diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 92b4cdd..a7fc989 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -1,5 +1,5 @@
 [versions]
-odc = '11.1.1'
+odc = '11.1.2-SNAPSHOT'
 spock = '2.3-groovy-3.0'
 junit = '5.10.3'
diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/extension/AnalyzerExtension.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/extension/AnalyzerExtension.groovy
index 2bbf07f..e07c28b 100644
--- a/src/main/groovy/org/owasp/dependencycheck/gradle/extension/AnalyzerExtension.groovy
+++ b/src/main/groovy/org/owasp/dependencycheck/gradle/extension/AnalyzerExtension.groovy
@@ -39,18 +39,6 @@ class AnalyzerExtension {
 * Sets whether the Archive Analyzer will be used.
 */
 Boolean archiveEnabled
- /**
- * Sets whether the Known Exploited Vulnerability update and Analyzer will be used.
- */
- Boolean knownExploitedEnabled
- /**
- * URL to the CISA Known Exploited Vulnerabilities JSON data feed.
- */
- String knownExploitedURL
- /**
- * Controls the skipping of the check for Known Exploited Vulnerabilities updates.
- */
- Integer knownExploitedValidForHours
 /**
 * A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed.
 */
@@ -187,6 +175,11 @@ class AnalyzerExtension {
 @Deprecated
 Boolean ossIndexEnabled
+ /**
+ * The configuration extension for known exploited vulnerabilities settings.
+ */
+ KEVExtension kev = new KEVExtension()
+
 /**
 * The configuration extension for retirejs settings.
 */
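Review bot: The first AnalyzerExtension hunk deletes `knownExploitedEnabled`, `knownExploitedURL` and `knownExploitedValidForHours` with no deprecated replacement, so any build script that still assigns them fails at configuration time, and the libs.versions.toml bump to `11.1.2-SNAPSHOT` is only a patch increment that users will not read as an API break. Deprecated setters on AnalyzerExtension that forward to the new `kev` instance from the second hunk keep those scripts working; Groovy should resolve `knownExploitedEnabled = false` inside the `analyzers { }` closure to `setKnownExploitedEnabled`, which the spec could confirm with one extra assertion. Both hunks sit inside a class body that starts and ends outside them.
```groovy
    KEVExtension kev = new KEVExtension()

    /** @deprecated Use {@code kev { enabled = ... }} instead. */
    @Deprecated
    void setKnownExploitedEnabled(Boolean enabled) { kev.enabled = enabled }

    /** @deprecated Use {@code kev { url = ... }} instead. */
    @Deprecated
    void setKnownExploitedURL(String url) { kev.url = url }

    /** @deprecated Use {@code kev { validForHours = ... }} instead. */
    @Deprecated
    void setKnownExploitedValidForHours(Integer hours) { kev.validForHours = hours }
    // … unchanged: retirejs extension field and the rest of the class …
```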
@@ -212,6 +205,27 @@ class AnalyzerExtension {
 */
 OssIndexExtension ossIndex = new OssIndexExtension()
+ /**
+ * Allows programmatic configuration of the KEV extension
+ * @param configClosure the closure to configure the KEV extension
+ * @return the KEV extension
+ * @deprecated Use the {@code Action} variant instead
+ */
+ @Deprecated
+ def kev(Closure configClosure) {
+ return project.configure(kev, configClosure)
+ }
+
+ /**
+ * Allows programmatic configuration of the KEV extension
+ * @param config the action to configure the KEV extension
+ * @return the KEV extension
+ */
+ def kev(Action config) {
+ config.execute(kev)
+ return kev
+ }
+
+ /**
 * Allows programmatic configuration of the retirejs extension
+ * @param configClosure the closure to configure the retirejs extension
diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/extension/DependencyCheckExtension.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/extension/DependencyCheckExtension.groovy
index ed8ad2f..7017bb1 100644
--- a/src/main/groovy/org/owasp/dependencycheck/gradle/extension/DependencyCheckExtension.groovy
+++ b/src/main/groovy/org/owasp/dependencycheck/gradle/extension/DependencyCheckExtension.groovy
@@ -111,13 +111,17 @@ class DependencyCheckExtension {
 }
 }
 /**
- * The username for downloading the suppression file(s)
+ * The username for downloading the suppression file(s) from HTTP Basic protected locations
 */
 String suppressionFileUser
 /**
- * The password for downloading the suppression file(s)
+ * The password for downloading the suppression file(s) from HTTP Basic protected locations
 */
 String suppressionFilePassword
+ /**
+ * The token for downloading the suppression file(s) from HTTP Bearer protected locations
+ */
+ String suppressionFileBearerToken
 /**
 * The path to the hints file.
 */
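Review bot: `def kev(Action config)` declares a raw `Action`, so nothing ties the action's parameter to `KEVExtension`; `def kev(Action<? super KEVExtension> config)` gives typed callers (notably the Kotlin DSL) a checked receiver, and `def kev(@DelegatesTo(KEVExtension) Closure configClosure)` does the same for the deprecated overload, whose delegate `project.configure(kev, configClosure)` sets to `kev`. If the sibling `retirejs`/`ossIndex` overloads outside this hunk are declared raw as well, change them in the same commit so the extension stays uniform. The enclosing class continues past the hunk.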
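Review bot: `suppressionFileBearerToken` is added beside `suppressionFileUser`/`suppressionFilePassword`, but none of the three Javadocs say what the downloader does when a Basic pair and a Bearer token are both configured for the same location. The same gap appears in the new credential fields of HostedSuppressionsExtension, KEVExtension, NvdExtension and RetireJSExtension in the following hunks. One sentence on each bearer-token field, e.g. `* <PLACEHOLDER: state whether this token takes precedence over, or is mutually exclusive with, the Basic credentials — confirm against the core downloader>`, spares users a trial-and-error run against a protected mirror.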
diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/extension/HostedSuppressionsExtension.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/extension/HostedSuppressionsExtension.groovy
index a28200b..6c08c23 100644
--- a/src/main/groovy/org/owasp/dependencycheck/gradle/extension/HostedSuppressionsExtension.groovy
+++ b/src/main/groovy/org/owasp/dependencycheck/gradle/extension/HostedSuppressionsExtension.groovy
@@ -12,6 +12,18 @@ class HostedSuppressionsExtension {
 * The URL for a mirrored hosted suppressions file.
 */
 String url
+ /**
+ * Credentials used for basic authentication for a mirrored hosted suppressions file.
+ */
+ String user
+ /**
+ * Credentials used for basic authentication for a mirrored hosted suppressions file.
+ */
+ String password
+ /**
+ * Credentials used for bearer authentication for a mirrored hosted suppressions file.
+ */
+ String bearerToken
 /**
 * Whether the hosted suppressions file should be updated regardless of the `autoupdate` setting.
 */
diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/extension/KEVExtension.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/extension/KEVExtension.groovy
new file mode 100644
index 0000000..121c772
--- /dev/null
+++ b/src/main/groovy/org/owasp/dependencycheck/gradle/extension/KEVExtension.groovy
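Review bot: The Javadoc on `user` and `password` is identical (`Credentials used for basic authentication for a mirrored hosted suppressions file.`), so generated docs and IDE hovers cannot tell the two fields apart; the same copy-paste appears on the `user`/`password` pairs in KEVExtension and RetireJSExtension in the following hunks. Replace them with `* The username for HTTP Basic authentication against the mirrored hosted suppressions file.` and `* The password for HTTP Basic authentication against the mirrored hosted suppressions file; supply it from a Gradle property or environment variable rather than a committed build script.`, and give `bearerToken` the same provenance sentence. The class body continues outside the hunk.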
@@ -0,0 +1,28 @@
+package org.owasp.dependencycheck.gradle.extension
+
+class KEVExtension {
+ /**
+ * Sets whether the Known Exploited Vulnerability update and Analyzer will be used.
+ */
+ Boolean enabled
+ /**
+ * URL to the CISA Known Exploited Vulnerabilities JSON data feed.
+ */
+ String url
+ /**
+ * Credentials used for basic authentication for the CISA Known Exploited Vulnerabilities JSON data feed.
+ */
+ String user
+ /**
+ * Credentials used for basic authentication for the CISA Known Exploited Vulnerabilities JSON data feed.
+ */
+ String password
+ /**
+ * Credentials used for bearer authentication for the CISA Known Exploited Vulnerabilities JSON data feed.
+ */
+ String bearerToken
+ /**
+ * Controls the skipping of the check for Known Exploited Vulnerabilities updates.
+ */
+ Integer validForHours
+}
diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/extension/NvdExtension.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/extension/NvdExtension.groovy
index 70629ce..40ff7ae 100644
--- a/src/main/groovy/org/owasp/dependencycheck/gradle/extension/NvdExtension.groovy
+++ b/src/main/groovy/org/owasp/dependencycheck/gradle/extension/NvdExtension.groovy
@@ -48,6 +48,10 @@ class NvdExtension {
 * Credentials used for basic authentication for the NVD API Data feed.
 */
 String datafeedPassword
+ /**
+ * Credentials used for bearer authentication for the NVD API Data feed.
+ */
+ String datafeedBearerToken
 /**
 * The number of hours to wait before checking for new updates from the NVD. The default is 4 hours.
 */
diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/extension/RetireJSExtension.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/extension/RetireJSExtension.groovy
index 40c8aed..d01bc74 100644
--- a/src/main/groovy/org/owasp/dependencycheck/gradle/extension/RetireJSExtension.groovy
+++ b/src/main/groovy/org/owasp/dependencycheck/gradle/extension/RetireJSExtension.groovy
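Review bot: KEVExtension has no class-level Javadoc, and `validForHours` carries over the old wording `Controls the skipping of the check for Known Exploited Vulnerabilities updates.`, which says neither that the value is a number of hours nor what leaving it null means. A header such as `/** Settings for the CISA Known Exploited Vulnerabilities (KEV) feed, configured through the analyzers { kev { } } block of AnalyzerExtension. */` and a field comment modelled on NvdExtension's `The number of hours to wait before checking for new updates from the NVD.` would make the new file self-explanatory; `password` and `bearerToken` should also say they are secrets to be supplied from a Gradle property or environment variable. The doc should not promise range validation: the `-131` ConfiguredTask hunk passes the value straight through `setIntIfNotNull`, unlike the `>= 0` guard that method applies to `hostedSuppressions.validForHours`.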
@@ -39,6 +39,18 @@ class RetireJSExtension {
 * The Retire JS Repository URL.
 */
 String retireJsUrl
+ /**
+ * Credentials used for basic authentication for the Retire JS Repository URL.
+ */
+ String user
+ /**
+ * Credentials used for basic authentication for the Retire JS Repository URL.
+ */
+ String password
+ /**
+ * Credentials used for bearer authentication for the Retire JS Repository URL.
+ */
+ String bearerToken
 /**
 * Whether the Retire JS analyzer should be updated regardless of the `autoupdate` setting.
 */
diff --git a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/ConfiguredTask.groovy b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/ConfiguredTask.groovy
index e09ba40..9b74807 100644
--- a/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/ConfiguredTask.groovy
+++ b/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/ConfiguredTask.groovy
@@ -74,6 +74,7 @@ abstract class ConfiguredTask extends DefaultTask {
 settings.setArrayIfNotEmpty(SUPPRESSION_FILE, suppressionLists)
 settings.setStringIfNotEmpty(SUPPRESSION_FILE_USER, config.suppressionFileUser)
 settings.setStringIfNotEmpty(SUPPRESSION_FILE_PASSWORD, config.suppressionFilePassword)
+ settings.setStringIfNotEmpty(SUPPRESSION_FILE_BEARER_TOKEN, config.suppressionFileBearerToken)
 settings.setStringIfNotEmpty(HINTS_FILE, config.hintsFile)
 configureProxy(settings)
@@ -101,12 +102,16 @@ abstract class ConfiguredTask extends DefaultTask {
 settings.setStringIfNotEmpty(NVD_API_DATAFEED_USER, config.nvd.datafeedUser)
 settings.setStringIfNotEmpty(NVD_API_DATAFEED_PASSWORD, config.nvd.datafeedPassword)
 }
+ settings.setStringIfNotEmpty(NVD_API_DATAFEED_BEARER_TOKEN, config.nvd.datafeedBearerToken)
 settings.setBooleanIfNotNull(DOWNLOADER_QUICK_QUERY_TIMESTAMP, config.quickQueryTimestamp)
 settings.setFloat(JUNIT_FAIL_ON_CVSS, config.junitFailOnCVSS)
 settings.setBooleanIfNotNull(HOSTED_SUPPRESSIONS_ENABLED, config.hostedSuppressions.enabled)
 settings.setBooleanIfNotNull(HOSTED_SUPPRESSIONS_FORCEUPDATE, config.hostedSuppressions.forceupdate)
 settings.setStringIfNotNull(HOSTED_SUPPRESSIONS_URL, config.hostedSuppressions.url)
+ settings.setStringIfNotNull(HOSTED_SUPPRESSIONS_USER, config.hostedSuppressions.user)
+ settings.setStringIfNotNull(HOSTED_SUPPRESSIONS_PASSWORD, config.hostedSuppressions.password)
+ settings.setStringIfNotNull(HOSTED_SUPPRESSIONS_BEARER_TOKEN, config.hostedSuppressions.bearerToken)
 if (config.hostedSuppressions.validForHours != null) {
 if (config.hostedSuppressions.validForHours >= 0) {
 settings.setInt(HOSTED_SUPPRESSIONS_VALID_FOR_HOURS, config.hostedSuppressions.validForHours)
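Review bot: The three new `HOSTED_SUPPRESSIONS_USER`/`_PASSWORD`/`_BEARER_TOKEN` lines use `setStringIfNotNull`, while the credential lines earlier in the same method (`SUPPRESSION_FILE_USER`, `NVD_API_DATAFEED_PASSWORD` and the new `NVD_API_DATAFEED_BEARER_TOKEN`) use `setStringIfNotEmpty`; with the IfNotNull variant a build script that resolves a missing environment variable to `''` pushes an empty credential into the settings instead of leaving the key unset. `settings.setStringIfNotEmpty(HOSTED_SUPPRESSIONS_USER, config.hostedSuppressions.user)` and the same substitution on the password and bearer-token lines would align them; the `KEV_USER`/`KEV_PASSWORD`/`KEV_BEARER_TOKEN` lines in the `-131` hunk and the `ANALYZER_RETIREJS_REPO_JS_USER`/`_PASSWORD`/`_BEARER_TOKEN` lines in the `-173` hunk have the same inconsistency. Separately, `NVD_API_DATAFEED_BEARER_TOKEN` is set after the closing `}` of the block that guards the datafeed user/password; if that guard (outside the hunk) is meant to gate every datafeed credential the new line belongs inside it, and if not, a one-line comment such as `// bearer token is independent of the Basic user/password pair above` keeps the next editor from moving it. The method continues outside the hunk.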
@@ -131,9 +136,12 @@ abstract class ConfiguredTask extends DefaultTask {
 settings.setBooleanIfNotNull(ANALYZER_EXPERIMENTAL_ENABLED, config.analyzers.experimentalEnabled)
 settings.setBooleanIfNotNull(ANALYZER_ARCHIVE_ENABLED, config.analyzers.archiveEnabled)
- settings.setBooleanIfNotNull(ANALYZER_KNOWN_EXPLOITED_ENABLED, config.analyzers.knownExploitedEnabled)
- settings.setStringIfNotNull(KEV_URL, config.analyzers.knownExploitedURL)
- settings.setIntIfNotNull(KEV_CHECK_VALID_FOR_HOURS, config.analyzers.knownExploitedValidForHours)
+ settings.setBooleanIfNotNull(ANALYZER_KNOWN_EXPLOITED_ENABLED, config.analyzers.kev.enabled)
+ settings.setStringIfNotNull(KEV_URL, config.analyzers.kev.url)
+ settings.setIntIfNotNull(KEV_CHECK_VALID_FOR_HOURS, config.analyzers.kev.validForHours)
+ settings.setStringIfNotNull(KEV_USER, config.analyzers.kev.user)
+ settings.setStringIfNotNull(KEV_PASSWORD, config.analyzers.kev.password)
+ settings.setStringIfNotNull(KEV_BEARER_TOKEN, config.analyzers.kev.bearerToken)
 settings.setStringIfNotEmpty(ADDITIONAL_ZIP_EXTENSIONS, config.analyzers.zipExtensions)
 settings.setBooleanIfNotNull(ANALYZER_ASSEMBLY_ENABLED, config.analyzers.assemblyEnabled)
 settings.setBooleanIfNotNull(ANALYZER_MSBUILD_PROJECT_ENABLED, config.analyzers.msbuildEnabled)
@@ -173,6 +181,9 @@ abstract class ConfiguredTask extends DefaultTask {
 settings.setBooleanIfNotNull(ANALYZER_RETIREJS_ENABLED, config.analyzers.retirejs.enabled)
 settings.setBooleanIfNotNull(ANALYZER_RETIREJS_FORCEUPDATE, config.analyzers.retirejs.forceupdate)
 settings.setStringIfNotNull(ANALYZER_RETIREJS_REPO_JS_URL, config.analyzers.retirejs.retireJsUrl)
+ settings.setStringIfNotNull(ANALYZER_RETIREJS_REPO_JS_USER, config.analyzers.retirejs.user)
+ settings.setStringIfNotNull(ANALYZER_RETIREJS_REPO_JS_PASSWORD, config.analyzers.retirejs.password)
+ settings.setStringIfNotNull(ANALYZER_RETIREJS_REPO_JS_BEARER_TOKEN, config.analyzers.retirejs.bearerToken)
 settings.setBooleanIfNotNull(ANALYZER_RETIREJS_FILTER_NON_VULNERABLE, config.analyzers.retirejs.filterNonVulnerable)
 settings.setArrayIfNotEmpty(ANALYZER_RETIREJS_FILTERS, config.analyzers.retirejs.filters)
diff --git a/src/test/groovy/org/owasp/dependencycheck/gradle/DependencyCheckGradlePluginSpec.groovy b/src/test/groovy/org/owasp/dependencycheck/gradle/DependencyCheckGradlePluginSpec.groovy
index 6c95dac..3d1c73f 100644
--- a/src/test/groovy/org/owasp/dependencycheck/gradle/DependencyCheckGradlePluginSpec.groovy
+++ b/src/test/groovy/org/owasp/dependencycheck/gradle/DependencyCheckGradlePluginSpec.groovy
@@ -127,9 +127,11 @@ class DependencyCheckGradlePluginSpec extends Specification {
 url = 'https://example.com/artifacgtory'
 bearerToken = 'abc123=='
 }
- knownExploitedEnabled = false
- knownExploitedURL = "https://example.com"
- knownExploitedValidForHours = 12
+ kev {
+ enabled = false
+ url = "https://example.com"
+ validForHours = 12
+ }
 retirejs {
 filters = ['filter1', 'filter2']
 filterNonVulnerable = true
@@ -199,8 +201,8 @@ class DependencyCheckGradlePluginSpec extends Specification {
 project.dependencyCheck.analyzers.artifactory.enabled == true
 project.dependencyCheck.analyzers.artifactory.url == 'https://example.com/artifacgtory'
 project.dependencyCheck.analyzers.artifactory.bearerToken == 'abc123=='
- project.dependencyCheck.analyzers.knownExploitedEnabled == false
- project.dependencyCheck.analyzers.knownExploitedURL == "https://example.com"
+ project.dependencyCheck.analyzers.kev.enabled == false
+ project.dependencyCheck.analyzers.kev.url == "https://example.com"
 project.dependencyCheck.analyzers.retirejs.filters == ['filter1', 'filter2']
 project.dependencyCheck.analyzers.retirejs.filterNonVulnerable == true
 project.dependencyCheck.slack.enabled == true
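Review bot: `validForHours = 12`, set in the `kev { }` block of the `-127` hunk, is never asserted here — the two new `then:` lines only check `kev.enabled` and `kev.url` — so a regression in the `validForHours` mapping would pass this spec; add `project.dependencyCheck.analyzers.kev.validForHours == 12` next to them. None of the credential fields this commit introduces (`suppressionFileBearerToken`, `hostedSuppressions.user`/`password`/`bearerToken`, `nvd.datafeedBearerToken`, `retirejs.user`/`password`/`bearerToken`, `kev.user`/`password`/`bearerToken`) appear in either spec hunk; unless they are exercised elsewhere in the file, the same given/then pair should set and assert each of them with constructed values such as `bearerToken = 'kev-token-example'`. The feature method starts and ends outside both hunks.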