzer.accept(new File("configure.ac")));
assertTrue("Should support \"in\" extension.",
analyzer.accept(new File("configure.in")));
assertTrue("Should support \"configure\" extension.",
analyzer.accept(new File("configure")));
}
}

2
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java
View File

@@ -38,7 +38,7 @@ import org.owasp.dependencycheck.BaseDBTestCase;
/**
* Unit tests for CmakeAnalyzer.
*
* @author Dale Visser <dvisser@ida.org>
* @author Dale Visser
*/
public class CMakeAnalyzerTest extends BaseDBTestCase {

2
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java
View File

@@ -39,7 +39,7 @@ import org.owasp.dependencycheck.BaseDBTestCase;
/**
* Unit tests for NodePackageAnalyzer.
*
* @author Dale Visser <dvisser@ida.org>
* @author Dale Visser
*/
public class ComposerLockAnalyzerTest extends BaseDBTestCase {

12
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java
View File

@@ -23,6 +23,8 @@ import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
@@ -113,4 +115,14 @@ public class JarAnalyzerTest extends BaseTest {
assertEquals(expResult, result);
}
@Test
public void testParseManifest() throws Exception {
File file = BaseTest.getResourceAsFile(this, "xalan-2.7.0.jar");
Dependency result = new Dependency(file);
JarAnalyzer instance = new JarAnalyzer();
List<JarAnalyzer.ClassNameInformation> cni = new ArrayList<JarAnalyzer.ClassNameInformation>();
instance.parseManifest(result, cni);
assertTrue(result.getVersionEvidence().getEvidence("manifest: org/apache/xalan/").size() > 0);
}
}

2
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzerTest.java
View File

@@ -33,7 +33,7 @@ import static org.junit.Assert.*;
/**
* Unit tests for NodePackageAnalyzer.
*
* @author Dale Visser <dvisser@ida.org>
* @author Dale Visser
*/
public class NodePackageAnalyzerTest extends BaseTest {

25
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java
View File

@@ -32,7 +32,7 @@ import static org.junit.Assert.*;
/**
* Unit tests for OpenSSLAnalyzerAnalyzer.
*
* @author Dale Visser <dvisser@ida.org>
* @author Dale Visser
*/
public class OpenSSLAnalyzerTest extends BaseTest {
@@ -84,22 +84,15 @@ public class OpenSSLAnalyzerTest extends BaseTest {
@Test
public void testVersionConstantExamples() {
final long[] constants = {0x1000203fL
, 0x00903000
, 0x00903001
, 0x00903002l
, 0x0090300f
, 0x0090301f
, 0x0090400f
, 0x102031af};
final long[] constants = {0x1000203fL, 0x00903000, 0x00903001, 0x00903002l, 0x0090300f, 0x0090301f, 0x0090400f, 0x102031af};
final String[] versions = {"1.0.2c",
"0.9.3-dev",
"0.9.3-beta1",
"0.9.3-beta2",
"0.9.3",
"0.9.3a",
"0.9.4",
"1.2.3z"};
"0.9.3-dev",
"0.9.3-beta1",
"0.9.3-beta2",
"0.9.3",
"0.9.3a",
"0.9.4",
"1.2.3z"};
assertEquals(constants.length, versions.length);
for (int i = 0; i < constants.length; i++) {
assertEquals(versions[i], OpenSSLAnalyzer.getOpenSSLVersion(constants[i]));

2
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java
View File

@@ -33,7 +33,7 @@ import static org.junit.Assert.assertTrue;
/**
* Unit tests for PythonDistributionAnalyzer.
*
* @author Dale Visser <dvisser@ida.org>
* @author Dale Visser
*/
public class PythonDistributionAnalyzerTest extends BaseTest {

2
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java
View File

@@ -33,7 +33,7 @@ import static org.junit.Assert.assertTrue;
/**
* Unit tests for PythonPackageAnalyzer.
*
* @author Dale Visser <dvisser@ida.org>
* @author Dale Visser
*/
public class PythonPackageAnalyzerTest extends BaseTest {

71
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java
View File

@@ -17,6 +17,12 @@
*/
package org.owasp.dependencycheck.analyzer;
import static org.hamcrest.CoreMatchers.is;
import static org.junit.Assert.assertThat;
import static org.junit.Assert.assertTrue;
import java.io.File;
import org.junit.After;
import org.junit.Assume;
import org.junit.Before;
@@ -26,19 +32,14 @@ import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.File;
import static org.hamcrest.CoreMatchers.is;
import static org.hamcrest.CoreMatchers.not;
import static org.junit.Assert.assertThat;
/**
* Unit tests for {@link RubyBundleAuditAnalyzer}.
*
* @author Dale Visser <dvisser@ida.org>
* @author Dale Visser
*/
public class RubyBundleAuditAnalyzerTest extends BaseTest {
@@ -56,14 +57,9 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
*/
@Before
public void setUp() throws Exception {
try {
analyzer = new RubyBundleAuditAnalyzer();
analyzer.setFilesMatched(true);
analyzer.initialize();
} catch (Exception e) {
//LOGGER.warn("Exception setting up RubyBundleAuditAnalyzer. Tests will be incomplete", e);
Assume.assumeNoException("Exception setting up RubyBundleAuditAnalyzer; bundle audit may not be installed. Tests will be incomplete", e);
}
Settings.initialize();
analyzer = new RubyBundleAuditAnalyzer();
analyzer.setFilesMatched(true);
}
/**
@@ -73,6 +69,7 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
*/
@After
public void tearDown() throws Exception {
Settings.cleanup();
analyzer.close();
analyzer = null;
}
@@ -100,10 +97,44 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
*/
@Test
public void testAnalysis() throws AnalysisException, DatabaseException {
final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
"ruby/vulnerable/Gemfile.lock"));
final Engine engine = new Engine();
analyzer.analyze(result, engine);
assertThat(engine.getDependencies().size(), is(not(0)));
try {
analyzer.initialize();
final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
"ruby/vulnerable/gems/rails-4.1.15/Gemfile.lock"));
final Engine engine = new Engine();
analyzer.analyze(result, engine);
int size = engine.getDependencies().size();
assertThat(size, is(1));
Dependency dependency = engine.getDependencies().get(0);
assertTrue(dependency.getProductEvidence().toString().toLowerCase().contains("redcarpet"));
assertTrue(dependency.getVersionEvidence().toString().toLowerCase().contains("2.2.2"));
} catch (Exception e) {
LOGGER.warn("Exception setting up RubyBundleAuditAnalyzer. Make sure Ruby gem bundle-audit is installed. You may also need to set property \"analyzer.bundle.audit.path\".", e);
Assume.assumeNoException("Exception setting up RubyBundleAuditAnalyzer; bundle audit may not be installed, or property \"analyzer.bundle.audit.path\" may not be set.", e);
}
}
/**
* Test when Ruby bundle-audit is not available on the system.
*
* @throws AnalysisException is thrown when an exception occurs.
*/
@Test
public void testMissingBundleAudit() throws AnalysisException, DatabaseException {
//set a non-exist bundle-audit
Settings.setString(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, "phantom-bundle-audit");
try {
//initialize should fail.
analyzer.initialize();
} catch (Exception e) {
//expected, so ignore.
}
finally {
assertThat(analyzer.isEnabled(), is(false));
LOGGER.info("phantom-bundle-audit is not available. Ruby Bundle Audit Analyzer is disabled as expected.");
}
}
}

