github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-14 15:53:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: github-mirrors:v1.4.4
Branches Tags
github-mirrors:master github-mirrors:feature/java-version-parse github-mirrors:cvedb-cache github-mirrors:reportGeneration github-mirrors:stevespringett-master github-mirrors:gh-pages github-mirrors:issue690_threadsafe
github-mirrors:v1.4.5 github-mirrors:v1.4.4 github-mirrors:1.4.3 github-mirrors:v1.4.2 github-mirrors:v1.4.1 github-mirrors:v1.4.0 github-mirrors:v1.3.6 github-mirrors:v1.3.5 github-mirrors:v1.3.4 github-mirrors:v1.3.3 github-mirrors:v1.3.2 github-mirrors:v1.3.1 github-mirrors:v1.3.0 github-mirrors:v1.2.11 github-mirrors:v1.2.9 github-mirrors:v1.2.8 github-mirrors:v1.2.7 github-mirrors:v1.2.6 github-mirrors:v1.2.5 github-mirrors:v1.2.4 github-mirrors:v1.2.3 github-mirrors:v1.2.2 github-mirrors:v1.2.1 github-mirrors:v1.2.0.1 github-mirrors:v1.2.0 github-mirrors:v1.1.4 github-mirrors:v1.1.3 github-mirrors:v1.1.2 github-mirrors:v1.1.1 github-mirrors:v1.1.0 github-mirrors:v1.0.8 github-mirrors:v1.0.7 github-mirrors:v1.0.6 github-mirrors:v1.0.5 github-mirrors:v1.0.4 github-mirrors:v1.0.3 github-mirrors:v1.0.2 github-mirrors:v1.0.1 github-mirrors:v0.3.2.4 github-mirrors:v0.3.2.3 github-mirrors:v0.3.2.2 github-mirrors:v0.3.2.0 github-mirrors:v0.3.1.1 github-mirrors:v0.3.1.0 github-mirrors:v0.3.0.0 github-mirrors:v0.2.6.0 github-mirrors:v0.2.5.2 github-mirrors:v0.2.5.1 github-mirrors:v0.2.5.0 github-mirrors:v0.2.4.0 github-mirrors:v0.2.3.2 github-mirrors:v0.2.3.1 github-mirrors:v0.2.3 github-mirrors:v0.2.2 github-mirrors:v0.2.1 github-mirrors:v0.2.0
...
compare: github-mirrors:v1.4.5
Branches Tags
github-mirrors:feature/java-version-parse github-mirrors:cvedb-cache github-mirrors:reportGeneration github-mirrors:master github-mirrors:stevespringett-master github-mirrors:gh-pages github-mirrors:issue690_threadsafe
github-mirrors:v1.4.5 github-mirrors:v1.4.4 github-mirrors:1.4.3 github-mirrors:v1.4.2 github-mirrors:v1.4.1 github-mirrors:v1.4.0 github-mirrors:v1.3.6 github-mirrors:v1.3.5 github-mirrors:v1.3.4 github-mirrors:v1.3.3 github-mirrors:v1.3.2 github-mirrors:v1.3.1 github-mirrors:v1.3.0 github-mirrors:v1.2.11 github-mirrors:v1.2.9 github-mirrors:v1.2.8 github-mirrors:v1.2.7 github-mirrors:v1.2.6 github-mirrors:v1.2.5 github-mirrors:v1.2.4 github-mirrors:v1.2.3 github-mirrors:v1.2.2 github-mirrors:v1.2.1 github-mirrors:v1.2.0.1 github-mirrors:v1.2.0 github-mirrors:v1.1.4 github-mirrors:v1.1.3 github-mirrors:v1.1.2 github-mirrors:v1.1.1 github-mirrors:v1.1.0 github-mirrors:v1.0.8 github-mirrors:v1.0.7 github-mirrors:v1.0.6 github-mirrors:v1.0.5 github-mirrors:v1.0.4 github-mirrors:v1.0.3 github-mirrors:v1.0.2 github-mirrors:v1.0.1 github-mirrors:v0.3.2.4 github-mirrors:v0.3.2.3 github-mirrors:v0.3.2.2 github-mirrors:v0.3.2.0 github-mirrors:v0.3.1.1 github-mirrors:v0.3.1.0 github-mirrors:v0.3.0.0 github-mirrors:v0.2.6.0 github-mirrors:v0.2.5.2 github-mirrors:v0.2.5.1 github-mirrors:v0.2.5.0 github-mirrors:v0.2.4.0 github-mirrors:v0.2.3.2 github-mirrors:v0.2.3.1 github-mirrors:v0.2.3 github-mirrors:v0.2.2 github-mirrors:v0.2.1 github-mirrors:v0.2.0

111 Commits
v1.4.4 ... v1.4.5

Author SHA1 Message Date
Jeremy Long
e246757f47 version 1.4.5 2017-01-22 17:10:42 -05:00
Jeremy Long
4172300799 added license 2017-01-22 16:11:50 -05:00
Jeremy Long
f39f754b7b reapplied fix for issue #601 2017-01-22 08:10:14 -05:00
Jeremy Long
c59615f452 patch for issue #510 and #512 2017-01-22 08:01:40 -05:00
Jeremy Long
847bed2fa0 added manifest implementation-version 2017-01-22 07:42:11 -05:00
Jeremy Long
a9af15f6f8 checkstyle/pmd suggested corrections 2017-01-21 08:47:52 -05:00
Jeremy Long
92519ae955 updated notes 2017-01-21 08:09:48 -05:00
Jeremy Long
2d90aca1f2 minor code cleanup 2017-01-21 08:05:54 -05:00
Jeremy Long
f29ed38c34 Merge pull request #644 from oosterholt/master 
Add troubling JAR file name to the exception when JAR reading errors occur
 2017-01-21 06:21:18 -05:00
Rick Oosterholt
df8d4fd77c Minor change: When JAR reading errors occur, at least add the file name 
to the exception. Without it, finding the troubling JAR is hard.
 2017-01-18 13:52:17 +01:00
Jeremy Long
baa2e2c6ff updated archetype for new analyzers to be more complete 2017-01-15 12:18:01 -05:00
Jeremy Long
9d5769bb69 Merge branch 'issue575' 2017-01-15 11:19:37 -05:00
Jeremy Long
4cdfa804ee fixed accidental commit 2017-01-14 09:43:34 -05:00
Jeremy Long
523cd23b6b filter version numbers for issue #575 2017-01-14 09:41:34 -05:00
Jeremy Long
61866e9e76 updated source version 2017-01-14 08:55:20 -05:00
Jeremy Long
ff7fbdc98d updated year to speed test case 2017-01-14 07:34:35 -05:00
Jeremy Long
b625d642ea updated documentation for #635 2017-01-14 07:31:31 -05:00
Jeremy Long
8733a85ebb patch per issue#642 2017-01-13 06:53:26 -05:00
Jeremy Long
5ab5a7b72b tuned linguist language stats 2017-01-09 20:05:37 -05:00
Jeremy Long
3cb8b9fa9e Merge branch 'hgschmie-additional_analyzers' 2017-01-08 11:52:09 -05:00
Jeremy Long
429039bf1c documentation for issue #635 2017-01-08 11:37:50 -05:00
Jeremy Long
29d28c3408 fixed PR #635 to cover other interfaces 2017-01-08 11:23:52 -05:00
Jeremy Long
372d484440 Merge branch 'additional_analyzers' of https://github.com/hgschmie/DependencyCheck into hgschmie-additional_analyzers 2017-01-08 10:33:57 -05:00
Jeremy Long
eac47800a3 added documentation for PR #636 2017-01-08 08:55:29 -05:00
Jeremy Long
86a85db12b removed for now 2017-01-08 08:54:47 -05:00
Jeremy Long
4ab6cd278c updated documentation for PR #636 2017-01-08 08:51:56 -05:00
Jeremy Long
233a068c8b Merge pull request #636 from hgschmie/fail_on_any_vuln 
adds a new flag 'failBuildOnAnyVulnerability'
 2017-01-08 08:19:24 -05:00
Jeremy Long
d9f0ffa742 Merge pull request #634 from hgschmie/enable_disable 
rework the enabled / disabled logic
 2017-01-08 08:18:12 -05:00
Jeremy Long
8d63ee19ed fix for Jenkins integration, updates to commit f47c6b0 2017-01-08 07:55:35 -05:00
Jeremy Long
1fb74e1a27 Merge pull request #639 from dejan2609/java-6-compatibility 
check code against Java 1.6 API signatures
 2017-01-07 06:40:47 -05:00
dejan2609
c94ab6108c check code against Java 1.6 API signatures 2017-01-04 16:42:07 +01:00
Jeremy Long
bf285e19ab added site for archetype 2017-01-02 21:59:09 -05:00
Jeremy Long
b1ceca73e4 added plugin archetype to site 2017-01-02 21:48:04 -05:00
Jeremy Long
f3aca63b61 version upgrades and added enforcer for java version 2017-01-02 21:47:27 -05:00
Jeremy Long
fca107d287 added site distribution 2017-01-02 21:46:15 -05:00
Jeremy Long
64b6964fff checkstyle corrections 2017-01-02 21:45:49 -05:00
Jeremy Long
6af0842838 added logging 2017-01-02 21:45:21 -05:00
Jeremy Long
4c49adf1ba reduced code duplication 2017-01-02 21:44:59 -05:00
Jeremy Long
5f4e4fab56 reduced code duplication 2017-01-02 21:43:51 -05:00
Jeremy Long
146d7e3fbf reduced code duplciation 2017-01-02 21:42:20 -05:00
Jeremy Long
4d22800747 fixed type 2017-01-02 21:40:57 -05:00
Jeremy Long
541a7f8180 removed unused code 2017-01-02 21:40:04 -05:00
Jeremy Long
f205cf79c9 Merge branch 'plugins' 2016-12-30 17:02:32 -05:00
Jeremy Long
d8bb6488b7 added archetype per #612 2016-12-30 17:01:09 -05:00
Jeremy Long
4324563c0a updated plugins path for #612 2016-12-30 16:42:37 -05:00
Jeremy Long
bad03660b1 added plugins directory per #612 2016-12-29 07:38:11 -05:00
Henning Schmiedehausen
20b1ff38f9 adds a new flag 'failBuildOnAnyVulnerability' 
In our build system, we enable checkers based on boolean
values. Currently, the only way to enable failing the build on
vulnerabilities is by providing a numeric value (0-10) for another
property. This change adds a boolean switch that will fail the build
if any vulnerability is present (we have a strict "no vulnerabilities
in our builds" policy).
 2016-12-28 17:24:26 -08:00
Henning Schmiedehausen
def78a3cfd rework the enabled / disabled logic 
If an analyzer is disabled from the configuration, it should not be
initialized (because some of the may actually fail during that process
nor should the engine log in any way that those exist.

With these changes, it is possible for me to turn off unwanted
analyzers (e.g. Ruby analyzers for a java project) from the maven
plugin and not confuse my users with spurious misleading messages.
 2016-12-28 16:39:25 -08:00
Henning Schmiedehausen
a41158a716 adds maven configuration switches for more analyzers 2016-12-28 16:38:28 -08:00
Jeremy Long
63ad13ff7a added enabled properties per issue #612 2016-12-27 08:46:04 -05:00
Jeremy Long
dd92ec675f fixed error in tests 2016-12-27 08:45:42 -05:00
Jeremy Long
6e1512f7d9 added enabled setting (#612) and added additional checks to see if the update should occur (#631) 2016-12-27 08:45:01 -05:00
Jeremy Long
287b1df3fd added enabled settings for all analyzers per #612 2016-12-26 09:11:26 -05:00
Jeremy Long
38bf9b4ddb checkstyle recommendations 2016-12-22 07:32:04 -05:00
Jeremy Long
f9d3a9d8d8 Merge pull request #614 from stefanneuhaus/issue-613-fix-version-comparison 
Fix handling of numerical versions
 2016-12-22 06:58:26 -05:00
Jeremy Long
309a5d9bcb Merge branch 'issue630' 2016-12-22 06:57:04 -05:00
Jeremy Long
60e661d3a4 updated per issue #630 2016-12-22 06:55:26 -05:00
Jeremy Long
c33257d266 addded synchronization - as this analyzer should only run synchronized 2016-12-22 06:53:35 -05:00
Jeremy Long
1dbc183567 added check for failure 2016-12-22 06:52:47 -05:00
Jeremy Long
bf258146da added test case for issue #629 and #517 2016-12-18 12:14:35 -05:00
Jeremy Long
bb927b447e updated so that the old suppression files could be processed 2016-12-18 12:12:57 -05:00
Jeremy Long
d91b4c3151 updated test case for performance of build 2016-12-18 12:12:10 -05:00
Jeremy Long
91dbb39f18 updated test for #630 2016-12-18 11:59:59 -05:00
Jeremy Long
35ae8fd660 updated test for #630 2016-12-18 11:59:30 -05:00
Jeremy Long
d854917090 changes for issue #630 2016-12-18 11:58:58 -05:00
Jeremy Long
32ebf6c8ed added phase to accomodate the fix for issue #630 2016-12-18 11:58:20 -05:00
Jeremy Long
edd4191d47 fix for #517 2016-12-16 06:29:42 -05:00
Jeremy Long
0cce49506a added validation 2016-12-10 19:58:05 -05:00
Jeremy Long
1c053469e9 fixed date format for test case 2016-12-10 19:50:09 -05:00
Jeremy Long
610e97ef7f jacks suggested change 2016-12-10 16:55:58 -05:00
Jeremy Long
5a678d2ccb removed test code 2016-12-10 16:55:38 -05:00
Jeremy Long
8db61a4d1e coverity suggested change 2016-12-10 16:42:32 -05:00
Jeremy Long
f47c6b07f4 jacks recommended change for thread safety 2016-12-05 22:41:15 -05:00
Jeremy Long
bd3af45db9 fixed code duplication 2016-12-04 16:18:01 -05:00
Jeremy Long
a271d422f6 moved similiar code to a utility function to remove code duplication 2016-12-04 11:28:53 -05:00
Jeremy Long
4dd6dedaa4 hardening the XML parser per jacks.codiscope.com 2016-12-03 17:44:49 -05:00
Jeremy Long
10ee569096 fix proposed by Jacks - synchronizing SimpleDateFormat 2016-12-03 17:43:24 -05:00
Jeremy Long
1474855305 fix proposed by Jacks - synchronizing SimpleDateFormat 2016-12-03 17:41:32 -05:00
Jeremy Long
0202bc11d4 null checking proposed by coverity 2016-12-03 17:39:57 -05:00
Stefan Neuhaus
e7072ea04c Count "0" as a positive integer 2016-12-03 22:50:20 +01:00
Jeremy Long
8f2c755f21 checkstyle correction 2016-12-03 16:23:53 -05:00
Jeremy Long
e513a79bd2 fixed issue #272 2016-12-03 15:07:33 -05:00
Jeremy Long
dd17f7393f snapshot version 2016-12-03 14:28:36 -05:00
Jeremy Long
32f38bf892 updated travis build script 2016-12-03 14:01:32 -05:00
Jeremy Long
d5c3eeaf28 Merge branch 'removeMavenEngine' 2016-12-03 13:48:03 -05:00
Jeremy Long
bfa67fcba7 fix #617 2016-12-03 13:46:25 -05:00
Jeremy Long
37a556dcc0 add integration test 2016-12-03 07:06:01 -05:00
Jeremy Long
fe61f298f0 Merge branch 'axel3rd-MavenMojosPurgeAndUpdateOnlyAggregator' 2016-12-03 06:56:01 -05:00
Jeremy Long
9786c9bf82 minor changes - planning on moving additional testing profile to an invoker test in the maven module per issue #618 2016-12-03 06:55:24 -05:00
Jeremy Long
668161081a moved the invoker plugin to a profile so that it does not execute on every build 2016-12-03 06:54:03 -05:00
Jeremy Long
4978f9dcba Merge branch 'MavenMojosPurgeAndUpdateOnlyAggregator' of https://github.com/axel3rd/DependencyCheck into axel3rd-MavenMojosPurgeAndUpdateOnlyAggregator 2016-11-22 19:57:27 -05:00
Jeremy Long
a6ca2e3895 Merge pull request #625 from axel3rd/MinorFixAndUTsWindowsSpaceDirectory 
UTs on Windows when project path contains space & some exception review
 2016-11-22 19:51:54 -05:00
Alix Lourme
6ecf55be91 UTs on Windows when project path contains space & some exception review 2016-11-22 23:33:40 +01:00
Jeremy Long
13bd63dac8 re-loading of properties/settings resolved by sharing the settings object amongst tasks 2016-11-22 16:40:57 -05:00
Jeremy Long
db5ff1bfca java mail - disputed CVE is considered a false positive 2016-11-22 16:38:45 -05:00
Jeremy Long
42f2385bb2 updated documentation for PR #619 2016-11-22 06:51:21 -05:00
Jeremy Long
e9556bbbf0 added analyzer initialization so that temp files get put in the correct location 2016-11-22 06:40:33 -05:00
Jeremy Long
316b936326 ensured resources are closed 2016-11-22 06:39:50 -05:00
Jeremy Long
6838b9b950 fixed logic for single pom entry in a jar 2016-11-22 06:21:30 -05:00
Jeremy Long
cdfe5d0c9a Merge pull request #619 from willowtreeapps/feature/fail-on-cvss 
Adds a failOnCVSS command line option
 2016-11-22 05:50:45 -05:00
Jeremy Long
1610f14c47 general code cleanup/fixes 2016-11-22 05:46:35 -05:00
Jeremy Long
85ab894b94 fixed the possible creation of two indexes 2016-11-20 06:49:28 -05:00
Alix Lourme
ddbca24f33 Maven mojos 'purge' & 'update-only' aggregator #618 2016-11-19 00:32:10 +01:00
Charlie Fairchild
6b9acac8c4 Minor Styling 2016-11-17 15:37:21 -05:00
Charlie Fairchild
2333bee5fd Adds a command line option for the CLI tool to pick what CVSS error to fail on 2016-11-16 11:25:21 -05:00
Jeremy Long
2ad08d2367 minor code cleanup 2016-11-13 16:33:39 -05:00
Stefan Neuhaus
1337686013 Fix handling of numerical versions 2016-11-13 19:37:29 +01:00
Jeremy Long
41041bfd18 updated documentation per issue #607 2016-11-12 11:21:40 -05:00
Jeremy Long
e693e53630 updated error message per issue #607 2016-11-12 11:19:48 -05:00
Jeremy Long
b99e13a337 added documentation to address issue #609 2016-11-12 11:03:25 -05:00
Jeremy Long
3bbc485968 fix index out of range exception per issue #611 2016-11-11 10:58:14 -05:00
142 changed files with 3537 additions and 1359 deletions
Expand all files Collapse all files

2
.gitattributes vendored Normal file
View File

@@ -0,0 +1,2 @@
*.html linguist-documentation
(^|/)site/) linguist-documentation

1
.travis.yml
View File

@@ -1,2 +1,3 @@
language: java
jdk: oraclejdk7
script: mvn install -DreleaseTesting

2
dependency-check-ant/pom.xml
View File

@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.4.4</version>
<version>1.4.5</version>
</parent>
<artifactId>dependency-check-ant</artifactId>

100
dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
View File

@@ -568,6 +568,102 @@ public class Check extends Update {
public void setCMakeAnalyzerEnabled(Boolean cmakeAnalyzerEnabled) {
this.cmakeAnalyzerEnabled = cmakeAnalyzerEnabled;
}
//start changes
/**
* Whether or not the Ruby Bundle Audit Analyzer is enabled.
*/
private Boolean bundleAuditAnalyzerEnabled;
/**
* Returns if the Bundle Audit Analyzer is enabled.
*
* @return if the Bundle Audit Analyzer is enabled.
*/
public Boolean isBundleAuditAnalyzerEnabled() {
return bundleAuditAnalyzerEnabled;
}
/**
* Sets if the Bundle Audit Analyzer is enabled.
*
* @param bundleAuditAnalyzerEnabled whether or not the analyzer should be
* enabled
*/
public void setBundleAuditAnalyzerEnabled(Boolean bundleAuditAnalyzerEnabled) {
this.bundleAuditAnalyzerEnabled = bundleAuditAnalyzerEnabled;
}
/**
* Sets the path for the bundle-audit binary.
*/
private String bundleAuditPath;
/**
* Returns the path to the bundle audit executable.
*
* @return the path to the bundle audit executable
*/
public String getBundleAuditPath() {
return bundleAuditPath;
}
/**
* Sets the path to the bundle audit executable.
*
* @param bundleAuditPath the path to the bundle audit executable
*/
public void setBundleAuditPath(String bundleAuditPath) {
this.bundleAuditPath = bundleAuditPath;
}
/**
* Whether or not the CocoaPods Analyzer is enabled.
*/
private Boolean cocoapodsAnalyzerEnabled;
/**
* Returns if the cocoapods analyyzer is enabled.
*
* @return if the cocoapods analyyzer is enabled
*/
public boolean isCocoapodsAnalyzerEnabled() {
return cocoapodsAnalyzerEnabled;
}
/**
* Sets whether or not the cocoapods analyzer is enabled.
*
* @param cocoapodsAnalyzerEnabled the state of the cocoapods analyzer
*/
public void setCocoapodsAnalyzerEnabled(Boolean cocoapodsAnalyzerEnabled) {
this.cocoapodsAnalyzerEnabled = cocoapodsAnalyzerEnabled;
}
/**
* Whether or not the Swift package Analyzer is enabled.
*/
private Boolean swiftPackageManagerAnalyzerEnabled;
/**
* Returns whether or not the Swift package Analyzer is enabled.
*
* @return whether or not the Swift package Analyzer is enabled
*/
public Boolean isSwiftPackageManagerAnalyzerEnabled() {
return swiftPackageManagerAnalyzerEnabled;
}
/**
* Sets the enabled state of the swift package manager analyzer.
*
* @param swiftPackageManagerAnalyzerEnabled the enabled state of the swift
* package manager
*/
public void setSwiftPackageManagerAnalyzerEnabled(Boolean swiftPackageManagerAnalyzerEnabled) {
this.swiftPackageManagerAnalyzerEnabled = swiftPackageManagerAnalyzerEnabled;
}
//end changes
/**
* Whether or not the openssl analyzer is enabled.
*/
@@ -934,6 +1030,10 @@ public class Check extends Update {
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, rubygemsAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, opensslAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CMAKE_ENABLED, cmakeAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED, swiftPackageManagerAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COCOAPODS_ENABLED, cocoapodsAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, bundleAuditAnalyzerEnabled);
Settings.setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, bundleAuditPath);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);

10
dependency-check-ant/src/site/markdown/configuration.md
View File

@@ -72,9 +72,13 @@ cmakeAnalyzerEnabled | Sets whether the [experimental](../analyzers/ind
autoconfAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) autoconf Analyzer should be used. | true
composerAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used. | true
nodeAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Node.js Analyzer should be used. | true
nuspecAnalyzerEnabled | Sets whether the .NET Nuget Nuspec Analyzer will be used. | true
assemblyAnalyzerEnabled | Sets whether the .NET Assembly Analyzer should be used. | true
pathToMono | The path to Mono for .NET assembly analysis on non-windows systems. | &nbsp;
nuspecAnalyzerEnabled | Sets whether the .NET Nuget Nuspec Analyzer will be used. | true
cocoapodsAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. | true
bundleAuditAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Bundle Audit Analyzer should be used. | true
bundleAuditPath | Sets the path to the bundle audit executable; only used if bundle audit analyzer is enabled and experimental analyzers are enabled. | &nbsp;
swiftPackageManagerAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Switft Package Analyzer should be used. | true
assemblyAnalyzerEnabled | Sets whether the .NET Assembly Analyzer should be used. | true
pathToMono | The path to Mono for .NET assembly analysis on non-windows systems. | &nbsp;
Advanced Configuration
====================

