Coverage Report - org.owasp.dependencycheck.agent.DependencyCheckScanAgent
 
Classes in this File Line Coverage Branch Coverage Complexity
DependencyCheckScanAgent
0%
0/139
0%
0/118
1.922
 
 1   
 /*
 2   
  * This file is part of dependency-check-core.
 3   
  *
 4   
  * Licensed under the Apache License, Version 2.0 (the "License");
 5   
  * you may not use this file except in compliance with the License.
 6   
  * You may obtain a copy of the License at
 7   
  *
 8   
  *     http://www.apache.org/licenses/LICENSE-2.0
 9   
  *
 10   
  * Unless required by applicable law or agreed to in writing, software
 11   
  * distributed under the License is distributed on an "AS IS" BASIS,
 12   
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 13   
  * See the License for the specific language governing permissions and
 14   
  * limitations under the License.
 15   
  *
 16   
  * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 17   
  */
 18   
 package org.owasp.dependencycheck.agent;
 19   
 
 20   
 import java.io.File;
 21   
 import java.io.IOException;
 22   
 import java.util.List;
 23   
 import java.util.logging.Level;
 24   
 import java.util.logging.Logger;
 25   
 import org.owasp.dependencycheck.Engine;
 26   
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 27   
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 28   
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 29   
 import org.owasp.dependencycheck.dependency.Dependency;
 30   
 import org.owasp.dependencycheck.dependency.Identifier;
 31   
 import org.owasp.dependencycheck.dependency.Vulnerability;
 32   
 import org.owasp.dependencycheck.exception.ScanAgentException;
 33   
 import org.owasp.dependencycheck.reporting.ReportGenerator;
 34   
 import org.owasp.dependencycheck.utils.Settings;
 35   
 
 36   
 /**
 37   
  * This class provides a way to easily conduct a scan solely based on existing evidence metadata rather than collecting
 38   
  * evidence from the files themselves. This class is based on the Ant task and Maven plugin with the exception that it
 39   
  * takes a list of dependencies that can be programmatically added from data in a spreadsheet, database or some other
 40   
  * datasource and conduct a scan based on this pre-defined evidence.
 41   
  *
 42   
  * <h2>Example:</h2>
 43   
  * <pre>
 44   
  * List<Dependency> dependencies = new ArrayList<Dependency>();
 45   
  * Dependency dependency = new Dependency(new File(FileUtils.getBitBucket()));
 46   
  * dependency.getProductEvidence().addEvidence("my-datasource", "name", "Jetty", Confidence.HIGH);
 47   
  * dependency.getVersionEvidence().addEvidence("my-datasource", "version", "5.1.10", Confidence.HIGH);
 48   
  * dependency.getVendorEvidence().addEvidence("my-datasource", "vendor", "mortbay", Confidence.HIGH);
 49   
  * dependencies.add(dependency);
 50   
  *
 51   
  * DependencyCheckScanAgent scan = new DependencyCheckScanAgent();
 52   
  * scan.setDependencies(dependencies);
 53   
  * scan.setReportFormat(ReportGenerator.Format.ALL);
 54   
  * scan.setReportOutputDirectory(System.getProperty("user.home"));
 55   
  * scan.execute();
 56   
  * </pre>
 57   
  *
 58   
  * @author Steve Springett <steve.springett@owasp.org>
 59   
  */
 60   
 @SuppressWarnings("unused")
 61  0 
 public class DependencyCheckScanAgent {
 62   
 
 63   
     /**
 64   
      * System specific new line character.
 65   
      */
 66  0 
     private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();
 67   
 
 68   
     /**
 69   
      * The application name for the report.
 70   
      */
 71  0 
     private String applicationName = "Dependency-Check";
 72   
 
 73   
     /**
 74   
      * Get the value of applicationName.
 75   
      *
 76   
      * @return the value of applicationName
 77   
      */
 78   
     public String getApplicationName() {
 79   
         return applicationName;
 80   
     }
 81   
 
 82   
     /**
 83   
      * Set the value of applicationName.
 84   
      *
 85   
      * @param applicationName new value of applicationName
 86   
      */
 87   
     public void setApplicationName(String applicationName) {
 88   
         this.applicationName = applicationName;
 89   
     }
 90   
 
 91   
     /**
 92   
      * The pre-determined dependencies to scan
 93   
      */
 94   
     private List<Dependency> dependencies;
 95   
 