2
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java
View File

@@ -33,7 +33,7 @@ import static org.junit.Assert.*;
/**
* Unit tests for {@link RubyGemspecAnalyzer}.
*
* @author Dale Visser <dvisser@ida.org>
* @author Dale Visser
*/
public class RubyGemspecAnalyzerTest extends BaseTest {

2
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/EngineVersionCheckTest.java
View File

@@ -124,7 +124,7 @@ public class EngineVersionCheckTest extends BaseTest {
updateToVersion = "";
currentVersion = "1.2.5";
lastChecked = df.parse("2014-12-01").getTime();
now = df.parse("2014-12-08").getTime();
now = df.parse("2015-12-08").getTime();
expResult = true;
instance.setUpdateToVersion(updateToVersion);
result = instance.shouldUpdate(lastChecked, now, properties, currentVersion);

39
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/DownloadTaskTest.java
View File

@@ -17,47 +17,30 @@
*/
package org.owasp.dependencycheck.data.update.nvd;
import org.owasp.dependencycheck.data.update.nvd.ProcessTask;
import org.owasp.dependencycheck.data.update.nvd.DownloadTask;
import java.io.File;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Future;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.update.nvd.NvdCveInfo;
import org.owasp.dependencycheck.utils.Settings;
/**
*
* @author Jeremy Long
*/
public class DownloadTaskTest {
public class DownloadTaskTest extends BaseTest {
public DownloadTaskTest() {
}
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
@Before
public void setUp() {
Settings.initialize();
}
@After
public void tearDown() {
Settings.cleanup();
}
/**
* Test of call method, of class DownloadTask.
*/
@@ -74,4 +57,16 @@ public class DownloadTaskTest {
Future<ProcessTask> result = instance.call();
assertNull(result);
}
/**
* Test of isXml(file).
*/
@Test
public void testIsXML() {
File f = getResourceAsFile(this, "nvdcve-modified.xml");
assertTrue(DownloadTask.isXml(f));
f = getResourceAsFile(this, "file.tar.gz");
assertFalse(DownloadTask.isXml(f));
}
}

2
dependency-check-core/src/test/resources/dependencycheck.properties
View File

@@ -100,3 +100,5 @@ analyzer.nexus.enabled=false
#whether the nexus analyzer uses the proxy
analyzer.nexus.proxy=true
#Use your own bundle-audit install directory.
#analyzer.bundle.audit.path=/usr/local/bin/bundle-audit

102
dependency-check-core/src/test/resources/ruby/vulnerable/gems/rails-4.1.15/Gemfile Executable file
View File

@@ -0,0 +1,102 @@
source 'https://rubygems.org'
gemspec
# This needs to be with require false as it is
# loaded after loading the test library to
# ensure correct loading order
gem 'mocha', '~> 0.14', require: false
gem 'rack-cache', '~> 1.2'
gem 'jquery-rails', '~> 3.1.0'
gem 'turbolinks'
gem 'coffee-rails', '~> 4.0.0'
gem 'sprockets', '~> 3.0.0.rc.1'
# require: false so bcrypt is loaded only when has_secure_password is used.
# This is to avoid ActiveModel (and by extension the entire framework)
# being dependent on a binary library.
gem 'bcrypt', '~> 3.1.7', require: false
# This needs to be with require false to avoid
# it being automatically loaded by sprockets
gem 'uglifier', '>= 1.3.0', require: false
group :doc do
gem 'sdoc', '~> 0.4.0'
gem 'redcarpet', '~> 2.2.2', platforms: :ruby
gem 'w3c_validators'
gem 'kindlerb', '0.1.1'
gem 'mustache', '~> 0.99.8'
end
# AS
gem 'dalli', '>= 2.2.1'
# Add your own local bundler stuff
local_gemfile = File.dirname(__FILE__) + "/.Gemfile"
instance_eval File.read local_gemfile if File.exist? local_gemfile
group :test do
# FIX: Our test suite isn't ready to run in random order yet
gem 'minitest', '< 5.3.4'
platforms :mri_19 do
gem 'ruby-prof', '~> 0.11.2'
end
# platforms :mri_19, :mri_20 do
# gem 'debugger'
# end
platforms :mri do
gem 'stackprof'
end
gem 'benchmark-ips'
end
platforms :ruby do
gem 'nokogiri', '>= 1.4.5'
# Needed for compiling the ActionDispatch::Journey parser
gem 'racc', '>=1.4.6', require: false
# AR
gem 'sqlite3', '~> 1.3.6'
group :db do
gem 'pg', '>= 0.11.0'
gem 'mysql', '>= 2.9.0'
gem 'mysql2', '>= 0.3.13', '< 0.4'
end
end
platforms :jruby do
gem 'json'
if ENV['AR_JDBC']
gem 'activerecord-jdbcsqlite3-adapter', github: 'jruby/activerecord-jdbc-adapter', branch: 'master'
group :db do
gem 'activerecord-jdbcmysql-adapter', github: 'jruby/activerecord-jdbc-adapter', branch: 'master'
gem 'activerecord-jdbcpostgresql-adapter', github: 'jruby/activerecord-jdbc-adapter', branch: 'master'
end
else
gem 'activerecord-jdbcsqlite3-adapter', '>= 1.3.0'
group :db do
gem 'activerecord-jdbcmysql-adapter', '>= 1.3.0'
gem 'activerecord-jdbcpostgresql-adapter', '>= 1.3.0'
end
end
end
# gems that are necessary for ActiveRecord tests with Oracle database
if ENV['ORACLE_ENHANCED']
platforms :ruby do
gem 'ruby-oci8', '>= 2.0.4'
end
gem 'activerecord-oracle_enhanced-adapter', github: 'rsim/oracle-enhanced', branch: 'master'
end
# A gem necessary for ActiveRecord tests with IBM DB
gem 'ibm_db' if ENV['IBM_DB']

