View Javadoc
1   /*
2    * This file is part of dependency-check-cli.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck;
19  
20  import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
21  
22  import java.io.File;
23  import java.io.FileNotFoundException;
24  
25  import org.apache.commons.cli.CommandLine;
26  import org.apache.commons.cli.CommandLineParser;
27  import org.apache.commons.cli.DefaultParser;
28  import org.apache.commons.cli.HelpFormatter;
29  import org.apache.commons.cli.Option;
30  import org.apache.commons.cli.OptionGroup;
31  import org.apache.commons.cli.Options;
32  import org.apache.commons.cli.ParseException;
33  import org.owasp.dependencycheck.reporting.ReportGenerator.Format;
34  import org.owasp.dependencycheck.utils.InvalidSettingException;
35  import org.owasp.dependencycheck.utils.Settings;
36  import org.slf4j.Logger;
37  import org.slf4j.LoggerFactory;
38  
39  /**
40   * A utility to parse command line arguments for the DependencyCheck.
41   *
42   * @author Jeremy Long
43   */
44  //suppress hard-coded password rule
45  @SuppressWarnings("squid:S2068")
46  public final class CliParser {
47  
48      /**
49       * The logger.
50       */
51      private static final Logger LOGGER = LoggerFactory.getLogger(CliParser.class);
52      /**
53       * The command line.
54       */
55      private CommandLine line;
56      /**
57       * Indicates whether the arguments are valid.
58       */
59      private boolean isValid = true;
60      /**
61       * The configured settings.
62       */
63      private final Settings settings;
64      /**
65       * The supported reported formats.
66       */
67      private static final String SUPPORTED_FORMATS = "HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB or ALL";
68  
69      /**
70       * Constructs a new CLI Parser object with the configured settings.
71       *
72       * @param settings the configured settings
73       */
74      public CliParser(Settings settings) {
75          this.settings = settings;
76      }
77  
78      /**
79       * Parses the arguments passed in and captures the results for later use.
80       *
81       * @param args the command line arguments
82       * @throws FileNotFoundException is thrown when a 'file' argument does not
83       * point to a file that exists.
84       * @throws ParseException is thrown when a Parse Exception occurs.
85       */
86      public void parse(String[] args) throws FileNotFoundException, ParseException {
87          line = parseArgs(args);
88  
89          if (line != null) {
90              validateArgs();
91          }
92      }
93  
94      /**
95       * Parses the command line arguments.
96       *
97       * @param args the command line arguments
98       * @return the results of parsing the command line arguments
99       * @throws ParseException if the arguments are invalid
100      */
101     private CommandLine parseArgs(String[] args) throws ParseException {
102         final CommandLineParser parser = new DefaultParser();
103         final Options options = createCommandLineOptions();
104         return parser.parse(options, args);
105     }
106 
107     /**
108      * Validates that the command line arguments are valid.
109      *
110      * @throws FileNotFoundException if there is a file specified by either the
111      * SCAN or CPE command line arguments that does not exist.
112      * @throws ParseException is thrown if there is an exception parsing the
113      * command line.
114      */
115     private void validateArgs() throws FileNotFoundException, ParseException {
116         if (isUpdateOnly() || isRunScan()) {
117 
118             String value = line.getOptionValue(ARGUMENT.NVD_API_VALID_FOR_HOURS);
119             if (value != null) {
120                 try {
121                     final int i = Integer.parseInt(value);
122                     if (i < 0) {
123                         throw new ParseException("Invalid Setting: nvdValidForHours must be a number greater than or equal to 0.");
124                     }
125                 } catch (NumberFormatException ex) {
126                     throw new ParseException("Invalid Setting: nvdValidForHours must be a number greater than or equal to 0.");
127                 }
128             }
129             value = line.getOptionValue(ARGUMENT.NVD_API_MAX_RETRY_COUNT);
130             if (value != null) {
131                 try {
132                     final int i = Integer.parseInt(value);
133                     if (i <= 0) {
134                         throw new ParseException("Invalid Setting: nvdMaxRetryCount must be a number greater than 0.");
135                     }
136                 } catch (NumberFormatException ex) {
137                     throw new ParseException("Invalid Setting: nvdMaxRetryCount must be a number greater than 0.");
138                 }
139             }
140             value = line.getOptionValue(ARGUMENT.NVD_API_DELAY);
141             if (value != null) {
142                 try {
143                     final int i = Integer.parseInt(value);
144                     if (i < 0) {
145                         throw new ParseException("Invalid Setting: nvdApiDelay must be a number greater than or equal to 0.");
146                     }
147                 } catch (NumberFormatException ex) {
148                     throw new ParseException("Invalid Setting: nvdApiDelay must be a number greater than or equal to 0.");
149                 }
150             }
151             value = line.getOptionValue(ARGUMENT.NVD_API_RESULTS_PER_PAGE);
152             if (value != null) {
153                 try {
154                     final int i = Integer.parseInt(value);
155                     if (i <= 0 || i > 2000) {
156                         throw new ParseException("Invalid Setting: nvdApiResultsPerPage must be a number in the range [1, 2000].");
157                     }
158                 } catch (NumberFormatException ex) {
159                     throw new ParseException("Invalid Setting: nvdApiResultsPerPage must be a number in the range [1, 2000].");
160                 }
161             }
162         }
163         if (isRunScan()) {
164             validatePathExists(getScanFiles(), ARGUMENT.SCAN);
165             validatePathExists(getReportDirectory(), ARGUMENT.OUT);
166             final String pathToCore = getStringArgument(ARGUMENT.PATH_TO_CORE);
167             if (pathToCore != null) {
168                 validatePathExists(pathToCore, ARGUMENT.PATH_TO_CORE);
169             }
170             if (line.hasOption(ARGUMENT.OUTPUT_FORMAT)) {
171                 for (String validating : getReportFormat()) {
172                     if (!isValidFormat(validating)
173                             && !isValidFilePath(validating, "format")) {
174                         final String msg = String.format("An invalid 'format' of '%s' was specified. "
175                                 + "Supported output formats are %s, and custom template files.",
176                                 validating, SUPPORTED_FORMATS);
177                         throw new ParseException(msg);
178                     }
179                 }
180             }
181             if (line.hasOption(ARGUMENT.SYM_LINK_DEPTH)) {
182                 try {
183                     final int i = Integer.parseInt(line.getOptionValue(ARGUMENT.SYM_LINK_DEPTH));
184                     if (i < 0) {
185                         throw new ParseException("Symbolic Link Depth (symLink) must be greater than zero.");
186                     }
187                 } catch (NumberFormatException ex) {
188                     throw new ParseException("Symbolic Link Depth (symLink) is not a number.");
189                 }
190             }
191         }
192     }
193 
194     /**
195      * Validates the format to be one of the known Formats.
196      *
197      * @param format the format to validate
198      * @return true, if format is known in Format; false otherwise
199      * @see Format
200      */
201     private boolean isValidFormat(String format) {
202         try {
203             Format.valueOf(format);
204             return true;
205         } catch (IllegalArgumentException ex) {
206             return false;
207         }
208     }
209 
210     /**
211      * Validates the path to point at an existing file.
212      *
213      * @param path the path to validate if it exists
214      * @param argumentName the argument being validated (e.g. scan, out, etc.)
215      * @return true, if path exists; false otherwise
216      */
217     private boolean isValidFilePath(String path, String argumentName) {
218         try {
219             validatePathExists(path, argumentName);
220             return true;
221         } catch (FileNotFoundException ex) {
222             return false;
223         }
224     }
225 
226     /**
227      * Validates whether or not the path(s) points at a file that exists; if the
228      * path(s) does not point to an existing file a FileNotFoundException is
229      * thrown.
230      *
231      * @param paths the paths to validate if they exists
232      * @param optType the option being validated (e.g. scan, out, etc.)
233      * @throws FileNotFoundException is thrown if one of the paths being
234      * validated does not exist.
235      */
236     private void validatePathExists(String[] paths, String optType) throws FileNotFoundException {
237         for (String path : paths) {
238             validatePathExists(path, optType);
239         }
240     }
241 
242     /**
243      * Validates whether or not the path points at a file that exists; if the
244      * path does not point to an existing file a FileNotFoundException is
245      * thrown.
246      *
247      * @param path the paths to validate if they exists
248      * @param argumentName the argument being validated (e.g. scan, out, etc.)
249      * @throws FileNotFoundException is thrown if the path being validated does
250      * not exist.