 96   
     /**
 97   
      * Returns a list of pre-determined dependencies.
 98   
      *
 99   
      * @return returns a list of dependencies
 100   
      */
 101   
     public List<Dependency> getDependencies() {
 102   
         return dependencies;
 103   
     }
 104   
 
 105   
     /**
 106   
      * Sets the list of dependencies to scan.
 107   
      *
 108   
      * @param dependencies new value of dependencies
 109   
      */
 110   
     public void setDependencies(List<Dependency> dependencies) {
 111   
         this.dependencies = dependencies;
 112   
     }
 113   
 
 114   
     /**
 115   
      * The location of the data directory that contains
 116   
      */
 117  0 
     private String dataDirectory = null;
 118   
 
 119   
     /**
 120   
      * Get the value of dataDirectory.
 121   
      *
 122   
      * @return the value of dataDirectory
 123   
      */
 124   
     public String getDataDirectory() {
 125   
         return dataDirectory;
 126   
     }
 127   
 
 128   
     /**
 129   
      * Set the value of dataDirectory.
 130   
      *
 131   
      * @param dataDirectory new value of dataDirectory
 132   
      */
 133   
     public void setDataDirectory(String dataDirectory) {
 134   
         this.dataDirectory = dataDirectory;
 135   
     }
 136   
 
 137   
     /**
 138   
      * Specifies the destination directory for the generated Dependency-Check report.
 139   
      */
 140   
     private String reportOutputDirectory;
 141   
 
 142   
     /**
 143   
      * Get the value of reportOutputDirectory.
 144   
      *
 145   
      * @return the value of reportOutputDirectory
 146   
      */
 147   
     public String getReportOutputDirectory() {
 148   
         return reportOutputDirectory;
 149   
     }
 150   
 
 151   
     /**
 152   
      * Set the value of reportOutputDirectory.
 153   
      *
 154   
      * @param reportOutputDirectory new value of reportOutputDirectory
 155   
      */
 156   
     public void setReportOutputDirectory(String reportOutputDirectory) {
 157   
         this.reportOutputDirectory = reportOutputDirectory;
 158   
     }
 159   
 
 160   
     /**
 161   
      * Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11
 162   
      * which means since the CVSS scores are 0-10, by default the build will never fail and the CVSS score is set to 11.
 163   
      * The valid range for the fail build on CVSS is 0 to 11, where anything above 10 will not cause the build to fail.
 164   
      */
 165  0 
     private float failBuildOnCVSS = 11;
 166   
 
 167   
     /**
 168   
      * Get the value of failBuildOnCVSS.
 169   
      *
 170   
      * @return the value of failBuildOnCVSS
 171   
      */
 172   
     public float getFailBuildOnCVSS() {
 173   
         return failBuildOnCVSS;
 174   
     }
 175   
 
 176   
     /**
 177   
      * Set the value of failBuildOnCVSS.
 178   
      *
 179   
      * @param failBuildOnCVSS new value of failBuildOnCVSS
 180   
      */
 181   
     public void setFailBuildOnCVSS(float failBuildOnCVSS) {
 182   
         this.failBuildOnCVSS = failBuildOnCVSS;
 183   
     }
 184   
 
 185   
     /**
 186   
      * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to
 187   
      * false. Default is true.
 188   
      */
 189  0 
     private boolean autoUpdate = true;
 190   
 
 191   
     /**
 192   
      * Get the value of autoUpdate.
 193   
      *
 194   
      * @return the value of autoUpdate
 195   
      */
 196   
     public boolean isAutoUpdate() {
 197   
         return autoUpdate;
 198   
     }
 199   
 
 200   
     /**
 201   
      * Set the value of autoUpdate.
 202   
      *
 203   
      * @param autoUpdate new value of autoUpdate
 204   
      */
 205   
     public void setAutoUpdate(boolean autoUpdate) {
 206   
         this.autoUpdate = autoUpdate;
 207   
     }
 208   
 
 209   
     /**
 210   
      * The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this
 211   
      * within the Site plugin unless the externalReport is set to true. Default is HTML.
 212   
      */
 213  0 
     private ReportGenerator.Format reportFormat = ReportGenerator.Format.HTML;
 214   
 
 215   
     /**
 216   
      * Get the value of reportFormat.
 217   
      *
 218   
      * @return the value of reportFormat
 219   
      */
 220   
     public ReportGenerator.Format getReportFormat() {
 221   
         return reportFormat;
 222   
     }
 223   
 
