- Make thread pools members of the class to facilitate reuse - Increase default max download thread pool size from 3 to 50 (should be fine for mostly blocking tasks like downloading)
application.name=${pom.name}
|
|
application.version=${pom.version}
|
|
autoupdate=true
|
|
max.download.threads=50
|
|
|
|
# the url to obtain the current engine version from
|
|
engine.version.url=https://jeremylong.github.io/DependencyCheck/current.txt
|
|
|
|
#temp.directory defaults to System.getProperty("java.io.tmpdir")
|
|
#temp.directory=[path to temp directory]
|
|
|
|
# the path to the data directory; the [JAR] signifies to use the relative path
# to the dependency-check-core JAR file. This path is only used to construct
# the connection string for the H2 driver (or other drivers that require a file path
# to be supplied). If you are using another database (MySQL, Oracle, etc.) this property
# will not be used. The data.directory will be resolved and if the connection string
# below contains a %s then the data.directory will replace the %s.
|
|
data.directory=[JAR]/data
|
|
#if the filename has a %s it will be replaced with the current expected version
|
|
data.file_name=dc.h2.db
|
|
data.version=3.0
|
|
data.connection_string=jdbc:h2:file:%s;FILE_LOCK=SERIALIZED;AUTOCOMMIT=ON;
|
|
#data.connection_string=jdbc:mysql://localhost:3306/dependencycheck
|
|
|
|
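# user name and password for the database connection. The default case is to use the
# file-based H2 database; as such, these insecure default credentials exist. They are
# published in this file, so override data.user and data.password whenever
# data.connection_string points at a shared or networked database (MySQL, Oracle, etc.).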
|
|
data.user=dcuser
|
|
data.password=DC-Pass1337!
|
|
# The following are only used if the DB Driver is not JDBC4 compliant and/or the driver
# is not in the current classpath. Setting these properties will add the given path(s) to
# the class loader and then register the driver with the DriverManager. If the class is
# not in the path you must specify both the driver name (aka the fully qualified driver name)
# and the driver path. The driver path can be a semicolon-separated list of files/directories
# to ensure any and all needed files can be added to the classpath to load the driver.
# Code loaded from the driver path runs with the scanner's privileges, so list only
# locations that untrusted users cannot write to.
# For non-JDBC4 drivers in the classpath only the driver_name needs to be set.
# For MOST situations these properties likely do not need to be set.
|
|
data.driver_name=org.h2.Driver
|
|
data.driver_path=
|
|
|
|
# the number of days that the modified nvd cve data holds data for. We don't need
|
|
# to update the other files if we are within this timespan. Per NIST this file
|
|
# holds 8 days of updates, we are using 7 just to be safe.
|
|
cve.url.modified.validfordays=7
|
|
# the number of hours to wait before checking if updates are available from the NVD.
|
|
cve.check.validforhours=0
|
|
#first year to pull data from the URLs below
|
|
cve.startyear=2014
|
|
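# the URL of the modified nvd cve xml file. Prefer the https URLs; the commented-out
# http variants below would fetch the vulnerability data without transport protection.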
|
|
cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
|
|
#cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
|
|
#the original URL and modified URL should be the same; this is used to detect if we are using an internal NVD CVE copy
|
|
cve.url-2.0.original=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
|
|
cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
|
|
#cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
|
|
cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
|
|
#cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
|
|
cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
|
|
#cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
|
|
cve.cpe.startswith.filter=cpe:/a:
|
|
|
|
cpe.validfordays=30
|
|
cpe.url=https://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
|
|
|
|
|
|
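# the URL for searching Nexus for SHA-1 hashes and whether it's enabled.
# Each key is set exactly once: when the file is loaded with java.util.Properties only the
# last assignment of a duplicated key is kept, so a second, conflicting value further down
# would silently override the one documented here.
analyzer.nexus.enabled=false
analyzer.nexus.url=https://repository.sonatype.org/service/local/
# If set to true, the proxy will still ONLY be used if the proxy properties (proxy.url, proxy.port)
# are configured
analyzer.nexus.proxy=true

# the URL for searching search.maven.org for SHA-1 and whether it's enabled
analyzer.central.enabled=true
analyzer.central.url=https://search.maven.org/solrsearch/select

# the number of nested archives that will be searched.
archive.scan.depth=3

# use HEAD (default) or GET as HTTP request method for query timestamp
downloader.quick.query.timestamp=true
# TLS protocol versions the downloader may use. TLSv1 and TLSv1.1 are deprecated (RFC 8996)
# and are left out; add them back only for a legacy internal mirror that cannot negotiate
# TLSv1.2 or later.
downloader.tls.protocols=TLSv1.2,TLSv1.3

# per-analyzer switches (the Nexus and Central analyzers are configured above)
analyzer.experimental.enabled=true
analyzer.jar.enabled=true
analyzer.archive.enabled=true
analyzer.node.package.enabled=true
analyzer.composer.lock.enabled=true
analyzer.python.distribution.enabled=true
analyzer.python.package.enabled=true
analyzer.ruby.gemspec.enabled=true
analyzer.autoconf.enabled=true
analyzer.cmake.enabled=true
analyzer.assembly.enabled=true
analyzer.nuspec.enabled=true
analyzer.openssl.enabled=true
analyzer.cocoapods.enabled=true
analyzer.swift.package.manager.enabled=true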
|
|
|
|
# Path to your own bundle-audit installation. The analyzer runs this program, so point it
# at a location that untrusted users cannot write to.
|
|
analyzer.bundle.audit.path=/usr/local/bin/bundle-audit
|
|
analyzer.cpe.enabled=true
|
|
analyzer.cpesuppression.enabled=true
|
|
analyzer.dependencybundling.enabled=true
|
|
analyzer.dependencymerging.enabled=true
|
|
analyzer.falsepositive.enabled=true
|
|
analyzer.filename.enabled=true
|
|
analyzer.hint.enabled=true
|
|
analyzer.nvdcve.enabled=true
|
|
analyzer.vulnerabilitysuppression.enabled=true
|
|
updater.nvdcve.enabled=true
|
|
updater.versioncheck.enabled=true
|