
feat: utilize nvd api
jeremylong committed Nov 22, 2023
1 parent f98d14c commit 4ee066f
Showing 18 changed files with 121 additions and 90 deletions.
13 changes: 9 additions & 4 deletions README.md
Expand Up @@ -5,6 +5,11 @@
The dependency-check gradle plugin allows projects to monitor dependent libraries for
known, published vulnerabilities.

## 9.0.0 Upgrade Notice

**Breaking Changes** are included in the 9.0.0 release. Please see the [9.0.0 Upgrade Notice](https://github.com/jeremylong/DependencyCheck#900-upgrade-notice)
on the primary dependency-check site for more information.

## Current Release

The latest version is
Expand All @@ -25,7 +30,7 @@ buildscript {
mavenCentral()
}
dependencies {
classpath 'org.owasp:dependency-check-gradle:8.4.3'
classpath 'org.owasp:dependency-check-gradle:9.0.0'
}
}
Expand Down Expand Up @@ -62,7 +67,7 @@ buildscript {
mavenCentral()
}
dependencies {
classpath 'org.owasp:dependency-check-gradle:8.4.3'
classpath 'org.owasp:dependency-check-gradle:9.0.0'
}
}
Expand All @@ -79,7 +84,7 @@ buildscript {
mavenCentral()
}
dependencies {
classpath 'org.owasp:dependency-check-gradle:8.4.3'
classpath 'org.owasp:dependency-check-gradle:9.0.0'
}
}
Expand Down Expand Up @@ -108,7 +113,7 @@ subprojects {

```kotlin
plugins {
id("org.owasp.dependencycheck") version "8.4.3" apply false
id("org.owasp.dependencycheck") version "9.0.0" apply false
}

allprojects {
4 changes: 3 additions & 1 deletion build.gradle
Expand Up @@ -17,7 +17,8 @@
*/

ext {
odcVersion = '8.4.3'
odcVersion = '9.0.0'
openVulnClientVersion = '5.0.1'
slackWebhookVersion = '1.4.0'
spockCoreVersion = '2.3-groovy-3.0'
}
Expand Down Expand Up @@ -64,6 +65,7 @@ dependencies {
api(
"org.owasp:dependency-check-core:$odcVersion",
"org.owasp:dependency-check-utils:$odcVersion",
"io.github.jeremylong:open-vulnerability-clients:$openVulnClientVersion",
"net.gpedro.integrations.slack:slack-webhook:$slackWebhookVersion"
)


This file was deleted.

Expand Up @@ -61,7 +61,7 @@ class DependencyCheckExtension {
/**
* The configuration extension that defines the location of the NVD CVE data.
*/
CveExtension cve = new CveExtension()
NvdExtension nvd = new NvdExtension()

/**
* The configuration extension that configures the hosted suppressions file.
Expand All @@ -81,10 +81,6 @@ class DependencyCheckExtension {
* Set to false if the proxy does not support HEAD requests. The default is true.
*/
Boolean quickQueryTimestamp
/**
* The number of hours to wait before checking for additional updates from the NVD.
*/
Integer cveValidForHours
/**
* The directory where the reports will be written. Defaults to 'build/reports'.
*/
Expand Down Expand Up @@ -235,12 +231,12 @@ class DependencyCheckExtension {
}

/**
* Allows programmatic configuration of the cve extension
* @param configClosure the closure to configure the cve extension
* @return the cve extension
* Allows programmatic configuration of the nvd extension
* @param configClosure the closure to configure the nvd extension
* @return the nvd extension
*/
def cve(Closure configClosure) {
return project.configure(cve, configClosure)
def nvd(Closure configClosure) {
return project.configure(nvd, configClosure)
}

/**
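Review bot: The Javadoc above the renamed field still reads "defines the location of the NVD CVE data", which described the old `cve` extension but not `NvdExtension`, whose primary members are an API key and a request delay. Suggest `* The configuration extension for NVD API access (API key, request delay, validity window) and the optional cached data feed.` The hunk also removes `cveValidForHours` and the `cve(Closure)` method with no deprecated forwarding property, so an existing build script that sets either fails at configuration time with a generic missing-property error; a sentence in the README upgrade notice naming `nvd.validForHours` and `nvd { }` as the replacements would make that failure self-explanatory. The class continues outside the hunk.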
@@ -0,0 +1,47 @@
/*
* This file is part of dependency-check-gradle.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2023 Jeremy Long. All Rights Reserved.
*/

package org.owasp.dependencycheck.gradle.extension;

@groovy.transform.CompileStatic
class NvdExtension {
/**
* The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key.
*/
String apiKey
/**
* The number of milliseconds to wait between calls to the NVD API.
*/
Integer delay
/**
* The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data.
*/
String datafeedUrl
/**
* Credentials used for basic authentication for the NVD API Data feed.
*/
String datafeedUser
/**
* Credentials used for basic authentication for the NVD API Data feed.
*/
String datafeedPassword
/**
* The number of hours to wait before checking for new updates from the NVD. The default is 4 hours.
*/
Integer validForHours
}
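Review bot: The Javadoc on `datafeedUser` and `datafeedPassword` is identical ("Credentials used for basic authentication for the NVD API Data feed."), so a reader cannot tell which field holds the username, and neither it nor the `apiKey` comment says the value is a secret that should not be committed in a build script. Suggest `/** The username used for basic authentication to the NVD API data feed. */` on `datafeedUser`, `/** The password used for basic authentication to the NVD API data feed; supply it via a Gradle property or environment variable rather than hard-coding it. */` on `datafeedPassword`, and the same supply-it-externally sentence appended to the `apiKey` Javadoc. The `validForHours` comment states a 4-hour default, but the field has no initializer, so that default is presumably applied downstream when the value is null; saying "when unset" would avoid implying this class sets it.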
Expand Up @@ -246,8 +246,8 @@ abstract class AbstractAnalyze extends ConfiguredTask {
Set<String> vulnerabilities = new HashSet<>();
for (Dependency d : engine.getDependencies()) {
for (Vulnerability v : d.getVulnerabilities()) {
if ((v.getCvssV2() != null && v.getCvssV2().getScore() >= config.failBuildOnCVSS)
|| (v.getCvssV3() != null && v.getCvssV3().getBaseScore() >= config.failBuildOnCVSS)
if ((v.getCvssV2() != null && v.getCvssV2().getCvssData() != null && v.getCvssV2().getCvssData().getBaseScore() >= config.failBuildOnCVSS)
|| (v.getCvssV3() != null && v.getCvssV3().getCvssData() != null && v.getCvssV3().getCvssData().getBaseScore() >= config.failBuildOnCVSS)
|| (v.getUnscoredSeverity() != null && SeverityUtil.estimateCvssV2(v.getUnscoredSeverity()) >= config.failBuildOnCVSS)
//safety net to fail on any if for some reason the above misses on 0
|| (config.failBuildOnCVSS <= 0.0f)) {
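Review bot: The two rewritten conditions each call `getCvssV2()`/`getCvssV3()` and `getCvssData()` three times, which makes an already long boolean hard to read and easy to get wrong the next time a level is added to the CVSS object model. Hoisting the two scores into locals before the `if` keeps the null handling in one place; if this file is Groovy, as the other plugin sources on this page appear to be, the safe-navigation operator does the intermediate null checks. The enclosing loop and method continue outside the hunk.
```groovy
for (Vulnerability v : d.getVulnerabilities()) {
    def v2Score = v.getCvssV2()?.getCvssData()?.getBaseScore()
    def v3Score = v.getCvssV3()?.getCvssData()?.getBaseScore()
    if ((v2Score != null && v2Score >= config.failBuildOnCVSS)
            || (v3Score != null && v3Score >= config.failBuildOnCVSS)
            // … unchanged: unscored-severity estimate and failBuildOnCVSS <= 0 safety net …
```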
Expand Up @@ -86,30 +86,20 @@ abstract class ConfiguredTask extends DefaultTask {
settings.setStringIfNotEmpty(DB_CONNECTION_STRING, config.data.connectionString)
settings.setStringIfNotEmpty(DB_USER, config.data.username)
settings.setStringIfNotEmpty(DB_PASSWORD, config.data.password)
settings.setStringIfNotEmpty(CVE_MODIFIED_JSON, config.cve.urlModified)
settings.setStringIfNotEmpty(CVE_BASE_JSON, config.cve.urlBase)
settings.setIntIfNotNull(CVE_DOWNLOAD_WAIT_TIME, config.cve.waitTime)
if (config.cve.startYear != null) {
if (config.cve.startYear >= 2002) {
settings.setInt(CVE_START_YEAR, config.cve.startYear)
} else {
throw new InvalidUserDataException('Invalid setting: `cve.startYear` must be 2002 or greater')
}
}
if (config.cve.user && config.cve.password) {
settings.setStringIfNotEmpty(CVE_USER, config.cve.user)
settings.setStringIfNotEmpty(CVE_PASSWORD, config.cve.password)


settings.setStringIfNotEmpty(NVD_API_KEY, config.nvd.apiKey)
settings.setIntIfNotNull(NVD_API_DELAY, config.nvd.delay)
settings.setIntIfNotNull(NVD_API_VALID_FOR_HOURS, config.nvd.validForHours);

settings.setStringIfNotEmpty(NVD_API_DATAFEED_URL, config.nvd.datafeedUrl)
if (config.nvd.datafeedUser && config.nvd.datafeedPassword) {
settings.setStringIfNotEmpty(NVD_API_DATAFEED_USER, config.nvd.datafeedUser)
settings.setStringIfNotEmpty(NVD_API_DATAFEED_PASSWORD, config.nvd.datafeedPassword)
}

settings.setBooleanIfNotNull(DOWNLOADER_QUICK_QUERY_TIMESTAMP, config.quickQueryTimestamp)
settings.setFloat(JUNIT_FAIL_ON_CVSS, config.junitFailOnCVSS)
if (config.cveValidForHours != null) {
if (config.cveValidForHours >= 0) {
settings.setInt(CVE_CHECK_VALID_FOR_HOURS, config.cveValidForHours)
} else {
throw new InvalidUserDataException('Invalid setting: `validForHours` must be 0 or greater')
}
}
settings.setBooleanIfNotNull(HOSTED_SUPPRESSIONS_ENABLED, config.hostedSuppressions.enabled)
settings.setBooleanIfNotNull(HOSTED_SUPPRESSIONS_FORCEUPDATE, config.hostedSuppressions.forceupdate)
settings.setStringIfNotNull(HOSTED_SUPPRESSIONS_URL, config.hostedSuppressions.url)
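Review bot: The removed `cveValidForHours` block rejected negative values with an `InvalidUserDataException`, but its replacement `settings.setIntIfNotNull(NVD_API_VALID_FOR_HOURS, config.nvd.validForHours);` passes any value through, so a negative `nvd.validForHours` (and likewise a negative `nvd.delay`) is no longer caught at configuration time. Keep the guard ahead of the new call: `if (config.nvd.validForHours != null && config.nvd.validForHours < 0) {` / `throw new InvalidUserDataException('Invalid setting: nvd.validForHours must be 0 or greater')` / `}`. The trailing semicolon on that line and the two blank lines inserted above the `NVD_API_KEY` call are also out of step with the rest of the method. The enclosing method starts and ends outside the hunk.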
Expand Up @@ -78,8 +78,8 @@ class DependencyCheckGradlePluginSpec extends Specification {
project.dependencyCheck.proxy.port == null
project.dependencyCheck.proxy.username == null
project.dependencyCheck.proxy.password == null
project.dependencyCheck.cve.urlModified == null
project.dependencyCheck.cve.urlBase == null
project.dependencyCheck.nvd.apiKey == null
project.dependencyCheck.nvd.delay == null
project.dependencyCheck.outputDirectory == "${project.buildDir}/reports"
project.dependencyCheck.quickQueryTimestamp == null
project.dependencyCheck.scanConfigurations == []
Expand All @@ -103,9 +103,9 @@ class DependencyCheckGradlePluginSpec extends Specification {
password = 'proxyPassword'
nonProxyHosts = ['localhost']
}
cve {
urlBase = 'urlBase'
urlModified = 'urlModified'
nvd {
apiKey = 'apiKey'
delay = 5000
}

hostedSuppressions {
Expand Down Expand Up @@ -157,8 +157,8 @@ class DependencyCheckGradlePluginSpec extends Specification {
project.dependencyCheck.proxy.password == 'proxyPassword'
project.dependencyCheck.proxy.nonProxyHosts == ['localhost']

project.dependencyCheck.cve.urlModified == 'urlModified'
project.dependencyCheck.cve.urlBase == 'urlBase'
project.dependencyCheck.nvd.apiKey == 'apiKey'
project.dependencyCheck.nvd.delay == 5000
project.dependencyCheck.hostedSuppressions.url == 'suppressionsurl'
project.dependencyCheck.hostedSuppressions.validForHours == 5
project.dependencyCheck.hostedSuppressions.forceupdate == true
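Review bot: The spec only exercises `nvd.apiKey` and `nvd.delay`; the new `datafeedUrl`, `datafeedUser`, `datafeedPassword` and `validForHours` properties get neither a default-value assertion nor a closure-configuration case, so a typo in those `NvdExtension` field names or in the `nvd(Closure)` wiring would pass unnoticed. Adding `project.dependencyCheck.nvd.validForHours == null` to the defaults block and `validForHours = 2` inside the `nvd { }` closure with a matching assertion would cover the gap with a few lines. The spec method continues outside the hunk.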
Expand Up @@ -57,6 +57,11 @@ class DependencyCheckPluginIntegSpec extends Specification {
dependencies {
implementation group: 'commons-collections', name: 'commons-collections', version: '3.2'
}
dependencyCheck {
nvd {
datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
}
""".stripIndent()
}
}
Expand Down Expand Up @@ -95,6 +100,11 @@ class DependencyCheckPluginIntegSpec extends Specification {
dependencies {
implementation group: 'commons-collections', name: 'commons-collections', version: '3.2'
}
dependencyCheck {
nvd {
datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
}
""".stripIndent()
}
}
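Review bot: The datafeed URL `'https://jeremylong.github.io/DependencyCheck/hb_nvd/'` is pasted verbatim in both hunks of this spec and again in each of the test resource files (aggregateParent, blacklistCustomConfiguration, noSkipTestGroups, outputDir, scanCustomConfiguration, skipCustomConfigurationViaWhitelist, skipGroups, skipTestGroups, suppressionFiles), so moving to another mirror later means editing eleven places. In the spec the literal could become a `static final String NVD_DATAFEED_URL` interpolated into the generated build scripts, and the resource files could read it from a Gradle property the test build passes through. Since every integration run now downloads from a public host, a short comment next to that constant noting the network dependency would help whoever first sees these tests fail offline.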
3 changes: 3 additions & 0 deletions src/test/resources/aggregateParent.gradle
Expand Up @@ -6,6 +6,9 @@ plugins {
dependencyCheck {
failOnError=true
format="ALL"
nvd {
datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
}

subprojects {
3 changes: 3 additions & 0 deletions src/test/resources/blacklistCustomConfiguration.gradle
Expand Up @@ -22,4 +22,7 @@ dependencies {
dependencyCheck {
failBuildOnCVSS = 0
skipConfigurations = ['foo']
nvd {
datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
}
3 changes: 3 additions & 0 deletions src/test/resources/noSkipTestGroups.gradle
Expand Up @@ -30,4 +30,7 @@ dependencies {
dependencyCheck {
failBuildOnCVSS = 0
skipTestGroups = false
nvd {
datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
}
4 changes: 3 additions & 1 deletion src/test/resources/outputDir.gradle
Expand Up @@ -20,5 +20,7 @@ dependencies {
}

dependencyCheck {

nvd {
datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
}
3 changes: 3 additions & 0 deletions src/test/resources/scanCustomConfiguration.gradle
Expand Up @@ -21,4 +21,7 @@ dependencies {

dependencyCheck {
failBuildOnCVSS = 0
nvd {
datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
}
3 changes: 3 additions & 0 deletions src/test/resources/skipCustomConfigurationViaWhitelist.gradle
Expand Up @@ -22,4 +22,7 @@ dependencies {
dependencyCheck {
failBuildOnCVSS = 0
scanConfigurations = ['runtime']
nvd {
datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
}
3 changes: 3 additions & 0 deletions src/test/resources/skipGroups.gradle
Expand Up @@ -20,4 +20,7 @@ dependencies {
dependencyCheck {
skipGroups = ['commons-collections', 'commons-httpclient', 'commons-io', 'commons-file']
failBuildOnCVSS = 0
nvd {
datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
}
3 changes: 3 additions & 0 deletions src/test/resources/skipTestGroups.gradle
Expand Up @@ -17,4 +17,7 @@ dependencies {

dependencyCheck {
failBuildOnCVSS = 0
nvd {
datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
}
3 changes: 3 additions & 0 deletions src/test/resources/suppressionFiles.gradle
Expand Up @@ -18,4 +18,7 @@ dependencyCheck {
}
failBuildOnCVSS = 0
suppressionFiles = ["${project.rootDir}/suppressions.xml"]
nvd {
datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
}

0 comments on commit 4ee066f