4
dependency-check-cli/pom.xml
View File

@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.4.4</version>
<version>1.4.5</version>
</parent>
<artifactId>dependency-check-cli</artifactId>
@@ -140,6 +140,8 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
<binFileExtensions>
<unix>.sh</unix>
</binFileExtensions>
<configurationDirectory>plugins/*</configurationDirectory>
<includeConfigurationDirectoryInClasspath>true</includeConfigurationDirectoryInClasspath>
</configuration>
<executions>
<execution>

24
dependency-check-cli/src/main/assembly/release.xml
View File

@@ -29,6 +29,13 @@
<outputDirectory>dependency-check/repo</outputDirectory>
<directory>${project.build.directory}/release/repo</directory>
</fileSet>
<fileSet>
<directory>.</directory>
<outputDirectory>dependency-check/plugins</outputDirectory>
<excludes>
<exclude>*/**</exclude>
</excludes>
</fileSet>
<fileSet>
<outputDirectory>dependency-check</outputDirectory>
<includes>
@@ -53,21 +60,4 @@
</includes>
</fileSet>
</fileSets>
<!--
<fileSets>
<fileSet>
<outputDirectory>/</outputDirectory>
<directory>${project.build.directory}</directory>
<includes>
<include>dependency-check*.jar</include>
</includes>
</fileSet>
</fileSets>
<dependencySets>
<dependencySet>
<outputDirectory>/lib</outputDirectory>
<scope>runtime</scope>
</dependencySet>
</dependencySets>
-->
</assembly>

30
dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
View File

@@ -33,6 +33,7 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import org.owasp.dependencycheck.dependency.Dependency;
import org.apache.tools.ant.DirectoryScanner;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.reporting.ReportGenerator;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
@@ -161,8 +162,8 @@ public class App {
try {
final String[] scanFiles = cli.getScanFiles();
if (scanFiles != null) {
runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getProjectName(), scanFiles,
cli.getExcludeList(), cli.getSymLinkDepth());
exitCode = runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getProjectName(), scanFiles,
cli.getExcludeList(), cli.getSymLinkDepth(), cli.getFailOnCVSS());
} else {
LOGGER.error("No scan files configured");
}
@@ -203,6 +204,8 @@ public class App {
* @param files the files/directories to scan
* @param excludes the patterns for files/directories to exclude
* @param symLinkDepth the depth that symbolic links will be followed
* @param cvssFailScore the score to fail on if a vulnerability is found
* @return the exit code if there was an error
*
* @throws InvalidScanPathException thrown if the path to scan starts with
* "//"
@@ -213,9 +216,11 @@ public class App {
* analysis; there may be multiple exceptions contained within the
* collection.
*/
private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files,
String[] excludes, int symLinkDepth) throws InvalidScanPathException, DatabaseException, ExceptionCollection, ReportException {
private int runScan(String reportDirectory, String outputFormat, String applicationName, String[] files,
String[] excludes, int symLinkDepth, int cvssFailScore) throws InvalidScanPathException, DatabaseException,
ExceptionCollection, ReportException {
Engine engine = null;
int retCode = 0;
try {
engine = new Engine();
final List<String> antStylePaths = new ArrayList<String>();
@@ -302,12 +307,25 @@ public class App {
if (exCol != null && exCol.getExceptions().size() > 0) {
throw exCol;
}
//Set the exit code based on whether we found a high enough vulnerability
for (Dependency dep : dependencies) {
if (!dep.getVulnerabilities().isEmpty()) {
for (Vulnerability vuln : dep.getVulnerabilities()) {
LOGGER.debug("VULNERABILITY FOUND " + dep.getDisplayFileName());
if (vuln.getCvssScore() > cvssFailScore) {
retCode = 1;
}
}
}
}
return retCode;
} finally {
if (engine != null) {
engine.cleanup();
}
}
}
/**
@@ -413,6 +431,8 @@ public class App {
Settings.setBoolean(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, !cli.isOpenSSLDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, !cli.isComposerDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, !cli.isNodeJsDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED, !cli.isSwiftPackageAnalyzerDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_COCOAPODS_ENABLED, !cli.isCocoapodsAnalyzerDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, !cli.isRubyGemspecDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, !cli.isCentralDisabled());
Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, !cli.isNexusDisabled());

71
dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
View File

@@ -289,6 +289,11 @@ public final class CliParser {
.desc("Enables the experimental analzers.")
.build();
final Option failOnCVSS = Option.builder().argName("score").hasArg().longOpt(ARGUMENT.FAIL_ON_CVSS)
.desc("Specifies if the build should be failed if a CVSS score above a specified level is identified. "
+ "The default is 11; since the CVSS scores are 0-10, by default the build will never fail.")
.build();
//This is an option group because it can be specified more then once.
final OptionGroup og = new OptionGroup();
og.addOption(path);
@@ -311,7 +316,8 @@ public final class CliParser {
.addOption(suppressionFile)
.addOption(hintsFile)
.addOption(cveValidForHours)
.addOption(experimentalEnabled);
.addOption(experimentalEnabled)
.addOption(failOnCVSS);
}
/**
@@ -431,6 +437,11 @@ public final class CliParser {
final Option disableCmakeAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_CMAKE)
.desc("Disable the Cmake Analyzer.").build();
final Option cocoapodsAnalyzerEnabled = Option.builder().longOpt(ARGUMENT.DISABLE_COCOAPODS)
.desc("Disable the CocoaPods Analyzer.").build();
final Option swiftPackageManagerAnalyzerEnabled = Option.builder().longOpt(ARGUMENT.DISABLE_SWIFT)
.desc("Disable the swift package Analyzer.").build();
final Option disableCentralAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_CENTRAL)
.desc("Disable the Central Analyzer. If this analyzer is disabled it is likely you also want to disable "
+ "the Nexus Analyzer.").build();
@@ -475,6 +486,8 @@ public final class CliParser {
.addOption(disableNuspecAnalyzer)
.addOption(disableCentralAnalyzer)
.addOption(disableNexusAnalyzer)
.addOption(cocoapodsAnalyzerEnabled)
.addOption(swiftPackageManagerAnalyzerEnabled)
.addOption(Option.builder().longOpt(ARGUMENT.DISABLE_NODE_JS)
.desc("Disable the Node.js Package Analyzer.").build())
.addOption(nexusUrl)
@@ -695,6 +708,28 @@ public final class CliParser {
return (line != null) && line.hasOption(ARGUMENT.DISABLE_NODE_JS);
}
/**
* Returns true if the disableCocoapodsAnalyzer command line argument was
* specified.
*
* @return true if the disableCocoapodsAnalyzer command line argument was
* specified; otherwise false
*/
public boolean isCocoapodsAnalyzerDisabled() {
return (line != null) && line.hasOption(ARGUMENT.DISABLE_COCOAPODS);
}
/**
* Returns true if the disableSwiftPackageManagerAnalyzer command line
* argument was specified.
*
* @return true if the disableSwiftPackageManagerAnalyzer command line
* argument was specified; otherwise false
*/
public boolean isSwiftPackageAnalyzerDisabled() {
return (line != null) && line.hasOption(ARGUMENT.DISABLE_SWIFT);
}
/**
* Returns true if the disableCentral command line argument was specified.
*
@@ -1105,6 +1140,25 @@ public final class CliParser {
return line.hasOption(ARGUMENT.EXPERIMENTAL);
}
/**
* Returns the CVSS value to fail on.
*
* @return 11 if nothing is set. Otherwise it returns the int passed from
* the command line arg
*/
public int getFailOnCVSS() {
if (line.hasOption(ARGUMENT.FAIL_ON_CVSS)) {
final String value = line.getOptionValue(ARGUMENT.FAIL_ON_CVSS);
try {
return Integer.parseInt(value);
} catch (NumberFormatException nfe) {
return 11;
}
} else {
return 11;
}
}
/**
* A collection of static final strings that represent the possible command
* line arguments.
@@ -1287,8 +1341,7 @@ public final class CliParser {
*/
public static final String SUPPRESSION_FILE = "suppression";
/**
* The CLI argument name for setting the location of the hint
* file.
* The CLI argument name for setting the location of the hint file.
*/
public static final String HINTS_FILE = "hints";
/**
@@ -1328,6 +1381,14 @@ public final class CliParser {
* Disables the Cmake Analyzer.
*/
public static final String DISABLE_CMAKE = "disableCmake";
/**
* Disables the cocoapods analyzer.
*/
public static final String DISABLE_COCOAPODS = "disableCocoapodsAnalyzer";
/**
* Disables the swift package manager analyzer.
*/
public static final String DISABLE_SWIFT = "disableSwiftPackageManagerAnalyzer";
/**
* Disables the Assembly Analyzer.
*/
@@ -1408,5 +1469,9 @@ public final class CliParser {
* The CLI argument to enable the experimental analyzers.
*/
private static final String EXPERIMENTAL = "enableExperimental";
/**
* The CLI argument to enable the experimental analyzers.
*/
private static final String FAIL_ON_CVSS = "failOnCVSS";
}
}

11
dependency-check-cli/src/site/markdown/arguments.md
View File

@@ -11,6 +11,7 @@ Short | Argument&nbsp;Name&nbsp;&nbsp; | Parameter | Description | Requir
| \-\-symLink | \<depth\> | The depth that symbolic links will be followed; the default is 0 meaning symbolic links will not be followed. | Optional
\-o | \-\-out | \<path\> | The folder to write reports to. This defaults to the current directory. If the format is not set to ALL one could specify a specific file name. | Optional
\-f | \-\-format | \<format\> | The output format to write to (XML, HTML, VULN, ALL). The default is HTML. | Required
| \-\-failOnCvss | \<score\> | If the score set between 0 and 10 the exit code from dependency-check will indicate if a vulnerability with a CVSS score equal to or higher was identified. | Optional
\-l | \-\-log | \<file\> | The file path to write verbose logging information. | Optional
\-n | \-\-noupdate | | Disables the automatic updating of the CPE data. | Optional
| \-\-suppression | \<file\> | The file path to the suppression XML file; used to suppress [false positives](../general/suppression.html). | Optional
@@ -34,13 +35,15 @@ Short | Argument&nbsp;Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Paramete
| \-\-disablePyPkg | | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used. | false
| \-\-disableNodeJS | | Sets whether the [experimental](../analyzers/index.html) Node.js Package Analyzer will be used. | false
| \-\-disableRubygems | | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used. | false
| \-\-disableBundleAudit | | Sets whether the [experimental](../analyzers/index.html) Ruby Bundler Audit Analyzer will be used. | false
| \-\-disableBundleAudit | | Sets whether the [experimental](../analyzers/index.html) Ruby Bundler Audit Analyzer will be used. | false
| \-\-disableCocoapodsAnalyzer | | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer will be used. | false
| \-\-disableSwiftPackageManagerAnalyzer | | Sets whether the [experimental](../analyzers/index.html) Swift Package Manager Analyzer will be used. | false
| \-\-disableAutoconf | | Sets whether the [experimental](../analyzers/index.html) Autoconf Analyzer will be used. | false
| \-\-disableOpenSSL | | Sets whether the OpenSSL Analyzer will be used. | false
| \-\-disableOpenSSL | | Sets whether the OpenSSL Analyzer will be used. | false
| \-\-disableCmake | | Sets whether the [experimental](../analyzers/index.html) Cmake Analyzer will be disabled. | false
| \-\-disableArchive | | Sets whether the Archive Analyzer will be disabled. | false
| \-\-disableArchive | | Sets whether the Archive Analyzer will be disabled. | false
| \-\-zipExtensions | \<strings\> | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp;
| \-\-disableJar | | Sets whether the Jar Analyzer will be disabled. | false
| \-\-disableJar | | Sets whether the Jar Analyzer will be disabled. | false
| \-\-disableComposer | | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer will be disabled. | false
| \-\-disableCentral | | Sets whether the Central Analyzer will be used. **Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).** If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer. | false
| \-\-disableNexus | | Sets whether the Nexus Analyzer will be used. Note, this has been superceded by the Central Analyzer. However, you can configure the Nexus URL to utilize an internally hosted Nexus Pro server. | false

59
dependency-check-cli/src/test/java/org/owasp/dependencycheck/CliParserTest.java
View File

@@ -115,6 +115,63 @@ public class CliParserTest {
}
/**
* Test of parse method with failOnCVSS without an argument
*
* @throws Exception thrown when an exception occurs.
*/
@Test
public void testParse_failOnCVSSNoArg() throws Exception {
String[] args = {"--failOnCVSS"};
CliParser instance = new CliParser();
try {
instance.parse(args);
} catch (ParseException ex) {
Assert.assertTrue(ex.getMessage().contains("Missing argument"));
}
Assert.assertFalse(instance.isGetVersion());
Assert.assertFalse(instance.isGetHelp());
Assert.assertFalse(instance.isRunScan());
}
/**
* Test of parse method with failOnCVSS invalid argument. It should default to 11
*
* @throws Exception thrown when an exception occurs.
*/
@Test
public void testParse_failOnCVSSInvalidArgument() throws Exception {
String[] args = {"--failOnCVSS","bad"};
CliParser instance = new CliParser();
instance.parse(args);
Assert.assertEquals("Default should be 11", 11, instance.getFailOnCVSS());
Assert.assertFalse(instance.isGetVersion());
Assert.assertFalse(instance.isGetHelp());
Assert.assertFalse(instance.isRunScan());
}
/**
* Test of parse method with failOnCVSS invalid argument. It should default to 11
*
* @throws Exception thrown when an exception occurs.
*/
@Test
public void testParse_failOnCVSSValidArgument() throws Exception {
String[] args = {"--failOnCVSS","6"};
CliParser instance = new CliParser();
instance.parse(args);
Assert.assertEquals(6, instance.getFailOnCVSS());
Assert.assertFalse(instance.isGetVersion());
Assert.assertFalse(instance.isGetHelp());
Assert.assertFalse(instance.isRunScan());
}
/**
* Test of parse method with jar and cpe args, of class CliParser.
*
@@ -196,7 +253,7 @@ public class CliParserTest {
*/
@Test
public void testParse_scan_withFileExists() throws Exception {
File path = new File(this.getClass().getClassLoader().getResource("checkSumTest.file").getPath());
File path = new File(this.getClass().getClassLoader().getResource("checkSumTest.file").toURI().getPath());
String[] args = {"-scan", path.getCanonicalPath(), "-out", "./", "-app", "test"};
CliParser instance = new CliParser();

31
dependency-check-core/pom.xml
View File

@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.4.4</version>
<version>1.4.5</version>
</parent>
<artifactId>dependency-check-core</artifactId>
@@ -261,6 +261,10 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
</reporting>
<dependencies>
<!-- Note, to stay compatible with Jenkins installations only JARs compiled to 1.6 can be used -->
<dependency>
<groupId>joda-time</groupId>
<artifactId>joda-time</artifactId>
</dependency>
<dependency>
<groupId>com.google.code.findbugs</groupId>
<artifactId>annotations</artifactId>
@@ -575,15 +579,19 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
</plugins>
</build>
</profile>
<profile>
<!-- The following profile adds additional
dependencies that are only used during testing.
Additionally, these are only added when using "allTests" to
make the build slightly faster in most cases. -->
<!--
The following profile adds additional dependencies that are only
used during testing.
TODO move the following FP tests to a seperate invoker test in the
maven plugin project. Add checks against the XML to validate that
these do not report FP.
-->
<!--profile>
<id>False Positive Tests</id>
<activation>
<property>
<name>allTests</name>
<name>releaseTesting</name>
</property>
</activation>
<dependencies>
@@ -664,13 +672,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<scope>test</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>3.2.12.RELEASE</version>
<scope>test</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>com.google.code.gson</groupId>
<artifactId>gson</artifactId>
@@ -728,6 +729,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
<optional>true</optional>
</dependency>
</dependencies>
</profile>
</profile-->
</profiles>
</project>

47
dependency-check-core/src/main/java/org/owasp/dependencycheck/AnalysisTask.java
View File

@@ -29,8 +29,8 @@ import java.util.List;
import java.util.concurrent.Callable;
/**
* Task to support parallelism of dependency-check analysis.
* Analyses a single {@link Dependency} by a specific {@link Analyzer}.
* Task to support parallelism of dependency-check analysis. Analyses a single
* {@link Dependency} by a specific {@link Analyzer}.
*
* @author Stefan Neuhaus
*/
@@ -57,6 +57,10 @@ class AnalysisTask implements Callable<Void> {
* The list of exceptions that may occur during analysis.
*/
private final List<Throwable> exceptions;
/**
* A reference to the global settings object.
*/
private final Settings settings;
/**
* Creates a new analysis task.
@@ -66,12 +70,16 @@ class AnalysisTask implements Callable<Void> {
* @param engine the dependency-check engine
* @param exceptions exceptions that occur during analysis will be added to
* this collection of exceptions
* @param settings a reference to the global settings object; this is
* necessary so that when the thread is started the dependencies have a
* correct reference to the global settings.
*/
AnalysisTask(Analyzer analyzer, Dependency dependency, Engine engine, List<Throwable> exceptions) {
AnalysisTask(Analyzer analyzer, Dependency dependency, Engine engine, List<Throwable> exceptions, Settings settings) {
this.analyzer = analyzer;
this.dependency = dependency;
this.engine = engine;
this.exceptions = exceptions;
this.settings = settings;
}
/**
@@ -82,24 +90,27 @@ class AnalysisTask implements Callable<Void> {
*/
@Override
public Void call() {
Settings.initialize();
try {
Settings.setInstance(settings);
if (shouldAnalyze()) {
LOGGER.debug("Begin Analysis of '{}' ({})", dependency.getActualFilePath(), analyzer.getName());
try {
analyzer.analyze(dependency, engine);
} catch (AnalysisException ex) {
LOGGER.warn("An error occurred while analyzing '{}' ({}).", dependency.getActualFilePath(), analyzer.getName());
LOGGER.debug("", ex);
exceptions.add(ex);
} catch (Throwable ex) {
LOGGER.warn("An unexpected error occurred during analysis of '{}' ({}): {}",
dependency.getActualFilePath(), analyzer.getName(), ex.getMessage());
LOGGER.debug("", ex);
exceptions.add(ex);
if (shouldAnalyze()) {
LOGGER.debug("Begin Analysis of '{}' ({})", dependency.getActualFilePath(), analyzer.getName());
try {
analyzer.analyze(dependency, engine);
} catch (AnalysisException ex) {
LOGGER.warn("An error occurred while analyzing '{}' ({}).", dependency.getActualFilePath(), analyzer.getName());
LOGGER.debug("", ex);
exceptions.add(ex);
} catch (Throwable ex) {
LOGGER.warn("An unexpected error occurred during analysis of '{}' ({}): {}",
dependency.getActualFilePath(), analyzer.getName(), ex.getMessage());
LOGGER.debug("", ex);
exceptions.add(ex);
}
}
} finally {
Settings.cleanup(false);
}
return null;
}

23
dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
View File

@@ -163,15 +163,16 @@ public class Engine implements FileFilter {
/**
* Get the dependencies identified. The returned list is a reference to the
* engine's synchronized list. You must synchronize on it, when you modify
* and iterate over it from multiple threads. E.g. this holds for analyzers
* supporting parallel processing during their analysis phase.
* engine's synchronized list. <b>You must synchronize on the returned
* list</b> when you modify and iterate over it from multiple threads. E.g.
* this holds for analyzers supporting parallel processing during their
* analysis phase.
*
* @return the dependencies identified
* @see Collections#synchronizedList(List)
* @see Analyzer#supportsParallelProcessing()
*/
public List<Dependency> getDependencies() {
public synchronized List<Dependency> getDependencies() {
return dependencies;
}
@@ -521,11 +522,15 @@ public class Engine implements FileFilter {
continue;
}
executeAnalysisTasks(analyzer, exceptions);
if (analyzer.isEnabled()) {
executeAnalysisTasks(analyzer, exceptions);
final long analyzerDurationMillis = System.currentTimeMillis() - analyzerStart;
final long analyzerDurationSeconds = TimeUnit.MILLISECONDS.toSeconds(analyzerDurationMillis);
LOGGER.info("Finished {} ({} seconds)", analyzer.getName(), analyzerDurationSeconds);
final long analyzerDurationMillis = System.currentTimeMillis() - analyzerStart;
final long analyzerDurationSeconds = TimeUnit.MILLISECONDS.toSeconds(analyzerDurationMillis);
LOGGER.info("Finished {} ({} seconds)", analyzer.getName(), analyzerDurationSeconds);
} else {
LOGGER.debug("Skipping {} (not enabled)", analyzer.getName());
}
}
}
for (AnalysisPhase phase : AnalysisPhase.values()) {
@@ -588,7 +593,7 @@ public class Engine implements FileFilter {
final List<AnalysisTask> result = new ArrayList<AnalysisTask>();
synchronized (dependencies) {
for (final Dependency dependency : dependencies) {
final AnalysisTask task = new AnalysisTask(analyzer, dependency, this, exceptions);
final AnalysisTask task = new AnalysisTask(analyzer, dependency, this, exceptions, Settings.getInstance());
result.add(task);
}
}

116
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzer.java
View File

@@ -17,24 +17,123 @@
*/
package org.owasp.dependencycheck.analyzer;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.exception.InitializationException;
import org.owasp.dependencycheck.utils.InvalidSettingException;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* Base class for analyzers to avoid code duplication of initialize and close
* as most analyzers do not need these methods.
* Base class for analyzers to avoid code duplication of initialize and close as
* most analyzers do not need these methods.
*
* @author Jeremy Long
*/
public abstract class AbstractAnalyzer implements Analyzer {
/**
* The logger.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(AbstractAnalyzer.class);
/**
* A flag indicating whether or not the analyzer is enabled.
*/
private volatile boolean enabled = true;
/**
* Get the value of enabled.
*
* @return the value of enabled
*/
@Override
public boolean isEnabled() {
return enabled;
}
/**
* Set the value of enabled.
*
* @param enabled new value of enabled
*/
public void setEnabled(boolean enabled) {
this.enabled = enabled;
}
/**
* <p>
* Returns the setting key to determine if the analyzer is enabled.</p>
*
* @return the key for the analyzer's enabled property
*/
protected abstract String getAnalyzerEnabledSettingKey();
/**
* Analyzes a given dependency. If the dependency is an archive, such as a
* WAR or EAR, the contents are extracted, scanned, and added to the list of
* dependencies within the engine.
*
* @param dependency the dependency to analyze
* @param engine the engine scanning
* @throws AnalysisException thrown if there is an analysis exception
*/
protected abstract void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException;
/**
* Initializes a given Analyzer. This will be skipped if the analyzer is disabled.
*
* @throws InitializationException thrown if there is an exception
*/
protected void initializeAnalyzer() throws InitializationException {
}
/**
* Closes a given Analyzer. This will be skipped if the analyzer is disabled.
*
* @throws Exception thrown if there is an exception
*/
protected void closeAnalyzer() throws Exception {
}
/**
* Analyzes a given dependency. If the dependency is an archive, such as a
* WAR or EAR, the contents are extracted, scanned, and added to the list of
* dependencies within the engine.
*
* @param dependency the dependency to analyze
* @param engine the engine scanning
* @throws AnalysisException thrown if there is an analysis exception
*/
@Override
public final void analyze(Dependency dependency, Engine engine) throws AnalysisException {
if (this.isEnabled()) {
analyzeDependency(dependency, engine);
}
}
/**
* The initialize method does nothing for this Analyzer.
*
* @throws InitializationException thrown if there is an exception
*/
@Override
public void initialize() throws InitializationException {
//do nothing
public final void initialize() throws InitializationException {
final String key = getAnalyzerEnabledSettingKey();
try {
this.setEnabled(Settings.getBoolean(key, true));
} catch (InvalidSettingException ex) {
LOGGER.warn("Invalid setting for property '{}'", key);
LOGGER.debug("", ex);
}
if (isEnabled()) {
initializeAnalyzer();
} else {
LOGGER.debug("{} has been disabled", getName());
}
}
/**
@@ -43,12 +142,17 @@ public abstract class AbstractAnalyzer implements Analyzer {
* @throws Exception thrown if there is an exception
*/
@Override
public void close() throws Exception {
//do nothing
public final void close() throws Exception {
if (isEnabled()) {
closeAnalyzer();
}
}
/**
* The default is to support parallel processing.
*
* @return true
*/
@Override
public boolean supportsParallelProcessing() {

