<!DOCTYPE html>
|
|
<!--
|
|
| Generated by Apache Maven Doxia Site Renderer 1.7.1 at 2017-01-22
|
|
| Rendered using Apache Maven Fluido Skin 1.5
|
|
-->
|
|
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
|
|
<head>
|
|
<meta charset="UTF-8" />
|
|
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
|
|
<meta name="Date-Revision-yyyymmdd" content="20170122" />
|
|
<meta http-equiv="Content-Language" content="en" />
|
|
<title>dependency-check – Using a Database Server</title>
|
|
<link rel="stylesheet" href="../css/apache-maven-fluido-1.5.min.css" />
|
|
<link rel="stylesheet" href="../css/site.css" />
|
|
<link rel="stylesheet" href="../css/print.css" media="print" />
|
|
|
|
|
|
<script type="text/javascript" src="../js/apache-maven-fluido-1.5.min.js"></script>
|
|
|
|
<style type="text/css">
|
|
#bannerLeft { margin-top:-20px;margin-bottom:5px !important }
|
|
</style>
|
|
</head>
|
|
<body class="topBarDisabled">
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<a href="https://github.com/jeremylong/DependencyCheck">
|
|
<img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
|
|
src="https://s3.amazonaws.com/github/ribbons/forkme_right_gray_6d6d6d.png"
|
|
alt="Fork me on GitHub">
|
|
</a>
|
|
|
|
|
|
|
|
|
|
<div class="container-fluid">
|
|
<div id="banner">
|
|
<div class="pull-left">
|
|
<div id="bannerLeft">
|
|
<img src="../images/dc.svg" alt="OWASP dependency-check"/>
|
|
</div>
|
|
</div>
|
|
<div class="pull-right"> </div>
|
|
<div class="clear"><hr/></div>
|
|
</div>
|
|
|
|
<div id="breadcrumbs">
|
|
<ul class="breadcrumb">
|
|
|
|
<li class="">
|
|
<a href="../#" title="">
|
|
</a>
|
|
<span class="divider">/</span>
|
|
</li>
|
|
<li class="active ">Using a Database Server</li>
|
|
|
|
|
|
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2017-01-22</li>
|
|
<li id="projectVersion" class="pull-right">
|
|
Version: 1.4.5
|
|
</li>
|
|
|
|
</ul>
|
|
</div>
|
|
|
|
|
|
<div class="row-fluid">
|
|
<div id="leftColumn" class="span2">
|
|
<div class="well sidebar-nav">
|
|
|
|
<ul class="nav nav-list">
|
|
<li class="nav-header">OWASP dependency-check</li>
|
|
|
|
<li>
|
|
|
|
<a href="../index.html" title="General">
|
|
<span class="icon-chevron-down"></span>
|
|
General</a>
|
|
<ul class="nav nav-list">
|
|
|
|
<li>
|
|
|
|
<a href="../general/internals.html" title="How it Works">
|
|
<span class="none"></span>
|
|
How it Works</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../general/thereport.html" title="Reading the Report">
|
|
<span class="none"></span>
|
|
Reading the Report</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../general/suppression.html" title="False Positives">
|
|
<span class="none"></span>
|
|
False Positives</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../general/hints.html" title="False Negatives">
|
|
<span class="none"></span>
|
|
False Negatives</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../data/index.html" title="Internet Access Required">
|
|
<span class="icon-chevron-down"></span>
|
|
Internet Access Required</a>
|
|
<ul class="nav nav-list">
|
|
|
|
<li>
|
|
|
|
<a href="../data/proxy.html" title="Proxy">
|
|
<span class="none"></span>
|
|
Proxy</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../data/mirrornvd.html" title="Mirroring NVD">
|
|
<span class="none"></span>
|
|
Mirroring NVD</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../data/cachenvd.html" title="Snapshotting the NVD">
|
|
<span class="none"></span>
|
|
Snapshotting the NVD</a>
|
|
</li>
|
|
|
|
<li class="active">
|
|
|
|
<a href="#"><span class="none"></span>Central DB</a>
|
|
</li>
|
|
</ul>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../related.html" title="Related Work">
|
|
<span class="none"></span>
|
|
Related Work</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../general/dependency-check.pptx" title="Project Presentation (pptx)">
|
|
<span class="none"></span>
|
|
Project Presentation (pptx)</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../general/dependency-check.pdf" title="Project Presentation (pdf)">
|
|
<span class="none"></span>
|
|
Project Presentation (pdf)</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../general/SampleReport.html" title="Sample Report">
|
|
<span class="none"></span>
|
|
Sample Report</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../general/scan_iso.html" title="How to Scan an ISO Image">
|
|
<span class="none"></span>
|
|
How to Scan an ISO Image</a>
|
|
</li>
|
|
</ul>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../analyzers/index.html" title="File Type Analyzers">
|
|
<span class="icon-chevron-right"></span>
|
|
File Type Analyzers</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../modules.html" title="Modules">
|
|
<span class="icon-chevron-right"></span>
|
|
Modules</a>
|
|
</li>
|
|
<li class="nav-header">Project Documentation</li>
|
|
|
|
<li>
|
|
|
|
<a href="../project-info.html" title="Project Information">
|
|
<span class="icon-chevron-right"></span>
|
|
Project Information</a>
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<a href="../project-reports.html" title="Project Reports">
|
|
<span class="icon-chevron-right"></span>
|
|
Project Reports</a>
|
|
</li>
|
|
</ul>
|
|
|
|
|
|
<hr />
|
|
|
|
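<div id="poweredBy">
  <!--
    Social widgets and "built with" badges.
    The two widget scripts below are third-party code that runs with this
    page's origin privileges. Their providers serve mutable files, so they
    cannot be integrity-pinned; they are therefore loaded over HTTPS only.
    Drop the widgets entirely if they are not needed.
  -->
  <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>

  <div class="g-plusone" data-href="https://github.com/jeremylong/DependencyCheck.git" data-size="tall"></div>
  <div class="clear"></div>
  <div class="clear"></div>

  <div id="twitter">
    <a href="https://twitter.com/ctxt" class="twitter-follow-button" data-show-count="true" data-align="left" data-size="medium" data-show-screen-name="true" data-lang="en">Follow ctxt</a>
    <!-- Explicit https: a protocol-relative URL would fetch the script over plain HTTP whenever this page is served over HTTP. -->
    <script type="text/javascript">!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="https://platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");</script>
  </div>
  <div class="clear"></div>
  <div class="clear"></div>

  <!-- Badge links and images use https so they do not load as mixed content on an HTTPS page. -->
  <a href="https://maven.apache.org/" title="Maven" class="builtBy">
    <img class="builtBy" alt="built with maven" src="https://jeremylong.github.io/DependencyCheck/images/logos/maven-feather.png" />
  </a>
  <a href="https://www.jetbrains.com/idea/" title="IntelliJ" class="builtBy">
    <!-- width takes a unitless pixel count; "170px" is not a valid value -->
    <img class="builtBy" alt="developed using" src="https://jeremylong.github.io/DependencyCheck/images/logos/logo_intellij_idea.png" width="170" />
  </a>
</div>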
|
|
</div>
|
|
</div>
|
|
|
|
|
|
<div id="bodyColumn" class="span10" >
|
|
|
|
<h1>Using a Database Server</h1>
|
|
<p><font color="red"><b>WARNING: This discusses an advanced setup and you may run into issues.</b></font></p>
|
|
<p>Out of the box dependency-check uses a local H2 database. The location of the database file is configured using the data directory configuration option (see <a class="externalLink" href="https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html">CLI</a>).</p>
|
|
<p>Some organizations may want to use a more robust centralized database. Currently, <a class="externalLink" href="http://www.h2database.com/html/tutorial.html#using_server">H2 in server mode</a>, MySQL, MariaDB, PostgreSQL, Oracle, and MS SQL Server have been tested. In general, the setup consists of creating a central database and setting up a single instance of dependency-check that can connect to the Internet and is run in update-only mode once a day. The other dependency-check clients can then connect, using a read-only connection, to perform the analysis. Please note that if the clients are unable to access the Internet the analysis may result in a few false negatives; see the note about Central <a href="./index.html">here</a>.</p>
|
|
<p>To set up a centralized database the following generalized steps can be used:</p>
|
|
|
|
<ol style="list-style-type: decimal">
|
|
<li>Create the database and tables using either <a class="externalLink" href="https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-core/src/main/resources/data/initialize.sql">initialize.sql</a>
|
|
or one of the other initialization scripts <a class="externalLink" href="https://github.com/jeremylong/DependencyCheck/tree/master/dependency-check-core/src/main/resources/data">found here</a>.</li>
|
|
|
|
<li>The account that the clients use to connect must have select granted on the tables; because the scanning clients connect read-only, this account needs no write privileges.
|
|
|
|
<ul>
|
|
<li>Note that the clients performing the scans should run with the noupdate setting. A single
instance of the dependency-check client should be set up with update enabled, and the account
used during the update process will need to be granted update rights on the tables.
|
|
</li></ul>
|
|
</li>
|
|
<li>Dependency-check clients running scans will need to be configured to use the central database:
|
|
|
|
<ul>
|
|
<li>The database driver must be specified using the dbDriver option and, if the driver is not
already on the classpath, the dbDriverPath option must also be set (see the specific configuration
options for Maven, Ant, CLI, and Jenkins).</li>
|
|
|
|
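<li>The connection string, database user name, and the database user's password will also need to be configured. Scanning clients should be given the account that has only select rights, not the account used for updates.</li>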
|
|
</ul>
|
|
</li></ol>
|
|
<p>Depending on the database being used, you may need to customize the <a class="externalLink" href="https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-core/src/main/resources/data/dbStatements.properties">dbStatements.properties</a>. As an alternative to modifying dbStatements.properties, a dialect file can be used to support other databases. See <a class="externalLink" href="https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-core/src/main/resources/data/dbStatements_h2.properties">dbStatements_h2.properties</a> as an example.</p>
|
|
<p>Also, if using an external database you will need to manually upgrade the schema. See <a href="./upgrade.html">database upgrades</a> for more information.</p>
|
|
<div class="section">
|
|
<h2><a name="Examples"></a>Examples</h2>
|
|
<p>The following example shows how to use the Maven plugin with MariaDB:</p>
|
|
|
|
<div class="source">
|
|
<div class="source"><pre class="prettyprint linenums"><project>
|
|
<modelVersion>4.0.0</modelVersion>
|
|
<groupId>dummy</groupId>
|
|
<artifactId>dummy</artifactId>
|
|
<version>1.0-SNAPSHOT</version>
|
|
<!-- Build section that runs the dependency-check Maven plugin against a central MariaDB database. -->
<build>
|
|
<plugins>
|
|
<plugin>
|
|
<groupId>org.owasp</groupId>
|
|
<artifactId>dependency-check-maven</artifactId>
|
|
<version>1.4.5</version>
|
|
<!-- The MariaDB JDBC driver is declared as a dependency of the plugin itself, which puts it on the plugin's classpath. -->
<dependencies>
|
|
<dependency>
|
|
<groupId>org.mariadb.jdbc</groupId>
|
|
<artifactId>mariadb-java-client</artifactId>
|
|
<version>1.4.6</version>
|
|
</dependency>
|
|
</dependencies>
|
|
<!-- Connection settings for the central database: driver class, JDBC URL, account name and password. -->
<configuration>
|
|
<databaseDriverName>org.mariadb.jdbc.Driver</databaseDriverName>
|
|
<!-- NOTE(review): this URL sets no transport-encryption options; if the database is reached over an untrusted network, enable TLS through the driver's connection options. -->
<connectionString>jdbc:mariadb://my.cvedb.host/cvedb</connectionString>
|
|
<!-- This build runs the update-only goal, so this account needs update rights on the tables. Scanning clients should use a separate account limited to select. -->
<databaseUser>depscan</databaseUser>
|
|
<!-- Placeholder value. NOTE(review): a literal password here is stored in clear text in the POM and in every repository or build log that carries it. Prefer supplying it from outside the POM, for example through a Maven property defined in settings.xml or on the command line; confirm which mechanism this plugin version supports. -->
<databasePassword>NotReallyMyDbPassword</databasePassword>
|
|
</configuration>
|
|
<executions>
|
|
<execution>
|
|
<goals>
|
|
<!-- update-only: this build is the updater instance that refreshes the central database; per the page text, analysis is done by other clients over a read-only connection. -->
<goal>update-only</goal>
|
|
</goals>
|
|
</execution>
|
|
</executions>
|
|
</plugin>
|
|
</plugins>
|
|
</build>
|
|
</project>
|
|
</pre></div></div></div>
|
|
<div class="section">
|
|
<h2><a name="Support"></a>Support</h2>
|
|
<p>As always, feel free to open an <a class="externalLink" href="https://github.com/jeremylong/DependencyCheck/issues">issue</a> or post a question to the <a class="externalLink" href="https://groups.google.com/forum/#!forum/dependency-check">dependency-check google group</a>.</p></div>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
|
|
<hr/>
|
|
|
|
<footer>
|
|
<div class="container-fluid">
|
|
<div class="row-fluid">
|
|
<p >Copyright © 2012–2017
|
|
<a href="http://www.owasp.org">OWASP</a>.
|
|
All rights reserved.
|
|
</p>
|
|
</div>
|
|
|
|
|
|
</div>
|
|
</footer>
|
|
</body>
|
|
</html>
|