github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-15 00:03:43 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
gh-pages
DependencyCheck/dependency-check-ant/configuration.html
Jeremy Long 615f6e3750 documentation version 1.4.5
2017-01-22 17:22:46 -05:00

670 lines
19 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE html>
<!--
| Generated by Apache Maven Doxia Site Renderer 1.7.1 at 2017-01-22
| Rendered using Apache Maven Fluido Skin 1.5
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="Date-Revision-yyyymmdd" content="20170122" />
<meta http-equiv="Content-Language" content="en" />
<title>dependency-check-ant &#x2013; Configuration</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.5.min.css" />
<link rel="stylesheet" href="./css/site.css" />
<link rel="stylesheet" href="./css/print.css" media="print" />
<script type="text/javascript" src="./js/apache-maven-fluido-1.5.min.js"></script>
<style type="text/css">
#bannerLeft { margin-top:-20px;margin-bottom:5px !important }
</style>
</head>
<body class="topBarDisabled">
<a href="https://github.com/jeremylong/DependencyCheck">
<img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
src="https://s3.amazonaws.com/github/ribbons/forkme_right_gray_6d6d6d.png"
alt="Fork me on GitHub">
</a>
<div class="container-fluid">
<div id="banner">
<div class="pull-left">
<div id="bannerLeft">
<img src="images/dc-ant.svg" alt="OWASP dependency-check-ant"/>
</div>
</div>
<div class="pull-right"> </div>
<div class="clear"><hr/></div>
</div>
<div id="breadcrumbs">
<ul class="breadcrumb">
<li class="">
<a href="../../../../../../target/site/1.4.5/#" title="">
</a>
<span class="divider">/</span>
</li>
<li class="">
<a href="../index.html" title="dependency-check">
dependency-check</a>
<span class="divider">/</span>
</li>
<li class="active ">Configuration</li>
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2017-01-22</li>
<li id="projectVersion" class="pull-right">
Version: 1.4.5
</li>
</ul>
</div>
<div class="row-fluid">
<div id="leftColumn" class="span2">
<div class="well sidebar-nav">
<ul class="nav nav-list">
<li class="nav-header">Getting Started</li>
<li>
<a href="index.html" title="Installation">
<span class="none"></span>
Installation</a>
</li>
<li class="active">
<a href="#"><span class="none"></span>Configuration</a>
</li>
<li class="nav-header">Project Documentation</li>
<li>
<a href="project-info.html" title="Project Information">
<span class="icon-chevron-right"></span>
Project Information</a>
</li>
<li>
<a href="project-reports.html" title="Project Reports">
<span class="icon-chevron-right"></span>
Project Reports</a>
</li>
</ul>
<hr />
<div id="poweredBy">
<script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
<div class="g-plusone" data-href="https://github.com/jeremylong/DependencyCheck.git/dependency-check-ant" data-size="tall" ></div>
<div class="clear"></div>
<div class="clear"></div>
<div id="twitter">
<a href="https://twitter.com/ctxt" class="twitter-follow-button" data-show-count="true" data-align="left" data-size="medium" data-show-screen-name="true" data-lang="en">Follow ctxt</a>
<script type="text/javascript">!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="//platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");</script>
</div>
<div class="clear"></div>
<div class="clear"></div>
<a href="http://maven.apache.org/" title="Maven" class="builtBy">
<img class="builtBy" alt="built with maven" src="http://jeremylong.github.io/DependencyCheck/images/logos/maven-feather.png" />
</a>
<a href="http://www.jetbrains.com/idea/" title="IntelliJ" class="builtBy">
<img class="builtBy" alt="developed using" src="http://jeremylong.github.io/DependencyCheck/images/logos/logo_intellij_idea.png" width="170px" />