251      */
252     private void validatePathExists(String path, String argumentName) throws FileNotFoundException {
253         if (path == null) {
254             isValid = false;
255             final String msg = String.format("Invalid '%s' argument: null", argumentName);
256             throw new FileNotFoundException(msg);
257         } else if (!path.contains("*") && !path.contains("?")) {
258             File f = new File(path);
259             final String[] formats = this.getReportFormat();
260             if ("o".equalsIgnoreCase(argumentName.substring(0, 1)) && formats.length == 1 && !"ALL".equalsIgnoreCase(formats[0])) {
261                 final String checkPath = path.toLowerCase();
262                 if (checkPath.endsWith(".html") || checkPath.endsWith(".xml") || checkPath.endsWith(".htm")
263                         || checkPath.endsWith(".csv") || checkPath.endsWith(".json")) {
264                     if (f.getParentFile() == null) {
265                         f = new File(".", path);
266                     }
267                     if (!f.getParentFile().isDirectory()) {
268                         isValid = false;
269                         final String msg = String.format("Invalid '%s' argument: '%s' - directory path does not exist", argumentName, path);
270                         throw new FileNotFoundException(msg);
271                     }
272                 }
273             } else if ("o".equalsIgnoreCase(argumentName.substring(0, 1)) && !f.isDirectory()) {
274                 if (f.getParentFile() != null && f.getParentFile().isDirectory() && !f.mkdir()) {
275                     isValid = false;
276                     final String msg = String.format("Invalid '%s' argument: '%s' - unable to create the output directory", argumentName, path);
277                     throw new FileNotFoundException(msg);
278                 }
279                 if (!f.isDirectory()) {
280                     isValid = false;
281                     final String msg = String.format("Invalid '%s' argument: '%s' - path does not exist", argumentName, path);
282                     throw new FileNotFoundException(msg);
283                 }
284             } else if (!f.exists()) {
285                 isValid = false;
286                 final String msg = String.format("Invalid '%s' argument: '%s' - path does not exist", argumentName, path);
287                 throw new FileNotFoundException(msg);
288             }
289 //        } else if (path.startsWith("//") || path.startsWith("\\\\")) {
290 //            isValid = false;
291 //            final String msg = String.format("Invalid '%s' argument: '%s'%nUnable to scan paths that start with '//'.", argumentName, path);
292 //            throw new FileNotFoundException(msg);
293         } else if ((path.endsWith("/*") && !path.endsWith("**/*")) || (path.endsWith("\\*") && path.endsWith("**\\*"))) {
294             LOGGER.warn("Possibly incorrect path '{}' from argument '{}' because it ends with a slash star; "
295                     + "dependency-check uses ant-style paths", path, argumentName);
296         }
297     }
298 
299     /**
300      * Generates an Options collection that is used to parse the command line
301      * and to display the help message.
302      *
303      * @return the command line options used for parsing the command line
304      */
305     @SuppressWarnings("static-access")
306     private Options createCommandLineOptions() {
307         final Options options = new Options();
308         addStandardOptions(options);
309         addAdvancedOptions(options);
310         addDeprecatedOptions(options);
311         return options;
312     }
313 
314     /**
315      * Adds the standard command line options to the given options collection.
316      *
317      * @param options a collection of command line arguments
318      */
319     @SuppressWarnings("static-access")
320     private void addStandardOptions(final Options options) {
321         //This is an option group because it can be specified more then once.
322 
323         options.addOptionGroup(newOptionGroup(newOptionWithArg(ARGUMENT.SCAN_SHORT, ARGUMENT.SCAN, "path",
324                 "The path to scan - this option can be specified multiple times. Ant style paths are supported (e.g. 'path/**/*.jar'); "
325                 + "if using Ant style paths it is highly recommended to quote the argument value.")))
326                 .addOptionGroup(newOptionGroup(newOptionWithArg(ARGUMENT.EXCLUDE, "pattern", "Specify an exclusion pattern. This option "
327                         + "can be specified multiple times and it accepts Ant style exclusions.")))
328                 .addOption(newOptionWithArg(ARGUMENT.PROJECT, "name", "The name of the project being scanned."))
329                 .addOption(newOptionWithArg(ARGUMENT.OUT_SHORT, ARGUMENT.OUT, "path",
330                         "The folder to write reports to. This defaults to the current directory. It is possible to set this to a specific "
331                         + "file name if the format argument is not set to ALL."))
332                 .addOption(newOptionWithArg(ARGUMENT.OUTPUT_FORMAT_SHORT, ARGUMENT.OUTPUT_FORMAT, "format",
333                         "The report format (" + SUPPORTED_FORMATS + "). The default is HTML. Multiple format parameters can be specified."))
334                 .addOption(newOption(ARGUMENT.PRETTY_PRINT, "When specified the JSON and XML report formats will be pretty printed."))
335                 .addOption(newOption(ARGUMENT.VERSION_SHORT, ARGUMENT.VERSION, "Print the version information."))
336                 .addOption(newOption(ARGUMENT.HELP_SHORT, ARGUMENT.HELP, "Print this message."))
337                 .addOption(newOption(ARGUMENT.ADVANCED_HELP, "Print the advanced help message."))
338                 .addOption(newOption(ARGUMENT.DISABLE_AUTO_UPDATE_SHORT, ARGUMENT.DISABLE_AUTO_UPDATE,
339                         "Disables the automatic updating of the NVD-CVE, hosted-suppressions and RetireJS data."))
340                 .addOption(newOptionWithArg(ARGUMENT.VERBOSE_LOG_SHORT, ARGUMENT.VERBOSE_LOG, "file",
341                         "The file path to write verbose logging information."))
342                 .addOptionGroup(newOptionGroup(newOptionWithArg(ARGUMENT.SUPPRESSION_FILES, "file",
343                         "The file path to the suppression XML file. This can be specified more then once to utilize multiple suppression files")))
344                 .addOption(newOption(ARGUMENT.EXPERIMENTAL, "Enables the experimental analyzers."))
345                 .addOption(newOptionWithArg(ARGUMENT.NVD_API_KEY, "apiKey", "The API Key to access the NVD API."))
346                 .addOption(newOptionWithArg(ARGUMENT.FAIL_ON_CVSS, "score",
347                         "Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11; "
348                         + "since the CVSS scores are 0-10, by default the build will never fail."))
349                 .addOption(newOptionWithArg(ARGUMENT.FAIL_JUNIT_ON_CVSS, "score",
350                         "Specifies the CVSS score that is considered a failure when generating the junit report. The default is 0."));
351     }
352 
353     /**
354      * Adds the advanced command line options to the given options collection.
355      * These are split out for purposes of being able to display two different
356      * help messages.
357      *
358      * @param options a collection of command line arguments
359      */
360     @SuppressWarnings("static-access")
361     private void addAdvancedOptions(final Options options) {
362         options
363                 .addOption(newOption(ARGUMENT.UPDATE_ONLY,
364                         "Only update the local NVD data cache; no scan will be executed."))
365                 .addOption(newOptionWithArg(ARGUMENT.NVD_API_DELAY, "milliseconds",
366                         "Time in milliseconds to wait between downloading from the NVD."))
367                 .addOption(newOptionWithArg(ARGUMENT.NVD_API_RESULTS_PER_PAGE, "count",
368                         "The number records for a single page from NVD API (must be <=2000)."))
369                 .addOption(newOptionWithArg(ARGUMENT.NVD_API_ENDPOINT, "endpoint",
370                         "The NVD API Endpoint - setting this is rare."))
371                 .addOption(newOptionWithArg(ARGUMENT.NVD_API_DATAFEED_URL, "url",
372                         "The URL to the NVD API Datafeed."))
373                 .addOption(newOptionWithArg(ARGUMENT.NVD_API_DATAFEED_USER, "user",
374                         "Credentials for basic authentication to the NVD API Datafeed."))
375                 .addOption(newOptionWithArg(ARGUMENT.NVD_API_DATAFEED_PASSWORD, "password",
376                         "Credentials for basic authentication to the NVD API Datafeed."))
377                 .addOption(newOptionWithArg(ARGUMENT.NVD_API_MAX_RETRY_COUNT, "count",
378                         "The maximum number of retry requests for a single call to the NVD API."))
379                 .addOption(newOptionWithArg(ARGUMENT.NVD_API_VALID_FOR_HOURS, "hours",
380                         "The number of hours to wait before checking for new updates from the NVD."))
381                 .addOption(newOptionWithArg(ARGUMENT.PROXY_PORT, "port",
382                         "The proxy port to use when downloading resources."))
383                 .addOption(newOptionWithArg(ARGUMENT.PROXY_SERVER, "server",
384                         "The proxy server to use when downloading resources."))
385                 .addOption(newOptionWithArg(ARGUMENT.PROXY_USERNAME, "user",
386                         "The proxy username to use when downloading resources."))
387                 .addOption(newOptionWithArg(ARGUMENT.PROXY_PASSWORD, "pass",
388                         "The proxy password to use when downloading resources."))
