From 0507b306597f94023b591061e359b2f2856d35ca Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 15 Aug 2023 01:45:32 +0000 Subject: [PATCH 01/13] build(deps): bump actions/setup-node from 3.7.0 to 3.8.0 Bumps [actions/setup-node](https://github.com/actions/setup-node) from 3.7.0 to 3.8.0. - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](https://github.com/actions/setup-node/compare/v3.7.0...v3.8.0) --- updated-dependencies: - dependency-name: actions/setup-node dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/false-positive-approvals.yml | 2 +- .github/workflows/false-positive-ops.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/false-positive-approvals.yml b/.github/workflows/false-positive-approvals.yml index ae3d555d9db..3197f25af1c 100644 --- a/.github/workflows/false-positive-approvals.yml +++ b/.github/workflows/false-positive-approvals.yml @@ -23,7 +23,7 @@ jobs: - uses: actions/checkout@v3 with: ref: generatedSuppressions - - uses: actions/setup-node@v3.7.0 + - uses: actions/setup-node@v3.8.0 - run: | npm install fast-xml-parser@4.0.9 npm install fs diff --git a/.github/workflows/false-positive-ops.yml b/.github/workflows/false-positive-ops.yml index 8ec3f8f3aff..5458dbb1c55 100644 --- a/.github/workflows/false-positive-ops.yml +++ b/.github/workflows/false-positive-ops.yml @@ -41,7 +41,7 @@ jobs: with: issue-body: ${{ github.event.issue.body }} template-path: odc/.github/ISSUE_TEMPLATE/false-positive-report.yml - - uses: actions/setup-node@v3.7.0 + - uses: actions/setup-node@v3.8.0 with: node-version: 14 - name: Initialize npm From 5a55c81406e3810150b11300d48724312cea2795 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 16 Aug 2023 01:24:12 +0000 Subject: [PATCH 02/13] build(deps): bump org.semver4j:semver4j from 5.0.0 to 5.1.0 Bumps [org.semver4j:semver4j](https://github.com/semver4j/semver4j) from 5.0.0 to 5.1.0. - [Release notes](https://github.com/semver4j/semver4j/releases) - [Commits](https://github.com/semver4j/semver4j/compare/v5.0.0...v5.1.0) --- updated-dependencies: - dependency-name: org.semver4j:semver4j dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 6ce68b7bdb8..3fa3d0f900c 100644 --- a/pom.xml +++ b/pom.xml @@ -1069,7 +1069,7 @@ Copyright (c) 2012 - Jeremy Long org.semver4j semver4j - 5.0.0 + 5.1.0 org.jetbrains From 0f4553abff5219a2bba8a286cb1364fa2d5708d1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 18 Aug 2023 01:47:28 +0000 Subject: [PATCH 03/13] build(deps): bump actions/setup-node from 3.8.0 to 3.8.1 Bumps [actions/setup-node](https://github.com/actions/setup-node) from 3.8.0 to 3.8.1. - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](https://github.com/actions/setup-node/compare/v3.8.0...v3.8.1) --- updated-dependencies: - dependency-name: actions/setup-node dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/false-positive-approvals.yml | 2 +- .github/workflows/false-positive-ops.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/false-positive-approvals.yml b/.github/workflows/false-positive-approvals.yml index 3197f25af1c..c8358aaf769 100644 --- a/.github/workflows/false-positive-approvals.yml +++ b/.github/workflows/false-positive-approvals.yml 
@@ -23,7 +23,7 @@ jobs: - uses: actions/checkout@v3 with: ref: generatedSuppressions - - uses: actions/setup-node@v3.8.0 + - uses: actions/setup-node@v3.8.1 - run: | npm install fast-xml-parser@4.0.9 npm install fs diff --git a/.github/workflows/false-positive-ops.yml b/.github/workflows/false-positive-ops.yml index 5458dbb1c55..55163b53107 100644 --- a/.github/workflows/false-positive-ops.yml +++ b/.github/workflows/false-positive-ops.yml @@ -41,7 +41,7 @@ jobs: with: issue-body: ${{ github.event.issue.body }} template-path: odc/.github/ISSUE_TEMPLATE/false-positive-report.yml - - uses: actions/setup-node@v3.8.0 + - uses: actions/setup-node@v3.8.1 with: node-version: 14 - name: Initialize npm From a29afc496f103725fd3837883d307f80cb3e9a73 Mon Sep 17 00:00:00 2001 From: Hans Aikema Date: Sat, 19 Aug 2023 13:58:30 +0200 Subject: [PATCH 04/13] fix: Hint Analyzer should run before VersionFilter Analyzer (#5818) --- .../org/owasp/dependencycheck/Engine.java | 8 +- .../analyzer/AnalysisPhase.java | 76 ++++++++++++++++++- .../analyzer/DependencyMergingAnalyzer.java | 2 +- .../analyzer/HintAnalyzer.java | 2 +- .../analyzer/NpmCPEAnalyzer.java | 2 +- .../analyzer/VersionFilterAnalyzer.java | 2 +- .../DependencyMergingAnalyzerTest.java | 2 +- .../analyzer/HintAnalyzerTest.java | 2 +- .../analyzer/VersionFilterAnalyzerTest.java | 2 +- 9 files changed, 87 insertions(+), 11 deletions(-) diff --git a/core/src/main/java/org/owasp/dependencycheck/Engine.java b/core/src/main/java/org/owasp/dependencycheck/Engine.java index 5b6d41e5929..265aaaf81d2 100644 --- a/core/src/main/java/org/owasp/dependencycheck/Engine.java +++ b/core/src/main/java/org/owasp/dependencycheck/Engine.java 
@@ -78,7 +78,9 @@ import static org.owasp.dependencycheck.analyzer.AnalysisPhase.INITIAL; import static org.owasp.dependencycheck.analyzer.AnalysisPhase.POST_FINDING_ANALYSIS; import static org.owasp.dependencycheck.analyzer.AnalysisPhase.POST_IDENTIFIER_ANALYSIS; -import static org.owasp.dependencycheck.analyzer.AnalysisPhase.POST_INFORMATION_COLLECTION; +import static org.owasp.dependencycheck.analyzer.AnalysisPhase.POST_INFORMATION_COLLECTION1; +import static org.owasp.dependencycheck.analyzer.AnalysisPhase.POST_INFORMATION_COLLECTION2; +import static org.owasp.dependencycheck.analyzer.AnalysisPhase.POST_INFORMATION_COLLECTION3; import static org.owasp.dependencycheck.analyzer.AnalysisPhase.PRE_FINDING_ANALYSIS; import static org.owasp.dependencycheck.analyzer.AnalysisPhase.PRE_IDENTIFIER_ANALYSIS; import static org.owasp.dependencycheck.analyzer.AnalysisPhase.PRE_INFORMATION_COLLECTION; @@ -1294,7 +1296,9 @@ public enum Mode { PRE_INFORMATION_COLLECTION, INFORMATION_COLLECTION, INFORMATION_COLLECTION2, - POST_INFORMATION_COLLECTION + POST_INFORMATION_COLLECTION1, + POST_INFORMATION_COLLECTION2, + POST_INFORMATION_COLLECTION3 ), /** * In evidence processing mode the {@link Engine} processes the evidence diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java index 818ba2186c8..09008bebb23 100644 --- a/core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java +++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java 
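Review bot: Adding POST_INFORMATION_COLLECTION2 to the first Mode constant's phase list moves HintAnalyzer into the evidence-collection mode, since the HintAnalyzer hunk later in this patch retargets it from PRE_IDENTIFIER_ANALYSIS (which, judging by the "evidence processing mode" Javadoc that starts at the end of this hunk, belongs to the processing-mode list outside the hunk). If that reading is right, a build that splits collection and processing across runs now applies hint rules during collection and no longer during a processing-only run, which is a behavioural change the commit title does not mention. Suggest calling it out in the release notes and in the Javadoc of the collection-mode constant, e.g. `* Includes the hint and version-filter phases, so hint rules must be available to the collecting run.` The Mode enum continues past the end of this hunk.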
@@ -26,54 +26,126 @@ public enum AnalysisPhase { /** * Initialization phase. + * @implNote Bound analyzers are {@link ArchiveAnalyzer} */ INITIAL, /** * Pre information collection phase. + * @implNote Bound analyzers are {@link ElixirMixAuditAnalyzer},{@link RubyBundleAuditAnalyzer} */ PRE_INFORMATION_COLLECTION, /** * Information collection phase. + * @implNote Bound analyzers are + * {@link ArtifactoryAnalyzer} + * {@link AssemblyAnalyzer} + * {@link AutoconfAnalyzer} + * {@link CMakeAnalyzer} + * {@link CentralAnalyzer} + * {@link CocoaPodsAnalyzer} + * {@link ComposerLockAnalyzer} + * {@link DartAnalyzer} + * {@link FileNameAnalyzer} + * {@link GolangDepAnalyzer} + * {@link GolangModAnalyzer} + * {@link JarAnalyzer} + * {@link LibmanAnalyzer} + * {@link MSBuildProjectAnalyzer} + * {@link NexusAnalyzer} + * {@link NodeAuditAnalyzer} + * {@link NugetconfAnalyzer} + * {@link NuspecAnalyzer} + * {@link OpenSSLAnalyzer} + * {@link PinnedMavenInstallAnalyzer} + * {@link PipAnalyzer} + * {@link PipfileAnalyzer} + * {@link PipfilelockAnalyzer} + * {@link PoetryAnalyzer} + * {@link PythonDistributionAnalyzer} + * {@link PythonPackageAnalyzer} + * {@link RubyGemspecAnalyzer} + * {@link RubyBundlerAnalyzer} + * {@link SwiftPackageManagerAnalyzer} + * {@link SwiftPackageResolvedAnalyzer} */ INFORMATION_COLLECTION, /** * Information collection phase 2. + * @implNote Bound analyzers are + * {@link PEAnalyzer} */ INFORMATION_COLLECTION2, /** - * Post information collection phase. + * Post information collection phase 1. + * @implNote Bound analyzers are + * {@link DependencyMergingAnalyzer} */ - POST_INFORMATION_COLLECTION, + POST_INFORMATION_COLLECTION1, + /** + * Post information collection phase 2. + * @implNote Bound analyzers are + * {@link HintAnalyzer} (must run before {@link VersionFilterAnalyzer}, should run after {@link DependencyMergingAnalyzer}) + */ + POST_INFORMATION_COLLECTION2, + /** + * Post information collection phase 3. 
+ * @implNote Bound analyzers are + * {@link VersionFilterAnalyzer} + */ + POST_INFORMATION_COLLECTION3, /** * Pre identifier analysis phase. + * @implNote Bound analyzers are + * {@link NpmCPEAnalyzer} (must run in a separate phase from {@link CPEAnalyzer} due to singleton re-use) */ PRE_IDENTIFIER_ANALYSIS, /** * Identifier analysis phase. + * @implNote Bound analyzers are + * {@link CPEAnalyzer} */ IDENTIFIER_ANALYSIS, /** * Post identifier analysis phase. + * @implNote Bound analyzers are + * {@link CpeSuppressionAnalyzer} + * {@link FalsePositiveAnalyzer} */ POST_IDENTIFIER_ANALYSIS, /** * Pre finding analysis phase. + * @implNote No analyzers bound to this phase */ PRE_FINDING_ANALYSIS, /** * Finding analysis phase. + * @implNote Bound analyzers are + * {@link NodeAuditAnalyzer} + * {@link NvdCveAnalyzer} + * {@link PnpmAuditAnalyzer} + * {@link RetireJsAnalyzer} + * {@link YarnAuditAnalyzer} + * */ FINDING_ANALYSIS, /** * Finding analysis phase 2. + * @implNote Bound analyzers are + * {@link OssIndexAnalyzer} */ FINDING_ANALYSIS_PHASE2, /** * Post analysis phase. + * @implNote Bound analyzers are + * {@link KnownExploitedVulnerabilityAnalyzer} + * {@link VulnerabilitySuppressionAnalyzer} */ POST_FINDING_ANALYSIS, /** * The final analysis phase. + * @implNote Bound analyzers are + * {@link DependencyBundlingAnalyzer} + * {@link UnusedSuppressionRuleAnalyzer} */ FINAL } diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java index 07c596275d0..432330fa88e 100644 --- a/core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java +++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java 
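Review bot: NodeAuditAnalyzer appears in both the INFORMATION_COLLECTION and the FINDING_ANALYSIS @implNote lists, but an analyzer reports a single phase, so one of the two entries is wrong — verify against that analyzer's ANALYSIS_PHASE constant before merging. These hand-maintained lists will silently drift as analyzers change phase, exactly as three analyzers do in this very commit, so at minimum add a header line such as `* NOTE: the bound-analyzer lists below are maintained by hand; update them whenever an analyzer's ANALYSIS_PHASE changes.` above the enum. The ordering guarantee this patch introduces is encoded only in enum declaration order; a unit test asserting `new HintAnalyzer().getAnalysisPhase().compareTo(new VersionFilterAnalyzer().getAnalysisPhase()) < 0` would stop the fix from regressing the next time the phases are shuffled.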
@@ -47,7 +47,7 @@ public class DependencyMergingAnalyzer extends AbstractDependencyComparingAnalyz /** * The phase that this analyzer is intended to run in. */ - private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_INFORMATION_COLLECTION; + private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_INFORMATION_COLLECTION1; /** * Used for synchronization when merging related dependencies. */ diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java index 37787063628..7b181d71be2 100644 --- a/core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java +++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java @@ -80,7 +80,7 @@ public class HintAnalyzer extends AbstractAnalyzer { /** * The phase that this analyzer is intended to run in. */ - private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_IDENTIFIER_ANALYSIS; + private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_INFORMATION_COLLECTION2; /** * Returns the name of the analyzer. diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/NpmCPEAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/NpmCPEAnalyzer.java index 0acce56f45c..530a5d669ad 100644 --- a/core/src/main/java/org/owasp/dependencycheck/analyzer/NpmCPEAnalyzer.java +++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/NpmCPEAnalyzer.java @@ -49,7 +49,7 @@ public class NpmCPEAnalyzer extends CPEAnalyzer { /** * The Logger. */ - private static final Logger LOGGER = LoggerFactory.getLogger(CPEAnalyzer.class); + private static final Logger LOGGER = LoggerFactory.getLogger(NpmCPEAnalyzer.class); /** * Returns the analysis phase that this analyzer should run in. 
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java index 584b9b2a163..b8a7f57c447 100644 --- a/core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java +++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java @@ -86,7 +86,7 @@ public class VersionFilterAnalyzer extends AbstractAnalyzer { /** * The phase that this analyzer is intended to run in. */ - private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_INFORMATION_COLLECTION; + private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_INFORMATION_COLLECTION3; // // diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzerTest.java index a24da41f43f..eddec091aa5 100644 --- a/core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzerTest.java +++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzerTest.java @@ -53,7 +53,7 @@ public void testGetName() { @Test public void testGetAnalysisPhase() { DependencyMergingAnalyzer instance = new DependencyMergingAnalyzer(); - AnalysisPhase expResult = AnalysisPhase.POST_INFORMATION_COLLECTION; + AnalysisPhase expResult = AnalysisPhase.POST_INFORMATION_COLLECTION1; AnalysisPhase result = instance.getAnalysisPhase(); assertEquals(expResult, result); } diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java index 0e1ce35a1c4..f5737ca7bf8 100644 --- a/core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java +++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java 
@@ -54,7 +54,7 @@ public void testGetName() { @Test public void testGetAnalysisPhase() { HintAnalyzer instance = new HintAnalyzer(); - AnalysisPhase expResult = AnalysisPhase.PRE_IDENTIFIER_ANALYSIS; + AnalysisPhase expResult = AnalysisPhase.POST_INFORMATION_COLLECTION2; AnalysisPhase result = instance.getAnalysisPhase(); assertEquals(expResult, result); } diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzerTest.java index a0d23a25880..eabae8571c8 100644 --- a/core/src/test/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzerTest.java +++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzerTest.java @@ -49,7 +49,7 @@ public void testGetName() { public void testGetAnalysisPhase() { VersionFilterAnalyzer instance = new VersionFilterAnalyzer(); instance.initialize(getSettings()); - AnalysisPhase expResult = AnalysisPhase.POST_INFORMATION_COLLECTION; + AnalysisPhase expResult = AnalysisPhase.POST_INFORMATION_COLLECTION3; AnalysisPhase result = instance.getAnalysisPhase(); assertEquals(expResult, result); } From e685b8050531228e5826bc803b41a6fedc0c3685 Mon Sep 17 00:00:00 2001 
From: Hans Aikema Date: Sat, 19 Aug 2023 13:58:53 +0200 Subject: [PATCH 05/13] feat: Add support for Nexus v3 to NexusAnalyzer (#5849) --- .../analyzer/NexusAnalyzer.java | 40 ++- .../data/nexus/NexusSearch.java | 196 +------------ .../data/nexus/NexusV2Search.java | 211 ++++++++++++++ .../data/nexus/NexusV3Search.java | 259 ++++++++++++++++++ .../data/nexus/NexusV2SearchTest.java | 84 ++++++ ...SearchTest.java => NexusV3SearchTest.java} | 23 +- core/src/test/resources/logback-test.xml | 2 +- 7 files changed, 608 insertions(+), 207 deletions(-) create mode 100644 core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusV2Search.java create mode 100644 core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusV3Search.java create mode 100644 core/src/test/java/org/owasp/dependencycheck/data/nexus/NexusV2SearchTest.java rename core/src/test/java/org/owasp/dependencycheck/data/nexus/{NexusSearchTest.java => NexusV3SearchTest.java} (83%) diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java index b5828678402..6a657cf916c 100644 --- a/core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java +++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java @@ -22,6 +22,8 @@ import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.data.nexus.MavenArtifact; import org.owasp.dependencycheck.data.nexus.NexusSearch; +import org.owasp.dependencycheck.data.nexus.NexusV2Search; +import org.owasp.dependencycheck.data.nexus.NexusV3Search; import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.dependency.Evidence; 
@@ -35,6 +37,7 @@ import java.io.IOException; import java.net.MalformedURLException; import java.net.URL; +import java.util.Locale; import javax.annotation.concurrent.ThreadSafe; import org.owasp.dependencycheck.dependency.EvidenceType; import org.owasp.dependencycheck.exception.InitializationException; @@ -169,17 +172,38 @@ public void prepareFileTypeAnalyzer(Engine engine) throws InitializationExceptio if (isEnabled()) { final boolean useProxy = useProxy(); LOGGER.debug("Using proxy: {}", useProxy); - try { - searcher = new NexusSearch(getSettings(), useProxy); - if (!searcher.preflightRequest()) { - setEnabled(false); - throw new InitializationException("There was an issue getting Nexus status. Disabling analyzer."); - } - } catch (MalformedURLException mue) { + searcher = createNexusSearchOrDisable(useProxy); + } + } + + /** + * Creates a NexusSearch for the appropriate Nexus version (Nexus V2 and V3 supported). + *

+ * If errors are encountered creating or validating the NexusSearch it disables this analyzer. + * + * @param useProxy Whether a proxy is to be used + * @return A NexusSearch appropriate for the configured ANALYZER_NEXUS_URL + * @throws InitializationException Upon errors creating of validating the ANALYZER_NEXUS_URL + */ + private NexusSearch createNexusSearchOrDisable(boolean useProxy) throws InitializationException { + final Settings settings = getSettings(); + final String nexusRootURL = settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL); + final NexusSearch result; + try { + if (nexusRootURL.toLowerCase(Locale.ROOT).contains("service/local/")) { + result = new NexusV2Search(settings, useProxy); + } else { + result = new NexusV3Search(settings, useProxy); + } + if (!result.preflightRequest()) { setEnabled(false); - throw new InitializationException("Malformed URL to Nexus", mue); + throw new InitializationException("There was an error getting Nexus status. Disabling NexusAnalyzer."); } + } catch (MalformedURLException mue) { + setEnabled(false); + throw new InitializationException("Malformed URL to Nexus. Disabling NexusAnalyzer", mue); } + return result; } /** diff --git a/core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java b/core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java index 4670966fe19..264d0a84c09 100644 --- a/core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java +++ b/core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java 
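Review bot: `nexusRootURL.toLowerCase(Locale.ROOT)` dereferences the setting before any validation, so if ANALYZER_NEXUS_URL is unset and the single-argument `settings.getString` returns null (the user/password lookups elsewhere in this patch pass an explicit default; this call does not), the analyzer dies with a NullPointerException rather than taking the MalformedURLException path that disables it cleanly, as `new URL(null)` previously did. Either read it with an empty default, `settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL, "")`, so `new URL("")` fails inside the existing catch, or guard explicitly with `if (nexusRootURL == null) { setEnabled(false); throw new InitializationException("Nexus URL not configured. Disabling NexusAnalyzer"); }`. The Javadoc `@throws` line reads `creating of validating` and should be `creating or validating`, and the version heuristic deserves one sentence stating that any URL without `service/local/` is assumed to be a Nexus 3 server.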
@@ -13,76 +13,13 @@ * See the License for the specific language governing permissions and * limitations under the License. * - * Copyright (c) 2014 Jeremy Long. All Rights Reserved. + * Copyright (c) 2023 Jeremy Long. All Rights Reserved. */ package org.owasp.dependencycheck.data.nexus; -import java.io.FileNotFoundException; import java.io.IOException; -import java.net.HttpURLConnection; -import java.net.MalformedURLException; -import java.net.URL; -import java.nio.charset.StandardCharsets; -import java.util.Base64; -import javax.annotation.concurrent.ThreadSafe; -import javax.xml.parsers.DocumentBuilder; -import javax.xml.parsers.ParserConfigurationException; -import javax.xml.xpath.XPath; -import javax.xml.xpath.XPathExpressionException; -import javax.xml.xpath.XPathFactory; -import org.owasp.dependencycheck.utils.Settings; - -import org.owasp.dependencycheck.utils.URLConnectionFactory; -import org.owasp.dependencycheck.utils.XmlUtils; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.w3c.dom.Document; -import org.xml.sax.SAXException; - -/** - * Class of methods to search Nexus repositories. - * - * @author colezlaw - */ -@ThreadSafe -public class NexusSearch { - - /** - * The root URL for the Nexus repository service. - */ - private final URL rootURL; - - /** - * Whether to use the Proxy when making requests. - */ - private final boolean useProxy; - /** - * The configured settings. - */ - private final Settings settings; - /** - * Used for logging. - */ - private static final Logger LOGGER = LoggerFactory.getLogger(NexusSearch.class); - - /** - * Creates a NexusSearch for the given repository URL. 
- * - * @param settings the configured settings - * @param useProxy flag indicating if the proxy settings should be used - * @throws java.net.MalformedURLException thrown if the configured URL is - * invalid - */ - public NexusSearch(Settings settings, boolean useProxy) throws MalformedURLException { - this.settings = settings; - this.useProxy = useProxy; - - final String searchUrl = settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL); - LOGGER.debug("Nexus Search URL: {}", searchUrl); - this.rootURL = new URL(searchUrl); - - } +public interface NexusSearch { /** * Searches the configured Nexus repository for the given sha1 hash. If the * artifact is found, a MavenArtifact is populated with the 
@@ -91,135 +28,14 @@ public NexusSearch(Settings settings, boolean useProxy) throws MalformedURLExcep * @param sha1 The SHA-1 hash string for which to search * @return the populated Maven coordinates * @throws IOException if it's unable to connect to the specified repository - * or if the specified artifact is not found. + * or if the specified artifact is not found. */ - public MavenArtifact searchSha1(String sha1) throws IOException { - if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) { - throw new IllegalArgumentException("Invalid SHA1 format"); - } - - final URL url = new URL(rootURL, String.format("identify/sha1/%s", - sha1.toLowerCase())); - - LOGGER.debug("Searching Nexus url {}", url); - - // Determine if we need to use a proxy. The rules: - // 1) If the proxy is set, AND the setting is set to true, use the proxy - // 2) Otherwise, don't use the proxy (either the proxy isn't configured, - // or proxy is specifically set to false - final HttpURLConnection conn; - final URLConnectionFactory factory = new URLConnectionFactory(settings); - conn = factory.createHttpURLConnection(url, useProxy); - conn.setDoOutput(true); - final String authHeader = buildHttpAuthHeaderValue(); - if (!authHeader.isEmpty()) { - conn.addRequestProperty("Authorization", authHeader); - } - - // JSON would be more elegant, but there's not currently a dependency - // on JSON, so don't want to add one just for this - conn.addRequestProperty("Accept", "application/xml"); - conn.connect(); - - switch (conn.getResponseCode()) { - case 200: - try { - final DocumentBuilder builder = XmlUtils.buildSecureDocumentBuilder(); - final Document doc = builder.parse(conn.getInputStream()); - final XPath xpath = XPathFactory.newInstance().newXPath(); - final String groupId = xpath - .evaluate( - "/org.sonatype.nexus.rest.model.NexusArtifact/groupId", - doc); - final String artifactId = xpath.evaluate( - "/org.sonatype.nexus.rest.model.NexusArtifact/artifactId", - doc); - final String version = 
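Review bot: The new `public interface NexusSearch {` has no type-level Javadoc; the original class comment and the @ThreadSafe annotation were removed along with the implementation, yet both implementing classes added in this patch declare @ThreadSafe, so the contract belongs on the interface. Suggest adding above the declaration: `/** Looks up Maven coordinates for an artifact SHA-1 in a Nexus repository. Implementations exist per Nexus REST API version and are expected to be thread-safe. */`.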
xpath - .evaluate( - "/org.sonatype.nexus.rest.model.NexusArtifact/version", - doc); - final String link = xpath - .evaluate( - "/org.sonatype.nexus.rest.model.NexusArtifact/artifactLink", - doc); - final String pomLink = xpath - .evaluate( - "/org.sonatype.nexus.rest.model.NexusArtifact/pomLink", - doc); - final MavenArtifact ma = new MavenArtifact(groupId, artifactId, version); - if (link != null && !link.isEmpty()) { - ma.setArtifactUrl(link); - } - if (pomLink != null && !pomLink.isEmpty()) { - ma.setPomUrl(pomLink); - } - return ma; - } catch (ParserConfigurationException | IOException | SAXException | XPathExpressionException e) { - // Anything else is jacked-up XML stuff that we really can't recover - // from well - throw new IOException(e.getMessage(), e); - } - case 404: - throw new FileNotFoundException("Artifact not found in Nexus"); - default: - LOGGER.debug("Could not connect to Nexus received response code: {} {}", - conn.getResponseCode(), conn.getResponseMessage()); - throw new IOException("Could not connect to Nexus"); - } - } + MavenArtifact searchSha1(String sha1) throws IOException; /** * Do a preflight request to see if the repository is actually working. 
* - * @return whether the repository is listening and returns the /status URL - * correctly - */ - public boolean preflightRequest() { - final HttpURLConnection conn; - try { - final URL url = new URL(rootURL, "status"); - final URLConnectionFactory factory = new URLConnectionFactory(settings); - conn = factory.createHttpURLConnection(url, useProxy); - conn.addRequestProperty("Accept", "application/xml"); - final String authHeader = buildHttpAuthHeaderValue(); - if (!authHeader.isEmpty()) { - conn.addRequestProperty("Authorization", authHeader); - } - conn.connect(); - if (conn.getResponseCode() != 200) { - LOGGER.warn("Expected 200 result from Nexus, got {}", conn.getResponseCode()); - return false; - } - final DocumentBuilder builder = XmlUtils.buildSecureDocumentBuilder(); - - final Document doc = builder.parse(conn.getInputStream()); - if (!"status".equals(doc.getDocumentElement().getNodeName())) { - LOGGER.warn("Expected root node name of status, got {}", doc.getDocumentElement().getNodeName()); - return false; - } - } catch (IOException | ParserConfigurationException | SAXException e) { - LOGGER.warn("Pre-flight request to Nexus failed: ", e); - return false; - } - return true; - } - - /** - * Constructs the base64 encoded basic authentication header value. 
- * - * @return the base64 encoded basic authentication header value + * @return whether the repository is listening and returns the expected status response */ - private String buildHttpAuthHeaderValue() { - final String user = settings.getString(Settings.KEYS.ANALYZER_NEXUS_USER, ""); - final String pass = settings.getString(Settings.KEYS.ANALYZER_NEXUS_PASSWORD, ""); - String result = ""; - if (user.isEmpty() || pass.isEmpty()) { - LOGGER.debug("Skip authentication as user and/or password for nexus is empty"); - } else { - final String auth = user + ':' + pass; - final String base64Auth = Base64.getEncoder().encodeToString(auth.getBytes(StandardCharsets.UTF_8)); - result = "Basic " + base64Auth; - } - return result; - } + boolean preflightRequest(); } diff --git a/core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusV2Search.java b/core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusV2Search.java new file mode 100644 index 00000000000..d1242a77dbb --- /dev/null +++ b/core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusV2Search.java 
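Review bot: The `searchSha1` Javadoc folds the not-found case into the generic IOException, but both implementations in this patch throw the FileNotFoundException subclass when no artifact matches and a plain IOException for transport or server errors, and callers are likely to depend on that distinction. Make it part of the interface contract with `@throws java.io.FileNotFoundException if no artifact with the given hash exists in the repository` and `@throws IllegalArgumentException if sha1 is not a 40-character hexadecimal string`, both of which the implementations enforce. `preflightRequest` could likewise state that it must not throw and that a false return disables the analyzer, which is what NexusAnalyzer does with it in this patch.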
@@ -0,0 +1,211 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2014 Jeremy Long. All Rights Reserved. + */ +package org.owasp.dependencycheck.data.nexus; + +import java.io.FileNotFoundException; +import java.io.IOException; +import java.net.HttpURLConnection; +import java.net.MalformedURLException; +import java.net.URL; +import java.nio.charset.StandardCharsets; +import java.util.Base64; +import javax.annotation.concurrent.ThreadSafe; +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.ParserConfigurationException; +import javax.xml.xpath.XPath; +import javax.xml.xpath.XPathExpressionException; +import javax.xml.xpath.XPathFactory; +import org.owasp.dependencycheck.utils.Settings; + +import org.owasp.dependencycheck.utils.URLConnectionFactory; +import org.owasp.dependencycheck.utils.XmlUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.w3c.dom.Document; +import org.xml.sax.SAXException; + +/** + * Class of methods to search Nexus repositories. + * + * @author colezlaw + */ +@ThreadSafe +public class NexusV2Search implements NexusSearch { + + /** + * The root URL for the Nexus repository service. + */ + private final URL rootURL; + + /** + * Whether to use the Proxy when making requests. + */ + private final boolean useProxy; + /** + * The configured settings. + */ + private final Settings settings; + /** + * Used for logging. 
+ */ + private static final Logger LOGGER = LoggerFactory.getLogger(NexusV2Search.class); + + /** + * Creates a NexusSearch for the given repository URL. + * + * @param settings the configured settings + * @param useProxy flag indicating if the proxy settings should be used + * @throws java.net.MalformedURLException thrown if the configured URL is + * invalid + */ + public NexusV2Search(Settings settings, boolean useProxy) throws MalformedURLException { + this.settings = settings; + this.useProxy = useProxy; + + final String searchUrl = settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL); + LOGGER.debug("Nexus Search URL: {}", searchUrl); + this.rootURL = new URL(searchUrl); + + } + + @Override + public MavenArtifact searchSha1(String sha1) throws IOException { + if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) { + throw new IllegalArgumentException("Invalid SHA1 format"); + } + + final URL url = new URL(rootURL, String.format("identify/sha1/%s", + sha1.toLowerCase())); + + LOGGER.debug("Searching Nexus url {}", url); + + // Determine if we need to use a proxy. 
The rules: + // 1) If the proxy is set, AND the setting is set to true, use the proxy + // 2) Otherwise, don't use the proxy (either the proxy isn't configured, + // or proxy is specifically set to false + final HttpURLConnection conn; + final URLConnectionFactory factory = new URLConnectionFactory(settings); + conn = factory.createHttpURLConnection(url, useProxy); + conn.setDoOutput(true); + final String authHeader = buildHttpAuthHeaderValue(); + if (!authHeader.isEmpty()) { + conn.addRequestProperty("Authorization", authHeader); + } + + // JSON would be more elegant, but there's not currently a dependency + // on JSON, so don't want to add one just for this + conn.addRequestProperty("Accept", "application/xml"); + conn.connect(); + + switch (conn.getResponseCode()) { + case 200: + try { + final DocumentBuilder builder = XmlUtils.buildSecureDocumentBuilder(); + final Document doc = builder.parse(conn.getInputStream()); + final XPath xpath = XPathFactory.newInstance().newXPath(); + final String groupId = xpath + .evaluate( + "/org.sonatype.nexus.rest.model.NexusArtifact/groupId", + doc); + final String artifactId = xpath.evaluate( + "/org.sonatype.nexus.rest.model.NexusArtifact/artifactId", + doc); + final String version = xpath + .evaluate( + "/org.sonatype.nexus.rest.model.NexusArtifact/version", + doc); + final String link = xpath + .evaluate( + "/org.sonatype.nexus.rest.model.NexusArtifact/artifactLink", + doc); + final String pomLink = xpath + .evaluate( + "/org.sonatype.nexus.rest.model.NexusArtifact/pomLink", + doc); + final MavenArtifact ma = new MavenArtifact(groupId, artifactId, version); + if (link != null && !link.isEmpty()) { + ma.setArtifactUrl(link); + } + if (pomLink != null && !pomLink.isEmpty()) { + ma.setPomUrl(pomLink); + } + return ma; + } catch (ParserConfigurationException | IOException | SAXException | XPathExpressionException e) { + // Anything else is jacked-up XML stuff that we really can't recover + // from well + throw new 
IOException(e.getMessage(), e); + } + case 404: + throw new FileNotFoundException("Artifact not found in Nexus"); + default: + LOGGER.debug("Could not connect to Nexus received response code: {} {}", + conn.getResponseCode(), conn.getResponseMessage()); + throw new IOException("Could not connect to Nexus"); + } + } + + @Override + public boolean preflightRequest() { + final HttpURLConnection conn; + try { + final URL url = new URL(rootURL, "status"); + final URLConnectionFactory factory = new URLConnectionFactory(settings); + conn = factory.createHttpURLConnection(url, useProxy); + conn.addRequestProperty("Accept", "application/xml"); + final String authHeader = buildHttpAuthHeaderValue(); + if (!authHeader.isEmpty()) { + conn.addRequestProperty("Authorization", authHeader); + } + conn.connect(); + if (conn.getResponseCode() != 200) { + LOGGER.warn("Expected 200 result from Nexus, got {}", conn.getResponseCode()); + return false; + } + final DocumentBuilder builder = XmlUtils.buildSecureDocumentBuilder(); + + final Document doc = builder.parse(conn.getInputStream()); + if (!"status".equals(doc.getDocumentElement().getNodeName())) { + LOGGER.warn("Expected root node name of status, got {}", doc.getDocumentElement().getNodeName()); + return false; + } + } catch (IOException | ParserConfigurationException | SAXException e) { + LOGGER.warn("Pre-flight request to Nexus failed: ", e); + return false; + } + return true; + } + + /** + * Constructs the base64 encoded basic authentication header value. 
+ * + * @return the base64 encoded basic authentication header value + */ + private String buildHttpAuthHeaderValue() { + final String user = settings.getString(Settings.KEYS.ANALYZER_NEXUS_USER, ""); + final String pass = settings.getString(Settings.KEYS.ANALYZER_NEXUS_PASSWORD, ""); + String result = ""; + if (user.isEmpty() || pass.isEmpty()) { + LOGGER.debug("Skip authentication as user and/or password for nexus is empty"); + } else { + final String auth = user + ':' + pass; + final String base64Auth = Base64.getEncoder().encodeToString(auth.getBytes(StandardCharsets.UTF_8)); + result = "Basic " + base64Auth; + } + return result; + } +} diff --git a/core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusV3Search.java b/core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusV3Search.java new file mode 100644 index 00000000000..058b5329a38 --- /dev/null +++ b/core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusV3Search.java 
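Review bot: `buildHttpAuthHeaderValue` attaches Basic credentials to every request regardless of rootURL's scheme, so a plain `http://` ANALYZER_NEXUS_URL sends the Nexus password Base64-encoded in cleartext (and through the proxy when useProxy is set) without any warning. After `this.rootURL = new URL(searchUrl);` in the constructor, add `if (!"https".equalsIgnoreCase(rootURL.getProtocol()) && !settings.getString(Settings.KEYS.ANALYZER_NEXUS_PASSWORD, "").isEmpty()) { LOGGER.warn("Nexus credentials will be sent over an unencrypted connection to {}", rootURL.getHost()); }`. Separately, `conn.setDoOutput(true)` in searchSha1 writes no body and, per HttpURLConnection's documented behaviour, switches a request with no explicit method to POST; it is carried over from the old NexusSearch, so either add a comment stating that Nexus 2's identify/sha1 endpoint needs it or drop the line. A 401 or 403 in searchSha1 only surfaces through the default branch at DEBUG level as "Could not connect to Nexus", which makes a bad credential hard to diagnose; logging the status code at WARN for 401/403 would help.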
@@ -0,0 +1,259 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2023 Hans Aikema. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.nexus;
+
+import org.owasp.dependencycheck.utils.Settings;
+import org.owasp.dependencycheck.utils.URLConnectionFactory;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.annotation.concurrent.ThreadSafe;
+import javax.json.Json;
+import javax.json.JsonArray;
+import javax.json.JsonObject;
+import javax.json.JsonReader;
+import java.io.BufferedInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.HttpURLConnection;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.nio.charset.StandardCharsets;
+import java.util.ArrayList;
+import java.util.Base64;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+/**
+ * Class of methods to search Nexus v3 repositories.
+ *
+ * @author Hans Aikema
+ */
+@ThreadSafe
+public class NexusV3Search implements NexusSearch {
+
+ /**
+ * By default, NexusV3Search accepts only classifier-less artifacts.
+ *

+ * This prevents, among others, sha1-collisions for empty jars on empty javadoc/sources jars.
+ * See e.g. issues #5559 and #5118
+ */
+ private final Set acceptedClassifiers = new HashSet<>();
+
+ /**
+ * The root URL for the Nexus repository service.
+ */
+ private final URL rootURL;
+
+ /**
+ * Whether to use the Proxy when making requests.
+ */
+ private final boolean useProxy;
+ /**
+ * The configured settings.
+ */
+ private final Settings settings;
+ /**
+ * Used for logging.
+ */
+ private static final Logger LOGGER = LoggerFactory.getLogger(NexusV3Search.class);
+
+ /**
+ * Creates a NexusV3Search for the given repository URL.
+ *
+ * @param settings the configured settings
+ * @param useProxy flag indicating if the proxy settings should be used
+ * @throws MalformedURLException thrown if the configured URL is
+ * invalid
+ */
+ public NexusV3Search(Settings settings, boolean useProxy) throws MalformedURLException {
+ this.settings = settings;
+ this.useProxy = useProxy;
+ this.acceptedClassifiers.add(null);
+ final String searchUrl = settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL);
+ LOGGER.debug("Nexus Search URL: {}", searchUrl);
+ this.rootURL = new URL(searchUrl);
+
+ }
+
+ @Override
+ public MavenArtifact searchSha1(String sha1) throws IOException {
+ if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) {
+ throw new IllegalArgumentException("Invalid SHA1 format");
+ }
+
+ final List collectedMatchingArtifacts = new ArrayList<>(1);
+
+ String continuationToken = retrievePageAndAddMatchingArtifact(collectedMatchingArtifacts, sha1, null);
+ while (continuationToken != null && collectedMatchingArtifacts.isEmpty()) {
+ continuationToken = retrievePageAndAddMatchingArtifact(collectedMatchingArtifacts, sha1, continuationToken);
+ }
+ if (collectedMatchingArtifacts.isEmpty()) {
+ throw new FileNotFoundException("Artifact not found in Nexus");
+ } else {
+ return collectedMatchingArtifacts.get(0);
+ }
+ }
+
+ private String
retrievePageAndAddMatchingArtifact(List collectedMatchingArtifacts, String sha1, String continuationToken)
+ throws IOException {
+ final URL url;
+ LOGGER.debug("Search with continuation token {}", continuationToken);
+ if (continuationToken == null) {
+ url = new URL(rootURL, String.format("v1/search/?sha1=%s",
+ sha1.toLowerCase()));
+ } else {
+ url = new URL(rootURL, String.format("v1/search/?sha1=%s&continuationToken=%s",
+ sha1.toLowerCase(), continuationToken));
+ }
+
+ LOGGER.debug("Searching Nexus url {}", url);
+ // Determine if we need to use a proxy. The rules:
+ // 1) If the proxy is set, AND the setting is set to true, use the proxy
+ // 2) Otherwise, don't use the proxy (either the proxy isn't configured,
+ // or proxy is specifically set to false
+ final HttpURLConnection conn;
+ final URLConnectionFactory factory = new URLConnectionFactory(settings);
+ conn = factory.createHttpURLConnection(url, useProxy);
+ conn.setDoOutput(true);
+ final String authHeader = buildHttpAuthHeaderValue();
+ if (!authHeader.isEmpty()) {
+ conn.addRequestProperty("Authorization", authHeader);
+ }
+
+ conn.addRequestProperty("Accept", "application/json");
+ conn.connect();
+ final String nextContinuationToken;
+ if (conn.getResponseCode() == 200) {
+ nextContinuationToken = parseResponse(conn, sha1, collectedMatchingArtifacts);
+ } else {
+ LOGGER.debug("Could not connect to Nexus received response code: {} {}",
+ conn.getResponseCode(), conn.getResponseMessage());
+ throw new IOException(String.format("Could not connect to Nexus, HTTP response code %d", conn.getResponseCode()));
+ }
+ return nextContinuationToken;
+ }
+
+ private String parseResponse(HttpURLConnection conn, String sha1, List matchingArtifacts) throws IOException {
+ try (InputStream in = new BufferedInputStream(conn.getInputStream());
+ JsonReader jsonReader = Json.createReader(in)) {
+ final JsonObject jsonResponse = jsonReader.readObject();
+ final String continuationToken =
jsonResponse.getString("continuationToken", null);
+ final JsonArray components = jsonResponse.getJsonArray("items");
+ boolean found = false;
+ for (int i = 0; i < components.size() && !found; i++) {
+ boolean jarFound = false;
+ boolean pomFound = false;
+ String downloadUrl = null;
+ String groupId = null;
+ String artifactId = null;
+ String version = null;
+ String pomUrl = null;
+
+ final JsonObject component = components.getJsonObject(i);
+
+ final String format = components.getJsonObject(0).getString("format", "unknown");
+ if ("maven2".equals(format)) {
+ final JsonArray assets = component.getJsonArray("assets");
+ for (int j = 0; !found && j < assets.size(); j++) {
+ final JsonObject asset = assets.getJsonObject(j);
+ final JsonObject checksums = asset.getJsonObject("checksum");
+ final JsonObject maven2 = asset.getJsonObject("maven2");
+ if (maven2 != null
+ && "jar".equals(maven2.getString("extension", null))
+ && acceptedClassifiers.contains(maven2.getString("classifier", null))
+ && checksums != null && sha1.equals(checksums.getString("sha1", null))
+ ) {
+ downloadUrl = asset.getString("downloadUrl");
+ groupId = maven2.getString("groupId");
+ artifactId = maven2.getString("artifactId");
+ version = maven2.getString("version");
+
+ jarFound = true;
+ } else if (maven2 != null && "pom".equals(maven2.getString("extension"))) {
+ pomFound = true;
+ pomUrl = asset.getString("downloadUrl");
+ }
+ if (pomFound && jarFound) {
+ found = true;
+ }
+ }
+ if (found) {
+ matchingArtifacts.add(new MavenArtifact(groupId, artifactId, version, downloadUrl, pomUrl));
+ } else if (jarFound) {
+ final MavenArtifact ma = new MavenArtifact(groupId, artifactId, version, downloadUrl);
+ ma.setPomUrl(MavenArtifact.derivePomUrl(artifactId, version, downloadUrl));
+ matchingArtifacts.add(ma);
+ found = true;
+ }
+ }
+ }
+ return continuationToken;
+ }
+ }
+
+ @Override
+ public boolean preflightRequest() {
+ final HttpURLConnection conn;
+ try {
+ final URL url = new
URL(rootURL, "v1/status");
+ final URLConnectionFactory factory = new URLConnectionFactory(settings);
+ conn = factory.createHttpURLConnection(url, useProxy);
+ conn.addRequestProperty("Accept", "application/json");
+ final String authHeader = buildHttpAuthHeaderValue();
+ if (!authHeader.isEmpty()) {
+ conn.addRequestProperty("Authorization", authHeader);
+ }
+ conn.connect();
+ if (conn.getResponseCode() != 200) {
+ LOGGER.warn("Expected 200 result from Nexus, got {}", conn.getResponseCode());
+ return false;
+ }
+ if (conn.getContentLength() != 0) {
+ LOGGER.warn("Expected empty OK response (content-length 0), got content-length {}", conn.getContentLength());
+ return false;
+ }
+ } catch (IOException e) {
+ LOGGER.warn("Pre-flight request to Nexus failed: ", e);
+ return false;
+ }
+ return true;
+ }
+
+ /**
+ * Constructs the base64 encoded basic authentication header value.
+ *
+ * @return the base64 encoded basic authentication header value
+ */
+ private String buildHttpAuthHeaderValue() {
+ final String user = settings.getString(Settings.KEYS.ANALYZER_NEXUS_USER, "");
+ final String pass = settings.getString(Settings.KEYS.ANALYZER_NEXUS_PASSWORD, "");
+ String result = "";
+ if (user.isEmpty() || pass.isEmpty()) {
+ LOGGER.debug("Skip authentication as user and/or password for nexus is empty");
+ } else {
+ final String auth = user + ':' + pass;
+ final String base64Auth = Base64.getEncoder().encodeToString(auth.getBytes(StandardCharsets.UTF_8));
+ result = "Basic " + base64Auth;
+ }
+ return result;
+ }
+
+}
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/nexus/NexusV2SearchTest.java b/core/src/test/java/org/owasp/dependencycheck/data/nexus/NexusV2SearchTest.java
new file mode 100644
index 00000000000..8bc0a9fde81
--- /dev/null
+++ b/core/src/test/java/org/owasp/dependencycheck/data/nexus/NexusV2SearchTest.java
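Review bot: In parseResponse the component format is read from `components.getJsonObject(0)` on every iteration rather than from the component being examined, so the first item's format decides whether any later item is inspected at all; it should be `final String format = component.getString("format", "unknown");`. The match `sha1.equals(checksums.getString("sha1", null))` is case-sensitive even though searchSha1 accepts upper-case hex and lower-cases it only for the query URL, so an upper-case input can never match a returned asset; `sha1.equalsIgnoreCase(checksums.getString("sha1", null))` fixes that. In retrievePageAndAddMatchingArtifact the server-supplied continuationToken is interpolated into the query string unencoded; passing it through `URLEncoder.encode(continuationToken, StandardCharsets.UTF_8.name())` keeps a token containing reserved characters from altering the request the client sends. `conn.setDoOutput(true)` is unnecessary for this read-only search and, on HttpURLConnection, would turn the request into a POST if an output stream were ever opened, so I would remove it.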
@@ -0,0 +1,84 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.nexus;
+
+import java.io.FileNotFoundException;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import org.junit.Assume;
+import org.junit.Before;
+import org.junit.Ignore;
+import org.junit.Test;
+import org.owasp.dependencycheck.BaseTest;
+import org.owasp.dependencycheck.utils.Settings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class NexusV2SearchTest extends BaseTest {
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(NexusV2SearchTest.class);
+ private NexusV2Search searcher;
+
+ @Before
+ @Override
+ public void setUp() throws Exception {
+ super.setUp();
+ Settings sett = getSettings();
+// sett.setString(Settings.KEYS.ANALYZER_NEXUS_USER, "demo");
+// sett.setString(Settings.KEYS.ANALYZER_NEXUS_PASSWORD, "demo");
+// sett.setString(Settings.KEYS.ANALYZER_NEXUS_URL, "https://localhost/nexus/service/local/");
+ String nexusUrl = sett.getString(Settings.KEYS.ANALYZER_NEXUS_URL);
+ LOGGER.debug(nexusUrl);
+ searcher = new NexusV2Search(sett, false);
+ Assume.assumeTrue(searcher.preflightRequest());
+ }
+
+ @Test(expected = IllegalArgumentException.class)
+ @Ignore
+ public void testNullSha1() throws Exception {
+ searcher.searchSha1(null);
+ }
+
+
@Test(expected = IllegalArgumentException.class)
+ @Ignore
+ public void testMalformedSha1() throws Exception {
+ searcher.searchSha1("invalid");
+ }
+
+ // This test does generate network traffic and communicates with a host
+ // you may not be able to reach. Remove the @Ignore annotation if you want to
+ // test it anyway
+ @Test
+ @Ignore
+ public void testValidSha1() throws Exception {
+ MavenArtifact ma = searcher.searchSha1("9977a8d04e75609cf01badc4eb6a9c7198c4c5ea");
+ assertEquals("Incorrect group", "org.apache.maven.plugins", ma.getGroupId());
+ assertEquals("Incorrect artifact", "maven-compiler-plugin", ma.getArtifactId());
+ assertEquals("Incorrect version", "3.1", ma.getVersion());
+ assertNotNull("URL Should not be null", ma.getArtifactUrl());
+ }
+
+ // This test does generate network traffic and communicates with a host
+ // you may not be able to reach. Remove the @Ignore annotation if you want to
+ // test it anyway
+ @Test(expected = FileNotFoundException.class)
+ @Ignore
+ public void testMissingSha1() throws Exception {
+ searcher.searchSha1("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
+ }
+}
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/nexus/NexusSearchTest.java b/core/src/test/java/org/owasp/dependencycheck/data/nexus/NexusV3SearchTest.java
similarity index 83%
rename from core/src/test/java/org/owasp/dependencycheck/data/nexus/NexusSearchTest.java
rename to core/src/test/java/org/owasp/dependencycheck/data/nexus/NexusV3SearchTest.java
index c77c9005108..166748899fc 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/nexus/NexusSearchTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/nexus/NexusV3SearchTest.java
@@ -17,9 +17,6 @@
 */
 package org.owasp.dependencycheck.data.nexus;
-import java.io.FileNotFoundException;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
 import org.junit.Assume;
 import org.junit.Before;
 import org.junit.Ignore;
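Review bot: setUp in NexusV2SearchTest keeps three commented-out `sett.setString(...)` lines that hard-code `"demo"` credentials and a local Nexus URL; commented-out configuration rots and tends to get uncommented and committed with real values later. I would delete them and replace them with a single comment naming the keys to set, e.g. `// Point Settings.KEYS.ANALYZER_NEXUS_URL (and optionally ANALYZER_NEXUS_USER/ANALYZER_NEXUS_PASSWORD) at a reachable Nexus v2 to run these tests.`. The renamed NexusV3SearchTest in the next file section carries the same three lines in its setUp hunk.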
@@ -29,18 +26,28 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; -public class NexusSearchTest extends BaseTest { +import java.io.FileNotFoundException; - private static final Logger LOGGER = LoggerFactory.getLogger(NexusSearchTest.class); - private NexusSearch searcher; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertNotNull; + +public class NexusV3SearchTest extends BaseTest { + + private static final Logger LOGGER = LoggerFactory.getLogger(NexusV3SearchTest.class); + private NexusV3Search searcher; @Before @Override public void setUp() throws Exception { super.setUp(); - String nexusUrl = getSettings().getString(Settings.KEYS.ANALYZER_NEXUS_URL); + Settings sett = getSettings(); +// sett.setString(Settings.KEYS.ANALYZER_NEXUS_USER, "demo"); +// sett.setString(Settings.KEYS.ANALYZER_NEXUS_PASSWORD, "demo"); +// sett.setString(Settings.KEYS.ANALYZER_NEXUS_URL, "http://localhost/service/rest/"); + String nexusUrl = sett.getString(Settings.KEYS.ANALYZER_NEXUS_URL); + LOGGER.debug(nexusUrl); - searcher = new NexusSearch(getSettings(), false); + searcher = new NexusV3Search(sett, false); Assume.assumeTrue(searcher.preflightRequest()); } diff --git a/core/src/test/resources/logback-test.xml b/core/src/test/resources/logback-test.xml index 69e9d03f2f0..3bf2ce1769d 100644 --- a/core/src/test/resources/logback-test.xml +++ b/core/src/test/resources/logback-test.xml @@ -24,7 +24,7 @@ - + From d1e573656884fa25b5e5a9d557aa5d9e4086cbbb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 19 Aug 2023 07:59:28 -0400 Subject: [PATCH 06/13] build(deps): bump com.google.guava:guava from 32.0.1-jre to 32.1.2-jre (#5850) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 3fa3d0f900c..8a501ce99b5 100644 
--- a/pom.xml +++ b/pom.xml @@ -1330,7 +1330,7 @@ Copyright (c) 2012 - Jeremy Long com.google.guava guava - 32.0.1-jre + 32.1.2-jre com.hankcs From 17c5081e63c104cdc061dbcb0cb1105c6b2efe2f Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 19 Aug 2023 08:55:18 -0400 Subject: [PATCH 07/13] chore: prepare release (#5891) --- .github/workflows/release.yml | 14 +- CHANGELOG.md | 20 +- ant/pom.xml | 2 +- archetype/pom.xml | 2 +- cli/pom.xml | 2 +- core/pom.xml | 2 +- .../dependencycheck-base-suppression.xml | 579 ++++++++++++++++-- maven/pom.xml | 2 +- pom.xml | 2 +- utils/pom.xml | 2 +- 10 files changed, 567 insertions(+), 60 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 74aff3994dc..5d0bb1e16d7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -185,7 +185,19 @@ jobs: prerelease: false draft: false body: | - Re-release of 8.3.0 as 8.3.1. + ### Added + + - feat: Add support for Nexus v3 to NexusAnalyzer (#5849) + + ### Fixed + + - fix: Hint Analyzer should run before VersionFilter Analyzer (#5818) + - chore: switch to sha1-pinning as suggested by Semgrep + - fix: OSS Index Analyzer SocketTimeoutException exception handling based on warn only parameter (#5845) + - fix: use curl with -L to follow github redirect (#5808) + - fix: use curl with -L to follow github redirect + - fix: #5671 out of memory error (#5789) + - fix: #5671 Exit method as soon as we detect a loop to prevent an infinite loop leading to an OutOfMemoryError - name: Upload CLI id: upload-release-cli diff --git a/CHANGELOG.md b/CHANGELOG.md index 7d691a69985..f280e31f733 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,11 +1,27 @@ # Change Log +## [Version 8.4.0](https://github.com/jeremylong/DependencyCheck/releases/tag/v8.4.0) (2023-08-19) + +### Added + +- feat: Add support for Nexus v3 to NexusAnalyzer (#5849) + +### Fixed + +- fix: Hint Analyzer should run before VersionFilter Analyzer (#5818) +- chore: switch to sha1-pinning as suggested by Semgrep +- fix: OSS Index Analyzer SocketTimeoutException exception handling based on warn only parameter (#5845) +- fix: use curl with -L to follow github redirect (#5808) +- fix: use curl with -L to follow github redirect +- fix: #5671 out of memory error (#5789) +- fix: #5671 Exit method as soon as we detect a loop to prevent an infinite loop leading to an OutOfMemoryError + +See the full listing of [changes](https://github.com/jeremylong/DependencyCheck/milestone/66?closed=1). + ## [Version 8.3.1](https://github.com/jeremylong/DependencyCheck/releases/tag/v8.3.1) (2023-06-12) Re-release of 8.3.0 as 8.3.1. -### Added - ## [Version 8.3.0](https://github.com/jeremylong/DependencyCheck/releases/tag/v8.3.0) (2023-06-12) ### Added diff --git a/ant/pom.xml b/ant/pom.xml index a926d5613a3..f2adfe0239b 100644 --- a/ant/pom.xml +++ b/ant/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 8.3.2-SNAPSHOT + 8.4.0-SNAPSHOT dependency-check-ant diff --git a/archetype/pom.xml b/archetype/pom.xml index f2cde125013..8d83d85dfae 100644 --- a/archetype/pom.xml +++ b/archetype/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 8.3.2-SNAPSHOT + 8.4.0-SNAPSHOT dependency-check-plugin Dependency-Check Plugin Archetype diff --git a/cli/pom.xml b/cli/pom.xml index b0b5bc84db3..26ce69d3e7d 100644 --- a/cli/pom.xml +++ b/cli/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 8.3.2-SNAPSHOT + 8.4.0-SNAPSHOT dependency-check-cli 
diff --git a/core/pom.xml b/core/pom.xml index 9ef676d825a..01c2106cc32 100644 --- a/core/pom.xml +++ b/core/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 8.3.2-SNAPSHOT + 8.4.0-SNAPSHOT dependency-check-core diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml index 103a10ceed0..3d428a6fbc7 100644 --- a/core/src/main/resources/dependencycheck-base-suppression.xml +++ b/core/src/main/resources/dependencycheck-base-suppression.xml 
@@ -6213,177 +6213,656 @@ + FP per issue #5333 + ]]> ^pkg:maven/com\.graphql-java-kickstart/graphql-kickstart-spring-support@.*$ cpe:/a:graphql-java_project:graphql-java + FP per issue #5336 + ]]> ^pkg:maven/org\.openrewrite\.recipe/rewrite-jhipster@.*$ cpe:/a:jhipster:jhipster + FP per issue #5361 + ]]> ^pkg:maven/jakarta\.resource/jakarta\.resource-api@.*$ cpe:/a:payara:payara + FP per issue #5373 + ]]> ^pkg:maven/org\.locationtech\.spatial4j/spatial4j@.*$ cpe:/a:voyager_project:voyager + FP per issue #5372 + ]]> ^pkg:maven/org\.locationtech\.spatial4j/spatial4j@.*$ cpe:/a:smiley_project:smiley + FP per issue #5380 + ]]> ^pkg:maven/dev\.ludovic\.netlib/lapack@.*$ cpe:/a:lapack_project:lapack + FP per issue #5375 + ]]> ^pkg:maven/org\.eclipse\.microprofile\.jwt/microprofile-jwt-auth-api@.*$ cpe:/a:payara:payara + FP per issue #5368 + ]]> ^pkg:maven/org\.apache\.hadoop\.thirdparty/hadoop-shaded-protobuf_3_7@.*$ cpe:/a:apache:hadoop + FP per issue #5325 + ]]> ^pkg:maven/com\.enterprisedt/edtFTPj@.*$ cpe:/a:ftp_project:ftp + FP per issue #5436 + ]]> ^pkg:maven/org\.codehaus\.woodstox/stax2-api@.*$ cpe:/a:fasterxml:woodstox + FP per issue #5459 + ]]> ^pkg:maven/com\.oracle\.database\.nls/orai18n@.*$ cpe:/a:oracle:database + FP per issue #5460 + ]]> ^pkg:maven/com\.oracle\.database\.nls/orai18n@.*$ cpe:/a:oracle:oracle_database + FP per issue #5501 + ]]> ^pkg:maven/org\.jsonschema2pojo/jsonschema2pojo-jdk-annotation@.*$ cpe:/a:json-schema_project:json-schema + FP per issue #5500 + ]]> ^pkg:maven/org\.apache\.iceberg/iceberg-orc@.*$ cpe:/a:apache:orc + FP per issue #5499 + ]]> ^pkg:maven/org\.apache\.iceberg/iceberg-flink-1\.15@.*$ cpe:/a:apache:flink + FP per issue #5498 + ]]> ^pkg:maven/com\.googlecode\.javaewah/JavaEWAH@.*$ cpe:/a:google:google_search + FP per issue #5497 + ]]> ^pkg:maven/com\.google\.cloud/grpc-gcp@.*$ cpe:/a:grpc:grpc + FP per issue #5496 + ]]> ^pkg:maven/org\.apache\.flink/flink-s3-fs-hadoop@.*$ cpe:/a:apache:hadoop + FP per issue #5492 + ]]> 
^pkg:maven/com\.microsoft\.azure/azure-cosmosdb-direct@.*$ cpe:/a:microsoft:platform_sdk + FP per issue #5491 + ]]> ^pkg:maven/com\.microsoft\.azure/azure-cosmosdb@.*$ cpe:/a:www-sql_project:www-sql + FP per issue #5490 + ]]> ^pkg:maven/com\.microsoft\.azure/azure-cosmosdb@.*$ cpe:/a:async_project:async + FP per issue #5471 + ]]> ^pkg:maven/org\.apache\.spark/spark-token-provider-kafka-0-10_2\.12@.*$ cpe:/a:apache:kafka + FP per issue #5462 + ]]> ^pkg:maven/org\.apache\.ws\.commons\.axiom/axiom-impl@.*$ cpe:/a:web_project:web + FP per issue #5461 + ]]> ^pkg:maven/com\.github\.luben/zstd-jni@.*$ cpe:/a:freebsd:freebsd + FP per issue #5506 + ]]> ^pkg:maven/io\.kamon/kamon-prometheus_2\.13@.*$ cpe:/a:prometheus:prometheus + + + + + ^pkg:maven/com\.github\.dasniko/testcontainers-keycloak@.*$ + cpe:/a:keycloak:keycloak + + + + ^pkg:maven/org\.apache\.kerby/zookeeper-backend@.*$ + cpe:/a:apache:zookeeper + + + + ^pkg:maven/org\.apache\.camel\.springboot/camel-ftp-starter@.*$ + cpe:/a:ftp_project:ftp + + + + ^pkg:maven/javax\.resource/connector@.*$ + cpe:/a:sun:j2ee + + + + ^pkg:maven/org\.springframework\.cloud/spring-cloud-sleuth-autoconfigure@.*$ + cpe:/a:vmware:spring_cloud_config + + + + ^pkg:maven/org\.jfrog\.artifactory\.client/artifactory-java-client-services@.*$ + cpe:/a:jfrog:artifactory + + + + ^pkg:maven/net\.minidev/accessors-smart@.*$ + cpe:/a:json-smart_project:json-smart + + + + ^pkg:maven/org\.springframework\.integration/spring-integration-ftp@.*$ + cpe:/a:vmware:spring_integration + + + + ^pkg:maven/com\.graphql-java/graphql-java-extended-scalars@.*$ + cpe:/a:graphql-java:graphql-java + + + + ^pkg:maven/com\.graphql-java-kickstart/graphql-java-tools@.*$ + cpe:/a:graphql-java:graphql-java + + + + ^pkg:maven/com\.graphql-java-kickstart/graphql-java-servlet@.*$ + cpe:/a:graphql-java:graphql-java + + + + ^pkg:maven/com\.graphql-java-kickstart/graphql-java-kickstart@.*$ + cpe:/a:graphql-java:graphql-java + + + + 
^pkg:maven/com\.graphql-java-kickstart/graphql-kickstart-spring-support@.*$ + cpe:/a:graphql-java:graphql-java + + + + ^pkg:maven/org\.bouncycastle/bcpg-jdk15on@.*$ + cpe:/a:open_cas_project:open_cas + + + + ^pkg:maven/org\.jboss\.resteasy\.microprofile/microprofile-config@.*$ + cpe:/a:redhat:resteasy + + + + ^pkg:maven/org\.apache\.ignite/ignite-log4j2@.*$ + cpe:/a:apache:log4j + + + + ^pkg:maven/org\.apache\.directory\.api/api-ldap-net-mina@.*$ + cpe:/a:apache:mina + + + + ^pkg:maven/com\.graphql-java-kickstart/graphql-webclient@.*$ + cpe:/a:graphql-java:graphql-java + + + + ^pkg:maven/io\.quarkiverse\.openapi\.generator/quarkus-openapi-generator@.*$ + cpe:/a:openapi-generator:openapi_generator + + + + ^pkg:nuget/MagicFileEncoding@.*$ + cpe:/a:file_project:file + + + + ^pkg:nuget/FluentFTP@.*$ + cpe:/a:ftp:ftp + + + + ^pkg:nuget/KubernetesClient@.*$ + cpe:/a:kubernetes:kubernetes + + + + ^pkg:maven/org\.apache\.sling/org\.apache\.sling\.commons\.johnzon@.*$ + cpe:/a:apache:sling_commons_json + + + + ^pkg:nuget/AspNetCoreRateLimit\.Redis@.*$ + cpe:/a:asp-project:asp-project + + + + ^pkg:maven/io\.swagger\.parser\.v3/swagger-parser-safe-url-resolver@.*$ + cpe:/a:parse-url_project:2.1.14 + + + + ^pkg:maven/org\.jruby/jzlib@.*$ + cpe:/a:jruby:jruby + + + + ^pkg:maven/com\.bazaarvoice\.jolt/json-utils@.*$ + cpe:/a:utils_project:utils + + + + ^pkg:maven/org\.springframework\.integration/spring-integration-ftp@.*$ + cpe:/a:ftp_project:ftp + + + + ^pkg:maven/org\.mockftpserver/MockFtpServer@.*$ + cpe:/a:ftp_project:ftp + + + + ^pkg:maven/com\.sun\.xml\.bind\.jaxb/isorelax@.*$ + cpe:/a:xml_library_project:xml_library + + + + ^pkg:maven/org\.jboss\.resteasy\.microprofile/.*$ + cpe:/a:redhat:resteasy + + + + + ^pkg:maven/org\.jboss\.resteasy\.microprofile/microprofile-rest-client@.*$ + cpe:/a:redhat:resteasy + + + + ^pkg:maven/org\.apache\.sling/org\.apache\.sling\.commons\.osgi@.*$ + cpe:/a:apache:sling + + + + ^pkg:maven/cloud\.localstack/localstack-utils@.*$ + 
cpe:/a:utils_project:utils + + + + ^pkg:nuget/Minio\.AspNetCore@.*$ + cpe:/a:minio:minio + + + + ^pkg:maven/org\.apache\.thrift/libfb303@.*$ + cpe:/a:apache:thrift + + + + ^pkg:nuget/RazorEngine\.NetCore@.*$ + cpe:/a:razorengine_project:razorengine + + + + ^pkg:maven/io\.github\.graphql-java/graphql-java-annotations@.*$ + cpe:/a:graphql-java:graphql-java + + + + ^pkg:maven/com\.graphql-java-kickstart/graphql-spring-boot-starter@.*$ + cpe:/a:graphql-java:graphql-java + + + + ^pkg:maven/com\.graphql-java/java-dataloader@.*$ + cpe:/a:graphql-java:graphql-java + + + + ^pkg:maven/com\.apollographql\.federation/federation-graphql-java-support-api@.*$ + cpe:/a:graphql-java:graphql-java + + + + ^pkg:maven/com\.apollographql\.federation/federation-graphql-java-support@.*$ + cpe:/a:graphql-java:graphql-java + + + + ^pkg:maven/org\.apache\.cxf/cxf-rt-bindings-soap@.*$ + cpe:/a:apache:soap + + + + ^pkg:nuget/Microsoft\.Win32\.SystemEvents@.*$ + cpe:/a:events_project:events + + + + ^(?!pkg:maven/net\.pwall\.json/jsonutil).*$ + cpe:/a:jsonutil_project:jsonutil + + + + ^pkg:maven/com\.apollographql\.apollo3/.*$ + cpe:/a:apollo_project:apollo + + + + + ^pkg:maven/com\.apollographql\.apollo3/apollo-annotations-jvm@.*$ + cpe:/a:apollo_project:apollo + + + + ^pkg:maven/com\.itextpdf\.licensing/licensing-base@.*$ + cpe:/a:itextpdf:itext + + + + ^pkg:maven/com\.itextpdf\.licensing/licensing-remote@.*$ + cpe:/a:itextpdf:itext + + + + ^pkg:npm/wordwrap@.*$ + cpe:/a:word-wrap_project:word-wrap + + + + ^pkg:maven/com\.exactpro\.th2/netty-bytebuf-utils@.*$ + cpe:/a:utils_project:utils + + + + ^pkg:maven/io\.github\.detekt\.sarif4k/sarif4k-jvm@.*$ + cpe:/a:detekt:detekt + + + + ^pkg:maven/org\.apache\.avro/avro@.*$ + cpe:/a:avro_project:avro + + + + ^pkg:maven/commons-logging/commons-logging@.*$ + cpe:/a:morgan_project:morgan + + + + ^pkg:maven/com\.lightbend\.akka\.grpc/.*$ + cpe:/a:akka:akka + cpe:/a:lightbend:akka + cpe:/a:grpc:grpc + + + + 
^pkg:maven/com\.lightbend\.akka/akka-persistence-r2dbc.*$ + cpe:/a:akka:akka + cpe:/a:lightbend:akka + + + + ^pkg:maven/com\.lightbend\.akka/akka-projection-.*$ + cpe:/a:akka:akka + cpe:/a:lightbend:akka + + + + ^pkg:maven/com\.lightbend\.akka/akka-projection-grpc.*$ + cpe:/a:grpc:grpc + + + + ^pkg:maven/org\.apache\.jackrabbit/oak-.*$ + cpe:/a:apache:jackrabbit + + + + ^pkg:maven/org\.apache\.jackrabbit/oak-core@.*$ + cpe:/a:apache:jackrabbit + + + + ^pkg:maven/com\.vaadin/vaadin-swing-kit-flow@.*$ + cpe:/a:vaadin:flow + + + + ^pkg:maven/org\.apache\.sling/org\.apache\.sling\.commons\.johnzon@.*$ + cpe:/a:apache:sling + + + + ^pkg:maven/io\.netty\.incubator/netty-incubator-codec-classes-quic@.*$ + cpe:/a:quic_project:quic + + + + ^pkg:maven/org\.apache\.geronimo\.specs/geronimo-saaj_1\.3_spec@.*$ + cpe:/a:apache:soap + + + + ^pkg:maven/org\.ops4j\.pax\.logging/pax-logging-log4j2@.*$ + cpe:/a:apache:log4j + + + + ^pkg:maven/software\.amazon\.awssdk\.crt/aws-crt@.*$ + cpe:/a:amazon:aws-sdk-java + + + diff --git a/maven/pom.xml b/maven/pom.xml index fd905920999..8175c85d367 100644 --- a/maven/pom.xml +++ b/maven/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 8.3.2-SNAPSHOT + 8.4.0-SNAPSHOT dependency-check-maven maven-plugin diff --git a/pom.xml b/pom.xml index 8a501ce99b5..f6e1a62ec5b 100644 --- a/pom.xml +++ b/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long org.owasp dependency-check-parent - 8.3.2-SNAPSHOT + 8.4.0-SNAPSHOT pom diff --git a/utils/pom.xml b/utils/pom.xml index 2350daa0d1a..2ac41b2d4af 100644 --- a/utils/pom.xml +++ b/utils/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 8.3.2-SNAPSHOT + 8.4.0-SNAPSHOT dependency-check-utils From cc2db4cffb078b4219524ad40f181a49e97a892b Mon Sep 17 00:00:00 2001 
From: Jeremy Long Date: Sat, 19 Aug 2023 08:57:39 -0400 Subject: [PATCH 08/13] build: prepare release v8.4.0 --- ant/pom.xml | 4 ++-- archetype/pom.xml | 6 +++--- cli/pom.xml | 4 ++-- core/pom.xml | 4 ++-- maven/pom.xml | 4 ++-- pom.xml | 6 +++--- utils/pom.xml | 4 ++-- 7 files changed, 16 insertions(+), 16 deletions(-) diff --git a/ant/pom.xml b/ant/pom.xml index f2adfe0239b..282ab6df773 100644 --- a/ant/pom.xml +++ b/ant/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 8.4.0-SNAPSHOT + 8.4.0 dependency-check-ant @@ -32,7 +32,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved. scm:git:https://github.com/jeremylong/DependencyCheck.git https://github.com/jeremylong/DependencyCheck/tree/main/ant scm:git:git@github.com:jeremylong/DependencyCheck.git - v6.4.1 + v8.4.0 diff --git a/archetype/pom.xml b/archetype/pom.xml index 8d83d85dfae..a52d4ddea02 100644 --- a/archetype/pom.xml +++ b/archetype/pom.xml @@ -20,20 +20,20 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 8.4.0-SNAPSHOT + 8.4.0 dependency-check-plugin Dependency-Check Plugin Archetype jar - 2023-06-12T11:16:20Z + 2023-08-19T12:56:52Z scm:git:https://github.com/jeremylong/DependencyCheck.git https://github.com/jeremylong/DependencyCheck/tree/main/archetype scm:git:git@github.com:jeremylong/DependencyCheck.git - HEAD + v8.4.0 diff --git a/cli/pom.xml b/cli/pom.xml index 26ce69d3e7d..d15103299f0 100644 --- a/cli/pom.xml +++ b/cli/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 8.4.0-SNAPSHOT + 8.4.0 dependency-check-cli @@ -32,7 +32,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. scm:git:https://github.com/jeremylong/DependencyCheck.git https://github.com/jeremylong/DependencyCheck/tree/main/cli scm:git:git@github.com:jeremylong/DependencyCheck.git - v6.4.1 + v8.4.0 dependency-check-${project.version} 
diff --git a/core/pom.xml b/core/pom.xml index 01c2106cc32..067b41ebfeb 100644 --- a/core/pom.xml +++ b/core/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 8.4.0-SNAPSHOT + 8.4.0 dependency-check-core @@ -32,7 +32,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. scm:git:https://github.com/jeremylong/DependencyCheck.git https://github.com/jeremylong/DependencyCheck/tree/main/core scm:git:git@github.com:jeremylong/DependencyCheck.git - v6.4.1 + v8.4.0 diff --git a/maven/pom.xml b/maven/pom.xml index 8175c85d367..c22f64208c4 100644 --- a/maven/pom.xml +++ b/maven/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 8.4.0-SNAPSHOT + 8.4.0 dependency-check-maven maven-plugin @@ -35,7 +35,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. scm:git:https://github.com/jeremylong/DependencyCheck.git https://github.com/jeremylong/DependencyCheck/tree/master/maven scm:git:git@github.com:jeremylong/DependencyCheck.git - v6.4.1 + v8.4.0 3.1.0 diff --git a/pom.xml b/pom.xml index f6e1a62ec5b..b7f891d1613 100644 --- a/pom.xml +++ b/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long org.owasp dependency-check-parent - 8.4.0-SNAPSHOT + 8.4.0 pom @@ -94,7 +94,7 @@ Copyright (c) 2012 - Jeremy Long scm:git:https://github.com/jeremylong/DependencyCheck.git https://github.com/jeremylong/DependencyCheck scm:git:https://github.com/jeremylong/DependencyCheck.git - v6.4.1 + v8.4.0 github @@ -112,7 +112,7 @@ Copyright (c) 2012 - Jeremy Long - 2023-06-12T11:16:20Z + 2023-08-19T12:56:52Z UTF-8 UTF-8 github diff --git a/utils/pom.xml b/utils/pom.xml index 2ac41b2d4af..0c104069aba 100644 --- a/utils/pom.xml +++ b/utils/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 8.4.0-SNAPSHOT + 8.4.0 dependency-check-utils 
@@ -30,7 +30,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved. scm:git:https://github.com/jeremylong/DependencyCheck.git https://github.com/jeremylong/DependencyCheck/tree/main/utils scm:git:git@github.com:jeremylong/DependencyCheck.git - v6.4.1 + v8.4.0 org.owasp.dependencycheck.utils.*
From d1f8e0b3ffe50ed96970806a28b3b1b05c77827c Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Sat, 19 Aug 2023 08:57:43 -0400
Subject: [PATCH 09/13] build: prepare for next development iteration
---
ant/pom.xml | 4 ++-- archetype/pom.xml | 6 +++--- cli/pom.xml | 4 ++-- core/pom.xml | 4 ++-- maven/pom.xml | 4 ++-- pom.xml | 6 +++--- utils/pom.xml | 4 ++-- 7 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/ant/pom.xml b/ant/pom.xml
index 282ab6df773..94a194174ab 100644
--- a/ant/pom.xml
+++ b/ant/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 8.4.0 + 8.4.1-SNAPSHOT dependency-check-ant
@@ -32,7 +32,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved. scm:git:https://github.com/jeremylong/DependencyCheck.git https://github.com/jeremylong/DependencyCheck/tree/main/ant scm:git:git@github.com:jeremylong/DependencyCheck.git - v8.4.0 + v6.4.1
diff --git a/archetype/pom.xml b/archetype/pom.xml
index a52d4ddea02..329bfd645bc 100644
--- a/archetype/pom.xml
+++ b/archetype/pom.xml
@@ -20,20 +20,20 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 8.4.0 + 8.4.1-SNAPSHOT dependency-check-plugin Dependency-Check Plugin Archetype jar - 2023-08-19T12:56:52Z + 2023-08-19T12:57:43Z scm:git:https://github.com/jeremylong/DependencyCheck.git https://github.com/jeremylong/DependencyCheck/tree/main/archetype scm:git:git@github.com:jeremylong/DependencyCheck.git - v8.4.0 + HEAD
diff --git a/cli/pom.xml b/cli/pom.xml
index d15103299f0..7130074a552 100644
--- a/cli/pom.xml
+++ b/cli/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 8.4.0 + 8.4.1-SNAPSHOT dependency-check-cli
@@ -32,7 +32,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. scm:git:https://github.com/jeremylong/DependencyCheck.git https://github.com/jeremylong/DependencyCheck/tree/main/cli scm:git:git@github.com:jeremylong/DependencyCheck.git - v8.4.0 + v6.4.1 dependency-check-${project.version}
diff --git a/core/pom.xml b/core/pom.xml
index 067b41ebfeb..04bf4bf3d94 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 8.4.0 + 8.4.1-SNAPSHOT dependency-check-core
@@ -32,7 +32,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. scm:git:https://github.com/jeremylong/DependencyCheck.git https://github.com/jeremylong/DependencyCheck/tree/main/core scm:git:git@github.com:jeremylong/DependencyCheck.git - v8.4.0 + v6.4.1
diff --git a/maven/pom.xml b/maven/pom.xml
index c22f64208c4..59f5e9dd992 100644
--- a/maven/pom.xml
+++ b/maven/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 8.4.0 + 8.4.1-SNAPSHOT dependency-check-maven maven-plugin
@@ -35,7 +35,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. scm:git:https://github.com/jeremylong/DependencyCheck.git https://github.com/jeremylong/DependencyCheck/tree/master/maven scm:git:git@github.com:jeremylong/DependencyCheck.git - v8.4.0 + v6.4.1 3.1.0
diff --git a/pom.xml b/pom.xml
index b7f891d1613..a3012a0e8b2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long org.owasp dependency-check-parent - 8.4.0 + 8.4.1-SNAPSHOT pom
@@ -94,7 +94,7 @@ Copyright (c) 2012 - Jeremy Long scm:git:https://github.com/jeremylong/DependencyCheck.git https://github.com/jeremylong/DependencyCheck scm:git:https://github.com/jeremylong/DependencyCheck.git - v8.4.0 + v6.4.1 github
@@ -112,7 +112,7 @@ Copyright (c) 2012 - Jeremy Long - 2023-08-19T12:56:52Z + 2023-08-19T12:57:43Z UTF-8 UTF-8 github
diff --git a/utils/pom.xml b/utils/pom.xml
index 0c104069aba..b912b89336e 100644
--- a/utils/pom.xml
+++ b/utils/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 8.4.0 + 8.4.1-SNAPSHOT dependency-check-utils
@@ -30,7 +30,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved. scm:git:https://github.com/jeremylong/DependencyCheck.git https://github.com/jeremylong/DependencyCheck/tree/main/utils scm:git:git@github.com:jeremylong/DependencyCheck.git - v8.4.0 + v6.4.1 org.owasp.dependencycheck.utils.*
From a1da7ef9a4da1837bf00679dc70fd4e3a81c9afc Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 21 Aug 2023 01:08:14 +0000
Subject: [PATCH 10/13] build(deps): bump apache.ant.version from 1.10.13 to 1.10.14 Bumps `apache.ant.version` from 1.10.13 to 1.10.14. Updates `org.apache.ant:ant` from 1.10.13 to 1.10.14 Updates `org.apache.ant:ant-testutil` from 1.10.13 to 1.10.14
---
updated-dependencies: - dependency-name: org.apache.ant:ant dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: org.apache.ant:ant-testutil dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot]
---
pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index a3012a0e8b2..b65c7c17032 100644
--- a/pom.xml
+++ b/pom.xml
@@ -118,7 +118,7 @@ Copyright (c) 2012 - Jeremy Long github 8.11.2 - 1.10.13 + 1.10.14 1.7.36
From 9dc1cd8b96c454f209c6e078ff6d12d21990684a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 23 Aug 2023 01:46:13 +0000
Subject: [PATCH 11/13] build(deps): bump org.apache.maven.plugins:maven-enforcer-plugin Bumps [org.apache.maven.plugins:maven-enforcer-plugin](https://github.com/apache/maven-enforcer) from 3.3.0 to 3.4.0. - [Release notes](https://github.com/apache/maven-enforcer/releases) - [Commits](https://github.com/apache/maven-enforcer/compare/enforcer-3.3.0...enforcer-3.4.0)
---
updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-enforcer-plugin dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot]
---
pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index a3012a0e8b2..d2acf44a013 100644
--- a/pom.xml
+++ b/pom.xml
@@ -237,7 +237,7 @@ Copyright (c) 2012 - Jeremy Long org.apache.maven.plugins maven-enforcer-plugin - 3.3.0 + 3.4.0 org.codehaus.mojo
From c55d39fb806cc230f9344bfe73dfc86cb1b40d6c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 4 Sep 2023 01:26:45 +0000
Subject: [PATCH 12/13] build(deps): bump org.apache.commons:commons-dbcp2 from 2.9.0 to 2.10.0 Bumps org.apache.commons:commons-dbcp2 from 2.9.0 to 2.10.0.
---
updated-dependencies: - dependency-name: org.apache.commons:commons-dbcp2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot]
---
pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 31125531834..a9083ca7d8f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1042,7 +1042,7 @@ Copyright (c) 2012 - Jeremy Long org.apache.commons commons-dbcp2 - 2.9.0 + 2.10.0 com.github.package-url
From ca6bb53a190c164ba3b16b4032daf203a9ac00c5 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 5 Sep 2023 01:10:20 +0000
Subject: [PATCH 13/13] build(deps): bump us.springett:cpe-parser from 2.0.2 to 2.0.3 Bumps [us.springett:cpe-parser](https://github.com/stevespringett/CPE-Parser) from 2.0.2 to 2.0.3. - [Commits](https://github.com/stevespringett/CPE-Parser/compare/cpe-parser-2.0.2...cpe-parser-2.0.3)
---
updated-dependencies: - dependency-name: us.springett:cpe-parser dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot]
---
pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index a9083ca7d8f..ce41f34bbae 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1052,7 +1052,7 @@ Copyright (c) 2012 - Jeremy Long us.springett cpe-parser - 2.0.2 + 2.0.3 com.github.spotbugs