 224   
     /**
 225   
      * Set the value of reportFormat.
 226   
      *
 227   
      * @param reportFormat new value of reportFormat
 228   
      */
 229   
     public void setReportFormat(ReportGenerator.Format reportFormat) {
 230   
         this.reportFormat = reportFormat;
 231   
     }
 232   
 
 233   
     /**
 234   
      * The Proxy URL.
 235   
      */
 236   
     private String proxyUrl;
 237   
 
 238   
     /**
 239   
      * Get the value of proxyUrl.
 240   
      *
 241   
      * @return the value of proxyUrl
 242   
      */
 243   
     public String getProxyUrl() {
 244   
         return proxyUrl;
 245   
     }
 246   
 
 247   
     /**
 248   
      * Set the value of proxyUrl.
 249   
      *
 250   
      * @param proxyUrl new value of proxyUrl
 251   
      */
 252   
     public void setProxyUrl(String proxyUrl) {
 253   
         this.proxyUrl = proxyUrl;
 254   
     }
 255   
 
 256   
     /**
 257   
      * The Proxy Port.
 258   
      */
 259   
     private String proxyPort;
 260   
 
 261   
     /**
 262   
      * Get the value of proxyPort.
 263   
      *
 264   
      * @return the value of proxyPort
 265   
      */
 266   
     public String getProxyPort() {
 267   
         return proxyPort;
 268   
     }
 269   
 
 270   
     /**
 271   
      * Set the value of proxyPort.
 272   
      *
 273   
      * @param proxyPort new value of proxyPort
 274   
      */
 275   
     public void setProxyPort(String proxyPort) {
 276   
         this.proxyPort = proxyPort;
 277   
     }
 278   
 
 279   
     /**
 280   
      * The Proxy username.
 281   
      */
 282   
     private String proxyUsername;
 283   
 
 284   
     /**
 285   
      * Get the value of proxyUsername.
 286   
      *
 287   
      * @return the value of proxyUsername
 288   
      */
 289   
     public String getProxyUsername() {
 290   
         return proxyUsername;
 291   
     }
 292   
 
 293   
     /**
 294   
      * Set the value of proxyUsername.
 295   
      *
 296   
      * @param proxyUsername new value of proxyUsername
 297   
      */
 298   
     public void setProxyUsername(String proxyUsername) {
 299   
         this.proxyUsername = proxyUsername;
 300   
     }
 301   
 
 302   
     /**
 303   
      * The Proxy password.
 304   
      */
 305   
     private String proxyPassword;
 306   
 
 307   
     /**
 308   
      * Get the value of proxyPassword.
 309   
      *
 310   
      * @return the value of proxyPassword
 311   
      */
 312   
     public String getProxyPassword() {
 313   
         return proxyPassword;
 314   
     }
 315   
 
 316   
     /**
 317   
      * Set the value of proxyPassword.
 318   
      *
 319   
      * @param proxyPassword new value of proxyPassword
 320   
      */
 321   
     public void setProxyPassword(String proxyPassword) {
 322   
         this.proxyPassword = proxyPassword;
 323   
     }
 324   
 
 325   
     /**
 326   
      * The Connection Timeout.
 327   
      */
 328   
     private String connectionTimeout;
 329   
 
 330   
     /**
 331   
      * Get the value of connectionTimeout.
 332   
      *
 333   
      * @return the value of connectionTimeout
 334   
      */
 335   
     public String getConnectionTimeout() {
 336   
         return connectionTimeout;
 337   
     }
 338   
 
 339   
     /**
 340   
      * Set the value of connectionTimeout.
 341   
      *
 342   
      * @param connectionTimeout new value of connectionTimeout
 343   
      */
 344   
     public void setConnectionTimeout(String connectionTimeout) {
 345   
         this.connectionTimeout = connectionTimeout;
 346   
     }
 347   
 
 348   
     /**
 349   
      * The file path used for verbose logging.
 350   
      */
 351  0 
     private String logFile = null;
 352   
 
 353   
     /**
 354   
      * Get the value of logFile.
 355   
      *
 356   
      * @return the value of logFile
 357   
      */
 358   
     public String getLogFile() {
 359   
         return logFile;
 360   
     }
 361   
 
 362   
     /**
 363   
      * Set the value of logFile.
 364   
      *
 365   
      * @param logFile new value of logFile
 366   
      */
 367   
     public void setLogFile(String logFile) {
 368   
         this.logFile = logFile;
 369   
     }
 370   
 
 371   
     /**
 372   
      * The path to the suppression file.
 373   
      */
 374   
     private String suppressionFile;
 375   
 