154
dependency-check-core/src/test/resources/ruby/vulnerable/gems/rails-4.1.15/Gemfile.lock Executable file
View File

@@ -0,0 +1,154 @@
PATH
remote: .
specs:
actionmailer (4.1.15)
actionpack (= 4.1.15)
actionview (= 4.1.15)
mail (~> 2.5, >= 2.5.4)
actionpack (4.1.15)
actionview (= 4.1.15)
activesupport (= 4.1.15)
rack (~> 1.5.2)
rack-test (~> 0.6.2)
actionview (4.1.15)
activesupport (= 4.1.15)
builder (~> 3.1)
erubis (~> 2.7.0)
activemodel (4.1.15)
activesupport (= 4.1.15)
builder (~> 3.1)
activerecord (4.1.15)
activemodel (= 4.1.15)
activesupport (= 4.1.15)
arel (~> 5.0.0)
activesupport (4.1.15)
i18n (~> 0.6, >= 0.6.9)
json (~> 1.7, >= 1.7.7)
minitest (~> 5.1)
thread_safe (~> 0.1)
tzinfo (~> 1.1)
rails (4.1.15)
actionmailer (= 4.1.15)
actionpack (= 4.1.15)
actionview (= 4.1.15)
activemodel (= 4.1.15)
activerecord (= 4.1.15)
activesupport (= 4.1.15)
bundler (>= 1.3.0, < 2.0)
railties (= 4.1.15)
sprockets-rails (~> 2.0)
railties (4.1.15)
actionpack (= 4.1.15)
activesupport (= 4.1.15)
rake (>= 0.8.7)
thor (>= 0.18.1, < 2.0)
GEM
remote: https://rubygems.org/
specs:
arel (5.0.1.20140414130214)
bcrypt (3.1.10)
benchmark-ips (2.3.0)
builder (3.2.2)
coffee-rails (4.0.1)
coffee-script (>= 2.2.0)
railties (>= 4.0.0, < 5.0)
coffee-script (2.4.1)
coffee-script-source
execjs
coffee-script-source (1.10.0)
dalli (2.7.5)
erubis (2.7.0)
execjs (2.6.0)
i18n (0.7.0)
jquery-rails (3.1.4)
railties (>= 3.0, < 5.0)
thor (>= 0.14, < 2.0)
json (1.8.3)
kindlerb (0.1.1)
mustache
nokogiri
mail (2.6.3)
mime-types (>= 1.16, < 3)
metaclass (0.0.4)
mime-types (2.99.1)
mini_portile2 (2.0.0)
minitest (5.3.3)
mocha (0.14.0)
metaclass (~> 0.0.1)
mustache (0.99.8)
mysql (2.9.1)
mysql2 (0.3.20)
nokogiri (1.6.7.2)
mini_portile2 (~> 2.0.0.rc2)
pg (0.18.4)
racc (1.4.14)
rack (1.5.5)
rack-cache (1.5.1)
rack (>= 0.4)
rack-test (0.6.3)
rack (>= 1.0)
rake (10.5.0)
rdoc (4.2.1)
redcarpet (2.2.2)
ruby-prof (0.11.3)
sdoc (0.4.1)
json (~> 1.7, >= 1.7.7)
rdoc (~> 4.0)
sprockets (3.0.3)
rack (~> 1.0)
sprockets-rails (2.3.3)
actionpack (>= 3.0)
activesupport (>= 3.0)
sprockets (>= 2.8, < 4.0)
sqlite3 (1.3.11)
stackprof (0.2.8)
thor (0.19.1)
thread_safe (0.3.5)
turbolinks (2.5.3)
coffee-rails
tzinfo (1.2.2)
thread_safe (~> 0.1)
uglifier (2.7.2)
execjs (>= 0.3.0)
json (>= 1.8.0)
w3c_validators (1.2)
json
nokogiri
PLATFORMS
ruby
DEPENDENCIES
activerecord-jdbcmysql-adapter (>= 1.3.0)
activerecord-jdbcpostgresql-adapter (>= 1.3.0)
activerecord-jdbcsqlite3-adapter (>= 1.3.0)
bcrypt (~> 3.1.7)
benchmark-ips
coffee-rails (~> 4.0.0)
dalli (>= 2.2.1)
jquery-rails (~> 3.1.0)
json
kindlerb (= 0.1.1)
minitest (< 5.3.4)
mocha (~> 0.14)
mustache (~> 0.99.8)
mysql (>= 2.9.0)
mysql2 (>= 0.3.13, < 0.4)
nokogiri (>= 1.4.5)
pg (>= 0.11.0)
racc (>= 1.4.6)
rack-cache (~> 1.2)
rails!
redcarpet (~> 2.2.2)
ruby-prof (~> 0.11.2)
sdoc (~> 0.4.0)
sprockets (~> 3.0.0.rc.1)
sqlite3 (~> 1.3.6)
stackprof
turbolinks
uglifier (>= 1.3.0)
w3c_validators
BUNDLED WITH
1.11.2

