Merge branch 'main' into main

jeremylong · Sep 6, 2023 · dd25c37 · dd25c37
2 parents f5b55b4 + 842af7f
commit dd25c37
Show file tree

Hide file tree

Showing 28 changed files with 1,272 additions and 288 deletions.
diff --git a/.github/workflows/false-positive-approvals.yml b/.github/workflows/false-positive-approvals.yml
@@ -23,7 +23,7 @@ jobs:
       - uses: actions/checkout@v3
         with:
           ref: generatedSuppressions
-      - uses: actions/setup-node@v3.7.0
+      - uses: actions/setup-node@v3.8.1
       - run: |
           npm install [email protected]
           npm install fs

diff --git a/.github/workflows/false-positive-ops.yml b/.github/workflows/false-positive-ops.yml
@@ -41,7 +41,7 @@ jobs:
         with:
           issue-body: ${{ github.event.issue.body }}
           template-path: odc/.github/ISSUE_TEMPLATE/false-positive-report.yml
-      - uses: actions/setup-node@v3.7.0
+      - uses: actions/setup-node@v3.8.1
         with:
           node-version: 14
       - name: Initialize npm

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -185,7 +185,19 @@ jobs:
           prerelease: false
           draft: false
           body: |
-            Re-release of 8.3.0 as 8.3.1.
+            ### Added
+
+            - feat: Add support for Nexus v3 to NexusAnalyzer (#5849)
+
+            ### Fixed
+
+            - fix: Hint Analyzer should run before VersionFilter Analyzer (#5818)
+            - chore: switch to sha1-pinning as suggested by Semgrep
+            - fix: OSS Index Analyzer SocketTimeoutException exception handling based on warn only parameter (#5845)
+            - fix: use curl with -L to follow github redirect (#5808)
+            - fix: use curl with -L to follow github redirect
+            - fix: #5671 out of memory error (#5789)
+            - fix: #5671 Exit method as soon as we detect a loop to prevent an infinite loop leading to an OutOfMemoryError
 
       - name: Upload CLI
         id: upload-release-cli

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,11 +1,27 @@
 # Change Log
 
+## [Version 8.4.0](https://github.com/jeremylong/DependencyCheck/releases/tag/v8.4.0) (2023-08-19)
+
+### Added
+
+- feat: Add support for Nexus v3 to NexusAnalyzer (#5849)
+
+### Fixed
+
+- fix: Hint Analyzer should run before VersionFilter Analyzer (#5818)
+- chore: switch to sha1-pinning as suggested by Semgrep
+- fix: OSS Index Analyzer SocketTimeoutException exception handling based on warn only parameter (#5845)
+- fix: use curl with -L to follow github redirect (#5808)
+- fix: use curl with -L to follow github redirect
+- fix: #5671 out of memory error (#5789)
+- fix: #5671 Exit method as soon as we detect a loop to prevent an infinite loop leading to an OutOfMemoryError
+
+See the full listing of [changes](https://github.com/jeremylong/DependencyCheck/milestone/66?closed=1).
+
 ## [Version 8.3.1](https://github.com/jeremylong/DependencyCheck/releases/tag/v8.3.1) (2023-06-12)
 
 Re-release of 8.3.0 as 8.3.1.
 
-### Added
-
 ## [Version 8.3.0](https://github.com/jeremylong/DependencyCheck/releases/tag/v8.3.0) (2023-06-12)
 
 ### Added

diff --git a/ant/pom.xml b/ant/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>8.3.2-SNAPSHOT</version>
+        <version>8.4.1-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>

diff --git a/archetype/pom.xml b/archetype/pom.xml
@@ -20,14 +20,14 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>8.3.2-SNAPSHOT</version>
+        <version>8.4.1-SNAPSHOT</version>
     </parent>
     <artifactId>dependency-check-plugin</artifactId>
     <name>Dependency-Check Plugin Archetype</name>
     <packaging>jar</packaging>
     <properties>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2023-06-12T11:16:20Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2023-08-19T12:57:43Z</project.build.outputTimestamp>
     </properties>
     <scm>
         <connection>scm:git:https://github.com/jeremylong/DependencyCheck.git</connection>

diff --git a/cli/pom.xml b/cli/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>8.3.2-SNAPSHOT</version>
+        <version>8.4.1-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>

diff --git a/core/pom.xml b/core/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>8.3.2-SNAPSHOT</version>
+        <version>8.4.1-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>

