This repository was archived by the owner on Feb 17, 2025. It is now read-only.

fix merge conflict
jeremylong committed Jan 6, 2021
2 parents f1a8fcf + 1df6af2 commit f5cf238
Showing 5 changed files with 54 additions and 20 deletions.
Expand Up @@ -189,12 +189,12 @@ private List<SuppressionRule> loadSuppressionFile(final SuppressionParser parser
final URL url = new URL(suppressionFilePath);
final Downloader downloader = new Downloader(getSettings());
try {
downloader.fetchFile(url, file, false);
downloader.fetchFile(url, file, false, Settings.KEYS.SUPPRESSION_FILE_USER, Settings.KEYS.SUPPRESSION_FILE_PASSWORD);
} catch (DownloadFailedException ex) {
LOGGER.trace("Failed download suppression file - first attempt", ex);
try {
Thread.sleep(500);
downloader.fetchFile(url, file, true);
downloader.fetchFile(url, file, true, Settings.KEYS.SUPPRESSION_FILE_USER, Settings.KEYS.SUPPRESSION_FILE_PASSWORD);
} catch (TooManyRequestsException ex1) {
throw new SuppressionParseException("Unable to download supression file `" + file
+ "`; received 429 - too many requests", ex1);
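Review bot: Both `fetchFile` calls now pass `Settings.KEYS.SUPPRESSION_FILE_USER` and `Settings.KEYS.SUPPRESSION_FILE_PASSWORD` for whatever `suppressionFilePath` resolves to, and nothing visible in this hunk checks the URL scheme or host before the credentials come into play. How `Downloader.fetchFile` applies them is outside the hunk, but if they are sent as HTTP authentication, an `http://` suppression URL would carry the password unencrypted, and every configured suppression URL would receive the same credentials. A guard before the first call would make this visible, e.g. `if (!"https".equalsIgnoreCase(url.getProtocol())) { LOGGER.warn("Suppression file at {} is not fetched over https; any configured credentials would be sent unencrypted", url.getHost()); }`, or the credential keys could be passed only for https URLs. The enclosing `loadSuppressionFile` starts and ends outside the hunk.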
Expand Up @@ -322,6 +322,23 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
@SuppressWarnings("CanBeFinal")
@Parameter(property = "suppressionFile")
private String suppressionFile;
/**
* The username used when connecting to the suppressionFiles.
*/
@Parameter(property = "suppressionFileUser")
private String suppressionFileUser;
/**
* The password used when connecting to the suppressionFiles.
*/
@Parameter(property = "suppressionFilePassword")
private String suppressionFilePassword;
/**
* The server id in the settings.xml; used to retrieve encrypted passwords
* from the settings.xml for suppressionFile(s).
*/
@SuppressWarnings("CanBeFinal")
@Parameter(property = "suppressionFileServerId")
private String suppressionFileServerId;
/**
* The path to the hints file.
*/
Expand Down Expand Up @@ -1951,6 +1968,12 @@ protected void populateSettings() {
settings.setStringIfNotEmpty(Settings.KEYS.CVE_USER, cveUser);
settings.setStringIfNotEmpty(Settings.KEYS.CVE_PASSWORD, cvePassword);
}
if (suppressionFileUser == null && suppressionFilePassword == null && suppressionFileServerId != null) {
configureServerCredentials(suppressionFileServerId, Settings.KEYS.SUPPRESSION_FILE_USER, Settings.KEYS.SUPPRESSION_FILE_PASSWORD);
} else {
settings.setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE_USER, suppressionFileUser);
settings.setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE_PASSWORD, suppressionFilePassword);
}
}

/**
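Review bot: In `populateSettings`, the new condition `suppressionFileUser == null && suppressionFilePassword == null && suppressionFileServerId != null` silently ignores `suppressionFileServerId` as soon as either plain property is set. A build that sets only `suppressionFileUser` therefore ends up with a user name and no password, and the settings.xml entry is never consulted. A warning in the else branch would surface this, e.g. `if (suppressionFileServerId != null) { getLog().warn("suppressionFileServerId is ignored because suppressionFileUser or suppressionFilePassword is set"); }`. Separately, the Javadoc on `suppressionFilePassword` could state that the value is a plain-text secret when supplied in the POM or as `-DsuppressionFilePassword`, and that `suppressionFileServerId` is the preferred way to provide it. `populateSettings` begins outside the hunk.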
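--- a/maven/src/site/markdown/configuration.md
+++ b/maven/src/site/markdown/configuration.md
@@ -124,21 +124,24 @@ Advanced Configuration
 The following properties can be configured in the plugin. However, they are less frequently changed. One exception
 may be the cveUrl properties, which can be used to host a mirror of the NVD within an enterprise environment.
 
-Property | Description | Default Value |
----------------------|----------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------|
-cveUrlModified | URL for the modified CVE JSON data feed. When mirroring the NVD you must mirror the *.json.gz and the *.meta files. | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz |
-cveUrlBase | Base URL for each year's CVE JSON data feed, the %d will be replaced with the year. | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-%d.json.gz |
-cveServerId | The id of a server defined in the settings.xml that configures the credentials (username and password) for accessing the cveUrl. | &nbsp; |
-cveUser | The username used when connecting to the cveUrl. Must be empty if cveServerId is specified and should be used. | &nbsp; |
-cvePassword | The password used when connecting to the cveUrl. Must be empty if cveServerId is specified and should be used. | &nbsp; |
-connectionTimeout | Sets the URL Connection Timeout used when downloading external data. | &nbsp; |
-dataDirectory | Sets the data directory to hold SQL CVEs contents. This should generally not be changed. | ~/.m2/repository/org/owasp/dependency-check-data/ |
-databaseDriverName | The name of the database driver. Example: org.h2.Driver. | &nbsp; |
-databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | &nbsp; |
-connectionString | The connection string used to connect to the database. See using a [database server](../data/database.html). | &nbsp; |
-serverId | The id of a server defined in the settings.xml; this can be used to encrypt the database password. See [password encryption](http://maven.apache.org/guides/mini/guide-encryption.html) for more information. | &nbsp; |
-databaseUser | The username used when connecting to the database. | &nbsp; |
-databasePassword | The password used when connecting to the database. | &nbsp; |
+Property | Description | Default Value |
+-------------------------|--------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------|
+cveUrlModified | URL for the modified CVE JSON data feed. When mirroring the NVD you must mirror the *.json.gz and the *.meta files. | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz |
+cveUrlBase | Base URL for each year's CVE JSON data feed, the %d will be replaced with the year. | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-%d.json.gz |
+cveServerId | The id of a server defined in the settings.xml that configures the credentials (username and password) for accessing the cveUrl. | &nbsp; |
+cveUser | The username used when connecting to the cveUrl. Must be empty if cveServerId is specified and should be used. | &nbsp; |
+cvePassword | The password used when connecting to the cveUrl. Must be empty if cveServerId is specified and should be used. | &nbsp; |
+suppressionFileServerId | The id of a server defined in the settings.xml that configures the credentials (username and password) for accessing the suppressionFiles. | &nbsp; |
+suppressionFileUser | The username used when connecting to the suppressionFiles. Must be empty if suppressionFileServerId is specified and should be used. | &nbsp; |
+suppressionFilePassword | The password used when connecting to the suppressionFiles. Must be empty if suppressionFileServerId is specified and should be used. | &nbsp; |
+connectionTimeout | Sets the URL Connection Timeout used when downloading external data. | &nbsp; |
+dataDirectory | Sets the data directory to hold SQL CVEs contents. This should generally not be changed. | ~/.m2/repository/org/owasp/dependency-check-data/ |
+databaseDriverName | The name of the database driver. Example: org.h2.Driver. | &nbsp; |
+databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | &nbsp; |
+connectionString | The connection string used to connect to the database. See using a [database server](../data/database.html). | &nbsp; |
+serverId | The id of a server defined in the settings.xml; this can be used to encrypt the database password. See [password encryption](http://maven.apache.org/guides/mini/guide-encryption.html) for more information. | &nbsp; |
+databaseUser | The username used when connecting to the database. | &nbsp; |
+databasePassword | The password used when connecting to the database. | &nbsp; |
 
 Proxy Configuration
 ====================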
6 changes: 3 additions & 3 deletions pom.xml
Expand Up @@ -140,7 +140,7 @@ Copyright (c) 2012 - Jeremy Long
<maven-project-info-reports-plugin.version>3.1.1</maven-project-info-reports-plugin.version>
<maven-surefire-report-plugin.version>2.22.2</maven-surefire-report-plugin.version>
<jacoco-maven-plugin.version>0.8.6</jacoco-maven-plugin.version>
<spotbugs.maven.plugin.version>4.1.4</spotbugs.maven.plugin.version>
<spotbugs.maven.plugin.version>4.2.0</spotbugs.maven.plugin.version>
<taglist-maven-plugin.version>2.4</taglist-maven-plugin.version>
<versions-maven-plugin.version>2.8.1</versions-maven-plugin.version>

Expand All @@ -158,7 +158,7 @@ Copyright (c) 2012 - Jeremy Long
<hamcrest-core.version>2.2</hamcrest-core.version>
<jackson.version>2.12.0</jackson.version>
<jmockit.version>1.49</jmockit.version>
<mockito-core.version>3.6.28</mockito-core.version>
<mockito-core.version>3.7.0</mockito-core.version>
<jsoup.version>1.13.1</jsoup.version>
<commons-compress.version>1.20</commons-compress.version>
<org.apache.maven.shared.file-management.version>3.0.0</org.apache.maven.shared.file-management.version>
Expand All @@ -172,7 +172,7 @@ Copyright (c) 2012 - Jeremy Long
<org.glassfish.javax.json.version>1.1.4</org.glassfish.javax.json.version>
<maven-artifact-transfer.version>0.13.1</maven-artifact-transfer.version>
<groovy-all.version>2.4.21</groovy-all.version>
<gmavenplus-plugin.version>1.12.0</gmavenplus-plugin.version>
<gmavenplus-plugin.version>1.12.1</gmavenplus-plugin.version>
<com.h3xstream.retirejs.core.version>3.0.2</com.h3xstream.retirejs.core.version>
<com.google.guava.version>30.1-jre</com.google.guava.version>

Expand Up @@ -257,6 +257,14 @@ public static final class KEYS {
* The key for the suppression file.
*/
public static final String SUPPRESSION_FILE = "suppression.file";
/**
* The username used when connecting to the suppressionFiles.
*/
public static final String SUPPRESSION_FILE_USER = "suppression.file.user";
/**
* The password used when connecting to the suppressionFiles.
*/
public static final String SUPPRESSION_FILE_PASSWORD = "suppression.file.password";
/**
* The key for the hint file.
*/
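Review bot: The Javadoc on the two new constants describes the values ("The username used when connecting to the suppressionFiles"), whereas the neighbouring entries describe the key ("The key for the suppression file."); wording them as keys would keep `KEYS` consistent. For `SUPPRESSION_FILE_PASSWORD` the comment could also mark the value as a secret, e.g. `The key for the password used when downloading suppression files; the value must not be written to logs or reports.` Whether any settings logging in this class already masks this key is not visible in the hunk and is worth confirming. The `KEYS` class starts and ends outside the hunk.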