124
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java
View File

@@ -17,11 +17,6 @@
*/
package org.owasp.dependencycheck.analyzer;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.utils.InvalidSettingException;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -40,17 +35,7 @@ import org.owasp.dependencycheck.exception.InitializationException;
*/
public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implements FileTypeAnalyzer {
//<editor-fold defaultstate="collapsed" desc="Constructor">
/**
* Base constructor that all children must call. This checks the
* configuration to determine if the analyzer is enabled.
*/
public AbstractFileTypeAnalyzer() {
reset();
}
//</editor-fold>
//<editor-fold defaultstate="collapsed" desc="Field definitions">
//<editor-fold defaultstate="collapsed" desc="Field definitions, getters, and setters ">
/**
* The logger.
*/
@@ -80,30 +65,24 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
this.filesMatched = filesMatched;
}
//</editor-fold>
//<editor-fold defaultstate="collapsed" desc="Final implementations for the Analyzer interface">
/**
* A flag indicating whether or not the analyzer is enabled.
*/
private volatile boolean enabled = true;
/**
* Get the value of enabled.
* Initializes the analyzer.
*
* @return the value of enabled
* @throws InitializationException thrown if there is an exception during
* initialization
*/
public boolean isEnabled() {
return enabled;
@Override
protected final void initializeAnalyzer() throws InitializationException {
if (filesMatched) {
initializeFileTypeAnalyzer();
} else {
this.setEnabled(false);
}
}
/**
* Set the value of enabled.
*
* @param enabled new value of enabled
*/
public void setEnabled(boolean enabled) {
this.enabled = enabled;
}
//</editor-fold>
//</editor-fold>
//<editor-fold defaultstate="collapsed" desc="Abstract methods children must implement">
/**
* <p>
@@ -127,80 +106,21 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
*/
protected abstract void initializeFileTypeAnalyzer() throws InitializationException;
//</editor-fold>
/**
* Analyzes a given dependency. If the dependency is an archive, such as a
* WAR or EAR, the contents are extracted, scanned, and added to the list of
* dependencies within the engine.
* Determines if the file can be analyzed by the analyzer.
*
* @param dependency the dependency to analyze
* @param engine the engine scanning
* @throws AnalysisException thrown if there is an analysis exception
* @param pathname the path to the file
* @return true if the file can be analyzed by the given analyzer; otherwise
* false
*/
protected abstract void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException;
/**
* <p>
* Returns the setting key to determine if the analyzer is enabled.</p>
*
* @return the key for the analyzer's enabled property
*/
protected abstract String getAnalyzerEnabledSettingKey();
//</editor-fold>
//<editor-fold defaultstate="collapsed" desc="Final implementations for the Analyzer interface">
/**
* Initializes the analyzer.
*
* @throws InitializationException thrown if there is an exception during
* initialization
*/
@Override
public final void initialize() throws InitializationException {
if (filesMatched) {
initializeFileTypeAnalyzer();
} else {
enabled = false;
}
}
/**
* Resets the enabled flag on the analyzer.
*/
@Override
public final void reset() {
final String key = getAnalyzerEnabledSettingKey();
try {
enabled = Settings.getBoolean(key, true);
} catch (InvalidSettingException ex) {
LOGGER.warn("Invalid setting for property '{}'", key);
LOGGER.debug("", ex);
LOGGER.warn("{} has been disabled", getName());
}
}
/**
* Analyzes a given dependency. If the dependency is an archive, such as a
* WAR or EAR, the contents are extracted, scanned, and added to the list of
* dependencies within the engine.
*
* @param dependency the dependency to analyze
* @param engine the engine scanning
* @throws AnalysisException thrown if there is an analysis exception
*/
@Override
public final void analyze(Dependency dependency, Engine engine) throws AnalysisException {
if (enabled) {
analyzeFileType(dependency, engine);
}
}
@Override
public boolean accept(File pathname) {
final FileFilter filter = getFileFilter();
boolean accepted = false;
if (null == filter) {
LOGGER.error("The '{}' analyzer is misconfigured and does not have a file filter; it will be disabled", getName());
} else if (enabled) {
} else if (this.isEnabled()) {
accepted = filter.accept(pathname);
if (accepted) {
filesMatched = true;
@@ -209,8 +129,6 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
return accepted;
}
//</editor-fold>
//<editor-fold defaultstate="collapsed" desc="Static utility methods">
/**
* <p>
* Utility method to help in the creation of the extensions set. This
@@ -227,6 +145,4 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
Collections.addAll(set, strings);
return set;
}
//</editor-fold>
}

6
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
View File

@@ -67,8 +67,7 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
* @throws InitializationException thrown if there is an exception
*/
@Override
public void initialize() throws InitializationException {
super.initialize();
public void initializeAnalyzer() throws InitializationException {
try {
loadSuppressionData();
} catch (SuppressionParseException ex) {
@@ -108,7 +107,8 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
final SuppressionParser parser = new SuppressionParser();
File file = null;
try {
rules = parser.parseSuppressionRules(this.getClass().getClassLoader().getResourceAsStream("dependencycheck-base-suppression.xml"));
final InputStream in = this.getClass().getClassLoader().getResourceAsStream("dependencycheck-base-suppression.xml");
rules = parser.parseSuppressionRules(in);
} catch (SAXException ex) {
throw new SuppressionParseException("Unable to parse the base suppression data file", ex);
}

4
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java
View File

@@ -36,6 +36,10 @@ public enum AnalysisPhase {
* Information collection phase.
*/
INFORMATION_COLLECTION,
/**
* Post information collection phase.
*/
POST_INFORMATION_COLLECTION,
/**
* Pre identifier analysis phase.
*/

6
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Analyzer.java
View File

@@ -83,4 +83,10 @@ public interface Analyzer {
* @return {@code true} if the analyzer supports parallel processing, {@code false} else
*/
boolean supportsParallelProcessing();
/**
* Get the value of enabled.
*
* @return the value of enabled
*/
boolean isEnabled();
}

45
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
View File

@@ -18,7 +18,6 @@
package org.owasp.dependencycheck.analyzer;
import java.io.BufferedInputStream;
import java.io.Closeable;
import java.io.File;
import java.io.FileFilter;
import java.io.FileInputStream;
@@ -205,7 +204,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
* files
*/
@Override
public void close() throws Exception {
public void closeAnalyzer() throws Exception {
if (tempFileLocation != null && tempFileLocation.exists()) {
LOGGER.debug("Attempting to delete temporary files");
final boolean success = FileUtils.delete(tempFileLocation);
@@ -222,7 +221,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
* Does not support parallel processing as it both modifies and iterates
* over the engine's list of dependencies.
*
* @see #analyzeFileType(Dependency, Engine)
* @see #analyzeDependency(Dependency, Engine)
* @see #findMoreDependencies(Engine, File)
*/
@Override
@@ -240,7 +239,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
* @throws AnalysisException thrown if there is an analysis exception
*/
@Override
public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
final File f = new File(dependency.getActualFilePath());
final File tmpDir = getNextTempDirectory();
extractFiles(f, tmpDir, engine);
@@ -248,7 +247,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
//make a copy
final List<Dependency> dependencySet = findMoreDependencies(engine, tmpDir);
if (!dependencySet.isEmpty()) {
if (dependencySet != null && !dependencySet.isEmpty()) {
for (Dependency d : dependencySet) {
if (d.getFilePath().startsWith(tmpDir.getAbsolutePath())) {
//fix the dependency's display name and path
@@ -314,7 +313,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
dependency.setSha1sum("");
org.apache.commons.io.FileUtils.copyFile(dependency.getActualFile(), tmpLoc);
final List<Dependency> dependencySet = findMoreDependencies(engine, tmpLoc);
if (!dependencySet.isEmpty()) {
if (dependencySet != null && !dependencySet.isEmpty()) {
for (Dependency d : dependencySet) {
//fix the dependency's display name and path
if (d.getActualFile().equals(tmpLoc)) {
@@ -434,12 +433,12 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
} finally {
//overly verbose and not needed... but keeping it anyway due to
//having issue with file handles being left open
close(fis);
close(in);
close(zin);
close(tin);
close(gin);
close(bzin);
FileUtils.close(fis);
FileUtils.close(in);
FileUtils.close(zin);
FileUtils.close(tin);
FileUtils.close(gin);
FileUtils.close(bzin);
}
}
}
@@ -521,7 +520,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
} catch (Throwable ex) {
throw new ArchiveExtractionException(ex);
} finally {
close(input);
FileUtils.close(input);
}
}
@@ -552,7 +551,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
final String msg = String.format("IO Exception while parsing file '%s'.", file.getName());
throw new AnalysisException(msg, ex);
} finally {
close(fos);
FileUtils.close(fos);
}
}
@@ -577,23 +576,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
LOGGER.debug("", ex);
throw new ArchiveExtractionException(ex);
} finally {
close(out);
}
}
/**
* Close the given {@link Closeable} instance, ignoring nulls, and logging
* any thrown {@link IOException}.
*
* @param closeable to be closed
*/
private static void close(Closeable closeable) {
if (null != closeable) {
try {
closeable.close();
} catch (IOException ex) {
LOGGER.trace("", ex);
}
FileUtils.close(out);
}
}

22
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
View File

@@ -37,7 +37,6 @@ import org.w3c.dom.Document;
import org.xml.sax.SAXException;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
@@ -46,6 +45,7 @@ import java.util.List;
import javax.xml.parsers.ParserConfigurationException;
import org.owasp.dependencycheck.exception.InitializationException;
import org.apache.commons.lang3.SystemUtils;
import org.owasp.dependencycheck.utils.XmlUtils;
/**
* Analyzer for getting company, product, and version information from a .NET
@@ -106,7 +106,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
* @throws AnalysisException if anything goes sideways
*/
@Override
public void analyzeFileType(Dependency dependency, Engine engine)
public void analyzeDependency(Dependency dependency, Engine engine)
throws AnalysisException {
if (grokAssemblyExe == null) {
LOGGER.warn("GrokAssembly didn't get deployed");
@@ -123,8 +123,8 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
Document doc = null;
try {
final Process proc = pb.start();
final DocumentBuilder builder = XmlUtils.buildSecureDocumentBuilder();
final DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
doc = builder.parse(proc.getInputStream());
// Try evacuating the error stream
@@ -178,7 +178,11 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
} catch (IOException ioe) {
throw new AnalysisException(ioe);
} catch (SAXException saxe) {
throw new AnalysisException("Couldn't parse GrokAssembly result", saxe);
LOGGER.error("----------------------------------------------------");
LOGGER.error("Failed to read the Assembly Analyzer results. "
+ "On some systems mono-runtime and mono-devel need to be installed.");
LOGGER.error("----------------------------------------------------");
throw new AnalysisException("Couldn't parse Assembly Analzyzer results (GrokAssembly)", saxe);
} catch (XPathExpressionException xpe) {
// This shouldn't happen
throw new AnalysisException(xpe);
@@ -244,7 +248,8 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
LOGGER.error("----------------------------------------------------");
LOGGER.error(".NET Assembly Analyzer could not be initialized and at least one "
+ "'exe' or 'dll' was scanned. The 'mono' executable could not be found on "
+ "the path; either disable the Assembly Analyzer or configure the path mono.");
+ "the path; either disable the Assembly Analyzer or configure the path mono. "
+ "On some systems mono-runtime and mono-devel need to be installed.");
LOGGER.error("----------------------------------------------------");
return;
}
@@ -254,9 +259,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
// Try evacuating the error stream
IOUtils.copy(p.getErrorStream(), NullOutputStream.NULL_OUTPUT_STREAM);
final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
final DocumentBuilder builder = factory.newDocumentBuilder();
final DocumentBuilder builder = XmlUtils.buildSecureDocumentBuilder();
final Document doc = builder.parse(p.getInputStream());
final XPath xpath = XPathFactory.newInstance().newXPath();
final String error = xpath.evaluate("/assembly/error", doc);
@@ -285,8 +288,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
* @throws Exception thrown if there is a problem closing the analyzer
*/
@Override
public void close() throws Exception {
super.close();
public void closeAnalyzer() throws Exception {
try {
if (grokAssemblyExe != null && !grokAssemblyExe.delete()) {
LOGGER.debug("Unable to delete temporary GrokAssembly.exe; attempting delete on exit");

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java
View File

@@ -154,7 +154,7 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
}
@Override
protected void analyzeFileType(Dependency dependency, Engine engine)
protected void analyzeDependency(Dependency dependency, Engine engine)
throws AnalysisException {
final File actualFile = dependency.getActualFile();
final String name = actualFile.getName();

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
View File

@@ -147,7 +147,7 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
* analyzing the dependency
*/
@Override
protected void analyzeFileType(Dependency dependency, Engine engine)
protected void analyzeDependency(Dependency dependency, Engine engine)
throws AnalysisException {
final File file = dependency.getActualFile();
final String parentName = file.getParentFile().getName();

37
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
View File

@@ -50,6 +50,7 @@ import org.owasp.dependencycheck.dependency.VulnerableSoftware;
import org.owasp.dependencycheck.exception.InitializationException;
import org.owasp.dependencycheck.utils.DependencyVersion;
import org.owasp.dependencycheck.utils.DependencyVersionUtil;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -122,7 +123,14 @@ public class CPEAnalyzer extends AbstractAnalyzer {
public AnalysisPhase getAnalysisPhase() {
return AnalysisPhase.IDENTIFIER_ANALYSIS;
}
/**
* The default is to support parallel processing.
* @return false
*/
@Override
public boolean supportsParallelProcessing() {
return false;
}
/**
* Creates the CPE Lucene Index.
*
@@ -130,7 +138,7 @@ public class CPEAnalyzer extends AbstractAnalyzer {
* the index.
*/
@Override
public void initialize() throws InitializationException {
public void initializeAnalyzer() throws InitializationException {
try {
this.open();
} catch (IOException ex) {
@@ -171,7 +179,7 @@ public class CPEAnalyzer extends AbstractAnalyzer {
* Closes the data sources.
*/
@Override
public void close() {
public void closeAnalyzer() {
if (cpe != null) {
cpe.close();
cpe = null;
@@ -515,7 +523,7 @@ public class CPEAnalyzer extends AbstractAnalyzer {
* dependency.
*/
@Override
public synchronized void analyze(Dependency dependency, Engine engine) throws AnalysisException {
protected synchronized void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
try {
determineCPE(dependency);
} catch (CorruptIndexException ex) {
@@ -628,6 +636,17 @@ public class CPEAnalyzer extends AbstractAnalyzer {
return identifierAdded;
}
/**
* <p>
* Returns the setting key to determine if the analyzer is enabled.</p>
*
* @return the key for the analyzer's enabled property
*/
@Override
protected String getAnalyzerEnabledSettingKey() {
return Settings.KEYS.ANALYZER_CPE_ENABLED;
}
/**
* The confidence whether the identifier is an exact match, or a best guess.
*/
@@ -808,16 +827,6 @@ public class CPEAnalyzer extends AbstractAnalyzer {
.append(evidenceConfidence, o.evidenceConfidence)
.append(identifier, o.identifier)
.toComparison();
/*
int conf = this.confidence.compareTo(o.confidence);
if (conf == 0) {
conf = this.evidenceConfidence.compareTo(o.evidenceConfidence);
if (conf == 0) {
conf = identifier.compareTo(o.identifier);
}
}
return conf;
*/
}
}
}

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java
View File

@@ -193,7 +193,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
* @throws AnalysisException when there's an exception during analysis
*/
@Override
public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
if (errorFlag || !isEnabled()) {
return;
}

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java
View File

@@ -119,7 +119,7 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer {
}
@Override
protected void analyzeFileType(Dependency dependency, Engine engine)
protected void analyzeDependency(Dependency dependency, Engine engine)
throws AnalysisException {
String contents;

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
View File

@@ -100,7 +100,7 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
* @throws AnalysisException if there's a failure during analysis
*/
@Override
protected void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
FileInputStream fis = null;
try {
fis = new FileInputStream(dependency.getActualFile());

14
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzer.java
View File

@@ -20,6 +20,7 @@ package org.owasp.dependencycheck.analyzer;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.utils.Settings;
import org.owasp.dependencycheck.xml.suppression.SuppressionRule;
/**
@@ -62,7 +63,7 @@ public class CpeSuppressionAnalyzer extends AbstractSuppressionAnalyzer {
//</editor-fold>
@Override
public void analyze(final Dependency dependency, final Engine engine) throws AnalysisException {
protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
if (getRules() == null || getRules().size() <= 0) {
return;
@@ -72,4 +73,15 @@ public class CpeSuppressionAnalyzer extends AbstractSuppressionAnalyzer {
rule.process(dependency);
}
}
/**
* <p>
* Returns the setting key to determine if the analyzer is enabled.</p>
*
* @return the key for the analyzer's enabled property
*/
@Override
protected String getAnalyzerEnabledSettingKey() {
return Settings.KEYS.ANALYZER_CPE_SUPPRESSION_ENABLED;
}
}

149
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
View File

@@ -30,6 +30,7 @@ import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Identifier;
import org.owasp.dependencycheck.utils.DependencyVersion;
import org.owasp.dependencycheck.utils.DependencyVersionUtil;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -84,7 +85,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer {
/**
* The phase that this analyzer is intended to run in.
*/
private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_FINDING_ANALYSIS;
private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.FINAL;
/**
* Returns the name of the analyzer.
@@ -119,6 +120,17 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer {
return false;
}
/**
* <p>
* Returns the setting key to determine if the analyzer is enabled.</p>
*
* @return the key for the analyzer's enabled property
*/
@Override
protected String getAnalyzerEnabledSettingKey() {
return Settings.KEYS.ANALYZER_DEPENDENCY_BUNDLING_ENABLED;
}
/**
* Analyzes a set of dependencies. If they have been found to have the same
* base path and the same set of identifiers they are likely related. The
@@ -130,7 +142,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer {
* file.
*/
@Override
public void analyze(Dependency ignore, Engine engine) throws AnalysisException {
protected synchronized void analyzeDependency(Dependency ignore, Engine engine) throws AnalysisException {
if (!analyzed) {
analyzed = true;
final Set<Dependency> dependenciesToRemove = new HashSet<Dependency>();
@@ -142,7 +154,6 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer {
final ListIterator<Dependency> subIterator = engine.getDependencies().listIterator(mainIterator.nextIndex());
while (subIterator.hasNext()) {
final Dependency nextDependency = subIterator.next();
Dependency main = null;
if (hashesMatch(dependency, nextDependency) && !containedInWar(dependency.getFilePath())
&& !containedInWar(nextDependency.getFilePath())) {
if (firstPathIsShortest(dependency.getFilePath(), nextDependency.getFilePath())) {
@@ -162,6 +173,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer {
}
} else if (cpeIdentifiersMatch(dependency, nextDependency)
&& hasSameBasePath(dependency, nextDependency)
&& vulnCountMatches(dependency, nextDependency)
&& fileNameMatch(dependency, nextDependency)) {
if (isCore(dependency, nextDependency)) {
mergeDependencies(dependency, nextDependency, dependenciesToRemove);
@@ -169,20 +181,6 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer {
mergeDependencies(nextDependency, dependency, dependenciesToRemove);
break; //since we merged into the next dependency - skip forward to the next in mainIterator
}
} else if ((main = getMainGemspecDependency(dependency, nextDependency)) != null) {
if (main == dependency) {
mergeDependencies(dependency, nextDependency, dependenciesToRemove);
} else {
mergeDependencies(nextDependency, dependency, dependenciesToRemove);
break; //since we merged into the next dependency - skip forward to the next in mainIterator
}
} else if ((main = getMainSwiftDependency(dependency, nextDependency)) != null) {
if (main == dependency) {
mergeDependencies(dependency, nextDependency, dependenciesToRemove);
} else {
mergeDependencies(nextDependency, dependency, dependenciesToRemove);
break; //since we merged into the next dependency - skip forward to the next in mainIterator
}
}
}
}
@@ -224,7 +222,12 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer {
* @return a string representing the base path.
*/
private String getBaseRepoPath(final String path) {
int pos = path.indexOf("repository" + File.separator) + 11;
int pos;
if (path.contains("local-repo")) {
pos = path.indexOf("local-repo" + File.separator) + 11;
} else {
pos = path.indexOf("repository" + File.separator) + 11;
}
if (pos < 0) {
return path;
}
@@ -317,6 +320,19 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer {
return matches;
}
/**
* Returns true if the two dependencies have the same vulnerability count.
*
* @param dependency1 a dependency2 to compare
* @param dependency2 a dependency2 to compare
* @return true if the two dependencies have the same vulnerability count
*/
private boolean vulnCountMatches(Dependency dependency1, Dependency dependency2) {
return dependency1.getVulnerabilities() != null && dependency2.getVulnerabilities() != null
&& dependency1.getVulnerabilities().size() == dependency2.getVulnerabilities().size();
}
/**
* Determines if the two dependencies have the same base path.
*
@@ -341,7 +357,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer {
return true;
}
if (left.matches(".*[/\\\\]repository[/\\\\].*") && right.matches(".*[/\\\\]repository[/\\\\].*")) {
if (left.matches(".*[/\\\\](repository|local-repo)[/\\\\].*") && right.matches(".*[/\\\\](repository|local-repo)[/\\\\].*")) {
left = getBaseRepoPath(left);
right = getBaseRepoPath(right);
}
@@ -357,96 +373,6 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer {
return false;
}
/**
* Bundling Ruby gems that are identified from different .gemspec files but
* denote the same package path. This happens when Ruby bundler installs an
* application's dependencies by running "bundle install".
*
* @param dependency1 dependency to compare
* @param dependency2 dependency to compare
* @return true if the the dependencies being analyzed appear to be the
* same; otherwise false
*/
private boolean isSameRubyGem(Dependency dependency1, Dependency dependency2) {
if (dependency1 == null || dependency2 == null
|| !dependency1.getFileName().endsWith(".gemspec")
|| !dependency2.getFileName().endsWith(".gemspec")
|| dependency1.getPackagePath() == null
|| dependency2.getPackagePath() == null) {
return false;
}
return dependency1.getPackagePath().equalsIgnoreCase(dependency2.getPackagePath());
}
/**
* Ruby gems installed by "bundle install" can have zero or more *.gemspec
* files, all of which have the same packagePath and should be grouped. If
* one of these gemspec is from <parent>/specifications/*.gemspec, because
* it is a stub with fully resolved gem meta-data created by Ruby bundler,
* this dependency should be the main one. Otherwise, use dependency2 as
* main.
*
* This method returns null if any dependency is not from *.gemspec, or the
* two do not have the same packagePath. In this case, they should not be
* grouped.
*
* @param dependency1 dependency to compare
* @param dependency2 dependency to compare
* @return the main dependency; or null if a gemspec is not included in the
* analysis
*/
private Dependency getMainGemspecDependency(Dependency dependency1, Dependency dependency2) {
if (isSameRubyGem(dependency1, dependency2)) {
final File lFile = dependency1.getActualFile();
final File left = lFile.getParentFile();
if (left != null && left.getName().equalsIgnoreCase("specifications")) {
return dependency1;
}
return dependency2;
}
return null;
}
/**
* Bundling same swift dependencies with the same packagePath but identified
* by different analyzers.
*
* @param dependency1 dependency to test
* @param dependency2 dependency to test
* @return <code>true</code> if the dependencies appear to be the same;
* otherwise <code>false</code>
*/
private boolean isSameSwiftPackage(Dependency dependency1, Dependency dependency2) {
if (dependency1 == null || dependency2 == null
|| (!dependency1.getFileName().endsWith(".podspec")
&& !dependency1.getFileName().equals("Package.swift"))
|| (!dependency2.getFileName().endsWith(".podspec")
&& !dependency2.getFileName().equals("Package.swift"))
|| dependency1.getPackagePath() == null
|| dependency2.getPackagePath() == null) {
return false;
}
return dependency1.getPackagePath().equalsIgnoreCase(dependency2.getPackagePath());
}
/**
* Determines which of the swift dependencies should be considered the
* primary.
*
* @param dependency1 the first swift dependency to compare
* @param dependency2 the second swift dependency to compare
* @return the primary swift dependency
*/
private Dependency getMainSwiftDependency(Dependency dependency1, Dependency dependency2) {
if (isSameSwiftPackage(dependency1, dependency2)) {
if (dependency1.getFileName().endsWith(".podspec")) {
return dependency1;
}
return dependency2;
}
return null;
}
/**
* This is likely a very broken attempt at determining if the 'left'
* dependency is the 'core' library in comparison to the 'right' library.
@@ -469,10 +395,6 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer {
|| !rightName.contains("core") && leftName.contains("core")
|| !rightName.contains("kernel") && leftName.contains("kernel")) {
returnVal = true;
// } else if (leftName.matches(".*struts2\\-core.*") && rightName.matches(".*xwork\\-core.*")) {
// returnVal = true;
// } else if (rightName.matches(".*struts2\\-core.*") && leftName.matches(".*xwork\\-core.*")) {
// returnVal = false;
} else {
/*
* considered splitting the names up and comparing the components,
@@ -577,4 +499,5 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer {
private boolean containedInWar(String filePath) {
return filePath == null ? false : filePath.matches(".*\\.(ear|war)[\\\\/].*");
}
}