 376   
     /**
 377   
      * Get the value of suppressionFile.
 378   
      *
 379   
      * @return the value of suppressionFile
 380   
      */
 381   
     public String getSuppressionFile() {
 382   
         return suppressionFile;
 383   
     }
 384   
 
 385   
     /**
 386   
      * Set the value of suppressionFile.
 387   
      *
 388   
      * @param suppressionFile new value of suppressionFile
 389   
      */
 390   
     public void setSuppressionFile(String suppressionFile) {
 391   
         this.suppressionFile = suppressionFile;
 392   
     }
 393   
 
 394   
     /**
 395   
      * flag indicating whether or not to show a summary of findings.
 396   
      */
 397  0 
     private boolean showSummary = true;
 398   
 
 399   
     /**
 400   
      * Get the value of showSummary.
 401   
      *
 402   
      * @return the value of showSummary
 403   
      */
 404   
     public boolean isShowSummary() {
 405   
         return showSummary;
 406   
     }
 407   
 
 408   
     /**
 409   
      * Set the value of showSummary.
 410   
      *
 411   
      * @param showSummary new value of showSummary
 412   
      */
 413   
     public void setShowSummary(boolean showSummary) {
 414   
         this.showSummary = showSummary;
 415   
     }
 416   
 
 417   
     /**
 418   
      * Whether or not the nexus analyzer is enabled.
 419   
      */
 420  0 
     private boolean nexusAnalyzerEnabled = true;
 421   
 
 422   
     /**
 423   
      * Get the value of nexusAnalyzerEnabled.
 424   
      *
 425   
      * @return the value of nexusAnalyzerEnabled
 426   
      */
 427   
     public boolean isNexusAnalyzerEnabled() {
 428   
         return nexusAnalyzerEnabled;
 429   
     }
 430   
 
 431   
     /**
 432   
      * Set the value of nexusAnalyzerEnabled.
 433   
      *
 434   
      * @param nexusAnalyzerEnabled new value of nexusAnalyzerEnabled
 435   
      */
 436   
     public void setNexusAnalyzerEnabled(boolean nexusAnalyzerEnabled) {
 437   
         this.nexusAnalyzerEnabled = nexusAnalyzerEnabled;
 438   
     }
 439   
 
 440   
     /**
 441   
      * The URL of the Nexus server.
 442   
      */
 443   
     private String nexusUrl;
 444   
 
 445   
     /**
 446   
      * Get the value of nexusUrl.
 447   
      *
 448   
      * @return the value of nexusUrl
 449   
      */
 450   
     public String getNexusUrl() {
 451   
         return nexusUrl;
 452   
     }
 453   
 
 454   
     /**
 455   
      * Set the value of nexusUrl.
 456   
      *
 457   
      * @param nexusUrl new value of nexusUrl
 458   
      */
 459   
     public void setNexusUrl(String nexusUrl) {
 460   
         this.nexusUrl = nexusUrl;
 461   
     }
 462   
 
 463   
     /**
 464   
      * Whether or not the defined proxy should be used when connecting to Nexus.
 465   
      */
 466  0 
     private boolean nexusUsesProxy = true;
 467   
 
 468   
     /**
 469   
      * Get the value of nexusUsesProxy.
 470   
      *
 471   
      * @return the value of nexusUsesProxy
 472   
      */
 473   
     public boolean isNexusUsesProxy() {
 474   
         return nexusUsesProxy;
 475   
     }
 476   
 
 477   
     /**
 478   
      * Set the value of nexusUsesProxy.
 479   
      *
 480   
      * @param nexusUsesProxy new value of nexusUsesProxy
 481   
      */
 482   
     public void setNexusUsesProxy(boolean nexusUsesProxy) {
 483   
         this.nexusUsesProxy = nexusUsesProxy;
 484   
     }
 485   
 
 486   
     /**
 487   
      * The database driver name; such as org.h2.Driver.
 488   
      */
 489   
     private String databaseDriverName;
 490   
 
 491   
     /**
 492   
      * Get the value of databaseDriverName.
 493   
      *
 494   
      * @return the value of databaseDriverName
 495   
      */
 496   
     public String getDatabaseDriverName() {
 497   
         return databaseDriverName;
 498   
     }
 499   
 
 500   
     /**
 501   
      * Set the value of databaseDriverName.
 502   
      *
 503   
      * @param databaseDriverName new value of databaseDriverName
 504   
      */
 505   
     public void setDatabaseDriverName(String databaseDriverName) {
 506   
         this.databaseDriverName = databaseDriverName;
 507   
     }
 508   
 