</a>
</div>
</div>
</div>
<div id="bodyColumn" class="span10" >
<h1>Configuration</h1>
<p>Once dependency-check-ant has been <a href="index.html">installed</a> the defined tasks can be used.</p>
<ul>
<li>dependency-check - the primary task used to check the project dependencies. Configuration options are below.</li>
<li>dependency-check-purge - deletes the local copy of the NVD; this should rarely be used (if ever). See the <a href="config-purge.html">purge configuration</a> for more information.</li>
<li>dependency-check-update - downloads and updates the local copy of the NVD. See the <a href="config-update.html">update configuration</a> for more information.</li>
</ul>
<p>To configure the dependency-check task you can add it to a target and include a file based <a class="externalLink" href="http://ant.apache.org/manual/Types/resources.html#collection">resource collection</a> such as a <a class="externalLink" href="http://ant.apache.org/manual/Types/fileset.html">FileSet</a>, <a class="externalLink" href="http://ant.apache.org/manual/Types/dirset.html">DirSet</a>, or <a class="externalLink" href="http://ant.apache.org/manual/Types/filelist.html">FileList</a> that includes the project&#x2019;s dependencies.</p>
<div class="source">
<div class="source"><pre class="prettyprint linenums">&lt;target name=&quot;dependency-check&quot; description=&quot;Dependency-Check Analysis&quot;&gt;
&lt;dependency-check projectname=&quot;Hello World&quot;
reportoutputdirectory=&quot;${basedir}&quot;
reportformat=&quot;ALL&quot;&gt;
&lt;fileset dir=&quot;lib&quot;&gt;
&lt;include name=&quot;**/*.jar&quot;/&gt;
&lt;/fileset&gt;
&lt;/dependency-check&gt;
&lt;/target&gt;
</pre></div></div>
<div class="section">
<h2><a name="Configuration:_dependency-check_Task"></a>Configuration: dependency-check Task</h2>
<p>The following properties can be set on the dependency-check task.</p>
<table border="0" class="table table-striped">
<thead>
<tr class="a">
<th>Property </th>
<th>Description </th>
<th>Default Value</th>
</tr>
</thead>
<tbody>
<tr class="b">
<td>autoUpdate </td>
<td>Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. </td>
<td>true</td>
</tr>
<tr class="a">
<td>cveValidForHours </td>
<td>Sets the number of hours to wait before checking for new updates from the NVD </td>
<td>4</td>
</tr>
<tr class="b">
<td>failBuildOnCVSS </td>
<td>Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. </td>
<td>11</td>
</tr>
<tr class="a">
<td>failOnError </td>
<td>Whether the build should fail if there is an error executing the dependency-check analysis </td>
<td>true</td>
</tr>
<tr class="b">
<td>projectName </td>
<td>The name of the project being scanned. </td>
<td>Dependency-Check</td>
</tr>
<tr class="a">
<td>reportFormat </td>
<td>The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. </td>
<td>HTML</td>
</tr>
<tr class="b">
<td>reportOutputDirectory </td>
<td>The location to write the report(s). Note, this is not used if generating the report as part of a <tt>mvn site</tt> build </td>
<td>&#x2018;target&#x2019;</td>
</tr>
<tr class="a">
<td>suppressionFile </td>
<td>The file path to the XML suppression file - used to suppress <a href="../general/suppression.html">false positives</a> </td>
<td>&#160;</td>
</tr>
<tr class="b">
<td>hintsFile </td>
<td>The file path to the XML hints file - used to resolve <a href="../general/hints.html">false negatives</a> </td>
<td>&#160;</td>
</tr>
<tr class="a">
<td>proxyServer </td>
<td>The Proxy Server; see the <a href="../data/proxy.html">proxy configuration</a> page for more information. </td>
<td>&#160;</td>
</tr>
<tr class="b">
<td>proxyPort </td>
<td>The Proxy Port. </td>
<td>&#160;</td>
</tr>
<tr class="a">