283
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java Normal file
View File

@@ -0,0 +1,283 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.analyzer;
import java.io.File;
import java.util.HashSet;
import java.util.Iterator;
import java.util.ListIterator;
import java.util.Set;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* <p>
* This analyzer will merge dependencies, created from different source, into a
* single dependency.</p>
*
* @author Jeremy Long
*/
public class DependencyMergingAnalyzer extends AbstractAnalyzer {
//<editor-fold defaultstate="collapsed" desc="Constants and Member Variables">
/**
* The Logger.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(DependencyMergingAnalyzer.class);
/**
* a flag indicating if this analyzer has run. This analyzer only runs once.
*/
private boolean analyzed = false;
/**
* Returns a flag indicating if this analyzer has run. This analyzer only
* runs once. Note this is currently only used in the unit tests.
*
* @return a flag indicating if this analyzer has run. This analyzer only
* runs once
*/
protected boolean getAnalyzed() {
return analyzed;
}
//</editor-fold>
//<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
/**
* The name of the analyzer.
*/
private static final String ANALYZER_NAME = "Dependency Merging Analyzer";
/**
* The phase that this analyzer is intended to run in.
*/
private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_INFORMATION_COLLECTION;
/**
* Returns the name of the analyzer.
*
* @return the name of the analyzer.
*/
@Override
public String getName() {
return ANALYZER_NAME;
}
/**
* Returns the phase that the analyzer is intended to run in.
*
* @return the phase that the analyzer is intended to run in.
*/
@Override
public AnalysisPhase getAnalysisPhase() {
return ANALYSIS_PHASE;
}
/**
* Does not support parallel processing as it only runs once and then
* operates on <em>all</em> dependencies.
*
* @return whether or not parallel processing is enabled
* @see #analyze(Dependency, Engine)
*/
@Override
public boolean supportsParallelProcessing() {
return false;
}
/**
* <p>
* Returns the setting key to determine if the analyzer is enabled.</p>
*
* @return the key for the analyzer's enabled property
*/
@Override
protected String getAnalyzerEnabledSettingKey() {
return Settings.KEYS.ANALYZER_DEPENDENCY_MERGING_ENABLED;
}
//</editor-fold>
/**
* Analyzes a set of dependencies. If they have been found to be the same
* dependency created by more multiple FileTypeAnalyzers (i.e. a gemspec
* dependency and a dependency from the Bundle Audit Analyzer. The
* dependencies are then merged into a single reportable item.
*
* @param ignore this analyzer ignores the dependency being analyzed
* @param engine the engine that is scanning the dependencies
* @throws AnalysisException is thrown if there is an error reading the JAR
* file.
*/
@Override
protected synchronized void analyzeDependency(Dependency ignore, Engine engine) throws AnalysisException {
if (!analyzed) {
analyzed = true;
final Set<Dependency> dependenciesToRemove = new HashSet<Dependency>();
final ListIterator<Dependency> mainIterator = engine.getDependencies().listIterator();
//for (Dependency nextDependency : engine.getDependencies()) {
while (mainIterator.hasNext()) {
final Dependency dependency = mainIterator.next();
if (mainIterator.hasNext() && !dependenciesToRemove.contains(dependency)) {
final ListIterator<Dependency> subIterator = engine.getDependencies().listIterator(mainIterator.nextIndex());
while (subIterator.hasNext()) {
final Dependency nextDependency = subIterator.next();
Dependency main = null;
if ((main = getMainGemspecDependency(dependency, nextDependency)) != null) {
if (main == dependency) {
mergeDependencies(dependency, nextDependency, dependenciesToRemove);
} else {
mergeDependencies(nextDependency, dependency, dependenciesToRemove);
break; //since we merged into the next dependency - skip forward to the next in mainIterator
}
} else if ((main = getMainSwiftDependency(dependency, nextDependency)) != null) {
if (main == dependency) {
mergeDependencies(dependency, nextDependency, dependenciesToRemove);
} else {
mergeDependencies(nextDependency, dependency, dependenciesToRemove);
break; //since we merged into the next dependency - skip forward to the next in mainIterator
}
}
}
}
}
//removing dependencies here as ensuring correctness and avoiding ConcurrentUpdateExceptions
// was difficult because of the inner iterator.
engine.getDependencies().removeAll(dependenciesToRemove);
}
}
/**
* Adds the relatedDependency to the dependency's related dependencies.
*
* @param dependency the main dependency
* @param relatedDependency a collection of dependencies to be removed from
* the main analysis loop, this is the source of dependencies to remove
* @param dependenciesToRemove a collection of dependencies that will be
* removed from the main analysis loop, this function adds to this
* collection
*/
private void mergeDependencies(final Dependency dependency, final Dependency relatedDependency, final Set<Dependency> dependenciesToRemove) {
LOGGER.debug("Merging '{}' into '{}'", relatedDependency.getFilePath(), dependency.getFilePath());
dependency.addRelatedDependency(relatedDependency);
dependency.getVendorEvidence().getEvidence().addAll(relatedDependency.getVendorEvidence().getEvidence());
dependency.getProductEvidence().getEvidence().addAll(relatedDependency.getProductEvidence().getEvidence());
dependency.getVersionEvidence().getEvidence().addAll(relatedDependency.getVersionEvidence().getEvidence());
final Iterator<Dependency> i = relatedDependency.getRelatedDependencies().iterator();
while (i.hasNext()) {
dependency.addRelatedDependency(i.next());
i.remove();
}
if (dependency.getSha1sum().equals(relatedDependency.getSha1sum())) {
dependency.addAllProjectReferences(relatedDependency.getProjectReferences());
}
dependenciesToRemove.add(relatedDependency);
}
/**
* Bundling Ruby gems that are identified from different .gemspec files but
* denote the same package path. This happens when Ruby bundler installs an
* application's dependencies by running "bundle install".
*
* @param dependency1 dependency to compare
* @param dependency2 dependency to compare
* @return true if the the dependencies being analyzed appear to be the
* same; otherwise false
*/
private boolean isSameRubyGem(Dependency dependency1, Dependency dependency2) {
if (dependency1 == null || dependency2 == null
|| !dependency1.getFileName().endsWith(".gemspec")
|| !dependency2.getFileName().endsWith(".gemspec")
|| dependency1.getPackagePath() == null
|| dependency2.getPackagePath() == null) {
return false;
}
return dependency1.getPackagePath().equalsIgnoreCase(dependency2.getPackagePath());
}
/**
* Ruby gems installed by "bundle install" can have zero or more *.gemspec
* files, all of which have the same packagePath and should be grouped. If
* one of these gemspec is from <parent>/specifications/*.gemspec, because
* it is a stub with fully resolved gem meta-data created by Ruby bundler,
* this dependency should be the main one. Otherwise, use dependency2 as
* main.
*
* This method returns null if any dependency is not from *.gemspec, or the
* two do not have the same packagePath. In this case, they should not be
* grouped.
*
* @param dependency1 dependency to compare
* @param dependency2 dependency to compare
* @return the main dependency; or null if a gemspec is not included in the
* analysis
*/
private Dependency getMainGemspecDependency(Dependency dependency1, Dependency dependency2) {
if (isSameRubyGem(dependency1, dependency2)) {
final File lFile = dependency1.getActualFile();
final File left = lFile.getParentFile();
if (left != null && left.getName().equalsIgnoreCase("specifications")) {
return dependency1;
}
return dependency2;
}
return null;
}
/**
* Bundling same swift dependencies with the same packagePath but identified
* by different file type analyzers.
*
* @param dependency1 dependency to test
* @param dependency2 dependency to test
* @return <code>true</code> if the dependencies appear to be the same;
* otherwise <code>false</code>
*/
private boolean isSameSwiftPackage(Dependency dependency1, Dependency dependency2) {
if (dependency1 == null || dependency2 == null
|| (!dependency1.getFileName().endsWith(".podspec")
&& !dependency1.getFileName().equals("Package.swift"))
|| (!dependency2.getFileName().endsWith(".podspec")
&& !dependency2.getFileName().equals("Package.swift"))
|| dependency1.getPackagePath() == null
|| dependency2.getPackagePath() == null) {
return false;
}
return dependency1.getPackagePath().equalsIgnoreCase(dependency2.getPackagePath());
}
/**
* Determines which of the swift dependencies should be considered the
* primary.
*
* @param dependency1 the first swift dependency to compare
* @param dependency2 the second swift dependency to compare
* @return the primary swift dependency
*/
private Dependency getMainSwiftDependency(Dependency dependency1, Dependency dependency2) {
if (isSameSwiftPackage(dependency1, dependency2)) {
if (dependency1.getFileName().endsWith(".podspec")) {
return dependency1;
}
return dependency2;
}
return null;
}
}

13
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
View File

@@ -34,6 +34,7 @@ import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Identifier;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
import org.owasp.dependencycheck.utils.FileFilterBuilder;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -83,6 +84,16 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
public AnalysisPhase getAnalysisPhase() {
return ANALYSIS_PHASE;
}
/**
* <p>
* Returns the setting key to determine if the analyzer is enabled.</p>
*
* @return the key for the analyzer's enabled property
*/
@Override
protected String getAnalyzerEnabledSettingKey() {
return Settings.KEYS.ANALYZER_FALSE_POSITIVE_ENABLED;
}
//</editor-fold>
/**
@@ -93,7 +104,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
* @throws AnalysisException is thrown if there is an error reading the JAR file.
*/
@Override
public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
removeJreEntries(dependency);
removeBadMatches(dependency);
removeBadSpringMatches(dependency);

13
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java
View File

@@ -27,6 +27,7 @@ import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.utils.DependencyVersion;
import org.owasp.dependencycheck.utils.DependencyVersionUtil;
import org.owasp.dependencycheck.utils.Settings;
/**
*
@@ -65,6 +66,16 @@ public class FileNameAnalyzer extends AbstractAnalyzer {
public AnalysisPhase getAnalysisPhase() {
return ANALYSIS_PHASE;
}
/**
* <p>
* Returns the setting key to determine if the analyzer is enabled.</p>
*
* @return the key for the analyzer's enabled property
*/
@Override
protected String getAnalyzerEnabledSettingKey() {
return Settings.KEYS.ANALYZER_FILE_NAME_ENABLED;
}
//</editor-fold>
/**
@@ -86,7 +97,7 @@ public class FileNameAnalyzer extends AbstractAnalyzer {
* file.
*/
@Override
public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
//strip any path information that may get added by ArchiveAnalyzer, etc.
final File f = dependency.getActualFile();

4
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileTypeAnalyzer.java
View File

@@ -26,8 +26,4 @@ import java.io.FileFilter;
*/
public interface FileTypeAnalyzer extends Analyzer, FileFilter {
/**
* Resets the analyzers state.
*/
void reset();
}

15
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
View File

@@ -82,6 +82,16 @@ public class HintAnalyzer extends AbstractAnalyzer {
public AnalysisPhase getAnalysisPhase() {
return ANALYSIS_PHASE;
}
/**
* <p>
* Returns the setting key to determine if the analyzer is enabled.</p>
*
* @return the key for the analyzer's enabled property
*/
@Override
protected String getAnalyzerEnabledSettingKey() {
return Settings.KEYS.ANALYZER_HINT_ENABLED;
}
/**
* The initialize method does nothing for this Analyzer.
@@ -89,9 +99,8 @@ public class HintAnalyzer extends AbstractAnalyzer {
* @throws InitializationException thrown if there is an exception
*/
@Override
public void initialize() throws InitializationException {
public void initializeAnalyzer() throws InitializationException {
try {
super.initialize();
loadHintRules();
} catch (HintParseException ex) {
LOGGER.debug("Unable to parse hint file", ex);
@@ -123,7 +132,7 @@ public class HintAnalyzer extends AbstractAnalyzer {
* the dependency.
*/
@Override
public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
for (HintRule hint : hints.getHintRules()) {
boolean shouldAdd = false;
for (Evidence given : hint.getGivenVendor()) {

201
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
View File

@@ -23,8 +23,8 @@ import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.Reader;
import java.io.UnsupportedEncodingException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashMap;
@@ -227,7 +227,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
* file.
*/
@Override
public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
try {
final List<ClassNameInformation> classNames = collectClassNames(dependency);
final String fileName = dependency.getFileName().toLowerCase();
@@ -243,7 +243,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
final boolean addPackagesAsEvidence = !(hasManifest && hasPOM);
analyzePackageNames(classNames, dependency, addPackagesAsEvidence);
} catch (IOException ex) {
throw new AnalysisException("Exception occurred reading the JAR file.", ex);
throw new AnalysisException("Exception occurred reading the JAR file (" + dependency.getFileName() + ").", ex);
}
}
@@ -260,81 +260,93 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
* @return whether or not evidence was added to the dependency
*/
protected boolean analyzePOM(Dependency dependency, List<ClassNameInformation> classes, Engine engine) throws AnalysisException {
boolean foundSomething = false;
final JarFile jar;
JarFile jar = null;
List<String> pomEntries = null;
try {
jar = new JarFile(dependency.getActualFilePath());
pomEntries = retrievePomListing(jar);
} catch (IOException ex) {
LOGGER.warn("Unable to read JarFile '{}'.", dependency.getActualFilePath());
LOGGER.trace("", ex);
return false;
}
List<String> pomEntries;
try {
pomEntries = retrievePomListing(jar);
} catch (IOException ex) {
LOGGER.warn("Unable to read Jar file entries in '{}'.", dependency.getActualFilePath());
LOGGER.trace("", ex);
return false;
}
File externalPom = null;
if (pomEntries.isEmpty()) {
final String pomPath = FilenameUtils.removeExtension(dependency.getActualFilePath()) + ".pom";
externalPom = new File(pomPath);
if (externalPom.isFile()) {
pomEntries.add(pomPath);
} else {
return false;
}
}
for (String path : pomEntries) {
LOGGER.debug("Reading pom entry: {}", path);
Properties pomProperties = null;
try {
if (externalPom == null) {
pomProperties = retrievePomProperties(path, jar);
if (jar != null) {
try {
jar.close();
} catch (IOException ex1) {
LOGGER.trace("", ex1);
}
} catch (IOException ex) {
LOGGER.trace("ignore this, failed reading a non-existent pom.properties", ex);
}
Model pom = null;
return false;
}
if (pomEntries != null && pomEntries.size() <= 1) {
try {
if (pomEntries.size() > 1) {
//extract POM to its own directory and add it as its own dependency
final Dependency newDependency = new Dependency();
pom = extractPom(path, jar, newDependency);
final String displayPath = String.format("%s%s%s",
dependency.getFilePath(),
File.separator,
path);
final String displayName = String.format("%s%s%s",
dependency.getFileName(),
File.separator,
path);
newDependency.setFileName(displayName);
newDependency.setFilePath(displayPath);
pom.processProperties(pomProperties);
setPomEvidence(newDependency, pom, null);
engine.getDependencies().add(newDependency);
String path = null;
Properties pomProperties = null;
File pomFile = null;
if (pomEntries.size() == 1) {
path = pomEntries.get(0);
pomFile = extractPom(path, jar);
pomProperties = retrievePomProperties(path, jar);
} else {
if (externalPom == null) {
pom = PomUtils.readPom(path, jar);
} else {
pom = PomUtils.readPom(externalPom);
path = FilenameUtils.removeExtension(dependency.getActualFilePath()) + ".pom";
pomFile = new File(path);
}
if (pomFile.isFile()) {
final Model pom = PomUtils.readPom(pomFile);
if (pom != null && pomProperties != null) {
pom.processProperties(pomProperties);
}
if (pom != null) {
pom.processProperties(pomProperties);
foundSomething |= setPomEvidence(dependency, pom, classes);
return setPomEvidence(dependency, pom, classes);
}
return false;
} else {
return false;
}
} finally {
try {
jar.close();
} catch (IOException ex) {
LOGGER.trace("", ex);
}
}
}
//reported possible null dereference on pomEntries is on a non-feasible path
for (String path : pomEntries) {
//TODO - one of these is likely the pom for the main JAR we are analyzing
LOGGER.debug("Reading pom entry: {}", path);
try {
//extract POM to its own directory and add it as its own dependency
final Properties pomProperties = retrievePomProperties(path, jar);
final File pomFile = extractPom(path, jar);
final Model pom = PomUtils.readPom(pomFile);
pom.processProperties(pomProperties);
final String displayPath = String.format("%s%s%s",
dependency.getFilePath(),
File.separator,
path);
final String displayName = String.format("%s%s%s",
dependency.getFileName(),
File.separator,
path);
final Dependency newDependency = new Dependency();
newDependency.setActualFilePath(pomFile.getAbsolutePath());
newDependency.setFileName(displayName);
newDependency.setFilePath(displayPath);
setPomEvidence(newDependency, pom, null);
engine.getDependencies().add(newDependency);
} catch (AnalysisException ex) {
LOGGER.warn("An error occurred while analyzing '{}'.", dependency.getActualFilePath());
LOGGER.trace("", ex);
}
}
return foundSomething;
try {
jar.close();
} catch (IOException ex) {
LOGGER.trace("", ex);
}
return false;
}
/**
@@ -347,7 +359,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
* @throws IOException thrown if there is an exception reading the
* pom.properties
*/
private Properties retrievePomProperties(String path, final JarFile jar) throws IOException {
private Properties retrievePomProperties(String path, final JarFile jar) {
Properties pomProperties = null;
final String propPath = path.substring(0, path.length() - 7) + "pom.properies";
final ZipEntry propEntry = jar.getEntry(propPath);
@@ -358,6 +370,10 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
pomProperties = new Properties();
pomProperties.load(reader);
LOGGER.debug("Read pom.properties: {}", propPath);
} catch (UnsupportedEncodingException ex) {
LOGGER.trace("UTF-8 is not supported", ex);
} catch (IOException ex) {
LOGGER.trace("Unable to read the POM properties", ex);
} finally {
if (reader != null) {
try {
@@ -394,16 +410,15 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
* Retrieves the specified POM from a jar file and converts it to a Model.
* Retrieves the specified POM from a jar.
*
* @param path the path to the pom.xml file within the jar file
* @param jar the jar file to extract the pom from
* @param dependency the dependency being analyzed
* @return returns the POM object
* @return returns the POM file
* @throws AnalysisException is thrown if there is an exception extracting
* or parsing the POM {@link org.owasp.dependencycheck.xml.pom.Model} object
* the file
*/
private Model extractPom(String path, JarFile jar, Dependency dependency) throws AnalysisException {
private File extractPom(String path, JarFile jar) throws AnalysisException {
InputStream input = null;
FileOutputStream fos = null;
final File tmpDir = getNextTempDirectory();
@@ -416,45 +431,14 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
input = jar.getInputStream(entry);
fos = new FileOutputStream(file);
IOUtils.copy(input, fos);
dependency.setActualFilePath(file.getAbsolutePath());
} catch (IOException ex) {
LOGGER.warn("An error occurred reading '{}' from '{}'.", path, dependency.getFilePath());
LOGGER.warn("An error occurred reading '{}' from '{}'.", path, jar.getName());
LOGGER.error("", ex);
} finally {
closeStream(fos);
closeStream(input);
}
return PomUtils.readPom(file);
}
/**
* Silently closes an input stream ignoring errors.
*
* @param stream an input stream to close
*/
private void closeStream(InputStream stream) {
if (stream != null) {
try {
stream.close();
} catch (IOException ex) {
LOGGER.trace("", ex);
}
}
}
/**
* Silently closes an output stream ignoring errors.
*
* @param stream an output stream to close
*/
private void closeStream(OutputStream stream) {
if (stream != null) {
try {
stream.close();
} catch (IOException ex) {
LOGGER.trace("", ex);
}
FileUtils.close(fos);
FileUtils.close(input);
}
return file;
}
/**
@@ -649,7 +633,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
* @return whether evidence was identified parsing the manifest
* @throws IOException if there is an issue reading the JAR file
*/
protected boolean parseManifest(Dependency dependency, List<ClassNameInformation> classInformation) throws IOException {
protected boolean parseManifest(Dependency dependency, List<ClassNameInformation> classInformation)
throws IOException {
boolean foundSomething = false;
JarFile jar = null;
try {
@@ -734,11 +719,11 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
} else if ("build-id".equals(key)) {
int pos = value.indexOf('(');
if (pos >= 0) {
if (pos > 0) {
value = value.substring(0, pos - 1);
}
pos = value.indexOf('[');
if (pos >= 0) {
if (pos > 0) {
value = value.substring(0, pos - 1);
}
versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
@@ -927,7 +912,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
* Deletes any files extracted from the JAR during analysis.
*/
@Override
public void close() {
public void closeAnalyzer() {
if (tempFileLocation != null && tempFileLocation.exists()) {
LOGGER.debug("Attempting to delete temporary files");
final boolean success = FileUtils.delete(tempFileLocation);
@@ -1013,13 +998,11 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
if (list.size() == 2) {
addEntry(product, list.get(1));
}
if (list.size() == 3) {
} else if (list.size() == 3) {
addEntry(vendor, list.get(1));
addEntry(product, list.get(1));
addEntry(product, list.get(2));
}
if (list.size() >= 4) {
} else if (list.size() >= 4) {
addEntry(vendor, list.get(1));
addEntry(vendor, list.get(2));
addEntry(product, list.get(1));

