From 686cd930142c0d4ece5bdffea617b2ad086c05fe Mon Sep 17 00:00:00 2001 From: Igor Andriushchenko Date: Wed, 25 Jul 2018 00:44:24 +0200 Subject: [PATCH 01/14] Take existing nuspec analyzer as template --- .../owasp/dependencycheck/taskdefs/Check.java | 24 +++ .../java/org/owasp/dependencycheck/App.java | 1 + .../org/owasp/dependencycheck/CliParser.java | 18 ++ .../analyzer/NugetconfAnalyzer.java | 171 ++++++++++++++++++ .../data/nuget/NugetconfParseException.java | 74 ++++++++ .../data/nuget/NugetconfParser.java | 38 ++++ .../data/nuget/XPathNugetconfParser.java | 91 ++++++++++ ...rg.owasp.dependencycheck.analyzer.Analyzer | 1 + .../test/resources/dependencycheck.properties | 1 + .../owasp/dependencycheck/utils/Settings.java | 4 + 10 files changed, 423 insertions(+) create mode 100644 core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java create mode 100644 core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetconfParseException.java create mode 100644 core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetconfParser.java create mode 100644 core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNugetconfParser.java diff --git a/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java b/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java index 62d8436a904..f3b22de30df 100644 --- a/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java +++ b/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java @@ -208,6 +208,10 @@ public class Check extends Update { * Whether or not the .NET Nuspec Analyzer is enabled. */ private Boolean nuspecAnalyzerEnabled; + /** + * Whether or not the .NET Nuget config file Analyzer is enabled. + */ + private Boolean nugetconfAnalyzerEnabled; /** * Whether or not the PHP Composer Analyzer is enabled. */ 
@@ -658,6 +662,16 @@ public Boolean isNuspecAnalyzerEnabled() {
 return nuspecAnalyzerEnabled;
 }
+ /**
+ * Returns whether or not the analyzer is enabled.
+ *
+ * @return true if the analyzer is enabled
+ */
+ public Boolean isNugetconfAnalyzerEnabled() {
+ return nugetconfAnalyzerEnabled;
+ }
+
+
 /**
 * Sets whether or not the analyzer is enabled.
 *
@@ -667,6 +681,15 @@ public void setNuspecAnalyzerEnabled(Boolean nuspecAnalyzerEnabled) {
 this.nuspecAnalyzerEnabled = nuspecAnalyzerEnabled;
 }
+ /**
+ * Sets whether or not the analyzer is enabled.
+ *
+ * @param nuspecAnalyzerEnabled the value of the new setting
+ */
+ public void setNugetconfAnalyzerEnabled(Boolean nugetconfAnalyzerEnabled) {
+ this.nugetconfAnalyzerEnabled = nugetconfAnalyzerEnabled;
+ }
+
 /**
 * Get the value of composerAnalyzerEnabled.
 *
@@ -1337,6 +1360,7 @@ protected void populateSettings() throws BuildException {
 getSettings().setArrayIfNotEmpty(Settings.KEYS.ANALYZER_RETIREJS_FILTERS, retirejsFilters);
 getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
+ getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUGETCONF_ENABLED, nugetconfAnalyzerEnabled);
 getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
 getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
 getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, archiveAnalyzerEnabled);
diff --git a/cli/src/main/java/org/owasp/dependencycheck/App.java b/cli/src/main/java/org/owasp/dependencycheck/App.java
index d392de1571a..c686eda8c48 100644
--- a/cli/src/main/java/org/owasp/dependencycheck/App.java
+++ b/cli/src/main/java/org/owasp/dependencycheck/App.java
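Review bot: The Javadoc on `setNugetconfAnalyzerEnabled` in the `@@ -667` hunk names a parameter that does not exist: it reads `@param nuspecAnalyzerEnabled the value of the new setting` while the method parameter is `nugetconfAnalyzerEnabled`, so javadoc lint will flag it and the tag documents the wrong setter. Change it to `@param nugetconfAnalyzerEnabled the value of the new setting`. The copied summary "Sets whether or not the analyzer is enabled." could also say which analyzer, e.g. `Sets whether or not the .NET Nuget config file analyzer is enabled.`, matching the field comment added in the first hunk of this file.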
@@ -461,6 +461,7 @@ protected void populateSettings(CliParser cli) throws InvalidSettingException {
 settings.setBoolean(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, !cli.isAutoconfDisabled());
 settings.setBoolean(Settings.KEYS.ANALYZER_CMAKE_ENABLED, !cli.isCmakeDisabled());
 settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, !cli.isNuspecDisabled());
+ settings.setBoolean(Settings.KEYS.ANALYZER_NUGETCONF_ENABLED, !cli.isNugetconfDisabled());
 settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, !cli.isAssemblyDisabled());
 settings.setBoolean(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, !cli.isBundleAuditDisabled());
 settings.setBoolean(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, !cli.isOpenSSLDisabled());
diff --git a/cli/src/main/java/org/owasp/dependencycheck/CliParser.java b/cli/src/main/java/org/owasp/dependencycheck/CliParser.java
index 7594a39a4ba..13c9384c981 100644
--- a/cli/src/main/java/org/owasp/dependencycheck/CliParser.java
+++ b/cli/src/main/java/org/owasp/dependencycheck/CliParser.java
@@ -400,6 +400,8 @@ private void addAdvancedOptions(final Options options) {
 .desc("Disable the Archive Analyzer.").build();
 final Option disableNuspecAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_NUSPEC)
 .desc("Disable the Nuspec Analyzer.").build();
+ final Option disableNugetconfAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_NUGETCONF)
+ .desc("Disable the Nuget Config Analyzer.").build();
 final Option disableAssemblyAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_ASSEMBLY)
 .desc("Disable the .NET Assembly Analyzer.").build();
 final Option disablePythonDistributionAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_PY_DIST)
@@ -460,6 +462,7 @@ private void addAdvancedOptions(final Options options) {
 .addOption(disableComposerAnalyzer)
 .addOption(disableOpenSSLAnalyzer)
 .addOption(disableNuspecAnalyzer)
+ .addOption(disableNugetconfAnalyzer)
 .addOption(disableCentralAnalyzer)
 .addOption(disableNexusAnalyzer)
 .addOption(cocoapodsAnalyzerEnabled)
@@ -622,6 +625,17 @@ public boolean isNuspecDisabled() {
 return hasDisableOption(ARGUMENT.DISABLE_NUSPEC, Settings.KEYS.ANALYZER_NUSPEC_ENABLED);
 }
+ /**
+ * Returns true if the disableNugetconf command line argument was specified.
+ *
+ * @return true if the disableNugetconf command line argument was specified;
+ * otherwise false
+ */
+ public boolean isNugetconfDisabled() {
+ return hasDisableOption(ARGUMENT.DISABLE_NUGETCONF, Settings.KEYS.ANALYZER_NUGETCONF_ENABLED);
+ }
+
+
 /**
 * Returns true if the disableAssembly command line argument was specified.
 *
@@ -1515,6 +1529,10 @@ public static class ARGUMENT {
 * Disables the Nuspec Analyzer.
 */
 public static final String DISABLE_NUSPEC = "disableNuspec";
+ /**
+ * Disables the Nuget Config Analyzer.
+ */
+ public static final String DISABLE_NUGETCONF = "disableNugetconf";
 /**
 * Disables the Central Analyzer.
 */
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java
new file mode 100644
index 00000000000..f775b5c8698
--- /dev/null
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java
@@ -0,0 +1,171 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2014 Jeremy Long. All Rights Reserved. + */ +package org.owasp.dependencycheck.analyzer; + +import org.owasp.dependencycheck.Engine; +import org.owasp.dependencycheck.analyzer.exception.AnalysisException; +import org.owasp.dependencycheck.data.nuget.NugetPackage; +import org.owasp.dependencycheck.data.nuget.NugetconfParseException; +import org.owasp.dependencycheck.data.nuget.NugetconfParser; +import org.owasp.dependencycheck.data.nuget.XPathNugetconfParser; +import org.owasp.dependencycheck.dependency.Confidence; +import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.utils.FileFilterBuilder; +import org.owasp.dependencycheck.utils.Settings; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.FileFilter; +import java.io.FileInputStream; +import java.io.FileNotFoundException; +import javax.annotation.concurrent.ThreadSafe; +import org.owasp.dependencycheck.dependency.EvidenceType; +import org.owasp.dependencycheck.exception.InitializationException; + +/** + * Analyzer which will parse a Nuget packages config file to gather module information. + * + * @author colezlaw + */ +@ThreadSafe +public class NugetconfAnalyzer extends AbstractFileTypeAnalyzer { + + /** + * A descriptor for the type of dependencies processed or added by this + * analyzer. 
+ */ + public static final String DEPENDENCY_ECOSYSTEM = "NuGet"; + + /** + * The logger. + */ + private static final Logger LOGGER = LoggerFactory.getLogger(NugetconfAnalyzer.class); + + /** + * The name of the analyzer. + */ + private static final String ANALYZER_NAME = "Nugetconf Analyzer"; + + /** + * The phase in which the analyzer runs. + */ + private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION; + + /** + * The types of files on which this will work. + */ + private static final String SUPPORTED_EXTENSIONS = "config"; + /** + * The file filter used to determine which files this analyzer supports. + */ + private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(SUPPORTED_EXTENSIONS).build(); + + /** + * Initializes the analyzer once before any analysis is performed. + * + * @param engine a reference to the dependency-check engine + * @throws InitializationException if there's an error during initialization + */ + @Override + public void prepareFileTypeAnalyzer(Engine engine) throws InitializationException { + //nothing to initialize + } + + /** + * Returns the analyzer's name. + * + * @return the name of the analyzer + */ + @Override + public String getName() { + return ANALYZER_NAME; + } + + /** + * Returns the key used in the properties file to reference the analyzer's + * enabled property. + * + * @return the analyzer's enabled property setting key + */ + @Override + protected String getAnalyzerEnabledSettingKey() { + return Settings.KEYS.ANALYZER_NUGETCONF_ENABLED; + } + + /** + * Returns the analysis phase under which the analyzer runs. + * + * @return the phase under which this analyzer runs + */ + @Override + public AnalysisPhase getAnalysisPhase() { + return ANALYSIS_PHASE; + } + + /** + * Returns the FileFilter + * + * @return the FileFilter + */ + @Override + protected FileFilter getFileFilter() { + return FILTER; + } + + /** + * Performs the analysis. 
+ * + * @param dependency the dependency to analyze + * @param engine the engine + * @throws AnalysisException when there's an exception during analysis + */ + @Override + public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { + LOGGER.debug("Checking Nugetconf file {}", dependency); + try { + final NugetconfParser parser = new XPathNugetconfParser(); + NugetPackage np = null; + try (FileInputStream fis = new FileInputStream(dependency.getActualFilePath())) { + np = parser.parse(fis); + } catch (NugetconfParseException | FileNotFoundException ex) { + throw new AnalysisException(ex); + } + + dependency.setEcosystem(DEPENDENCY_ECOSYSTEM); + if (np.getOwners() != null) { + dependency.addEvidence(EvidenceType.VENDOR, "packages.config", "owners", np.getOwners(), Confidence.HIGHEST); + } + dependency.addEvidence(EvidenceType.VENDOR, "packages.config", "authors", np.getAuthors(), Confidence.HIGH); + dependency.addEvidence(EvidenceType.VERSION, "packages.config", "version", np.getVersion(), Confidence.HIGHEST); + dependency.addEvidence(EvidenceType.PRODUCT, "packages.config", "id", np.getId(), Confidence.HIGHEST); + dependency.setName(np.getId()); + dependency.setVersion(np.getVersion()); + final String packagePath = String.format("%s:%s", np.getId(), np.getVersion()); + dependency.setPackagePath(packagePath); + dependency.setDisplayFileName(packagePath); + if (np.getLicenseUrl() != null && !np.getLicenseUrl().isEmpty()) { + dependency.setLicense(np.getLicenseUrl()); + } + if (np.getTitle() != null) { + dependency.addEvidence(EvidenceType.PRODUCT, "packages.config", "title", np.getTitle(), Confidence.MEDIUM); + } + } catch (Throwable e) { + throw new AnalysisException(e); + } + } +} diff --git a/core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetconfParseException.java b/core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetconfParseException.java new file mode 100644 index 00000000000..a950bca5913 --- /dev/null 
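Review bot: The trailing `catch (Throwable e)` in `analyzeDependency` re-wraps the `AnalysisException` that the inner catch has just thrown, so a parse failure ends up nested two levels deep, and it also turns `Error`s such as `OutOfMemoryError` into an `AnalysisException` instead of letting them surface. The only checked exception the outer block handles beyond the inner one is the `IOException` from closing the `FileInputStream`, so the outer try/catch can be dropped and the inner catch widened to `} catch (NugetconfParseException | IOException ex) {` (`FileNotFoundException` is an `IOException`). The same outer catch is carried into the second patch's rewrite of this method further down this page. The `/package/metadata` handling here is the nuspec template that the second patch replaces, so I am not commenting on it.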
+++ b/core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetconfParseException.java 
@@ -0,0 +1,74 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2014 Jeremy Long. All Rights Reserved. + */ +package org.owasp.dependencycheck.data.nuget; + +import javax.annotation.concurrent.ThreadSafe; + +/** + * Exception during the parsing of a Nugetconf file. + * + * @author colezlaw + */ +@ThreadSafe +public class NugetconfParseException extends Exception { + + /** + * The serialVersionUID + */ + private static final long serialVersionUID = 1; + + /** + * Constructs a new exception with null as its detail message. + * + * The cause is not initialized, and may subsequently be initialized by a + * call to {@link java.lang.Throwable#initCause(java.lang.Throwable)}. + */ + public NugetconfParseException() { + super(); + } + + /** + * Constructs a new exception with the specified detail message. The cause + * is not initialized, and may subsequently be initialized by a call to + * {@link java.lang.Throwable#initCause(java.lang.Throwable)}. + * + * @param message the detail message. The detail message is saved for later + * retrieval by the {@link java.lang.Throwable#getMessage()} method. + */ + public NugetconfParseException(String message) { + super(message); + } + + /** + * Constructs a new exception with the specified detail message and cause. + * + * Note that the detail message associated with cause is + * not + * automatically incorporated in this exception's detail message. 
+ * + * @param message the detail message (which is saved for later retrieval by + * the {@link java.lang.Throwable#getMessage()} method. + * @param cause the cause (which is saved for later retrieval by the + * {@link java.lang.Throwable#getCause()} method). (A null + * value is permitted, and indicates that the cause is nonexistent or + * unknown). + */ + public NugetconfParseException(String message, Throwable cause) { + super(message, cause); + } +} diff --git a/core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetconfParser.java b/core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetconfParser.java new file mode 100644 index 00000000000..b569118780d --- /dev/null +++ b/core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetconfParser.java @@ -0,0 +1,38 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2014 Jeremy Long. All Rights Reserved. + */ +package org.owasp.dependencycheck.data.nuget; + +import java.io.InputStream; + +/** + * Interface defining methods for parsing a Nugetconf file. + * + * @author colezlaw + * + */ +public interface NugetconfParser { + + /** + * Parse an input stream and return the resulting {@link NugetPackage}. + * + * @param stream the input stream to parse + * @return the populated bean + * @throws NugetconfParseException when an exception occurs + */ + NugetPackage parse(InputStream stream) throws NugetconfParseException; +} 
diff --git a/core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNugetconfParser.java b/core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNugetconfParser.java new file mode 100644 index 00000000000..7711d2059e5 --- /dev/null +++ b/core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNugetconfParser.java 
@@ -0,0 +1,91 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2014 Jeremy Long. All Rights Reserved. + */ +package org.owasp.dependencycheck.data.nuget; + +import java.io.IOException; +import java.io.InputStream; +import javax.annotation.concurrent.ThreadSafe; +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.ParserConfigurationException; +import javax.xml.xpath.XPath; +import javax.xml.xpath.XPathConstants; +import javax.xml.xpath.XPathExpressionException; +import javax.xml.xpath.XPathFactory; +import org.owasp.dependencycheck.utils.XmlUtils; +import org.w3c.dom.Document; +import org.w3c.dom.Node; +import org.xml.sax.SAXException; + +/** + * Parse a Nugetconf file using XPath. + * + * @author colezlaw + */ +@ThreadSafe +public class XPathNugetconfParser implements NugetconfParser { + + /** + * Gets the string value of a node or null if it's not present + * + * @param n the node to test + * @return the string content of the node, or null if the node itself is + * null + */ + private String getOrNull(Node n) { + if (n != null) { + return n.getTextContent(); + } else { + return null; + } + } + + /** + * Parse an input stream and return the resulting {@link NugetPackage}. 
+ * + * @param stream the input stream to parse + * @return the populated bean + * @throws NugetconfParseException when an exception occurs + */ + @Override + public NugetPackage parse(InputStream stream) throws NugetconfParseException { + try { + final DocumentBuilder db = XmlUtils.buildSecureDocumentBuilder(); + final Document d = db.parse(stream); + + final XPath xpath = XPathFactory.newInstance().newXPath(); + final NugetPackage nugetconf = new NugetPackage(); + + if (xpath.evaluate("/package/metadata/id", d, XPathConstants.NODE) == null + || xpath.evaluate("/package/metadata/version", d, XPathConstants.NODE) == null + || xpath.evaluate("/package/metadata/authors", d, XPathConstants.NODE) == null + || xpath.evaluate("/package/metadata/description", d, XPathConstants.NODE) == null) { + throw new NugetconfParseException("Invalid packages.config format"); + } + + nugetconf.setId(xpath.evaluate("/package/metadata/id", d)); + nugetconf.setVersion(xpath.evaluate("/package/metadata/version", d)); + nugetconf.setAuthors(xpath.evaluate("/package/metadata/authors", d)); + nugetconf.setOwners(getOrNull((Node) xpath.evaluate("/package/metadata/owners", d, XPathConstants.NODE))); + nugetconf.setLicenseUrl(getOrNull((Node) xpath.evaluate("/package/metadata/licenseUrl", d, XPathConstants.NODE))); + nugetconf.setTitle(getOrNull((Node) xpath.evaluate("/package/metadata/title", d, XPathConstants.NODE))); + return nugetconf; + } catch (ParserConfigurationException | SAXException | IOException | XPathExpressionException | NugetconfParseException e) { + throw new NugetconfParseException("Unable to parse packages.config", e); + } + } +} diff --git a/core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer b/core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer index 78172b8e824..67c10f4e65d 100644 --- a/core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer 
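Review bot: `NugetconfParseException` is listed in the multi-catch at the end of `parse`, so the `"Invalid packages.config format"` exception thrown by the validation block a few lines earlier is immediately caught and re-wrapped as `"Unable to parse packages.config"`, burying the specific message in the cause chain. Since the method already declares `throws NugetconfParseException`, drop it from the catch: `} catch (ParserConfigurationException | SAXException | IOException | XPathExpressionException e) {`. The second patch's version of `parse` on this page keeps the same multi-catch. Building the parser through `XmlUtils.buildSecureDocumentBuilder()` is the right choice here, since the document comes from the scanned project tree.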
+++ b/core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer @@ -12,6 +12,7 @@ org.owasp.dependencycheck.analyzer.CentralAnalyzer org.owasp.dependencycheck.analyzer.NexusAnalyzer org.owasp.dependencycheck.analyzer.ArtifactoryAnalyzer org.owasp.dependencycheck.analyzer.NuspecAnalyzer +org.owasp.dependencycheck.analyzer.NugetconfAnalyzer org.owasp.dependencycheck.analyzer.MSBuildProjectAnalyzer org.owasp.dependencycheck.analyzer.AssemblyAnalyzer org.owasp.dependencycheck.analyzer.PythonDistributionAnalyzer diff --git a/core/src/test/resources/dependencycheck.properties b/core/src/test/resources/dependencycheck.properties index cdeae792d5a..4aeb9dadd16 100644 --- a/core/src/test/resources/dependencycheck.properties +++ b/core/src/test/resources/dependencycheck.properties @@ -111,6 +111,7 @@ analyzer.autoconf.enabled=true analyzer.cmake.enabled=true analyzer.assembly.enabled=true analyzer.nuspec.enabled=true +analyzer.nugetconf.enabled=true analyzer.msbuildproject.enabled=true analyzer.openssl.enabled=true analyzer.central.enabled=true diff --git a/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java index 8c8ea52e4a3..d11f23e841d 100644 --- a/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java +++ b/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java @@ -350,6 +350,10 @@ public static final class KEYS { * The properties key for whether the .NET Nuspec analyzer is enabled. */ public static final String ANALYZER_NUSPEC_ENABLED = "analyzer.nuspec.enabled"; + /** + * The properties key for whether the .NET Nuget packages config analyzer is enabled. + */ + public static final String ANALYZER_NUGETCONF_ENABLED = "analyzer.nugetconf.enabled"; /** * The properties key for whether the .NET MSBuild Project analyzer is * enabled. From 423250d09e99622c13765a3ce08ad920919cfd8e Mon Sep 17 00:00:00 2001 
From: Igor Andriushchenko Date: Thu, 26 Jul 2018 23:22:22 +0200 Subject: [PATCH 02/14] First draft --- .../analyzer/NugetconfAnalyzer.java | 58 +++++++++++------ .../data/nuget/NugetconfParser.java | 3 +- .../data/nuget/XPathNugetconfParser.java | 63 +++++++++---------- 3 files changed, 72 insertions(+), 52 deletions(-) diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java index f775b5c8698..3aa710b4869 100644 --- a/core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java +++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java @@ -20,11 +20,13 @@ import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.data.nuget.NugetPackage; +import org.owasp.dependencycheck.data.nuget.NugetPackageReference; import org.owasp.dependencycheck.data.nuget.NugetconfParseException; import org.owasp.dependencycheck.data.nuget.NugetconfParser; import org.owasp.dependencycheck.data.nuget.XPathNugetconfParser; import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.utils.Checksum; import org.owasp.dependencycheck.utils.FileFilterBuilder; import org.owasp.dependencycheck.utils.Settings; import org.slf4j.Logger; @@ -33,6 +35,8 @@ import java.io.FileFilter; import java.io.FileInputStream; import java.io.FileNotFoundException; +import java.util.List; + import javax.annotation.concurrent.ThreadSafe; import org.owasp.dependencycheck.dependency.EvidenceType; import org.owasp.dependencycheck.exception.InitializationException; 
@@ -139,30 +143,46 @@ public void analyzeDependency(Dependency dependency, Engine engine) throws Analy
 LOGGER.debug("Checking Nugetconf file {}", dependency);
 try {
 final NugetconfParser parser = new XPathNugetconfParser();
- NugetPackage np = null;
+ List packages = null;
 try (FileInputStream fis = new FileInputStream(dependency.getActualFilePath())) {
- np = parser.parse(fis);
+ packages = parser.parse(fis);
 } catch (NugetconfParseException | FileNotFoundException ex) {
 throw new AnalysisException(ex);
 }
- dependency.setEcosystem(DEPENDENCY_ECOSYSTEM);
- if (np.getOwners() != null) {
- dependency.addEvidence(EvidenceType.VENDOR, "packages.config", "owners", np.getOwners(), Confidence.HIGHEST);
- }
- dependency.addEvidence(EvidenceType.VENDOR, "packages.config", "authors", np.getAuthors(), Confidence.HIGH);
- dependency.addEvidence(EvidenceType.VERSION, "packages.config", "version", np.getVersion(), Confidence.HIGHEST);
- dependency.addEvidence(EvidenceType.PRODUCT, "packages.config", "id", np.getId(), Confidence.HIGHEST);
- dependency.setName(np.getId());
- dependency.setVersion(np.getVersion());
- final String packagePath = String.format("%s:%s", np.getId(), np.getVersion());
- dependency.setPackagePath(packagePath);
- dependency.setDisplayFileName(packagePath);
- if (np.getLicenseUrl() != null && !np.getLicenseUrl().isEmpty()) {
- dependency.setLicense(np.getLicenseUrl());
- }
- if (np.getTitle() != null) {
- dependency.addEvidence(EvidenceType.PRODUCT, "packages.config", "title", np.getTitle(), Confidence.MEDIUM);
+ for (NugetPackageReference np : packages) {
+ final Dependency child = new Dependency(dependency.getActualFile(), true);
+
+ final String id = np.getId();
+ final String version = np.getVersion();
+
+ child.setEcosystem(DEPENDENCY_ECOSYSTEM);
+ child.setName(id);
+ child.setVersion(version);
+ child.setPackagePath(String.format("%s:%s", id, version));
+ child.setSha1sum(Checksum.getSHA1Checksum(String.format("%s:%s", id, version)));
+ child.setSha256sum(Checksum.getSHA256Checksum(String.format("%s:%s", id, version)));
+ child.setMd5sum(Checksum.getMD5Checksum(String.format("%s:%s", id, version)));
+ child.addEvidence(EvidenceType.VERSION, "packages.config", "version", np.getVersion(), Confidence.HIGHEST);
+ child.addEvidence(EvidenceType.PRODUCT, "packages.config", "id", np.getId(), Confidence.HIGHEST);
+
+ if (id.indexOf(".") > 0) {
+ final String[] parts = id.split("\\.");
+
+ // example: Microsoft.EntityFrameworkCore
+ child.addEvidence(EvidenceType.VENDOR, "packages.config", "id", parts[0], Confidence.MEDIUM);
+ child.addEvidence(EvidenceType.PRODUCT, "packages.config", "id", parts[1], Confidence.MEDIUM);
+
+ if (parts.length > 2) {
+ final String rest = id.substring(id.indexOf(".") + 1);
+ child.addEvidence(EvidenceType.PRODUCT, "packages.config", "id", rest, Confidence.MEDIUM);
+ }
+ } else {
+ // example: jQuery
+ child.addEvidence(EvidenceType.VENDOR, "packages.config", "id", id, Confidence.LOW);
+ }
+
+ engine.addDependency(child);
 }
 } catch (Throwable e) {
 throw new AnalysisException(e);
diff --git a/core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetconfParser.java b/core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetconfParser.java
index b569118780d..a2d00e1a45f 100644
--- a/core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetconfParser.java
+++ b/core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetconfParser.java
@@ -18,6 +18,7 @@ package org.owasp.dependencycheck.data.nuget;
 import java.io.InputStream;
+import java.util.List;
 /**
 * Interface defining methods for parsing a Nugetconf file.
@@ -34,5 +35,5 @@ public interface NugetconfParser {
 * @return the populated bean
 * @throws NugetconfParseException when an exception occurs
 */
- NugetPackage parse(InputStream stream) throws NugetconfParseException;
+ List parse(InputStream stream) throws NugetconfParseException;
 }
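Review bot: `List packages = null;` is a raw type, and the enhanced-for `for (NugetPackageReference np : packages)` over a raw `List` yields `Object`, which javac rejects as incompatible types, so this draft does not compile as written. Declare it as `List<NugetPackageReference> packages = null;` and type the interface in the `NugetconfParser` hunk on this same line as `List<NugetPackageReference> parse(InputStream stream) throws NugetconfParseException;`, with the matching change in `XPathNugetconfParser`; the third patch on this page still shows `public List parse(...)` raw. Separately, `parts[1]` after `id.split("\\.")` throws `ArrayIndexOutOfBoundsException` for an id with a trailing dot such as the constructed example `Foo.`, because `split` drops trailing empty strings while `id.indexOf(".") > 0` is still true; guard that access with `if (parts.length > 1)` so one malformed entry in a scanned file does not abort analysis of the whole `packages.config`. The enclosing method starts at the hunk header, and the `catch (Throwable e)` at its end is unchanged from the first patch.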
diff --git a/core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNugetconfParser.java b/core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNugetconfParser.java index 7711d2059e5..7f8cfb2cbb3 100644 --- a/core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNugetconfParser.java +++ b/core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNugetconfParser.java @@ -19,6 +19,9 @@ import java.io.IOException; import java.io.InputStream; +import java.util.ArrayList; +import java.util.List; + import javax.annotation.concurrent.ThreadSafe; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.ParserConfigurationException; @@ -28,32 +31,18 @@ import javax.xml.xpath.XPathFactory; import org.owasp.dependencycheck.utils.XmlUtils; import org.w3c.dom.Document; +import org.w3c.dom.NamedNodeMap; import org.w3c.dom.Node; +import org.w3c.dom.NodeList; import org.xml.sax.SAXException; /** * Parse a Nugetconf file using XPath. * - * @author colezlaw + * @author doshyt */ @ThreadSafe public class XPathNugetconfParser implements NugetconfParser { - - /** - * Gets the string value of a node or null if it's not present - * - * @param n the node to test - * @return the string content of the node, or null if the node itself is - * null - */ - private String getOrNull(Node n) { - if (n != null) { - return n.getTextContent(); - } else { - return null; - } - } - /** * Parse an input stream and return the resulting {@link NugetPackage}. * 
@@ -62,30 +51,40 @@ private String getOrNull(Node n) {
 * @throws NugetconfParseException when an exception occurs
 */
 @Override
- public NugetPackage parse(InputStream stream) throws NugetconfParseException {
+ public List parse(InputStream stream) throws NugetconfParseException {
 try {
 final DocumentBuilder db = XmlUtils.buildSecureDocumentBuilder();
 final Document d = db.parse(stream);
 final XPath xpath = XPathFactory.newInstance().newXPath();
- final NugetPackage nugetconf = new NugetPackage();
+ final List packages = new ArrayList<>();
+
+ final NodeList nodeList = (NodeList) xpath.evaluate("//packages", d, XPathConstants.NODESET);
+
+ if (nodeList == null) {
+ throw new NugetconfParseException("Unable to parse pacakcges.config project file");
+ }
+
+ for (int i = 0; i < nodeList.getLength(); i++) {
+ final Node node = nodeList.item(i);
+ final NamedNodeMap attrs = node.getAttributes();
+
+ final Node id = attrs.getNamedItem("id");
+ final Node version = attrs.getNamedItem("version");
+
+ if (id != null && version != null) {
+ final NugetPackageReference npr = new NugetPackageReference();
+
+ npr.setId(id.getNodeValue());
+ npr.setVersion(version.getNodeValue());
- if (xpath.evaluate("/package/metadata/id", d, XPathConstants.NODE) == null
- || xpath.evaluate("/package/metadata/version", d, XPathConstants.NODE) == null
- || xpath.evaluate("/package/metadata/authors", d, XPathConstants.NODE) == null
- || xpath.evaluate("/package/metadata/description", d, XPathConstants.NODE) == null) {
- throw new NugetconfParseException("Invalid packages.config format");
+ packages.add(npr);
+ }
 }
- nugetconf.setId(xpath.evaluate("/package/metadata/id", d));
- nugetconf.setVersion(xpath.evaluate("/package/metadata/version", d));
- nugetconf.setAuthors(xpath.evaluate("/package/metadata/authors", d));
- nugetconf.setOwners(getOrNull((Node) xpath.evaluate("/package/metadata/owners", d, XPathConstants.NODE)));
- nugetconf.setLicenseUrl(getOrNull((Node) xpath.evaluate("/package/metadata/licenseUrl", d, XPathConstants.NODE)));
- nugetconf.setTitle(getOrNull((Node) xpath.evaluate("/package/metadata/title", d, XPathConstants.NODE)));
- return nugetconf;
+ return packages;
 } catch (ParserConfigurationException | SAXException | IOException | XPathExpressionException | NugetconfParseException e) {
- throw new NugetconfParseException("Unable to parse packages.config", e);
+ throw new NugetconfParseException("Unable to parse packages.config project file", e);
 }
 }
 }
From 9d554df92afe295b803adb417bd758da69190f2b Mon Sep 17 00:00:00 2001
From: Igor Andriushchenko
Date: Sun, 29 Jul 2018 23:23:03 +0200
Subject: [PATCH 03/14] Fix minor issues
---
 .../dependencycheck/analyzer/NugetconfAnalyzer.java | 11 ++++++-----
 .../data/nuget/NugetconfParseException.java | 4 ++--
 .../dependencycheck/data/nuget/NugetconfParser.java | 4 ++--
 .../data/nuget/XPathNugetconfParser.java | 10 +++++-----
 4 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java
index 3aa710b4869..b2f2e45be01 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java
@@ -19,7 +19,6 @@
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
-import org.owasp.dependencycheck.data.nuget.NugetPackage;
 import org.owasp.dependencycheck.data.nuget.NugetPackageReference;
 import org.owasp.dependencycheck.data.nuget.NugetconfParseException;
 import org.owasp.dependencycheck.data.nuget.NugetconfParser;
@@ -44,7 +43,7 @@
 /**
 * Analyzer which will parse a Nuget packages config file to gather module information.
 *
- * @author colezlaw
+ * @author igoand
 */
 @ThreadSafe
 public class NugetconfAnalyzer extends AbstractFileTypeAnalyzer {
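Review bot: The node set is selected with `xpath.evaluate("//packages", d, XPathConstants.NODESET)`, which matches the `<packages>` container element rather than the `<package id=".." version=".."/>` entries beneath it; the container carries neither attribute, so the `id != null && version != null` test fails for every node and `parse` returns an empty list for a well-formed packages.config, unless a later patch in this series changes the expression. It should read `xpath.evaluate("//package", d, XPathConstants.NODESET)`. The `nodeList == null` guard looks dead, since a NODESET evaluation in the JDK returns an empty `NodeList` rather than null when nothing matches, and its message also misspells the file name (`pacakcges.config`). The enclosing `parse` method starts inside this hunk at the `public List parse` line.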
@@ -71,13 +70,14 @@ public class NugetconfAnalyzer extends AbstractFileTypeAnalyzer { private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION; /** - * The types of files on which this will work. + * The file filter used to determine which files this analyzer supports. */ - private static final String SUPPORTED_EXTENSIONS = "config"; + public static final String FILE_NAME = "packages.config"; + /** * The file filter used to determine which files this analyzer supports. */ - private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(SUPPORTED_EXTENSIONS).build(); + private static final FileFilter FILTER = FileFilterBuilder.newInstance().addFilenames(FILE_NAME).build(); /** * Initializes the analyzer once before any analysis is performed. @@ -166,6 +166,7 @@ public void analyzeDependency(Dependency dependency, Engine engine) throws Analy child.addEvidence(EvidenceType.VERSION, "packages.config", "version", np.getVersion(), Confidence.HIGHEST); child.addEvidence(EvidenceType.PRODUCT, "packages.config", "id", np.getId(), Confidence.HIGHEST); + // handle package names the same way as the MSBuild analyzer if (id.indexOf(".") > 0) { final String[] parts = id.split("\\."); diff --git a/core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetconfParseException.java b/core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetconfParseException.java index a950bca5913..4a17bb21d5e 100644 --- a/core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetconfParseException.java +++ b/core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetconfParseException.java @@ -20,9 +20,9 @@ import javax.annotation.concurrent.ThreadSafe; /** - * Exception during the parsing of a Nugetconf file. + * Exception during the parsing of a packages.config file. * - * @author colezlaw + * @author igoand */ @ThreadSafe public class NugetconfParseException extends Exception { 
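Review bot: The Javadoc placed on the new `FILE_NAME` constant is a copy of the comment on `FILTER` directly below it ("The file filter used to determine which files this analyzer supports."), so two consecutive fields carry the same text and the constant itself is mis-described; change it to `/** The name of the file this analyzer supports (packages.config). */`. Narrowing the filter from the `config` extension to the exact filename is the right call, since `*.config` would have pulled every `app.config` and `web.config` into the analyzer. Whether `addFilenames` compares case-insensitively is not visible in this hunk; if it does not, a `Packages.config` written on a case-insensitive filesystem would be skipped silently, which the unit test could cover.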
diff --git a/core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetconfParser.java b/core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetconfParser.java index a2d00e1a45f..afd5cca763a 100644 --- a/core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetconfParser.java +++ b/core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetconfParser.java @@ -21,9 +21,9 @@ import java.util.List; /** - * Interface defining methods for parsing a Nugetconf file. + * Interface defining methods for parsing a packages.config file. * - * @author colezlaw + * @author igoand * */ public interface NugetconfParser { diff --git a/core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNugetconfParser.java b/core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNugetconfParser.java index 7f8cfb2cbb3..63cb4e19015 100644 --- a/core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNugetconfParser.java +++ b/core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNugetconfParser.java @@ -37,7 +37,7 @@ import org.xml.sax.SAXException; /** - * Parse a Nugetconf file using XPath. + * Parse a packages.config file using XPath. * * @author doshyt */ @@ -50,6 +50,7 @@ public class XPathNugetconfParser implements NugetconfParser { * @return the populated bean * @throws NugetconfParseException when an exception occurs */ + @Override public List parse(InputStream stream) throws NugetconfParseException { try { 
@@ -59,16 +60,15 @@ public List parse(InputStream stream) throws NugetconfPar final XPath xpath = XPathFactory.newInstance().newXPath(); final List packages = new ArrayList<>(); - final NodeList nodeList = (NodeList) xpath.evaluate("//packages", d, XPathConstants.NODESET); + final NodeList nodeList = (NodeList) xpath.evaluate("/packages/package", d, XPathConstants.NODESET); if (nodeList == null) { - throw new NugetconfParseException("Unable to parse pacakcges.config project file"); + throw new NugetconfParseException("Unable to parse packages.config file"); } for (int i = 0; i < nodeList.getLength(); i++) { final Node node = nodeList.item(i); final NamedNodeMap attrs = node.getAttributes(); - final Node id = attrs.getNamedItem("id"); final Node version = attrs.getNamedItem("version"); @@ -84,7 +84,7 @@ public List parse(InputStream stream) throws NugetconfPar return packages; } catch (ParserConfigurationException | SAXException | IOException | XPathExpressionException | NugetconfParseException e) { - throw new NugetconfParseException("Unable to parse packages.config project file", e); + throw new NugetconfParseException("Unable to parse packages.config file", e); } } } From 7f73f1ae809f257ff92ee681251fb075007f3a7d Mon Sep 17 00:00:00 2001 From: Igor Andriushchenko Date: Sun, 29 Jul 2018 23:29:23 +0200 Subject: [PATCH 04/14] Consistent naming in the module description --- .../main/java/org/owasp/dependencycheck/taskdefs/Check.java | 2 +- cli/src/main/java/org/owasp/dependencycheck/CliParser.java | 4 ++-- .../org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java b/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java index f3b22de30df..360a34a2f37 100644 --- a/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java +++ b/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java 
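Review bot: The `nodeList == null` guard kept in this hunk cannot fire: evaluating an XPath with `XPathConstants.NODESET` returns an empty `NodeList`, not null, when nothing matches, so a file whose root element is not `packages` now parses to an empty list and is reported as having no dependencies rather than as malformed. An empty list is legitimate for a project with no packages, so the check to add is on the root instead: `if (d.getDocumentElement() == null || !"packages".equals(d.getDocumentElement().getNodeName())) { throw new NugetconfParseException("Unable to parse packages.config file"); }`. The new absolute path `/packages/package` is the correct fix over `//packages`, which selected the root element and never found an `id` attribute; note that it assumes the root is unqualified, which is the case for NuGet's packages.config but worth a comment on the XPath line.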
@@ -209,7 +209,7 @@ public class Check extends Update { */ private Boolean nuspecAnalyzerEnabled; /** - * Whether or not the .NET Nuget config file Analyzer is enabled. + * Whether or not the .NET Nuget packages.config file Analyzer is enabled. */ private Boolean nugetconfAnalyzerEnabled; /** diff --git a/cli/src/main/java/org/owasp/dependencycheck/CliParser.java b/cli/src/main/java/org/owasp/dependencycheck/CliParser.java index 13c9384c981..4806abb71fe 100644 --- a/cli/src/main/java/org/owasp/dependencycheck/CliParser.java +++ b/cli/src/main/java/org/owasp/dependencycheck/CliParser.java @@ -401,7 +401,7 @@ private void addAdvancedOptions(final Options options) { final Option disableNuspecAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_NUSPEC) .desc("Disable the Nuspec Analyzer.").build(); final Option disableNugetconfAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_NUGETCONF) - .desc("Disable the Nuget Config Analyzer.").build(); + .desc("Disable the Nuget packages.config Analyzer.").build(); final Option disableAssemblyAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_ASSEMBLY) .desc("Disable the .NET Assembly Analyzer.").build(); final Option disablePythonDistributionAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_PY_DIST) @@ -1530,7 +1530,7 @@ public static class ARGUMENT { */ public static final String DISABLE_NUSPEC = "disableNuspec"; /** - * Disables the Nuget Config Analyzer. + * Disables the Nuget packages.config Analyzer. */ public static final String DISABLE_NUGETCONF = "disableNugetconf"; /** diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java index b2f2e45be01..b9a0d5ee884 100644 --- a/core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java +++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java 
@@ -41,7 +41,7 @@ import org.owasp.dependencycheck.exception.InitializationException; /** - * Analyzer which will parse a Nuget packages config file to gather module information. + * Analyzer which will parse a Nuget packages.config file to gather module information. * * @author igoand */ @@ -140,7 +140,7 @@ protected FileFilter getFileFilter() { */ @Override public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { - LOGGER.debug("Checking Nugetconf file {}", dependency); + LOGGER.debug("Checking packages.config file {}", dependency); try { final NugetconfParser parser = new XPathNugetconfParser(); List packages = null; From 0e4a815f5f042aeb4af9d6be71b20267f8513d9d Mon Sep 17 00:00:00 2001 From: Igor Andriushchenko Date: Sun, 29 Jul 2018 23:43:41 +0200 Subject: [PATCH 05/14] Add packages.config to base supression --- core/src/main/resources/dependencycheck-base-suppression.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml index 56f1d4282e5..e3719d73af0 100644 --- a/core/src/main/resources/dependencycheck-base-suppression.xml +++ b/core/src/main/resources/dependencycheck-base-suppression.xml @@ -75,7 +75,7 @@ 19. amazon_aws_project is a drupal utility (#1290) 20. google android should not be flagged for the base library ]]> - .*(\.(dll|jar|ear|war|pom|nupkg|nuspec|aar)|pom\.xml|package.json)$ + .*(\.(dll|jar|ear|war|pom|nupkg|nuspec|aar)|pom\.xml|package.json|packages.config)$ cpe:/a:sandbox:sandbox cpe:/a:openmedia:openmedia cpe:/a:file_project:file From ccb2b07225e11c56e8839983d2d9dc2bc52db889 Mon Sep 17 00:00:00 2001 From: Igor Andriushchenko Date: Sun, 29 Jul 2018 23:44:15 +0200 Subject: [PATCH 06/14] Add Nugetconf options to Maven plugin --- .../dependencycheck/maven/BaseDependencyCheckMojo.java | 8 ++++++++ 1 file changed, 8 insertions(+) 
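Review bot: The `packages.config` alternative added to the file-path regex leaves the dot unescaped, so it also matches names such as `packagesXconfig`; the neighbouring `pom\.xml` and the `\.(dll|jar|...)` group escape it, so write `packages\.config` for consistency. The pre-existing `package.json` alternative has the same flaw and could be corrected in the same edit. Since this line widens the base suppressions (the `sandbox`, `openmedia` and `file_project` CPEs visible just below it) to every packages.config, the new test fixture is a good place to confirm that those CPEs do not surface for a NuGet dependency once the analyzer is wired in.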
diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java index 6a1d6d7293f..f456ee1a5fd 100644 --- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java +++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java @@ -350,6 +350,13 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma @Parameter(property = "nuspecAnalyzerEnabled", required = false) private Boolean nuspecAnalyzerEnabled; + /** + * Whether or not the .NET packages.config Analyzer is enabled. + */ + @SuppressWarnings("CanBeFinal") + @Parameter(property = "nugetconfAnalyzerEnabled", required = false) + private Boolean nugetconfAnalyzerEnabled; + /** * Whether or not the Central Analyzer is enabled. */ @@ -1359,6 +1366,7 @@ protected void populateSettings() { //File Type Analyzer Settings settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled); settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled); + settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUGETCONF_ENABLED, nugetconfAnalyzerEnabled); settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled); settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_ENABLED, artifactoryAnalyzerEnabled); settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled); From 5656ea4ab921f347558e5462d340e3e9498118a4 Mon Sep 17 00:00:00 2001 From: Igor Andriushchenko Date: Sun, 29 Jul 2018 23:44:36 +0200 Subject: [PATCH 07/14] Add Nugetconf to properties --- cli/src/test/resources/sample.properties | 1 + cli/src/test/resources/sample2.properties | 1 + core/src/main/resources/dependencycheck.properties | 1 + utils/src/test/resources/dependencycheck.properties | 1 + 4 files changed, 4 insertions(+) 
diff --git a/cli/src/test/resources/sample.properties b/cli/src/test/resources/sample.properties
index 51fdaa87238..81ed9cce836 100644
--- a/cli/src/test/resources/sample.properties
+++ b/cli/src/test/resources/sample.properties
@@ -12,6 +12,7 @@ analyzer.autoconf.enabled=true
 analyzer.cmake.enabled=true
 analyzer.assembly.enabled=true
 analyzer.nuspec.enabled=true
+analyzer.nugetconf.enabled=true
 analyzer.openssl.enabled=true
 analyzer.central.enabled=true
 analyzer.nexus.enabled=false
diff --git a/cli/src/test/resources/sample2.properties b/cli/src/test/resources/sample2.properties
index 00d0e5a2788..57f9dfe9c70 100644
--- a/cli/src/test/resources/sample2.properties
+++ b/cli/src/test/resources/sample2.properties
@@ -12,6 +12,7 @@ analyzer.autoconf.enabled=false
 analyzer.cmake.enabled=false
 analyzer.assembly.enabled=false
 analyzer.nuspec.enabled=false
+analyzer.nugetconf.enabled=false
 analyzer.openssl.enabled=false
 analyzer.central.enabled=false
 analyzer.nexus.enabled=true
diff --git a/core/src/main/resources/dependencycheck.properties b/core/src/main/resources/dependencycheck.properties
index 75580bfa012..18ace841087 100644
--- a/core/src/main/resources/dependencycheck.properties
+++ b/core/src/main/resources/dependencycheck.properties
@@ -118,6 +118,7 @@ analyzer.autoconf.enabled=true
 analyzer.cmake.enabled=true
 analyzer.assembly.enabled=true
 analyzer.nuspec.enabled=true
+analyzer.nugetconf.enabled=true
 analyzer.msbuildproject.enabled=true
 analyzer.openssl.enabled=true
 analyzer.central.enabled=true
diff --git a/utils/src/test/resources/dependencycheck.properties b/utils/src/test/resources/dependencycheck.properties
index c2c3095d8b8..340872ae598 100644
--- a/utils/src/test/resources/dependencycheck.properties
+++ b/utils/src/test/resources/dependencycheck.properties
@@ -111,6 +111,7 @@ analyzer.autoconf.enabled=true analyzer.cmake.enabled=true analyzer.assembly.enabled=true analyzer.nuspec.enabled=true +analyzer.nugetconf.enabled=true analyzer.openssl.enabled=true analyzer.central.enabled=true analyzer.nexus.enabled=false From 681c4c1346ea11b41a336c2fd49c499ba0aab1d6 Mon Sep 17 00:00:00 2001 From: Igor Andriushchenko Date: Mon, 30 Jul 2018 00:11:59 +0200 Subject: [PATCH 08/14] Add tests for Nugetconf Analyzer --- .../analyzer/NugetconfAnalyzerTest.java | 107 ++++++++++++++++++ .../test-classes/nugetconf/packages.config | 7 ++ 2 files changed, 114 insertions(+) create mode 100644 core/src/test/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzerTest.java create mode 100644 core/target/test-classes/nugetconf/packages.config diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzerTest.java new file mode 100644 index 00000000000..65ea5c78bc9 --- /dev/null +++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzerTest.java 
@@ -0,0 +1,107 @@ +/* + * This file is part of dependency-check-core. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2018 Paul Irwin. All Rights Reserved. + */ +package org.owasp.dependencycheck.analyzer; + +import org.junit.Before; +import org.junit.Test; +import org.owasp.dependencycheck.BaseTest; +import org.owasp.dependencycheck.Engine; +import org.owasp.dependencycheck.dependency.Dependency; +import org.owasp.dependencycheck.dependency.EvidenceType; + +import java.io.File; + +import static junit.framework.TestCase.assertTrue; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.owasp.dependencycheck.analyzer.NuspecAnalyzer.DEPENDENCY_ECOSYSTEM; + +public class NugetconfAnalyzerTest extends BaseTest { + + private NugetconfAnalyzer instance; + + @Before + @Override + public void setUp() throws Exception { + super.setUp(); + instance = new NugetconfAnalyzer(); + instance.initialize(getSettings()); + instance.prepare(null); + instance.setEnabled(true); + } + + @Test + public void testGetAnalyzerName() { + assertEquals("Nugetconf Analyzer", instance.getName()); + } + + @Test + public void testSupportedFileNames() { + assertTrue(instance.accept(new File("packages.config"))); + assertFalse(instance.accept(new File("packages.json"))); + } + + @Test + public void testNugetconfAnalysis() throws Exception { + + try (Engine engine = new Engine(getSettings())) { + File file = 
BaseTest.getResourceAsFile(this, "nugetconf/packages.config"); + Dependency toScan = new Dependency(file); + NugetconfAnalyzer analyzer = new NugetconfAnalyzer(); + analyzer.setFilesMatched(true); + analyzer.initialize(getSettings()); + analyzer.prepare(engine); + analyzer.setEnabled(true); + analyzer.analyze(toScan, engine); + + int foundCount = 0; + + for (Dependency result : engine.getDependencies()) { + assertEquals(DEPENDENCY_ECOSYSTEM, result.getEcosystem()); + assertTrue(result.isVirtual()); + + switch(result.getName()) { + case "Autofac": + foundCount++; + assertTrue(result.getEvidence(EvidenceType.PRODUCT).toString().contains("Autofac")); + assertTrue(result.getEvidence(EvidenceType.VERSION).toString().contains("4.6.2")); + break; + + case "Microsoft.AspNet.WebApi.Core": + foundCount++; + assertTrue(result.getEvidence(EvidenceType.PRODUCT).toString().contains("Microsoft.AspNet.WebApi.Core")); + assertTrue(result.getEvidence(EvidenceType.VERSION).toString().contains("5.2.4")); + break; + + case "Microsoft.Owin": + foundCount++; + assertTrue(result.getEvidence(EvidenceType.PRODUCT).toString().contains("Microsoft.Owin")); + assertTrue(result.getEvidence(EvidenceType.VERSION).toString().contains("3.1.0")); + break; + + case "Newtonsoft.Json": + foundCount++; + assertTrue(result.getEvidence(EvidenceType.PRODUCT).toString().contains("Newtonsoft.Json")); + assertTrue(result.getEvidence(EvidenceType.VERSION).toString().contains("10.0.3")); + break; + } + } + assertEquals("4 dependencies should be found", 4, foundCount); + } + } +} diff --git a/core/target/test-classes/nugetconf/packages.config b/core/target/test-classes/nugetconf/packages.config new file mode 100644 index 00000000000..860a52fc31a --- /dev/null +++ b/core/target/test-classes/nugetconf/packages.config @@ -0,0 +1,7 @@ + + + + + + + \ No newline at end of file From 18615711988186dac442a39eca1e081ddab792eb Mon Sep 17 00:00:00 2001 
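Review bot: `testNugetconfAnalysis` loads `nugetconf/packages.config` through `BaseTest.getResourceAsFile`, but the fixture this commit adds lives under `core/target/test-classes/`, a build-output directory that `mvn clean` deletes and that is normally untracked, so the test fails on a clean checkout; move it to `core/src/test/resources/nugetconf/packages.config`. The `switch` over `result.getName()` has no `default`, so any unexpected virtual dependency passes unnoticed as long as the four named ones are present; add `default: fail("unexpected dependency " + result.getName());` with a static import of `org.junit.Assert.fail`. The version assertions go through `toString()` of the evidence collection, which is loose (`10.0.3` also matches `110.0.3`); asserting on the evidence value itself would be more robust if the API exposes it. The license header credits Paul Irwin, which looks carried over from the template test rather than this author; confirm the intended copyright line.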
From: Igor Andriushchenko Date: Mon, 30 Jul 2018 00:12:42 +0200 Subject: [PATCH 09/14] Fix spelling --- .../src/main/java/org/owasp/dependencycheck/utils/Settings.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java index d11f23e841d..1617bc4649e 100644 --- a/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java +++ b/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java @@ -351,7 +351,7 @@ public static final class KEYS { */ public static final String ANALYZER_NUSPEC_ENABLED = "analyzer.nuspec.enabled"; /** - * The properties key for whether the .NET Nuget packages config analyzer is enabled. + * The properties key for whether the .NET Nuget packages.config analyzer is enabled. */ public static final String ANALYZER_NUGETCONF_ENABLED = "analyzer.nugetconf.enabled"; /** From 135fd6f5fb76a76df691036cfc10b06fd8918a21 Mon Sep 17 00:00:00 2001 From: Igor Andriushchenko Date: Mon, 30 Jul 2018 00:37:49 +0200 Subject: [PATCH 10/14] Add documentation for Nugetconf Analyzer --- ant/src/site/markdown/configuration.md | 1 + cli/src/site/markdown/arguments.md | 1 + maven/src/site/markdown/configuration.md | 1 + src/site/markdown/analyzers/index.md | 1 + src/site/markdown/analyzers/nugetconf-analyzer.md | 9 +++++++++ .../dependency-check-gradle/configuration-aggregate.md | 1 + .../markdown/dependency-check-gradle/configuration.md | 1 + 7 files changed, 15 insertions(+) create mode 100644 src/site/markdown/analyzers/nugetconf-analyzer.md diff --git a/ant/src/site/markdown/configuration.md b/ant/src/site/markdown/configuration.md index e63bc087e24..b17f3264dc8 100644 --- a/ant/src/site/markdown/configuration.md +++ b/ant/src/site/markdown/configuration.md 
@@ -92,6 +92,7 @@ retireJsAnalyzerEnabled | Sets whether the [experimental](../analyze retirejsFilterNonVulnerable | Configures the RetireJS Analyzer to remove non-vulnerable JS dependencies from the report. | false retirejsFilter | A nested configuration that can be specified multple times; The regex defined is used to filter JS files based on content. |   nuspecAnalyzerEnabled | Sets whether the .NET Nuget Nuspec Analyzer will be used. | true +nugetconfAnalyzerEnabled | Sets whether the .NET Nuget packages.config Analyzer will be used. | true cocoapodsAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. | true bundleAuditAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Bundle Audit Analyzer should be used. | true bundleAuditPath | Sets the path to the bundle audit executable; only used if bundle audit analyzer is enabled and experimental analyzers are enabled. |   diff --git a/cli/src/site/markdown/arguments.md b/cli/src/site/markdown/arguments.md index e23d3c3c552..f93d0fabe0a 100644 --- a/cli/src/site/markdown/arguments.md +++ b/cli/src/site/markdown/arguments.md @@ -62,6 +62,7 @@ Short | Argument Name        | Paramete | \-\-nexus | \ | The url to the Nexus Server's web service end point (example: http://domain.enterprise/nexus/service/local/). If not set the Nexus Analyzer will be disabled. |   | \-\-nexusUsesProxy | \ | Whether or not the defined proxy should be used when connecting to Nexus. | true | \-\-disableNuspec | | Sets whether or not the .NET Nuget Nuspec Analyzer will be used. | false + | \-\-disableNugetconf | | Sets whether or not the .NET Nuget packages.config Analyzer will be used. | false | \-\-disableAssembly | | Sets whether or not the .NET Assembly Analyzer should be used. | false | \-\-mono | \ | The path to Mono for .NET Assembly analysis on non-windows systems. |   | \-\-bundleAudit | | The path to the bundle-audit executable. |   
diff --git a/maven/src/site/markdown/configuration.md b/maven/src/site/markdown/configuration.md index 48d4b283a3c..560d9647d70 100644 --- a/maven/src/site/markdown/configuration.md +++ b/maven/src/site/markdown/configuration.md @@ -71,6 +71,7 @@ nodeAnalyzerEnabled | Sets whether the [retired](../analyzers/index.ht nspAnalyzerEnabled | Sets whether the NSP Analyzer should be used. | true retireJsAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) RetireJS Analyzer should be used. | true nuspecAnalyzerEnabled | Sets whether the .NET Nuget Nuspec Analyzer will be used. | true +nugetconfAnalyzerEnabled | Sets whether the .NET Nuget packages.config Analyzer will be used. | true cocoapodsAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. | true bundleAuditAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Bundle Audit Analyzer should be used. | true bundleAuditPath | Sets the path to the bundle audit executable; only used if bundle audit analyzer is enabled and experimental analyzers are enabled. |   diff --git a/src/site/markdown/analyzers/index.md b/src/site/markdown/analyzers/index.md index cdfc2fdca3e..5fabb9efefa 100644 --- a/src/site/markdown/analyzers/index.md +++ b/src/site/markdown/analyzers/index.md 
@@ -12,6 +12,7 @@ to extract identification information from the files analyzed. | [Node.js](./nodejs.html) | NPM package specification files (package.json) | Parses the package.json to gather a bill-of-materials for a Node JS project. | | [NSP](./nsp-analyzer.html) | [Node Security Project](https://nodesecurity.io) is used to analyze Node.js' `package.json` files for known vulnerable packages.| | [Nuspec](./nuspec-analyzer.html) | Nuget package specification file (\*.nuspec) | Uses XPath to parse specification XML. | +| [Nugetconf](./nugetconf-analyzer.html) | Nuget packages.config file | Uses XPath to parse specification XML. | | [OpenSSL](./openssl.html) | OpenSSL Version Source Header File (opensslv.h) | Regex parse of the OPENSSL_VERSION_NUMBER macro definition. | | [Ruby bundler‑audit](./bundle-audit.html) | Ruby `Gemfile.lock` files | Executes bundle-audit and incorporates the results into the dependency-check report. | diff --git a/src/site/markdown/analyzers/nugetconf-analyzer.md b/src/site/markdown/analyzers/nugetconf-analyzer.md new file mode 100644 index 00000000000..9144b5d558b --- /dev/null +++ b/src/site/markdown/analyzers/nugetconf-analyzer.md @@ -0,0 +1,9 @@ +Nugetconf Analyzer +============== + +OWASP dependency-check includes an analyzer that will scan NuGet's packages.config files to +collect information about the component being used. The evidence collected +is used by other analyzers to determine if there are any known vulnerabilities +associated with the component. + +Files Scanned: packages.config diff --git a/src/site/markdown/dependency-check-gradle/configuration-aggregate.md b/src/site/markdown/dependency-check-gradle/configuration-aggregate.md index 953220251d2..184e31b1e27 100644 --- a/src/site/markdown/dependency-check-gradle/configuration-aggregate.md +++ b/src/site/markdown/dependency-check-gradle/configuration-aggregate.md 
@@ -119,6 +119,7 @@ analyzers | pyPackageEnabled | Sets whether the [experimental](../analyz analyzers | rubygemsEnabled | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used. | true analyzers | opensslEnabled | Sets whether or not the openssl Analyzer should be used. | true analyzers | nuspecEnabled | Sets whether or not the .NET Nuget Nuspec Analyzer will be used. | true +analyzers | nugetconfEnabled | Sets whether or not the .NET Nuget packages.config Analyzer will be used. | true analyzers | assemblyEnabled | Sets whether or not the .NET Assembly Analyzer should be used. | true analyzers | pathToMono | The path to Mono for .NET assembly analysis on non-windows systems. |   analyzers | cmakeEnabled | Sets whether or not the [experimental](../analyzers/index.html) CMake Analyzer should be used. | true diff --git a/src/site/markdown/dependency-check-gradle/configuration.md b/src/site/markdown/dependency-check-gradle/configuration.md index 23bb7efb7c0..ba3e9cf0be0 100644 --- a/src/site/markdown/dependency-check-gradle/configuration.md +++ b/src/site/markdown/dependency-check-gradle/configuration.md 
@@ -119,6 +119,7 @@ analyzers | pyPackageEnabled | Sets whether the [experimental](../analyz analyzers | rubygemsEnabled | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used. | true analyzers | opensslEnabled | Sets whether or not the openssl Analyzer should be used. | true analyzers | nuspecEnabled | Sets whether or not the .NET Nuget Nuspec Analyzer will be used. | true +analyzers | nugetconfEnabled | Sets whether or not the .NET Nuget packages.config Analyzer will be used. | true analyzers | assemblyEnabled | Sets whether or not the .NET Assembly Analyzer should be used. | true analyzers | pathToMono | The path to Mono for .NET assembly analysis on non-windows systems. |   analyzers | cmakeEnabled | Sets whether or not the [experimental](../analyzers/index.html) CMake Analyzer should be used. | true From 2449ed1079a6b633e08654b6e0e4ee4f2d0ba58b Mon Sep 17 00:00:00 2001 From: Igor Andriushchenko Date: Mon, 30 Jul 2018 00:51:00 +0200 Subject: [PATCH 11/14] Make Nugetconf Analyzer experimental --- .../org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java index b9a0d5ee884..ee2a42abb2b 100644 --- a/core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java +++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java @@ -41,10 +41,12 @@ import org.owasp.dependencycheck.exception.InitializationException; /** - * Analyzer which will parse a Nuget packages.config file to gather module information. + * Analyzer which parses a Nuget packages.config file to gather module information. * * @author igoand */ + +@Experimental @ThreadSafe public class NugetconfAnalyzer extends AbstractFileTypeAnalyzer { From d4a048e3edb8fbff936bfc4f17e4973aefe76d64 Mon Sep 17 00:00:00 2001 
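Review bot: A blank line now separates the class Javadoc from `@Experimental`, so the doc comment no longer sits directly on the declaration it describes; keep the annotation immediately after `*/`, as `@ThreadSafe` is, so the comment stays visibly attached and style checkers do not flag it. No import is added for `Experimental` in this hunk, which is fine only if the annotation lives in the same `org.owasp.dependencycheck.analyzer` package; confirm it compiles. Because the analyzer is now gated as experimental while `analyzer.nugetconf.enabled` still defaults to true in the properties, a sentence in the Javadoc such as `* Marked experimental; it presumably only runs when experimental analyzers are enabled.` would save the next reader from wondering why an enabled analyzer produces nothing.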
From: Igor Andriushchenko Date: Mon, 30 Jul 2018 00:51:53 +0200 Subject: [PATCH 12/14] Update docs after making the analyzer experimental --- ant/src/site/markdown/configuration.md | 2 +- cli/src/site/markdown/arguments.md | 2 +- maven/src/site/markdown/configuration.md | 2 +- src/site/markdown/analyzers/index.md | 2 +- src/site/markdown/analyzers/nugetconf-analyzer.md | 4 ++++ .../dependency-check-gradle/configuration-aggregate.md | 2 +- src/site/markdown/dependency-check-gradle/configuration.md | 2 +- 7 files changed, 10 insertions(+), 6 deletions(-) diff --git a/ant/src/site/markdown/configuration.md b/ant/src/site/markdown/configuration.md index b17f3264dc8..77a07150970 100644 --- a/ant/src/site/markdown/configuration.md +++ b/ant/src/site/markdown/configuration.md @@ -92,7 +92,7 @@ retireJsAnalyzerEnabled | Sets whether the [experimental](../analyze retirejsFilterNonVulnerable | Configures the RetireJS Analyzer to remove non-vulnerable JS dependencies from the report. | false retirejsFilter | A nested configuration that can be specified multple times; The regex defined is used to filter JS files based on content. |   nuspecAnalyzerEnabled | Sets whether the .NET Nuget Nuspec Analyzer will be used. | true -nugetconfAnalyzerEnabled | Sets whether the .NET Nuget packages.config Analyzer will be used. | true +nugetconfAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) .NET Nuget packages.config Analyzer will be used. | true cocoapodsAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. | true bundleAuditAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Bundle Audit Analyzer should be used. | true bundleAuditPath | Sets the path to the bundle audit executable; only used if bundle audit analyzer is enabled and experimental analyzers are enabled. |   
diff --git a/cli/src/site/markdown/arguments.md b/cli/src/site/markdown/arguments.md index f93d0fabe0a..886fd6e8960 100644 --- a/cli/src/site/markdown/arguments.md +++ b/cli/src/site/markdown/arguments.md @@ -62,7 +62,7 @@ Short | Argument Name        | Paramete | \-\-nexus | \ | The url to the Nexus Server's web service end point (example: http://domain.enterprise/nexus/service/local/). If not set the Nexus Analyzer will be disabled. |   | \-\-nexusUsesProxy | \ | Whether or not the defined proxy should be used when connecting to Nexus. | true | \-\-disableNuspec | | Sets whether or not the .NET Nuget Nuspec Analyzer will be used. | false - | \-\-disableNugetconf | | Sets whether or not the .NET Nuget packages.config Analyzer will be used. | false + | \-\-disableNugetconf | | Sets whether or not the [experimental](../analyzers/index.html) .NET Nuget packages.config Analyzer will be used. | false | \-\-disableAssembly | | Sets whether or not the .NET Assembly Analyzer should be used. | false | \-\-mono | \ | The path to Mono for .NET Assembly analysis on non-windows systems. |   | \-\-bundleAudit | | The path to the bundle-audit executable. |   diff --git a/maven/src/site/markdown/configuration.md b/maven/src/site/markdown/configuration.md index 560d9647d70..d5643a1bf5b 100644 --- a/maven/src/site/markdown/configuration.md +++ b/maven/src/site/markdown/configuration.md 
@@ -71,7 +71,7 @@ nodeAnalyzerEnabled | Sets whether the [retired](../analyzers/index.ht nspAnalyzerEnabled | Sets whether the NSP Analyzer should be used. | true retireJsAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) RetireJS Analyzer should be used. | true nuspecAnalyzerEnabled | Sets whether the .NET Nuget Nuspec Analyzer will be used. | true -nugetconfAnalyzerEnabled | Sets whether the .NET Nuget packages.config Analyzer will be used. | true +nugetconfAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) .NET Nuget packages.config Analyzer will be used. | true cocoapodsAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. | true bundleAuditAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Bundle Audit Analyzer should be used. | true bundleAuditPath | Sets the path to the bundle audit executable; only used if bundle audit analyzer is enabled and experimental analyzers are enabled. |   diff --git a/src/site/markdown/analyzers/index.md b/src/site/markdown/analyzers/index.md index 5fabb9efefa..d5286227da5 100644 --- a/src/site/markdown/analyzers/index.md +++ b/src/site/markdown/analyzers/index.md 
@@ -12,7 +12,6 @@ to extract identification information from the files analyzed.
 | [Node.js](./nodejs.html) | NPM package specification files (package.json) | Parses the package.json to gather a bill-of-materials for a Node JS project. |
 | [NSP](./nsp-analyzer.html) | [Node Security Project](https://nodesecurity.io) is used to analyze Node.js' `package.json` files for known vulnerable packages.|
 | [Nuspec](./nuspec-analyzer.html) | Nuget package specification file (\*.nuspec) | Uses XPath to parse specification XML. |
-| [Nugetconf](./nugetconf-analyzer.html) | Nuget packages.config file | Uses XPath to parse specification XML. |
 | [OpenSSL](./openssl.html) | OpenSSL Version Source Header File (opensslv.h) | Regex parse of the OPENSSL_VERSION_NUMBER macro definition. |
 | [Ruby bundler‑audit](./bundle-audit.html) | Ruby `Gemfile.lock` files | Executes bundle-audit and incorporates the results into the dependency-check report. |
@@ -30,6 +29,7 @@ several teams have found them useful in their current state.
 | [CMake](./cmake.html) | CMake project files (CMakeLists.txt) and scripts (\*.cmake) | Regex scan for project initialization and version setting commands. |
 | [CocoaPods](./cocoapods.html) | CocoaPods `.podspec` files | Extracts dependency information from specification file. |
 | [Composer Lock](./composer-lock.html) | PHP [Composer](http://getcomposer.org) Lock files (composer.lock) | Parses PHP [Composer](http://getcomposer.org) lock files for exact versions of dependencies. |
+| [Nugetconf](./nugetconf-analyzer.html) | Nuget packages.config file | Uses XPath to parse specification XML. |
 | [Python](./python.html) | Python source files (\*.py); Package metadata files (PKG-INFO, METADATA); Package Distribution Files (\*.whl, \*.egg, \*.zip) | Regex scan of Python source files for setuptools metadata; Parse RFC822 header format for metadata in all other artifacts. |
 | [Ruby Gemspec](./ruby-gemspec.html) | Ruby makefiles (Rakefile); Ruby Gemspec files (\*.gemspec) | Regex scan Gemspec initialization blocks for metadata. |
 | [RetireJS](./retirejs-analyzer.html) | JavaScript files | Analyzes JavaScript files using the [RetireJS](https://github.com/RetireJS/retire.js) database. |
diff --git a/src/site/markdown/analyzers/nugetconf-analyzer.md b/src/site/markdown/analyzers/nugetconf-analyzer.md
index 9144b5d558b..c19be0a9360 100644
--- a/src/site/markdown/analyzers/nugetconf-analyzer.md
+++ b/src/site/markdown/analyzers/nugetconf-analyzer.md
@@ -1,6 +1,10 @@
 Nugetconf Analyzer
 ==============
+*Experimental*: This analyzer is considered experimental. While this analyzer may
+be useful and provide valid results more testing must be completed to ensure that
+the false negative/false positive rates are acceptable.
+
 OWASP dependency-check includes an analyzer that will scan NuGet's packages.config
 files to collect information about the component being used. The evidence collected
 is used by other analyzers to determine if there are any known vulnerabilities
diff --git a/src/site/markdown/dependency-check-gradle/configuration-aggregate.md b/src/site/markdown/dependency-check-gradle/configuration-aggregate.md
index 184e31b1e27..dd05119978b 100644
--- a/src/site/markdown/dependency-check-gradle/configuration-aggregate.md
+++ b/src/site/markdown/dependency-check-gradle/configuration-aggregate.md
@@ -119,7 +119,7 @@ analyzers | pyPackageEnabled | Sets whether the [experimental](../analyz
 analyzers | rubygemsEnabled | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used. | true
 analyzers | opensslEnabled | Sets whether or not the openssl Analyzer should be used. | true
 analyzers | nuspecEnabled | Sets whether or not the .NET Nuget Nuspec Analyzer will be used. | true
-analyzers | nugetconfEnabled | Sets whether or not the .NET Nuget packages.config Analyzer will be used. | true
+analyzers | nugetconfEnabled | Sets whether or not the [experimental](../analyzers/index.html) .NET Nuget packages.config Analyzer will be used. | true
 analyzers | assemblyEnabled | Sets whether or not the .NET Assembly Analyzer should be used. | true
 analyzers | pathToMono | The path to Mono for .NET assembly analysis on non-windows systems. |  
 analyzers | cmakeEnabled | Sets whether or not the [experimental](../analyzers/index.html) CMake Analyzer should be used. | true
diff --git a/src/site/markdown/dependency-check-gradle/configuration.md b/src/site/markdown/dependency-check-gradle/configuration.md
index ba3e9cf0be0..761bdb25057 100644
--- a/src/site/markdown/dependency-check-gradle/configuration.md
+++ b/src/site/markdown/dependency-check-gradle/configuration.md
@@ -119,7 +119,7 @@ analyzers | pyPackageEnabled | Sets whether the [experimental](../analyz
 analyzers | rubygemsEnabled | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used. | true
 analyzers | opensslEnabled | Sets whether or not the openssl Analyzer should be used. | true
 analyzers | nuspecEnabled | Sets whether or not the .NET Nuget Nuspec Analyzer will be used. | true
-analyzers | nugetconfEnabled | Sets whether or not the .NET Nuget packages.config Analyzer will be used. | true
+analyzers | nugetconfEnabled | Sets whether or not the [experimental](../analyzers/index.html) .NET Nuget packages.config Analyzer will be used. | true
 analyzers | assemblyEnabled | Sets whether or not the .NET Assembly Analyzer should be used. | true
 analyzers | pathToMono | The path to Mono for .NET assembly analysis on non-windows systems. |  
 analyzers | cmakeEnabled | Sets whether or not the [experimental](../analyzers/index.html) CMake Analyzer should be used. | true
From e3d59a85166b0e75feaf21e8c484d3c7a00b1a60 Mon Sep 17 00:00:00 2001
From: Igor Andriushchenko
Date: Mon, 30 Jul 2018 01:03:30 +0200
Subject: [PATCH 13/14] Fix author handle

---
 .../org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java | 2 +-
 .../dependencycheck/data/nuget/NugetconfParseException.java | 2 +-
 .../org/owasp/dependencycheck/data/nuget/NugetconfParser.java | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java
index ee2a42abb2b..f62282a46f9 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzer.java
@@ -43,7 +43,7 @@
 /**
  * Analyzer which parses a Nuget packages.config file to gather module information.
  *
- * @author igoand
+ * @author doshyt
  */
 @Experimental
diff --git a/core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetconfParseException.java b/core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetconfParseException.java
index 4a17bb21d5e..e094e7f6b49 100644
--- a/core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetconfParseException.java
+++ b/core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetconfParseException.java
@@ -22,7 +22,7 @@
 /**
  * Exception during the parsing of a packages.config file.
  *
- * @author igoand
+ * @author doshyt
  */
 @ThreadSafe
 public class NugetconfParseException extends Exception {
diff --git a/core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetconfParser.java b/core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetconfParser.java
index afd5cca763a..27d019a157e 100644
--- a/core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetconfParser.java
+++ b/core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetconfParser.java
@@ -23,7 +23,7 @@
 /**
  * Interface defining methods for parsing a packages.config file.
  *
- * @author igoand
+ * @author doshyt
  *
  */
 public interface NugetconfParser {
From 539f2b9d243867ef64697baa907578474e4685b4 Mon Sep 17 00:00:00 2001
From: Igor Andriushchenko
Date: Mon, 30 Jul 2018 09:49:13 +0200
Subject: [PATCH 14/14] Address automated code review findings

---
 .../main/java/org/owasp/dependencycheck/taskdefs/Check.java | 2 +-
 .../owasp/dependencycheck/analyzer/NugetconfAnalyzerTest.java | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java b/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
index 360a34a2f37..4b672aa4362 100644
--- a/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
+++ b/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
@@ -684,7 +684,7 @@ public void setNuspecAnalyzerEnabled(Boolean nuspecAnalyzerEnabled) {
 /**
  * Sets whether or not the analyzer is enabled.
  *
- * @param nuspecAnalyzerEnabled the value of the new setting
+ * @param nugetconfAnalyzerEnabled the value of the new setting
  */
 public void setNugetconfAnalyzerEnabled(Boolean nugetconfAnalyzerEnabled) {
 this.nugetconfAnalyzerEnabled = nugetconfAnalyzerEnabled;
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzerTest.java
index 65ea5c78bc9..884f329fb5f 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzerTest.java
@@ -99,6 +99,9 @@ public void testNugetconfAnalysis() throws Exception {
 assertTrue(result.getEvidence(EvidenceType.PRODUCT).toString().contains("Newtonsoft.Json"));
 assertTrue(result.getEvidence(EvidenceType.VERSION).toString().contains("10.0.3"));
 break;
+
+ default :
+ break;
 }
 }
 assertEquals("4 dependencies should be found", 4, foundCount);
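Review bot: The added `default : break;` in testNugetconfAnalysis makes the switch silently accept any dependency whose name matches none of the listed cases, so an unexpected entry produced by the analyzer would pass through this branch without comment. In a test a failing default is more useful than one that swallows the case: `default:` followed by `fail("unexpected dependency in packages.config fixture");` (JUnit's Assert.fail, alongside the assertTrue/assertEquals already used here). Whether the trailing `assertEquals` on foundCount would still catch a stray entry depends on where foundCount is incremented, which, like the switch expression and the other cases, lies outside the hunk. As a point of style, `default :` with a space before the colon diverges from the conventional `default:`.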