389                 .addOption(newOptionWithArg(ARGUMENT.NON_PROXY_HOSTS, "list",
390                         "The proxy exclusion list: hostnames (or patterns) for which proxy should not be used. "
391                         + "Use pipe, comma or colon as list separator."))
392                 .addOption(newOptionWithArg(ARGUMENT.CONNECTION_TIMEOUT_SHORT, ARGUMENT.CONNECTION_TIMEOUT, "timeout",
393                         "The connection timeout (in milliseconds) to use when downloading resources."))
394                 .addOption(newOptionWithArg(ARGUMENT.CONNECTION_READ_TIMEOUT, "timeout",
395                         "The read timeout (in milliseconds) to use when downloading resources."))
396                 .addOption(newOptionWithArg(ARGUMENT.CONNECTION_STRING, "connStr",
397                         "The connection string to the database."))
398                 .addOption(newOptionWithArg(ARGUMENT.DB_NAME, "user",
399                         "The username used to connect to the database."))
400                 .addOption(newOptionWithArg(ARGUMENT.DATA_DIRECTORY_SHORT, ARGUMENT.DATA_DIRECTORY, "path",
401                         "The location of the H2 Database file. This option should generally not be set."))
402                 .addOption(newOptionWithArg(ARGUMENT.DB_PASSWORD, "password",
403                         "The password for connecting to the database."))
404                 .addOption(newOptionWithArg(ARGUMENT.DB_DRIVER, "driver",
405                         "The database driver name."))
406                 .addOption(newOptionWithArg(ARGUMENT.DB_DRIVER_PATH, "path",
407                         "The path to the database driver; note, this does not need to be set unless the JAR is "
408                         + "outside of the classpath."))
409                 .addOption(newOptionWithArg(ARGUMENT.SYM_LINK_DEPTH, "depth",
410                         "Sets how deep nested symbolic links will be followed; 0 indicates symbolic links will not be followed."))
411                 .addOption(newOptionWithArg(ARGUMENT.PATH_TO_BUNDLE_AUDIT, "path",
412                         "The path to bundle-audit for Gem bundle analysis."))
413                 .addOption(newOptionWithArg(ARGUMENT.PATH_TO_BUNDLE_AUDIT_WORKING_DIRECTORY, "path",
414                         "The path to working directory that the bundle-audit command should be executed from when "
415                         + "doing Gem bundle analysis."))
416                 .addOption(newOptionWithArg(ARGUMENT.CENTRAL_URL, "url",
417                         "Alternative URL for Maven Central Search. If not set the public Sonatype Maven Central will be used."))
418                 .addOption(newOptionWithArg(ARGUMENT.OSSINDEX_URL, "url",
419                         "Alternative URL for the OSS Index. If not set the public Sonatype OSS Index will be used."))
420                 .addOption(newOptionWithArg(ARGUMENT.OSSINDEX_USERNAME, "username",
421                         "The username to authenticate to Sonatype's OSS Index. If not set the Sonatype OSS Index "
422                         + "Analyzer will use an unauthenticated connection."))
423                 .addOption(newOptionWithArg(ARGUMENT.OSSINDEX_PASSWORD, "password", ""
424                         + "The password to authenticate to Sonatype's OSS Index. If not set the Sonatype OSS "
425                         + "Index Analyzer will use an unauthenticated connection."))
426                 .addOption(newOptionWithArg(ARGUMENT.OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, "true/false", ""
427                         + "Whether a Sonatype OSS Index remote error should result in a warning only or a failure."))
428                 .addOption(newOption(ARGUMENT.RETIRE_JS_FORCEUPDATE, "Force the RetireJS Analyzer to update "
429                         + "even if autoupdate is disabled"))
430                 .addOption(newOptionWithArg(ARGUMENT.RETIREJS_URL, "url",
431                         "The Retire JS Repository URL"))
432                 .addOption(newOptionWithArg(ARGUMENT.RETIREJS_URL_USER, "username",
433                         "The password to authenticate to Retire JS Repository URL"))
434                 .addOption(newOptionWithArg(ARGUMENT.RETIREJS_URL_PASSWORD, "password",
435                         "The password to authenticate to Retire JS Repository URL"))
436                 .addOption(newOption(ARGUMENT.RETIREJS_FILTER_NON_VULNERABLE, "Specifies that the Retire JS "
437                         + "Analyzer should filter out non-vulnerable JS files from the report."))
438                 .addOption(newOptionWithArg(ARGUMENT.ARTIFACTORY_PARALLEL_ANALYSIS, "true/false",
439                         "Whether the Artifactory Analyzer should use parallel analysis."))
440                 .addOption(newOptionWithArg(ARGUMENT.ARTIFACTORY_USES_PROXY, "true/false",
441                         "Whether the Artifactory Analyzer should use the proxy."))
442                 .addOption(newOptionWithArg(ARGUMENT.ARTIFACTORY_USERNAME, "username",
443                         "The Artifactory username for authentication."))
444                 .addOption(newOptionWithArg(ARGUMENT.ARTIFACTORY_API_TOKEN, "token",
445                         "The Artifactory API token."))
446                 .addOption(newOptionWithArg(ARGUMENT.ARTIFACTORY_BEARER_TOKEN, "token",
447                         "The Artifactory bearer token."))
448                 .addOption(newOptionWithArg(ARGUMENT.ARTIFACTORY_URL, "url",
449                         "The Artifactory URL."))
450                 .addOption(newOptionWithArg(ARGUMENT.PATH_TO_GO, "path",
451                         "The path to the `go` executable."))
452                 .addOption(newOptionWithArg(ARGUMENT.PATH_TO_YARN, "path",
453                         "The path to the `yarn` executable."))
454                 .addOption(newOptionWithArg(ARGUMENT.PATH_TO_PNPM, "path",
455                         "The path to the `pnpm` executable."))
456                 .addOption(newOptionWithArg(ARGUMENT.RETIREJS_FILTERS, "pattern",
457                         "Specify Retire JS content filter used to exclude files from analysis based on their content; "
458                         + "most commonly used to exclude based on your applications own copyright line. This "
459                         + "option can be specified multiple times."))
460                 .addOption(newOptionWithArg(ARGUMENT.NEXUS_URL, "url",
461                         "The url to the Nexus Server's REST API Endpoint (http://domain/nexus/service/local). If not "
462                         + "set the Nexus Analyzer will be disabled."))
463                 .addOption(newOptionWithArg(ARGUMENT.NEXUS_USERNAME, "username",
464                         "The username to authenticate to the Nexus Server's REST API Endpoint. If not set the Nexus "
465                         + "Analyzer will use an unauthenticated connection."))
466                 .addOption(newOptionWithArg(ARGUMENT.NEXUS_PASSWORD, "password",
467                         "The password to authenticate to the Nexus Server's REST API Endpoint. If not set the Nexus "
468                         + "Analyzer will use an unauthenticated connection."))
469                 //TODO remove as this should be covered by non-proxy hosts
470                 .addOption(newOptionWithArg(ARGUMENT.NEXUS_USES_PROXY, "true/false",
471                         "Whether or not the configured proxy should be used when connecting to Nexus."))
472                 .addOption(newOptionWithArg(ARGUMENT.ADDITIONAL_ZIP_EXTENSIONS, "extensions",
473                         "A comma separated list of additional extensions to be scanned as ZIP files (ZIP, EAR, WAR "
474                         + "are already treated as zip files)"))
475                 .addOption(newOptionWithArg(ARGUMENT.PROP_SHORT, ARGUMENT.PROP, "file", "A property file to load."))
476                 .addOption(newOptionWithArg(ARGUMENT.PATH_TO_CORE, "path", "The path to dotnet core."))
477                 .addOption(newOptionWithArg(ARGUMENT.HINTS_FILE, "file", "The file path to the hints XML file."))
478                 .addOption(newOption(ARGUMENT.RETIRED, "Enables the retired analyzers."))
479                 .addOption(newOption(ARGUMENT.DISABLE_MSBUILD, "Disable the MS Build Analyzer."))
480                 .addOption(newOption(ARGUMENT.DISABLE_JAR, "Disable the Jar Analyzer."))
481                 .addOption(newOption(ARGUMENT.DISABLE_ARCHIVE, "Disable the Archive Analyzer."))
482                 .addOption(newOption(ARGUMENT.DISABLE_KEV, "Disable the Known Exploited Vulnerability Analyzer."))
483                 .addOption(newOptionWithArg(ARGUMENT.KEV_URL, "url", "The url to the CISA Known Exploited Vulnerabilities JSON data feed"))
484                 .addOption(newOption(ARGUMENT.DISABLE_ASSEMBLY, "Disable the .NET Assembly Analyzer."))
485                 .addOption(newOption(ARGUMENT.DISABLE_PY_DIST, "Disable the Python Distribution Analyzer."))