7
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java
View File

@@ -87,6 +87,9 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
*/
private static final String SUPPORTED_EXTENSIONS = "jar";
/**
* Whether or not the Nexus analyzer should use a proxy if configured.
*/
private boolean useProxy;
/**
* The Nexus Search to be set up for this analyzer.
@@ -215,7 +218,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
* @throws AnalysisException when there's an exception during analysis
*/
@Override
public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
if (!isEnabled()) {
return;
}
@@ -265,7 +268,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
LOGGER.debug("Could not connect to nexus repository", ioe);
}
}
/**
* Determine if a proxy should be used.
*

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
View File

@@ -121,7 +121,7 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
}
@Override
protected void analyzeFileType(Dependency dependency, Engine engine)
protected void analyzeDependency(Dependency dependency, Engine engine)
throws AnalysisException {
final File file = dependency.getActualFile();
JsonReader jsonReader;

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
View File

@@ -127,7 +127,7 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {
* @throws AnalysisException when there's an exception during analysis
*/
@Override
public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
LOGGER.debug("Checking Nuspec file {}", dependency);
try {
final NuspecParser parser = new XPathNuspecParser();

38
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java
View File

@@ -28,15 +28,18 @@ import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Identifier;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.exception.InitializationException;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.LoggerFactory;
/**
* NvdCveAnalyzer is a utility class that takes a project dependency and attempts to discern if there is an associated
* CVEs. It uses the the identifiers found by other analyzers to lookup the CVE data.
* NvdCveAnalyzer is a utility class that takes a project dependency and
* attempts to discern if there is an associated CVEs. It uses the the
* identifiers found by other analyzers to lookup the CVE data.
*
* @author Jeremy Long
*/
public class NvdCveAnalyzer extends AbstractAnalyzer {
/**
* The Logger for use throughout the class
*/
@@ -56,7 +59,8 @@ public class NvdCveAnalyzer extends AbstractAnalyzer {
* @throws SQLException thrown when there is a SQL Exception
* @throws IOException thrown when there is an IO Exception
* @throws DatabaseException thrown when there is a database exceptions
* @throws ClassNotFoundException thrown if the h2 database driver cannot be loaded
* @throws ClassNotFoundException thrown if the h2 database driver cannot be
* loaded
*/
public void open() throws SQLException, IOException, DatabaseException, ClassNotFoundException {
cveDB = new CveDB();
@@ -67,7 +71,7 @@ public class NvdCveAnalyzer extends AbstractAnalyzer {
* Closes the data source.
*/
@Override
public void close() {
public void closeAnalyzer() {
cveDB.close();
cveDB = null;
}
@@ -95,14 +99,16 @@ public class NvdCveAnalyzer extends AbstractAnalyzer {
}
/**
* Analyzes a dependency and attempts to determine if there are any CPE identifiers for this dependency.
* Analyzes a dependency and attempts to determine if there are any CPE
* identifiers for this dependency.
*
* @param dependency The Dependency to analyze
* @param engine The analysis engine
* @throws AnalysisException thrown if there is an issue analyzing the dependency
* @throws AnalysisException thrown if there is an issue analyzing the
* dependency
*/
@Override
public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
for (Identifier id : dependency.getIdentifiers()) {
if ("cpe".equals(id.getType())) {
try {
@@ -148,12 +154,24 @@ public class NvdCveAnalyzer extends AbstractAnalyzer {
}
/**
* Opens the database used to gather NVD CVE data.
* <p>
* Returns the setting key to determine if the analyzer is enabled.</p>
*
* @throws InitializationException is thrown if there is an issue opening the index.
* @return the key for the analyzer's enabled property
*/
@Override
public void initialize() throws InitializationException {
protected String getAnalyzerEnabledSettingKey() {
return Settings.KEYS.ANALYZER_NVD_CVE_ENABLED;
}
/**
* Opens the database used to gather NVD CVE data.
*
* @throws InitializationException is thrown if there is an issue opening
* the index.
*/
@Override
public void initializeAnalyzer() throws InitializationException {
try {
this.open();
} catch (SQLException ex) {

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java
View File

@@ -162,7 +162,7 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
* analyzing the dependency
*/
@Override
protected void analyzeFileType(Dependency dependency, Engine engine)
protected void analyzeDependency(Dependency dependency, Engine engine)
throws AnalysisException {
final File file = dependency.getActualFile();
final String parentName = file.getParentFile().getName();

4
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
View File

@@ -181,7 +181,7 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
}
@Override
protected void analyzeFileType(Dependency dependency, Engine engine)
protected void analyzeDependency(Dependency dependency, Engine engine)
throws AnalysisException {
final File actualFile = dependency.getActualFile();
if (WHL_FILTER.accept(actualFile)) {
@@ -273,7 +273,7 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
* Deletes any files extracted from the Wheel during analysis.
*/
@Override
public void close() {
public void closeAnalyzer() {
if (tempFileLocation != null && tempFileLocation.exists()) {
LOGGER.debug("Attempting to delete temporary files");
final boolean success = FileUtils.delete(tempFileLocation);

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java
View File

@@ -171,7 +171,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
* analyzing the dependency
*/
@Override
protected void analyzeFileType(Dependency dependency, Engine engine)
protected void analyzeDependency(Dependency dependency, Engine engine)
throws AnalysisException {
final File file = dependency.getActualFile();
final File parent = file.getParentFile();

14
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
View File

@@ -115,7 +115,15 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
}
final List<String> args = new ArrayList<String>();
final String bundleAuditPath = Settings.getString(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH);
args.add(null == bundleAuditPath ? "bundle-audit" : bundleAuditPath);
File bundleAudit = null;
if (bundleAuditPath != null) {
bundleAudit = new File(bundleAuditPath);
if (!bundleAudit.isFile()) {
LOGGER.warn("Supplied `bundleAudit` path is incorrect: " + bundleAuditPath);
bundleAudit = null;
}
}
args.add(bundleAudit != null && bundleAudit.isFile() ? bundleAudit.getAbsolutePath() : "bundle-audit");
args.add("check");
args.add("--verbose");
final ProcessBuilder builder = new ProcessBuilder(args);
@@ -244,7 +252,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
* If {@link #analyzeFileType(Dependency, Engine)} is called, then we have
* If {@link #analyzeDependency(Dependency, Engine)} is called, then we have
* successfully initialized, and it will be necessary to disable
* {@link RubyGemspecAnalyzer}.
*/
@@ -258,7 +266,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
* @throws AnalysisException thrown if there is an analysis exception.
*/
@Override
protected void analyzeFileType(Dependency dependency, Engine engine)
protected void analyzeDependency(Dependency dependency, Engine engine)
throws AnalysisException {
if (needToDisableGemspecAnalyzer) {
boolean failed = true;

13
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java
View File

@@ -27,8 +27,9 @@ import org.owasp.dependencycheck.dependency.Dependency;
/**
* This analyzer accepts the fully resolved .gemspec created by the Ruby bundler
* (http://bundler.io) for better evidence results. It also tries to resolve the
* dependency packagePath to where the gem is actually installed. Then during {@link org.owasp.dependencycheck.analyzer.AnalysisPhase#PRE_FINDING_ANALYSIS}
* {@link DependencyBundlingAnalyzer} will merge two .gemspec dependencies
* dependency packagePath to where the gem is actually installed. Then during
* the {@link org.owasp.dependencycheck.analyzer.AnalysisPhase#PRE_FINDING_ANALYSIS}
* {@link DependencyMergingAnalyzer} will merge two .gemspec dependencies
* together if <code>Dependency.getPackagePath()</code> are the same.
*
* Ruby bundler creates new .gemspec files under a folder called
@@ -39,8 +40,8 @@ import org.owasp.dependencycheck.dependency.Dependency;
* can't be used for evidences.
*
* Note this analyzer share the same
* {@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_RUBY_GEMSPEC_ENABLED} as
* {@link RubyGemspecAnalyzer}, so it will enabled/disabled with
* {@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_RUBY_GEMSPEC_ENABLED}
* as {@link RubyGemspecAnalyzer}, so it will enabled/disabled with
* {@link RubyGemspecAnalyzer}.
*
* @author Bianca Jiang (https://twitter.com/biancajiang)
@@ -93,9 +94,9 @@ public class RubyBundlerAnalyzer extends RubyGemspecAnalyzer {
}
@Override
protected void analyzeFileType(Dependency dependency, Engine engine)
protected void analyzeDependency(Dependency dependency, Engine engine)
throws AnalysisException {
super.analyzeFileType(dependency, engine);
super.analyzeDependency(dependency, engine);
//find the corresponding gem folder for this .gemspec stub by "bundle install --deployment"
final File gemspecFile = dependency.getActualFile();

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java
View File

@@ -130,7 +130,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
private static final Pattern GEMSPEC_BLOCK_INIT = Pattern.compile("Gem::Specification\\.new\\s+?do\\s+?\\|(.+?)\\|");
@Override
protected void analyzeFileType(Dependency dependency, Engine engine)
protected void analyzeDependency(Dependency dependency, Engine engine)
throws AnalysisException {
String contents;
try {

2
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java
View File

@@ -116,7 +116,7 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
}
@Override
protected void analyzeFileType(Dependency dependency, Engine engine)
protected void analyzeDependency(Dependency dependency, Engine engine)
throws AnalysisException {
String contents;

169
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java Normal file
View File

@@ -0,0 +1,169 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2017 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.analyzer;
import java.util.Iterator;
import java.util.Objects;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
import org.owasp.dependencycheck.dependency.EvidenceCollection;
import org.owasp.dependencycheck.utils.DependencyVersion;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* This analyzer attempts to filter out erroneous version numbers collected.
* Initially, this will focus on JAR files that contain a POM version number
* that matches the file name - if identified all other version information will
* be removed.
*
* @author Jeremy Long
*/
public class VersionFilterAnalyzer extends AbstractAnalyzer {
//<editor-fold defaultstate="collapsed" desc="Constaints">
/**
* Evidence source.
*/
private static final String FILE = "file";
/**
* Evidence source.
*/
private static final String POM = "pom";
/**
* Evidence source.
*/
private static final String NEXUS = "nexus";
/**
* Evidence source.
*/
private static final String CENTRAL = "central";
/**
* Evidence source.
*/
private static final String MANIFEST = "Manifest";
/**
* Evidence name.
*/
private static final String VERSION = "version";
/**
* Evidence name.
*/
private static final String IMPLEMENTATION_VERSION = "Implementation-Version";
/**
* The name of the analyzer.
*/
private static final String ANALYZER_NAME = "Version Filter Analyzer";
/**
* The phase that this analyzer is intended to run in.
*/
private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_INFORMATION_COLLECTION;
//</editor-fold>
//<editor-fold defaultstate="collapsed" desc="Standard implementation of Analyzer">
/**
* Returns the name of the analyzer.
*
* @return the name of the analyzer.
*/
@Override
public String getName() {
return ANALYZER_NAME;
}
/**
* Returns the phase that the analyzer is intended to run in.
*
* @return the phase that the analyzer is intended to run in.
*/
@Override
public AnalysisPhase getAnalysisPhase() {
return ANALYSIS_PHASE;
}
/**
* Returns the setting key to determine if the analyzer is enabled.
*
* @return the key for the analyzer's enabled property
*/
@Override
protected String getAnalyzerEnabledSettingKey() {
return Settings.KEYS.ANALYZER_VERSION_FILTER_ENABLED;
}
//</editor-fold>
/**
* The Logger for use throughout the class
*/
private static final Logger LOGGER = LoggerFactory.getLogger(VersionFilterAnalyzer.class);
/**
* The HintAnalyzer uses knowledge about a dependency to add additional
* information to help in identification of identifiers or vulnerabilities.
*
* @param dependency The dependency being analyzed
* @param engine The scanning engine
* @throws AnalysisException is thrown if there is an exception analyzing
* the dependency.
*/
@Override
protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
String fileVersion = null;
String pomVersion = null;
String manifestVersion = null;
for (Evidence e : dependency.getVersionEvidence()) {
if (FILE.equals(e.getSource()) && VERSION.equals(e.getName())) {
fileVersion = e.getValue(Boolean.FALSE);
} else if ((NEXUS.equals(e.getSource()) || CENTRAL.equals(e.getSource())
|| POM.equals(e.getSource())) && VERSION.equals(e.getName())) {
pomVersion = e.getValue(Boolean.FALSE);
} else if (MANIFEST.equals(e.getSource()) && IMPLEMENTATION_VERSION.equals(e.getName())) {
manifestVersion = e.getValue(Boolean.FALSE);
}
}
//ensure we have at least two not null
if (((fileVersion == null ? 0 : 1) + (pomVersion == null ? 0 : 1) + (manifestVersion == null ? 0 : 1)) > 1) {
final DependencyVersion dvFile = new DependencyVersion(fileVersion);
final DependencyVersion dvPom = new DependencyVersion(pomVersion);
final DependencyVersion dvManifest = new DependencyVersion(manifestVersion);
final boolean fileMatch = Objects.equals(dvFile, dvPom) || Objects.equals(dvFile, dvManifest);
final boolean manifestMatch = Objects.equals(dvManifest, dvPom) || Objects.equals(dvManifest, dvFile);
final boolean pomMatch = Objects.equals(dvPom, dvFile) || Objects.equals(dvPom, dvManifest);
if (fileMatch || manifestMatch || pomMatch) {
LOGGER.debug("filtering evidence from {}", dependency.getFileName());
final EvidenceCollection versionEvidence = dependency.getVersionEvidence();
synchronized (versionEvidence) {
final Iterator<Evidence> itr = versionEvidence.iterator();
while (itr.hasNext()) {
final Evidence e = itr.next();
if (!(pomMatch && VERSION.equals(e.getName())
&& (NEXUS.equals(e.getSource()) || CENTRAL.equals(e.getSource()) || POM.equals(e.getSource())))
&& !(fileMatch && VERSION.equals(e.getName()) && FILE.equals(e.getSource()))
&& !(manifestMatch && MANIFEST.equals(e.getSource()) && IMPLEMENTATION_VERSION.equals(e.getName()))) {
itr.remove();
}
}
}
}
}
}
}

27
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzer.java
View File

@@ -20,11 +20,13 @@ package org.owasp.dependencycheck.analyzer;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.utils.Settings;
import org.owasp.dependencycheck.xml.suppression.SuppressionRule;
/**
* The suppression analyzer processes an externally defined XML document that complies with the suppressions.xsd schema.
* Any identified Vulnerability entries within the dependencies that match will be removed.
* The suppression analyzer processes an externally defined XML document that
* complies with the suppressions.xsd schema. Any identified Vulnerability
* entries within the dependencies that match will be removed.
*
* @author Jeremy Long
*/
@@ -59,10 +61,29 @@ public class VulnerabilitySuppressionAnalyzer extends AbstractSuppressionAnalyze
public AnalysisPhase getAnalysisPhase() {
return ANALYSIS_PHASE;
}
/**
* <p>
* Returns the setting key to determine if the analyzer is enabled.</p>
*
* @return the key for the analyzer's enabled property
*/
@Override
protected String getAnalyzerEnabledSettingKey() {
return Settings.KEYS.ANALYZER_VULNERABILITY_SUPPRESSION_ENABLED;
}
//</editor-fold>
/**
* Analyzes a dependency's vulnerabilities against the configured CVE
* suppressions.
*
* @param dependency the dependency being analyzed
* @param engine a reference to the engine orchestrating the analysis
* @throws AnalysisException thrown if there is an error during analysis
*/
@Override
public void analyze(final Dependency dependency, final Engine engine) throws AnalysisException {
protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
if (getRules() == null || getRules().size() <= 0) {
return;

6
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
View File

@@ -24,13 +24,13 @@ import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.owasp.dependencycheck.data.nexus.MavenArtifact;
import org.owasp.dependencycheck.utils.Settings;
import org.owasp.dependencycheck.utils.URLConnectionFactory;
import org.owasp.dependencycheck.utils.XmlUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
@@ -110,9 +110,7 @@ public class CentralSearch {
if (conn.getResponseCode() == 200) {
boolean missing = false;
try {
final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
final DocumentBuilder builder = factory.newDocumentBuilder();
final DocumentBuilder builder = XmlUtils.buildSecureDocumentBuilder();
final Document doc = builder.parse(conn.getInputStream());
final XPath xpath = XPathFactory.newInstance().newXPath();
final String numFound = xpath.evaluate("/response/result/@numFound", doc);

11
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java
View File

@@ -22,13 +22,11 @@ import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
import org.owasp.dependencycheck.utils.InvalidSettingException;
import org.owasp.dependencycheck.utils.Settings;
import org.owasp.dependencycheck.utils.URLConnectionFactory;
import org.owasp.dependencycheck.utils.XmlUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
@@ -104,9 +102,7 @@ public class NexusSearch {
switch (conn.getResponseCode()) {
case 200:
try {
final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
final DocumentBuilder builder = factory.newDocumentBuilder();
final DocumentBuilder builder = XmlUtils.buildSecureDocumentBuilder();
final Document doc = builder.parse(conn.getInputStream());
final XPath xpath = XPathFactory.newInstance().newXPath();
final String groupId = xpath
@@ -167,7 +163,8 @@ public class NexusSearch {
LOGGER.warn("Expected 200 result from Nexus, got {}", conn.getResponseCode());
return false;
}
final DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
final DocumentBuilder builder = XmlUtils.buildSecureDocumentBuilder();
final Document doc = builder.parse(conn.getInputStream());
if (!"status".equals(doc.getDocumentElement().getNodeName())) {
LOGGER.warn("Expected root node name of status, got {}", doc.getDocumentElement().getNodeName());

8
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParser.java
View File

@@ -18,10 +18,11 @@
package org.owasp.dependencycheck.data.nuget;
import java.io.InputStream;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.owasp.dependencycheck.utils.XmlUtils;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
@@ -57,9 +58,8 @@ public class XPathNuspecParser implements NuspecParser {
@Override
public NugetPackage parse(InputStream stream) throws NuspecParseException {
try {
final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
final Document d = factory.newDocumentBuilder().parse(stream);
final DocumentBuilder db = XmlUtils.buildSecureDocumentBuilder();
final Document d = db.parse(stream);
final XPath xpath = XPathFactory.newInstance().newXPath();
final NugetPackage nuspec = new NugetPackage();

42
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java
View File

@@ -17,13 +17,13 @@
*/
package org.owasp.dependencycheck.data.nvdcve;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Properties;
import java.util.TreeMap;
import org.joda.time.DateTime;
import org.joda.time.format.DateTimeFormat;
import org.joda.time.format.DateTimeFormatter;
import org.owasp.dependencycheck.data.update.nvd.NvdCveInfo;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.slf4j.Logger;
@@ -41,21 +41,24 @@ public class DatabaseProperties {
*/
private static final Logger LOGGER = LoggerFactory.getLogger(DatabaseProperties.class);
/**
* Modified key word, used as a key to store information about the modified file (i.e. the containing the last 8 days of
* updates)..
* Modified key word, used as a key to store information about the modified
* file (i.e. the containing the last 8 days of updates)..
*/
public static final String MODIFIED = "Modified";
/**
* The properties file key for the last checked field - used to store the last check time of the Modified NVD CVE xml file.
* The properties file key for the last checked field - used to store the
* last check time of the Modified NVD CVE xml file.
*/
public static final String LAST_CHECKED = "NVD CVE Checked";
/**
* The properties file key for the last updated field - used to store the last updated time of the Modified NVD CVE xml file.
* The properties file key for the last updated field - used to store the
* last updated time of the Modified NVD CVE xml file.
*/
public static final String LAST_UPDATED = "NVD CVE Modified";
/**
* Stores the last updated time for each of the NVD CVE files. These timestamps should be updated if we process the modified
* file within 7 days of the last update.
* Stores the last updated time for each of the NVD CVE files. These
* timestamps should be updated if we process the modified file within 7
* days of the last update.
*/
public static final String LAST_UPDATED_BASE = "NVD CVE ";
/**
@@ -121,7 +124,8 @@ public class DatabaseProperties {
}
/**
* Returns the property value for the given key. If the key is not contained in the underlying properties null is returned.
* Returns the property value for the given key. If the key is not contained
* in the underlying properties null is returned.
*
* @param key the property key
* @return the value of the property
@@ -131,8 +135,8 @@ public class DatabaseProperties {
}
/**
* Returns the property value for the given key. If the key is not contained in the underlying properties the default value is
* returned.
* Returns the property value for the given key. If the key is not contained
* in the underlying properties the default value is returned.
*
* @param key the property key
* @param defaultValue the default value
@@ -152,8 +156,9 @@ public class DatabaseProperties {
}
/**
* Returns a map of the meta data from the database properties. This primarily contains timestamps of when the NVD CVE
* information was last updated.
* Returns a map of the meta data from the database properties. This
* primarily contains timestamps of when the NVD CVE information was last
* updated.
*
* @return a map of the database meta data
*/
@@ -165,9 +170,12 @@ public class DatabaseProperties {
if (key.startsWith("NVD CVE ")) {
try {
final long epoch = Long.parseLong((String) entry.getValue());
final Date date = new Date(epoch);
final DateFormat format = new SimpleDateFormat("dd/MM/yyyy HH:mm:ss");
final String formatted = format.format(date);
final DateTime date = new DateTime(epoch);
final DateTimeFormatter format = DateTimeFormat.forPattern("dd/MM/yyyy HH:mm:ss");
final String formatted = format.print(date);
// final Date date = new Date(epoch);
// final DateFormat format = new SimpleDateFormat("dd/MM/yyyy HH:mm:ss");
// final String formatted = format.format(date);
map.put(key, formatted);
} catch (Throwable ex) { //deliberately being broad in this catch clause
LOGGER.debug("Unable to parse timestamp from DB", ex);

1
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverShim.java
View File

@@ -115,7 +115,6 @@ class DriverShim implements Driver {
* @throws SQLFeatureNotSupportedException thrown if the feature is not supported
* @see java.sql.Driver#getParentLogger()
*/
@Override
public java.util.logging.Logger getParentLogger() throws SQLFeatureNotSupportedException {
//return driver.getParentLogger();
Method m = null;

