diff --git a/build.gradle b/build.gradle
index c828cd7..d46ba41 100644
--- a/build.gradle
+++ b/build.gradle
@@ -16,67 +16,35 @@ * Copyright (c) 2015 Wei Ma. All Rights Reserved. */ -ext { - odcVersion = '10.0.3' - openVulnClientVersion = '5.1.1' - slackWebhookVersion = '1.4.0' - spockCoreVersion = '2.3-groovy-3.0' +plugins { + id('groovy') + id('idea') + id('eclipse') + id('signing') + id('project-report') + id('build-dashboard') + alias(libs.plugins.gradle.plugin.publish) } group = 'org.owasp' -version = "${odcVersion}" - -buildscript { - repositories { - mavenLocal() - mavenCentral() - maven { - url 'https://plugins.gradle.org/m2/' - } - } - dependencies { - classpath "com.gradle.publish:plugin-publish-plugin:0.11.0" - } -} - -apply plugin: 'groovy' -apply plugin: 'java-gradle-plugin' -apply plugin: 'idea' -apply plugin: 'eclipse' -apply plugin: 'maven-publish' -apply plugin: 'signing' -apply plugin: 'project-report' -apply plugin: 'build-dashboard' -apply plugin: 'com.gradle.plugin-publish' - -repositories { - mavenLocal() - maven { - name 'OWASP dependency-check snapshot' - url 'https://oss.sonatype.org/content/repositories/snapshots' - } - mavenCentral() -} +version = libs.versions.odc.get() dependencies { - implementation( - localGroovy(), - gradleApi() - ) - api( - "org.owasp:dependency-check-core:$odcVersion", - "org.owasp:dependency-check-utils:$odcVersion", - "io.github.jeremylong:open-vulnerability-clients:$openVulnClientVersion", - "net.gpedro.integrations.slack:slack-webhook:$slackWebhookVersion" - ) + implementation localGroovy() + implementation gradleApi() + + api libs.owasp.dependencyCheck.core + api libs.owasp.dependencyCheck.utils + api libs.openVuln.clients + api libs.slack.webhook testImplementation gradleTestKit() - testImplementation("org.spockframework:spock-core:$spockCoreVersion") { + testImplementation(libs.spock.core) { exclude module: 'groovy-all' } - testImplementation 'org.junit.jupiter:junit-jupiter-api:5.9.3' - testImplementation 'org.junit.jupiter:junit-jupiter-params:5.9.3' - testRuntimeOnly 
'org.junit.jupiter:junit-jupiter-engine:5.9.3' + testImplementation libs.junit.jupiter.api + testImplementation libs.junit.jupiter.params + testRuntimeOnly libs.junit.jupiter.engine } test { useJUnitPlatform() @@ -86,13 +54,10 @@ test.onlyIf { !project.hasProperty('skipTests') } java { sourceCompatibility = JavaVersion.VERSION_1_8 targetCompatibility = JavaVersion.VERSION_1_8 - - withJavadocJar() - withSourcesJar() } javadoc { - if(JavaVersion.current().isJava9Compatible()) { + if (JavaVersion.current().isJava9Compatible()) { options.addBooleanOption('html5', true) } } @@ -100,14 +65,13 @@ javadoc { publishing { publications { maven(MavenPublication) { - groupId "$group" - artifactId 'dependency-check-gradle' - version "$version" + groupId = project.group + artifactId = 'dependency-check-gradle' + version = project.version from components.java pom { name = 'dependency-check-gradle' - description = 'OWASP dependency-check gradle plugin is a software ' + - 'composition analysis tool used to find known vulnerable dependencies.' + description = 'OWASP dependency-check gradle plugin is a software composition analysis tool used to find known vulnerable dependencies.' url = 'https://jeremylong.github.io/DependencyCheck/' @@ -131,15 +95,14 @@ publishing { } } } - pluginPublication (MavenPublication) { - groupId "$group" - artifactId 'dependency-check-gradle' - version "$version" + pluginPublication(MavenPublication) { + groupId = project.group + artifactId = 'dependency-check-gradle' + version = project.version from components.java pom { name = 'dependency-check-gradle' - description = 'OWASP dependency-check gradle plugin is a software ' + - 'composition analysis tool used to find known vulnerable dependencies.' + description = 'OWASP dependency-check gradle plugin is a software composition analysis tool used to find known vulnerable dependencies.' url = 'https://jeremylong.github.io/DependencyCheck/' 
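Review bot: The new plugins {} block at the top of the @@ -16 hunk no longer applies java-gradle-plugin or maven-publish, yet the publishing {} and gradlePlugin {} blocks later in the file still depend on both. As far as I know the com.gradle.plugin-publish 1.x plugin applies them automatically, so the build probably works, but that coupling is invisible to a reader; adding `id('java-gradle-plugin')` and `id('maven-publish')` to the block states the dependency explicitly. The same implicit reliance applies to the removal of `withJavadocJar()` / `withSourcesJar()` in the @@ -86 hunk, which only stays correct if the publish plugin keeps generating those jars; a one-line comment there, `// sources and javadoc jars are added by com.gradle.plugin-publish`, would record the assumption.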
@@ -179,21 +142,19 @@ signing { sign publishing.publications.pluginPublication } -pluginBundle { +gradlePlugin { website = 'http://jeremylong.github.io/DependencyCheck/dependency-check-gradle/index.html' vcsUrl = 'https://github.com/dependency-check/dependency-check-gradle/' - description = 'A software composition analysis plugin that identifies known vulnerable dependencies used by the project.' - tags = ['OWASP', 'dependency-check', 'gradle-plugin', 'software-composition-analysis', 'vulnerability-detection', 'security'] plugins { dependencyCheck { id = 'org.owasp.dependencycheck' displayName = 'OWASP dependency-check-gradle plugin' + description = 'A software composition analysis plugin that identifies known vulnerable dependencies used by the project.' + tags.addAll('OWASP', 'dependency-check', 'gradle-plugin', 'software-composition-analysis', 'vulnerability-detection', 'security') + implementationClass = 'org.owasp.dependencycheck.gradle.DependencyCheckPlugin' } } - mavenCoordinates { - groupId = "org.owasp" - } } publish.dependsOn publishPlugins diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml new file mode 100644 index 0000000..d4ff7ae --- /dev/null +++ b/gradle/libs.versions.toml 
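Review bot: `website` in the new gradlePlugin {} block keeps a plain-http URL while vcsUrl and the POM urls in the earlier hunks use https; this value is published as plugin-portal metadata, so it should be `website = 'https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/index.html'`. Moving description and tags under the dependencyCheck plugin entry and setting implementationClass here is consistent with the deleted META-INF descriptor later in the diff, so no functional gap is visible from the hunk.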
@@ -0,0 +1,21 @@
+[versions]
+odc = '10.0.3'
+spock = '2.3-groovy-3.0'
+junit = '5.10.3'
+
+[libraries]
+owasp-dependencyCheck-core = { module = "org.owasp:dependency-check-core", version.ref = "odc" }
+owasp-dependencyCheck-utils = { module = "org.owasp:dependency-check-utils", version.ref = "odc" }
+openVuln-clients = { module = "io.github.jeremylong:open-vulnerability-clients", version = "6.1.7" }
+slack-webhook = { module = "net.gpedro.integrations.slack:slack-webhook", version = "1.4.0" }
+
+junit-jupiter-api = { module = 'org.junit.jupiter:junit-jupiter-api', version.ref = "junit" }
+junit-jupiter-params = { module = 'org.junit.jupiter:junit-jupiter-params', version.ref = "junit" }
+junit-jupiter-engine = { module = 'org.junit.jupiter:junit-jupiter-engine', version.ref = "junit" }
+
+spock-core = { module = 'org.spockframework:spock-core', version.ref = "spock" }
+
+[bundles]
+
+[plugins]
+gradle-plugin-publish = { id = "com.gradle.plugin-publish", version = "1.2.1" }
\ No newline at end of file
diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar
index afba109..2c35211 100644
Binary files a/gradle/wrapper/gradle-wrapper.jar and b/gradle/wrapper/gradle-wrapper.jar differ
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
index 5c00f61..09523c0 100644
--- a/gradle/wrapper/gradle-wrapper.properties
+++ b/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.6.4-all.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.9-bin.zip
 networkTimeout=10000
+validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
diff --git a/gradlew b/gradlew
index 65dcd68..f5feea6 100755
--- a/gradlew
+++ b/gradlew
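Review bot: The catalog silently changes two dependency versions relative to the ext block removed from build.gradle: open-vulnerability-clients goes from 5.1.1 to 6.1.7 and junit from 5.9.3 to 5.10.3, and a major-version bump of a runtime `api` dependency is a functional change hiding inside a build-system refactor. It should either be a separate commit or be called out in the commit message, and whether 6.1.7 is the version dependency-check-core 10.0.3 itself expects is not verifiable from the diff — worth confirming, since Gradle conflict resolution will pick the higher one regardless. Minor style: the file mixes single- and double-quoted TOML strings across entries and ends without a trailing newline.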
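Review bot: The wrapper now downloads gradle-8.9-bin.zip with `validateDistributionUrl=true`, but that setting checks the URL, not the integrity of the archive that is downloaded; no `distributionSha256Sum` is declared, so the build trusts whatever the server returns. Adding `distributionSha256Sum=<sha256 of gradle-8.9-bin.zip from the official Gradle checksums page — placeholder>` makes the wrapper reject a tampered or mis-served distribution. The same commit replaces gradle-wrapper.jar as a binary, which cannot be reviewed here; its checksum should be compared against the jar shipped with the 8.9 release before merging.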
@@ -15,6 +15,8 @@ # See the License for the specific language governing permissions and # limitations under the License. # +# SPDX-License-Identifier: Apache-2.0 +# ############################################################################## # @@ -55,7 +57,7 @@ # Darwin, MinGW, and NonStop. # # (3) This script is generated from the Groovy template -# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# https://github.com/gradle/gradle/blob/HEAD/platforms/jvm/plugins-application/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt # within the Gradle project. # # You can find Gradle at https://github.com/gradle/gradle/. @@ -83,10 +85,9 @@ done # This is normally unused # shellcheck disable=SC2034 APP_BASE_NAME=${0##*/} -APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s +' "$PWD" ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. MAX_FD=maximum @@ -133,10 +134,13 @@ location of your Java installation." fi else JAVACMD=java - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. 
@@ -144,7 +148,7 @@ if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then case $MAX_FD in #( max*) # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. - # shellcheck disable=SC3045 + # shellcheck disable=SC2039,SC3045 MAX_FD=$( ulimit -H -n ) || warn "Could not query maximum file descriptor limit" esac @@ -152,7 +156,7 @@ if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then '' | soft) :;; #( *) # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. - # shellcheck disable=SC3045 + # shellcheck disable=SC2039,SC3045 ulimit -n "$MAX_FD" || warn "Could not set maximum file descriptor limit to $MAX_FD" esac @@ -197,11 +201,15 @@ if "$cygwin" || "$msys" ; then done fi -# Collect all arguments for the java command; -# * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of -# shell script including quotes and variable substitutions, so put them in -# double quotes to make sure that they get re-expanded; and -# * put everything else in single quotes, so that it's not re-expanded. + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. set -- \ "-Dorg.gradle.appname=$APP_BASE_NAME" \ diff --git a/gradlew.bat b/gradlew.bat index 6689b85..9b42019 100644 --- a/gradlew.bat +++ b/gradlew.bat 
@@ -13,6 +13,8 @@ @rem See the License for the specific language governing permissions and @rem limitations under the License. @rem +@rem SPDX-License-Identifier: Apache-2.0 +@rem @if "%DEBUG%"=="" @echo off @rem ########################################################################## @@ -43,11 +45,11 @@ set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 if %ERRORLEVEL% equ 0 goto execute -echo. -echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. -echo. -echo Please set the JAVA_HOME variable in your environment to match the -echo location of your Java installation. +echo. 1>&2 +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 goto fail @@ -57,11 +59,11 @@ set JAVA_EXE=%JAVA_HOME%/bin/java.exe if exist "%JAVA_EXE%" goto execute -echo. -echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% -echo. -echo Please set the JAVA_HOME variable in your environment to match the -echo location of your Java installation. +echo. 1>&2 +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 goto fail diff --git a/settings.gradle b/settings.gradle index 522f2e6..84a4d49 100644 --- a/settings.gradle +++ b/settings.gradle @@ -16,4 +16,22 @@ * Copyright (c) 2015 Wei Ma. All Rights Reserved. */ -rootProject.name = 'dependency-check-gradle' \ No newline at end of file +pluginManagement { + repositories { + gradlePluginPortal() + } +} + +dependencyResolutionManagement() { + repositories { + mavenLocal() + maven { + name 'OWASP dependency-check snapshot' + url 'https://oss.sonatype.org/content/repositories/snapshots' + } + mavenCentral() + } +} + + +rootProject.name = 'dependency-check-gradle' 
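Review bot: In the new dependencyResolutionManagement block of settings.gradle, mavenLocal() and the Sonatype snapshots repository are both consulted before mavenCentral() with no content filtering, so any artifact in the build — including JUnit, Spock and the slack/open-vulnerability clients — can now be served from the snapshot repository or a local ~/.m2 if a matching coordinate appears there first. Restricting the snapshot repository to the groups it is actually needed for, `content { includeGroup 'org.owasp' }` (optionally with `mavenContent { snapshotsOnly() }`), keeps everything else resolving from Maven Central; the same filter would suit mavenLocal() if it is only there for local dependency-check builds. Style nit: `dependencyResolutionManagement() {` carries empty parentheses that the neighbouring `pluginManagement {` block does not.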
diff --git a/src/main/resources/META-INF/gradle-plugins/org.owasp.dependencycheck.properties b/src/main/resources/META-INF/gradle-plugins/org.owasp.dependencycheck.properties
deleted file mode 100644
index d0edede..0000000
--- a/src/main/resources/META-INF/gradle-plugins/org.owasp.dependencycheck.properties
+++ /dev/null
@@ -1,19 +0,0 @@
-#
-# This file is part of dependency-check-gradle.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Copyright (c) 2015 Wei Ma. All Rights Reserved.
-#
-
-implementation-class=org.owasp.dependencycheck.gradle.DependencyCheckPlugin
\ No newline at end of file
diff --git a/src/main/resources/META-INF/licenses/gradle/LICENSE.txt b/src/main/resources/META-INF/licenses/gradle/LICENSE.txt
deleted file mode 100644
index d645695..0000000
--- a/src/main/resources/META-INF/licenses/gradle/LICENSE.txt
+++ /dev/null
@@ -1,202 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License.