486                 .addOption(newOption(ARGUMENT.DISABLE_CMAKE, "Disable the Cmake Analyzer."))
487                 .addOption(newOption(ARGUMENT.DISABLE_PY_PKG, "Disable the Python Package Analyzer."))
488                 .addOption(newOption(ARGUMENT.DISABLE_MIX_AUDIT, "Disable the Elixir mix_audit Analyzer."))
489                 .addOption(newOption(ARGUMENT.DISABLE_RUBYGEMS, "Disable the Ruby Gemspec Analyzer."))
490                 .addOption(newOption(ARGUMENT.DISABLE_BUNDLE_AUDIT, "Disable the Ruby Bundler-Audit Analyzer."))
491                 .addOption(newOption(ARGUMENT.DISABLE_FILENAME, "Disable the File Name Analyzer."))
492                 .addOption(newOption(ARGUMENT.DISABLE_AUTOCONF, "Disable the Autoconf Analyzer."))
493                 .addOption(newOption(ARGUMENT.DISABLE_MAVEN_INSTALL, "Disable the Maven install Analyzer."))
494                 .addOption(newOption(ARGUMENT.DISABLE_PIP, "Disable the pip Analyzer."))
495                 .addOption(newOption(ARGUMENT.DISABLE_PIPFILE, "Disable the Pipfile Analyzer."))
496                 .addOption(newOption(ARGUMENT.DISABLE_COMPOSER, "Disable the PHP Composer Analyzer."))
497                 .addOption(newOption(ARGUMENT.COMPOSER_LOCK_SKIP_DEV, "Configures the PHP Composer Analyzer to skip packages-dev"))
498                 .addOption(newOption(ARGUMENT.DISABLE_CPAN, "Disable the Perl CPAN file Analyzer."))
499                 .addOption(newOption(ARGUMENT.DISABLE_POETRY, "Disable the Poetry Analyzer."))
500                 .addOption(newOption(ARGUMENT.DISABLE_GOLANG_MOD, "Disable the Golang Mod Analyzer."))
501                 .addOption(newOption(ARGUMENT.DISABLE_DART, "Disable the Dart Analyzer."))
502                 .addOption(newOption(ARGUMENT.DISABLE_OPENSSL, "Disable the OpenSSL Analyzer."))
503                 .addOption(newOption(ARGUMENT.DISABLE_NUSPEC, "Disable the Nuspec Analyzer."))
504                 .addOption(newOption(ARGUMENT.DISABLE_NUGETCONF, "Disable the Nuget packages.config Analyzer."))
505                 .addOption(newOption(ARGUMENT.DISABLE_CENTRAL, "Disable the Central Analyzer. If this analyzer "
506                         + "is disabled it is likely you also want to disable the Nexus Analyzer."))
507                 .addOption(newOption(ARGUMENT.DISABLE_CENTRAL_CACHE, "Disallow the Central Analyzer from caching results"))
508                 .addOption(newOption(ARGUMENT.DISABLE_OSSINDEX, "Disable the Sonatype OSS Index Analyzer."))
509                 .addOption(newOption(ARGUMENT.DISABLE_OSSINDEX_CACHE, "Disallow the OSS Index Analyzer from caching results"))
510                 .addOption(newOption(ARGUMENT.DISABLE_COCOAPODS, "Disable the CocoaPods Analyzer."))
511                 .addOption(newOption(ARGUMENT.DISABLE_CARTHAGE, "Disable the Carthage Analyzer."))
512                 .addOption(newOption(ARGUMENT.DISABLE_SWIFT, "Disable the swift package Analyzer."))
513                 .addOption(newOption(ARGUMENT.DISABLE_SWIFT_RESOLVED, "Disable the swift package resolved Analyzer."))
514                 .addOption(newOption(ARGUMENT.DISABLE_GO_DEP, "Disable the Golang Package Analyzer."))
515                 .addOption(newOption(ARGUMENT.DISABLE_NODE_JS, "Disable the Node.js Package Analyzer."))
516                 .addOption(newOption(ARGUMENT.NODE_PACKAGE_SKIP_DEV_DEPENDENCIES, "Configures the Node Package Analyzer to skip devDependencies"))
517                 .addOption(newOption(ARGUMENT.DISABLE_NODE_AUDIT, "Disable the Node Audit Analyzer."))
518                 .addOption(newOption(ARGUMENT.DISABLE_PNPM_AUDIT, "Disable the Pnpm Audit Analyzer."))
519                 .addOption(newOption(ARGUMENT.DISABLE_YARN_AUDIT, "Disable the Yarn Audit Analyzer."))
520                 .addOption(newOption(ARGUMENT.DISABLE_NODE_AUDIT_CACHE, "Disallow the Node Audit Analyzer from caching results"))
521                 .addOption(newOption(ARGUMENT.DISABLE_NODE_AUDIT_SKIPDEV, "Configures the Node Audit Analyzer to skip devDependencies"))
522                 .addOption(newOption(ARGUMENT.DISABLE_RETIRE_JS, "Disable the RetireJS Analyzer."))
523                 .addOption(newOption(ARGUMENT.ENABLE_NEXUS, "Enable the Nexus Analyzer."))
524                 .addOption(newOption(ARGUMENT.ARTIFACTORY_ENABLED, "Whether the Artifactory Analyzer should be enabled."))
525                 .addOption(newOption(ARGUMENT.PURGE_NVD, "Purges the local NVD data cache"))
526                 .addOption(newOption(ARGUMENT.DISABLE_HOSTED_SUPPRESSIONS, "Disable the usage of the hosted suppressions file"))
527                 .addOption(newOption(ARGUMENT.HOSTED_SUPPRESSIONS_FORCEUPDATE, "Force the hosted suppressions file to update even"
528                         + " if autoupdate is disabled"))
529                 .addOption(newOptionWithArg(ARGUMENT.HOSTED_SUPPRESSIONS_VALID_FOR_HOURS, "hours",
530                         "The number of hours to wait before checking for new updates of the the hosted suppressions file."))
531                 .addOption(newOptionWithArg(ARGUMENT.HOSTED_SUPPRESSIONS_URL, "url",
532                         "The URL for a mirrored hosted suppressions file"));
533 
534     }
535 
536     /**
537      * Adds the deprecated command line options to the given options collection.
538      * These are split out for purposes of not including them in the help
539      * message. We need to add the deprecated options so as not to break
540      * existing scripts.
541      *
542      * @param options a collection of command line arguments
543      */
544     @SuppressWarnings({"static-access", "deprecation"})
545     private void addDeprecatedOptions(final Options options) {
546         //not a real option - but enables java debugging via the shell script
547         options.addOption(newOption("debug",
548                 "Used to enable java debugging of the cli via dependency-check.sh."));
549     }
550 
551     /**
552      * Determines if the 'version' command line argument was passed in.
553      *
554      * @return whether or not the 'version' command line argument was passed in
555      */
556     public boolean isGetVersion() {
557         return (line != null) && line.hasOption(ARGUMENT.VERSION);
558     }
559 
560     /**
561      * Determines if the 'help' command line argument was passed in.
562      *
563      * @return whether or not the 'help' command line argument was passed in
564      */
565     public boolean isGetHelp() {
566         return (line != null) && line.hasOption(ARGUMENT.HELP);
567     }
568 
569     /**
570      * Determines if the 'scan' command line argument was passed in.
571      *
572      * @return whether or not the 'scan' command line argument was passed in
573      */
574     public boolean isRunScan() {
575         return (line != null) && isValid && line.hasOption(ARGUMENT.SCAN);
576     }
577 
578     /**
579      * Returns the symbolic link depth (how deeply symbolic links will be
580      * followed).
581      *
582      * @return the symbolic link depth
583      */
584     public int getSymLinkDepth() {
585         int value = 0;
586         try {
587             value = Integer.parseInt(line.getOptionValue(ARGUMENT.SYM_LINK_DEPTH, "0"));
588             if (value < 0) {
589                 value = 0;
590             }
591         } catch (NumberFormatException ex) {
592             LOGGER.debug("Symbolic link was not a number");
593         }
594         return value;
595     }
596 
597     /**
598      * Utility method to determine if one of the disable options has been set.
599      * If not set, this method will check the currently configured settings for
600      * the current value to return.
601      * <p>
602      * Example given `--disableArchive` on the command line would cause this
603      * method to return true for the disable archive setting.
604      *
605      * @param disableFlag the command line disable option
606      * @param setting the corresponding settings key
607      * @return true if the disable option was set, if not set the currently
608      * configured value will be returned
609      */
610     public boolean isDisabled(String disableFlag, String setting) {
611         if (line == null || !line.hasOption(disableFlag)) {
612             try {
613                 return !settings.getBoolean(setting);
614             } catch (InvalidSettingException ise) {
615                 LOGGER.warn("Invalid property setting '{}' defaulting to false", setting);
616                 return false;
617             }
618         } else {
619             return true;
620         }
621     }
622 
623     /**
624      * Returns true if the disableNodeAudit command line argument was specified.
