View Javadoc

1   /*
2    * This file is part of dependency-check-cli.
3    *
4    * Dependency-check-cli is free software: you can redistribute it and/or modify it
5    * under the terms of the GNU General Public License as published by the Free
6    * Software Foundation, either version 3 of the License, or (at your option) any
7    * later version.
8    *
9    * Dependency-check-cli is distributed in the hope that it will be useful, but
10   * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11   * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
12   * details.
13   *
14   * You should have received a copy of the GNU General Public License along with
15   * dependency-check-cli. If not, see http://www.gnu.org/licenses/.
16   *
17   * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
18   */
19  package org.owasp.dependencycheck.cli;
20  
21  import java.io.File;
22  import java.io.FileNotFoundException;
23  import org.apache.commons.cli.CommandLine;
24  import org.apache.commons.cli.CommandLineParser;
25  import org.apache.commons.cli.HelpFormatter;
26  import org.apache.commons.cli.Option;
27  import org.apache.commons.cli.OptionBuilder;
28  import org.apache.commons.cli.OptionGroup;
29  import org.apache.commons.cli.Options;
30  import org.apache.commons.cli.ParseException;
31  import org.apache.commons.cli.PosixParser;
32  import org.owasp.dependencycheck.reporting.ReportGenerator.Format;
33  import org.owasp.dependencycheck.utils.Settings;
34  
35  /**
36   * A utility to parse command line arguments for the DependencyCheck.
37   *
38   * @author Jeremy Long (jeremy.long@owasp.org)
39   */
40  public final class CliParser {
41  
42      /**
43       * The command line.
44       */
45      private CommandLine line;
46      /**
47       * The options for the command line parser.
48       */
49      private final Options options = createCommandLineOptions();
50      /**
51       * Indicates whether the arguments are valid.
52       */
53      private boolean isValid = true;
54  
55      /**
56       * Parses the arguments passed in and captures the results for later use.
57       *
58       * @param args the command line arguments
59       * @throws FileNotFoundException is thrown when a 'file' argument does not
60       * point to a file that exists.
61       * @throws ParseException is thrown when a Parse Exception occurs.
62       */
63      public void parse(String[] args) throws FileNotFoundException, ParseException {
64          line = parseArgs(args);
65  
66          if (line != null) {
67              validateArgs();
68          }
69      }
70  
71      /**
72       * Parses the command line arguments.
73       *
74       * @param args the command line arguments
75       * @return the results of parsing the command line arguments
76       * @throws ParseException if the arguments are invalid
77       */
78      private CommandLine parseArgs(String[] args) throws ParseException {
79          final CommandLineParser parser = new PosixParser();
80          return parser.parse(options, args);
81      }
82  
83      /**
84       * Validates that the command line arguments are valid.
85       *
86       * @throws FileNotFoundException if there is a file specified by either the
87       * SCAN or CPE command line arguments that does not exist.
88       * @throws ParseException is thrown if there is an exception parsing the
89       * command line.
90       */
91      private void validateArgs() throws FileNotFoundException, ParseException {
92          if (isRunScan()) {
93              validatePathExists(getScanFiles(), "scan");
94              validatePathExists(getReportDirectory(), "out");
95              if (!line.hasOption(ArgumentName.APP_NAME)) {
96                  throw new ParseException("Missing 'app' argument; the scan cannot be run without the an application name.");
97              }
98              if (line.hasOption(ArgumentName.OUTPUT_FORMAT)) {
99                  final String format = line.getOptionValue(ArgumentName.OUTPUT_FORMAT);
100                 try {
101                     Format.valueOf(format);
102                 } catch (IllegalArgumentException ex) {
103                     final String msg = String.format("An invalid 'format' of '%s' was specified. Supported output formats are XML, HTML, VULN, or ALL", format);
104                     throw new ParseException(msg);
105                 }
106             }
107         }
108     }
109 
110     /**
111      * Validates whether or not the path(s) points at a file that exists; if the
112      * path(s) does not point to an existing file a FileNotFoundException is
113      * thrown.
114      *
115      * @param paths the paths to validate if they exists
116      * @param optType the option being validated (e.g. scan, out, etc.)
117      * @throws FileNotFoundException is thrown if one of the paths being
118      * validated does not exist.
119      */
120     private void validatePathExists(String[] paths, String optType) throws FileNotFoundException {
121         for (String path : paths) {
122             validatePathExists(path, optType);
123         }
124     }
125 
126     /**
127      * Validates whether or not the path points at a file that exists; if the
128      * path does not point to an existing file a FileNotFoundException is
129      * thrown.
130      *
131      * @param path the paths to validate if they exists
132      * @param optType the option being validated (e.g. scan, out, etc.)
133      * @throws FileNotFoundException is thrown if the path being validated does
134      * not exist.
135      */
136     private void validatePathExists(String path, String optType) throws FileNotFoundException {
137         final File f = new File(path);
138         if (!f.exists()) {
139             isValid = false;
140             final String msg = String.format("Invalid '%s' argument: '%s'", optType, path);
141             throw new FileNotFoundException(msg);
142         }
143     }
144 
145     /**
146      * Generates an Options collection that is used to parse the command line
147      * and to display the help message.
148      *
149      * @return the command line options used for parsing the command line
150      */
151     @SuppressWarnings("static-access")
152     private Options createCommandLineOptions() {
153         final Option help = new Option(ArgumentName.HELP_SHORT, ArgumentName.HELP, false,
154                 "Print this message.");
155 
156         final Option version = new Option(ArgumentName.VERSION_SHORT, ArgumentName.VERSION,
157                 false, "Print the version information.");
158 
159         final Option noUpdate = new Option(ArgumentName.DISABLE_AUTO_UPDATE_SHORT, ArgumentName.DISABLE_AUTO_UPDATE,
160                 false, "Disables the automatic updating of the CPE data.");
161 
162         final Option appName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ArgumentName.APP_NAME)
163                 .withDescription("The name of the application being scanned. This is a required argument.")
164                 .create(ArgumentName.APP_NAME_SHORT);
165 
166         final Option connectionTimeout = OptionBuilder.withArgName("timeout").hasArg().withLongOpt(ArgumentName.CONNECTION_TIMEOUT)
167                 .withDescription("The connection timeout (in milliseconds) to use when downloading resources.")
168                 .create(ArgumentName.CONNECTION_TIMEOUT_SHORT);
169 
170         final Option proxyUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ArgumentName.PROXY_URL)
171                 .withDescription("The proxy url to use when downloading resources.")
172                 .create(ArgumentName.PROXY_URL_SHORT);
173 
174         final Option proxyPort = OptionBuilder.withArgName("port").hasArg().withLongOpt(ArgumentName.PROXY_PORT)
175                 .withDescription("The proxy port to use when downloading resources.")
176                 .create(ArgumentName.PROXY_PORT_SHORT);
177 
178         final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.SCAN)
179                 .withDescription("The path to scan - this option can be specified multiple times.")
180                 .create(ArgumentName.SCAN_SHORT);
181 
182         final Option props = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.PROP)
183                 .withDescription("A property file to load.")
184                 .create(ArgumentName.PROP_SHORT);
185 
186         final Option data = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.DATA_DIRECTORY)
187                 .withDescription("The location of the data directory used to store persistent data. This option should generally not be set.")
188                 .create(ArgumentName.DATA_DIRECTORY_SHORT);
189 
190         final Option out = OptionBuilder.withArgName("folder").hasArg().withLongOpt(ArgumentName.OUT)
191                 .withDescription("The folder to write reports to. This defaults to the current directory.")
192                 .create(ArgumentName.OUT_SHORT);
193 
194         final Option outputFormat = OptionBuilder.withArgName("format").hasArg().withLongOpt(ArgumentName.OUTPUT_FORMAT)
195                 .withDescription("The output format to write to (XML, HTML, VULN, ALL). The default is HTML.")
196                 .create(ArgumentName.OUTPUT_FORMAT_SHORT);
197 
198         final OptionGroup og = new OptionGroup();
199         og.addOption(path);
200 
201         final Options opts = new Options();
202         opts.addOptionGroup(og);
203         opts.addOption(out);
204         opts.addOption(outputFormat);
205         opts.addOption(appName);
206         opts.addOption(version);
207         opts.addOption(help);
208         opts.addOption(noUpdate);
209         opts.addOption(props);
210         opts.addOption(data);
211         opts.addOption(proxyPort);
212         opts.addOption(proxyUrl);
213         opts.addOption(connectionTimeout);
214 
215         return opts;
216     }
217 
218     /**
219      * Determines if the 'version' command line argument was passed in.
220      *
221      * @return whether or not the 'version' command line argument was passed in
222      */
223     public boolean isGetVersion() {
224         return (line != null) && line.hasOption(ArgumentName.VERSION);
225     }
226 
227     /**
228      * Determines if the 'help' command line argument was passed in.
229      *
230      * @return whether or not the 'help' command line argument was passed in
231      */
232     public boolean isGetHelp() {
233         return (line != null) && line.hasOption(ArgumentName.HELP);
234     }
235 
236     /**
237      * Determines if the 'scan' command line argument was passed in.
238      *
239      * @return whether or not the 'scan' command line argument was passed in
240      */
241     public boolean isRunScan() {
242         return (line != null) && isValid && line.hasOption(ArgumentName.SCAN);
243     }
244 
245     /**
246      * Displays the command line help message to the standard output.
247      */
248     public void printHelp() {
249         final HelpFormatter formatter = new HelpFormatter();
250         final String nl = System.getProperty("line.separator");
251 
252         formatter.printHelp(Settings.getString("application.name", "DependencyCheck"),
253                 nl + Settings.getString("application.name", "DependencyCheck")
254                 + " can be used to identify if there are any known CVE vulnerabilities in libraries utilized by an application. "
255                 + Settings.getString("application.name", "DependencyCheck")
256                 + " will automatically update required data from the Internet, such as the CVE and CPE data files from nvd.nist.gov." + nl + nl,
257                 options,
258                 "",
259                 true);
260     }
261 
262     /**
263      * Retrieves the file command line parameter(s) specified for the 'scan'
264      * argument.
265      *
266      * @return the file paths specified on the command line for scan
267      */
268     public String[] getScanFiles() {
269         return line.getOptionValues(ArgumentName.SCAN);
270     }
271 
272     /**
273      * Returns the directory to write the reports to specified on the command
274      * line.
275      *
276      * @return the path to the reports directory.
277      */
278     public String getReportDirectory() {
279         return line.getOptionValue(ArgumentName.OUT, ".");
280     }
281 
282     /**
283      * Returns the output format specified on the command line. Defaults to HTML
284      * if no format was specified.
285      *
286      * @return the output format name.
287      */
288     public String getReportFormat() {
289         return line.getOptionValue(ArgumentName.OUTPUT_FORMAT, "HTML");
290     }
291 
292     /**
293      * Returns the application name specified on the command line.
294      *
295      * @return the application name.
296      */
297     public String getApplicationName() {
298         return line.getOptionValue(ArgumentName.APP_NAME);
299     }
300 
301     /**
302      * Returns the connection timeout.
303      *
304      * @return the connection timeout
305      */
306     public String getConnectionTimeout() {
307         return line.getOptionValue(ArgumentName.CONNECTION_TIMEOUT);
308     }
309 
310     /**
311      * Returns the proxy url.
312      *
313      * @return the proxy url
314      */
315     public String getProxyUrl() {
316         return line.getOptionValue(ArgumentName.PROXY_URL);
317     }
318 
319     /**
320      * Returns the proxy port.
321      *
322      * @return the proxy port
323      */
324     public String getProxyPort() {
325         return line.getOptionValue(ArgumentName.PROXY_PORT);
326     }
327 
328     /**
329      * Get the value of dataDirectory.
330      *
331      * @return the value of dataDirectory
332      */
333     public String getDataDirectory() {
334         return line.getOptionValue(ArgumentName.DATA_DIRECTORY);
335     }
336 
337     /**
338      * <p>Prints the manifest information to standard output.</p>
339      * <ul><li>Implementation-Title: ${pom.name}</li>
340      * <li>Implementation-Version: ${pom.version}</li></ul>
341      */
342     public void printVersionInfo() {
343         final String version = String.format("%s version %s",
344                 Settings.getString("application.name", "DependencyCheck"),
345                 Settings.getString("application.version", "Unknown"));
346         System.out.println(version);
347     }
348 
349     /**
350      * Checks if the auto update feature has been disabled. If it has been
351      * disabled via the command line this will return false.
352      *
353      * @return if auto-update is allowed.
354      */
355     public boolean isAutoUpdate() {
356         return (line == null) || !line.hasOption(ArgumentName.DISABLE_AUTO_UPDATE);
357     }
358 
359     /**
360      * A collection of static final strings that represent the possible command
361      * line arguments.
362      */
363     public static class ArgumentName {
364 
365         /**
366          * The long CLI argument name specifying the directory/file to scan.
367          */
368         public static final String SCAN = "scan";
369         /**
370          * The short CLI argument name specifying the directory/file to scan.
371          */
372         public static final String SCAN_SHORT = "s";
373         /**
374          * The long CLI argument name specifying that the CPE/CVE/etc. data
375          * should not be automatically updated.
376          */
377         public static final String DISABLE_AUTO_UPDATE = "noupdate";
378         /**
379          * The short CLI argument name specifying that the CPE/CVE/etc. data
380          * should not be automatically updated.
381          */
382         public static final String DISABLE_AUTO_UPDATE_SHORT = "n";
383         /**
384          * The long CLI argument name specifying the directory to write the
385          * reports to.
386          */
387         public static final String OUT = "out";
388         /**
389          * The short CLI argument name specifying the directory to write the
390          * reports to.
391          */
392         public static final String OUT_SHORT = "o";
393         /**
394          * The long CLI argument name specifying the output format to write the
395          * reports to.
396          */
397         public static final String OUTPUT_FORMAT = "format";
398         /**
399          * The short CLI argument name specifying the output format to write the
400          * reports to.
401          */
402         public static final String OUTPUT_FORMAT_SHORT = "f";
403         /**
404          * The long CLI argument name specifying the name of the application to
405          * be scanned.
406          */
407         public static final String APP_NAME = "app";
408         /**
409          * The short CLI argument name specifying the name of the application to
410          * be scanned.
411          */
412         public static final String APP_NAME_SHORT = "a";
413         /**
414          * The long CLI argument name asking for help.
415          */
416         public static final String HELP = "help";
417         /**
418          * The short CLI argument name asking for help.
419          */
420         public static final String HELP_SHORT = "h";
421         /**
422          * The long CLI argument name asking for the version.
423          */
424         public static final String VERSION_SHORT = "v";
425         /**
426          * The short CLI argument name asking for the version.
427          */
428         public static final String VERSION = "version";
429         /**
430          * The short CLI argument name indicating the proxy port.
431          */
432         public static final String PROXY_PORT_SHORT = "p";
433         /**
434          * The CLI argument name indicating the proxy port.
435          */
436         public static final String PROXY_PORT = "proxyport";
437         /**
438          * The short CLI argument name indicating the proxy url.
439          */
440         public static final String PROXY_URL_SHORT = "u";
441         /**
442          * The CLI argument name indicating the proxy url.
443          */
444         public static final String PROXY_URL = "proxyurl";
445         /**
446          * The short CLI argument name indicating the proxy url.
447          */
448         public static final String CONNECTION_TIMEOUT_SHORT = "c";
449         /**
450          * The CLI argument name indicating the proxy url.
451          */
452         public static final String CONNECTION_TIMEOUT = "connectiontimeout";
453         /**
454          * The short CLI argument name for setting the location of an additional
455          * properties file.
456          */
457         public static final String PROP_SHORT = "p";
458         /**
459          * The CLI argument name for setting the location of an additional
460          * properties file.
461          */
462         public static final String PROP = "propertyfile";
463         /**
464          * The CLI argument name for setting the location of the data directory.
465          */
466         public static final String DATA_DIRECTORY = "data";
467         /**
468          * The short CLI argument name for setting the location of the data
469          * directory.
470          */
471         public static final String DATA_DIRECTORY_SHORT = "d";
472     }
473 }