diff --git a/core/src/main/java/org/owasp/dependencycheck/Engine.java b/core/src/main/java/org/owasp/dependencycheck/Engine.java
@@ -78,7 +78,9 @@
 import static org.owasp.dependencycheck.analyzer.AnalysisPhase.INITIAL;
 import static org.owasp.dependencycheck.analyzer.AnalysisPhase.POST_FINDING_ANALYSIS;
 import static org.owasp.dependencycheck.analyzer.AnalysisPhase.POST_IDENTIFIER_ANALYSIS;
-import static org.owasp.dependencycheck.analyzer.AnalysisPhase.POST_INFORMATION_COLLECTION;
+import static org.owasp.dependencycheck.analyzer.AnalysisPhase.POST_INFORMATION_COLLECTION1;
+import static org.owasp.dependencycheck.analyzer.AnalysisPhase.POST_INFORMATION_COLLECTION2;
+import static org.owasp.dependencycheck.analyzer.AnalysisPhase.POST_INFORMATION_COLLECTION3;
 import static org.owasp.dependencycheck.analyzer.AnalysisPhase.PRE_FINDING_ANALYSIS;
 import static org.owasp.dependencycheck.analyzer.AnalysisPhase.PRE_IDENTIFIER_ANALYSIS;
 import static org.owasp.dependencycheck.analyzer.AnalysisPhase.PRE_INFORMATION_COLLECTION;
@@ -1294,7 +1296,9 @@ public enum Mode {
                 PRE_INFORMATION_COLLECTION,
                 INFORMATION_COLLECTION,
                 INFORMATION_COLLECTION2,
-                POST_INFORMATION_COLLECTION
+                POST_INFORMATION_COLLECTION1,
+                POST_INFORMATION_COLLECTION2,
+                POST_INFORMATION_COLLECTION3
         ),
         /**
          * In evidence processing mode the {@link Engine} processes the evidence

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java
@@ -26,54 +26,126 @@ public enum AnalysisPhase {
 
     /**
      * Initialization phase.
+     * @implNote Bound analyzers are {@link ArchiveAnalyzer}
      */
     INITIAL,
     /**
      * Pre information collection phase.
+     * @implNote Bound analyzers are {@link ElixirMixAuditAnalyzer},{@link RubyBundleAuditAnalyzer}
      */
     PRE_INFORMATION_COLLECTION,
     /**
      * Information collection phase.
+     * @implNote Bound analyzers are
+     * {@link ArtifactoryAnalyzer}
+     * {@link AssemblyAnalyzer}
+     * {@link AutoconfAnalyzer}
+     * {@link CMakeAnalyzer}
+     * {@link CentralAnalyzer}
+     * {@link CocoaPodsAnalyzer}
+     * {@link ComposerLockAnalyzer}
+     * {@link DartAnalyzer}
+     * {@link FileNameAnalyzer}
+     * {@link GolangDepAnalyzer}
+     * {@link GolangModAnalyzer}
+     * {@link JarAnalyzer}
+     * {@link LibmanAnalyzer}
+     * {@link MSBuildProjectAnalyzer}
+     * {@link NexusAnalyzer}
+     * {@link NodeAuditAnalyzer}
+     * {@link NugetconfAnalyzer}
+     * {@link NuspecAnalyzer}
+     * {@link OpenSSLAnalyzer}
+     * {@link PinnedMavenInstallAnalyzer}
+     * {@link PipAnalyzer}
+     * {@link PipfileAnalyzer}
+     * {@link PipfilelockAnalyzer}
+     * {@link PoetryAnalyzer}
+     * {@link PythonDistributionAnalyzer}
+     * {@link PythonPackageAnalyzer}
+     * {@link RubyGemspecAnalyzer}
+     * {@link RubyBundlerAnalyzer}
+     * {@link SwiftPackageManagerAnalyzer}
+     * {@link SwiftPackageResolvedAnalyzer}
      */
     INFORMATION_COLLECTION,
     /**
      * Information collection phase 2.
+     * @implNote Bound analyzers are
+     * {@link PEAnalyzer}
      */
     INFORMATION_COLLECTION2,
     /**
-     * Post information collection phase.
+     * Post information collection phase 1.
+     * @implNote Bound analyzers are
+     * {@link DependencyMergingAnalyzer}
      */
-    POST_INFORMATION_COLLECTION,
+    POST_INFORMATION_COLLECTION1,
+    /**
+     * Post information collection phase 2.
+     * @implNote Bound analyzers are
+     * {@link HintAnalyzer} (must run before {@link VersionFilterAnalyzer}, should run after {@link DependencyMergingAnalyzer})
+     */
+    POST_INFORMATION_COLLECTION2,
+    /**
+     * Post information collection phase 3.
+     * @implNote Bound analyzers are
+     * {@link VersionFilterAnalyzer}
+     */
+    POST_INFORMATION_COLLECTION3,
     /**
      * Pre identifier analysis phase.
+     * @implNote Bound analyzers are
+     * {@link NpmCPEAnalyzer} (must run in a separate phase from {@link CPEAnalyzer} due to singleton re-use)
      */
     PRE_IDENTIFIER_ANALYSIS,
     /**
      * Identifier analysis phase.
+     * @implNote Bound analyzers are
+     * {@link CPEAnalyzer}
      */
     IDENTIFIER_ANALYSIS,
     /**
      * Post identifier analysis phase.
+     * @implNote Bound analyzers are
+     * {@link CpeSuppressionAnalyzer}
+     * {@link FalsePositiveAnalyzer}
      */
     POST_IDENTIFIER_ANALYSIS,
     /**
      * Pre finding analysis phase.
+     * @implNote No analyzers bound to this phase
      */
     PRE_FINDING_ANALYSIS,
     /**
      * Finding analysis phase.
+     * @implNote Bound analyzers are
+     * {@link NodeAuditAnalyzer}
+     * {@link NvdCveAnalyzer}
+     * {@link PnpmAuditAnalyzer}
+     * {@link RetireJsAnalyzer}
+     * {@link YarnAuditAnalyzer}
+     *
      */
     FINDING_ANALYSIS,
     /**
      * Finding analysis phase 2.
+     * @implNote Bound analyzers are
+     * {@link OssIndexAnalyzer}
      */
     FINDING_ANALYSIS_PHASE2,
     /**
      * Post analysis phase.
+     * @implNote Bound analyzers are
+     * {@link KnownExploitedVulnerabilityAnalyzer}
+     * {@link VulnerabilitySuppressionAnalyzer}
      */
     POST_FINDING_ANALYSIS,
     /**
      * The final analysis phase.
+     * @implNote Bound analyzers are
+     * {@link DependencyBundlingAnalyzer}
+     * {@link UnusedSuppressionRuleAnalyzer}
      */
     FINAL
 }
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java
@@ -47,7 +47,7 @@ public class DependencyMergingAnalyzer extends AbstractDependencyComparingAnalyz
     /**
      * The phase that this analyzer is intended to run in.
      */
-    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_INFORMATION_COLLECTION;
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_INFORMATION_COLLECTION1;
     /**
      * Used for synchronization when merging related dependencies.
      */