 509   
     /**
 510   
      * The path to the database driver JAR file if it is not on the class path.
 511   
      */
 512   
     private String databaseDriverPath;
 513   
 
 514   
     /**
 515   
      * Get the value of databaseDriverPath.
 516   
      *
 517   
      * @return the value of databaseDriverPath
 518   
      */
 519   
     public String getDatabaseDriverPath() {
 520   
         return databaseDriverPath;
 521   
     }
 522   
 
 523   
     /**
 524   
      * Set the value of databaseDriverPath.
 525   
      *
 526   
      * @param databaseDriverPath new value of databaseDriverPath
 527   
      */
 528   
     public void setDatabaseDriverPath(String databaseDriverPath) {
 529   
         this.databaseDriverPath = databaseDriverPath;
 530   
     }
 531   
 
 532   
     /**
 533   
      * The database connection string.
 534   
      */
 535   
     private String connectionString;
 536   
 
 537   
     /**
 538   
      * Get the value of connectionString.
 539   
      *
 540   
      * @return the value of connectionString
 541   
      */
 542   
     public String getConnectionString() {
 543   
         return connectionString;
 544   
     }
 545   
 
 546   
     /**
 547   
      * Set the value of connectionString.
 548   
      *
 549   
      * @param connectionString new value of connectionString
 550   
      */
 551   
     public void setConnectionString(String connectionString) {
 552   
         this.connectionString = connectionString;
 553   
     }
 554   
 
 555   
     /**
 556   
      * The user name for connecting to the database.
 557   
      */
 558   
     private String databaseUser;
 559   
 
 560   
     /**
 561   
      * Get the value of databaseUser.
 562   
      *
 563   
      * @return the value of databaseUser
 564   
      */
 565   
     public String getDatabaseUser() {
 566   
         return databaseUser;
 567   
     }
 568   
 
 569   
     /**
 570   
      * Set the value of databaseUser.
 571   
      *
 572   
      * @param databaseUser new value of databaseUser
 573   
      */
 574   
     public void setDatabaseUser(String databaseUser) {
 575   
         this.databaseUser = databaseUser;
 576   
     }
 577   
 
 578   
     /**
 579   
      * The password to use when connecting to the database.
 580   
      */
 581   
     private String databasePassword;
 582   
 
 583   
     /**
 584   
      * Get the value of databasePassword.
 585   
      *
 586   
      * @return the value of databasePassword
 587   
      */
 588   
     public String getDatabasePassword() {
 589   
         return databasePassword;
 590   
     }
 591   
 
 592   
     /**
 593   
      * Set the value of databasePassword.
 594   
      *
 595   
      * @param databasePassword new value of databasePassword
 596   
      */
 597   
     public void setDatabasePassword(String databasePassword) {
 598   
         this.databasePassword = databasePassword;
 599   
     }
 600   
 
 601   
     /**
 602   
      * Additional ZIP File extensions to add analyze. This should be a comma-separated list of file extensions to treat
 603   
      * like ZIP files.
 604   
      */
 605   
     private String zipExtensions;
 606   
 
 607   
     /**
 608   
      * Get the value of zipExtensions.
 609   
      *
 610   
      * @return the value of zipExtensions
 611   
      */
 612   
     public String getZipExtensions() {
 613   
         return zipExtensions;
 614   
     }
 615   
 
 616   
     /**
 617   
      * Set the value of zipExtensions.
 618   
      *
 619   
      * @param zipExtensions new value of zipExtensions
 620   
      */
 621   
     public void setZipExtensions(String zipExtensions) {
 622   
         this.zipExtensions = zipExtensions;
 623   
     }
 624   
 
 625   
     /**
 626   
      * The url for the modified NVD CVE (1.2 schema).
 627   
      */
 628   
     private String cveUrl12Modified;
 629   
 
 630   
     /**
 631   
      * Get the value of cveUrl12Modified.
 632   
      *
 633   
      * @return the value of cveUrl12Modified
 634   
      */
 635   
     public String getCveUrl12Modified() {
 636   
         return cveUrl12Modified;
 637   
     }
 638   
 
 639   
     /**
 640   
      * Set the value of cveUrl12Modified.
 641   
      *
 642   
      * @param cveUrl12Modified new value of cveUrl12Modified
 643   
      */
 644   
     public void setCveUrl12Modified(String cveUrl12Modified) {
 645   
         this.cveUrl12Modified = cveUrl12Modified;
 646   
     }
 647   
 