<td>proxyUsername </td>
<td>Defines the proxy user name. </td>
<td>&#160;</td>
</tr>
<tr class="b">
<td>proxyPassword </td>
<td>Defines the proxy password. </td>
<td>&#160;</td>
</tr>
<tr class="a">
<td>connectionTimeout </td>
<td>The URL Connection Timeout. </td>
<td>&#160;</td>
</tr>
<tr class="b">
<td>enableExperimental </td>
<td>Enable the <a href="../analyzers/index.html">experimental analyzers</a>. If not enabled the experimental analyzers (see below) will not be loaded or used. </td>
<td>false</td>
</tr>
</tbody>
</table>
<h1>Analyzer Configuration</h1>
<p>The following properties are used to configure the various file type analyzers. These properties can be used to turn off specific analyzers if it is not needed. Note, that specific analyzers will automatically disable themselves if no file types that they support are detected - so specifically disabling them may not be needed.</p>
<table border="0" class="table table-striped">
<thead>
<tr class="a">
<th>Property </th>
<th>Description </th>
<th>Default Value</th>
</tr>
</thead>
<tbody>
<tr class="b">
<td>archiveAnalyzerEnabled </td>
<td>Sets whether the Archive Analyzer will be used. </td>
<td>true</td>
</tr>
<tr class="a">
<td>zipExtensions </td>
<td>A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. </td>
<td>&#160;</td>
</tr>
<tr class="b">
<td>jarAnalyzer </td>
<td>Sets whether the Jar Analyzer will be used. </td>
<td>true</td>
</tr>
<tr class="a">
<td>centralAnalyzerEnabled </td>
<td>Sets whether the Central Analyzer will be used. <b>Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).</b> If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer (see below). </td>
<td>true</td>
</tr>
<tr class="b">
<td>nexusAnalyzerEnabled </td>
<td>Sets whether Nexus Analyzer will be used. This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. </td>
<td>true</td>
</tr>
<tr class="a">
<td>nexusUrl </td>
<td>Defines the Nexus web service endpoint (example <a class="externalLink" href="http://domain.enterprise/nexus/service/local/)">http://domain.enterprise/nexus/service/local/)</a>. If not set the Nexus Analyzer will be disabled. </td>
<td>&#160;</td>
</tr>
<tr class="b">
<td>nexusUsesProxy </td>
<td>Whether or not the defined proxy should be used when connecting to Nexus. </td>
<td>true</td>
</tr>
<tr class="a">
<td>pyDistributionAnalyzerEnabled </td>
<td>Sets whether the <a href="../analyzers/index.html">experimental</a> Python Distribution Analyzer will be used. </td>
<td>true</td>
</tr>
<tr class="b">
<td>pyPackageAnalyzerEnabled </td>
<td>Sets whether the <a href="../analyzers/index.html">experimental</a> Python Package Analyzer will be used. </td>
<td>true</td>
</tr>
<tr class="a">
<td>rubygemsAnalyzerEnabled </td>
<td>Sets whether the <a href="../analyzers/index.html">experimental</a> Ruby Gemspec Analyzer will be used. </td>
<td>true</td>
</tr>
<tr class="b">
<td>opensslAnalyzerEnabled </td>
<td>Sets whether the openssl Analyzer should be used. </td>
<td>true</td>
</tr>
<tr class="a">
<td>cmakeAnalyzerEnabled </td>
<td>Sets whether the <a href="../analyzers/index.html">experimental</a> CMake Analyzer should be used. </td>
<td>true</td>
</tr>
<tr class="b">
<td>autoconfAnalyzerEnabled </td>
<td>Sets whether the <a href="../analyzers/index.html">experimental</a> autoconf Analyzer should be used. </td>
<td>true</td>
</tr>
<tr class="a">
<td>composerAnalyzerEnabled </td>
<td>Sets whether the <a href="../analyzers/index.html">experimental</a> PHP Composer Lock File Analyzer should be used. </td>
<td>true</td>
</tr>
<tr class="b">
<td>nodeAnalyzerEnabled </td>
<td>Sets whether the <a href="../analyzers/index.html">experimental</a> Node.js Analyzer should be used. </td>
<td>true</td>
</tr>
<tr class="a">