82
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java
View File

@@ -18,18 +18,12 @@
package org.owasp.dependencycheck.data.update;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.List;
import java.util.zip.GZIPInputStream;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.apache.commons.io.FileUtils;
import static org.owasp.dependencycheck.data.nvdcve.DatabaseProperties.LAST_CPE_UPDATE;
import org.owasp.dependencycheck.data.update.cpe.CPEHandler;
import org.owasp.dependencycheck.data.update.cpe.Cpe;
@@ -37,7 +31,9 @@ import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.owasp.dependencycheck.utils.DateUtil;
import org.owasp.dependencycheck.utils.DownloadFailedException;
import org.owasp.dependencycheck.utils.Downloader;
import org.owasp.dependencycheck.utils.ExtractionUtil;
import org.owasp.dependencycheck.utils.Settings;
import org.owasp.dependencycheck.utils.XmlUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xml.sax.SAXException;
@@ -53,8 +49,10 @@ import org.xml.sax.SAXException;
* this class is not currently used. The code is being kept as a future update
* may utilize more data from the CPE XML files.
*
* @deprecated the CPE updater is not currently used.
* @author Jeremy Long
*/
@Deprecated
public class CpeUpdater extends BaseUpdater implements CachedWebDataSource {
/**
@@ -64,6 +62,17 @@ public class CpeUpdater extends BaseUpdater implements CachedWebDataSource {
@Override
public void update() throws UpdateException {
/*
//the following could be used if this were ever used.
try {
if (!Settings.getBoolean(Settings.KEYS.UPDATE_NVDCVE_ENABLED, true)) {
return;
}
} catch (InvalidSettingException ex) {
LOGGER.trace("inavlid setting UPDATE_NVDCVE_ENABLED", ex);
}
*/
try {
openDataStores();
if (updateNeeded()) {
@@ -98,7 +107,7 @@ public class CpeUpdater extends BaseUpdater implements CachedWebDataSource {
xml = File.createTempFile("cpe", ".xml", Settings.getTempDirectory());
Downloader.fetchFile(url, xml);
if (url.toExternalForm().endsWith(".xml.gz")) {
extractGzip(xml);
ExtractionUtil.extractGzip(xml);
}
} catch (MalformedURLException ex) {
@@ -121,9 +130,7 @@ public class CpeUpdater extends BaseUpdater implements CachedWebDataSource {
*/
private List<Cpe> processXML(final File xml) throws UpdateException {
try {
final SAXParserFactory factory = SAXParserFactory.newInstance();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
final SAXParser saxParser = factory.newSAXParser();
final SAXParser saxParser = XmlUtils.buildSecureSaxParser();
final CPEHandler handler = new CPEHandler();
saxParser.parse(xml, handler);
return handler.getData();
@@ -152,59 +159,4 @@ public class CpeUpdater extends BaseUpdater implements CachedWebDataSource {
}
return !DateUtil.withinDateRange(timestamp, now, days);
}
/**
* Extracts the file contained in a gzip archive. The extracted file is
* placed in the exact same path as the file specified.
*
* @param file the archive file
* @throws FileNotFoundException thrown if the file does not exist
* @throws IOException thrown if there is an error extracting the file.
*/
private void extractGzip(File file) throws FileNotFoundException, IOException {
//TODO - move this to a util class as it is duplicative of (copy of) code in the DownloadTask
final String originalPath = file.getPath();
final File gzip = new File(originalPath + ".gz");
if (gzip.isFile() && !gzip.delete()) {
LOGGER.debug("Failed to delete intial temporary file {}", gzip.toString());
gzip.deleteOnExit();
}
if (!file.renameTo(gzip)) {
throw new IOException("Unable to rename '" + file.getPath() + "'");
}
final File newfile = new File(originalPath);
final byte[] buffer = new byte[4096];
GZIPInputStream cin = null;
FileOutputStream out = null;
try {
cin = new GZIPInputStream(new FileInputStream(gzip));
out = new FileOutputStream(newfile);
int len;
while ((len = cin.read(buffer)) > 0) {
out.write(buffer, 0, len);
}
} finally {
if (cin != null) {
try {
cin.close();
} catch (IOException ex) {
LOGGER.trace("ignore", ex);
}
}
if (out != null) {
try {
out.close();
} catch (IOException ex) {
LOGGER.trace("ignore", ex);
}
}
if (gzip.isFile() && !FileUtils.deleteQuietly(gzip)) {
LOGGER.debug("Failed to delete temporary file {}", gzip.toString());
gzip.deleteOnExit();
}
}
}
}

11
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java
View File

@@ -99,7 +99,16 @@ public class EngineVersionCheck implements CachedWebDataSource {
@Override
public void update() throws UpdateException {
try {
if (Settings.getBoolean(Settings.KEYS.AUTO_UPDATE)) {
final boolean autoupdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE, true);
final boolean enabled = Settings.getBoolean(Settings.KEYS.UPDATE_VERSION_CHECK_ENABLED, true);
final String original = Settings.getString(Settings.KEYS.CVE_ORIGINAL_MODIFIED_20_URL);
final String current = Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL);
/**
* Only update if auto-update is enabled, the engine check is
* enabled, and the NVD CVE URLs have not been modified (i.e. the
* user has not configured them to point to an internal source).
*/
if (enabled && autoupdate && original != null && original.equals(current)) {
openDatabase();
LOGGER.debug("Begin Engine Version Check");
final DatabaseProperties properties = cveDB.getDatabaseProperties();

22
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
View File

@@ -67,6 +67,14 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
*/
@Override
public void update() throws UpdateException {
try {
if (!Settings.getBoolean(Settings.KEYS.UPDATE_NVDCVE_ENABLED, true)) {
return;
}
} catch (InvalidSettingException ex) {
LOGGER.trace("inavlid setting UPDATE_NVDCVE_ENABLED", ex);
}
try {
openDataStores();
boolean autoUpdate = true;
@@ -271,12 +279,22 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
}
if (!getProperties().isEmpty()) {
try {
final int startYear = Settings.getInt(Settings.KEYS.CVE_START_YEAR, 2002);
final int endYear = Calendar.getInstance().get(Calendar.YEAR);
boolean needsFullUpdate = false;
for (int y = startYear; y <= endYear; y++) {
final long val = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_UPDATED_BASE + y, "0"));
if (val == 0) {
needsFullUpdate = true;
}
}
final long lastUpdated = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_UPDATED, "0"));
final long now = System.currentTimeMillis();
final int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS, 7);
if (lastUpdated == updates.getTimeStamp(MODIFIED)) {
if (!needsFullUpdate && lastUpdated == updates.getTimeStamp(MODIFIED)) {
updates.clear(); //we don't need to update anything.
} else if (DateUtil.withinDateRange(lastUpdated, now, days)) {
} else if (!needsFullUpdate && DateUtil.withinDateRange(lastUpdated, now, days)) {
for (NvdCveInfo entry : updates) {
if (MODIFIED.equals(entry.getId())) {
entry.setNeedsUpdate(true);

62
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java
View File

@@ -20,19 +20,17 @@ package org.owasp.dependencycheck.data.update.nvd;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Future;
import java.util.zip.GZIPInputStream;
import org.apache.commons.io.FileUtils;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.owasp.dependencycheck.utils.DownloadFailedException;
import org.owasp.dependencycheck.utils.Downloader;
import org.owasp.dependencycheck.utils.ExtractionUtil;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -179,10 +177,10 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
return null;
}
if (url1.toExternalForm().endsWith(".xml.gz") && !isXml(first)) {
extractGzip(first);
ExtractionUtil.extractGzip(first);
}
if (url2.toExternalForm().endsWith(".xml.gz") && !isXml(second)) {
extractGzip(second);
ExtractionUtil.extractGzip(second);
}
LOGGER.info("Download Complete for NVD CVE - {} ({} ms)", nvdCveInfo.getId(),
@@ -255,58 +253,4 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
}
}
}
/**
* Extracts the file contained in a gzip archive. The extracted file is
* placed in the exact same path as the file specified.
*
* @param file the archive file
* @throws FileNotFoundException thrown if the file does not exist
* @throws IOException thrown if there is an error extracting the file.
*/
private void extractGzip(File file) throws FileNotFoundException, IOException {
final String originalPath = file.getPath();
final File gzip = new File(originalPath + ".gz");
if (gzip.isFile() && !gzip.delete()) {
LOGGER.debug("Failed to delete initial temporary file when extracting 'gz' {}", gzip.toString());
gzip.deleteOnExit();
}
if (!file.renameTo(gzip)) {
throw new IOException("Unable to rename '" + file.getPath() + "'");
}
final File newfile = new File(originalPath);
final byte[] buffer = new byte[4096];
GZIPInputStream cin = null;
FileOutputStream out = null;
try {
cin = new GZIPInputStream(new FileInputStream(gzip));
out = new FileOutputStream(newfile);
int len;
while ((len = cin.read(buffer)) > 0) {
out.write(buffer, 0, len);
}
} finally {
if (cin != null) {
try {
cin.close();
} catch (IOException ex) {
LOGGER.trace("ignore", ex);
}
}
if (out != null) {
try {
out.close();
} catch (IOException ex) {
LOGGER.trace("ignore", ex);
}
}
if (gzip.isFile() && !FileUtils.deleteQuietly(gzip)) {
LOGGER.debug("Failed to delete temporary file when extracting 'gz' {}", gzip.toString());
gzip.deleteOnExit();
}
}
}
}

6
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/ProcessTask.java
View File

@@ -26,13 +26,13 @@ import java.util.Map;
import java.util.concurrent.Callable;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
import org.owasp.dependencycheck.utils.Settings;
import org.owasp.dependencycheck.utils.XmlUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xml.sax.SAXException;
@@ -142,9 +142,7 @@ public class ProcessTask implements Callable<ProcessTask> {
protected void importXML(File file, File oldVersion) throws ParserConfigurationException,
SAXException, IOException, SQLException, DatabaseException, ClassNotFoundException {
final SAXParserFactory factory = SAXParserFactory.newInstance();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
final SAXParser saxParser = factory.newSAXParser();
final SAXParser saxParser = XmlUtils.buildSecureSaxParser();
final NvdCve12Handler cve12Handler = new NvdCve12Handler();
saxParser.parse(oldVersion, cve12Handler);

12
dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
View File

@@ -226,14 +226,24 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
/**
* Determines if the string passed in is a positive integer.
* To be counted as a positive integer, the string must only contain 0-9
* and must not have any leading zeros (though "0" is a valid positive
* integer).
*
* @param str the string to test
* @return true if the string only contains 0-9, otherwise false.
*/
private static boolean isPositiveInteger(final String str) {
static boolean isPositiveInteger(final String str) {
if (str == null || str.isEmpty()) {
return false;
}
// numbers with leading zeros should not be treated as numbers
// (e.g. when comparing "01" <-> "1")
if (str.charAt(0) == '0' && str.length() > 1) {
return false;
}
for (int i = 0; i < str.length(); i++) {
final char c = str.charAt(i);
if (c < '0' || c > '9') {

25
dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java
View File

@@ -27,14 +27,14 @@ import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.io.UnsupportedEncodingException;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.List;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.context.Context;
import org.apache.velocity.runtime.RuntimeConstants;
import org.joda.time.DateTime;
import org.joda.time.format.DateTimeFormat;
import org.joda.time.format.DateTimeFormatter;
import org.owasp.dependencycheck.analyzer.Analyzer;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import org.owasp.dependencycheck.dependency.Dependency;
@@ -103,14 +103,18 @@ public class ReportGenerator {
context = createContext();
velocityEngine.init();
final DateFormat dateFormat = new SimpleDateFormat("MMM d, yyyy 'at' HH:mm:ss z");
final DateFormat dateFormatXML = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ");
final Date d = new Date();
final String scanDate = dateFormat.format(d);
final String scanDateXML = dateFormatXML.format(d);
final EscapeTool enc = new EscapeTool();
final DateTime dt = new DateTime();
final DateTimeFormatter dateFormat = DateTimeFormat.forPattern("MMM d, yyyy 'at' HH:mm:ss z");
final DateTimeFormatter dateFormatXML = DateTimeFormat.forPattern("yyyy-MM-dd'T'HH:mm:ss.SSSZ");
// final Date d = new Date();
// final DateFormat dateFormat = new SimpleDateFormat("MMM d, yyyy 'at' HH:mm:ss z");
// final DateFormat dateFormatXML = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ");
final String scanDate = dateFormat.print(dt);
final String scanDateXML = dateFormatXML.print(dt);
context.put("applicationName", applicationName);
context.put("dependencies", dependencies);
context.put("analyzers", analyzers);
@@ -167,7 +171,8 @@ public class ReportGenerator {
*
* @param outputDir the path where the reports should be written
* @param format the format the report should be written in
* @throws ReportException is thrown if there is an error writing out the reports
* @throws ReportException is thrown if there is an error writing out the
* reports
*/
public void generateReports(String outputDir, Format format) throws ReportException {
if (format == Format.XML || format == Format.ALL) {

106
dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/ExtractionUtil.java
View File

@@ -18,13 +18,13 @@
package org.owasp.dependencycheck.utils;
import java.io.BufferedInputStream;
import java.io.Closeable;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.FilenameFilter;
import java.io.IOException;
import java.util.zip.GZIPInputStream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
@@ -61,20 +61,24 @@ public final class ExtractionUtil {
*
* @param archive an archive file such as a WAR or EAR
* @param extractTo a directory to extract the contents to
* @throws ExtractionException thrown if an exception occurs while extracting the files
* @throws ExtractionException thrown if an exception occurs while
* extracting the files
*/
public static void extractFiles(File archive, File extractTo) throws ExtractionException {
extractFiles(archive, extractTo, null);
}
/**
* Extracts the contents of an archive into the specified directory. The files are only extracted if they are supported by the
* analyzers loaded into the specified engine. If the engine is specified as null then all files are extracted.
* Extracts the contents of an archive into the specified directory. The
* files are only extracted if they are supported by the analyzers loaded
* into the specified engine. If the engine is specified as null then all
* files are extracted.
*
* @param archive an archive file such as a WAR or EAR
* @param extractTo a directory to extract the contents to
* @param engine the scanning engine
* @throws ExtractionException thrown if there is an error extracting the files
* @throws ExtractionException thrown if there is an error extracting the
* files
*/
public static void extractFiles(File archive, File extractTo, Engine engine) throws ExtractionException {
if (archive == null || extractTo == null) {
@@ -116,7 +120,7 @@ public final class ExtractionUtil {
final String msg = String.format("IO Exception while parsing file '%s'.", file.getName());
throw new ExtractionException(msg, ex);
} finally {
closeStream(fos);
FileUtils.close(fos);
}
}
}
@@ -126,7 +130,7 @@ public final class ExtractionUtil {
LOGGER.debug("", ex);
throw new ExtractionException(msg, ex);
} finally {
closeStream(zis);
FileUtils.close(zis);
}
}
@@ -172,7 +176,8 @@ public final class ExtractionUtil {
* @param input the archive to extract files from
* @param destination the location to write the files too
* @param filter determines which files get extracted
* @throws ArchiveExtractionException thrown if there is an exception extracting files from the archive
* @throws ArchiveExtractionException thrown if there is an exception
* extracting files from the archive
*/
private static void extractArchive(ArchiveInputStream input,
File destination, FilenameFilter filter)
@@ -197,18 +202,20 @@ public final class ExtractionUtil {
} catch (Throwable ex) {
throw new ArchiveExtractionException(ex);
} finally {
closeStream(input);
FileUtils.close(input);
}
}
/**
* Extracts a file from an archive (input stream) and correctly builds the directory structure.
* Extracts a file from an archive (input stream) and correctly builds the
* directory structure.
*
* @param input the archive input stream
* @param destination where to write the file
* @param filter the file filter to apply to the files being extracted
* @param entry the entry from the archive to extract
* @throws ExtractionException thrown if there is an error reading from the archive stream
* @throws ExtractionException thrown if there is an error reading from the
* archive stream
*/
private static void extractFile(ArchiveInputStream input, File destination,
FilenameFilter filter, ArchiveEntry entry) throws ExtractionException {
@@ -233,31 +240,18 @@ public final class ExtractionUtil {
file.getName());
throw new ExtractionException(msg, ex);
} finally {
closeStream(fos);
FileUtils.close(fos);
}
}
}
/**
* Closes the stream.
*
* @param stream the stream to close
*/
private static void closeStream(Closeable stream) {
if (stream != null) {
try {
stream.close();
} catch (IOException ex) {
LOGGER.trace("", ex);
}
}
}
/**
* Ensures the parent path is correctly created on disk so that the file can be extracted to the correct location.
* Ensures the parent path is correctly created on disk so that the file can
* be extracted to the correct location.
*
* @param file the file path
* @throws ExtractionException thrown if the parent paths could not be created
* @throws ExtractionException thrown if the parent paths could not be
* created
*/
private static void createParentFile(final File file)
throws ExtractionException {
@@ -269,4 +263,58 @@ public final class ExtractionUtil {
throw new ExtractionException(msg);
}
}
/**
* Extracts the file contained in a gzip archive. The extracted file is
* placed in the exact same path as the file specified.
*
* @param file the archive file
* @throws FileNotFoundException thrown if the file does not exist
* @throws IOException thrown if there is an error extracting the file.
*/
public static void extractGzip(File file) throws FileNotFoundException, IOException {
final String originalPath = file.getPath();
final File gzip = new File(originalPath + ".gz");
if (gzip.isFile() && !gzip.delete()) {
LOGGER.debug("Failed to delete initial temporary file when extracting 'gz' {}", gzip.toString());
gzip.deleteOnExit();
}
if (!file.renameTo(gzip)) {
throw new IOException("Unable to rename '" + file.getPath() + "'");
}
final File newfile = new File(originalPath);
final byte[] buffer = new byte[4096];
GZIPInputStream cin = null;
FileOutputStream out = null;
try {
cin = new GZIPInputStream(new FileInputStream(gzip));
out = new FileOutputStream(newfile);
int len;
while ((len = cin.read(buffer)) > 0) {
out.write(buffer, 0, len);
}
} finally {
if (cin != null) {
try {
cin.close();
} catch (IOException ex) {
LOGGER.trace("ignore", ex);
}
}
if (out != null) {
try {
out.close();
} catch (IOException ex) {
LOGGER.trace("ignore", ex);
}
}
if (gzip.isFile() && !org.apache.commons.io.FileUtils.deleteQuietly(gzip)) {
LOGGER.debug("Failed to delete temporary file when extracting 'gz' {}", gzip.toString());
gzip.deleteOnExit();
}
}
}
}

32
dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintErrorHandler.java
View File

@@ -17,6 +17,7 @@
*/
package org.owasp.dependencycheck.xml.hints;
import org.owasp.dependencycheck.utils.XmlUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xml.sax.ErrorHandler;
@@ -35,33 +36,6 @@ public class HintErrorHandler implements ErrorHandler {
*/
private static final Logger LOGGER = LoggerFactory.getLogger(HintErrorHandler.class);
/**
* Builds a prettier exception message.
*
* @param ex the SAXParseException
* @return an easier to read exception message
*/
private String getPrettyParseExceptionInfo(SAXParseException ex) {
final StringBuilder sb = new StringBuilder();
if (ex.getSystemId() != null) {
sb.append("systemId=").append(ex.getSystemId()).append(", ");
}
if (ex.getPublicId() != null) {
sb.append("publicId=").append(ex.getPublicId()).append(", ");
}
if (ex.getLineNumber() > 0) {
sb.append("Line=").append(ex.getLineNumber());
}
if (ex.getColumnNumber() > 0) {
sb.append(", Column=").append(ex.getColumnNumber());
}
sb.append(": ").append(ex.getMessage());
return sb.toString();
}
/**
* Logs warnings.
*
@@ -81,7 +55,7 @@ public class HintErrorHandler implements ErrorHandler {
*/
@Override
public void error(SAXParseException ex) throws SAXException {
throw new SAXException(getPrettyParseExceptionInfo(ex));
throw new SAXException(XmlUtils.getPrettyParseExceptionInfo(ex));
}
/**
@@ -92,6 +66,6 @@ public class HintErrorHandler implements ErrorHandler {
*/
@Override
public void fatalError(SAXParseException ex) throws SAXException {
throw new SAXException(getPrettyParseExceptionInfo(ex));
throw new SAXException(XmlUtils.getPrettyParseExceptionInfo(ex));
}
}

10
dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java
View File

@@ -26,7 +26,7 @@ import java.io.InputStreamReader;
import java.io.Reader;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.owasp.dependencycheck.utils.XmlUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -108,13 +108,7 @@ public class HintParser {
try {
schemaStream = this.getClass().getClassLoader().getResourceAsStream(HINT_SCHEMA);
final HintHandler handler = new HintHandler();
final SAXParserFactory factory = SAXParserFactory.newInstance();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setNamespaceAware(true);
factory.setValidating(true);
final SAXParser saxParser = factory.newSAXParser();
saxParser.setProperty(HintParser.JAXP_SCHEMA_LANGUAGE, HintParser.W3C_XML_SCHEMA);
saxParser.setProperty(HintParser.JAXP_SCHEMA_SOURCE, new InputSource(schemaStream));
final SAXParser saxParser = XmlUtils.buildSecureSaxParser(schemaStream);
final XMLReader xmlReader = saxParser.getXMLReader();
xmlReader.setErrorHandler(new HintErrorHandler());
xmlReader.setContentHandler(handler);

12
dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomParser.java
View File

@@ -26,7 +26,7 @@ import java.io.InputStreamReader;
import java.io.Reader;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.owasp.dependencycheck.utils.XmlUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -85,20 +85,12 @@ public class PomParser {
public Model parse(InputStream inputStream) throws PomParseException {
try {
final PomHandler handler = new PomHandler();
final SAXParserFactory factory = SAXParserFactory.newInstance();
// factory.setNamespaceAware(true);
// factory.setValidating(true);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
final SAXParser saxParser = factory.newSAXParser();
final SAXParser saxParser = XmlUtils.buildSecureSaxParser();
final XMLReader xmlReader = saxParser.getXMLReader();
xmlReader.setContentHandler(handler);
final Reader reader = new InputStreamReader(inputStream, "UTF-8");
final InputSource in = new InputSource(reader);
//in.setEncoding("UTF-8");
xmlReader.parse(in);
return handler.getModel();
} catch (ParserConfigurationException ex) {
LOGGER.debug("", ex);

32
dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionErrorHandler.java
View File

@@ -17,6 +17,7 @@
*/
package org.owasp.dependencycheck.xml.suppression;
import org.owasp.dependencycheck.utils.XmlUtils;
import org.xml.sax.ErrorHandler;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
@@ -33,33 +34,6 @@ public class SuppressionErrorHandler implements ErrorHandler {
*/
//private static final Logger LOGGER = LoggerFactory.getLogger(SuppressionErrorHandler.class);
/**
* Builds a prettier exception message.
*
* @param ex the SAXParseException
* @return an easier to read exception message
*/
private String getPrettyParseExceptionInfo(SAXParseException ex) {
final StringBuilder sb = new StringBuilder();
if (ex.getSystemId() != null) {
sb.append("systemId=").append(ex.getSystemId()).append(", ");
}
if (ex.getPublicId() != null) {
sb.append("publicId=").append(ex.getPublicId()).append(", ");
}
if (ex.getLineNumber() > 0) {
sb.append("Line=").append(ex.getLineNumber());
}
if (ex.getColumnNumber() > 0) {
sb.append(", Column=").append(ex.getColumnNumber());
}
sb.append(": ").append(ex.getMessage());
return sb.toString();
}
/**
* Logs warnings.
*
@@ -79,7 +53,7 @@ public class SuppressionErrorHandler implements ErrorHandler {
*/
@Override
public void error(SAXParseException ex) throws SAXException {
throw new SAXException(getPrettyParseExceptionInfo(ex));
throw new SAXException(XmlUtils.getPrettyParseExceptionInfo(ex));
}
/**
@@ -90,6 +64,6 @@ public class SuppressionErrorHandler implements ErrorHandler {
*/
@Override
public void fatalError(SAXParseException ex) throws SAXException {
throw new SAXException(getPrettyParseExceptionInfo(ex));
throw new SAXException(XmlUtils.getPrettyParseExceptionInfo(ex));
}
}

