1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18 package org.owasp.dependencycheck;
19
20 import java.io.File;
21 import java.io.FileNotFoundException;
22 import java.io.IOException;
23 import java.util.ArrayList;
24 import java.util.List;
25 import java.util.Set;
26
27 import org.apache.commons.cli.ParseException;
28 import org.apache.tools.ant.DirectoryScanner;
29 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
30 import org.owasp.dependencycheck.dependency.Dependency;
31 import org.owasp.dependencycheck.dependency.Vulnerability;
32 import org.apache.tools.ant.types.LogLevel;
33 import org.owasp.dependencycheck.data.update.exception.UpdateException;
34 import org.owasp.dependencycheck.exception.ExceptionCollection;
35 import org.owasp.dependencycheck.exception.ReportException;
36 import org.owasp.dependencycheck.utils.InvalidSettingException;
37 import org.owasp.dependencycheck.utils.Settings;
38 import org.slf4j.Logger;
39 import org.slf4j.LoggerFactory;
40
41 import ch.qos.logback.core.FileAppender;
42 import ch.qos.logback.classic.encoder.PatternLayoutEncoder;
43 import ch.qos.logback.classic.filter.ThresholdFilter;
44 import ch.qos.logback.classic.spi.ILoggingEvent;
45 import ch.qos.logback.classic.Level;
46 import ch.qos.logback.classic.LoggerContext;
47 import io.github.jeremylong.jcs3.slf4j.Slf4jAdapter;
48 import java.util.TreeSet;
49 import org.owasp.dependencycheck.utils.SeverityUtil;
50
51
52
53
54
55
56 @SuppressWarnings("squid:S106")
57 public class App {
58
59
60
61
62 private static final Logger LOGGER = LoggerFactory.getLogger(App.class);
63
64
65
66 private static final String ERROR_LOADING_PROPERTIES_FILE = "Error loading properties file";
67
68
69
70 private static final String NEW_LINE = System.getProperty("line.separator", "\n");
71
72
73
74 private final Settings settings;
75
76
77
78
79
80
81 @SuppressWarnings("squid:S4823")
82 public static void main(String[] args) {
83 System.setProperty("jcs.logSystem", "slf4j");
84 if (!LOGGER.isDebugEnabled()) {
85 Slf4jAdapter.muteLogging(true);
86 }
87 final int exitCode;
88 final App app = new App();
89 exitCode = app.run(args);
90 LOGGER.debug("Exit code: {}", exitCode);
91 System.exit(exitCode);
92 }
93
94
95
96
97 public App() {
98 settings = new Settings();
99 }
100
101
102
103
104
105
106 protected App(Settings settings) {
107 this.settings = settings;
108 }
109
110
111
112
113
114
115
116 public int run(String[] args) {
117 int exitCode = 0;
118 final CliParser cli = new CliParser(settings);
119
120 try {
121 cli.parse(args);
122 } catch (FileNotFoundException ex) {
123 System.err.println(ex.getMessage());
124 cli.printHelp();
125 return 1;
126 } catch (ParseException ex) {
127 System.err.println(ex.getMessage());
128 cli.printHelp();
129 return 2;
130 }
131 final String verboseLog = cli.getStringArgument(CliParser.ARGUMENT.VERBOSE_LOG);
132 if (verboseLog != null) {
133 prepareLogger(verboseLog);
134 }
135
136 if (cli.isPurge()) {
137 final String connStr = cli.getStringArgument(CliParser.ARGUMENT.CONNECTION_STRING);
138 if (connStr != null) {
139 LOGGER.error("Unable to purge the database when using a non-default connection string");
140 exitCode = 3;
141 } else {
142 try {
143 populateSettings(cli);
144 } catch (InvalidSettingException ex) {
145 LOGGER.error(ex.getMessage());
146 LOGGER.debug(ERROR_LOADING_PROPERTIES_FILE, ex);
147 exitCode = 4;
148 return exitCode;
149 }
150 try (Engine engine = new Engine(Engine.Mode.EVIDENCE_PROCESSING, settings)) {
151 if (!engine.purge()) {
152 exitCode = 7;
153 return exitCode;
154 }
155 } finally {
156 settings.cleanup();
157 }
158 }
159 } else if (cli.isGetVersion()) {
160 cli.printVersionInfo();
161 } else if (cli.isUpdateOnly()) {
162 try {
163 populateSettings(cli);
164 settings.setBoolean(Settings.KEYS.AUTO_UPDATE, true);