<td>nuspecAnalyzerEnabled </td>
<td>Sets whether the .NET Nuget Nuspec Analyzer will be used. </td>
<td>true</td>
</tr>
<tr class="b">
<td>cocoapodsAnalyzerEnabled </td>
<td>Sets whether the <a href="../analyzers/index.html">experimental</a> Cocoapods Analyzer should be used. </td>
<td>true</td>
</tr>
<tr class="a">
<td>bundleAuditAnalyzerEnabled </td>
<td>Sets whether the <a href="../analyzers/index.html">experimental</a> Bundle Audit Analyzer should be used. </td>
<td>true</td>
</tr>
<tr class="b">
<td>bundleAuditPath </td>
<td>Sets the path to the bundle audit executable; only used if bundle audit analyzer is enabled and experimental analyzers are enabled. </td>
<td>&#160;</td>
</tr>
<tr class="a">
<td>swiftPackageManagerAnalyzerEnabled </td>
<td>Sets whether the <a href="../analyzers/index.html">experimental</a> Switft Package Analyzer should be used. </td>
<td>true</td>
</tr>
<tr class="b">
<td>assemblyAnalyzerEnabled </td>
<td>Sets whether the .NET Assembly Analyzer should be used. </td>
<td>true</td>
</tr>
<tr class="a">
<td>pathToMono </td>
<td>The path to Mono for .NET assembly analysis on non-windows systems. </td>
<td>&#160;</td>
</tr>
</tbody>
</table>
<h1>Advanced Configuration</h1>
<p>The following properties can be configured in the plugin. However, they are less frequently changed. One exception may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment.</p>
<table border="0" class="table table-striped">
<thead>
<tr class="a">
<th>Property </th>
<th>Description </th>
<th>Default Value</th>
</tr>
</thead>
<tbody>
<tr class="b">
<td>cveUrl12Modified </td>
<td>URL for the modified CVE 1.2. </td>
<td><a class="externalLink" href="http://nvd.nist.gov/download/nvdcve-modified.xml">http://nvd.nist.gov/download/nvdcve-modified.xml</a></td>
</tr>
<tr class="a">
<td>cveUrl20Modified </td>
<td>URL for the modified CVE 2.0. </td>
<td><a class="externalLink" href="http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml">http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml</a></td>
</tr>
<tr class="b">
<td>cveUrl12Base </td>
<td>Base URL for each year&#x2019;s CVE 1.2, the %d will be replaced with the year. </td>
<td><a class="externalLink" href="http://nvd.nist.gov/download/nvdcve-%d.xml">http://nvd.nist.gov/download/nvdcve-%d.xml</a></td>
</tr>
<tr class="a">
<td>cveUrl20Base </td>
<td>Base URL for each year&#x2019;s CVE 2.0, the %d will be replaced with the year. </td>
<td><a class="externalLink" href="http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml">http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml</a></td>
</tr>
<tr class="b">
<td>dataDirectory </td>
<td>Data directory that is used to store the local copy of the NVD. This should generally not be changed. </td>
<td>data</td>
</tr>
<tr class="a">
<td>databaseDriverName </td>
<td>The name of the database driver. Example: org.h2.Driver. </td>
<td>&#160;</td>
</tr>
<tr class="b">
<td>databaseDriverPath </td>
<td>The path to the database driver JAR file; only used if the driver is not in the class path. </td>
<td>&#160;</td>
</tr>
<tr class="a">
<td>connectionString </td>
<td>The connection string used to connect to the database. </td>
<td>&#160;</td>
</tr>
<tr class="b">
<td>databaseUser </td>
<td>The username used when connecting to the database. </td>
<td>&#160;</td>
</tr>
<tr class="a">
<td>databasePassword </td>
<td>The password used when connecting to the database. </td>
<td>&#160;</td>
</tr>
</tbody>
</table></div>
</div>
</div>
</div>
<hr/>
<footer>
<div class="container-fluid">
<div class="row-fluid">
<p >Copyright &copy; 2012&#x2013;2017
<a href="http://www.owasp.org">OWASP</a>.
All rights reserved.
</p>
</div>
</div>
</footer>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink