Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add the ability to manually specify addtional CPE entries to be checked. #361

Merged
merged 3 commits into from
Mar 15, 2024
Merged

Add the ability to manually specify addtional CPE entries to be checked. #361

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
89a639a
Add the ability to manually specify addtional CPE entries to be checked.
gordoninnes Nov 10, 2023
9cc9648
Apply suggestions from code review
gordoninnes Jan 17, 2024
c28dba9
Fix build issue from last commit.
gordoninnes Jan 18, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 29 additions & 0 deletions src/main/groovy/org/owasp/dependencycheck/gradle/extension/AdditionalCpe.groovy
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
package org.owasp.dependencycheck.gradle.extension

import org.gradle.api.Named

/**
* Holder for the information regarding an additional CPE to be checked.
*/
@groovy.transform.CompileStatic
class AdditionalCpe implements Named {

AdditionalCpe(String name) {
this.name = name;
}

/**
* Name assigned to the CPE entry during configuration.
*/
String name;

/**
* Description for the what the CPE represents.
*/
String description

/**
* The CPE to be checked against the database.
*/
String cpe
}
16 changes: 16 additions & 0 deletions src/main/groovy/org/owasp/dependencycheck/gradle/extension/DependencyCheckExtension.groovy
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,8 @@

package org.owasp.dependencycheck.gradle.extension

import org.gradle.api.Action
import org.gradle.api.NamedDomainObjectContainer
import org.gradle.api.Project

import java.util.stream.Collectors
Expand Down Expand Up @@ -210,12 +212,18 @@ class DependencyCheckExtension {
* A set of files or folders to scan.
*/
List<File> scanSet
/**
* Additional CPE to be analyzed.
*/
NamedDomainObjectContainer<AdditionalCpe> additionalCpes =
project.objects.domainObjectContainer(AdditionalCpe.class)

/**
* The configuration extension for cache settings.
*/
CacheExtension cache = new CacheExtension()


/**
* Allows programmatic configuration of the proxy extension
* @param configClosure the closure to configure the proxy extension
Expand Down Expand Up @@ -278,4 +286,12 @@ class DependencyCheckExtension {
def cache(Closure configClosure) {
return project.configure(cache, configClosure)
}

/**
* Allows programmatic configuration of additional CPEs to be analyzed
* @param action the action used to add entries to additional CPEs container.
*/
def additionalCpes(Action<NamedDomainObjectContainer<AdditionalCpe>> action) {
action.execute(additionalCpes)
}
}
16 changes: 16 additions & 0 deletions src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,10 +43,13 @@ import org.owasp.dependencycheck.dependency.Confidence
import org.owasp.dependencycheck.dependency.Dependency
import org.owasp.dependencycheck.dependency.IncludedByReference
import org.owasp.dependencycheck.dependency.Vulnerability
import org.owasp.dependencycheck.dependency.naming.CpeIdentifier
import org.owasp.dependencycheck.exception.ExceptionCollection
import org.owasp.dependencycheck.exception.ReportException
import org.owasp.dependencycheck.gradle.service.SlackNotificationSenderService
import org.owasp.dependencycheck.utils.SeverityUtil
import org.owasp.dependencycheck.utils.Checksum
import us.springett.parsers.cpe.CpeParser
gordoninnes marked this conversation as resolved.
Show resolved Hide resolved

import static org.owasp.dependencycheck.dependency.EvidenceType.PRODUCT
import static org.owasp.dependencycheck.dependency.EvidenceType.VENDOR
Expand Down Expand Up @@ -458,6 +461,19 @@ abstract class AbstractAnalyze extends ConfiguredTask {
}
}
}

config.additionalCpes.each {
var dependency = new Dependency(true);
dependency.setDescription(it.description)
dependency.setDisplayFileName(it.cpe);
dependency.setSha1sum(Checksum.getSHA1Checksum(it.cpe));
dependency.setSha256sum(Checksum.getSHA256Checksum(it.cpe));
dependency.setMd5sum(Checksum.getMD5Checksum(it.cpe));
dependency.addVulnerableSoftwareIdentifier(new CpeIdentifier(CpeParser.parse(it.cpe), Confidence.HIGHEST))
dependency.setFileName("")
dependency.setActualFilePath("")
engine.addDependency(dependency)
}
}

/**
Expand Down
13 changes: 13 additions & 0 deletions ...vy/org/owasp/dependencycheck/gradle/DependencyCheckConfigurationSelectionIntegSpec.groovy
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,19 @@ class DependencyCheckConfigurationSelectionIntegSpec extends Specification {
//result.output.contains('CVE-2015-5262')
}

def "additional CPEs are scanned when present"() {
given:
copyBuildFileIntoProjectDir('scanAdditionalCpesConfiguration.gradle')

when:
def result = executeTaskAndGetResult(ANALYZE_TASK, false)

then:
result.task(":$ANALYZE_TASK").outcome == FAILED
result.output.contains('CVE-2015-6420')
result.output.contains('CVE-2016-3092')
}

def "custom configurations are scanned by default"() {
given:
copyBuildFileIntoProjectDir('scanCustomConfiguration.gradle')
Expand Down
21 changes: 21 additions & 0 deletions src/test/groovy/org/owasp/dependencycheck/gradle/DependencyCheckGradlePluginSpec.groovy
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -148,6 +148,23 @@ class DependencyCheckGradlePluginSpec extends Specification {
suppressionFiles = ['./src/config/suppression1.xml', './src/config/suppression2.xml']
suppressionFileUser = 'suppressionFileUsername'
suppressionFilePassword = 'suppressionFilePassword'

additionalCpes {
additional1 {
description = "Additional1"
cpe = "cpe:2.3:a:aGroup1:aPackage1:123:*:*:*:*:*:*:*"
}

additional2 {
description = "Additional2"
cpe = "cpe:2.3:a:aGroup2:aPackage2:123:*:*:*:*:*:*:*"
}

additional3 {
description = "Additional3"
cpe = "cpe:2.3:a:aGroup3:aPackage3:123:*:*:*:*:*:*:*"
}
}
}

then:
Expand Down Expand Up @@ -185,6 +202,10 @@ class DependencyCheckGradlePluginSpec extends Specification {
project.dependencyCheck.analyzers.retirejs.filterNonVulnerable == true
project.dependencyCheck.slack.enabled == true
project.dependencyCheck.slack.webhookUrl == slackWebhookUrl
project.dependencyCheck.additionalCpes.size() == 3
project.dependencyCheck.additionalCpes.getByName('additional1').description == 'Additional1'
project.dependencyCheck.additionalCpes.getByName('additional1').cpe == 'cpe:2.3:a:aGroup1:aPackage1:123:*:*:*:*:*:*:*'

}

def 'scanConfigurations and skipConfigurations are mutually exclusive'() {
Expand Down
26 changes: 26 additions & 0 deletions src/test/resources/scanAdditionalCpesConfiguration.gradle
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
plugins {
id 'org.owasp.dependencycheck'
id 'java'
}

sourceCompatibility = 1.5
version = '1.0'

repositories {
mavenLocal()
mavenCentral()
}

dependencyCheck {
failBuildOnCVSS = 0
additionalCpes {
commonsCollections {
description = "Commons Collections 3.2"
cpe = "cpe:2.3:a:apache:commons_collections:3.2:*:*:*:*:*:*:*"
}
commonsFileUpload {
description = "Commons File Upload 1.3.1"
cpe = "cpe:2.3:a:apache:commons_fileupload:1.3.1:*:*:*:*:*:*:*"
}
}
}
Loading