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
@@ -80,7 +80,7 @@ public class HintAnalyzer extends AbstractAnalyzer {
     /**
      * The phase that this analyzer is intended to run in.
      */
-    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_IDENTIFIER_ANALYSIS;
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_INFORMATION_COLLECTION2;
 
     /**
      * Returns the name of the analyzer.

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java
@@ -22,6 +22,8 @@
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.data.nexus.NexusSearch;
+import org.owasp.dependencycheck.data.nexus.NexusV2Search;
+import org.owasp.dependencycheck.data.nexus.NexusV3Search;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
@@ -35,6 +37,7 @@
 import java.io.IOException;
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.util.Locale;
 import javax.annotation.concurrent.ThreadSafe;
 import org.owasp.dependencycheck.dependency.EvidenceType;
 import org.owasp.dependencycheck.exception.InitializationException;
@@ -169,17 +172,38 @@ public void prepareFileTypeAnalyzer(Engine engine) throws InitializationExceptio
         if (isEnabled()) {
             final boolean useProxy = useProxy();
             LOGGER.debug("Using proxy: {}", useProxy);
-            try {
-                searcher = new NexusSearch(getSettings(), useProxy);
-                if (!searcher.preflightRequest()) {
-                    setEnabled(false);
-                    throw new InitializationException("There was an issue getting Nexus status. Disabling analyzer.");
-                }
-            } catch (MalformedURLException mue) {
+            searcher = createNexusSearchOrDisable(useProxy);
+        }
+    }
+
+    /**
+     * Creates a NexusSearch for the appropriate Nexus version (Nexus V2 and V3 supported).
+     * <p>
+     * If errors are encountered creating or validating the NexusSearch it disables this analyzer.
+     *
+     * @param useProxy Whether a proxy is to be used
+     * @return A NexusSearch appropriate for the configured ANALYZER_NEXUS_URL
+     * @throws InitializationException Upon errors creating of validating the ANALYZER_NEXUS_URL
+     */
+    private NexusSearch createNexusSearchOrDisable(boolean useProxy) throws InitializationException {
+        final Settings settings = getSettings();
+        final String nexusRootURL = settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL);
+        final NexusSearch result;
+        try {
+            if (nexusRootURL.toLowerCase(Locale.ROOT).contains("service/local/")) {
+                result = new NexusV2Search(settings, useProxy);
+            } else {
+                result = new NexusV3Search(settings, useProxy);
+            }
+            if (!result.preflightRequest()) {
                 setEnabled(false);
-                throw new InitializationException("Malformed URL to Nexus", mue);
+                throw new InitializationException("There was an error getting Nexus status. Disabling NexusAnalyzer.");
             }
+        } catch (MalformedURLException mue) {
+            setEnabled(false);
+            throw new InitializationException("Malformed URL to Nexus. Disabling NexusAnalyzer", mue);
         }
+        return result;
     }
 
     /**

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/NpmCPEAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/NpmCPEAnalyzer.java
@@ -49,7 +49,7 @@ public class NpmCPEAnalyzer extends CPEAnalyzer {
     /**
      * The Logger.
      */
-    private static final Logger LOGGER = LoggerFactory.getLogger(CPEAnalyzer.class);
+    private static final Logger LOGGER = LoggerFactory.getLogger(NpmCPEAnalyzer.class);
 
     /**
      * Returns the analysis phase that this analyzer should run in.

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java
@@ -86,7 +86,7 @@ public class VersionFilterAnalyzer extends AbstractAnalyzer {
     /**
      * The phase that this analyzer is intended to run in.
      */
-    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_INFORMATION_COLLECTION;
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_INFORMATION_COLLECTION3;
 
     //</editor-fold>
     //<editor-fold defaultstate="collapsed" desc="Standard implementation of Analyzer">