 648   
     /**
 649   
      * The url for the modified NVD CVE (2.0 schema).
 650   
      */
 651   
     private String cveUrl20Modified;
 652   
 
 653   
     /**
 654   
      * Get the value of cveUrl20Modified.
 655   
      *
 656   
      * @return the value of cveUrl20Modified
 657   
      */
 658   
     public String getCveUrl20Modified() {
 659   
         return cveUrl20Modified;
 660   
     }
 661   
 
 662   
     /**
 663   
      * Set the value of cveUrl20Modified.
 664   
      *
 665   
      * @param cveUrl20Modified new value of cveUrl20Modified
 666   
      */
 667   
     public void setCveUrl20Modified(String cveUrl20Modified) {
 668   
         this.cveUrl20Modified = cveUrl20Modified;
 669   
     }
 670   
 
 671   
     /**
 672   
      * Base Data Mirror URL for CVE 1.2.
 673   
      */
 674   
     private String cveUrl12Base;
 675   
 
 676   
     /**
 677   
      * Get the value of cveUrl12Base.
 678   
      *
 679   
      * @return the value of cveUrl12Base
 680   
      */
 681   
     public String getCveUrl12Base() {
 682   
         return cveUrl12Base;
 683   
     }
 684   
 
 685   
     /**
 686   
      * Set the value of cveUrl12Base.
 687   
      *
 688   
      * @param cveUrl12Base new value of cveUrl12Base
 689   
      */
 690   
     public void setCveUrl12Base(String cveUrl12Base) {
 691   
         this.cveUrl12Base = cveUrl12Base;
 692   
     }
 693   
 
 694   
     /**
 695   
      * Data Mirror URL for CVE 2.0.
 696   
      */
 697   
     private String cveUrl20Base;
 698   
 
 699   
     /**
 700   
      * Get the value of cveUrl20Base.
 701   
      *
 702   
      * @return the value of cveUrl20Base
 703   
      */
 704   
     public String getCveUrl20Base() {
 705   
         return cveUrl20Base;
 706   
     }
 707   
 
 708   
     /**
 709   
      * Set the value of cveUrl20Base.
 710   
      *
 711   
      * @param cveUrl20Base new value of cveUrl20Base
 712   
      */
 713   
     public void setCveUrl20Base(String cveUrl20Base) {
 714   
         this.cveUrl20Base = cveUrl20Base;
 715   
     }
 716   
 
 717   
     /**
 718   
      * The path to Mono for .NET assembly analysis on non-windows systems.
 719   
      */
 720   
     private String pathToMono;
 721   
 
 722   
     /**
 723   
      * Get the value of pathToMono.
 724   
      *
 725   
      * @return the value of pathToMono
 726   
      */
 727   
     public String getPathToMono() {
 728   
         return pathToMono;
 729   
     }
 730   
 
 731   
     /**
 732   
      * Set the value of pathToMono.
 733   
      *
 734   
      * @param pathToMono new value of pathToMono
 735   
      */
 736   
     public void setPathToMono(String pathToMono) {
 737   
         this.pathToMono = pathToMono;
 738   
     }
 739   
 
 740   
     /**
 741   
      * Executes the Dependency-Check on the dependent libraries.
 742   
      *
 743   
      * @return the Engine used to scan the dependencies.
 744   
      * @throws org.owasp.dependencycheck.data.nvdcve.DatabaseException thrown if there is an exception connecting to the
 745   
      * database
 746   
      */
 747   
     private Engine executeDependencyCheck() throws DatabaseException {
 748  0 
         populateSettings();
 749  0 
         Engine engine = null;
 750   
         try {
 751  0 
             engine = new Engine();
 752  0 
             engine.setDependencies(this.dependencies);
 753  0 
             engine.analyzeDependencies();
 754   
 
 755   
         } finally {
 756  0 
             if (engine != null) {
 757  0 
                 engine.cleanup();
 758   
             }
 759   
         }
 760  0 
         return engine;
 761   
     }
 762   
 
 763   
     /**
 764   
      * Generates the reports for a given dependency-check engine.
 765   
      *
 766   
      * @param engine a dependency-check engine
 767   
      * @param outDirectory the directory to write the reports to
 768   
      */
 769   
     private void generateExternalReports(Engine engine, File outDirectory) {
 770  0 
         DatabaseProperties prop = null;
 771  0 
         CveDB cve = null;
 772   
         try {
 773  0 
             cve = new CveDB();
 774  0 
             cve.open();
 775  0 
             prop = cve.getDatabaseProperties();
 776  0 
         } catch (DatabaseException ex) {
 777  0 
             Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.FINE, "Unable to retrieve DB Properties", ex);
 778   
         } finally {
 779  0 
             if (cve != null) {
 780  0 
                 cve.close();
 781   
             }
 782   
         }
 783  0 
         final ReportGenerator r = new ReportGenerator(this.applicationName, engine.getDependencies(), engine.getAnalyzers(), prop);
 784   
         try {
 785  0 
             r.generateReports(outDirectory.getCanonicalPath(), this.reportFormat.name());
 786  0 
         } catch (IOException ex) {
 787  0 
             Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.SEVERE,
 788   
                     "Unexpected exception occurred during analysis; please see the verbose error log for more details.");
 789  0 
             Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.FINE, null, ex);
 790  0 
         } catch (Throwable ex) {
 791  0 
             Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.SEVERE,
 792   
                     "Unexpected exception occurred during analysis; please see the verbose error log for more details.");
 793  0 
             Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.FINE, null, ex);
 794  0 
         }
 795  0 
     }
 796   
 
 797   
     /**
 798   
      * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system
 799   
      * properties required to change the proxy url, port, and connection timeout.
 800   
      */
 801   
     private void populateSettings() {
 802  0 
         if (dataDirectory != null) {
 803  0 
             Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
 804   
         } else {
 805  0 
             final File jarPath = new File(DependencyCheckScanAgent.class.getProtectionDomain().getCodeSource().getLocation().getPath());
 806  0 
             final File base = jarPath.getParentFile();
 807  0 
             final String sub = Settings.getString(Settings.KEYS.DATA_DIRECTORY);
 808  0 
             final File dataDir = new File(base, sub);
 809  0 
             Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
 810   
         }
 811   
 
 812  0 
         Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
 813   
 
 814  0 
         if (proxyUrl != null && !proxyUrl.isEmpty()) {
 815  0 
             Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);
 816   
         }
 817  0 
         if (proxyPort != null && !proxyPort.isEmpty()) {
 818  0 
             Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
 819   
         }
 820  0 
         if (proxyUsername != null && !proxyUsername.isEmpty()) {
 821  0 
             Settings.setString(Settings.KEYS.PROXY_USERNAME, proxyUsername);
 822   
         }
 823  0 
         if (proxyPassword != null && !proxyPassword.isEmpty()) {
 824  0 
             Settings.setString(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
 825   
         }
 826  0 
         if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
 827  0 
             Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
 828   
         }
 829  0 
         if (suppressionFile != null && !suppressionFile.isEmpty()) {
 830  0 
             Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
 831   
         }
 832  0 
         Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
 833  0 
         if (nexusUrl != null && !nexusUrl.isEmpty()) {
 834  0 
             Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
 835   
         }
 836  0 
         Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy);
 837  0 
         if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
 838  0 
             Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
 839   
         }
 840  0 
         if (databaseDriverPath != null && !databaseDriverPath.isEmpty()) {
 841  0 
             Settings.setString(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
 842   
         }
 843  0 
         if (connectionString != null && !connectionString.isEmpty()) {
 844  0 
             Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
 845   
         }
 846  0 
         if (databaseUser != null && !databaseUser.isEmpty()) {
 847  0 
             Settings.setString(Settings.KEYS.DB_USER, databaseUser);
 848   
         }
 849  0 
         if (databasePassword != null && !databasePassword.isEmpty()) {
 850  0 
             Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
 851   
         }
 852  0 
         if (zipExtensions != null && !zipExtensions.isEmpty()) {
 853  0 
             Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
 854   
         }
 855  0 
         if (cveUrl12Modified != null && !cveUrl12Modified.isEmpty()) {
 856  0 
             Settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
 857   
         }
 858  0 
         if (cveUrl20Modified != null && !cveUrl20Modified.isEmpty()) {
 859  0 
             Settings.setString(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
 860   
         }
 861  0 
         if (cveUrl12Base != null && !cveUrl12Base.isEmpty()) {
 862  0 
             Settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
 863   
         }
 864  0 
         if (cveUrl20Base != null && !cveUrl20Base.isEmpty()) {
 865  0 
             Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
 866   
         }
 867  0 
         if (pathToMono != null && !pathToMono.isEmpty()) {
 868  0 
             Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
 869   
         }
 870  0 
     }
 871   
 