625      *
626      * @return true if the disableNodeAudit command line argument was specified;
627      * otherwise false
628      */
629     public boolean isNodeAuditDisabled() {
630         return isDisabled(ARGUMENT.DISABLE_NODE_AUDIT, Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED);
631     }
632 
633     /**
634      * Returns true if the disableYarnAudit command line argument was specified.
635      *
636      * @return true if the disableYarnAudit command line argument was specified;
637      * otherwise false
638      */
639     public boolean isYarnAuditDisabled() {
640         return isDisabled(ARGUMENT.DISABLE_YARN_AUDIT, Settings.KEYS.ANALYZER_YARN_AUDIT_ENABLED);
641     }
642 
643     /**
644      * Returns true if the disablePnpmAudit command line argument was specified.
645      *
646      * @return true if the disablePnpmAudit command line argument was specified;
647      * otherwise false
648      */
649     public boolean isPnpmAuditDisabled() {
650         return isDisabled(ARGUMENT.DISABLE_PNPM_AUDIT, Settings.KEYS.ANALYZER_PNPM_AUDIT_ENABLED);
651     }
652 
653     /**
654      * Returns true if the Nexus Analyzer should use the configured proxy to
655      * connect to Nexus; otherwise false is returned.
656      *
657      * @return true if the Nexus Analyzer should use the configured proxy to
658      * connect to Nexus; otherwise false
659      */
660     public boolean isNexusUsesProxy() {
661         // If they didn't specify whether Nexus needs to use the proxy, we should
662         // still honor the property if it's set.
663         if (line == null || !line.hasOption(ARGUMENT.NEXUS_USES_PROXY)) {
664             try {
665                 return settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY);
666             } catch (InvalidSettingException ise) {
667                 return true;
668             }
669         } else {
670             return Boolean.parseBoolean(line.getOptionValue(ARGUMENT.NEXUS_USES_PROXY));
671         }
672     }
673 
674     /**
675      * Returns the argument boolean value.
676      *
677      * @param argument the argument
678      * @return the argument boolean value
679      */
680     @SuppressFBWarnings(justification = "Accepting that this is a bad practice - used a Boolean as we needed three states",
681             value = {"NP_BOOLEAN_RETURN_NULL"})
682     public Boolean getBooleanArgument(String argument) {
683         if (line != null && line.hasOption(argument)) {
684             final String value = line.getOptionValue(argument);
685             if (value != null) {
686                 return Boolean.parseBoolean(value);
687             }
688         }
689         return null;
690     }
691 
692     /**
693      * Returns the argument value for the given option.
694      *
695      * @param option the option
696      * @return the value of the argument
697      */
698     public String getStringArgument(String option) {
699         return getStringArgument(option, null);
700     }
701 
702     /**
703      * Returns the argument value for the given option.
704      *
705      * @param option the option
706      * @param key the dependency-check settings key for the option.
707      * @return the value of the argument
708      */
709     public String getStringArgument(String option, String key) {
710         if (line != null && line.hasOption(option)) {
711             if (key != null && (option.toLowerCase().endsWith("password")
712                     || option.toLowerCase().endsWith("pass"))) {
713                 LOGGER.warn("{} used on the command line, consider moving the password "
714                         + "to a properties file using the key `{}` and using the "
715                         + "--propertyfile argument instead", option, key);
716             }
717             return line.getOptionValue(option);
718         }
719         return null;
720     }
721 
722     /**
723      * Returns the argument value for the given option.
724      *
725      * @param option the option
726      * @return the value of the argument
727      */
728     public String[] getStringArguments(String option) {
729         if (line != null && line.hasOption(option)) {
730             return line.getOptionValues(option);
731         }
732         return null;
733     }
734 
735     /**
736      * Returns the argument value for the given option.
737      *
738      * @param option the option
739      * @return the value of the argument
740      */
741     public File getFileArgument(String option) {
742         final String path = line.getOptionValue(option);
743         if (path != null) {
744             return new File(path);
745         }
746         return null;
747     }
748 
749     /**
750      * Displays the command line help message to the standard output.
751      */
752     public void printHelp() {
753         final HelpFormatter formatter = new HelpFormatter();
754         final Options options = new Options();
755         addStandardOptions(options);
756         if (line != null && line.hasOption(ARGUMENT.ADVANCED_HELP)) {
757             addAdvancedOptions(options);
758         }
759         final String helpMsg = String.format("%n%s"
760                 + " can be used to identify if there are any known CVE vulnerabilities in libraries utilized by an application. "
761                 + "%s will automatically update required data from the Internet, such as the CVE and CPE data files from nvd.nist.gov.%n%n",
762                 settings.getString(Settings.KEYS.APPLICATION_NAME, "DependencyCheck"),
763                 settings.getString(Settings.KEYS.APPLICATION_NAME, "DependencyCheck"));
764 
765         formatter.printHelp(settings.getString(Settings.KEYS.APPLICATION_NAME, "DependencyCheck"),
766                 helpMsg,
767                 options,
768                 "",
769                 true);
770     }
771 
772     /**
773      * Retrieves the file command line parameter(s) specified for the 'scan'
774      * argument.
775      *
776      * @return the file paths specified on the command line for scan
777      */
778     public String[] getScanFiles() {
779         return line.getOptionValues(ARGUMENT.SCAN);
780     }
781 
782     /**
783      * Retrieves the list of excluded file patterns specified by the 'exclude'
784      * argument.
785      *
786      * @return the excluded file patterns
787      */
788     public String[] getExcludeList() {
789         return line.getOptionValues(ARGUMENT.EXCLUDE);
790     }
791 
792     /**
793      * Retrieves the list of retire JS content filters used to exclude JS files
794      * by content.
795      *
796      * @return the retireJS filters
797      */
798     public String[] getRetireJsFilters() {
799         return line.getOptionValues(ARGUMENT.RETIREJS_FILTERS);
800     }
801 
802     /**
803      * Returns whether or not the retireJS analyzer should exclude
804      * non-vulnerable JS from the report.
805      *
806      * @return <code>true</code> if non-vulnerable JS should be filtered in the
807      * RetireJS Analyzer; otherwise <code>null</code>
808      */
809     @SuppressFBWarnings(justification = "Accepting that this is a bad practice - but made more sense in this use case",
810             value = {"NP_BOOLEAN_RETURN_NULL"})
811     public Boolean isRetireJsFilterNonVulnerable() {
812         return (line != null && line.hasOption(ARGUMENT.RETIREJS_FILTER_NON_VULNERABLE)) ? true : null;
813     }
814 
815     /**
816      * Returns the directory to write the reports to specified on the command
817      * line.
818      *
819      * @return the path to the reports directory.
820      */
821     public String getReportDirectory() {
822         return line.getOptionValue(ARGUMENT.OUT, ".");
823     }
824 
825     /**
826      * Returns the output format specified on the command line. Defaults to HTML
827      * if no format was specified.
828      *
829      * @return the output format name.
830      */
831     public String[] getReportFormat() {
832         if (line.hasOption(ARGUMENT.OUTPUT_FORMAT)) {
833             return line.getOptionValues(ARGUMENT.OUTPUT_FORMAT);
834         }
835         return new String[]{"HTML"};
836     }
837 
838     /**
839      * Returns the application name specified on the command line.
840      *
841      * @return the application name.
842      */
843     public String getProjectName() {
844         String name = line.getOptionValue(ARGUMENT.PROJECT);
845         if (name == null) {
846             name = "";
847         }
848         return name;
849     }
850 
851     /**
852      * <p>
853      * Prints the manifest information to standard output.</p>
854      * <ul><li>Implementation-Title: ${pom.name}</li>
855      * <li>Implementation-Version: ${pom.version}</li></ul>
856      */
857     public void printVersionInfo() {
858         final String version = String.format("%s version %s",
859                 settings.getString(Settings.KEYS.APPLICATION_NAME, "dependency-check"),
860                 settings.getString(Settings.KEYS.APPLICATION_VERSION, "Unknown"));
861         System.out.println(version);
862     }
863 
864     /**
865      * Checks if the update only flag has been set.
866      *
867      * @return <code>true</code> if the update only flag has been set; otherwise
868      * <code>false</code>.
869      */
870     public boolean isUpdateOnly() {
871         return line != null && line.hasOption(ARGUMENT.UPDATE_ONLY);
872     }
873 
874     /**
875      * Checks if the purge NVD flag has been set.