8
dependency-check-maven/pom.xml
View File

@@ -20,12 +20,11 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.3.2</version>
<version>1.3.6</version>
</parent>
<artifactId>dependency-check-maven</artifactId>
<packaging>maven-plugin</packaging>
<name>Dependency-Check Maven Plugin</name>
<description>dependency-check-maven is a Maven Plugin that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the project's dependencies. The plugin will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.</description>
<inceptionYear>2013</inceptionYear>
@@ -88,6 +87,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<configuration>
<argLine>-Dfile.encoding=UTF-8</argLine>
<systemProperties>
<property>
<name>data.directory</name>
@@ -204,6 +204,10 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<groupId>org.apache.maven.reporting</groupId>
<artifactId>maven-reporting-api</artifactId>
</dependency>
<dependency>
<groupId>org.sonatype.plexus</groupId>
<artifactId>plexus-sec-dispatcher</artifactId>
</dependency>
<dependency>
<groupId>org.jmockit</groupId>
<artifactId>jmockit</artifactId>

36
dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java
View File

@@ -48,7 +48,7 @@ import org.owasp.dependencycheck.utils.Settings;
name = "aggregate",
defaultPhase = LifecyclePhase.VERIFY,
/*aggregator = true,*/
threadSafe = true,
threadSafe = false,
requiresDependencyResolution = ResolutionScope.COMPILE_PLUS_RUNTIME,
requiresOnline = true
)
@@ -64,12 +64,13 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
public void runCheck() throws MojoExecutionException, MojoFailureException {
final Engine engine = generateDataFile();
if (getProject() == getReactorProjects().get(getReactorProjects().size() - 1)) {
//if (getProject() == getReactorProjects().get(getReactorProjects().size() - 1)) {
if (getProject() == getLastProject()) {
//ensure that the .ser file was created for each.
for (MavenProject current : getReactorProjects()) {
final File dataFile = getDataFile(current);
if (dataFile == null) { //dc was never run on this project. write the ser to the target.
if (dataFile == null && !skipProject(current)) { //dc was never run on this project. write the ser to the target.
getLog().error(String.format("Module '%s' did not execute dependency-check; an attempt will be made to perform "
+ "the check but dependencies may be missed resulting in false negatives.", current.getName()));
generateDataFile(engine, current);
@@ -107,7 +108,7 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
getLog().debug(String.format("Dependency count post-bundler: %s", engine.getDependencies().size()));
}
} catch (AnalysisException ex) {
getLog().warn("An error occured grouping the dependencies; duplicate entries may exist in the report", ex);
getLog().warn("An error occurred grouping the dependencies; duplicate entries may exist in the report", ex);
getLog().debug("Bundling Exception", ex);
}
@@ -124,6 +125,33 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
Settings.cleanup();
}
/**
* Gets the last project in the reactor - taking into account skipped projects.
*
* @return the last project in the reactor
*/
private MavenProject getLastProject() {
for (int x = getReactorProjects().size() - 1; x >= 0; x--) {
final MavenProject p = getReactorProjects().get(x);
if (!skipProject(p)) {
return p;
}
}
return null;
}
/**
* Tests if the project is being skipped in the Maven site report.
*
* @param project a project in the reactor
* @return true if the project is skipped; otherwise false
*/
private boolean skipProject(MavenProject project) {
final String skip = (String) project.getProperties().get("maven.site.skip");
return "true".equalsIgnoreCase(skip) && isGeneratingSite();
}
/**
* Returns a set containing all the descendant projects of the given project.
*