165 } catch (InvalidSettingException ex) {
166 LOGGER.error(ex.getMessage());
167 LOGGER.debug(ERROR_LOADING_PROPERTIES_FILE, ex);
168 exitCode = 4;
169 return exitCode;
170 }
171 try {
172 runUpdateOnly();
173 } catch (UpdateException ex) {
174 LOGGER.error(ex.getMessage(), ex);
175 exitCode = 8;
176 } catch (DatabaseException ex) {
177 LOGGER.error(ex.getMessage(), ex);
178 exitCode = 9;
179 } finally {
180 settings.cleanup();
181 }
182 } else if (cli.isRunScan()) {
183 try {
184 populateSettings(cli);
185 } catch (InvalidSettingException ex) {
186 LOGGER.error(ex.getMessage(), ex);
187 LOGGER.debug(ERROR_LOADING_PROPERTIES_FILE, ex);
188 exitCode = 4;
189 return exitCode;
190 }
191 try {
192 final String[] scanFiles = cli.getScanFiles();
193 if (scanFiles != null) {
194 exitCode = runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getProjectName(), scanFiles,
195 cli.getExcludeList(), cli.getSymLinkDepth(), cli.getFailOnCVSS());
196 } else {
197 LOGGER.error("No scan files configured");
198 }
199 } catch (DatabaseException ex) {
200 LOGGER.error(ex.getMessage());
201 LOGGER.debug("database exception", ex);
202 exitCode = 11;
203 } catch (ReportException ex) {
204 LOGGER.error(ex.getMessage());
205 LOGGER.debug("report exception", ex);
206 exitCode = 12;
207 } catch (ExceptionCollection ex) {
208 if (ex.isFatal()) {
209 exitCode = 13;
210 LOGGER.error("One or more fatal errors occurred");
211 } else {
212 exitCode = 14;
213 }
214 for (Throwable e : ex.getExceptions()) {
215 if (e.getMessage() != null) {
216 LOGGER.error(e.getMessage());
217 LOGGER.debug("unexpected error", e);
218 }
219 }
220 } finally {
221 settings.cleanup();
222 }
223 } else {
224 cli.printHelp();
225 }
226 return exitCode;
227 }
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249 private int runScan(String reportDirectory, String[] outputFormats, String applicationName, String[] files,
250 String[] excludes, int symLinkDepth, float cvssFailScore) throws DatabaseException,
251 ExceptionCollection, ReportException {
252 Engine engine = null;
253 try {
254 final List<String> antStylePaths = getPaths(files);
255 final Set<File> paths = scanAntStylePaths(antStylePaths, symLinkDepth, excludes);
256
257 engine = new Engine(settings);
258 engine.scan(paths);
259
260 ExceptionCollection exCol = null;
261 try {
262 engine.analyzeDependencies();
263 } catch (ExceptionCollection ex) {
264 if (ex.isFatal()) {
265 throw ex;
266 }
267 exCol = ex;
268 }
269
270 try {
271 for (String outputFormat : outputFormats) {
272 engine.writeReports(applicationName, new File(reportDirectory), outputFormat, exCol);
273 }
274 } catch (ReportException ex) {
275 if (exCol != null) {
276 exCol.addException(ex);
277 throw exCol;
278 } else {
279 throw ex;
280 }
281 }
282 if (exCol != null && !exCol.getExceptions().isEmpty()) {
283 throw exCol;
284 }
285 return determineReturnCode(engine, cvssFailScore);
286 } finally {
287 if (engine != null) {
288 engine.close();
289 }
290 }
291 }
292
293
294
295
296
297
298
299
300
301
302 private int determineReturnCode(Engine engine, float cvssFailScore) {
303 int retCode = 0;
304
305 final StringBuilder ids = new StringBuilder();
306 for (Dependency d : engine.getDependencies()) {
307 boolean addName = true;
308 for (Vulnerability v : d.getVulnerabilities()) {
309 final Double cvssV2 = v.getCvssV2() != null && v.getCvssV2().getCvssData() != null
310 && v.getCvssV2().getCvssData().getBaseScore() != null ? v.getCvssV2().getCvssData().getBaseScore() : -1;
311 final Double cvssV3 = v.getCvssV3() != null && v.getCvssV3().getCvssData() != null
312 && v.getCvssV3().getCvssData().getBaseScore() != null ? v.getCvssV3().getCvssData().getBaseScore() : -1;
313 final Double unscoredCvss = v.getUnscoredSeverity() != null ? SeverityUtil.estimateCvssV2(v.getUnscoredSeverity()) : -1;
314