876      *
877      * @return <code>true</code> if the purge nvd flag has been set; otherwise
878      * <code>false</code>.
879      */
880     public boolean isPurge() {
881         return line != null && line.hasOption(ARGUMENT.PURGE_NVD);
882     }
883 
884     /**
885      * Returns the database driver name if specified; otherwise null is
886      * returned.
887      *
888      * @return the database driver name if specified; otherwise null is returned
889      */
890     public String getDatabaseDriverName() {
891         return line.getOptionValue(ARGUMENT.DB_DRIVER);
892     }
893 
894     /**
895      * Returns the argument value.
896      *
897      * @param argument the argument
898      * @return the value of the argument
899      */
900     public Integer getIntegerValue(String argument) {
901         final String v = line.getOptionValue(argument);
902         if (v != null) {
903             return Integer.parseInt(v);
904         }
905         return null;
906     }
907 
908     /**
909      * Checks if the option is present. If present it will return
910      * <code>true</code>; otherwise <code>false</code>.
911      *
912      * @param option the option to check
913      * @return <code>true</code> if auto-update is allowed; otherwise
914      * <code>null</code>
915      */
916     @SuppressFBWarnings(justification = "Accepting that this is a bad practice - but made more sense in this use case",
917             value = {"NP_BOOLEAN_RETURN_NULL"})
918     public Boolean hasOption(String option) {
919         return (line != null && line.hasOption(option)) ? true : null;
920     }
921 
922     /**
923      * Returns the CVSS value to fail on.
924      *
925      * @return 11 if nothing is set. Otherwise it returns the int passed from
926      * the command line arg
927      */
928     public float getFailOnCVSS() {
929         if (line.hasOption(ARGUMENT.FAIL_ON_CVSS)) {
930             final String value = line.getOptionValue(ARGUMENT.FAIL_ON_CVSS);
931             try {
932                 return Float.parseFloat(value);
933             } catch (NumberFormatException nfe) {
934                 return 11;
935             }
936         } else {
937             return 11;
938         }
939     }
940 
941     /**
942      * Returns the float argument for the given option.
943      *
944      * @param option the option
945      * @param defaultValue the value if the option is not present
946      * @return the value of the argument if present; otherwise the defaultValue
947      */
948     public float getFloatArgument(String option, float defaultValue) {
949         if (line.hasOption(option)) {
950             final String value = line.getOptionValue(option);
951             try {
952                 return Integer.parseInt(value);
953             } catch (NumberFormatException nfe) {
954                 return defaultValue;
955             }
956         } else {
957             return defaultValue;
958         }
959     }
960 
961     /**
962      * Builds a new option.
963      *
964      * @param name the long name
965      * @param description the description
966      * @return a new option
967      */
968     private Option newOption(String name, String description) {
969         return Option.builder().longOpt(name).desc(description).build();
970     }
971 
972     /**
973      * Builds a new option.
974      *
975      * @param shortName the short name
976      * @param name the long name
977      * @param description the description
978      * @return a new option
979      */
980     private Option newOption(String shortName, String name, String description) {
981         return Option.builder(shortName).longOpt(name).desc(description).build();
982     }
983 
984     /**
985      * Builds a new option.
986      *
987      * @param name the long name
988      * @param arg the argument name
989      * @param description the description
990      * @return a new option
991      */
992     private Option newOptionWithArg(String name, String arg, String description) {
993         return Option.builder().longOpt(name).argName(arg).hasArg().desc(description).build();
994     }
995 
996     /**
997      * Builds a new option.
998      *
999      * @param shortName the short name
1000      * @param name the long name
1001      * @param arg the argument name
1002      * @param description the description
1003      * @return a new option
1004      */
1005     private Option newOptionWithArg(String shortName, String name, String arg, String description) {
1006         return Option.builder(shortName).longOpt(name).argName(arg).hasArg().desc(description).build();
1007     }
1008 
1009     /**
1010      * Builds a new option group so that an option can be specified multiple
1011      * times on the command line.
1012      *
1013      * @param option the option to add to the group
1014      * @return a new option group
1015      */
1016     private OptionGroup newOptionGroup(Option option) {
1017         final OptionGroup group = new OptionGroup();
1018         group.addOption(option);
1019         return group;
1020     }
1021 
1022     /**
1023      * A collection of static final strings that represent the possible command
1024      * line arguments.
1025      */
1026     public static class ARGUMENT {
1027 
1028         /**
1029          * The long CLI argument name specifying the directory/file to scan.
1030          */
1031         public static final String SCAN = "scan";
1032         /**
1033          * The short CLI argument name specifying the directory/file to scan.
1034          */
1035         public static final String SCAN_SHORT = "s";
1036         /**
1037          * The long CLI argument name specifying that the CPE/CVE/etc. data
1038          * should not be automatically updated.
1039          */
1040         public static final String DISABLE_AUTO_UPDATE = "noupdate";
1041         /**
1042          * The short CLI argument name specifying that the CPE/CVE/etc. data
1043          * should not be automatically updated.
1044          */
1045         public static final String DISABLE_AUTO_UPDATE_SHORT = "n";
1046         /**
1047          * The long CLI argument name specifying that only the update phase
1048          * should be executed; no scan should be run.
1049          */
1050         public static final String UPDATE_ONLY = "updateonly";
1051         /**
1052          * The long CLI argument name specifying that only the update phase
1053          * should be executed; no scan should be run.
1054          */
1055         public static final String PURGE_NVD = "purge";
1056         /**
1057          * The long CLI argument name specifying the directory to write the
1058          * reports to.
1059          */
1060         public static final String OUT = "out";
1061         /**
1062          * The short CLI argument name specifying the directory to write the
1063          * reports to.
1064          */
1065         public static final String OUT_SHORT = "o";
1066         /**
1067          * The long CLI argument name specifying the output format to write the
1068          * reports to.
1069          */
1070         public static final String OUTPUT_FORMAT = "format";
1071         /**
1072          * The short CLI argument name specifying the output format to write the
1073          * reports to.
1074          */
1075         public static final String OUTPUT_FORMAT_SHORT = "f";
1076         /**
1077          * The long CLI argument name specifying the name of the project to be
1078          * scanned.
1079          */
1080         public static final String PROJECT = "project";
1081         /**
1082          * The long CLI argument name asking for help.
1083          */
1084         public static final String HELP = "help";
1085         /**
1086          * The long CLI argument name asking for advanced help.
1087          */
1088         public static final String ADVANCED_HELP = "advancedHelp";
1089         /**
1090          * The short CLI argument name asking for help.
1091          */
1092         public static final String HELP_SHORT = "h";
1093         /**
1094          * The long CLI argument name asking for the version.
1095          */
1096         public static final String VERSION_SHORT = "v";
1097         /**
1098          * The short CLI argument name asking for the version.
1099          */
1100         public static final String VERSION = "version";
1101         /**
1102          * The CLI argument name indicating the proxy port.
1103          */
1104         public static final String PROXY_PORT = "proxyport";
1105         /**
1106          * The CLI argument name indicating the proxy server.
1107          */
1108         public static final String PROXY_SERVER = "proxyserver";
1109         /**
1110          * The CLI argument name indicating the proxy username.
1111          */
1112         public static final String PROXY_USERNAME = "proxyuser";
1113         /**
1114          * The CLI argument name indicating the proxy password.
1115          */
1116         public static final String PROXY_PASSWORD = "proxypass";
1117         /**
1118          * The CLI argument name indicating the proxy proxy exclusion list.
1119          */
1120         public static final String NON_PROXY_HOSTS = "nonProxyHosts";
1121         /**
1122          * The short CLI argument name indicating the connection timeout.
1123          */
1124         public static final String CONNECTION_TIMEOUT_SHORT = "c";
1125         /**
1126          * The CLI argument name indicating the connection timeout.
1127          */
1128         public static final String CONNECTION_TIMEOUT = "connectiontimeout";
1129         /**
1130          * The CLI argument name indicating the connection read timeout.
1131          */
1132         public static final String CONNECTION_READ_TIMEOUT = "readtimeout";
1133         /**
1134          * The short CLI argument name for setting the location of an additional
1135          * properties file.
1136          */
1137         public static final String PROP_SHORT = "P";
1138         /**
1139          * The CLI argument name for setting the location of an additional
1140          * properties file.
1141          */
1142         public static final String PROP = "propertyfile";
1143         /**
1144          * The CLI argument name for setting the location of the data directory.
1145          */
1146         public static final String DATA_DIRECTORY = "data";
1147         /**
1148          * The CLI argument name for setting the URL for the NVD API Endpoint.
1149          */
1150         public static final String NVD_API_ENDPOINT = "nvdApiEndpoint";
1151         /**
1152          * The CLI argument name for setting the URL for the NVD API Key.