105
dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
View File

@@ -24,7 +24,6 @@ import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.List;
import java.util.Locale;
@@ -33,11 +32,13 @@ import org.apache.maven.doxia.sink.Sink;
import org.apache.maven.plugin.AbstractMojo;
import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugin.MojoFailureException;
import org.apache.maven.plugins.annotations.Component;
import org.apache.maven.plugins.annotations.Parameter;
import org.apache.maven.project.MavenProject;
import org.apache.maven.reporting.MavenReport;
import org.apache.maven.reporting.MavenReportException;
import org.apache.maven.settings.Proxy;
import org.apache.maven.settings.Server;
import org.owasp.dependencycheck.data.nexus.MavenArtifact;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
@@ -47,7 +48,11 @@ import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Identifier;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.reporting.ReportGenerator;
import org.owasp.dependencycheck.utils.ExpectedOjectInputStream;
import org.owasp.dependencycheck.utils.Settings;
import org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher;
import org.sonatype.plexus.components.sec.dispatcher.SecDispatcher;
import org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException;
/**
*
@@ -105,7 +110,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
* is true.
*/
@SuppressWarnings("CanBeFinal")
@Parameter(property = "autoupdate")
@Parameter(property = "autoUpdate")
private Boolean autoUpdate;
/**
* Generate aggregate reports in multi-module projects.
@@ -262,6 +267,21 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
*/
@Parameter(property = "databaseDriverPath", defaultValue = "", required = false)
private String databaseDriverPath;
/**
* The server id in the settings.xml; used to retrieve encrypted passwords from the settings.xml.
*/
@Parameter(property = "serverId", defaultValue = "", required = false)
private String serverId;
/**
* A reference to the settings.xml settings.
*/
@Parameter(defaultValue = "${settings}", readonly = true, required = true)
private org.apache.maven.settings.Settings settingsXml;
/**
* The security dispatcher that can decrypt passwords in the settings.xml.
*/
@Component(role = SecDispatcher.class, hint = "default")
private SecDispatcher securityDispatcher;
/**
* The database user name.
*/
@@ -367,6 +387,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
*/
@Override
public void execute() throws MojoExecutionException, MojoFailureException {
generatingSite = false;
if (skip) {
getLog().info("Skipping " + getName(Locale.US));
} else {
@@ -404,6 +425,20 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
generate((Sink) sink, locale);
}
/**
* A flag indicating whether or not the maven site is being generated.
*/
private boolean generatingSite = false;
/**
* Returns true if the Maven site is being generated.
*
* @return true if the Maven site is being generated
*/
protected boolean isGeneratingSite() {
return generatingSite;
}
/**
* Generates the Dependency-Check Site Report.
*
@@ -412,6 +447,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
* @throws MavenReportException if a maven report exception occurs
*/
public void generate(Sink sink, Locale locale) throws MavenReportException {
generatingSite = true;
try {
validateAggregate();
} catch (MojoExecutionException ex) {
@@ -647,6 +683,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
final String password = proxy.getPassword();
Settings.setStringIfNotNull(Settings.KEYS.PROXY_USERNAME, userName);
Settings.setStringIfNotNull(Settings.KEYS.PROXY_PASSWORD, password);
Settings.setStringIfNotNull(Settings.KEYS.PROXY_NON_PROXY_HOSTS, proxy.getNonProxyHosts());
}
Settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
@@ -677,9 +714,49 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
Settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
if (databaseUser == null && databasePassword == null && serverId != null) {
final Server server = settingsXml.getServer(serverId);
if (server != null) {
databaseUser = server.getUsername();
try {
//The following fix was copied from:
// https://github.com/bsorrentino/maven-confluence-plugin/blob/master/maven-confluence-reporting-plugin/src/main/java/org/bsc/maven/confluence/plugin/AbstractBaseConfluenceMojo.java
//
// FIX to resolve
// org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException:
// java.io.FileNotFoundException: ~/.settings-security.xml (No such file or directory)
//
if (securityDispatcher instanceof DefaultSecDispatcher) {
((DefaultSecDispatcher) securityDispatcher).setConfigurationFile("~/.m2/settings-security.xml");
}
databasePassword = securityDispatcher.decrypt(server.getPassword());
} catch (SecDispatcherException ex) {
if (ex.getCause() instanceof FileNotFoundException
|| (ex.getCause() != null && ex.getCause().getCause() instanceof FileNotFoundException)) {
//maybe its not encrypted?
final String tmp = server.getPassword();
if (tmp.startsWith("{") && tmp.endsWith("}")) {
getLog().error(String.format(
"Unable to decrypt the server password for server id '%s' in settings.xml%n\tCause: %s",
serverId, ex.getMessage()));
} else {
databasePassword = tmp;
}
} else {
getLog().error(String.format(
"Unable to decrypt the server password for server id '%s' in settings.xml%n\tCause: %s",
serverId, ex.getMessage()));
}
}
} else {
getLog().error(String.format("Server '%s' not found in the settings.xml file", serverId));
}
}
Settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
Settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
Settings.setStringIfNotEmpty(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
@@ -974,9 +1051,27 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
}
List<Dependency> ret = null;
final String path = (String) oPath;
ObjectInputStream ois = null;
//ObjectInputStream ois = null;
ExpectedOjectInputStream ois = null;
try {
ois = new ObjectInputStream(new FileInputStream(path));
//ois = new ObjectInputStream(new FileInputStream(path));
ois = new ExpectedOjectInputStream(new FileInputStream(path),
"java.util.ArrayList",
"java.util.HashSet",
"java.util.TreeSet",
"java.lang.AbstractSet",
"java.lang.AbstractCollection",
"java.lang.Enum",
"org.owasp.dependencycheck.dependency.Confidence",
"org.owasp.dependencycheck.dependency.Dependency",
"org.owasp.dependencycheck.dependency.Evidence",
"org.owasp.dependencycheck.dependency.EvidenceCollection",
"org.owasp.dependencycheck.dependency.Identifier",
"org.owasp.dependencycheck.dependency.Reference",
"org.owasp.dependencycheck.dependency.Vulnerability",
"org.owasp.dependencycheck.dependency.VulnerabilityComparator",
"org.owasp.dependencycheck.dependency.VulnerableSoftware",
"org.owasp.dependencycheck.data.cpe.IndexEntry");
ret = (List<Dependency>) ois.readObject();
} catch (FileNotFoundException ex) {
//TODO fix logging

2
dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java
View File

@@ -36,7 +36,7 @@ import org.owasp.dependencycheck.utils.Settings;
@Mojo(
name = "check",
defaultPhase = LifecyclePhase.VERIFY,
threadSafe = true,
threadSafe = false,
requiresDependencyResolution = ResolutionScope.COMPILE_PLUS_RUNTIME,
requiresOnline = true
)

2
dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/PurgeMojo.java
View File

@@ -35,7 +35,7 @@ import org.owasp.dependencycheck.utils.Settings;
@Mojo(
name = "purge",
defaultPhase = LifecyclePhase.GENERATE_RESOURCES,
threadSafe = true,
threadSafe = false,
requiresDependencyResolution = ResolutionScope.NONE,
requiresOnline = true
)

2
dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/UpdateMojo.java
View File

@@ -34,7 +34,7 @@ import org.owasp.dependencycheck.utils.Settings;
@Mojo(
name = "update-only",
defaultPhase = LifecyclePhase.GENERATE_RESOURCES,
threadSafe = true,
threadSafe = false,
requiresDependencyResolution = ResolutionScope.NONE,
requiresOnline = true
)

4
dependency-check-maven/src/main/java/org/slf4j/impl/StaticLoggerBinder.java
View File

@@ -23,8 +23,8 @@ import org.slf4j.ILoggerFactory;
import org.slf4j.spi.LoggerFactoryBinder;
/**
* The binding of {@link org.slf4j.LoggerFactory} class with an actual instance of {@link ILoggerFactory} is performed using
* information returned by this class.
* The binding of org.slf4j.LoggerFactory class with an actual instance of org.slf4j.ILoggerFactory is performed using information
* returned by this class.
*
* @author colezlaw
*/

2
dependency-check-maven/src/main/resources/mojo.properties
View File

@@ -1,2 +1,2 @@
# the path to the data directory
data.directory=[JAR]/../../dependency-check-data
data.directory=[JAR]/../../dependency-check-data/3.0