315 if (cvssV2 >= cvssFailScore
316 || cvssV3 >= cvssFailScore
317 || unscoredCvss >= cvssFailScore
318
319 || (cvssFailScore <= 0.0f)) {
320 double score = 0.0;
321 if (cvssV3 >= 0.0) {
322 score = cvssV3;
323 } else if (cvssV2 >= 0.0) {
324 score = cvssV2;
325 } else if (unscoredCvss >= 0.0) {
326 score = unscoredCvss;
327 }
328 if (addName) {
329 addName = false;
330 ids.append(NEW_LINE).append(d.getFileName()).append(": ");
331 ids.append(v.getName()).append('(').append(score).append(')');
332 } else {
333 ids.append(", ").append(v.getName()).append('(').append(score).append(')');
334 }
335 }
336 }
337 }
338 if (ids.length() > 0) {
339 LOGGER.error(
340 String.format("%n%nOne or more dependencies were identified with vulnerabilities that have a CVSS score greater than or "
341 + "equal to '%.1f': %n%s%n%nSee the dependency-check report for more details.%n%n", cvssFailScore, ids)
342 );
343
344 retCode = 15;
345 }
346
347 return retCode;
348 }
349
350
351
352
353
354
355
356
357
358 private Set<File> scanAntStylePaths(List<String> antStylePaths, int symLinkDepth, String[] excludes) {
359 final Set<File> paths = new TreeSet<>();
360 for (String file : antStylePaths) {
361 LOGGER.debug("Scanning {}", file);
362 final DirectoryScanner scanner = new DirectoryScanner();
363 String include = file.replace('\\', '/');
364 final File baseDir;
365 final int pos = getLastFileSeparator(include);
366 final String tmpBase = include.substring(0, pos);
367 final String tmpInclude = include.substring(pos + 1);
368 if (tmpInclude.indexOf('*') >= 0 || tmpInclude.indexOf('?') >= 0
369 || new File(include).isFile()) {
370 baseDir = new File(tmpBase);
371 include = tmpInclude;
372 } else {
373 baseDir = new File(tmpBase, tmpInclude);
374 include = "**/*";
375 }
376 LOGGER.debug("BaseDir: " + baseDir);
377 LOGGER.debug("Include: " + include);
378 scanner.setBasedir(baseDir);
379 final String[] includes = {include};
380 scanner.setIncludes(includes);
381 scanner.setMaxLevelsOfSymlinks(symLinkDepth);
382 if (symLinkDepth <= 0) {
383 scanner.setFollowSymlinks(false);
384 }
385 if (excludes != null && excludes.length > 0) {
386 for (String e : excludes) {
387 LOGGER.debug("Exclude: " + e);
388 }
389 scanner.addExcludes(excludes);
390 }
391 scanner.scan();
392 if (scanner.getIncludedFilesCount() > 0) {
393 for (String s : scanner.getIncludedFiles()) {
394 final File f = new File(baseDir, s);
395 LOGGER.debug("Found file {}", f);
396 paths.add(f);
397 }
398 }
399 }
400 return paths;
401 }
402
403
404
405
406
407
408
409 private List<String> getPaths(String[] files) {
410 final List<String> antStylePaths = new ArrayList<>();
411 for (String file : files) {
412 final String antPath = ensureCanonicalPath(file);
413 antStylePaths.add(antPath);
414 }
415 return antStylePaths;
416 }
417
418
419
420
421
422
423
424
425 private void runUpdateOnly() throws UpdateException, DatabaseException {
426 try (Engine engine = new Engine(settings)) {
427 engine.doUpdates();
428 }
429 }
430
431
432
433
434
435
436
437
438
439
440 protected void populateSettings(CliParser cli) throws InvalidSettingException {
441 final File propertiesFile = cli.getFileArgument(CliParser.ARGUMENT.PROP);
442 if (propertiesFile != null) {
443 try {
444 settings.mergeProperties(propertiesFile);
445 } catch (FileNotFoundException ex) {
446 throw new InvalidSettingException("Unable to find properties file '" + propertiesFile.getPath() + "'", ex);
447 } catch (IOException ex) {
448 throw new InvalidSettingException("Error reading properties file '" + propertiesFile.getPath() + "'", ex);
449 }
450 }
451 final String dataDirectory = cli.getStringArgument(CliParser.ARGUMENT.DATA_DIRECTORY);
452 if (dataDirectory != null) {
453 settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
454 } else if (System.getProperty("basedir") != null) {