105
dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java
View File

@@ -27,7 +27,7 @@ import java.io.Reader;
import java.util.List;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.owasp.dependencycheck.utils.XmlUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -46,25 +46,10 @@ public class SuppressionParser {
* The logger.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(SuppressionParser.class);
/**
* JAXP Schema Language. Source:
* http://docs.oracle.com/javase/tutorial/jaxp/sax/validation.html
*/
public static final String JAXP_SCHEMA_LANGUAGE = "http://java.sun.com/xml/jaxp/properties/schemaLanguage";
/**
* W3C XML Schema. Source:
* http://docs.oracle.com/javase/tutorial/jaxp/sax/validation.html
*/
public static final String W3C_XML_SCHEMA = "http://www.w3.org/2001/XMLSchema";
/**
* JAXP Schema Source. Source:
* http://docs.oracle.com/javase/tutorial/jaxp/sax/validation.html
*/
public static final String JAXP_SCHEMA_SOURCE = "http://java.sun.com/xml/jaxp/properties/schemaSource";
/**
* The suppression schema file location.
*/
private static final String SUPPRESSION_SCHEMA = "schema/dependency-suppression.1.1.xsd";
public static final String SUPPRESSION_SCHEMA = "schema/dependency-suppression.1.1.xsd";
/**
* The old suppression schema file location.
*/
@@ -99,7 +84,11 @@ public class SuppressionParser {
} catch (FileNotFoundException ex1) {
throw new SuppressionParseException(ex);
}
return parseOldSuppressionRules(fis);
try {
return parseSuppressionRules(fis, OLD_SUPPRESSION_SCHEMA);
} catch (SAXException ex1) {
throw new SuppressionParseException(ex);
}
} finally {
if (fis != null) {
try {
@@ -121,27 +110,31 @@ public class SuppressionParser {
* @throws SAXException thrown if the XML cannot be parsed
*/
public List<SuppressionRule> parseSuppressionRules(InputStream inputStream) throws SuppressionParseException, SAXException {
return parseSuppressionRules(inputStream, SUPPRESSION_SCHEMA);
}
/**
* Parses the given XML stream and returns a list of the suppression rules
* contained.
*
* @param inputStream an InputStream containing suppression rules
* @param schema the schema used to validate the XML stream
* @return a list of suppression rules
* @throws SuppressionParseException thrown if the XML cannot be parsed
* @throws SAXException thrown if the XML cannot be parsed
*/
private List<SuppressionRule> parseSuppressionRules(InputStream inputStream, String schema) throws SuppressionParseException, SAXException {
InputStream schemaStream = null;
try {
schemaStream = this.getClass().getClassLoader().getResourceAsStream(SUPPRESSION_SCHEMA);
schemaStream = this.getClass().getClassLoader().getResourceAsStream(schema);
final SuppressionHandler handler = new SuppressionHandler();
final SAXParserFactory factory = SAXParserFactory.newInstance();
factory.setNamespaceAware(true);
factory.setValidating(true);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
final SAXParser saxParser = factory.newSAXParser();
saxParser.setProperty(SuppressionParser.JAXP_SCHEMA_LANGUAGE, SuppressionParser.W3C_XML_SCHEMA);
saxParser.setProperty(SuppressionParser.JAXP_SCHEMA_SOURCE, new InputSource(schemaStream));
final SAXParser saxParser = XmlUtils.buildSecureSaxParser(schemaStream);
final XMLReader xmlReader = saxParser.getXMLReader();
xmlReader.setErrorHandler(new SuppressionErrorHandler());
xmlReader.setContentHandler(handler);
final Reader reader = new InputStreamReader(inputStream, "UTF-8");
final InputSource in = new InputSource(reader);
//in.setEncoding("UTF-8");
xmlReader.parse(in);
return handler.getSuppressionRules();
} catch (ParserConfigurationException ex) {
LOGGER.debug("", ex);
@@ -169,56 +162,4 @@ public class SuppressionParser {
}
}
}
/**
* Parses the given XML stream and returns a list of the suppression rules
* contained.
*
* @param inputStream an InputStream containing suppression rues
* @return a list of suppression rules
* @throws SuppressionParseException if the XML cannot be parsed
*/
private List<SuppressionRule> parseOldSuppressionRules(InputStream inputStream) throws SuppressionParseException {
InputStream schemaStream = null;
try {
schemaStream = this.getClass().getClassLoader().getResourceAsStream(OLD_SUPPRESSION_SCHEMA);
final SuppressionHandler handler = new SuppressionHandler();
final SAXParserFactory factory = SAXParserFactory.newInstance();
factory.setNamespaceAware(true);
factory.setValidating(true);
final SAXParser saxParser = factory.newSAXParser();
saxParser.setProperty(SuppressionParser.JAXP_SCHEMA_LANGUAGE, SuppressionParser.W3C_XML_SCHEMA);
saxParser.setProperty(SuppressionParser.JAXP_SCHEMA_SOURCE, new InputSource(schemaStream));
final XMLReader xmlReader = saxParser.getXMLReader();
xmlReader.setErrorHandler(new SuppressionErrorHandler());
xmlReader.setContentHandler(handler);
final Reader reader = new InputStreamReader(inputStream, "UTF-8");
final InputSource in = new InputSource(reader);
xmlReader.parse(in);
return handler.getSuppressionRules();
} catch (ParserConfigurationException ex) {
LOGGER.debug("", ex);
throw new SuppressionParseException(ex);
} catch (SAXException ex) {
LOGGER.debug("", ex);
throw new SuppressionParseException(ex);
} catch (FileNotFoundException ex) {
LOGGER.debug("", ex);
throw new SuppressionParseException(ex);
} catch (IOException ex) {
LOGGER.debug("", ex);
throw new SuppressionParseException(ex);
} finally {
if (schemaStream != null) {
try {
schemaStream.close();
} catch (IOException ex) {
LOGGER.debug("Error closing old suppression file stream", ex);
}
}
}
}
}

2
dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer
View File

@@ -6,6 +6,7 @@ org.owasp.dependencycheck.analyzer.CPEAnalyzer
org.owasp.dependencycheck.analyzer.FalsePositiveAnalyzer
org.owasp.dependencycheck.analyzer.CpeSuppressionAnalyzer
org.owasp.dependencycheck.analyzer.DependencyBundlingAnalyzer
org.owasp.dependencycheck.analyzer.DependencyMergingAnalyzer
org.owasp.dependencycheck.analyzer.NvdCveAnalyzer
org.owasp.dependencycheck.analyzer.VulnerabilitySuppressionAnalyzer
org.owasp.dependencycheck.analyzer.CentralAnalyzer
@@ -24,3 +25,4 @@ org.owasp.dependencycheck.analyzer.RubyBundleAuditAnalyzer
org.owasp.dependencycheck.analyzer.ComposerLockAnalyzer
org.owasp.dependencycheck.analyzer.CocoaPodsAnalyzer
org.owasp.dependencycheck.analyzer.SwiftPackageManagerAnalyzer
org.owasp.dependencycheck.analyzer.VersionFilterAnalyzer

48
dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
View File

@@ -453,4 +453,52 @@
<gav regex="true">^org\.mitre\.dsmiley\.httpproxy:smiley-http-proxy-servlet:.*$</gav>
<cpe>cpe:/a:shttp:shttp</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
This CVE is disputed by the vendor and is not considered an issue.
]]></notes>
<filePath regex="true">.*</filePath>
<cve>CVE-2007-6059</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: jackson-core-2.6.5.jar
]]></notes>
<gav regex="true">com\.fasterxml\.jackson\.core:jackson.*</gav>
<cve>CVE-2016-3720</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
file name: jackson-core-2.6.5.jar
]]></notes>
<gav regex="true">com\.fasterxml\.jackson\.dataformat:jackson(?!\-dataformat\-xml).*</gav>
<cve>CVE-2016-3720</cve>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positives per issue #642
]]></notes>
<gav regex="true">^org\.springframework\.boot:spring-boot.*$</gav>
<cpe>cpe:/a:pivotal_software:spring_framework</cpe>
<cpe>cpe:/a:pivotal:spring_framework</cpe>
<cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
False positives per issue #642
]]></notes>
<gav regex="true">^org\.springframework:spring-context:.*$</gav>
<cpe>cpe:/a:context_project:context</cpe>
</suppress>
<suppress base="true">
<notes><![CDATA[
Node.js false positives per issues #512 and #510
]]></notes>
<filePath regex="true">.*package\.json$</filePath>
<cpe>cpe:/a:file_project:file</cpe>
<cpe>cpe:/a:file:file</cpe>
<cpe>cpe:/a:shim:shim</cpe>
<cpe>cpe:/a:shim_project:shim</cpe>
</suppress>
</suppressions>

15
dependency-check-core/src/main/resources/dependencycheck.properties
View File

@@ -53,6 +53,8 @@ cve.startyear=2002
# the path to the modified nvd cve xml file.
cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
#cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
#the original URL and modified URL should be the same; this is used to detect if we are using an internal NVD CVE copy
cve.url-2.0.original=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
#cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
@@ -101,4 +103,15 @@ analyzer.cocoapods.enabled=true
analyzer.swift.package.manager.enabled=true
#whether the nexus analyzer uses the proxy
analyzer.nexus.proxy=true
analyzer.cpe.enabled=true
analyzer.cpesuppression.enabled=true
analyzer.dependencybundling.enabled=true
analyzer.dependencymerging.enabled=true
analyzer.falsepositive.enabled=true
analyzer.filename.enabled=true
analyzer.hint.enabled=true
analyzer.nvdcve.enabled=true
analyzer.vulnerabilitysuppression.enabled=true
updater.nvdcve.enabled=true
updater.versioncheck.enabled=true
analyzer.versionfilter.enabled=true

2
dependency-check-core/src/main/resources/templates/HtmlReport.vsl
View File

@@ -609,7 +609,7 @@ Getting Help: <a href="https://groups.google.com/forum/#!forum/dependency-check"
<li><i>dependency-check version</i>: $version</li>
<li><i>Report Generated On</i>: $scanDate</li>
<li><i>Dependencies Scanned</i>:&nbsp;$depCount ($dependencies.size() unique)</li>
<li><i>Vulnerable Dependencies</i>:&nbsp;$vulnDepCount</li>
<li><i>Vulnerable Dependencies</i>:&nbsp;<span id="vulnerableCount">$vulnDepCount</span></li>
<li><i>Vulnerabilities Found</i>:&nbsp;$vulnCount</li>
<li><i>Vulnerabilities Suppressed</i>:&nbsp;$vulnSuppressedCount</li>
<li class="scaninfo">...</li>

13
dependency-check-core/src/test/java/org/owasp/dependencycheck/AnalysisTaskTest.java
View File

@@ -12,8 +12,9 @@ import java.io.File;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import org.owasp.dependencycheck.utils.Settings;
public class AnalysisTaskTest {
public class AnalysisTaskTest extends BaseTest {
@Mocked
FileTypeAnalyzer fileTypeAnalyzer;
@@ -27,7 +28,7 @@ public class AnalysisTaskTest {
@Test
public void shouldAnalyzeReturnsTrueForNonFileTypeAnalyzers() {
AnalysisTask instance = new AnalysisTask(new HintAnalyzer(), null, null, null);
AnalysisTask instance = new AnalysisTask(new HintAnalyzer(), null, null, null, null);
boolean shouldAnalyze = instance.shouldAnalyze();
assertTrue(shouldAnalyze);
}
@@ -43,7 +44,7 @@ public class AnalysisTaskTest {
result = true;
}};
AnalysisTask analysisTask = new AnalysisTask(fileTypeAnalyzer, dependency, null, null);
AnalysisTask analysisTask = new AnalysisTask(fileTypeAnalyzer, dependency, null, null, Settings.getInstance());
boolean shouldAnalyze = analysisTask.shouldAnalyze();
assertTrue(shouldAnalyze);
@@ -60,7 +61,7 @@ public class AnalysisTaskTest {
result = false;
}};
AnalysisTask analysisTask = new AnalysisTask(fileTypeAnalyzer, dependency, null, null);
AnalysisTask analysisTask = new AnalysisTask(fileTypeAnalyzer, dependency, null, null, Settings.getInstance());
boolean shouldAnalyze = analysisTask.shouldAnalyze();
assertFalse(shouldAnalyze);
@@ -68,7 +69,7 @@ public class AnalysisTaskTest {
@Test
public void taskAnalyzes() throws Exception {
final AnalysisTask analysisTask = new AnalysisTask(fileTypeAnalyzer, dependency, engine, null);
final AnalysisTask analysisTask = new AnalysisTask(fileTypeAnalyzer, dependency, engine, null, Settings.getInstance());
new Expectations(analysisTask) {{
analysisTask.shouldAnalyze();
result = true;
@@ -84,7 +85,7 @@ public class AnalysisTaskTest {
@Test
public void taskDoesNothingIfItShouldNotAnalyze() throws Exception {
final AnalysisTask analysisTask = new AnalysisTask(fileTypeAnalyzer, dependency, engine, null);
final AnalysisTask analysisTask = new AnalysisTask(fileTypeAnalyzer, dependency, engine, null, Settings.getInstance());
new Expectations(analysisTask) {{
analysisTask.shouldAnalyze();
result = false;

2
dependency-check-core/src/test/java/org/owasp/dependencycheck/BaseDBTestCase.java
View File

@@ -65,7 +65,7 @@ public abstract class BaseDBTestCase extends BaseTest {
FileInputStream fis = null;
ZipInputStream zin = null;
try {
File path = new File(BaseDBTestCase.class.getClassLoader().getResource("data.zip").getPath());
File path = new File(BaseDBTestCase.class.getClassLoader().getResource("data.zip").toURI().getPath());
fis = new FileInputStream(path);
zin = new ZipInputStream(new BufferedInputStream(fis));
ZipEntry entry;

12
dependency-check-core/src/test/java/org/owasp/dependencycheck/BaseTest.java
View File

@@ -17,6 +17,8 @@ package org.owasp.dependencycheck;
import java.io.File;
import java.io.InputStream;
import java.net.URISyntaxException;
import org.junit.AfterClass;
import org.junit.Assume;
import org.junit.BeforeClass;
@@ -69,8 +71,12 @@ public class BaseTest {
* @return the resource as an File
*/
public static File getResourceAsFile(Object o, String resource) {
File f = new File(o.getClass().getClassLoader().getResource(resource).getPath());
Assume.assumeTrue(String.format("%n%n[SEVERE] Unable to load resource for test case: %s%n%n", resource), f.exists());
return f;
try{
File f = new File(o.getClass().getClassLoader().getResource(resource).toURI().getPath());
Assume.assumeTrue(String.format("%n%n[SEVERE] Unable to load resource for test case: %s%n%n", resource), f.exists());
return f;
}catch (URISyntaxException e){
throw new UnsupportedOperationException(e);
}
}
}

7
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzerTest.java
View File

@@ -104,7 +104,7 @@ public class AbstractSuppressionAnalyzerTest extends BaseTest {
public class AbstractSuppressionAnalyzerImpl extends AbstractSuppressionAnalyzer {
@Override
public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
}
@@ -117,6 +117,11 @@ public class AbstractSuppressionAnalyzerTest extends BaseTest {
public AnalysisPhase getAnalysisPhase() {
throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
}
@Override
protected String getAnalyzerEnabledSettingKey() {
return "unknown";
}
}
}

2
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerTest.java
View File

@@ -41,7 +41,7 @@ public class ArchiveAnalyzerTest extends BaseTest {
}
/**
* Test of analyzeFileType method, of class ArchiveAnalyzer.
* Test of analyzeDependency method, of class ArchiveAnalyzer.
*/
@Test
public void testZippableExtensions() throws Exception {

2
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzerTest.java
View File

@@ -53,7 +53,7 @@ public class DependencyBundlingAnalyzerTest extends BaseTest {
@Test
public void testGetAnalysisPhase() {
DependencyBundlingAnalyzer instance = new DependencyBundlingAnalyzer();
AnalysisPhase expResult = AnalysisPhase.PRE_FINDING_ANALYSIS;
AnalysisPhase expResult = AnalysisPhase.FINAL;
AnalysisPhase result = instance.getAnalysisPhase();
assertEquals(expResult, result);
}

1
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java
View File

@@ -47,6 +47,7 @@ public class JarAnalyzerTest extends BaseTest {
File file = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
Dependency result = new Dependency(file);
JarAnalyzer instance = new JarAnalyzer();
instance.initializeFileTypeAnalyzer();
instance.analyze(result, null);
assertTrue(result.getVendorEvidence().toString().toLowerCase().contains("apache"));
assertTrue(result.getVendorEvidence().getWeighting().contains("apache"));

210
dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzerTest.java Normal file
View File

@@ -0,0 +1,210 @@
/*
* This file is part of dependency-check-core.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2017 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.analyzer;
import org.junit.Test;
import static org.junit.Assert.*;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.EvidenceCollection;
import org.owasp.dependencycheck.utils.Settings;
/**
*
* @author jerem
*/
public class VersionFilterAnalyzerTest extends BaseTest {
/**
* Test of getName method, of class VersionFilterAnalyzer.
*/
@Test
public void testGetName() {
VersionFilterAnalyzer instance = new VersionFilterAnalyzer();
String expResult = "Version Filter Analyzer";
String result = instance.getName();
assertEquals(expResult, result);
}
/**
* Test of getAnalysisPhase method, of class VersionFilterAnalyzer.
*/
@Test
public void testGetAnalysisPhase() {
VersionFilterAnalyzer instance = new VersionFilterAnalyzer();
AnalysisPhase expResult = AnalysisPhase.POST_INFORMATION_COLLECTION;
AnalysisPhase result = instance.getAnalysisPhase();
assertEquals(expResult, result);
}
/**
* Test of getAnalyzerEnabledSettingKey method, of class
* VersionFilterAnalyzer.
*/
@Test
public void testGetAnalyzerEnabledSettingKey() {
VersionFilterAnalyzer instance = new VersionFilterAnalyzer();
String expResult = Settings.KEYS.ANALYZER_VERSION_FILTER_ENABLED;
String result = instance.getAnalyzerEnabledSettingKey();
assertEquals(expResult, result);
}
/**
* Test of analyzeDependency method, of class VersionFilterAnalyzer.
*/
@Test
public void testAnalyzeDependency() throws Exception {
Dependency dependency = new Dependency();
EvidenceCollection versions = dependency.getVersionEvidence();
versions.addEvidence("util", "version", "33.3", Confidence.HIGHEST);
versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
versions.addEvidence("other", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
VersionFilterAnalyzer instance = new VersionFilterAnalyzer();
instance.analyzeDependency(dependency, null);
assertEquals(3, versions.size());
versions.addEvidence("pom", "version", "1.2.3", Confidence.HIGHEST);
instance.analyzeDependency(dependency, null);
assertEquals(4, versions.size());
versions.addEvidence("file", "version", "1.2.3", Confidence.HIGHEST);
instance.analyzeDependency(dependency, null);
assertEquals(2, versions.size());
versions.addEvidence("Manifest", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
instance.analyzeDependency(dependency, null);
assertEquals(3, versions.size());
versions.addEvidence("nexus", "version", "1.2.3", Confidence.HIGHEST);
versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
instance.analyzeDependency(dependency, null);
assertEquals(4, versions.size());
versions.addEvidence("central", "version", "1.2.3", Confidence.HIGHEST);
versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
instance.analyzeDependency(dependency, null);
assertEquals(5, versions.size());
}
/**
* Test of analyzeDependency method, of class VersionFilterAnalyzer.
*/
@Test
public void testAnalyzeDependencyFilePom() throws Exception {
Dependency dependency = new Dependency();
EvidenceCollection versions = dependency.getVersionEvidence();
versions.addEvidence("util", "version", "33.3", Confidence.HIGHEST);
versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
versions.addEvidence("other", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
VersionFilterAnalyzer instance = new VersionFilterAnalyzer();
instance.analyzeDependency(dependency, null);
assertEquals(3, versions.size());
versions.addEvidence("pom", "version", "1.2.3", Confidence.HIGHEST);
instance.analyzeDependency(dependency, null);
assertEquals(4, versions.size());
versions.addEvidence("file", "version", "1.2.3", Confidence.HIGHEST);
instance.analyzeDependency(dependency, null);
assertEquals(2, versions.size());
versions.addEvidence("nexus", "version", "1.2.3", Confidence.HIGHEST);
versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
instance.analyzeDependency(dependency, null);
assertEquals(3, versions.size());
versions.addEvidence("central", "version", "1.2.3", Confidence.HIGHEST);
versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
instance.analyzeDependency(dependency, null);
assertEquals(4, versions.size());
}
/**
* Test of analyzeDependency method, of class VersionFilterAnalyzer.
*/
@Test
public void testAnalyzeDependencyFileManifest() throws Exception {
Dependency dependency = new Dependency();
EvidenceCollection versions = dependency.getVersionEvidence();
versions.addEvidence("util", "version", "33.3", Confidence.HIGHEST);
versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
versions.addEvidence("other", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
VersionFilterAnalyzer instance = new VersionFilterAnalyzer();
instance.analyzeDependency(dependency, null);
assertEquals(3, versions.size());
versions.addEvidence("Manifest", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
instance.analyzeDependency(dependency, null);
assertEquals(4, versions.size());
versions.addEvidence("file", "version", "1.2.3", Confidence.HIGHEST);
instance.analyzeDependency(dependency, null);
assertEquals(2, versions.size());
}
/**
* Test of analyzeDependency method, of class VersionFilterAnalyzer.
*/
@Test
public void testAnalyzeDependencyPomManifest() throws Exception {
Dependency dependency = new Dependency();
EvidenceCollection versions = dependency.getVersionEvidence();
versions.addEvidence("util", "version", "33.3", Confidence.HIGHEST);
versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
versions.addEvidence("other", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
VersionFilterAnalyzer instance = new VersionFilterAnalyzer();
instance.analyzeDependency(dependency, null);
assertEquals(3, versions.size());
versions.addEvidence("pom", "version", "1.2.3", Confidence.HIGHEST);
instance.analyzeDependency(dependency, null);
assertEquals(4, versions.size());
versions.addEvidence("Manifest", "Implementation-Version", "1.2.3", Confidence.HIGHEST);
instance.analyzeDependency(dependency, null);
assertEquals(2, versions.size());
versions.addEvidence("nexus", "version", "1.2.3", Confidence.HIGHEST);
versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
instance.analyzeDependency(dependency, null);
assertEquals(3, versions.size());
versions.addEvidence("central", "version", "1.2.3", Confidence.HIGHEST);
versions.addEvidence("other", "version", "alpha", Confidence.HIGHEST);
instance.analyzeDependency(dependency, null);
assertEquals(4, versions.size());
}
}