3
dependency-check-maven/src/site/markdown/configuration.md
View File

@@ -3,7 +3,7 @@ Goals
Goal | Description
------------|-----------------------
aggregate | Runs dependency-check against the child projects and aggregates the results into a single report.
aggregate | Runs dependency-check against the child projects and aggregates the results into a single report. **Warning**: if the aggregate goal is used within the site reporting a blank report will likely be present for any goal beyond site:site (i.e. site:stage or site:deploy will likely result in blank reports being staged or deployed); however, site:site will work. See issue [#325](https://github.com/jeremylong/DependencyCheck/issues/325) for more information.
check | Runs dependency-check against the project and generates a report.
update-only | Updates the local cache of the NVD data from NIST.
purge | Deletes the local copy of the NVD. This is used to force a refresh of the data.
@@ -71,6 +71,7 @@ dataDirectory | Sets the data directory to hold SQL CVEs contents. This s
databaseDriverName | The name of the database driver. Example: org.h2.Driver. | &nbsp;
databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | &nbsp;
connectionString | The connection string used to connect to the database. | &nbsp;
serverId | The id of a server defined in the settings.xml; this can be used to encrypt the database password. See [password encryption](http://maven.apache.org/guides/mini/guide-encryption.html) for more information. | &nbsp;
databaseUser | The username used when connecting to the database. | &nbsp;
databasePassword | The password used when connecting to the database. | &nbsp;
metaFileName | Sets the name of the file to use for storing the metadata about the project. | dependency-check.ser

4
dependency-check-maven/src/site/markdown/index.md.vm
View File

@@ -156,8 +156,8 @@ Create the DependencyCheck-report.html and use internal mirroring of CVE content
<artifactId>dependency-check-maven</artifactId>
<version>${project.version}</version>
<configuration>
<cveUrl12Modified>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-modified.xml</cveUrl12Modified>
<cveUrl20Modified>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-2.0-modified.xml</cveUrl20Modified>
<cveUrl12Modified>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-Modified.xml.gz</cveUrl12Modified>
<cveUrl20Modified>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-2.0-Modified.xml.gz</cveUrl20Modified>
<cveUrl12Base>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-%d.xml</cveUrl12Base>
<cveUrl20Base>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-2.0-%d.xml</cveUrl20Base>
</configuration>

7
dependency-check-utils/pom.xml
View File

@@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.3.2</version>
<version>1.3.6</version>
</parent>
<artifactId>dependency-check-utils</artifactId>
@@ -77,6 +77,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<configuration>
<argLine>-Dfile.encoding=UTF-8</argLine>
<systemProperties>
<property>
<name>data.directory</name>
@@ -139,6 +140,10 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>

14
dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java
View File

@@ -33,8 +33,6 @@ import java.util.zip.GZIPInputStream;
import java.util.zip.InflaterInputStream;
import static java.lang.String.format;
import static org.owasp.dependencycheck.utils.Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP;
import static org.owasp.dependencycheck.utils.Settings.getBoolean;
/**
* A utility to download files from the Internet.
@@ -243,6 +241,16 @@ public final class Downloader {
throw new DownloadFailedException(format("Error creating URL Connection for HTTP %s request.", httpMethod), ex);
} catch (IOException ex) {
analyzeException(ex);
try {
//retry
if (!Settings.getBoolean(Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP)) {
Settings.setBoolean(Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP, true);
return getLastModified(url);
}
} catch (InvalidSettingException ex1) {
LOGGER.debug("invalid setting?", ex);
}
throw new DownloadFailedException(format("Error making HTTP %s request.", httpMethod), ex);
} finally {
if (conn != null) {
@@ -300,7 +308,7 @@ public final class Downloader {
boolean quickQuery;
try {
quickQuery = getBoolean(DOWNLOADER_QUICK_QUERY_TIMESTAMP, true);
quickQuery = Settings.getBoolean(Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP, true);
} catch (InvalidSettingException e) {
quickQuery = true;
}

70
dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/ExpectedOjectInputStream.java Normal file
View File

@@ -0,0 +1,70 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2016 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.utils;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
/**
* An ObjectInputStream that will only deserialize expected classes.
*
* @author Jeremy Long
*/
public class ExpectedOjectInputStream extends ObjectInputStream {
/**
* The list of fully qualified class names that are able to be deserialized.
*/
private List<String> expected = new ArrayList<String>();
/**
* Constructs a new ExpectedOjectInputStream that can be used to securely deserialize an object by restricting the classes
* that can deserialized to a known set of expected classes.
*
* @param inputStream the input stream that contains the object to deserialize
* @param expected the fully qualified class names of the classes that can be deserialized
* @throws IOException thrown if there is an error reading from the stream
*/
public ExpectedOjectInputStream(InputStream inputStream, String... expected) throws IOException {
super(inputStream);
this.expected.addAll(Arrays.asList(expected));
}
/**
* Only deserialize instances of expected classes by validating the class name prior to deserialization.
*
* @param desc the class from the object stream to validate
* @return the resolved class
* @throws java.io.IOException thrown if the class being read is not one of the expected classes or if there is an error
* reading from the stream
* @throws java.lang.ClassNotFoundException thrown if there is an error finding the class to deserialize
*/
@Override
protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
if (!this.expected.contains(desc.getName())) {
throw new InvalidClassException("Unexpected deserialization ", desc.getName());
}
return super.resolveClass(desc);
}
}

18
dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
View File

@@ -165,6 +165,10 @@ public final class Settings {
* The properties key for the proxy password.
*/
public static final String PROXY_PASSWORD = "proxy.password";
/**
* The properties key for the non proxy hosts.
*/
public static final String PROXY_NON_PROXY_HOSTS = "proxy.nonproxyhosts";
/**
* The properties key for the connection timeout.
*/
@@ -523,8 +527,8 @@ public final class Settings {
/**
* Merges a new properties file into the current properties. This method allows for the loading of a user provided properties
* file.<br/><br/>
* Note: even if using this method - system properties will be loaded before properties loaded from files.
* file.<br><br>
* <b>Note</b>: even if using this method - system properties will be loaded before properties loaded from files.
*
* @param filePath the path to the properties file to merge.
* @throws FileNotFoundException is thrown when the filePath points to a non-existent file
@@ -548,7 +552,7 @@ public final class Settings {
/**
* Merges a new properties file into the current properties. This method allows for the loading of a user provided properties
* file.<br/><br/>
* file.<br><br>
* Note: even if using this method - system properties will be loaded before properties loaded from files.
*
* @param filePath the path to the properties file to merge.
@@ -573,8 +577,8 @@ public final class Settings {
/**
* Merges a new properties file into the current properties. This method allows for the loading of a user provided properties
* file.<br/><br/>
* Note: even if using this method - system properties will be loaded before properties loaded from files.
* file.<br><br>
* <b>Note</b>: even if using this method - system properties will be loaded before properties loaded from files.
*
* @param stream an Input Stream pointing at a properties file to merge
* @throws IOException is thrown when there is an exception loading/merging the properties
@@ -739,7 +743,9 @@ public final class Settings {
try {
value = Integer.parseInt(Settings.getString(key));
} catch (NumberFormatException ex) {
LOGGER.trace("Could not convert property '{}' to an int.", key, ex);
if (!Settings.getString(key, "").isEmpty()) {
LOGGER.debug("Could not convert property '{}={}' to an int; using {} instead.", key, Settings.getString(key), defaultValue);
}
value = defaultValue;
}
return value;

