
Dependency-Check-Gradle

The dependency-check gradle plugin allows projects to monitor dependent libraries for known, published vulnerabilities.

9.0.0 Upgrade Notice

Breaking Changes are included in the 9.0.0 release. Please see the 9.0.0 Upgrade Notice on the primary dependency-check site for more information.

Gradle Build Environment

With 9.0.0, users may encounter NoSuchMethodError exceptions caused by dependency resolution. If you hit this, pin some of dependency-check's transitive dependencies to specific versions. For example:

/buildSrc/build.gradle

dependencies {
    constraints {
        // org.owasp.dependencycheck needs at least this version of jackson. Other plugins pull in older versions.
        add("implementation", "com.fasterxml.jackson:jackson-bom:2.16.1")
        // org.owasp.dependencycheck needs these versions. Other plugins pull in older versions.
        add("implementation", "org.apache.commons:commons-lang3:3.14.0")
        add("implementation", "org.apache.commons:commons-text:1.11.0")
    }
}

Current Release

The latest version is published on Maven Central.

Usage

Below are the quick start instructions. Please see the documentation site for more detailed information on configuration and usage.

Step 1: Apply the dependency-check Gradle plugin

Install from the Maven Central repository:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'org.owasp:dependency-check-gradle:9.2.0'
    }
}

apply plugin: 'org.owasp.dependencycheck'

Step 2: Run the Gradle task

Once the plugin is applied, run the following Gradle task to check the dependencies:

gradle dependencyCheckAnalyze --info

The reports are generated automatically under the build/reports directory.

If your project includes multiple sub-projects, a report is generated for each sub-project under its own build/reports directory.

FAQ

Questions List:

  • What if my project includes multiple sub-projects? How can I use this plugin for each of them, including the root project?
  • How do I customize the report directory?
  • How do I use the plugin with the Gradle Kotlin DSL?

What if my project includes multiple sub-projects? How can I use this plugin for each of them, including the root project?

Apply the plugin inside the allprojects block to check every project including the root, or inside the subprojects block to check only the sub-projects, as shown below:

(1) For all projects including root project:

buildscript {
  repositories {
    mavenCentral()
  }
  dependencies {
    classpath 'org.owasp:dependency-check-gradle:9.2.0'
  }
}

allprojects {
    apply plugin: 'org.owasp.dependencycheck'
}

(2) For all sub-projects:

buildscript {
  repositories {
    mavenCentral()
  }
  dependencies {
    classpath 'org.owasp:dependency-check-gradle:9.2.0'
  }
}

subprojects {
    apply plugin: 'org.owasp.dependencycheck'
}

This way, the dependency check runs either for all projects (including the root project) or just for the sub-projects.

How do I customize the report directory?

By default, all reports are placed under the build/reports folder. To change the reporting folder, modify the configuration section like this:

subprojects {
    apply plugin: 'org.owasp.dependencycheck'

    dependencyCheck {
        outputDirectory = "$buildDir/security-report"
    }
}

How do I use the plugin with the Gradle Kotlin DSL?

plugins {
    id("org.owasp.dependencycheck") version "9.2.0" apply false
}

allprojects {
    apply(plugin = "org.owasp.dependencycheck")
}

configure<org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension> {
    format = org.owasp.dependencycheck.reporting.ReportGenerator.Format.ALL.toString()
}
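The quick-start steps and FAQ entries above apply the plugin and pick an output directory, but say nothing about how a build should act on the findings. The following root build.gradle is an added example in the Groovy DSL, not code from the plugin's README; it assumes a multi-project build, a reviewed suppression file at config/dependency-check/suppressions.xml (path chosen here), and an NVD_API_KEY environment variable supplied by the CI system.

```groovy
// Root build.gradle for a multi-project build (added example, not the plugin's own code).
buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'org.owasp:dependency-check-gradle:9.2.0'
    }
}

allprojects {
    apply plugin: 'org.owasp.dependencycheck'

    dependencyCheck {
        // 9.x fetches NVD data through the NVD API. Read the key from the
        // environment (NVD_API_KEY is an assumed variable name) rather than
        // committing it to the build script.
        nvd {
            apiKey = System.getenv('NVD_API_KEY')
        }

        // Keep each project's report beside its other build reports, and emit
        // JSON alongside HTML so a pipeline step can parse the findings.
        outputDirectory = "${project.buildDir}/reports/dependency-check"
        formats = ['HTML', 'JSON']

        // Gate the build: fail when any finding has a CVSS base score of 7.0
        // or higher. Without this setting the task only reports.
        failBuildOnCVSS = 7.0

        // Only production classpaths matter for the shipped attack surface;
        // leave test-only configurations out of the scan.
        skipConfigurations = ['testCompileClasspath', 'testRuntimeClasspath']

        // Findings that are confirmed false positives (a CVE for a different
        // product matched through a loose CPE) are suppressed in a reviewed
        // file with a note per entry, instead of lowering the threshold.
        suppressionFile = "${rootProject.projectDir}/config/dependency-check/suppressions.xml"
    }
}
```

Running gradle dependencyCheckAnalyze at the root produces one report per project; gradle dependencyCheckAggregate merges every project's findings into a single report under the root project's output directory.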

dependency-check-gradle's People

Contributors

aikebah, awhitford, bdhave, bloihl, bodewig, caligin, chrisbadalucco, furikake, hakanai, holubec-petr, ideazinfinite, jeremylong, laffer1, larsgrefer, marx314, mcwarman, n0rthdev, olivero2, paddydrury, paveljandejsek, rarspace01, raysinnema, robertoschwald, savvasmisaghmoayyed, shevek, skjolber, stefanneuhaus, stuartraetaylor, willis7, wmaintw

dependency-check-gradle's Issues

Support for hosted maven repositories and jCenter

I see in logs:

...
Unable to download pom.xml for javax.inject-1.jar from Central; this could result in undetected CPE/CVEs.
Unable to download pom.xml for equalsverifier-2.1.7.jar from Central; this could result in undetected CPE/CVEs.
...

That might be related to the fact that we use our own hosted maven repo, or that some dependencies are only distributed through jCenter.

Can I troubleshoot this situation with any setting? Or should I build the plugin from sources and modify it?

Android test dependencies are not ignored

When using this library with Android, none of the Android test dependencies are ignored.

I've added some code here for a PR, but whenever I run the command
./gradlew build install integTest --info
the test still fails.

So this is both a bug report as well as my asking:
It seems like my changes aren't taking effect; am I running the tests in a way that won't pick up my changes?

getting java.util.NoSuchElementException on dependencyCheck

Hey there,

I just tried to set up this dependency check plugin for one of my gradle builds.

My build.gradle

buildscript {
    repositories {
        mavenLocal()
        mavenCentral()
        jcenter()
    }
}
plugins {
    id "org.sonarqube" version "2.2.1"
    id "org.owasp.dependencycheck" version "1.4.5"
}

repositories {
    mavenLocal()
    mavenCentral()
    jcenter()
}

apply plugin: 'java'
apply plugin: 'idea'
apply plugin: 'maven'

group = 'com.example'
version = '1.0.0-SNAPSHOT'

dependencies {
    compile gradleApi()

    compile 'com.atlassian.jgitflow:jgit-flow-core:0.21'
    compile 'com.github.zafarkhaja:java-semver:0.9.0'
}


compileJava {
    sourceCompatibility = 1.8
    targetCompatibility = 1.8
}

wrapper.gradleVersion = '2.14.1'

my gradlew call: gradlew dependencyCheck --stacktrace

and finally the build log:

:dependencyCheck                                                                 
Verifying dependencies for project gradle-gitflow-release
Checking for updates and analyzing vulnerabilities for dependencies 
:dependencyCheck FAILED         
             
FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':dependencyCheck'.
> java.util.NoSuchElementException (no error message)

* Try:
Run with --info or --debug option to get more log output.

* Exception is:
org.gradle.api.tasks.TaskExecutionException: Execution failed for task ':dependencyCheck'.
Caused by: java.util.NoSuchElementException
        at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:261)
        at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:228)
        at org.owasp.dependencycheck.data.update.nvd.UpdateableNvdCve.add(UpdateableNvdCve.java:101)
        at org.owasp.dependencycheck.data.update.NvdCveUpdater.retrieveCurrentTimestampsFromWeb(NvdCveUpdater.java:348)
        at org.owasp.dependencycheck.data.update.NvdCveUpdater.getUpdatesNeeded(NvdCveUpdater.java:267)
        at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:87)
        at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:683)
        at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:490)
        at org.owasp.dependencycheck.Engine$analyzeDependencies$0.call(Unknown Source)
        at org.owasp.dependencycheck.gradle.tasks.Check.check(Check.groovy:85)


BUILD FAILED

Total time: 10.723 secs

Cannot Connect to Maven Central

I am receiving "Unable to connect to Maven Central" when I use dependency-check-gradle plugin latest version. Seems it is trying to reach Maven central.

It's failing even when I set a proxy in gradle.properties or on the Gradle command line

gradle dependencyCheckAnalyze

I am using a downloaded NVD file and setting data directory and using it.

12:03:09.428 [DEBUG] [sun.net.www.protocol.http.HttpURLConnection] sun.net.www.MessageHeader@67cf49485 pairs: {null: HTTP/1.1 400 Bad Request}{Date: Tue, 05 Dec 2017 20:03:09 GMT}{Server: nginx/1.12.1}{Content-Length: 0}{Connection: keep-alive}
12:03:09.429 [DEBUG] [org.owasp.dependencycheck.analyzer.CentralAnalyzer] Could not connect to Central search (tries left: 4): Could not connect to MavenCentral (400): Bad Request
12:03:09.429 [DEBUG] [sun.net.www.protocol.http.HttpURLConnection] sun.net.www.MessageHeader@6e895b925 pairs: {null: HTTP/1.1 400 Bad Request}{Date: Tue, 05 Dec 2017 20:03:09 GMT}{Server: nginx/1.12.1}{Content-Length: 0}{Connection: keep-alive}
12:03:09.429 [DEBUG] [org.owasp.dependencycheck.analyzer.CentralAnalyzer] Could not connect to Central search (tries left: 4): Could not connect to MavenCentral (400): Bad Request
12:03:09.429 [DEBUG] [sun.net.www.protocol.http.HttpURLConnection] sun.net.www.MessageHeader@272afc4e5 pairs: {null: HTTP/1.1 400 Bad Request}{Date: Tue, 05 Dec 2017 20:03:09 GMT}{Server: nginx/1.12.1}{Content-Length: 0}{Connection: keep-alive}
12:03:09.430 [DEBUG] [org.owasp.dependencycheck.analyzer.CentralAnalyzer] Could not connect to Central search (tries left: 4): Could not connect to MavenCentral (400): Bad Request
12:03:09.431 [DEBUG] [sun.net.www.protocol.http.HttpURLConnection] sun.net.www.MessageHeader@718e60f75 pairs: {null: HTTP/1.1 400 Bad Request}{Date: Tue, 05 Dec 2017 20:03:09 GMT}{Server: nginx/1.12.1}{Content-Length: 0}{Connection: keep-alive}
12:03:09.431 [DEBUG] [org.owasp.dependencycheck.analyzer.CentralAnalyzer] Could not connect to Central search (tries left: 4): Could not connect to MavenCentral (400): Bad Request
12:03:09.432 [DEBUG] [sun.net.www.protocol.http.HttpURLConnection] sun.net.www.MessageHeader@266e146b5 pairs: {null: HTTP/1.1 400 Bad Request}{Date: Tue, 05 Dec 2017 20:03:09 GMT}{Server: nginx/1.12.1}{Content-Length: 0}{Connection: keep-alive}
12:03:09.432 [DEBUG] [org.owasp.dependencycheck.analyzer.CentralAnalyzer] Could not connect to Central search (tries left: 4): Could not connect to MavenCentral (400): Bad Request
12:03:09.432 [DEBUG] [sun.net.www.protocol.http.HttpURLConnection] sun.net.www.MessageHeader@7070c4c5 pairs: {null: HTTP/1.1 400 Bad Request}{Date: Tue, 05 Dec 2017 20:03:09 GMT}{Server: nginx/1.12.1}{Content-Length: 0}{Connection: keep-alive}

org.h2.jdbc.JdbcSQLException: File corrupted while reading record: "65423 of 64658". Possible solution: use the recovery tool [90030-176]

Hi,
I downloaded the h2 database and manually set the data extension's directory option to the folder containing the db. I see an intermittent issue throwing the error message shown below. Any suggestions?

20:52:25.033 [DEBUG] [org.owasp.dependencycheck.data.nvdcve.ConnectionFactory] 
org.h2.jdbc.JdbcSQLException: File corrupted while reading record: "65423 of 64658". Possible solution: use the recovery tool [90030-176]
	at org.h2.message.DbException.getJdbcSQLException(DbException.java:344)
	at org.h2.message.DbException.get(DbException.java:178)
	at org.h2.message.DbException.get(DbException.java:154)
	at org.h2.store.PageStore.readPage(PageStore.java:1322)
	at org.h2.store.PageStore.getPage(PageStore.java:750)
	at org.h2.index.PageDataIndex.getPage(PageDataIndex.java:234)
	at org.h2.index.PageDataNode.getLastKey(PageDataNode.java:215)
	at org.h2.index.PageDataIndex.<init>(PageDataIndex.java:88)
	at org.h2.table.RegularTable.<init>(RegularTable.java:84)
	at org.h2.store.PageStore.addMeta(PageStore.java:1693)
	at org.h2.store.PageStore.readMetaData(PageStore.java:1624)
	at org.h2.store.PageStore.recover(PageStore.java:1406)
	at org.h2.store.PageStore.openExisting(PageStore.java:368)
	at org.h2.store.PageStore.open(PageStore.java:289)
	at org.h2.engine.Database.getPageStore(Database.java:2366)
	at org.h2.engine.Database.open(Database.java:657)
	at org.h2.engine.Database.openDatabase(Database.java:260)
	at org.h2.engine.Database.<init>(Database.java:254)
	at org.h2.engine.Engine.openSession(Engine.java:57)
	at org.h2.engine.Engine.openSession(Engine.java:164)
	at org.h2.engine.Engine.createSessionAndValidate(Engine.java:142)
	at org.h2.engine.Engine.createSession(Engine.java:125)
	at org.h2.engine.Engine.createSession(Engine.java:27)
	at org.h2.engine.SessionRemote.connectEmbeddedOrServer(SessionRemote.java:331)
	at org.h2.jdbc.JdbcConnection.<init>(JdbcConnection.java:107)
	at org.h2.jdbc.JdbcConnection.<init>(JdbcConnection.java:91)
	at org.h2.Driver.connect(Driver.java:74)
	at java.sql.DriverManager.getConnection(DriverManager.java:664)
	at java.sql.DriverManager.getConnection(DriverManager.java:247)
	at org.owasp.dependencycheck.data.nvdcve.ConnectionFactory.getConnection(ConnectionFactory.java:228)
	at org.owasp.dependencycheck.data.nvdcve.CveDB.open(CveDB.java:262)
	at org.owasp.dependencycheck.data.nvdcve.CveDB.getInstance(CveDB.java:210)
	at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:576)
	at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:492)
	at org.owasp.dependencycheck.Engine$analyzeDependencies$0.call(Unknown Source)
	at org.owasp.dependencycheck.gradle.tasks.Check.check(Check.groovy:79)

dependencyCheckAnalyze fails in Android project with more than one module

After updating an Android application to Gradle 4.1, the dependencyCheckAnalyze task has started failing. It appears that it is unable to handle multiple modules. I have created a sample app that demonstrates the problem: https://github.com/gmetal/sample-dependency-check-app
If you run the dependencyCheckAnalyze task, you'll see something like the following:

./gradlew dependencyCheckAnalyze

> Task :app:dependencyCheckAnalyze
Verifying dependencies for project app


FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':app:dependencyCheckAnalyze'.
> Could not resolve all dependencies for configuration ':app:debugCompileClasspath'.
   > More than one variant of project :mylibrary matches the consumer attributes:
       - Configuration ':mylibrary:debugApiElements' variant android-aidl:
           - Found artifactType 'android-aidl' but wasn't required.
           - Required com.android.build.api.attributes.BuildTypeAttr 'debug' and found compatible value 'debug'.
           - Required com.android.build.gradle.internal.dependency.AndroidTypeAttr 'Aar' and found compatible value 'Aar'.
           - Found com.android.build.gradle.internal.dependency.VariantAttr 'debug' but wasn't required.
           - Required org.gradle.api.attributes.Usage 'java-api' and found compatible value 'java-api'.
       - Configuration ':mylibrary:debugApiElements' variant android-classes:
           - Found artifactType 'android-classes' but wasn't required.
           - Required com.android.build.api.attributes.BuildTypeAttr 'debug' and found compatible value 'debug'.
           - Required com.android.build.gradle.internal.dependency.AndroidTypeAttr 'Aar' and found compatible value 'Aar'.
           - Found com.android.build.gradle.internal.dependency.VariantAttr 'debug' but wasn't required.
           - Required org.gradle.api.attributes.Usage 'java-api' and found compatible value 'java-api'.
       - Configuration ':mylibrary:debugApiElements' variant android-manifest:
           - Found artifactType 'android-manifest' but wasn't required.
           - Required com.android.build.api.attributes.BuildTypeAttr 'debug' and found compatible value 'debug'.
           - Required com.android.build.gradle.internal.dependency.AndroidTypeAttr 'Aar' and found compatible value 'Aar'.
           - Found com.android.build.gradle.internal.dependency.VariantAttr 'debug' but wasn't required.
           - Required org.gradle.api.attributes.Usage 'java-api' and found compatible value 'java-api'.
       - Configuration ':mylibrary:debugApiElements' variant android-renderscript:
           - Found artifactType 'android-renderscript' but wasn't required.
           - Required com.android.build.api.attributes.BuildTypeAttr 'debug' and found compatible value 'debug'.
           - Required com.android.build.gradle.internal.dependency.AndroidTypeAttr 'Aar' and found compatible value 'Aar'.
           - Found com.android.build.gradle.internal.dependency.VariantAttr 'debug' but wasn't required.
           - Required org.gradle.api.attributes.Usage 'java-api' and found compatible value 'java-api'.
       - Configuration ':mylibrary:debugApiElements' variant jar:
           - Found artifactType 'jar' but wasn't required.
           - Required com.android.build.api.attributes.BuildTypeAttr 'debug' and found compatible value 'debug'.
           - Required com.android.build.gradle.internal.dependency.AndroidTypeAttr 'Aar' and found compatible value 'Aar'.
           - Found com.android.build.gradle.internal.dependency.VariantAttr 'debug' but wasn't required.
           - Required org.gradle.api.attributes.Usage 'java-api' and found compatible value 'java-api'.

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output.

* Get more help at https://help.gradle.org

BUILD FAILED in 1s
1 actionable task: 1 executed

Can we add a disable all checks setting?

Would it be possible to add a configuration setting for the analyze task to skip all processing?

Context: In gradle-fury we have build profiles similar to maven profiles that we can enable/disable from the command line. In addition, the build script checks a properties file for a set of properties to conditionally enable/disable certain checks (pmd, checkstyle, etc.), including the dependency check. There is no way in gradle (that I've discovered) to conditionally "apply" a plugin, therefore the plugin has to have an enabled/disabled property that can be set.

False positive against jetty-9.4.7

Greetings,

Updated to new dependency-check-gradle 3.0.0 and executed a scan however it appears to identify an extra dependency vulnerability against recent Jetty.

Mortbay Jetty before 6.1.6rc1 does not properly handle "certain quote sequences" in HTML cookie parameters, which allows remote attackers to hijack browser sessions via unspecified vectors.

Gradle dependency in question

+--- org.eclipse.jetty:apache-jsp:9.4.7.v20170914
|    +--- org.eclipse.jetty:jetty-util:9.4.7.v20170914
|    +--- org.eclipse.jetty.toolchain:jetty-schemas:3.1
|    +--- javax.servlet:javax.servlet-api:3.1.0
|    +--- org.mortbay.jasper:apache-jsp:8.5.9.1
|    |    +--- org.eclipse.jetty.toolchain:jetty-schemas:3.1
|    |    \--- org.mortbay.jasper:apache-el:8.5.9.1
|    +--- org.eclipse.jdt.core.compiler:ecj:4.4.2
|    \--- org.eclipse.jetty:jetty-annotations:9.4.7.v20170914 (*)

Plugin output:

00:39:27.802 jetty-schemas-3.1.jar (cpe:/a:mortbay_jetty:jetty:3.1, cpe:/a:jetty:jetty:3.1, org.eclipse.jetty.toolchain:jetty-schemas:3.1, cpe:/a:eclipse:jetty:3.1) : CVE-2017-9735, CVE-2007-5615, CVE-2007-5614, CVE-2007-5613

The dependency in question however is pretty recent and not from Jetty 10 years ago as targeted by the CVE in question.

false positive for mysql-connector-java 8.0.8-dmr

mysql-connector-java-8.0.8-dmr.jar (cpe:/a:mysql:mysql:8.0.8, cpe:/a:oracle:connector/j:8.0.8, cpe:/a:oracle:mysql:8.0.8, cpe:/a:oracle:mysql_connectors:8.0.8, cpe:/a:sun:mysql_connector/j:8.0.8, mysql:mysql-connector-java:8.0.8-dmr) : CVE-2012-5627

The CVE is an old one for MySQL-Server, not the connector as far as I can see.

False Positive for icu4j 59.1

Running dependency check in my spring boot app that depends on Slugify 2.1.12 by @srl295, which in turn depends on icu4j 59.1 (making this a transitive dependency), gives this output:

icu4j-59.1.jar (com.ibm.icu:icu4j:59.1, cpe:/a:icu_project:international_components_for_unicode:59.1) : CVE-2017-14952

The CVE details refer to icu4c 59.1 but it seems to have mistakenly flagged icu4j.

FYI, we have dependency check as part of our build pipeline and the build fails when any dependency has a CVSS V2 base score of 7.0 or higher. CVE-2017-14952 has a CVSS score of 7.5.

The issue was initially reported by @jzimermann here as an issue with slugify

NPE in dependencyCheckAnalyze Engine.writeReports(Engine.java:934)

Hi, I am using the gradle plugin with version 2.1.1. With 2.1.0, I had the problem described in #52. After updating to 2.1.1, I get the exception listed below. This is my gradle configuration:

dependencies {
    classpath('org.owasp:dependency-check-gradle:2.1.1')
    ...
}
apply plugin: 'org.owasp.dependencycheck'

I am using Gradle version 3.4.1; the output of ./gradlew dependencyCheckAnalyze --stacktrace is:

./gradlew dependencyCheckAnalyze --stacktrace 
Parallel execution with configuration on demand is an incubating feature.
:buildSrc:compileJava NO-SOURCE
:buildSrc:compileGroovy UP-TO-DATE
:buildSrc:processResources NO-SOURCE
:buildSrc:classes UP-TO-DATE
:buildSrc:jar UP-TO-DATE
:buildSrc:assemble UP-TO-DATE
:buildSrc:compileTestJava NO-SOURCE
:buildSrc:compileTestGroovy NO-SOURCE
:buildSrc:processTestResources NO-SOURCE
:buildSrc:testClasses UP-TO-DATE
:buildSrc:test NO-SOURCE
:buildSrc:check UP-TO-DATE
:buildSrc:build UP-TO-DATE
Trying to override old definition of datatype junit
Trying to override old definition of datatype junit
Trying to override old definition of datatype junit
:suite:dependencyCheckAnalyze
Verifying dependencies for project suite
Checking for updates and analyzing vulnerabilities for dependencies
Generating report for project suite
:suite:dependencyCheckAnalyze FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':suite:dependencyCheckAnalyze'.
> java.lang.NullPointerException (no error message)

* Try:
Run with --info or --debug option to get more log output.

* Exception is:
org.gradle.api.tasks.TaskExecutionException: Execution failed for task ':suite:dependencyCheckAnalyze'.
        at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeActions(ExecuteActionsTaskExecuter.java:84)
        at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.execute(ExecuteActionsTaskExecuter.java:55)
        at org.gradle.api.internal.tasks.execution.SkipUpToDateTaskExecuter.execute(SkipUpToDateTaskExecuter.java:62)
        at org.gradle.api.internal.tasks.execution.ValidatingTaskExecuter.execute(ValidatingTaskExecuter.java:58)
        at org.gradle.api.internal.tasks.execution.SkipEmptySourceFilesTaskExecuter.execute(SkipEmptySourceFilesTaskExecuter.java:88)
        at org.gradle.api.internal.tasks.execution.ResolveTaskArtifactStateTaskExecuter.execute(ResolveTaskArtifactStateTaskExecuter.java:46)
        at org.gradle.api.internal.tasks.execution.SkipTaskWithNoActionsExecuter.execute(SkipTaskWithNoActionsExecuter.java:51)
        at org.gradle.api.internal.tasks.execution.SkipOnlyIfTaskExecuter.execute(SkipOnlyIfTaskExecuter.java:54)
        at org.gradle.api.internal.tasks.execution.ExecuteAtMostOnceTaskExecuter.execute(ExecuteAtMostOnceTaskExecuter.java:43)
        at org.gradle.api.internal.tasks.execution.CatchExceptionTaskExecuter.execute(CatchExceptionTaskExecuter.java:34)
        at org.gradle.execution.taskgraph.DefaultTaskGraphExecuter$EventFiringTaskWorker$1.execute(DefaultTaskGraphExecuter.java:236)
        at org.gradle.execution.taskgraph.DefaultTaskGraphExecuter$EventFiringTaskWorker$1.execute(DefaultTaskGraphExecuter.java:228)
        at org.gradle.internal.Transformers$4.transform(Transformers.java:169)
        at org.gradle.internal.progress.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:106)
        at org.gradle.internal.progress.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:61)
        at org.gradle.execution.taskgraph.DefaultTaskGraphExecuter$EventFiringTaskWorker.execute(DefaultTaskGraphExecuter.java:228)
        at org.gradle.execution.taskgraph.DefaultTaskGraphExecuter$EventFiringTaskWorker.execute(DefaultTaskGraphExecuter.java:215)
        at org.gradle.execution.taskgraph.AbstractTaskPlanExecutor$TaskExecutorWorker.processTask(AbstractTaskPlanExecutor.java:77)
        at org.gradle.execution.taskgraph.AbstractTaskPlanExecutor$TaskExecutorWorker.run(AbstractTaskPlanExecutor.java:58)
        at org.gradle.internal.concurrent.ExecutorPolicy$CatchAndRecordFailures.onExecute(ExecutorPolicy.java:63)
        at org.gradle.internal.concurrent.StoppableExecutorImpl$1.run(StoppableExecutorImpl.java:46)
Caused by: java.lang.NullPointerException
        at org.owasp.dependencycheck.Engine.writeReports(Engine.java:934)
        at org.owasp.dependencycheck.Engine$writeReports$1.call(Unknown Source)
        at org.owasp.dependencycheck.gradle.tasks.AbstractAnalyze.analyze(AbstractAnalyze.groovy:91)
        at org.gradle.internal.reflect.JavaMethod.invoke(JavaMethod.java:73)
        at org.gradle.api.internal.project.taskfactory.DefaultTaskClassInfoStore$StandardTaskAction.doExecute(DefaultTaskClassInfoStore.java:141)
        at org.gradle.api.internal.project.taskfactory.DefaultTaskClassInfoStore$StandardTaskAction.execute(DefaultTaskClassInfoStore.java:134)
        at org.gradle.api.internal.project.taskfactory.DefaultTaskClassInfoStore$StandardTaskAction.execute(DefaultTaskClassInfoStore.java:123)
        at org.gradle.api.internal.AbstractTask$TaskActionWrapper.execute(AbstractTask.java:632)
        at org.gradle.api.internal.AbstractTask$TaskActionWrapper.execute(AbstractTask.java:615)
        at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeAction(ExecuteActionsTaskExecuter.java:95)
        at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeActions(ExecuteActionsTaskExecuter.java:76)
        ... 20 more


BUILD FAILED

Total time: 7.22 secs

Need more control over analysed configuration

There are a lot of plugins that create their own configurations which end up only being used at build time and don't contribute to the final product, examples are checkstyle or findbugs. These configurations pull in the plugins' dependencies and I'm not really interested in them.

I think it would be good to have more control over the configurations that are analysed, something that generalizes skipTestGroups. A white/blacklist of configurations to analyse/skip wouldn't be too hard to implement and I'd be happy to provide a PR. Would you prefer white- or blacklists or even both but making the settings mutually exclusive?

HintParseException after upgrading 1.4.0 -> 1.4.1

After upgrading from 1.4.0 to 1.4.1 I'm getting a HintParseException regarding the "false positives" file. The error message:

...
Analysis Starting
Unable to parse hint rule xml file 'C:\...\kunden\src\test\resources\owasp.xml'
org.owasp.dependencycheck.xml.hints.HintParseException: org.xml.sax.SAXException Line=2, Column=99: cvc-elt.1: Deklaration des Elements 'suppressions' kann nicht gefunden werden.
Exception occurred initializing Hint Analyzer.

Translation of the German Phrase above:

The declaration of the element 'suppressions' cannot be found.

The first 2 lines of owasp.xml:

<?xml version="1.0"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">

See https://jeremylong.github.io/DependencyCheck/general/suppression.html

DatabaseException: Unable to connect to the database

Hi everyone,

I am running the dependencyCheck task in debug mode with Gradle 3.5 and I am getting the following error:
08:55:07.227 [DEBUG] [org.owasp.dependencycheck.data.nvdcve.ConnectionFactory]
org.h2.jdbc.JdbcSQLException: Feature not supported: "MV_STORE combined with FILE_LOCK=SERIALIZED" [50100-193]
at org.h2.message.DbException.getJdbcSQLException(DbException.java:345)
at org.h2.message.DbException.get(DbException.java:179)
at org.h2.message.DbException.get(DbException.java:155)
at org.h2.message.DbException.getUnsupportedException(DbException.java:216)
at org.h2.engine.Database.(Database.java:236)
at org.h2.engine.Engine.openSession(Engine.java:64)
at org.h2.engine.Engine.openSession(Engine.java:176)
at org.h2.engine.Engine.createSessionAndValidate(Engine.java:154)
at org.h2.engine.Engine.createSession(Engine.java:137)
at org.h2.engine.Engine.createSession(Engine.java:27)
at org.h2.engine.SessionRemote.connectEmbeddedOrServer(SessionRemote.java:349)
at org.h2.jdbc.JdbcConnection.(JdbcConnection.java:115)
at org.h2.jdbc.JdbcConnection.(JdbcConnection.java:99)
at org.h2.Driver.connect(Driver.java:69)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:247)
at org.owasp.dependencycheck.data.nvdcve.ConnectionFactory.getConnection(ConnectionFactory.java:228)
at org.owasp.dependencycheck.data.nvdcve.CveDB.open(CveDB.java:124)
at org.owasp.dependencycheck.data.nvdcve.CveDB.(CveDB.java:87)
at org.owasp.dependencycheck.Engine.ensureDataExists(Engine.java:752)
at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:501)
at org.owasp.dependencycheck.Engine$analyzeDependencies$0.call(Unknown Source)
at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:117)
at org.owasp.dependencycheck.gradle.tasks.Check.check(Check.groovy:80)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.gradle.internal.reflect.JavaMethod.invoke(JavaMethod.java:73)

It used to work just fine with previous dependency-check plugin versions. Can you advise?

Thank you,
Alin

dependencyCheckAnalyze: Cannot invoke method addProjectReference() on null object

I have a multi-module gradle build where this issue appears since version 2.1.x. With 2.0.1 it still works.
The logging output of gradle dependencyCheckAnalyze --info or --debug doesn't really seem helpful, but I'll provide it upon your request.

I created a branch with the failing project configuration:
https://github.com/glever/xmlers/tree/owasp-dependencyCheck-gradle-error
The issue occurs on modules with references to other project modules. For example, in the above project, from /domain/build.gradle to module :xml. Module xml has no references to other project modules and 'dependencyCheckAnalyze' works fine there.

Seems to be related to Analyze.groovy:60-61 :)
//TODO determine why deps could be null in some cases.
addInfoToDependencies(deps, artifact, configuration.name)

ps: This is an excellent project, thank you very much for your effort.

Plugin version >= 2.0.0 incompatible with Gradle version < 3.3

When running the most recent plugin version with Gradle version 3.2 or older, after analyzing and printing the vulnerabilities to the console the build finally fails before writing the report:

:dependencyCheckAnalyze FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':dependencyCheckAnalyze'.
> 
  
  Dependency-Check Failure:
  One or more dependencies were identified with vulnerabilities that have a CVSS score greater then '0.0': CVE-2011-0509, CVE-2017-5664, CVE-2017-5664
  See the dependency-check report for more details.

false dependencies reported

The plugin is reporting commons-collections-3.2.1 as a vulnerable dependency. Version 3.2.1 is definitely a transient dependency, but it is overridden by 3.2.2 elsewhere in the dependency graph. I'm thinking that the plugin isn't aware of how Gradle resolved version conflicts.

Issue when added to external gradle script

I'm getting an error when the following is added to an external gradle script.

external-script.gradle

buildscript {
    repositories {
        mavenCentral()
    }

    dependencies {
        classpath "org.owasp:dependency-check-gradle:2.1.1"
    }
}

allprojects {
    apply plugin: 'org.owasp.dependencycheck'
}

project's build.gradle

apply from: "/path/to/external-script.gradle"

Error:

* What went wrong:
A problem occurred evaluating script.
> Plugin with id 'org.owasp.dependencycheck' not found.

Regex support for scanConfigurations and skipConfigurations

To make selecting which configurations are being scanned more robust, regular expressions should be added to scanConfigurations and skipConfigurations. For backward compatibility we should leave the current scan/skip configuration options, but I suggest we add:

configurations {
   scan: [list of configurations to scan]
   rxScan: [list of configurations to scan defined using regular expressions]
   skip: [list of configurations to skip]
   rxSkip: [list of configurations to skip defined using a regular expression]
}

The scanConfigurations can be removed from the documentation and a warning about a deprecated property can be issued (same for skipConfigurations). With the proposed changes the original skipConfigurations and scanConfigurations should be treated as a deprecated shortcut to configurations { skip: [], scan: [] } respectively.

Lastly, the scan and skip configurations were mutually exclusive - I do not believe this is necessary with the addition of regular expressions. Skip should take precedence over scan.

dependencyCheckAnalyze Fails Due to Ruby Bundle Audit Analyzer

Plugin version 3.0.2. Getting this exception, which causes dependencyCheckAnalyze to fail:

Caused by: org.owasp.dependencycheck.exception.ExceptionCollection: One or more exceptions occurred during dependency-check analysis
Exception from bundle-audit process: java.io.IOException: Cannot run program "bundle-audit" (in directory "/tmp/dctempfb15b599-7ed4-4371-8936-fb14f05dc4ba"): error=2, No such file or directory. Disabling Ruby Bundle Audit Analyzer
at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:693)
at org.owasp.dependencycheck.Engine$analyzeDependencies$0.call(Unknown Source)
at org.owasp.dependencycheck.gradle.tasks.AbstractAnalyze.analyze(AbstractAnalyze.groovy:76)

Workaround:

dependencyCheck {
  analyzers {
    bundleAuditEnabled = false
  }
}

Test configuration detection is broken

The current implementation of the skipTestGroups configuration property is broken:

  • it compares case-sensitively to testcompile and testruntime, while the actual configuration names are camel case.
  • it does not yet support the new configurations testCompileClasspath and testCompileOnly introduced with Gradle 2.12: Java plugin - dependency configurations

Relying on the inheritance hierarchy of a configuration and checking whether a configuration extends from a well-known test configuration could be even more robust.

If you like these changes to be implemented, I can provide a PR.

Simple false positive?

Hi,

Apologies if this is simply my misunderstanding of the output.
I'm running the dependencyCheckAnalyze gradle plugin version 2.1.1 against my project and it's reporting that the javax.validation:validation-api:1.1.0.Final dependency is related to the vulnerability CVE-2013-4499. As that vulnerability relates to drupal I believe this to be a fairly wild false positive.
However, if I run the check against my project using version 2.1.0 of the plugin then the vulnerability in the library is not reported.

the config for the task is:

dependencyCheck {
    autoUpdate = true
    format = 'ALL'
    failBuildOnCVSS = project.ext.owaspDependencyThreshold
    outputDirectory = "${project.buildDir}/reports/dependencies/check"
}

Scan output:

> Task :dependencyCheckAnalyze
Verifying dependencies for project client-factory
Checking for updates and analyzing vulnerabilities for dependencies
Generating report for project client-factory
Found 1 vulnerability in project client-factory

One or more dependencies were identified with known vulnerabilities:

validation-api-1.1.0.Final.jar (cpe:/a:bean_project:bean:7.x-1.1::~~~drupal~~, javax.validation:validation-api:1.1.0.Final) : CVE-2013-4499


See the dependency-check report for more details.

Is this a bug, me misinterpreting the results, or a simple false positive?

Cheers

Pete
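The jetty-schemas, mysql-connector-java, icu4j and validation-api reports above are all the same class of problem: the CPE assigned to the jar names a different product than the jar actually is. dependency-check handles this with a suppression file rather than by editing the report. The file below is an added example for those four cases; it is not part of any of the posts or of the project, and the file name (config/dependency-check-suppressions.xml) and the review date on the icu4j rule are assumptions. It is wired in from the build script with dependencyCheck { suppressionFile = 'config/dependency-check-suppressions.xml' } (the plugin also accepts a list via suppressionFiles). Note that this is a suppressions document, not a hints document: the HintParseException reported earlier in this list is what the hint parser produces when a file whose root element is <suppressions> is passed as the hintsFile, which expects the separate dependency-hint schema with a <hints> root.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file (not from the original posts or the project).
     Every rule is scoped to a packageUrl, so it can only silence the artifact
     named here and cannot hide a genuinely affected jar that shares the CPE,
     e.g. a real Jetty server jar. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- jetty-schemas is a bundle of XSDs, not the Jetty server. The match is on the
         group/artifact name only, so suppress the wrong CPEs rather than individual
         CVEs; otherwise every future Jetty server CVE is re-attributed to this jar. -->
    <suppress>
        <notes>jetty-schemas is not Jetty; CPE match comes from the artifact group name only.</notes>
        <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.toolchain/jetty\-schemas@.*$</packageUrl>
        <cpe>cpe:/a:mortbay_jetty:jetty</cpe>
        <cpe>cpe:/a:jetty:jetty</cpe>
        <cpe>cpe:/a:eclipse:jetty</cpe>
    </suppress>

    <!-- Connector/J is the JDBC driver, not the MySQL server. Keep the connector
         CPEs (mysql_connectors, connector/j) and drop only the server ones. -->
    <suppress>
        <notes>CVE-2012-5627 is a MySQL server issue; the JDBC driver is not the server.</notes>
        <packageUrl regex="true">^pkg:maven/mysql/mysql\-connector\-java@.*$</packageUrl>
        <cpe>cpe:/a:mysql:mysql</cpe>
        <cpe>cpe:/a:oracle:mysql</cpe>
    </suppress>

    <!-- icu4j legitimately shares the ICU CPE with icu4c, so the CPE itself is not
         wrong; suppress only the CVE whose text names icu4c, and set an expiry
         (assumed date) so the rule is reviewed rather than kept forever. -->
    <suppress until="2025-12-31Z">
        <notes>CVE-2017-14952 text refers to icu4c 59.1 (the C/C++ library), not icu4j.</notes>
        <packageUrl regex="true">^pkg:maven/com\.ibm\.icu/icu4j@.*$</packageUrl>
        <cve>CVE-2017-14952</cve>
    </suppress>

    <!-- The Bean Validation API jar has nothing to do with the Drupal "bean" module
         that the cpe:/a:bean_project:bean identifier refers to. -->
    <suppress>
        <notes>cpe:/a:bean_project:bean is a Drupal module; validation-api is the JSR-303 API jar.</notes>
        <packageUrl regex="true">^pkg:maven/javax\.validation/validation\-api@.*$</packageUrl>
        <cpe>cpe:/a:bean_project:bean</cpe>
    </suppress>
</suppressions>
```

The design choice worth copying is the split between suppressing a CPE and suppressing a CVE: when the product identification itself is wrong (jetty-schemas, validation-api, the MySQL server CPEs) suppress the CPE so the jar stops inheriting that product's whole vulnerability history; when the identification is right but one CVE does not apply to this implementation (icu4j) suppress just that CVE and date it, so the next ICU CVE is still reported. A <cpe> rule with no <packageUrl> would match every jar given that CPE and is the one form to avoid.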

Goal "dependencyCheckAnalyze" fails

I have a multi-module project and when executing:

gradlew dependencyCheckAnalyze --info

the result is:
Cannot invoke method forEach() on null object

My configuration is (root build.gradle):

buildscript {
    dependencies {
        classpath 'com.android.tools.build:gradle:2.3.3'
        classpath 'org.owasp:dependency-check-gradle:2.0.1'
    }
}
...
subprojects {
    ...
    apply plugin: 'org.owasp.dependencycheck'
}

I cannot reproduce this problem in 2.0.0-2.0.1

Crash when generating report

When running this plugin on an android project I'm getting the error below.

Command: ./gradlew dependencyCheck --info

Note that this error occurs only when putting the plugin on the app's build.gradle and not on the project level build.gradle. So from a project level standpoint it looks like this:
/build.gradle <-- when the dependency scanner is in this file it does not crash
/app/build.gradle <-- dependency scanner is in this file and has the crash

Parser Exception: templates/HtmlReport.vsl
org.apache.velocity.runtime.parser.ParseException: Encountered "[" at line 32, column 58144.
Was expecting one of:
    "," ...
    ")" ...
    <WHITESPACE> ...
    <DOT> ...
at org.apache.velocity.runtime.parser.Parser.generateParseException(Parser.java:3360)
    at org.apache.velocity.runtime.parser.Parser.jj_consume_token(Parser.java:3237)
    at org.apache.velocity.runtime.parser.Parser.Method(Parser.java:1207)
    at org.apache.velocity.runtime.parser.Parser.Reference(Parser.java:1247)
    at org.apache.velocity.runtime.parser.Parser.Statement(Parser.java:301)
    at org.apache.velocity.runtime.parser.Parser.process(Parser.java:258)
    at org.apache.velocity.runtime.parser.Parser.parse(Parser.java:105)
    at org.apache.velocity.runtime.RuntimeInstance.parse(RuntimeInstance.java:1042)
    at org.apache.velocity.runtime.RuntimeInstance.parse(RuntimeInstance.java:972)
    at org.apache.velocity.app.VelocityEngine.evaluate(VelocityEngine.java:307)
    at org.owasp.dependencycheck.reporting.ReportGenerator.generateReport(ReportGenerator.java:259)

Report for NPM Packages not generating

@jeremylong, I like this tool a lot and working great! Thanks for the tool and the gradle plugin.

It has been working well for gradle dependencies. I am referring to https://jeremylong.github.io/DependencyCheck/analyzers/nodejs.html and would like to use this plugin for NPM package scans too. Trying it with the provided extensions, I came across this:

https://github.com/jeremylong/dependency-check-gradle/blob/master/src/main/groovy/org/owasp/dependencycheck/gradle/extension/AnalyzerExtension.groovy#L119
https://github.com/jeremylong/dependency-check-gradle/blob/master/src/main/groovy/org/owasp/dependencycheck/gradle/extension/AnalyzerExtension.groovy#L29

I tried passing analyzerExtension with nodeEnable=true and experimentalEnabled:true, but it still does not seem to generate the report for npm packages.

Am I missing anything?

Gradle 3.4-rc-1: "Resolving configuration 'apiElements' directly is not allowed"

After upgrading to Gradle 3.4-rc-1 I'm getting the following stacktrace when I invoke gradle dependencyCheck:

09:04:45.327 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter] FAILURE: Build failed with an exception.
09:04:45.327 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]
09:04:45.327 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter] * What went wrong:
09:04:45.327 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter] Execution failed for task ':dependencyCheck'.
09:04:45.328 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter] > Resolving configuration 'apiElements' directly is not allowed
09:04:45.328 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]
09:04:45.328 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter] * Exception is:
09:04:45.330 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter] org.gradle.api.tasks.TaskExecutionException: Execution failed for task ':dependencyCheck'.
09:04:45.330 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeActions(ExecuteActionsTaskExecuter.java:84)
09:04:45.330 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.execute(ExecuteActionsTaskExecuter.java:55)
09:04:45.330 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.api.internal.tasks.execution.SkipUpToDateTaskExecuter.execute(SkipUpToDateTaskExecuter.java:62)
09:04:45.331 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.api.internal.tasks.execution.ValidatingTaskExecuter.execute(ValidatingTaskExecuter.java:58)
09:04:45.331 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.api.internal.tasks.execution.SkipEmptySourceFilesTaskExecuter.execute(SkipEmptySourceFilesTaskExecuter.java:88)
09:04:45.331 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.api.internal.tasks.execution.ResolveTaskArtifactStateTaskExecuter.execute(ResolveTaskArtifactStateTaskExecuter.java:46)
09:04:45.331 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.api.internal.tasks.execution.SkipTaskWithNoActionsExecuter.execute(SkipTaskWithNoActionsExecuter.java:51)
09:04:45.331 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.api.internal.tasks.execution.SkipOnlyIfTaskExecuter.execute(SkipOnlyIfTaskExecuter.java:54)
09:04:45.331 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.api.internal.tasks.execution.ExecuteAtMostOnceTaskExecuter.execute(ExecuteAtMostOnceTaskExecuter.java:43)
09:04:45.331 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.api.internal.tasks.execution.CatchExceptionTaskExecuter.execute(CatchExceptionTaskExecuter.java:34)
09:04:45.331 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.execution.taskgraph.DefaultTaskGraphExecuter$EventFiringTaskWorker$1.execute(DefaultTaskGraphExecuter.java:236)
09:04:45.331 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.execution.taskgraph.DefaultTaskGraphExecuter$EventFiringTaskWorker$1.execute(DefaultTaskGraphExecuter.java:228)
09:04:45.331 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.internal.Transformers$4.transform(Transformers.java:169)
09:04:45.332 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.internal.progress.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:106)
09:04:45.332 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.internal.progress.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:61)
09:04:45.332 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.execution.taskgraph.DefaultTaskGraphExecuter$EventFiringTaskWorker.execute(DefaultTaskGraphExecuter.java:228)
09:04:45.332 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.execution.taskgraph.DefaultTaskGraphExecuter$EventFiringTaskWorker.execute(DefaultTaskGraphExecuter.java:215)
09:04:45.332 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.execution.taskgraph.AbstractTaskPlanExecutor$TaskExecutorWorker.processTask(AbstractTaskPlanExecutor.java:77)
09:04:45.332 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.execution.taskgraph.AbstractTaskPlanExecutor$TaskExecutorWorker.run(AbstractTaskPlanExecutor.java:58)
09:04:45.332 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.internal.concurrent.ExecutorPolicy$CatchAndRecordFailures.onExecute(ExecutorPolicy.java:63)
09:04:45.332 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.internal.concurrent.StoppableExecutorImpl$1.run(StoppableExecutorImpl.java:46)
09:04:45.332 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter] Caused by: java.lang.IllegalStateException: Resolving configuration 'apiElements' directly is not allowed
09:04:45.332 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.api.internal.artifacts.configurations.DefaultConfiguration.assertResolvingAllowed(DefaultConfiguration.java:818)
09:04:45.332 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.api.internal.artifacts.configurations.DefaultConfiguration.resolveToStateOrLater(DefaultConfiguration.java:419)
09:04:45.333 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.api.internal.artifacts.configurations.DefaultConfiguration.getResolvedConfiguration(DefaultConfiguration.java:414)
09:04:45.333 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.api.internal.artifacts.configurations.DefaultConfiguration_Decorated.getResolvedConfiguration(Unknown Source)
09:04:45.333 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.api.artifacts.Configuration$getResolvedConfiguration$3.call(Unknown Source)
09:04:45.333 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.owasp.dependencycheck.gradle.tasks.Check$_scanDependencies_closure2.doCall(Check.groovy:205)
09:04:45.333 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.owasp.dependencycheck.gradle.tasks.Check.scanDependencies(Check.groovy:202)
09:04:45.333 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.owasp.dependencycheck.gradle.tasks.Check$scanDependencies.callCurrent(Unknown Source)
09:04:45.333 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.owasp.dependencycheck.gradle.tasks.Check.check(Check.groovy:81)
09:04:45.333 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.internal.reflect.JavaMethod.invoke(JavaMethod.java:73)
09:04:45.333 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.api.internal.project.taskfactory.DefaultTaskClassInfoStore$StandardTaskAction.doExecute(DefaultTaskClassInfoStore.java:141)
09:04:45.333 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.api.internal.project.taskfactory.DefaultTaskClassInfoStore$StandardTaskAction.execute(DefaultTaskClassInfoStore.java:134)
09:04:45.333 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.api.internal.project.taskfactory.DefaultTaskClassInfoStore$StandardTaskAction.execute(DefaultTaskClassInfoStore.java:123)
09:04:45.333 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.api.internal.AbstractTask$TaskActionWrapper.execute(AbstractTask.java:632)
09:04:45.334 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.api.internal.AbstractTask$TaskActionWrapper.execute(AbstractTask.java:615)
09:04:45.334 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeAction(ExecuteActionsTaskExecuter.java:95)
09:04:45.334 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeActions(ExecuteActionsTaskExecuter.java:76)
09:04:45.334 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]   ... 20 more

org.gradle.api.GradleException: One or more exceptions occurred during analysis

Hi,
I noticed the below stack trace and Gradle task dependencyCheckAnalyze fails if any violations are found.
Any inputs?


Caused by: org.gradle.api.GradleException: One or more exceptions occurred during analysis
        at sun.reflect.GeneratedConstructorAccessor609.newInstance(Unknown Source)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at org.codehaus.groovy.reflection.CachedConstructor.invoke(CachedConstructor.java:83)
        at org.codehaus.groovy.runtime.callsite.ConstructorSite$ConstructorSiteNoUnwrapNoCoerce.callConstructor(ConstructorSite.java:105)
        at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:255)
        at org.owasp.dependencycheck.gradle.tasks.Check.check(Check.groovy:119)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.gradle.internal.reflect.JavaMethod.invoke(JavaMethod.java:73)
        at org.gradle.api.internal.project.taskfactory.DefaultTaskClassInfoStore$StandardTaskAction.doExecute(DefaultTaskClassInfoStore.java:141)
        at org.gradle.api.internal.project.taskfactory.DefaultTaskClassInfoStore$StandardTaskAction.execute(DefaultTaskClassInfoStore.java:134)
        at org.gradle.api.internal.project.taskfactory.DefaultTaskClassInfoStore$StandardTaskAction.execute(DefaultTaskClassInfoStore.java:123)
        at org.gradle.api.internal.AbstractTask$TaskActionWrapper.execute(AbstractTask.java:692)
        at org.gradle.api.internal.AbstractTask$TaskActionWrapper.execute(AbstractTask.java:675)
        at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter$1.execute(ExecuteActionsTaskExecuter.java:115)
        at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter$1.execute(ExecuteActionsTaskExecuter.java:109)
        at org.gradle.internal.Transformers$4.transform(Transformers.java:169)
        at org.gradle.internal.progress.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:106)
        at org.gradle.internal.progress.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:56)
        at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeAction(ExecuteActionsTaskExecuter.java:109)
        at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeActions(ExecuteActionsTaskExecuter.java:90)
        ... 23 more
Caused by: org.owasp.dependencycheck.exception.ExceptionCollection: One or more exceptions occurred during dependency-check analysis
        org.owasp.dependencycheck.xml.pom.PomParseException: Unable to parse pom '/tmp/dctemp79c5a3f9-db86-45bd-8f02-61a9cffc437c/check1305227328897147656tmp/366/pom.xml'
        org.owasp.dependencycheck.xml.pom.PomParseException: Unable to parse pom '/tmp/dctempd2a6a250-0ace-4864-b658-b542b68ec02a/pom8183594392549237733.xml'
        at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:541)
        at org.owasp.dependencycheck.Engine$analyzeDependencies$0.call(Unknown Source)
        at org.owasp.dependencycheck.gradle.tasks.Check.check(Check.groovy:79)

Add an option to promote the summary log to a warning

When adding dependency check to a commonly run task, it would be nice to have the summary log printed as a warning so it stands out in a different colour. It would be useful to be able to see at a glance that vulnerabilities were found without failing the build.

Need more configurability of generated reports

I would like to be able to configure report outputs (both directory as well as filename itself). Please look at the reports closure as an example here: https://docs.gradle.org/current/dsl/org.gradle.api.reporting.Reporting.html. Till this is fixed, I will have to use https://github.com/danielsomerfield/gradle-cve-dependency-check/

My usage is that I include the plugin into all my root + subprojects (similar to what you have put in the README), but I need to also collect all the reports generated into a single test_artifacts directory to be exposed by the CI tool. For this scenario, I am forced to copy from each subproject into the final test_artifacts folder one-by-one. Instead, if the generation were to be configurable, I could set the output like this:

reports {
    html.destination = rootProject.file("test_artifacts/security-reports-${project.name}")
}

Many duplicate analyses degrade performance

A first observation after analyzing the bad runtimes (e.g. ~7 min for a rather simple project; dependencyCheckUpdate excluded) was the following:
For a single artifact, each combination of (artifact, configuration) is analyzed by the Engine. E.g. a simple "compile" dependency will be analyzed at least 5 times (compile, compileClasspath, compileOnly, runtime, default).

Unable to skip dependencyCheck task programmatically

The plugin adds the dependencyCheck task as a dependency of the check task. I don't want to execute the analysis on every single build; I would like to execute it only when invoking the task on purpose.

While performing "gradle build -x dependencyCheck" works perfectly, neither of these two options works:

  • check.dependsOn.remove('dependencyCheck') -> It actually does nothing
  • enabled = false within dependencyCheck config (or dependencyCheck.enabled = false) -> Returns error "No such property: enabled for class: org.owasp.dependencycheck.gradle.extension.CheckExtension_Decorated"

Unable to set custom option

I'm using the latest version (1.3.3) of this gradle plugin. But, if I try to set the cveValidForHours as documented here, I get the following error:

Could not find property 'CVE_CHECK_VALID_FOR_HOURS' on task ':dependencyCheck'.

The reason I am trying to set this value to something greater than the default is since we are trying to reduce our build times, and this seems like a low hanging fruit with high ROI in our use case.

SuppressionFiles doesn't support interpolated strings

Description:

suppressionFiles, when provided with interpolated strings, gives java.lang.ArrayStoreException

Example:
suppressionFiles = [ "${rootProject.rootDir}/dependencyCheckSuppressionFile.xml",
"${rootProject.rootDir}/dependencyCheckSuppressionFile2.xml" ]

Caused by: java.lang.ArrayStoreException
        at org.owasp.dependencycheck.gradle.tasks.AbstractAnalyze.determineSuppressions(AbstractAnalyze.groovy:210)
        at org.owasp.dependencycheck.gradle.tasks.AbstractAnalyze$determineSuppressions.callCurrent(Unknown Source)
        at org.owasp.dependencycheck.gradle.tasks.AbstractAnalyze.initializeSettings(AbstractAnalyze.groovy:141)
        at org.owasp.dependencycheck.gradle.tasks.AbstractAnalyze.analyze(AbstractAnalyze.groovy:60)
        at org.gradle.internal.reflect.JavaMethod.invoke(JavaMethod.java:73)
        at org.gradle.api.internal.project.taskfactory.DefaultTaskClassInfoStore$StandardTaskAction.doExecute(DefaultTaskClassInfoStore.java:141)
        at org.gradle.api.internal.project.taskfactory.DefaultTaskClassInfoStore$StandardTaskAction.execute(DefaultTaskClassInfoStore.java:134)
        at org.gradle.api.internal.project.taskfactory.DefaultTaskClassInfoStore$StandardTaskAction.execute(DefaultTaskClassInfoStore.java:121)
        at org.gradle.api.internal.AbstractTask$TaskActionWrapper.execute(AbstractTask.java:731)
        at org.gradle.api.internal.AbstractTask$TaskActionWrapper.execute(AbstractTask.java:705)
        at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter$1.run(ExecuteActionsTaskExecuter.java:122)
        at org.gradle.internal.progress.DefaultBuildOperationExecutor$RunnableBuildOperationWorker.execute(DefaultBuildOperationExecutor.java:336)
        at org.gradle.internal.progress.DefaultBuildOperationExecutor$RunnableBuildOperationWorker.execute(DefaultBuildOperationExecutor.java:328)
        at org.gradle.internal.progress.DefaultBuildOperationExecutor.execute(DefaultBuildOperationExecutor.java:197)
        at org.gradle.internal.progress.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:107)
        at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeAction(ExecuteActionsTaskExecuter.java:111)
        at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeActions(ExecuteActionsTaskExecuter.java:92)
        ... 92 more
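A build-script workaround for the failure reported above, as an added example that is not the issue author's or the project's code. It assumes (my reading of the trace, not confirmed by the page) that the plugin copies the list into a String[], which fails for Groovy GString elements; the file names are the ones from the issue.

```groovy
// Added example, not from the project. In a Gradle Groovy build script,
// "${...}" produces a groovy.lang.GString, not a java.lang.String. A list of
// GStrings cannot be copied into a String[] (ArrayStoreException), which is
// assumed here to be what determineSuppressions() does with the value.
def suppressionDir = rootProject.rootDir

dependencyCheck {
    // Interpolate as before, then convert each entry to a plain String so the
    // plugin receives exactly the type it expects.
    suppressionFiles = [
        "${suppressionDir}/dependencyCheckSuppressionFile.xml",
        "${suppressionDir}/dependencyCheckSuppressionFile2.xml",
    ].collect { it.toString() }
}
```

Paths built with `rootProject.file('dependencyCheckSuppressionFile.xml').absolutePath` are already plain Strings and need no conversion.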

Subprojects are reported to the same file, effectively having the last result only

Steps to reproduce: Run it on a project with subprojects.

Expected results: Reports for various projects are stored to different files.

Actual results: Reports are written to the same file. As a result, all reports except the last one are overwritten by some other report.

ODC version: 1.3.6

Workarounds: See #1. Note that the name of the option has been slightly changed to outputDirectory.

Intermittent owasp dependencyCheck failure on Jenkins build job

Hi,

We are using the owasp dependencyCheck plugin in our project.
Version used: 1.4.5.1
Gradle version used: 3.5

We are facing the following issue in our build jobs:
The build jobs fail intermittently saying ":dependencyCheck FAILED"

The stacktrace of the error is as follows:

:dependencyCheck
Verifying dependencies for project stock-service
Checking for updates and analyzing vulnerabilities for dependencies
Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
Exception occurred initializing CPE Analyzer.
Generating report for project stock-service
Found 0 vulnerabilities in project stock-service
:dependencyCheck FAILED
Caused by: org.owasp.dependencycheck.exception.ExceptionCollection: One or more exceptions occurred during dependency-check analysis
org.xml.sax.SAXException: Unable to get primary key for new cpe: cpe:/a:uchida_yoko_co._ltd:assetbase:8.0
org.owasp.dependencycheck.data.nvdcve.DatabaseException: Unable to get primary key for new cpe: cpe:/a:uchida_yoko_co._ltd:assetbase:8.0
An exception occurred accessing the database
at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:543)
at org.owasp.dependencycheck.Engine$analyzeDependencies$0.call(Unknown Source)
at org.owasp.dependencycheck.gradle.tasks.Check.check(Check.groovy:86)
... 66 more

Could you help us with this?

Error while trying to manually order tasks

I'm trying to run the dependencyCheck task at the end of my build chain - so that I can get faster feedback on broken tests, etc. For this, I am using

dependencyCheck.mustRunAfter jsTest

But it's failing with the following stack trace:

Caused by: org.gradle.api.internal.MissingMethodException: Could not find method mustRunAfter() for arguments [task ':contractTest'] on org.owasp.dependencycheck.gradle.extension.CheckExtension_Decorated@6d0e45a5.
    at org.gradle.api.internal.AbstractDynamicObject.methodMissingException(AbstractDynamicObject.java:68)
    at org.gradle.api.internal.AbstractDynamicObject.invokeMethod(AbstractDynamicObject.java:56)
    at org.gradle.api.internal.CompositeDynamicObject.invokeMethod(CompositeDynamicObject.java:175)
    at org.owasp.dependencycheck.gradle.extension.CheckExtension_Decorated.invokeMethod(Unknown Source)
    at build_d3310nd5p6g1pudrt5tlgq4gx.run(/Users/vijay/dev/gruppoPam/store_assortment_service/build.gradle:204)
    at org.gradle.groovy.scripts.internal.DefaultScriptRunnerFactory$ScriptRunnerImpl.run(DefaultScriptRunnerFactory.java:91)
    ... 50 more
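Both this issue and the earlier "Unable to skip dependencyCheck task programmatically" report have the same root cause: the plugin registers an extension and a task under the same name, and a bare `dependencyCheck` in a build script resolves to the extension (CheckExtension), which has no `mustRunAfter` or `enabled`. The following is an added example (not the project's or the reporters' code) that goes through the task container instead; it assumes the task is still named `dependencyCheck` as in these issues, and uses Gradle's built-in `Test` tasks in place of the reporter's `jsTest`.

```groovy
// Added example, not from the project. Assumes the plugin has been applied and
// that it registers BOTH an extension and a task named "dependencyCheck"
// (later releases rename the task to dependencyCheckAnalyze; adjust the name).

// Look the task up explicitly; `dependencyCheck.mustRunAfter ...` would hit
// the extension and raise the MissingMethodException shown in the issue.
tasks.getByName('dependencyCheck') {
    // Order the analysis after test tasks without making them depend on it,
    // so broken tests still fail fast. `tasks.withType(Test)` stands in for
    // the reporter's jsTest task.
    mustRunAfter tasks.withType(Test)

    // Skip the analysis unless it is requested, either by property
    // (gradle build -PrunDependencyCheck) or by naming the task on the
    // command line. `enabled = false` on the extension cannot express this.
    onlyIf {
        project.hasProperty('runDependencyCheck') ||
            gradle.startParameter.taskNames.any { it.endsWith('dependencyCheck') }
    }
}

// The bare name still configures the extension, which is where the plugin's
// own settings live (outputDirectory is the option named in the issues above).
dependencyCheck {
    outputDirectory = "${rootProject.buildDir}/reports/dependency-check/${project.name}"
}
```

With this in place `gradle build` no longer runs the analysis, while `gradle build -PrunDependencyCheck` and `gradle dependencyCheck` do, after the tests.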

Plugin Pulling in commons-collections:3.2.1 - Gets Reported as Vulnerability

Plugin version 1.4.5 is pulling in commons-collections:3.2.1, which then gets reported as a vulnerability.

Filename: commons-collections-3.2.1.jar | Reference: CVE-2015-6420 | CVSS Score: 7.5 | Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

+--- org.owasp:dependency-check-gradle:1.4.5
|    +--- org.owasp:dependency-check-core:1.4.5
|    |    +--- joda-time:joda-time:1.6
|    |    +--- org.slf4j:slf4j-api:1.7.22
|    |    +--- org.owasp:dependency-check-utils:1.4.5
|    |    |    +--- commons-io:commons-io:2.5
|    |    |    +--- org.apache.commons:commons-lang3:3.3.2
|    |    |    \--- org.slf4j:slf4j-api:1.7.22
|    |    +--- org.apache.commons:commons-compress:1.13
|    |    +--- commons-io:commons-io:2.5
|    |    +--- org.apache.commons:commons-lang3:3.3.2
|    |    +--- org.apache.lucene:lucene-core:4.7.2
|    |    +--- org.apache.lucene:lucene-analyzers-common:4.7.2
|    |    |    \--- org.apache.lucene:lucene-core:4.7.2
|    |    +--- org.apache.lucene:lucene-queryparser:4.7.2
|    |    |    +--- org.apache.lucene:lucene-core:4.7.2
|    |    |    +--- org.apache.lucene:lucene-queries:4.7.2
|    |    |    \--- org.apache.lucene:lucene-sandbox:4.7.2
|    |    +--- org.apache.velocity:velocity:1.7
|    |    |    +--- commons-collections:commons-collections:3.2.1
|    |    |    \--- commons-lang:commons-lang:2.4
|    |    +--- com.h2database:h2:1.3.176
|    |    +--- org.glassfish:javax.json:1.0.4
|    |    +--- org.jsoup:jsoup:1.10.1
|    |    \--- com.sun.mail:mailapi:1.5.6
|    \--- org.owasp:dependency-check-utils:1.4.5 (*)