6
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabasePropertiesIntegrationTest.java
View File

@@ -17,8 +17,14 @@
*/
package org.owasp.dependencycheck.data.nvdcve;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.Date;
import org.owasp.dependencycheck.BaseDBTestCase;
import java.util.Properties;
import org.joda.time.DateTime;
import org.joda.time.format.DateTimeFormat;
import org.joda.time.format.DateTimeFormatter;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import org.junit.Test;

52
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/EngineVersionCheckTest.java
View File

@@ -20,6 +20,9 @@ import java.text.SimpleDateFormat;
import java.util.Properties;
import mockit.Mock;
import mockit.MockUp;
import org.joda.time.DateTime;
import org.joda.time.format.DateTimeFormat;
import org.joda.time.format.DateTimeFormatter;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import org.junit.Test;
@@ -42,6 +45,24 @@ public class EngineVersionCheckTest extends BaseTest {
// EngineVersionCheck instance = new EngineVersionCheck();
// instance.update();
// }
/**
* Converts a date in the form of yyyy-MM-dd into the epoch milliseconds.
*
* @param date a date in the format of yyyy-MM-dd
* @return milliseconds
*/
private long dateToMilliseconds(String date) {
//removed for compatability with joda-time 1.6
//DateTimeFormatter dtf = DateTimeFormat.forPattern("yyyy-MM-dd");
//return DateTime.parse(date, dtf).toInstant().getMillis();
String[] dp = date.split("-");
int y = Integer.parseInt(dp[0]);
int m = Integer.parseInt(dp[1]);
int d = Integer.parseInt(dp[2]);
DateTime dt = new DateTime(y, m, d, 0, 0, 0, 0);
return dt.toInstant().getMillis();
}
/**
* Test of shouldUpdate method, of class EngineVersionCheck.
*/
@@ -62,12 +83,11 @@ public class EngineVersionCheckTest extends BaseTest {
}.getMockInstance();
DateFormat df = new SimpleDateFormat("yyyy-MM-dd");
String updateToVersion = "1.2.6";
String currentVersion = "1.2.6";
long lastChecked = df.parse("2014-12-01").getTime();
long now = df.parse("2014-12-01").getTime();
long lastChecked = dateToMilliseconds("2014-12-01");
long now = dateToMilliseconds("2014-12-01");
EngineVersionCheck instance = new EngineVersionCheck();
boolean expResult = false;
@@ -77,8 +97,8 @@ public class EngineVersionCheckTest extends BaseTest {
updateToVersion = "1.2.5";
currentVersion = "1.2.5";
lastChecked = df.parse("2014-10-01").getTime();
now = df.parse("2014-12-01").getTime();
lastChecked = dateToMilliseconds("2014-10-01");
now = dateToMilliseconds("2014-12-01");
expResult = true;
instance.setUpdateToVersion(updateToVersion);
result = instance.shouldUpdate(lastChecked, now, properties, currentVersion);
@@ -87,8 +107,8 @@ public class EngineVersionCheckTest extends BaseTest {
updateToVersion = "1.2.5";
currentVersion = "1.2.5";
lastChecked = df.parse("2014-12-01").getTime();
now = df.parse("2014-12-03").getTime();
lastChecked = dateToMilliseconds("2014-12-01");
now = dateToMilliseconds("2014-12-03");
expResult = false;
instance.setUpdateToVersion(updateToVersion);
result = instance.shouldUpdate(lastChecked, now, properties, currentVersion);
@@ -96,8 +116,8 @@ public class EngineVersionCheckTest extends BaseTest {
updateToVersion = "1.2.6";
currentVersion = "1.2.5";
lastChecked = df.parse("2014-12-01").getTime();
now = df.parse("2014-12-03").getTime();
lastChecked = dateToMilliseconds("2014-12-01");
now = dateToMilliseconds("2014-12-03");
expResult = true;
instance.setUpdateToVersion(updateToVersion);
result = instance.shouldUpdate(lastChecked, now, properties, currentVersion);
@@ -105,8 +125,8 @@ public class EngineVersionCheckTest extends BaseTest {
updateToVersion = "1.2.5";
currentVersion = "1.2.6";
lastChecked = df.parse("2014-12-01").getTime();
now = df.parse("2014-12-08").getTime();
lastChecked = dateToMilliseconds("2014-12-01");
now = dateToMilliseconds("2014-12-08");
expResult = false;
instance.setUpdateToVersion(updateToVersion);
result = instance.shouldUpdate(lastChecked, now, properties, currentVersion);
@@ -114,8 +134,8 @@ public class EngineVersionCheckTest extends BaseTest {
updateToVersion = "";
currentVersion = "1.2.5";
lastChecked = df.parse("2014-12-01").getTime();
now = df.parse("2014-12-03").getTime();
lastChecked = dateToMilliseconds("2014-12-01");
now = dateToMilliseconds("2014-12-03");
expResult = false;
instance.setUpdateToVersion(updateToVersion);
result = instance.shouldUpdate(lastChecked, now, properties, currentVersion);
@@ -123,8 +143,8 @@ public class EngineVersionCheckTest extends BaseTest {
updateToVersion = "";
currentVersion = "1.2.5";
lastChecked = df.parse("2014-12-01").getTime();
now = df.parse("2015-12-08").getTime();
lastChecked = dateToMilliseconds("2014-12-01");
now = dateToMilliseconds("2015-12-08");
expResult = true;
instance.setUpdateToVersion(updateToVersion);
result = instance.shouldUpdate(lastChecked, now, properties, currentVersion);

15
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/UpdateableNvdCveTest.java
View File

@@ -42,8 +42,7 @@ public class UpdateableNvdCveTest extends BaseTest {
public void testIsUpdateNeeded() throws MalformedURLException, DownloadFailedException, IOException {
String id = "key";
//use a local file as this test will load the result and check the timestamp
File f = new File("target/test-classes/nvdcve-2.0-2012.xml");
String url = "file:///" + f.getCanonicalPath();
String url = new File("target/test-classes/nvdcve-2.0-2012.xml").toURI().toString();
UpdateableNvdCve instance = new UpdateableNvdCve();
instance.add(id, url, url, false);
@@ -64,9 +63,8 @@ public class UpdateableNvdCveTest extends BaseTest {
@Test
public void testAdd_3args() throws Exception {
String id = "key";
File f = new File("target/test-classes/nvdcve-2.0-2012.xml");
//use a local file as this test will load the result and check the timestamp
String url = "file:///" + f.getCanonicalPath();
String url = "file:///" + new File("target/test-classes/nvdcve-2.0-2012.xml").toURI().toString();
UpdateableNvdCve instance = new UpdateableNvdCve();
instance.add(id, url, url);
NvdCveInfo results = instance.get(id);
@@ -82,8 +80,7 @@ public class UpdateableNvdCveTest extends BaseTest {
public void testAdd_4args() throws Exception {
String id = "key";
//use a local file as this test will load the result and check the timestamp
File f = new File("target/test-classes/nvdcve-2.0-2012.xml");
String url = "file:///" + f.getCanonicalPath();
String url = new File("target/test-classes/nvdcve-2.0-2012.xml").toURI().toString();
UpdateableNvdCve instance = new UpdateableNvdCve();
instance.add(id, url, url, false);
@@ -107,8 +104,7 @@ public class UpdateableNvdCveTest extends BaseTest {
public void testClear() throws MalformedURLException, DownloadFailedException, IOException {
String id = "key";
//use a local file as this test will load the result and check the timestamp
File f = new File("target/test-classes/nvdcve-2.0-2012.xml");
String url = "file:///" + f.getCanonicalPath();
String url = new File("target/test-classes/nvdcve-2.0-2012.xml").toURI().toString();
UpdateableNvdCve instance = new UpdateableNvdCve();
instance.add(id, url, url, false);
assertFalse(instance.getCollection().isEmpty());
@@ -122,8 +118,7 @@ public class UpdateableNvdCveTest extends BaseTest {
@Test
public void testIterator() throws IOException {
//use a local file as this test will load the result and check the timestamp
File f = new File("target/test-classes/nvdcve-2.0-2012.xml");
String url = "file:///" + f.getCanonicalPath();
String url = new File("target/test-classes/nvdcve-2.0-2012.xml").toURI().toString();
UpdateableNvdCve instance = new UpdateableNvdCve();
instance.add("one", url, url, false);
instance.add("two", url, url, false);

26
dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/VulnerableSoftwareTest.java
View File

@@ -109,6 +109,10 @@ public class VulnerableSoftwareTest extends BaseTest {
vs1.setCpe("2.1.10");
assertTrue(vs.compareTo(vs1) < 0);
vs.setCpe("2.1.42");
vs1.setCpe("2.3.21");
assertTrue(vs.compareTo(vs1) < 0);
vs.setCpe("cpe:/a:hp:system_management_homepage:2.1.1");
vs1.setCpe("cpe:/a:hp:system_management_homepage:2.1.10");
assertTrue(vs.compareTo(vs1) < 0);
@@ -125,6 +129,14 @@ public class VulnerableSoftwareTest extends BaseTest {
vs1.setCpe("cpe:/a:hp:system_management_homepage:2.1.10-186");
assertTrue(vs.compareTo(vs1) < 0);
//assertTrue(vs1.compareTo(vs)>0);
vs.setCpe("cpe:/a:ibm:security_guardium_database_activity_monitor:10.01");
vs1.setCpe("cpe:/a:ibm:security_guardium_database_activity_monitor:10.1");
assertTrue(vs.compareTo(vs1) < 0);
vs.setCpe("2.0");
vs1.setCpe("2.1");
assertTrue(vs.compareTo(vs1) < 0);
}
@Test
@@ -148,4 +160,18 @@ public class VulnerableSoftwareTest extends BaseTest {
assertEquals("mysql", vs.getProduct());
assertEquals("5.1.23a", vs.getVersion());
}
@Test
public void testIspositiveInteger() {
assertTrue(VulnerableSoftware.isPositiveInteger("1"));
assertTrue(VulnerableSoftware.isPositiveInteger("10"));
assertTrue(VulnerableSoftware.isPositiveInteger("666"));
assertTrue(VulnerableSoftware.isPositiveInteger("0"));
assertFalse(VulnerableSoftware.isPositiveInteger("+1"));
assertFalse(VulnerableSoftware.isPositiveInteger("-1"));
assertFalse(VulnerableSoftware.isPositiveInteger("2.1"));
assertFalse(VulnerableSoftware.isPositiveInteger("01"));
assertFalse(VulnerableSoftware.isPositiveInteger("00"));
}
}

12
dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandlerTest.java
View File

@@ -28,6 +28,7 @@ import javax.xml.parsers.SAXParserFactory;
import static org.junit.Assert.assertTrue;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.utils.XmlUtils;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
@@ -45,15 +46,10 @@ public class SuppressionHandlerTest extends BaseTest {
@Test
public void testHandler() throws Exception {
File file = BaseTest.getResourceAsFile(this, "suppressions.xml");
File schema = BaseTest.getResourceAsFile(this, "schema/suppression.xsd");
SuppressionHandler handler = new SuppressionHandler();
InputStream schemaStream = BaseTest.getResourceAsStream(this, "schema/suppression.xsd");
SAXParserFactory factory = SAXParserFactory.newInstance();
factory.setNamespaceAware(true);
factory.setValidating(true);
SAXParser saxParser = factory.newSAXParser();
saxParser.setProperty(SuppressionParser.JAXP_SCHEMA_LANGUAGE, SuppressionParser.W3C_XML_SCHEMA);
saxParser.setProperty(SuppressionParser.JAXP_SCHEMA_SOURCE, schema);
SuppressionHandler handler = new SuppressionHandler();
SAXParser saxParser = XmlUtils.buildSecureSaxParser(schemaStream);
XMLReader xmlReader = saxParser.getXMLReader();
xmlReader.setErrorHandler(new SuppressionErrorHandler());
xmlReader.setContentHandler(handler);

22
dependency-check-core/src/test/resources/dependencycheck.properties
View File

@@ -4,7 +4,7 @@ autoupdate=true
max.download.threads=3
# the url to obtain the current engine version from
engine.version.url=http://jeremylong.github.io/DependencyCheck/current.txt
engine.version.url=https://jeremylong.github.io/DependencyCheck/current.txt
#temp.directory defaults to System.getProperty("java.io.tmpdir")
#temp.directory=[path to temp directory]
@@ -48,15 +48,18 @@ cve.startyear=2014
# the path to the modified nvd cve xml file.
cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
#cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
#the original URL and modified URL should be the same; this is used to detect if we are using an internal NVD CVE copy
cve.url-2.0.original=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
#cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
#cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
#cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
cve.cpe.startswith.filter=cpe:/a:
cpe.validfordays=30
cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
cpe.url=https://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
# the URL for searching Nexus for SHA-1 hashes and whether it's enabled
@@ -68,7 +71,7 @@ analyzer.nexus.proxy=true
# the URL for searching search.maven.org for SHA-1 and whether it's enabled
analyzer.central.enabled=true
analyzer.central.url=http://search.maven.org/solrsearch/select
analyzer.central.url=https://search.maven.org/solrsearch/select
# the number of nested archives that will be searched.
archive.scan.depth=3
@@ -92,8 +95,21 @@ analyzer.nuspec.enabled=true
analyzer.openssl.enabled=true
analyzer.central.enabled=true
analyzer.nexus.enabled=false
analyzer.cocoapods.enabled=true
analyzer.swift.package.manager.enabled=true
#whether the nexus analyzer uses the proxy
analyzer.nexus.proxy=true
#Use your own bundle-audit install directory.
analyzer.bundle.audit.path=/usr/local/bin/bundle-audit
analyzer.cpe.enabled=true
analyzer.cpesuppression.enabled=true
analyzer.dependencybundling.enabled=true
analyzer.dependencymerging.enabled=true
analyzer.falsepositive.enabled=true
analyzer.filename.enabled=true
analyzer.hint.enabled=true
analyzer.nvdcve.enabled=true
analyzer.vulnerabilitysuppression.enabled=true
updater.nvdcve.enabled=true
updater.versioncheck.enabled=true

37
dependency-check-maven/pom.xml
View File

@@ -20,9 +20,8 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>1.4.4</version>
<version>1.4.5</version>
</parent>
<artifactId>dependency-check-maven</artifactId>
<packaging>maven-plugin</packaging>
<name>Dependency-Check Maven Plugin</name>
@@ -116,7 +115,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<configuration>
<rules>
<requireMavenVersion>
<version>[3.0,]</version>
<version>[3.1,]</version>
</requireMavenVersion>
</rules>
<fail>true</fail>
@@ -226,4 +225,36 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
<scope>test</scope>
</dependency>
</dependencies>
<profiles>
<profile>
<id>FullIntegrationTesting</id>
<activation>
<property>
<name>releaseTesting</name>
</property>
</activation>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-invoker-plugin</artifactId>
<version>2.0.0</version>
<configuration>
<cloneProjectsTo>${project.build.directory}/it</cloneProjectsTo>
<localRepositoryPath>target/local-repo</localRepositoryPath>
</configuration>
<executions>
<execution>
<id>integration-test</id>
<goals>
<goal>install</goal>
<goal>run</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
</profiles>
</project>

19
dependency-check-maven/src/it/617-hierarchical-cross-deps/invoker.properties Normal file
View File

@@ -0,0 +1,19 @@
#
# This file is part of dependency-check-maven.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Copyright (c) 2014 Jeremy Long. All Rights Reserved.
#
invoker.goals = install ${project.groupId}:${project.artifactId}:${project.version}:check -e

35
dependency-check-maven/src/it/617-hierarchical-cross-deps/module-java/pom.xml Normal file
View File

@@ -0,0 +1,35 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is part of dependency-check-maven.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Copyright (c) 2013 Jeremy Long. All Rights Reserved.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.owasp.test</groupId>
<artifactId>hierarchical-cross-deps</artifactId>
<version>1.0.0-SNAPSHOT</version>
</parent>
<artifactId>module-java</artifactId>
<packaging>jar</packaging>
<dependencies>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.17</version>
</dependency>
</dependencies>
</project>

35
dependency-check-maven/src/it/617-hierarchical-cross-deps/module-web/pom.xml Normal file
View File

@@ -0,0 +1,35 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is part of dependency-check-maven.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Copyright (c) 2013 Jeremy Long. All Rights Reserved.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.owasp.test</groupId>
<artifactId>hierarchical-cross-deps</artifactId>
<version>1.0.0-SNAPSHOT</version>
</parent>
<artifactId>module-web</artifactId>
<packaging>war</packaging>
<dependencies>
<dependency>
<groupId>${project.groupId}</groupId>
<artifactId>module-java</artifactId>
<version>${project.version}</version>
</dependency>
</dependencies>
</project>

26
dependency-check-maven/src/it/617-hierarchical-cross-deps/module-web/src/main/webapp/WEB-INF/web.xml Normal file
View File

@@ -0,0 +1,26 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is part of dependency-check-maven.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Copyright (c) 2013 Jeremy Long. All Rights Reserved.
-->
<web-app id="WebApp_ID" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>test-app</display-name>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
</web-app>

29
dependency-check-maven/src/it/617-hierarchical-cross-deps/pom.xml Normal file
View File

@@ -0,0 +1,29 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is part of dependency-check-maven.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Copyright (c) 2013 Jeremy Long. All Rights Reserved.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.owasp.test</groupId>
<artifactId>hierarchical-cross-deps</artifactId>
<version>1.0.0-SNAPSHOT</version>
<packaging>pom</packaging>
<modules>
<module>module-java</module>
<module>module-web</module>
</modules>
</project>

28
dependency-check-maven/src/it/617-hierarchical-cross-deps/postbuild.groovy Normal file
View File

@@ -0,0 +1,28 @@
/*
* This file is part of dependency-check-maven.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
*/
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang.StringUtils;
// Save NVD-CVE for next IT (if not already done)
File datasDwl = new File("target/local-repo/org/owasp/dependency-check-data/3.0", "dc.h2.db");
File datasSave = new File("target/nvd-cve-backup", "dc.h2.db");
if (datasDwl.exists() && !datasSave.exists()){
System.out.println("Save NVD-CVE into backup");
FileUtils.copyFile(datasDwl, datasSave);
}

28
dependency-check-maven/src/it/617-hierarchical-cross-deps/prebuild.groovy Normal file
View File

@@ -0,0 +1,28 @@
/*
* This file is part of dependency-check-maven.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
*/
import org.apache.commons.io.FileUtils;
// Load NVD-CVE if not exist and had been saved in a previous IT
File datasDwl = new File("target/local-repo/org/owasp/dependency-check-data/3.0", "dc.h2.db");
File datasSave = new File("target/nvd-cve-backup", "dc.h2.db");
if (!datasDwl.exists() && datasSave.exists()){
System.out.println("Load NVD-CVE from backup");
FileUtils.copyFile(datasSave, datasDwl);
}

20
dependency-check-maven/src/it/618-aggregator-purge/invoker.properties Normal file
View File

@@ -0,0 +1,20 @@
#
# This file is part of dependency-check-maven.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Copyright (c) 2014 Jeremy Long. All Rights Reserved.
#
invoker.goals.1 = ${project.groupId}:${project.artifactId}:${project.version}:update-only -DdataDirectory=./data -Dcve.startyear=2017
invoker.goals.2 = ${project.groupId}:${project.artifactId}:${project.version}:purge -DdataDirectory=./data

35
dependency-check-maven/src/it/618-aggregator-purge/module/pom.xml Normal file
View File

@@ -0,0 +1,35 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is part of dependency-check-maven.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Copyright (c) 2013 Jeremy Long. All Rights Reserved.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.owasp.test</groupId>
<artifactId>hierarchical</artifactId>
<version>1.0.0-SNAPSHOT</version>
</parent>
<artifactId>module</artifactId>
<packaging>jar</packaging>
<dependencies>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.17</version>
</dependency>
</dependencies>
</project>

28
dependency-check-maven/src/it/618-aggregator-purge/pom.xml Normal file
View File

@@ -0,0 +1,28 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is part of dependency-check-maven.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Copyright (c) 2013 Jeremy Long. All Rights Reserved.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.owasp.test</groupId>
<artifactId>hierarchical</artifactId>
<version>1.0.0-SNAPSHOT</version>
<packaging>pom</packaging>
<modules>
<module>module</module>
</modules>
</project>

29
dependency-check-maven/src/it/618-aggregator-purge/postbuild.groovy Normal file
View File

@@ -0,0 +1,29 @@
/*
* This file is part of dependency-check-maven.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2016 Jeremy Long. All Rights Reserved.
*/
import java.nio.charset.Charset;
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang.StringUtils;
// Analyse number of "Checking for updates"
String log = FileUtils.readFileToString(new File(basedir, "build.log"), Charset.defaultCharset().name());
if (!StringUtils.contains(log, "Database file purged; local copy of the NVD has been removed")) {
System.out.println("The database was not purged.");
return false;
}

19
dependency-check-maven/src/it/618-aggregator-update-only/invoker.properties Normal file
View File

@@ -0,0 +1,19 @@
#
# This file is part of dependency-check-maven.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Copyright (c) 2014 Jeremy Long. All Rights Reserved.
#
invoker.goals = ${project.groupId}:${project.artifactId}:${project.version}:update-only

35
dependency-check-maven/src/it/618-aggregator-update-only/module/pom.xml Normal file
View File

@@ -0,0 +1,35 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is part of dependency-check-maven.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Copyright (c) 2013 Jeremy Long. All Rights Reserved.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.owasp.test</groupId>
<artifactId>hierarchical</artifactId>
<version>1.0.0-SNAPSHOT</version>
</parent>
<artifactId>module</artifactId>
<packaging>jar</packaging>
<dependencies>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.17</version>
</dependency>
</dependencies>
</project>

28
dependency-check-maven/src/it/618-aggregator-update-only/pom.xml Normal file
View File

@@ -0,0 +1,28 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is part of dependency-check-maven.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Copyright (c) 2013 Jeremy Long. All Rights Reserved.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.owasp.test</groupId>
<artifactId>hierarchical</artifactId>
<version>1.0.0-SNAPSHOT</version>
<packaging>pom</packaging>
<modules>
<module>module</module>
</modules>
</project>

38
dependency-check-maven/src/it/618-aggregator-update-only/postbuild.groovy Normal file
View File

@@ -0,0 +1,38 @@
/*
* This file is part of dependency-check-maven.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
*/
import java.nio.charset.Charset;
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang.StringUtils;
// Save NVD-CVE for next IT (if not already done)
File datasDwl = new File("target/local-repo/org/owasp/dependency-check-data/3.0", "dc.h2.db");
File datasSave = new File("target/nvd-cve-backup", "dc.h2.db");
if (datasDwl.exists() && !datasSave.exists()){
System.out.println("Save NVD-CVE into backup");
FileUtils.copyFile(datasDwl, datasSave);
}
// Analyse number of "Checking for updates"
String log = FileUtils.readFileToString(new File(basedir, "build.log"), Charset.defaultCharset().name());
int count = StringUtils.countMatches(log, "Checking for updates");
if (count > 1){
System.out.println(String.format("The update should be unique, it is %s", count));
return false;
//throw new Exception(String.format("The update should be unique, it is %s", count));
}

Some files were not shown because too many files have changed in this diff Show More