1153          */
1154         public static final String NVD_API_KEY = "nvdApiKey";
1155         /**
1156          * The CLI argument name for setting the maximum number of retry
1157          * requests for a single call to the NVD API.
1158          */
1159         public static final String NVD_API_MAX_RETRY_COUNT = "nvdMaxRetryCount";
1160         /**
1161          * The CLI argument name for setting the number of hours to wait before
1162          * checking for new updates from the NVD.
1163          */
1164         public static final String NVD_API_VALID_FOR_HOURS = "nvdValidForHours";
1165         /**
1166          * The CLI argument name for the NVD API Data Feed URL.
1167          */
1168         public static final String NVD_API_DATAFEED_URL = "nvdDatafeed";
1169         /**
1170          * The username for basic auth to the CVE data.
1171          */
1172         public static final String NVD_API_DATAFEED_USER = "nvdUser";
1173         /**
1174          * The password for basic auth to the CVE data.
1175          */
1176         public static final String NVD_API_DATAFEED_PASSWORD = "nvdPassword";
1177         /**
1178          * The time in milliseconds to wait between downloading NVD API data.
1179          */
1180         public static final String NVD_API_DELAY = "nvdApiDelay";
1181         /**
1182          * The number records for a single page from NVD API.
1183          */
1184         public static final String NVD_API_RESULTS_PER_PAGE = "nvdApiResultsPerPage";
1185         /**
1186          * The short CLI argument name for setting the location of the data
1187          * directory.
1188          */
1189         public static final String DATA_DIRECTORY_SHORT = "d";
1190         /**
1191          * The CLI argument name for setting the location of the data directory.
1192          */
1193         public static final String VERBOSE_LOG = "log";
1194         /**
1195          * The short CLI argument name for setting the location of the data
1196          * directory.
1197          */
1198         public static final String VERBOSE_LOG_SHORT = "l";
1199         /**
1200          * The CLI argument name for setting the depth of symbolic links that
1201          * will be followed.
1202          */
1203         public static final String SYM_LINK_DEPTH = "symLink";
1204         /**
1205          * The CLI argument name for setting the location of the suppression
1206          * file(s).
1207          */
1208         public static final String SUPPRESSION_FILES = "suppression";
1209         /**
1210          * The CLI argument name for setting the location of the hint file.
1211          */
1212         public static final String HINTS_FILE = "hints";
1213         /**
1214          * Disables the Jar Analyzer.
1215          */
1216         public static final String DISABLE_JAR = "disableJar";
1217         /**
1218          * Disable the MS Build Analyzer.
1219          */
1220         public static final String DISABLE_MSBUILD = "disableMSBuild";
1221         /**
1222          * Disables the Archive Analyzer.
1223          */
1224         public static final String DISABLE_ARCHIVE = "disableArchive";
1225         /**
1226          * Disables the Known Exploited Analyzer.
1227          */
1228         public static final String DISABLE_KEV = "disableKnownExploited";
1229         /**
1230          * The URL to the CISA Known Exploited Vulnerability JSON datafeed.
1231          */
1232         public static final String KEV_URL = "kevURL";
1233         /**
1234          * Disables the Python Distribution Analyzer.
1235          */
1236         public static final String DISABLE_PY_DIST = "disablePyDist";
1237         /**
1238          * Disables the Python Package Analyzer.
1239          */
1240         public static final String DISABLE_PY_PKG = "disablePyPkg";
1241         /**
1242          * Disables the Elixir mix audit Analyzer.
1243          */
1244         public static final String DISABLE_MIX_AUDIT = "disableMixAudit";
1245         /**
1246          * Disables the Golang Dependency Analyzer.
1247          */
1248         public static final String DISABLE_GO_DEP = "disableGolangDep";
1249         /**
1250          * Disables the PHP Composer Analyzer.
1251          */
1252         public static final String DISABLE_COMPOSER = "disableComposer";
1253         /**
1254          * Whether the PHP Composer Analyzer skips dev packages.
1255          */
1256         public static final String COMPOSER_LOCK_SKIP_DEV = "composerSkipDev";
1257         /**
1258          * Disables the Perl CPAN File Analyzer.
1259          */
1260         public static final String DISABLE_CPAN = "disableCpan";
1261         /**
1262          * Disables the Golang Mod Analyzer.
1263          */
1264         public static final String DISABLE_GOLANG_MOD = "disableGolangMod";
1265         /**
1266          * Disables the Dart Analyzer.
1267          */
1268         public static final String DISABLE_DART = "disableDart";
1269         /**
1270          * The CLI argument name for setting the path to `go`.
1271          */
1272         public static final String PATH_TO_GO = "go";
1273         /**
1274          * The CLI argument name for setting the path to `yarn`.
1275          */
1276         public static final String PATH_TO_YARN = "yarn";
1277         /**
1278          * The CLI argument name for setting the path to `pnpm`.
1279          */
1280         public static final String PATH_TO_PNPM = "pnpm";
1281         /**
1282          * Disables the Ruby Gemspec Analyzer.
1283          */
1284         public static final String DISABLE_RUBYGEMS = "disableRubygems";
1285         /**
1286          * Disables the Autoconf Analyzer.
1287          */
1288         public static final String DISABLE_AUTOCONF = "disableAutoconf";
1289         /**
1290          * Disables the Maven install Analyzer.
1291          */
1292         public static final String DISABLE_MAVEN_INSTALL = "disableMavenInstall";
1293         /**
1294          * Disables the pip Analyzer.
1295          */
1296         public static final String DISABLE_PIP = "disablePip";
1297         /**
1298          * Disables the Pipfile Analyzer.
1299          */
1300         public static final String DISABLE_PIPFILE = "disablePipfile";
1301         /**
1302          * Disables the Poetry Analyzer.
1303          */
1304         public static final String DISABLE_POETRY = "disablePoetry";
1305         /**
1306          * Disables the Cmake Analyzer.
1307          */
1308         public static final String DISABLE_CMAKE = "disableCmake";
1309         /**
1310          * Disables the cocoapods analyzer.
1311          */
1312         public static final String DISABLE_COCOAPODS = "disableCocoapodsAnalyzer";
1313         /**
1314          * Disables the Carthage analyzer.
1315          */
1316         public static final String DISABLE_CARTHAGE = "disableCarthageAnalyzer";
1317         /**
1318          * Disables the swift package manager analyzer.
1319          */
1320         public static final String DISABLE_SWIFT = "disableSwiftPackageManagerAnalyzer";
1321         /**
1322          * Disables the swift package resolved analyzer.
1323          */
1324         public static final String DISABLE_SWIFT_RESOLVED = "disableSwiftPackageResolvedAnalyzer";
1325         /**
1326          * Disables the Assembly Analyzer.
1327          */
1328         public static final String DISABLE_ASSEMBLY = "disableAssembly";
1329         /**
1330          * Disables the Ruby Bundler Audit Analyzer.
1331          */
1332         public static final String DISABLE_BUNDLE_AUDIT = "disableBundleAudit";
1333         /**
1334          * Disables the File Name Analyzer.
1335          */
1336         public static final String DISABLE_FILENAME = "disableFileName";
1337         /**
1338          * Disables the Nuspec Analyzer.
1339          */
1340         public static final String DISABLE_NUSPEC = "disableNuspec";
1341         /**
1342          * Disables the Nuget packages.config Analyzer.
1343          */
1344         public static final String DISABLE_NUGETCONF = "disableNugetconf";
1345         /**
1346          * Disables the Central Analyzer.
1347          */
1348         public static final String DISABLE_CENTRAL = "disableCentral";
1349         /**
1350          * Disables the Central Analyzer's ability to cache results locally.
1351          */
1352         public static final String DISABLE_CENTRAL_CACHE = "disableCentralCache";
1353         /**
1354          * The alternative URL for Maven Central Search.
1355          */
1356         public static final String CENTRAL_URL = "centralUrl";
1357         /**
1358          * Disables the Nexus Analyzer.
1359          */
1360         public static final String ENABLE_NEXUS = "enableNexus";
1361         /**
1362          * Disables the Sonatype OSS Index Analyzer.
1363          */
1364         public static final String DISABLE_OSSINDEX = "disableOssIndex";
1365         /**
1366          * Disables the Sonatype OSS Index Analyzer's ability to cache results
1367          * locally.
1368          */
1369         public static final String DISABLE_OSSINDEX_CACHE = "disableOssIndexCache";
1370         /**
1371          * The alternative URL for the Sonatype OSS Index.
1372          */
1373         public static final String OSSINDEX_URL = "ossIndexUrl";
1374         /**
1375          * The username for the Sonatype OSS Index.
1376          */
1377         public static final String OSSINDEX_USERNAME = "ossIndexUsername";
1378         /**
1379          * The password for the Sonatype OSS Index.
