github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-15 08:13:43 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
4da950f37c1190cec480a5db0daaf4998f572d0e
DependencyCheck/src/site/markdown/data/database.md.vm

87 lines
4.7 KiB
Plaintext
Raw Blame History

Using a Database Server
=======================
<font color="red">**WARNING: This discusses an advanced setup and you may run into issues.**</font>
Out of the box dependency-check uses a local H2 database. The location of the database
file is configured using the data directory configuration option (see
[CLI](https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html)).
Some organizations may want to use a more robust centralized database. Currently, [H2 in
server mode](http://www.h2database.com/html/tutorial.html#using_server), MySQL, MariaDB, PostgreSQL,
Oracle, and MS SQL Server have been tested. In general, the setup is done by creating
a central database, setting up a single instance of dependency-check, which can connect to the
Internet, that is run in update-only mode once a day. Then the other dependency-check clients
can connect, using a read-only connection, to perform the analysis. Please note that if the
clients are unable to access the Internet the analysis may result in a few false negatives;
see the note about Central [here](./index.html).
To setup a centralized database the following generalized steps can be used:
<ol><li>Create the database and tables using either <a href="https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-core/src/main/resources/data/initialize.sql">initialize.sql</a>
or one of the other initialization scripts <a href="https://github.com/jeremylong/DependencyCheck/tree/master/dependency-check-core/src/main/resources/data">found here</a>.</li>
<li>The account that the clients will connect using must have select granted on the tables.
<ul><li>Note, the clients performing the scans should run with the noupdate setting. A single
instance of the dependency-check client should be setup with updates enabled and the account
used during the update process will need to be granted update rights on the tables.
</li></ul>
</li><li>Dependency-check clients running scans will need to be configured to use the central database:
<ul><li>The database driver will need to be specified using the dbDriver and if the driver is not
already in the classpath the dbDriverPath options will need to be set (see the specific configuration
options for Maven, Gradle, Ant, CLI, and Jenkins).</li>
<li>The connection string, database user name, and the database user's password will also need to be configured.</li>
</ul>
</li></ol>
Depending on the database being used, you may need to customize the [dbStatements.properties](https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-core/src/main/resources/data/dbStatements.properties).
Alternatively to modifying the dbStatements.properties it is possible to use a dialect file to support other databases.
See [dbStatements_h2.properties](https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-core/src/main/resources/data/dbStatements_h2.properties)
as an example.
Also, if using an external database you will need to manually upgrade the schema. See [database upgrades](./upgrade.html) for more information.
Examples
--------
The following example shows how to use the Maven plugin with MariaDB:
```xml
<project>
<modelVersion>4.0.0</modelVersion>
<groupId>dummy</groupId>
<artifactId>dummy</artifactId>
<version>1.0-SNAPSHOT</version>
<build>
<plugins>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>${project.version}</version>
<dependencies>
<dependency>
<groupId>org.mariadb.jdbc</groupId>
<artifactId>mariadb-java-client</artifactId>
<version>1.4.6</version>
</dependency>
</dependencies>
<configuration>
<databaseDriverName>org.mariadb.jdbc.Driver</databaseDriverName>
<connectionString>jdbc:mariadb://my.cvedb.host/cvedb</connectionString>
<databaseUser>depscan</databaseUser>
<databasePassword>NotReallyMyDbPassword</databasePassword>
</configuration>
<executions>
<execution>
<goals>
<goal>update-only</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</project>
```
Support
-------
As always, feel free to open an [issue](https://github.com/jeremylong/DependencyCheck/issues)
or post a question to the [dependency-check google group](https://groups.google.com/forum/#!forum/dependency-check).
Reference in New Issue View Git Blame Copy Permalink