 872   
     /**
 873   
      * Executes the dependency-check and generates the report.
 874   
      *
 875   
      * @throws org.owasp.dependencycheck.exception.ScanAgentException thrown if there is an exception executing the
 876   
      * scan.
 877   
      */
 878   
     public void execute() throws ScanAgentException {
 879  0 
         Engine engine = null;
 880   
         try {
 881  0 
             engine = executeDependencyCheck();
 882  0 
             generateExternalReports(engine, new File(this.reportOutputDirectory));
 883  0 
             if (this.showSummary) {
 884  0 
                 showSummary(engine.getDependencies());
 885   
             }
 886  0 
             if (this.failBuildOnCVSS <= 10) {
 887  0 
                 checkForFailure(engine.getDependencies());
 888   
             }
 889  0 
         } catch (DatabaseException ex) {
 890  0 
             Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.SEVERE,
 891   
                     "Unable to connect to the dependency-check database; analysis has stopped");
 892  0 
             Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.FINE, "", ex);
 893   
         } finally {
 894  0 
             if (engine != null) {
 895  0 
                 engine.cleanup();
 896   
             }
 897   
         }
 898  0 
     }
 899   
 
 900   
     /**
 901   
      * Checks to see if a vulnerability has been identified with a CVSS score that is above the threshold set in the
 902   
      * configuration.
 903   
      *
 904   
      * @param dependencies the list of dependency objects
 905   
      * @throws org.owasp.dependencycheck.exception.ScanAgentException thrown if there is an exception executing the
 906   
      * scan.
 907   
      */
 908   
     private void checkForFailure(List<Dependency> dependencies) throws ScanAgentException {
 909  0 
         final StringBuilder ids = new StringBuilder();
 910  0 
         for (Dependency d : dependencies) {
 911  0 
             boolean addName = true;
 912  0 
             for (Vulnerability v : d.getVulnerabilities()) {
 913  0 
                 if (v.getCvssScore() >= failBuildOnCVSS) {
 914  0 
                     if (addName) {
 915  0 
                         addName = false;
 916  0 
                         ids.append(NEW_LINE).append(d.getFileName()).append(": ");
 917  0 
                         ids.append(v.getName());
 918   
                     } else {
 919  0 
                         ids.append(", ").append(v.getName());
 920   
                     }
 921   
                 }
 922  0 
             }
 923  0 
         }
 924  0 
         if (ids.length() > 0) {
 925  0 
             final String msg = String.format("%n%nDependency-Check Failure:%n"
 926   
                     + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater then '%.1f': %s%n"
 927   
                     + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids.toString());
 928   
 
 929  0 
             throw new ScanAgentException(msg);
 930   
         }
 931  0 
     }
 932   
 
 933   
     /**
 934   
      * Generates a warning message listing a summary of dependencies and their associated CPE and CVE entries.
 935   
      *
 936   
      * @param dependencies a list of dependency objects
 937   
      */
 938   
     private void showSummary(List<Dependency> dependencies) {
 939  0 
         final StringBuilder summary = new StringBuilder();
 940  0 
         for (Dependency d : dependencies) {
 941  0 
             boolean firstEntry = true;
 942  0 
             final StringBuilder ids = new StringBuilder();
 943  0 
             for (Vulnerability v : d.getVulnerabilities()) {
 944  0 
                 if (firstEntry) {
 945  0 
                     firstEntry = false;
 946   
                 } else {
 947  0 
                     ids.append(", ");
 948   
                 }
 949  0 
                 ids.append(v.getName());
 950  0 
             }
 951  0 
             if (ids.length() > 0) {
 952  0 
                 summary.append(d.getFileName()).append(" (");
 953  0 
                 firstEntry = true;
 954  0 
                 for (Identifier id : d.getIdentifiers()) {
 955  0 
                     if (firstEntry) {
 956  0 
                         firstEntry = false;
 957   
                     } else {
 958  0 
                         summary.append(", ");
 959   
                     }
 960  0 
                     summary.append(id.getValue());
 961  0 
                 }
 962  0 
                 summary.append(") : ").append(ids).append(NEW_LINE);
 963   
             }
 964  0 
         }
 965  0 
         if (summary.length() > 0) {
 966  0 
             final String msg = String.format("%n%n"
 967   
                     + "One or more dependencies were identified with known vulnerabilities:%n%n%s"
 968   
                     + "%n%nSee the dependency-check report for more details.%n%n", summary.toString());
 969  0 
             Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.WARNING, msg);
 970   
         }
 971  0 
     }
 972   
 
 973   
 }
Report generated by Cobertura 2.0.3 on 3/29/14 6:13 AM.