455 final File dataDir = new File(System.getProperty("basedir"), "data");
456 settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
457 } else {
458 final File jarPath = new File(App.class
459 .getProtectionDomain().getCodeSource().getLocation().getPath());
460 final File base = jarPath.getParentFile();
461 final String sub = settings.getString(Settings.KEYS.DATA_DIRECTORY);
462 final File dataDir = new File(base, sub);
463 settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
464 }
465 final Boolean autoUpdate = cli.hasOption(CliParser.ARGUMENT.DISABLE_AUTO_UPDATE) != null ? false : null;
466 settings.setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate);
467 settings.setStringIfNotEmpty(Settings.KEYS.PROXY_SERVER,
468 cli.getStringArgument(CliParser.ARGUMENT.PROXY_SERVER));
469 settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PORT,
470 cli.getStringArgument(CliParser.ARGUMENT.PROXY_PORT));
471 settings.setStringIfNotEmpty(Settings.KEYS.PROXY_USERNAME,
472 cli.getStringArgument(CliParser.ARGUMENT.PROXY_USERNAME));
473 settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PASSWORD,
474 cli.getStringArgument(CliParser.ARGUMENT.PROXY_PASSWORD, Settings.KEYS.PROXY_PASSWORD));
475 settings.setStringIfNotEmpty(Settings.KEYS.PROXY_NON_PROXY_HOSTS,
476 cli.getStringArgument(CliParser.ARGUMENT.NON_PROXY_HOSTS));
477 settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT,
478 cli.getStringArgument(CliParser.ARGUMENT.CONNECTION_TIMEOUT));
479 settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_READ_TIMEOUT,
480 cli.getStringArgument(CliParser.ARGUMENT.CONNECTION_READ_TIMEOUT));
481 settings.setStringIfNotEmpty(Settings.KEYS.HINTS_FILE,
482 cli.getStringArgument(CliParser.ARGUMENT.HINTS_FILE));
483 settings.setArrayIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE,
484 cli.getStringArguments(CliParser.ARGUMENT.SUPPRESSION_FILES));
485
486 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED,
487 cli.hasOption(CliParser.ARGUMENT.EXPERIMENTAL));
488 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIRED_ENABLED,
489 cli.hasOption(CliParser.ARGUMENT.RETIRED));
490 settings.setStringIfNotNull(Settings.KEYS.ANALYZER_GOLANG_PATH,
491 cli.getStringArgument(CliParser.ARGUMENT.PATH_TO_GO));
492 settings.setStringIfNotNull(Settings.KEYS.ANALYZER_YARN_PATH,
493 cli.getStringArgument(CliParser.ARGUMENT.PATH_TO_YARN));
494 settings.setStringIfNotNull(Settings.KEYS.ANALYZER_PNPM_PATH,
495 cli.getStringArgument(CliParser.ARGUMENT.PATH_TO_PNPM));
496 settings.setBooleanIfNotNull(Settings.KEYS.PRETTY_PRINT,
497 cli.hasOption(CliParser.ARGUMENT.PRETTY_PRINT));
498 settings.setStringIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_REPO_JS_URL,
499 cli.getStringArgument(CliParser.ARGUMENT.RETIREJS_URL));
500 settings.setStringIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_REPO_JS_USER,
501 cli.getStringArgument(CliParser.ARGUMENT.RETIREJS_URL_USER));
502 settings.setStringIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_REPO_JS_PASSWORD,
503 cli.getStringArgument(CliParser.ARGUMENT.RETIREJS_URL_PASSWORD));
504 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_FORCEUPDATE,
505 cli.hasOption(CliParser.ARGUMENT.RETIRE_JS_FORCEUPDATE));
506 settings.setStringIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_FILTERS,
507 cli.getStringArgument(CliParser.ARGUMENT.RETIREJS_FILTERS));
508 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_FILTER_NON_VULNERABLE,
509 cli.hasOption(CliParser.ARGUMENT.RETIREJS_FILTER_NON_VULNERABLE));
510 settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED,
511 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_JAR, Settings.KEYS.ANALYZER_JAR_ENABLED));
512 settings.setBoolean(Settings.KEYS.ANALYZER_MSBUILD_PROJECT_ENABLED,
513 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_MSBUILD, Settings.KEYS.ANALYZER_MSBUILD_PROJECT_ENABLED));
514 settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED,
515 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_ARCHIVE, Settings.KEYS.ANALYZER_ARCHIVE_ENABLED));
516 settings.setBoolean(Settings.KEYS.ANALYZER_KNOWN_EXPLOITED_ENABLED,
517 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_KEV, Settings.KEYS.ANALYZER_KNOWN_EXPLOITED_ENABLED));
518 settings.setStringIfNotNull(Settings.KEYS.KEV_URL,
519 cli.getStringArgument(CliParser.ARGUMENT.KEV_URL));
520 settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED,
521 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_PY_DIST, Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED));
522 settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED,
523 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_PY_PKG, Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED));
524 settings.setBoolean(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED,
525 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_AUTOCONF, Settings.KEYS.ANALYZER_AUTOCONF_ENABLED));
526 settings.setBoolean(Settings.KEYS.ANALYZER_MAVEN_INSTALL_ENABLED,
527 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_MAVEN_INSTALL, Settings.KEYS.ANALYZER_MAVEN_INSTALL_ENABLED));
528 settings.setBoolean(Settings.KEYS.ANALYZER_PIP_ENABLED,
529 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_PIP, Settings.KEYS.ANALYZER_PIP_ENABLED));
530 settings.setBoolean(Settings.KEYS.ANALYZER_PIPFILE_ENABLED,
531 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_PIPFILE, Settings.KEYS.ANALYZER_PIPFILE_ENABLED));
532 settings.setBoolean(Settings.KEYS.ANALYZER_POETRY_ENABLED,
533 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_POETRY, Settings.KEYS.ANALYZER_POETRY_ENABLED));
534 settings.setBoolean(Settings.KEYS.ANALYZER_CMAKE_ENABLED,
535 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_CMAKE, Settings.KEYS.ANALYZER_CMAKE_ENABLED));
536 settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED,
537 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_NUSPEC, Settings.KEYS.ANALYZER_NUSPEC_ENABLED));
538 settings.setBoolean(Settings.KEYS.ANALYZER_NUGETCONF_ENABLED,
539 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_NUGETCONF, Settings.KEYS.ANALYZER_NUGETCONF_ENABLED));
540 settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED,
541 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_ASSEMBLY, Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED));
542 settings.setBoolean(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED,
543 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_BUNDLE_AUDIT, Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED));
544 settings.setBoolean(Settings.KEYS.ANALYZER_FILE_NAME_ENABLED,
545 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_FILENAME, Settings.KEYS.ANALYZER_FILE_NAME_ENABLED));
546 settings.setBoolean(Settings.KEYS.ANALYZER_MIX_AUDIT_ENABLED,
547 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_MIX_AUDIT, Settings.KEYS.ANALYZER_MIX_AUDIT_ENABLED));
548 settings.setBoolean(Settings.KEYS.ANALYZER_OPENSSL_ENABLED,
549 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_OPENSSL, Settings.KEYS.ANALYZER_OPENSSL_ENABLED));
550 settings.setBoolean(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED,
551 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_COMPOSER, Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED));
552 settings.setBoolean(Settings.KEYS.ANALYZER_CPANFILE_ENABLED,
553 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_CPAN, Settings.KEYS.ANALYZER_CPANFILE_ENABLED));
554 settings.setBoolean(Settings.KEYS.ANALYZER_GOLANG_DEP_ENABLED,
555 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_GO_DEP, Settings.KEYS.ANALYZER_GOLANG_DEP_ENABLED));
556 settings.setBoolean(Settings.KEYS.ANALYZER_GOLANG_MOD_ENABLED,
557 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_GOLANG_MOD, Settings.KEYS.ANALYZER_GOLANG_MOD_ENABLED));
558 settings.setBoolean(Settings.KEYS.ANALYZER_DART_ENABLED,
559 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_DART, Settings.KEYS.ANALYZER_DART_ENABLED));
560 settings.setBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED,
561 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_NODE_JS, Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED));
562 settings.setBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED,
563 !cli.isNodeAuditDisabled());
564 settings.setBoolean(Settings.KEYS.ANALYZER_YARN_AUDIT_ENABLED,
565 !cli.isYarnAuditDisabled());
566 settings.setBoolean(Settings.KEYS.ANALYZER_PNPM_AUDIT_ENABLED,
567 !cli.isPnpmAuditDisabled());
568 settings.setBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_USE_CACHE,
569 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_NODE_AUDIT_CACHE, Settings.KEYS.ANALYZER_NODE_AUDIT_USE_CACHE));
570 settings.setBoolean(Settings.KEYS.ANALYZER_RETIREJS_ENABLED,
571 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_RETIRE_JS, Settings.KEYS.ANALYZER_RETIREJS_ENABLED));
572 settings.setBoolean(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED,
573 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_SWIFT, Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED));
574 settings.setBoolean(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_RESOLVED_ENABLED,
575 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_SWIFT_RESOLVED, Settings.KEYS.ANALYZER_SWIFT_PACKAGE_RESOLVED_ENABLED));
576 settings.setBoolean(Settings.KEYS.ANALYZER_COCOAPODS_ENABLED,
577 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_COCOAPODS, Settings.KEYS.ANALYZER_COCOAPODS_ENABLED));
578 settings.setBoolean(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED,
579 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_RUBYGEMS, Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED));
580 settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED,
581 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_CENTRAL, Settings.KEYS.ANALYZER_CENTRAL_ENABLED));
582 settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_USE_CACHE,
583 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_CENTRAL_CACHE, Settings.KEYS.ANALYZER_CENTRAL_USE_CACHE));
584 settings.setBoolean(Settings.KEYS.ANALYZER_OSSINDEX_ENABLED,
585 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_OSSINDEX, Settings.KEYS.ANALYZER_OSSINDEX_ENABLED));
586 settings.setBoolean(Settings.KEYS.ANALYZER_OSSINDEX_USE_CACHE,
587 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_OSSINDEX_CACHE, Settings.KEYS.ANALYZER_OSSINDEX_USE_CACHE));
588
589 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_SKIPDEV,
590 cli.hasOption(CliParser.ARGUMENT.NODE_PACKAGE_SKIP_DEV_DEPENDENCIES));
591 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_SKIPDEV,
592 cli.hasOption(CliParser.ARGUMENT.DISABLE_NODE_AUDIT_SKIPDEV));
593 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_ENABLED,
594 cli.hasOption(CliParser.ARGUMENT.ENABLE_NEXUS));
595 settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_CENTRAL_URL,
596 cli.getStringArgument(CliParser.ARGUMENT.CENTRAL_URL));
597 settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_URL,
598 cli.getStringArgument(CliParser.ARGUMENT.OSSINDEX_URL));
599 settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_USER,
600 cli.getStringArgument(CliParser.ARGUMENT.OSSINDEX_USERNAME));
601 settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_PASSWORD,
602 cli.getStringArgument(CliParser.ARGUMENT.OSSINDEX_PASSWORD, Settings.KEYS.ANALYZER_OSSINDEX_PASSWORD));
603 settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS,
604 cli.getStringArgument(CliParser.ARGUMENT.OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS,
605 Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS));
606 settings.setFloat(Settings.KEYS.JUNIT_FAIL_ON_CVSS,
607 cli.getFloatArgument(CliParser.ARGUMENT.FAIL_JUNIT_ON_CVSS, 0));
608 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_ENABLED,
609 cli.hasOption(CliParser.ARGUMENT.ARTIFACTORY_ENABLED));
610 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_PARALLEL_ANALYSIS,
611 cli.getBooleanArgument(CliParser.ARGUMENT.ARTIFACTORY_PARALLEL_ANALYSIS));
612 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_USES_PROXY,
613 cli.getBooleanArgument(CliParser.ARGUMENT.ARTIFACTORY_USES_PROXY));
614 settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ARTIFACTORY_URL,
615 cli.getStringArgument(CliParser.ARGUMENT.ARTIFACTORY_URL));
616 settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ARTIFACTORY_API_USERNAME,
617 cli.getStringArgument(CliParser.ARGUMENT.ARTIFACTORY_USERNAME));
618 settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ARTIFACTORY_API_TOKEN,
619 cli.getStringArgument(CliParser.ARGUMENT.ARTIFACTORY_API_TOKEN));
620 settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ARTIFACTORY_BEARER_TOKEN,
621 cli.getStringArgument(CliParser.ARGUMENT.ARTIFACTORY_BEARER_TOKEN));
622 settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_MIX_AUDIT_PATH,
623 cli.getStringArgument(CliParser.ARGUMENT.PATH_TO_MIX_AUDIT));
624 settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH,
625 cli.getStringArgument(CliParser.ARGUMENT.PATH_TO_BUNDLE_AUDIT));
626 settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_WORKING_DIRECTORY,
627 cli.getStringArgument(CliParser.ARGUMENT.PATH_TO_BUNDLE_AUDIT_WORKING_DIRECTORY));
628 settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL,
629 cli.getStringArgument(CliParser.ARGUMENT.NEXUS_URL));
630 settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_USER,
631 cli.getStringArgument(CliParser.ARGUMENT.NEXUS_USERNAME));
632 settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_PASSWORD,
633 cli.getStringArgument(CliParser.ARGUMENT.NEXUS_PASSWORD, Settings.KEYS.ANALYZER_NEXUS_PASSWORD));
634
635 final boolean nexusUsesProxy = cli.isNexusUsesProxy();
636 settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
637 settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME,
638 cli.getStringArgument(CliParser.ARGUMENT.DB_DRIVER));
639 settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH,
640 cli.getStringArgument(CliParser.ARGUMENT.DB_DRIVER_PATH));
641 settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING,
642 cli.getStringArgument(CliParser.ARGUMENT.CONNECTION_STRING));
643 settings.setStringIfNotEmpty(Settings.KEYS.DB_USER,
644 cli.getStringArgument(CliParser.ARGUMENT.DB_NAME));
645 settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD,
646 cli.getStringArgument(CliParser.ARGUMENT.DB_PASSWORD, Settings.KEYS.DB_PASSWORD));
647 settings.setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS,
648 cli.getStringArgument(CliParser.ARGUMENT.ADDITIONAL_ZIP_EXTENSIONS));
649 settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_DOTNET_PATH,
650 cli.getStringArgument(CliParser.ARGUMENT.PATH_TO_CORE));
651
652 String key = cli.getStringArgument(CliParser.ARGUMENT.NVD_API_KEY);
653 if (key != null) {
654 if ((key.startsWith("\"") && key.endsWith("\"") || (key.startsWith("'") && key.endsWith("'")))) {
655 key = key.substring(1, key.length() - 1);
656 }
657 settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_KEY, key);
658 }
659 settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_ENDPOINT,
660 cli.getStringArgument(CliParser.ARGUMENT.NVD_API_ENDPOINT));
661 settings.setIntIfNotNull(Settings.KEYS.NVD_API_DELAY, cli.getIntegerValue(CliParser.ARGUMENT.NVD_API_DELAY));
662 settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_DATAFEED_URL, cli.getStringArgument(CliParser.ARGUMENT.NVD_API_DATAFEED_URL));
663 settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_DATAFEED_USER, cli.getStringArgument(CliParser.ARGUMENT.NVD_API_DATAFEED_USER));
664 settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_DATAFEED_PASSWORD, cli.getStringArgument(CliParser.ARGUMENT.NVD_API_DATAFEED_PASSWORD));
665 settings.setIntIfNotNull(Settings.KEYS.NVD_API_MAX_RETRY_COUNT, cli.getIntegerValue(CliParser.ARGUMENT.NVD_API_MAX_RETRY_COUNT));
666 settings.setIntIfNotNull(Settings.KEYS.NVD_API_VALID_FOR_HOURS, cli.getIntegerValue(CliParser.ARGUMENT.NVD_API_VALID_FOR_HOURS));
667
668 settings.setStringIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_URL,
669 cli.getStringArgument(CliParser.ARGUMENT.HOSTED_SUPPRESSIONS_URL));
670 settings.setBoolean(Settings.KEYS.HOSTED_SUPPRESSIONS_ENABLED,
671 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_HOSTED_SUPPRESSIONS, Settings.KEYS.HOSTED_SUPPRESSIONS_ENABLED));
672 settings.setBooleanIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_FORCEUPDATE,
673 cli.hasOption(CliParser.ARGUMENT.HOSTED_SUPPRESSIONS_FORCEUPDATE));
674 settings.setIntIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_VALID_FOR_HOURS,
675 cli.getIntegerValue(CliParser.ARGUMENT.HOSTED_SUPPRESSIONS_VALID_FOR_HOURS));
676 }
677
678
679
680
681
682
683
684 private void prepareLogger(String verboseLog) {
685 final LoggerContext context = (LoggerContext) LoggerFactory.getILoggerFactory();
686 final PatternLayoutEncoder encoder = new PatternLayoutEncoder();
687 encoder.setPattern("%d %C:%L%n%-5level - %msg%n");
688 encoder.setContext(context);
689 encoder.start();
690 final FileAppender<ILoggingEvent> fa = new FileAppender<>();
691 fa.setAppend(true);
692 fa.setEncoder(encoder);
693 fa.setContext(context);
694 fa.setFile(verboseLog);
695 final File f = new File(verboseLog);
696 String name = f.getName();
697 final int i = name.lastIndexOf('.');
698 if (i > 1) {
699 name = name.substring(0, i);
700 }
701 fa.setName(name);
702 fa.start();
703 final ch.qos.logback.classic.Logger rootLogger = context.getLogger(ch.qos.logback.classic.Logger.ROOT_LOGGER_NAME);
704 rootLogger.setLevel(Level.DEBUG);
705 final ThresholdFilter filter = new ThresholdFilter();
706 filter.setLevel(LogLevel.INFO.getValue());
707 filter.setContext(context);
708 filter.start();
709 rootLogger.iteratorForAppenders().forEachRemaining(action -> action.addFilter(filter));
710 rootLogger.addAppender(fa);
711 }
712
713
714
715
716
717
718
719
720
721
722 protected String ensureCanonicalPath(String path) {
723 final String basePath;
724 String wildCards = null;
725 final String file = path.replace('\\', '/');
726 if (file.contains("*") || file.contains("?")) {
727
728 int pos = getLastFileSeparator(file);
729 if (pos < 0) {
730 return file;
731 }
732 pos += 1;
733 basePath = file.substring(0, pos);
734 wildCards = file.substring(pos);
735 } else {
736 basePath = file;
737 }
738
739 File f = new File(basePath);
740 try {
741 f = f.getCanonicalFile();
742 if (wildCards != null) {
743 f = new File(f, wildCards);
744 }
745 } catch (IOException ex) {
746 LOGGER.warn("Invalid path '{}' was provided.", path);
747 LOGGER.debug("Invalid path provided", ex);
748 }
749 return f.getAbsolutePath().replace('\\', '/');
750 }
751
752
753
754
755
756
757
758 @SuppressWarnings("ManualMinMaxCalculation")
759 private int getLastFileSeparator(String file) {
760 if (file.contains("*") || file.contains("?")) {
761 int p1 = file.indexOf('*');
762 int p2 = file.indexOf('?');
763 p1 = p1 > 0 ? p1 : file.length();
764 p2 = p2 > 0 ? p2 : file.length();
765 int pos = p1 < p2 ? p1 : p2;
766 pos = file.lastIndexOf('/', pos);
767 return pos;
768 } else {
769 return file.lastIndexOf('/');
770 }
771 }
772 }