47
dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java
View File

@@ -18,6 +18,8 @@
package org.owasp.dependencycheck.utils;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import org.apache.commons.lang3.StringUtils;
import java.io.IOException;
import java.net.Authenticator;
import java.net.HttpURLConnection;
@@ -53,13 +55,15 @@ public final class URLConnectionFactory {
public static HttpURLConnection createHttpURLConnection(URL url) throws URLConnectionFailureException {
HttpURLConnection conn = null;
final String proxyUrl = Settings.getString(Settings.KEYS.PROXY_SERVER);
try {
if (proxyUrl != null) {
if (proxyUrl != null && !matchNonProxy(url)) {
final int proxyPort = Settings.getInt(Settings.KEYS.PROXY_PORT);
final SocketAddress address = new InetSocketAddress(proxyUrl, proxyPort);
final String username = Settings.getString(Settings.KEYS.PROXY_USERNAME);
final String password = Settings.getString(Settings.KEYS.PROXY_PASSWORD);
if (username != null && password != null) {
final Authenticator auth = new Authenticator() {
@Override
@@ -94,6 +98,47 @@ public final class URLConnectionFactory {
return conn;
}
/**
* Check if hostname matches nonProxy settings
*
* @param url the url to connect to
* @return matching result. true: match nonProxy
*/
private static boolean matchNonProxy(final URL url) {
final String host = url.getHost();
// code partially from org.apache.maven.plugins.site.AbstractDeployMojo#getProxyInfo
final String nonProxyHosts = Settings.getString(Settings.KEYS.PROXY_NON_PROXY_HOSTS);
if (null != nonProxyHosts) {
final String[] nonProxies = nonProxyHosts.split("(,)|(;)|(\\|)");
for (final String nonProxyHost : nonProxies) {
//if ( StringUtils.contains( nonProxyHost, "*" ) )
if (null != nonProxyHost && nonProxyHost.contains("*")) {
// Handle wildcard at the end, beginning or middle of the nonProxyHost
final int pos = nonProxyHost.indexOf('*');
final String nonProxyHostPrefix = nonProxyHost.substring(0, pos);
final String nonProxyHostSuffix = nonProxyHost.substring(pos + 1);
// prefix*
if (!StringUtils.isEmpty(nonProxyHostPrefix) && host.startsWith(nonProxyHostPrefix) && StringUtils.isEmpty(nonProxyHostSuffix)) {
return true;
}
// *suffix
if (StringUtils.isEmpty(nonProxyHostPrefix) && !StringUtils.isEmpty(nonProxyHostSuffix) && host.endsWith(nonProxyHostSuffix)) {
return true;
}
// prefix*suffix
if (!StringUtils.isEmpty(nonProxyHostPrefix) && host.startsWith(nonProxyHostPrefix) && !StringUtils.isEmpty(nonProxyHostSuffix)
&& host.endsWith(nonProxyHostSuffix)) {
return true;
}
} else if (host.equals(nonProxyHost)) {
return true;
}
}
}
return false;
}
/**
* Utility method to create an HttpURLConnection. The use of a proxy here is optional as there may be cases where a proxy is
* configured but we don't want to use it (for example, if there's an internal repository configured)

96
dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/ExpectedOjectInputStreamTest.java Normal file
View File

@@ -0,0 +1,96 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2016 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.utils;
import java.io.BufferedOutputStream;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.List;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
/**
*
* @author jeremy
*/
public class ExpectedOjectInputStreamTest {
public ExpectedOjectInputStreamTest() {
}
@BeforeClass
public static void setUpClass() {
}
@AfterClass
public static void tearDownClass() {
}
@Before
public void setUp() {
}
@After
public void tearDown() {
}
/**
* Test of resolveClass method, of class ExpectedOjectInputStream.
*/
@Test
public void testResolveClass() throws Exception {
List<SimplePojo> data = new ArrayList<SimplePojo>();
data.add(new SimplePojo());
ByteArrayOutputStream mem = new ByteArrayOutputStream();
ObjectOutputStream out = new ObjectOutputStream(new BufferedOutputStream(mem));
out.writeObject(data);
out.flush();
byte[] buf = mem.toByteArray();
out.close();
ByteArrayInputStream in = new ByteArrayInputStream(buf);
ExpectedOjectInputStream instance = new ExpectedOjectInputStream(in, "java.util.ArrayList", "org.owasp.dependencycheck.utils.SimplePojo", "java.lang.Integer", "java.lang.Number");
instance.readObject();
}
/**
* Test of resolveClass method, of class ExpectedOjectInputStream.
*/
@Test(expected = java.io.InvalidClassException.class)
public void testResolveClassException() throws Exception {
List<SimplePojo> data = new ArrayList<SimplePojo>();
data.add(new SimplePojo());
ByteArrayOutputStream mem = new ByteArrayOutputStream();
ObjectOutputStream out = new ObjectOutputStream(new BufferedOutputStream(mem));
out.writeObject(data);
out.flush();
byte[] buf = mem.toByteArray();
out.close();
ByteArrayInputStream in = new ByteArrayInputStream(buf);
ExpectedOjectInputStream instance = new ExpectedOjectInputStream(in, "java.util.ArrayList", "org.owasp.dependencycheck.utils.SimplePojo");
instance.readObject();
}
}

12
dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/SettingsTest.java
View File

