From ea3ad7b5269c0ee7941251964ee1c642920df2b7 Mon Sep 17 00:00:00 2001 From: Daan Rijkers Date: Tue, 19 Nov 2024 15:23:01 +0100 Subject: [PATCH 1/2] fix: 7093 add username/password properties to be able to authenticate for central.content.url and analyzer.central.url again --- .../java/org/owasp/dependencycheck/App.java | 4 ++++ .../org/owasp/dependencycheck/CliParser.java | 8 +++++++ .../dependencycheck/utils/Downloader.java | 22 +++++++++++++++++++ .../owasp/dependencycheck/utils/Settings.java | 16 ++++++++++++++ 4 files changed, 50 insertions(+) diff --git a/cli/src/main/java/org/owasp/dependencycheck/App.java b/cli/src/main/java/org/owasp/dependencycheck/App.java index bac9da24cc..2b176c96d3 100644 --- a/cli/src/main/java/org/owasp/dependencycheck/App.java +++ b/cli/src/main/java/org/owasp/dependencycheck/App.java @@ -604,6 +604,10 @@ protected void populateSettings(CliParser cli) throws InvalidSettingException { cli.hasOption(CliParser.ARGUMENT.ENABLE_NEXUS)); settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_CENTRAL_URL, cli.getStringArgument(CliParser.ARGUMENT.CENTRAL_URL)); + settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_CENTRAL_USER, + cli.getStringArgument(CliParser.ARGUMENT.CENTRAL_USERNAME)); + settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_CENTRAL_PASSWORD, + cli.getStringArgument(CliParser.ARGUMENT.CENTRAL_PASSWORD)); settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_URL, cli.getStringArgument(CliParser.ARGUMENT.OSSINDEX_URL)); settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_USER, diff --git a/cli/src/main/java/org/owasp/dependencycheck/CliParser.java b/cli/src/main/java/org/owasp/dependencycheck/CliParser.java index 7a02e7d87e..4afa1c479a 100644 --- a/cli/src/main/java/org/owasp/dependencycheck/CliParser.java +++ b/cli/src/main/java/org/owasp/dependencycheck/CliParser.java 
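Review bot: The new `CENTRAL_PASSWORD` argument read in `populateSettings` puts the repository password on the command line, where it can show up in process listings, shell history and CI job logs. This patch also adds the `analyzer.central.password` property, so the Javadoc on `ARGUMENT.CENTRAL_PASSWORD` in the CliParser.java hunk could point users to it, for example `The password for the alternative Maven Central Search; prefer supplying it through a properties file on shared hosts.` Only the Central Search pair is wired into the CLI; `central.content.username` and `central.content.password` get no argument in this patch, which is presumably intentional but is not stated anywhere. `populateSettings` starts and ends outside the hunk.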
@@ -1360,6 +1360,14 @@ public static class ARGUMENT { * The alternative URL for Maven Central Search. */ public static final String CENTRAL_URL = "centralUrl"; + /** + * The username for the alternative Maven Central Search. + */ + public static final String CENTRAL_USERNAME = "centralUsername"; + /** + * The password for the alternative Maven Central Search. + */ + public static final String CENTRAL_PASSWORD = "centralPassword"; /** * Disables the Nexus Analyzer. */ diff --git a/utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java b/utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java index 2647b90014..de2f955cec 100644 --- a/utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java +++ b/utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java @@ -175,6 +175,8 @@ public void configure(Settings settings) throws InvalidSettingException { tryAddHostedSuppressionCredentials(settings, credentialsProvider); tryAddKEVCredentials(settings, credentialsProvider); tryAddNexusAnalyzerCredentials(settings, credentialsProvider); + tryAddCentralAnalyzerCredentials(settings, credentialsProvider); + tryAddCentralContentCredentials(settings, credentialsProvider); tryAddNVDApiDatafeed(settings, credentialsProvider); httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider); httpClientBuilderExplicitNoproxy.setDefaultCredentialsProvider(credentialsProvider); 
@@ -220,6 +222,26 @@ private void tryAddNexusAnalyzerCredentials(Settings settings, CredentialsStore } } + private void tryAddCentralAnalyzerCredentials(Settings settings, CredentialsStore credentialsStore) throws InvalidSettingException { + if (settings.getString(Settings.KEYS.ANALYZER_CENTRAL_PASSWORD) != null) { + addUserPasswordCreds(settings, credentialsStore, + Settings.KEYS.ANALYZER_CENTRAL_USER, + Settings.KEYS.ANALYZER_CENTRAL_URL, + Settings.KEYS.ANALYZER_CENTRAL_PASSWORD, + "Central Analyzer"); + } + } + + private void tryAddCentralContentCredentials(Settings settings, CredentialsStore credentialsStore) throws InvalidSettingException { + if (settings.getString(Settings.KEYS.CENTRAL_CONTENT_PASSWORD) != null) { + addUserPasswordCreds(settings, credentialsStore, + Settings.KEYS.CENTRAL_CONTENT_USER, + Settings.KEYS.CENTRAL_CONTENT_URL, + Settings.KEYS.CENTRAL_CONTENT_PASSWORD, + "Central Content"); + } + } + private void tryAddNVDApiDatafeed(Settings settings, CredentialsStore credentialsStore) throws InvalidSettingException { if (settings.getString(Settings.KEYS.NVD_API_DATAFEED_PASSWORD) != null) { addUserPasswordCreds(settings, credentialsStore, diff --git a/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java index ed5a48142d..d8c48eab53 100644 --- a/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java +++ b/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java 
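Review bot: `tryAddCentralAnalyzerCredentials` and `tryAddCentralContentCredentials` gate on the password alone, so a password set without a username, or with the URL key left at its default, is handed straight to `addUserPasswordCreds`. That helper is outside the hunk, so whether it rejects, skips or accepts such input cannot be seen here. The guard mirrors `tryAddNVDApiDatafeed` below it, but here the default for `analyzer.central.url` is the public Sonatype search host, so it is worth confirming that credentials are only registered when the URL has been overridden and uses `https`. A small tightening would be `if (settings.getString(Settings.KEYS.ANALYZER_CENTRAL_PASSWORD) != null && settings.getString(Settings.KEYS.ANALYZER_CENTRAL_USER) != null) {`, with the same for the content variant. Both methods would also benefit from a one-line Javadoc naming the URL key whose host the credentials are scoped to.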
@@ -620,6 +620,14 @@ public static final class KEYS { * Key for the URL to obtain content from Maven Central. */ public static final String CENTRAL_CONTENT_URL = "central.content.url"; + /** + * Key for the Username to obtain content from Maven Central. + */ + public static final String CENTRAL_CONTENT_USER = "central.content.username"; + /** + * Key for the Password to obtain content from Maven Central. + */ + public static final String CENTRAL_CONTENT_PASSWORD = "central.content.password"; /** * The properties key for whether the Central analyzer should use * parallel processing. @@ -656,6 +664,14 @@ public static final class KEYS { * The properties key for the Central search URL. */ public static final String ANALYZER_CENTRAL_URL = "analyzer.central.url"; + /** + * The properties key for the Central search username. + */ + public static final String ANALYZER_CENTRAL_USER = "analyzer.central.username"; + /** + * The properties key for the Central search password. + */ + public static final String ANALYZER_CENTRAL_PASSWORD = "analyzer.central.password"; /** * The properties key for the Central search query. */ From 3ad6492f8dccda807607024af2da7c02f3fd5996 Mon Sep 17 00:00:00 2001 From: Daan Rijkers Date: Thu, 21 Nov 2024 08:43:55 +0100 Subject: [PATCH 2/2] fix: 7093 Add cli arguments to arguments.md --- cli/src/site/markdown/arguments.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cli/src/site/markdown/arguments.md b/cli/src/site/markdown/arguments.md index 9eeddb4263..d8c72b6216 100644 --- a/cli/src/site/markdown/arguments.md +++ b/cli/src/site/markdown/arguments.md 
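Review bot: The two new `*_PASSWORD` keys hold secrets but are declared like any other string setting, and neither Settings.java hunk shows how their values are kept out of debug output. If the class masks sensitive keys when it logs or dumps properties (not visible here), confirm that `central.content.password` and `analyzer.central.password` match that mask. The Javadoc could state the expectation, e.g. `Key for the password used to obtain content from Maven Central; the value is a secret and must not be logged.` The `KEYS` class starts and ends outside both hunks.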
@@ -86,6 +86,8 @@ Advanced Options | | \-\-disableCentral | | Sets whether the Central Analyzer will be used. **Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).** If this analyzer is being disabled there is a good chance you also want to disable the Artifactory or Nexus Analyzer. |   | | | \-\-disableCentralCache | | When the argument is present the Central Analyzer will not cache results locally. By default results are cached locally for 30 days. |   | | | \-\-centralUrl | | Alternative URL for Maven Central Search. If not set the public Sonatype Maven Central will be used. | https://search.maven.org/solrsearch/select | +| | \-\-centralUsername | | The username to authenticate to the alternative Maven Central url set by the 'centralUrl' argument. If not set it will use an unauthenticated connection. |   | +| | \-\-centralPassword | | The password to authenticate to the alternative Maven Central url set by the 'centralUrl' argument. If not set it will use an unauthenticated connection. |   | | | \-\-enableNexus | | Sets whether the Nexus Analyzer will be used (requires Nexus v2 or Pro v3). You can configure the Nexus URL to utilize an internally hosted Nexus server. |   | | | \-\-enableArtifactory | | Sets whether Artifactory analyzer will be used |   | | | \-\-artifactoryUrl | \ | The Artifactory server URL. |   |