application.name=${pom.name} application.version=${pom.version} autoupdate=true max.download.threads=50 # the url to obtain the current engine version from engine.version.url=https://jeremylong.github.io/DependencyCheck/current.txt #temp.directory defaults to System.getProperty("java.io.tmpdir") #temp.directory=[path to temp directory] # the path to the data directory; the [JAR] signifies to use the relative path # to the dependency-check-core JAR file. This path is only used to construct # the connection string for the H2 driver (or other drivers that require a file path # to be supplied. If you are using another database (MySQL, Oracle, etc.) this property # will not be used. The data.directory will be resolved and if the connection string # below contains a %s then the data.directory will replace the %s. data.directory=[JAR]/data #if the filename has a %s it will be replaced with the current expected version data.file_name=dc.h2.db data.version=3.0 data.connection_string=jdbc:h2:file:%s;FILE_LOCK=SERIALIZED;AUTOCOMMIT=ON; #data.connection_string=jdbc:mysql://localhost:3306/dependencycheck # user name and password for the database connection. The inherent case is to use H2. # As such, this unsecure username/password exist. data.user=dcuser data.password=DC-Pass1337! # The following are only used if the DB Driver is not JDBC4 compliant and/or the driver # is not in the current classpath. Setting these properties will add the give path(s) to # the class loader and then register the driver with the DriverManager. If the class is # not in the path you must specify both the driver name (aka the fully qualified driver name) # and the driver path. The driver path can be a semi-colon separated list of files/directories # to ensure any and all needed files can be added to the classpath to load the driver. # For non-JDBC4 drivers in the classpath only the driver_name needs to be set. # For MOST situations these properties likely do not need to be set. data.driver_name=org.h2.Driver data.driver_path= # the number of days that the modified nvd cve data holds data for. We don't need # to update the other files if we are within this timespan. Per NIST this file # holds 8 days of updates, we are using 7 just to be safe. cve.url.modified.validfordays=7 # the number of hours to wait before checking if updates are available from the NVD. cve.check.validforhours=0 #first year to pull data from the URLs below cve.startyear=2014 # the path to the modified nvd cve xml file. cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz #cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml #the original URL and modified URL should be the same; this is used to detect if we are using an internal NVD CVE copy cve.url-2.0.original=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz #cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz #cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz #cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml cve.cpe.startswith.filter=cpe:/a: cpe.validfordays=30 cpe.url=https://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz # the URL for searching Nexus for SHA-1 hashes and whether it's enabled analyzer.nexus.enabled=true analyzer.nexus.url=https://repository.sonatype.org/service/local/ # If set to true, the proxy will still ONLY be used if the proxy properties (proxy.url, proxy.port) # are configured analyzer.nexus.proxy=true # the URL for searching search.maven.org for SHA-1 and whether it's enabled analyzer.central.enabled=true analyzer.central.url=https://search.maven.org/solrsearch/select # the number of nested archives that will be searched. archive.scan.depth=3 # use HEAD (default) or GET as HTTP request method for query timestamp downloader.quick.query.timestamp=true downloader.tls.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 analyzer.experimental.enabled=true analyzer.jar.enabled=true analyzer.archive.enabled=true analyzer.node.package.enabled=true analyzer.composer.lock.enabled=true analyzer.python.distribution.enabled=true analyzer.python.package.enabled=true analyzer.ruby.gemspec.enabled=true analyzer.autoconf.enabled=true analyzer.cmake.enabled=true analyzer.assembly.enabled=true analyzer.nuspec.enabled=true analyzer.openssl.enabled=true analyzer.central.enabled=true analyzer.nexus.enabled=false analyzer.cocoapods.enabled=true analyzer.swift.package.manager.enabled=true #whether the nexus analyzer uses the proxy analyzer.nexus.proxy=true #Use your own bundle-audit install directory. analyzer.bundle.audit.path=/usr/local/bin/bundle-audit analyzer.cpe.enabled=true analyzer.cpesuppression.enabled=true analyzer.dependencybundling.enabled=true analyzer.dependencymerging.enabled=true analyzer.falsepositive.enabled=true analyzer.filename.enabled=true analyzer.hint.enabled=true analyzer.nvdcve.enabled=true analyzer.vulnerabilitysuppression.enabled=true updater.nvdcve.enabled=true updater.versioncheck.enabled=true