1380          */
1381         public static final String OSSINDEX_PASSWORD = "ossIndexPassword";
1382         /**
1383          * The password for the Sonatype OSS Index.
1384          */
1385         public static final String OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS = "ossIndexRemoteErrorWarnOnly";
1386         /**
1387          * Disables the OpenSSL Analyzer.
1388          */
1389         public static final String DISABLE_OPENSSL = "disableOpenSSL";
1390         /**
1391          * Disables the Node.js Package Analyzer.
1392          */
1393         public static final String DISABLE_NODE_JS = "disableNodeJS";
1394         /**
1395          * Skips dev dependencies in Node Package Analyzer.
1396          */
1397         public static final String NODE_PACKAGE_SKIP_DEV_DEPENDENCIES = "nodePackageSkipDevDependencies";
1398         /**
1399          * Disables the Node Audit Analyzer.
1400          */
1401         public static final String DISABLE_NODE_AUDIT = "disableNodeAudit";
1402         /**
1403          * Disables the Yarn Audit Analyzer.
1404          */
1405         public static final String DISABLE_YARN_AUDIT = "disableYarnAudit";
1406         /**
1407          * Disables the Pnpm Audit Analyzer.
1408          */
1409         public static final String DISABLE_PNPM_AUDIT = "disablePnpmAudit";
1410         /**
1411          * Disables the Node Audit Analyzer's ability to cache results locally.
1412          */
1413         public static final String DISABLE_NODE_AUDIT_CACHE = "disableNodeAuditCache";
1414         /**
1415          * Configures the Node Audit Analyzer to skip the dev dependencies.
1416          */
1417         public static final String DISABLE_NODE_AUDIT_SKIPDEV = "nodeAuditSkipDevDependencies";
1418         /**
1419          * Disables the RetireJS Analyzer.
1420          */
1421         public static final String DISABLE_RETIRE_JS = "disableRetireJS";
1422         /**
1423          * Whether the RetireJS Analyzer will update regardless of the
1424          * `autoupdate` setting.
1425          */
1426         public static final String RETIRE_JS_FORCEUPDATE = "retireJsForceUpdate";
1427         /**
1428          * The URL to the retire JS repository.
1429          */
1430         public static final String RETIREJS_URL = "retireJsUrl";
1431         /**
1432          * The username to the retire JS repository.
1433          */
1434         public static final String RETIREJS_URL_USER = "retireJsUrlUser";
1435         /**
1436          * The password to the retire JS repository.
1437          */
1438         public static final String RETIREJS_URL_PASSWORD = "retireJsUrlPass";
1439         /**
1440          * The URL of the nexus server.
1441          */
1442         public static final String NEXUS_URL = "nexus";
1443         /**
1444          * The username for the nexus server.
1445          */
1446         public static final String NEXUS_USERNAME = "nexusUser";
1447         /**
1448          * The password for the nexus server.
1449          */
1450         public static final String NEXUS_PASSWORD = "nexusPass";
1451         /**
1452          * Whether or not the defined proxy should be used when connecting to
1453          * Nexus.
1454          */
1455         public static final String NEXUS_USES_PROXY = "nexusUsesProxy";
1456         /**
1457          * The CLI argument name for setting the connection string.
1458          */
1459         public static final String CONNECTION_STRING = "connectionString";
1460         /**
1461          * The CLI argument name for setting the database user name.
1462          */
1463         public static final String DB_NAME = "dbUser";
1464         /**
1465          * The CLI argument name for setting the database password.
1466          */
1467         public static final String DB_PASSWORD = "dbPassword";
1468         /**
1469          * The CLI argument name for setting the database driver name.
1470          */
1471         public static final String DB_DRIVER = "dbDriverName";
1472         /**
1473          * The CLI argument name for setting the path to the database driver; in
1474          * case it is not on the class path.
1475          */
1476         public static final String DB_DRIVER_PATH = "dbDriverPath";
1477         /**
1478          * The CLI argument name for setting the path to dotnet core.
1479          */
1480         public static final String PATH_TO_CORE = "dotnet";
1481         /**
1482          * The CLI argument name for setting extra extensions.
1483          */
1484         public static final String ADDITIONAL_ZIP_EXTENSIONS = "zipExtensions";
1485         /**
1486          * Exclude path argument.
1487          */
1488         public static final String EXCLUDE = "exclude";
1489         /**
1490          * The CLI argument name for setting the path to bundle-audit for Ruby
1491          * bundle analysis.
1492          */
1493         public static final String PATH_TO_BUNDLE_AUDIT = "bundleAudit";
1494         /**
1495          * The CLI argument name for setting the path that should be used as the
1496          * working directory that the bundle-audit command used for Ruby bundle
1497          * analysis should be executed from. This will allow for the usage of
1498          * rbenv
1499          */
1500         public static final String PATH_TO_BUNDLE_AUDIT_WORKING_DIRECTORY = "bundleAuditWorkingDirectory";
1501         /**
1502          * The CLI argument name for setting the path to mix_audit for Elixir
1503          * analysis.
1504          */
1505         public static final String PATH_TO_MIX_AUDIT = "mixAudit";
1506         /**
1507          * The CLI argument to enable the experimental analyzers.
1508          */
1509         public static final String EXPERIMENTAL = "enableExperimental";
1510         /**
1511          * The CLI argument to enable the retired analyzers.
1512          */
1513         public static final String RETIRED = "enableRetired";
1514         /**
1515          * The CLI argument for the retire js content filters.
1516          */
1517         public static final String RETIREJS_FILTERS = "retirejsFilter";
1518         /**
1519          * The CLI argument for the retire js content filters.
1520          */
1521         public static final String RETIREJS_FILTER_NON_VULNERABLE = "retirejsFilterNonVulnerable";
1522         /**
1523          * The CLI argument for indicating if the Artifactory analyzer should be
1524          * enabled.
1525          */
1526         public static final String ARTIFACTORY_ENABLED = "enableArtifactory";
1527         /**
1528          * The CLI argument for indicating if the Artifactory analyzer should
1529          * use the proxy.
1530          */
1531         public static final String ARTIFACTORY_URL = "artifactoryUrl";
1532         /**
1533          * The CLI argument for indicating the Artifactory username.
1534          */
1535         public static final String ARTIFACTORY_USERNAME = "artifactoryUsername";
1536         /**
1537          * The CLI argument for indicating the Artifactory API token.
1538          */
1539         public static final String ARTIFACTORY_API_TOKEN = "artifactoryApiToken";
1540         /**
1541          * The CLI argument for indicating the Artifactory bearer token.
1542          */
1543         public static final String ARTIFACTORY_BEARER_TOKEN = "artifactoryBearerToken";
1544         /**
1545          * The CLI argument for indicating if the Artifactory analyzer should
1546          * use the proxy.
1547          */
1548         public static final String ARTIFACTORY_USES_PROXY = "artifactoryUseProxy";
1549         /**
1550          * The CLI argument for indicating if the Artifactory analyzer should
1551          * use the parallel analysis.
1552          */
1553         public static final String ARTIFACTORY_PARALLEL_ANALYSIS = "artifactoryParallelAnalysis";
1554         /**
1555          * The CLI argument to configure when the execution should be considered
1556          * a failure.
1557          */
1558         public static final String FAIL_ON_CVSS = "failOnCVSS";
1559         /**
1560          * The CLI argument to configure if the XML and JSON reports should be
1561          * pretty printed.
1562          */
1563         public static final String PRETTY_PRINT = "prettyPrint";
1564         /**
1565          * The CLI argument to set the threshold that is considered a failure
1566          * when generating the JUNIT report format.
1567          */
1568         public static final String FAIL_JUNIT_ON_CVSS = "junitFailOnCVSS";
1569         /**
1570          * The CLI argument to set the number of hours to wait before
1571          * re-checking hosted suppressions file for updates.
1572          */
1573         public static final String DISABLE_HOSTED_SUPPRESSIONS = "disableHostedSuppressions";
1574         /**
1575          * The CLI argument to set the number of hours to wait before
1576          * re-checking hosted suppressions file for updates.
1577          */
1578         public static final String HOSTED_SUPPRESSIONS_VALID_FOR_HOURS = "hostedSuppressionsValidForHours";
1579         /**
1580          * The CLI argument to set Whether the hosted suppressions file will
1581          * update regardless of the `noupdate` argument.
1582          */
1583         public static final String HOSTED_SUPPRESSIONS_FORCEUPDATE = "hostedSuppressionsForceUpdate";
1584         /**
1585          * The CLI argument to set the location of a mirrored hosted
1586          * suppressions file .
1587          */
1588         public static final String HOSTED_SUPPRESSIONS_URL = "hostedSuppressionsUrl";
1589     }
1590 }