@@ -139,6 +139,18 @@ public class SettingsTest extends BaseTest {
Assert.assertEquals(expResult, result);
}
/**
* Test of getInt method, of class Settings.
*/
@Test
public void testGetIntDefault() throws InvalidSettingException {
String key = "SomeKey";
int expResult = 85;
Settings.setString(key, "blue");
int result = Settings.getInt(key, expResult);
Assert.assertEquals(expResult, result);
}
/**
* Test of getLong method, of class Settings.
*/

29
dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/SimplePojo.java Normal file
View File

@@ -0,0 +1,29 @@
/*
* Copyright 2016 OWASP.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.owasp.dependencycheck.utils;
import java.io.Serializable;
/**
* Simple pojo used to test the ExpectedObjectInputStream.
*
* @author jeremy
*/
public class SimplePojo implements Serializable {
public String s = "3";
public Integer i = 3;
}

55
pom.xml
View File

@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.3.2</version>
<version>1.3.6</version>
<packaging>pom</packaging>
<modules>
@@ -125,11 +125,11 @@ Copyright (c) 2012 - Jeremy Long
<!-- new versions of lucene are compiled with JDK 1.7 and cannot be used ubiquitously in Jenkins
thus, we cannot upgrade beyond 4.7.2 -->
<apache.lucene.version>4.7.2</apache.lucene.version>
<slf4j.version>1.7.13</slf4j.version>
<logback.version>1.1.3</logback.version>
<slf4j.version>1.7.21</slf4j.version>
<logback.version>1.1.7</logback.version>
<reporting.checkstyle-plugin.version>2.17</reporting.checkstyle-plugin.version>
<reporting.cobertura-plugin.version>2.7</reporting.cobertura-plugin.version>
<reporting.pmd-plugin.version>3.5</reporting.pmd-plugin.version>
<reporting.pmd-plugin.version>3.6</reporting.pmd-plugin.version>
</properties>
<distributionManagement>
<snapshotRepository>
@@ -170,12 +170,12 @@ Copyright (c) 2012 - Jeremy Long
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-clean-plugin</artifactId>
<version>2.6.1</version>
<version>3.0.0</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.3</version>
<version>3.5.1</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
@@ -195,7 +195,7 @@ Copyright (c) 2012 - Jeremy Long
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-failsafe-plugin</artifactId>
<version>2.19</version>
<version>2.19.1</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
@@ -225,12 +225,12 @@ Copyright (c) 2012 - Jeremy Long
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-site-plugin</artifactId>
<version>3.4</version>
<version>3.5</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>2.18.1</version>
<version>2.19.1</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
@@ -240,12 +240,12 @@ Copyright (c) 2012 - Jeremy Long
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-source-plugin</artifactId>
<version>2.2.1</version>
<version>2.4</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.9.1</version>
<version>2.10.3</version>
</plugin>
</plugins>
</pluginManagement>
@@ -335,7 +335,7 @@ Copyright (c) 2012 - Jeremy Long
<dependency>
<groupId>org.apache.maven.doxia</groupId>
<artifactId>doxia-module-markdown</artifactId>
<version>1.6</version>
<version>1.7</version>
</dependency>
</dependencies>
<configuration>
@@ -445,7 +445,7 @@ Copyright (c) 2012 - Jeremy Long
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>2.8.1</version>
<version>2.9</version>
<reportSets>
<reportSet>
<reports>
@@ -472,7 +472,7 @@ Copyright (c) 2012 - Jeremy Long
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>2.19</version>
<version>2.19.1</version>
<reportSets>
<reportSet>
<reports>
@@ -496,7 +496,7 @@ Copyright (c) 2012 - Jeremy Long
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>3.0.2</version>
<version>3.0.3</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
@@ -562,12 +562,13 @@ Copyright (c) 2012 - Jeremy Long
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
<version>3.4</version>
<!--upgrading beyond this may cause issues with the Jenkins plugin-->
<version>3.3.2</version>
</dependency>
<dependency>
<groupId>com.sun.mail</groupId>
<artifactId>mailapi</artifactId>
<version>1.5.4</version>
<version>1.5.5</version>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
@@ -588,7 +589,7 @@ Copyright (c) 2012 - Jeremy Long
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId>
<version>1.10</version>
<version>1.11</version>
</dependency>
<dependency>
<groupId>org.apache.ant</groupId>
@@ -635,11 +636,6 @@ Copyright (c) 2012 - Jeremy Long
<artifactId>maven-settings</artifactId>
<version>3.3.3</version>
</dependency>
<dependency>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-site-plugin</artifactId>
<version>3.4</version>
</dependency>
<dependency>
<groupId>org.apache.maven.plugin-testing</groupId>
<artifactId>maven-plugin-testing-harness</artifactId>
@@ -655,11 +651,22 @@ Copyright (c) 2012 - Jeremy Long
<artifactId>maven-reporting-api</artifactId>
<version>3.0</version>
</dependency>
<!-- Upgrading transitive commons-collections-3.2.1 from velocity-1.7. -->
<dependency>
<groupId>commons-collections</groupId>
<artifactId>commons-collections</artifactId>
<version>3.2.2</version>
</dependency>
<dependency>
<groupId>org.apache.velocity</groupId>
<artifactId>velocity</artifactId>
<version>1.7</version>
</dependency>
<dependency>
<groupId>org.sonatype.plexus</groupId>
<artifactId>plexus-sec-dispatcher</artifactId>
<version>1.4</version>
</dependency>
<dependency>
<groupId>org.glassfish</groupId>
<artifactId>javax.json</artifactId>
@@ -674,7 +681,7 @@ Copyright (c) 2012 - Jeremy Long
<dependency>
<groupId>org.jmockit</groupId>
<artifactId>jmockit</artifactId>
<version>1.20</version>
<version>1.22</version>
<scope>test</scope>
</dependency>
<dependency>

5
src/main/config/checkstyle-checks.xml
View File

@@ -28,9 +28,10 @@
<property name="allowLegacy" value="false"/>
</module>
<module name="Translation">
<!-- this causes a ton of noise due to how this is abused in core for dealing with database dialects.-->
<!--module name="Translation">
<property name="severity" value="warning"/>
</module>
</module-->
<module name="FileTabCharacter">
<property name="eachLine" value="false"/>

Some files were not shown because too many files have changed in this diff Show More