├── .gitattributes ├── .github ├── ISSUE_TEMPLATE.md ├── ISSUE_TEMPLATE │ ├── ask_a_question.md │ ├── bug_report.md │ ├── false_positive_report.md │ └── feature_request.md ├── contributing.md ├── dependabot.yml ├── pull_request_template.md └── workflows │ └── ci.yml ├── .gitignore ├── .scala-steward.conf ├── LICENSE ├── NOTICES ├── README.md ├── build.sbt ├── dependency-check-suppressions.xml ├── project ├── build.properties ├── plugins.sbt ├── release.sbt ├── scripted.sbt └── sonatype.sbt ├── src ├── main │ ├── resources │ │ └── META-INF │ │ │ └── licenses │ │ │ ├── commons │ │ │ └── LICENSE │ │ │ └── dependency-check │ │ │ ├── LICENSE │ │ │ └── NOTICE │ └── scala │ │ └── net │ │ └── vonbuchholtz │ │ └── sbt │ │ └── dependencycheck │ │ ├── DependencyCheckKeys.scala │ │ ├── DependencyCheckListSettingsTask.scala │ │ ├── DependencyCheckPlugin.scala │ │ ├── DependencyCheckPurgeTask.scala │ │ ├── DependencyCheckUpdateTask.scala │ │ └── VulnerabilityFoundException.scala └── sbt-test │ └── sbt-dependency-check │ ├── aggregateException │ ├── build.sbt │ ├── project │ │ └── plugins.sbt │ └── test │ ├── aggregateMetaProject │ ├── build.sbt │ ├── project │ │ └── plugins.sbt │ └── test │ ├── aggregateNonJVMPluginProject │ ├── build.sbt │ ├── project │ │ └── plugins.sbt │ └── test │ ├── aggregateProject │ ├── build.sbt │ ├── project │ │ └── plugins.sbt │ └── test │ ├── anyProject │ ├── build.sbt │ ├── project │ │ └── plugins.sbt │ └── test │ ├── buildFailsForCVSS │ ├── build.sbt │ ├── project │ │ └── plugins.sbt │ └── test │ ├── check-suppression-file │ ├── build.sbt │ ├── project │ │ └── plugins.sbt │ ├── suppressions.xml │ └── test │ ├── check │ ├── build.sbt │ ├── project │ │ └── plugins.sbt │ └── test │ ├── checkMultiProject │ ├── build.sbt │ ├── project │ │ └── plugins.sbt │ └── test │ ├── checkScanSet │ ├── build.sbt │ ├── project │ │ └── plugins.sbt │ ├── src │ │ └── main │ │ │ └── customDir │ │ │ └── jetty-runner-9.2.4.v20141103.jar │ └── test │ ├── 
customDataDirectoryWithNewDatabase │ ├── build.sbt │ ├── project │ │ └── plugins.sbt │ └── test │ ├── formatsSetting │ ├── build.sbt │ ├── project │ │ └── plugins.sbt │ └── test │ ├── globalAndProjectSettings │ ├── build.sbt │ ├── project │ │ └── plugins.sbt │ └── test │ ├── listSettings │ ├── build.sbt │ ├── project │ │ └── plugins.sbt │ └── test │ ├── purgeCustomConnectionString │ ├── build.sbt │ ├── project │ │ └── plugins.sbt │ └── test │ └── purgeDeletesDatabase │ ├── build.sbt │ ├── data │ └── odc.mv.db │ ├── project │ └── plugins.sbt │ └── test ├── testProject ├── build.sbt └── project │ └── plugins.sbt └── version.sbt /.gitattributes: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/albuch/sbt-dependency-check/ccf1818af44952266eae7e23d705c230a76748de/.gitattributes -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | ### Reporting Bugs/Errors 2 | 3 | When reporting errors, 99% of the time log file output is required. Please post the log file as a [gist](https://gist.github.com/) and provide a link in the new issue. 
4 | 5 | Also please have a look at the docs of the [core dependency-check](https://github.com/jeremylong/DependencyCheck) library to understand how the library works before you report a bug: 6 | * [How does dependency-check work?](http://jeremylong.github.io/DependencyCheck/general/internals.html) 7 | * [How to read the report](http://jeremylong.github.io/DependencyCheck/general/thereport.html) 8 | * [Suppressing False Positives](http://jeremylong.github.io/DependencyCheck/general/suppression.html) 9 | 10 | 11 | ### Reporting False Positives/Negatives 12 | 13 | As `sbt-dependency-check` is just a wrapper for SBT around the awesome [core dependency-check](https://github.com/jeremylong/DependencyCheck) 14 | project, please report false positives/negatives as [issues](https://github.com/jeremylong/DependencyCheck/issues) there. 15 | 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/ask_a_question.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Ask a question 3 | about: Have a question about sbt-dependency-check? 4 | title: '' 5 | labels: question 6 | assignees: '' 7 | 8 | --- 9 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: '' 5 | labels: bug 6 | assignees: '' 7 | 8 | --- 9 | 10 | #### Describe the bug 11 | A clear and concise description of what the bug is. 12 | 13 | #### Version of sbt-dependency-check used 14 | The problem occurs using version X.X.X of the plugin. 15 | 16 | #### Log file 17 | When reporting errors, 99% of the time log file output is required. Please post the log file as a [gist](https://gist.github.com/) and provide a link in the new issue. 
18 | 19 | #### To Reproduce 20 | Steps to reproduce the behavior: 21 | 1. Go to '...' 22 | 2. Click on '....' 23 | 3. Scroll down to '....' 24 | 4. See error 25 | 26 | #### Expected behavior 27 | A clear and concise description of what you expected to happen. 28 | 29 | #### Additional context 30 | Add any other context about the problem here. 31 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/false_positive_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: False Positive Report 3 | about: Report an identified false positive 4 | title: False Positive on [library] 5 | labels: wontfix 6 | assignees: '' 7 | 8 | --- 9 | As `sbt-dependency-check` is just a wrapper for SBT around the awesome [core dependency-check](https://github.com/jeremylong/DependencyCheck) 10 | project please report false positives/negatives [issues](https://github.com/jeremylong/DependencyCheck/issues) there. 11 | 12 | 13 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: '' 5 | labels: enhancement 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Is your feature request related to a problem? Please describe.** 11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 12 | 13 | **Describe the solution you'd like** 14 | A clear and concise description of what you want to happen. 15 | 16 | **Describe alternatives you've considered** 17 | A clear and concise description of any alternative solutions or features you've considered. 18 | 19 | **Additional context** 20 | Add any other context or screenshots about the feature request here. 
-------------------------------------------------------------------------------- /.github/contributing.md: -------------------------------------------------------------------------------- 1 | # Contributing to sbt-dependency-check 2 | 3 | ## Reporting Bugs 4 | 5 | - Ensure you're running the latest version of sbt-dependency-check. 6 | - Ensure the bug has not [already been reported](https://github.com/albuch/sbt-dependency-check/issues). 7 | - If you're unable to find an open issue addressing the problem, please [submit a new issue](https://github.com/albuch/sbt-dependency-check/issues/new). 8 | - Please fill out the appropriate section of the bug report template provided. Please delete any sections not needed in the template. 9 | 10 | Also please have a look at the docs of the [dependency-check-core library](https://github.com/jeremylong/DependencyCheck) to understand how the library works before you report a bug: 11 | * [How does DependencyCheck work?](http://jeremylong.github.io/DependencyCheck/general/internals.html) 12 | * [How to read the report](http://jeremylong.github.io/DependencyCheck/general/thereport.html) 13 | * [Suppressing False Positives](http://jeremylong.github.io/DependencyCheck/general/suppression.html) 14 | 15 | ## Reporting Vulnerabilities 16 | 17 | - If you believe you have found a vulnerability in sbt-dependency-check itself (not that sbt-dependency-check found a vulnerability), please send a DM on Twitter to [@vonBuchholtz](https://twitter.com/vonBuchholtz). 18 | 19 | ## Asking Questions 20 | 21 | - Your question may be answered by taking a look at the [documentation](https://github.com/albuch/sbt-dependency-check) and related docs from the [dependency-check-core library](https://jeremylong.github.io/DependencyCheck/). 
22 | - If you still have a question consider opening a [new issue](https://github.com/albuch/sbt-dependency-check/issues/new) 23 | 24 | ## Enhancement Requests 25 | 26 | - Suggest changes by [submitting a new issue](https://github.com/albuch/sbt-dependency-check/issues/new) and begin coding. 27 | 28 | ## Contributing Code 29 | 30 | - If you have written a new feature or have fixed a bug please open a new pull request with the patch. 31 | - Ensure the PR description clearly describes the problem and solution. Include any related issue number(s) if applicable. 32 | - Please ensure the PR passes the automated checks performed (travis-ci, codacy, etc.) 33 | - Please consider adding test cases for any new functionality 34 | 35 | We appreciate all your contributions! 36 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | updates: 3 | - package-ecosystem: "github-actions" 4 | directory: "/" 5 | schedule: 6 | interval: "daily" 7 | commit-message: 8 | prefix: ":arrow_up: " -------------------------------------------------------------------------------- /.github/pull_request_template.md: -------------------------------------------------------------------------------- 1 | ## Fixes Issue # 2 | 3 | ## Description of Change 4 | 5 | *Please add a description of the proposed change* 6 | 7 | ## Have test cases been added to cover the new functionality? 
8 | 9 | *yes/no* -------------------------------------------------------------------------------- /.github/workflows/ci.yml: -------------------------------------------------------------------------------- 1 | name: CI1 2 | on: 3 | pull_request: 4 | push: 5 | branches: 6 | - main 7 | schedule: 8 | - cron: '0 2 * * *' 9 | 10 | jobs: 11 | test: 12 | strategy: 13 | fail-fast: false 14 | matrix: 15 | include: 16 | - java: 8 17 | sbt: "1.2.8" 18 | - java: 11 19 | sbt: "1.2.8" 20 | - java: 11 21 | sbt: "1.7.3" 22 | runs-on: ubuntu-latest 23 | steps: 24 | - name: Checkout 25 | uses: actions/checkout@v4 26 | - name: Coursier cache 27 | uses: coursier/cache-action@v6 28 | - name: Setup Scala 29 | uses: coursier/setup-action@v1 30 | with: 31 | jvm: "adopt:${{ matrix.java }}" 32 | - name: Publish Local 33 | run: sbt -v -Dfile.encoding=UTF-8 "^ publishLocal" 34 | - name: Get plugin version 35 | run: | 36 | PLUGIN_VERSION=$(sbt -Dsbt.ci=true -Dsbt.supershell=false -Dsbt.color=false -Dsbt.log.noformat=true -error "print version") 37 | echo ${PLUGIN_VERSION} 38 | echo "PLUGIN_VERSION=${PLUGIN_VERSION}" >> $GITHUB_ENV 39 | - name: Test example project for current snapshot 40 | run: | 41 | echo "sbt.version=${{ matrix.sbt }}" > ./project/build.properties 42 | sbt -v -Dfile.encoding=UTF-8 -Dplugin.version="${{ env.PLUGIN_VERSION }}" version 43 | working-directory: ./testProject 44 | - name: Build and Test 45 | run: sbt -v -Dfile.encoding=UTF-8 "^^ ${{ matrix.sbt }}" clean test scripted 46 | - name: DependencyCheck 47 | run: sbt -v -Dfile.encoding=UTF-8 "^^ ${{ matrix.sbt }}" dependencyCheck 48 | - name: Print DependencyCheck Result 49 | uses: albuch/sbt-dependency-check-action@v1.0 50 | with: 51 | jsonReportPath: "target/scala-2.12/sbt-1.0/dependency-check-report.json" 52 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.class 2 | *.log 3 | 4 | # sbt 
specific 5 | .cache 6 | .history 7 | .lib/ 8 | dist/* 9 | target/ 10 | lib_managed/ 11 | src_managed/ 12 | project/boot/ 13 | project/plugins/project/ 14 | sbt.bat 15 | .bsp/ 16 | 17 | # Scala-IDE specific 18 | .scala_dependencies 19 | .worksheet 20 | 21 | # IDEA 22 | .idea/ 23 | /src/sbt-test/sbt-dependency-check/purgeDeletesDatabase/data/odc.trace.db 24 | -------------------------------------------------------------------------------- /.scala-steward.conf: -------------------------------------------------------------------------------- 1 | commits.message = ":arrow_up: ${default}" 2 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 
25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. 
For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. 
If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. 
You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. 
You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. 
(Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright 2019 Alexander v. Buchholtz 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /NOTICES: -------------------------------------------------------------------------------- 1 | sbt-dependency-check 2 | Copyright (c) 2016 Alexander v. Buchholtz. All Rights Reserved. 3 | 4 | 5 | The licenses for the software listed below can be found in the META-INF/licenses/[dependency name]. 6 | 7 | This product includes software developed by Jeremy Long (https://github.com/jeremylong/). 8 | 9 | This product includes software developed by The Apache Software Foundation (http://www.apache.org/). 
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # sbt-dependency-check [![Build Status](https://github.com/albuch/sbt-dependency-check/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/albuch/sbt-dependency-check/actions/workflows/ci.yml) [![Codacy Badge](https://api.codacy.com/project/badge/Grade/25bd3b5e4f8e4ee78cfbdca62de31ca7)](https://app.codacy.com/app/albuch/sbt-dependency-check?utm_source=github.com&utm_medium=referral&utm_content=albuch/sbt-dependency-check&utm_campaign=Badge_Grade_Dashboard) [![Apache 2.0 License](https://img.shields.io/badge/license-Apache%202-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0.txt) 2 | The sbt-dependency-check plugin allows projects to monitor dependent libraries for known, published vulnerabilities 3 | (e.g. CVEs). The plugin achieves this by using the awesome [OWASP DependencyCheck library](https://github.com/jeremylong/DependencyCheck) 4 | which already offers several integrations with other build and continuous integration systems. 5 | For more information on how OWASP DependencyCheck works and how to read the reports check the [project's documentation](https://jeremylong.github.io/DependencyCheck/index.html). 6 | 7 | ## Table of contents 8 | * [Getting started](#getting-started) 9 | * [Usage](#usage) 10 | * [Tasks](#tasks) 11 | * [Configuration](#configuration) 12 | * [Analyzer Configuration](#analyzer-configuration) 13 | * [Advanced Configuration](#advanced-configuration) 14 | * [Multi-Project setup](#multi-project-setup) 15 | * [Changing Log Level](#changing-log-level) 16 | * [Global Plugin Configuration](#global-plugin-configuration) 17 | * [Running behind a proxy](#running-behind-a-proxy) 18 | * [Development](#development) 19 | * [Release](#release) 20 | * [License](#license) 21 | 22 | ## Getting started 23 | sbt-dependency-check is an AutoPlugin. 
Simply add the plugin to your `project/plugins.sbt` file. 24 | 25 | addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % "5.1.0") 26 | 27 | Use sbt-dependency-check `v2.0.0` or higher, as previous versions are no longer compatible with the NVD feeds. 28 | Starting with sbt-dependency-check `v3.0.0`, sbt v0.13.x is no longer supported. 29 | 30 | ## Usage 31 | ### Tasks 32 | | Task | Description | Command | 33 | |:----------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------------------------------| 34 | | dependencyCheck | Runs dependency-check against the current project, its aggregates and dependencies and generates a report for each project. | ```$ sbt dependencyCheck``` | 35 | | dependencyCheckAggregate | Runs dependency-check against the current project, its aggregates and dependencies and generates a single report in the current project's output directory. | ```$ sbt dependencyCheckAggregate``` | 36 | | dependencyCheckAnyProject | Runs dependency-check against all projects, aggregates and dependencies and generates a single report in the current project's output directory. | ```$ sbt dependencyCheckAnyProject``` | 37 | | dependencyCheckUpdateOnly | Updates the local cache of the NVD data from NIST. | ```$ sbt dependencyCheckUpdateOnly``` | 38 | | dependencyCheckPurge | Deletes the local copy of the NVD. This is used to force a refresh of the data. | ```$ sbt dependencyCheckPurge``` | 39 | | dependencyCheckListSettings | Prints all settings and their values for the project. | ```$ sbt dependencyCheckListSettings``` | 40 | 41 | The reports will be written to the default location `crossTarget.value`. This can be overridden by setting `dependencyCheckOutputDirectory`. See Configuration for details. 
42 | 43 | **Note:** The first run might take a while, as the full data from the National Vulnerability Database (NVD) hosted by NIST has to be downloaded and imported into the local database. 44 | Later runs will only download change sets unless the last update was more than 7 days ago. 45 | It is recommended to set up a mirror of the NVD feed in your local network to reduce the risk of rate limiting. See https://github.com/stevespringett/nist-data-mirror for instructions. 46 | 47 | ### Configuration 48 | `sbt-dependency-check` uses the default configuration of [OWASP DependencyCheck](https://github.com/jeremylong/DependencyCheck). 49 | You can override these defaults in your `build.sbt` files. 50 | Use the task `dependencyCheckListSettings` to print all available settings and their values to the sbt console. 51 | 52 | | Setting | Description | Default Value | 53 | |:------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------| 54 | | dependencyCheckAutoUpdate | Sets whether auto-updating of the NVD CVE/CPE, retireJS and hosted suppressions data is enabled. It is not recommended to set this to false. | true | 55 | | dependencyCheckCveValidForHours | Sets the number of hours to wait before checking for new updates from the NVD. | 4 | 56 | | dependencyCheckFailBuildOnCVSS | Specifies if the build should be failed if a CVSS score above, or equal to, a specified level is identified. The default is 11; since CVSS scores range from 0 to 10, the build will never fail by default. 
More information on CVSS scores can be found at the [NVD](https://nvd.nist.gov/vuln-metrics/cvss) | 11.0 | 57 | | dependencyCheckJUnitFailBuildOnCVSS | If using the JUNIT report format, dependencyCheckJUnitFailBuildOnCVSS sets the CVSS score threshold that is considered a failure. The default value is 0, i.e. all vulnerabilities are considered a failure. | 0 | 58 | | dependencyCheckFormat | The report format to be generated (HTML, XML, JUNIT, CSV, JSON, SARIF, JENKINS, ALL). This setting is ignored if dependencyCheckFormats is set. | HTML | 59 | | dependencyCheckFormats | A sequence of report formats to be generated (HTML, XML, JUNIT, CSV, JSON, SARIF, JENKINS, ALL). | | 60 | | dependencyCheckOutputDirectory | The location to write the report(s). | `crossTarget.value` e.g. `./target/scala-2.11` | 61 | | dependencyCheckScanSet | An optional sequence of files that specify additional files and/or directories to analyze as part of the scan. If not specified, defaults to standard scala conventions (see [SBT documentation](http://www.scala-sbt.org/0.13/docs/Directories.html#Source+code) for details). | `/src/main/resources` | 62 | | dependencyCheckSkip | Skips the dependency-check analysis | false | 63 | | dependencyCheckSkipTestScope | Skips analysis for artifacts with Test Scope | true | 64 | | dependencyCheckSkipRuntimeScope | Skips analysis for artifacts with Runtime Scope | false | 65 | | dependencyCheckSkipProvidedScope | Skips analysis for artifacts with Provided Scope | false | 66 | | dependencyCheckSkipOptionalScope | Skips analysis for artifacts with Optional Scope | false | 67 | | dependencyCheckSuppressionFiles | The sequence of file paths to the XML suppression files, used to suppress false positives. See [Suppressing False Positives](https://jeremylong.github.io/DependencyCheck/general/suppression.html) for the file syntax. | | 68 | | dependencyCheckCpeStartsWith | The starting String to identify the CPEs that are qualified to be imported. 
| | 69 | | dependencyCheckHintsFile | The file path to the XML hints file - used to resolve [false negatives](https://jeremylong.github.io/DependencyCheck/general/hints.html). | | 70 | | dependencyCheckUseSbtModuleIdAsGav | Use the SBT ModuleId as GAV identifier. Ensures GAV is available even if Maven Central isn't. | false | 71 | | dependencyCheckAnalysisTimeout | Set the analysis timeout in minutes | 20 | 72 | | dependencyCheckEnableExperimental | Enable the experimental analyzers. If not enabled the experimental analyzers (see below) will not be loaded or used. | false | 73 | | dependencyCheckEnableRetired | Enable the retired analyzers. If not enabled retired analyzers will not be loaded or used. | false | 74 | 75 | #### Analyzer Configuration 76 | The following properties are used to configure the various file type analyzers. These properties can be used to turn off specific analyzers if it is not needed. Note, that specific analyzers will automatically disable themselves if no file types that they support are detected - so specifically disabling them may not be needed. 77 | For more information about the individual analyzers see the [DependencyCheck Analyzer documentation](https://jeremylong.github.io/DependencyCheck/analyzers/index.html). 78 | 79 | | Setting | Description | Default Value | 80 | |:---------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------------------------------| 81 | | dependencyCheckArchiveAnalyzerEnabled | Sets whether the Archive Analyzer will be used. | true | 82 | | dependencyCheckZipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. 
| | 83 | | dependencyCheckJarAnalyzerEnabled | Sets whether Jar Analyzer will be used. | true | 84 | | dependencyCheckDartAnalyzerEnabled | Sets whether the experimental Dart analyzer is enabled. `dependencyCheckEnableExperimental` must be set to true. | true | 85 | | dependencyCheckKnownExploitedEnabled | Sets whether the Known Exploited Vulnerability update and analyzer are enabled. | true | 86 | | dependencyCheckKnownExploitedUrl | Sets URL to the CISA Known Exploited Vulnerabilities JSON data feed. | https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json | 87 | | dependencyCheckKnownExploitedValidForHours | Set the interval in hours until the next check for CISA Known Exploited Vulnerabilities JSON data feed is performed. | 24 | 88 | | dependencyCheckCentralAnalyzerEnabled | Sets whether Central Analyzer will be used. If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer (see below). | false | 89 | | dependencyCheckCentralAnalyzerUseCache | Sets whether the Central Analyer will cache results. Cached results expire after 30 days. | true | 90 | | dependencyCheckOSSIndexAnalyzerEnabled | Sets whether the OSS Index Analyzer will be enabled. | true | 91 | | dependencyCheckOSSIndexAnalyzerUrl | URL of the Sonatype OSS Index service. | https://ossindex.sonatype.org | 92 | | dependencyCheckOSSIndexAnalyzerUseCache | Sets whether the OSS Index Analyzer will cache results. Cached results expire after 24 hours. | true | 93 | | dependencyCheckOSSIndexAnalyzerUsername | The optional username to use for the Sonatype OSS Index service. Note: an account with OSS Index is not required. | | 94 | | dependencyCheckOSSIndexAnalyzerPassword | The optional password to use for the Sonatype OSS Index service. | | 95 | | dependencyCheckOSSIndexWarnOnlyOnRemoteErrors | Sets whether remote errors from the OSS Index (e.g. BAD GATEWAY, RATE LIMIT EXCEEDED) will result in warnings only instead of failing execution. 
| false | 96 | | dependencyCheckNexusAnalyzerEnabled | Sets whether Nexus Analyzer will be used. This analyzer is superseded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. | false | 97 | | dependencyCheckNexusUrl | Defines the Nexus Server’s web service end point (example http://domain.enterprise/service/local/). If not set the Nexus Analyzer will be disabled. | | 98 | | dependencyCheckNexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | true | 99 | | dependencyCheckNexusUser | The username to authenticate to the Nexus Server's web service end point. If not set the Nexus Analyzer will use an unauthenticated connection. | | 100 | | dependencyCheckNexusPassword | The password to authenticate to the Nexus Server's web service end point. If not set the Nexus Analyzer will use an unauthenticated connection. | | 101 | | dependencyCheckPyDistributionAnalyzerEnabled | Sets whether the _experimental_ Python Distribution Analyzer will be used. `dependencyCheckEnableExperimental` must be set to true. | true | 102 | | dependencyCheckPyPackageAnalyzerEnabled | Sets whether the _experimental_ Python Package Analyzer will be used. `dependencyCheckEnableExperimental` must be set to true. | true | 103 | | dependencyCheckRubygemsAnalyzerEnabled | Sets whether the _experimental_ Ruby Gemspec Analyzer will be used. `dependencyCheckEnableExperimental` must be set to true. | true | 104 | | dependencyCheckOpensslAnalyzerEnabled | Sets whether or not the openssl Analyzer should be used. `dependencyCheckEnableExperimental` must be set to true. | true | 105 | | dependencyCheckCmakeAnalyzerEnabled | Sets whether or not the _experimental_ CMake Analyzer should be used. `dependencyCheckEnableExperimental` must be set to true. | true | 106 | | dependencyCheckAutoconfAnalyzerEnabled | Sets whether or not the _experimental_ autoconf Analyzer should be used. 
`dependencyCheckEnableExperimental` must be set to true. | true | 107 | | dependencyCheckMavenInstallAnalyzerEnabled | Sets whether or not the Maven install Analyzer should be used. | true | 108 | | dependencyCheckPipAnalyzerEnabled | Sets whether or not the _experimental_ pip Analyzer should be used. `dependencyCheckEnableExperimental` must be set to true. | true | 109 | | dependencyCheckPipfileAnalyzerEnabled | Sets whether or not the _experimental_ Pipfile Analyzer should be used `dependencyCheckEnableExperimental` must be set to true. | true | 110 | | dependencyCheckPoetryAnalyzerEnabled | Sets whether or not the _experimental_ Poetry Analyzer should be used `dependencyCheckEnableExperimental` must be set to true. | true | 111 | | dependencyCheckComposerAnalyzerEnabled | Sets whether or not the _experimental_ PHP Composer Lock File Analyzer should be used. `dependencyCheckEnableExperimental` must be set to true. | true | 112 | | dependencyCheckCpanFileAnalyzerEnabled | Sets whether or not the _experimental_ Perl CPAN File Analyzer should be used. `dependencyCheckEnableExperimental` must be set to true. | true | 113 | | dependencyCheckNodeAnalyzerEnabled | Sets whether or not the _retired_ Node.js Analyzer should be used. | false | 114 | | dependencyCheckNodePackageSkipDevDependencies | Sets whether the Node.js Analyzer will skip devDependencies. | false | 115 | | dependencyCheckNodeAuditAnalyzerEnabled | Sets whether or not the Node Audit Analyzer should be used. | true | 116 | | dependencyCheckNodeAuditSkipDevDependencies | Sets whether the Node Audit Analyzer will skip devDependencies. | false | 117 | | dependencyCheckNodeAuditAnalyzerUrl | Sets the The Node Audit API URL for the Node Audit Analyzer. If not set uses default URL. | https://registry.npmjs.org/-/npm/v1/security/audits | 118 | | dependencyCheckNodeAuditAnalyzerUseCache | Sets whether the Node Audit Analyzer will cache results. Cached results expire after 24 hours. 
| true | 119 | | dependencyCheckNPMCPEAnalyzerEnabled | Sets whether the or not the _experimental_ NPM CPE Analyzer should be used. `dependencyCheckEnableExperimental` must be set to true. | true | 120 | | dependencyCheckYarnAuditAnalyzerEnabled | Sets whether the Yarn Audit Analyzer should be used. This analyzer requires yarn and an internet connection. Use `dependencyCheckNodeAuditSkipDevDependencies` to skip dev dependencies. | true | 121 | | dependencyCheckPathToYarn | Sets the path to the Yarn executable. | | 122 | | dependencyCheckPNPMAuditAnalyzerEnabled | Sets whether the Pnpm Audit Analyzer is enabled. This analyzer requires pnpm and an internet connection. Use `nodeAuditSkipDevDependencies` to skip dev dependencies. | true | 123 | | dependencyCheckPathToPNPM | Sets the path to the `pnpm` executable. | | 124 | | dependencyCheckNuspecAnalyzerEnabled | Sets whether or not the .NET Nuget Nuspec Analyzer will be used. | true | 125 | | dependencyCheckNugetConfAnalyzerEnabled | Sets whether the _experimental_ .NET Nuget packages.config Analyzer will be used. `dependencyCheckEnableExperimental` must be set to true. | false | 126 | | dependencyCheckCocoapodsEnabled | Sets whether or not the _experimental_ Cocoapods Analyzer should be used. `dependencyCheckEnableExperimental` must be set to true. | true | 127 | | dependencyCheckMixAuditAnalyzerEnabled | Sets whether or not the _experimental_ Mix Audit Analyzer should be used. `dependencyCheckEnableExperimental` must be set to true. | tue | 128 | | dependencyCheckMixAuditPath | Sets the path to the mix_audit executable; only used if mix audit analyzer is enabled and experimental analyzers are enabled. | | 129 | | dependencyCheckSwiftEnabled | Sets whether or not the _experimental_ Swift Package Manager Analyzer should be used. `dependencyCheckEnableExperimental` must be set to true. 
| true | 130 | | dependencyCheckSwiftPackageResolvedAnalyzerEnabled | Sets whether or not the _experimental_ Swift Package Resolved Analyzer should be used. `dependencyCheckEnableExperimental` must be set to true. | true | 131 | | dependencyCheckBundleAuditEnabled | Sets whether or not the _experimental_ Ruby Bundle Audit Analyzer should be used. `dependencyCheckEnableExperimental` must be set to true. | true | 132 | | dependencyCheckPathToBundleAudit | The path to Ruby Bundle Audit. | | 133 | | dependencyCheckBundleAuditWorkingDirectory | Sets the path for the working directory that the Ruby Bundle Audit binary should be executed from. | | 134 | | dependencyCheckAssemblyAnalyzerEnabled | Sets whether or not the .NET Assembly Analyzer should be used. | true | 135 | | dependencyCheckMSBuildAnalyzerEnabled | Sets whether the MSBuild Analyzer should be used. | true | 136 | | dependencyCheckPathToDotNETCore | The path to .NET Core for .NET assembly analysis on non-windows systems. | | 137 | | dependencyCheckPEAnalyzerEnabled | Sets whether or not the _experimental_ PE Analyzer that reads the PE headers of DLL and EXE files should be used. `dependencyCheckEnableExperimental` must be set to true. | true | 138 | | dependencyCheckRetireJSAnalyzerEnabled | Sets whether or not the RetireJS Analyzer should be used. | true | 139 | | dependencyCheckRetireJSForceUpdate | Sets whether the RetireJS Analyzer should update regardless of the ´dependencyCheckAutoUpdate´ setting. | true | 140 | | dependencyCheckRetireJSAnalyzerRepoJSUrl | Set the URL to the RetireJS repository. **Note** the file name must be `jsrepository.json` | https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json | 141 | | dependencyCheckRetireJsAnalyzerRepoUser | Username for authentication to connect to RetireJS URL. || 142 | | dependencyCheckRetireJsAnalyzerRepoPassword | Password for authentication to connect to RetireJS URL. 
|| 143 | | dependencyCheckRetireJsAnalyzerRepoValidFor | Set the interval in hours until the next check for CVEs updates is performed by the RetireJS analyzer | 24 | 144 | | dependencyCheckRetireJsAnalyzerFilters | Set one or more filters for the RetireJS analyzer. | | 145 | | dependencyCheckRetireJsAnalyzerFilterNonVulnerable | Sets whether or not the RetireJS analyzer should filter non-vulnerable dependencies | false | 146 | | dependencyCheckArtifactoryAnalyzerEnabled | Sets whether or not the JFrog Artifactory analyzer will be used | false | 147 | | dependencyCheckArtifactoryAnalyzerUrl | The Artifactory server URL. | | 148 | | dependencyCheckArtifactoryAnalyzerUseProxy | Sets whether Artifactory should be accessed through a proxy or not. | false | 149 | | dependencyCheckArtifactoryAnalyzerParallelAnalysis | Sets whether the Artifactory analyzer should be run in parallel or not. | true | 150 | | dependencyCheckArtifactoryAnalyzerUsername | The user name (only used with API token) to connect to Artifactory instance. | | 151 | | dependencyCheckArtifactoryAnalyzerApiToken | The API token to connect to Artifactory instance. __Note:__ These settings should not be added to your local `build.sbt` file and commited to your code repository for security reasons. They can be added to `~/.sbt//global.sbt` file instead | | 152 | | dependencyCheckArtifactoryAnalyzerBearerToken | The bearer token to connect to Artifactory instance. __Note:__ These settings should not be added to your local `build.sbt` file and commited to your code repository for security reasons. They can be added to `~/.sbt//global.sbt` file instead | | 153 | | dependencyCheckGolangDepEnabled | Sets whether or not the _experimental_ Golang Dependency Analyzer should be used. `dependencyCheckEnableExperimental` must be set to true. | true | 154 | | dependencyCheckGolangModEnabled | Sets whether or not the _experimental_ Golang Module Analyzer should be used. Requires `go` to be installed. 
`dependencyCheckEnableExperimental` must be set to true. | true | 155 | | dependencyCheckPathToGo | The path to the "go" runtime. | | 156 | 157 | #### Advanced Configuration 158 | The following properties can be configured in the plugin. However, they are less frequently changed. One exception may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment. 159 | 160 | | Setting | Description | Default Value | 161 | |:-----------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------------------------------------------| 162 | | dependencyCheckCveUrlModified | URL for the modified CVE JSON data feed. When mirroring the NVD you must mirror the *.json.gz and the *.meta files. Optional if your custom `dependencyCheckCveUrlBase` is just a domain name change. | | 163 | | dependencyCheckCveUrlBase | Base URL for each year's CVE JSON data feed, the %d will be replaced with the year. | | 164 | | dependencyCheckCveUser | The username used when connecting to the `dependencyCheckCveUrlBase`. | | 165 | | dependencyCheckCvePassword | The password used when connecting to the `dependencyCheckCveUrlBase`. | | 166 | | dependencyCheckCveWaitTime | The time in milliseconds to wait between downloads from the NVD. | 4000 | 167 | | dependencyCheckCveStartYear | The first year of NVD CVE data to download from the NVD. | 2002 | 168 | | dependencyCheckConnectionTimeout | Sets the URL Connection Timeout (in milliseconds) used when downloading external data. | | 169 | | dependencyCheckConnectionReadTimeout | Sets the URL Read Timeout (in milliseconds) used when downloading external data. | | 170 | | dependencyCheckDataDirectory | Sets the data directory to hold SQL CVEs contents. This should generally not be changed. 
| [JAR]\data | 171 | | dependencyCheckDatabaseDriverName | The name of the database driver. Example: org.h2.Driver. | org.h2.Driver | 172 | | dependencyCheckDatabaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | | 173 | | dependencyCheckConnectionString | The connection string used to connect to the database, the %s will be replace with a name for the database | jdbc:h2:file:%s;AUTOCOMMIT=ON;MV_STORE=FALSE; | 174 | | dependencyCheckDatabaseUser | The username used when connecting to the database. | dcuser | 175 | | dependencyCheckDatabasePassword | The password used when connecting to the database. | | 176 | | dependencyCheckHostedSuppressionsEnabled | Whether the hosted suppression file will be used. | true | 177 | | dependencyCheckHostedSuppressionsForceUpdate | Whether the hosted suppressions file will update regardless of the `dependencyCheckAutoUpdate` setting. | false | 178 | | dependencyCheckHostedSuppressionsUrl | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments. | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml | 179 | | dependencyCheckHostedSuppressionsValidForHours | Sets the number of hours to wait before checking for new updates from the NVD. | 2 | 180 | 181 | ### Multi-Project setup 182 | 183 | Use either `Global` or `ThisBuild` scope if you want to define a setting for all projects. 184 | Define on the project level if you want to diverge from the default or Global/ThisBuild setting for a specific project. 
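As an added example (not the README's own `build.sbt` and not code from the plugin), the following single-project `build.sbt` ties the settings from the tables above into a configuration suited to CI, and adds a small sbt task that audits the file referenced by `dependencyCheckSuppressionFiles` before every scan. The project name, `scalaVersion`, the task name `dependencyCheckAuditSuppressions`, the helper `auditSuppressions`, its heuristics (`until` expiry, `<notes>`, broad `packageUrl` regexes, `<cvssBelow>` thresholds) and the XXE-hardened parser setup are all assumptions of this example; the plugin keys and their value types are the ones used elsewhere on this page.

```scala
// build.sbt (added example). project/plugins.sbt must contain the
// addSbtPlugin line for sbt-dependency-check shown in the README.
// Project name and scalaVersion are placeholders.
import java.time.LocalDate
import javax.xml.XMLConstants
import javax.xml.parsers.DocumentBuilderFactory
import org.w3c.dom.Element

name := "payments-service"
scalaVersion := "2.13.12"

// Fail on any High or Critical finding (CVSS >= 7) instead of the never-failing
// default of 11. Test-scoped artifacts are not shipped and provided-scoped ones
// belong to the container, so both are skipped. JSON and SARIF feed CI tooling;
// HTML is for humans.
ThisBuild / dependencyCheckFailBuildOnCVSS := 7
ThisBuild / dependencyCheckSkipTestScope := true
ThisBuild / dependencyCheckSkipProvidedScope := true
ThisBuild / dependencyCheckFormats := Seq("HTML", "JSON", "SARIF")
ThisBuild / dependencyCheckSuppressionFiles := Seq(file("dependency-check-suppressions.xml"))
// The .NET assembly analyzer needs dotnet; switch it off on JVM-only agents.
ThisBuild / dependencyCheckAssemblyAnalyzerEnabled := Some(false)

// Every suppression hides findings, so audit the file before scanning: an entry
// must say why (<notes>), must expire (until=), must not match arbitrary
// artifacts unless pinned to a specific CVE/CPE, and must not blanket-suppress
// high scores via <cvssBelow>.
lazy val dependencyCheckAuditSuppressions =
  taskKey[Unit]("Rejects undocumented, expired or over-broad suppression entries")

def auditSuppressions(f: File, today: LocalDate): Seq[(Int, String)] = {
  val dbf = DocumentBuilderFactory.newInstance()
  dbf.setNamespaceAware(true)
  dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
  // Suppression files get copied between repositories; refusing DOCTYPEs blocks
  // external-entity (XXE) tricks hidden in a tampered copy.
  dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
  val doc = dbf.newDocumentBuilder().parse(f)

  def elems(e: Element, local: String): Seq[Element] = {
    val nl = e.getElementsByTagNameNS("*", local)
    (0 until nl.getLength).map(nl.item(_).asInstanceOf[Element])
  }
  // A regex that accepts this made-up coordinate accepts almost any artifact.
  val sentinel = "pkg:maven/zz.notreal/anything@0.0.0"

  elems(doc.getDocumentElement, "suppress").zipWithIndex.flatMap { case (s, i) =>
    val n = i + 1
    val notes  = elems(s, "notes").map(_.getTextContent.trim).filter(_.nonEmpty)
    val expiry = Option(s.getAttribute("until")).filter(_.nonEmpty)
    val pinned = Seq("cve", "cpe", "vulnerabilityName").exists(t => elems(s, t).nonEmpty)
    val broad  = elems(s, "packageUrl").filter(p =>
      p.getAttribute("regex") == "true" && sentinel.matches(p.getTextContent.trim))
    val cvss   = elems(s, "cvssBelow").flatMap(c => scala.util.Try(c.getTextContent.trim.toDouble).toOption)

    Seq(
      if (notes.isEmpty) Some((n, "no <notes>: record why this is a false positive")) else None,
      expiry match {
        case None => Some((n, "no until= attribute: this suppression never expires"))
        case Some(u) if LocalDate.parse(u.stripSuffix("Z")).isBefore(today) =>
          Some((n, s"expired on $u: remove it or re-triage"))
        case _ => None
      },
      if (broad.nonEmpty && !pinned)
        Some((n, "packageUrl regex matches arbitrary artifacts and is not pinned to a CVE/CPE"))
      else None,
      cvss.find(_ >= 7.0).map(v => (n, s"cvssBelow=$v hides high-severity findings"))
    ).flatten
  }
}

dependencyCheckAuditSuppressions := {
  val log = streams.value.log
  val problems = dependencyCheckSuppressionFiles.value.filter(_.exists()).flatMap { f =>
    auditSuppressions(f, LocalDate.now()).map { case (n, msg) => s"${f.getName} entry $n: $msg" }
  }
  problems.foreach(log.error(_))
  if (problems.nonEmpty)
    sys.error(s"${problems.size} suppression problem(s); fix the file before scanning")
}

// Run the audit before every scan so a sloppy suppression cannot mask a finding.
dependencyCheck := (dependencyCheck dependsOn dependencyCheckAuditSuppressions).value
```

`sbt dependencyCheck` now runs the audit first; every problem is logged as an error and the build stops before any dependency is scanned. Against this repository's own `dependency-check-suppressions.xml`, whose entries carry no `until` attribute, every entry would be reported, which is the intended pressure: a suppression should be re-justified periodically rather than living forever. The broadness check is a heuristic: a regex that accepts the sentinel coordinate is only flagged when the entry is not also pinned to a `<cve>`, `<cpe>` or `<vulnerabilityName>`, so the repository's `^(?!pkg:maven/org\.json/json@).+$` entry passes on that check because it names a CPE.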
**build.sbt**
```Scala

Global / dependencyCheckFormats := Seq("HTML", "JSON")

lazy val root = (project in file("."))
  .aggregate(core)
  .settings(
    libraryDependencies += "com.github.t3hnar" %% "scala-bcrypt" % "2.6" % "test",
    dependencyCheckSkipTestScope := false
  )

lazy val util = (project in file("util"))
  .settings(
    libraryDependencies += "commons-beanutils" % "commons-beanutils" % "1.9.1"
  )

lazy val core = project.dependsOn(util)
  .settings(
    libraryDependencies += "org.apache.commons" % "commons-collections4" % "4.1" % "runtime",
    dependencyCheckSkip := true
  )

```

Almost all settings are only evaluated for the project you are executing the task on, not for each individual sub-project. The exceptions, which are honoured for `aggregate()` and `dependsOn()` projects, are the scope-skipping settings:
* `dependencyCheckSkip`
* `dependencyCheckSkipTestScope`
* `dependencyCheckSkipRuntimeScope`
* `dependencyCheckSkipProvidedScope`
* `dependencyCheckSkipOptionalScope`

Set these individually for each project where necessary.

### Changing Log Level
Add the following to your `build.sbt` file to raise the log level from the default `info` to e.g. `debug`:
```
logLevel in dependencyCheck := Level.Debug
```
and add `-Dlog4j2.level=debug` when running a check:
```
sbt -Dlog4j2.level=debug dependencyCheck
```

Replace `dependencyCheck` with the right [task name](#tasks) that you use for your project.


### Global Plugin Configuration
If you want to apply some default configuration to all your SBT projects you can add it as global settings:

1. Add the plugin to `~/.sbt/1.0/plugins/sbt-dependency-check.sbt`
```Scala
addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % "5.1.0")
```

2. Add settings to `~/.sbt/1.0/global.sbt` using their fully qualified name (including package and nested object structure), e.g.
```Scala
net.vonbuchholtz.sbt.dependencycheck.DependencyCheckPlugin.autoImport.dependencyCheckFormat := "All"
```

For further information about global settings and plugins check the sbt documentation: https://www.scala-sbt.org/1.x/docs/Global-Settings.html

### Running behind a proxy
SBT and `sbt-dependency-check` both honor the standard HTTP and HTTPS proxy settings of the JVM:

```
sbt -Dhttp.proxyHost=proxy.example.com \
    -Dhttp.proxyPort=3218 \
    -Dhttp.proxyUser=username \
    -Dhttp.proxyPassword=password \
    -Dhttp.nonProxyHosts="localhost|www.google.com" \
    dependencyCheck
```

The NVD and most analyzer endpoints are reached over HTTPS, so set `https.proxyHost` and `https.proxyPort` as well. A password passed as a `-D` option ends up in the shell history and is visible in the process list; prefer supplying these options through the `SBT_OPTS` environment variable or an uncommitted `.jvmopts` file.

## Development
* The default h2 DB user and password can be found in [dependencycheck.properties](https://github.com/jeremylong/DependencyCheck/blob/main/core/src/main/resources/dependencycheck.properties#L38).
* To update the ODC DB schema for the sbt scripted test case `purgeDeletesDatabase`, run the query `Update PUBLIC.PROPERTIES t SET t."VALUE"= '' WHERE t.ID = 'version'`.

### Release
Run the `release` task and follow the instructions.
Verify that the release reached [Maven Central](https://repo1.maven.org/maven2/net/vonbuchholtz/sbt-dependency-check_2.12_1.0/). It takes up to two additional hours to be indexed by https://search.maven.org.

## License
Copyright (c) 2016-2022 Alexander Baron v. Buchholtz

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
You may obtain a copy of the License at

https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
-------------------------------------------------------------------------------- /build.sbt: --------------------------------------------------------------------------------
import sbt.{Global, Project, _}
import sbtrelease.ReleasePlugin.autoImport.ReleaseTransformations._
import sbtrelease.ReleasePlugin.autoImport._
import sbtrelease.ReleaseStateTransformations.setNextVersion


organization := "net.vonbuchholtz"
name := "sbt-dependency-check"

val sbtDependencyCheck = (project in file("."))
  .enablePlugins(SbtPlugin)
  .settings(
    libraryDependencies ++= Seq(
      "org.owasp" % "dependency-check-core" % "8.1.2"
    ),
    sbtPlugin := true,
    dependencyUpdatesFilter -= moduleFilter(organization = "org.scala-lang") | moduleFilter(organization = "org.scala-sbt"),
    dependencyUpdatesFailBuild := true,
    crossSbtVersions := Vector("1.2.8"),
    scriptedLaunchOpts ++= Seq("-Xmx1024M", "-Dplugin.version=" + version.value),
    scriptedBufferLog := false
  )


ThisBuild / dependencyCheckFailBuildOnCVSS := 11
ThisBuild / dependencyCheckSkipProvidedScope := true
ThisBuild / dependencyCheckFormat := "ALL"
ThisBuild / dependencyCheckSuppressionFiles := Seq(new File("dependency-check-suppressions.xml"))
ThisBuild / dependencyCheckAssemblyAnalyzerEnabled := Some(false)


ThisBuild / publishTo := sonatypePublishToBundle.value
ThisBuild / publishMavenStyle .withRank(KeyRanks.Invisible) := true
sonatypeProfileName := "net.vonbuchholtz"

// To sync with Maven central, you need to supply the following information:
Global / pomExtra := {
  <url>https://github.com/albuch/sbt-dependency-check</url>
  <licenses>
    <license>
      <name>Apache License Version 2.0</name>
      <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
    </license>
  </licenses>
  <scm>
    <connection>scm:git:github.com/albuch/sbt-dependency-check</connection>
    <developerConnection>scm:git:git@github.com:albuch/sbt-dependency-check</developerConnection>
    <url>https://github.com/albuch/sbt-dependency-check</url>
  </scm>
  <developers>
    <developer>
      <id>albuch</id>
      <name>Alexander v. Buchholtz</name>
      <url>https://github.com/albuch/</url>
    </developer>
  </developers>
}



releaseProcess := Seq[ReleaseStep](
  checkSnapshotDependencies,
  inquireVersions,
  runClean,
  releaseStepCommandAndRemaining("^ test"),
  releaseStepCommandAndRemaining("^ scripted"),
  setReleaseVersion,
  commitReleaseVersion,
  setReleaseVersionInReadme,
  tagRelease,
  releaseStepCommandAndRemaining("^ publishSigned"),
  releaseStepCommandAndRemaining("sonatypeBundleRelease"),
  setNextVersion,
  commitNextVersion
  //,pushChanges
)

lazy val setReleaseVersionInReadme: ReleaseStep = ReleaseStep(action = { st: State =>

  val extracted = Project.extract(st)
  val currentV = extracted.get(version)
  st.log.info("Setting version to '%s' in README." format currentV)
  val file: String = "README.md"
  var readme: String = read(file)
  readme = readme.replaceAll("(addSbtPlugin\\(\"net.vonbuchholtz\" % \"sbt-dependency-check\" % \")[^\"]+", "$1" + currentV)
  write(file, readme)
  st
})

def write(path: String, txt: String): Unit = {
  import java.nio.charset.StandardCharsets
  import java.nio.file.{Files, Paths}

  Files.write(Paths.get(path), txt.getBytes(StandardCharsets.UTF_8))
}

def read(path: String): String = {
  val source = scala.io.Source.fromFile(path, "UTF-8")
  val content = source.mkString
  source.close()
  content
}
-------------------------------------------------------------------------------- /dependency-check-suppressions.xml: --------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
        <cve>CVE-2022-45868</cve>
        <cve>CVE-2018-14335</cve>
    </suppress>
    <suppress>
        <packageUrl regex="true">^pkg:maven/org\.owasp/dependency\-check\-utils@.*$</packageUrl>
        <cpe>cpe:/a:utils_project:utils</cpe>
    </suppress>
    <suppress>
        <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@1.33$</packageUrl>
        <cve>CVE-2022-1471</cve>
        <cve>CVE-2022-3064</cve>
        <cve>CVE-2021-4235</cve>
    </suppress>
    <suppress>
        <packageUrl regex="true">^(?!pkg:maven/org\.json/json@).+$</packageUrl>
        <cpe>cpe:/a:json-java_project:json-java</cpe>
    </suppress>
    <suppress>
        <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
        <cve>CVE-2020-8908</cve>
    </suppress>
</suppressions>
-------------------------------------------------------------------------------- /project/build.properties: --------------------------------------------------------------------------------
sbt.version = 1.7.2
-------------------------------------------------------------------------------- /project/plugins.sbt: --------------------------------------------------------------------------------
// https://github.com/rtimush/sbt-updates
addSbtPlugin("com.timushev.sbt" % "sbt-updates" % "0.6.4")

// https://github.com/jrudolph/sbt-dependency-graph
addSbtPlugin("net.virtual-void" % "sbt-dependency-graph" % "0.10.0-RC1")


Compile / unmanagedSourceDirectories += baseDirectory.value.getParentFile / "src" / "main" / "scala"
libraryDependencies ++= Seq(
  "org.owasp" % "dependency-check-core" % "8.1.2",
  "org.slf4j" % "slf4j-simple" % "2.0.9"
)
-------------------------------------------------------------------------------- /project/release.sbt: --------------------------------------------------------------------------------
// https://github.com/sbt/sbt-release
addSbtPlugin("com.github.sbt" % "sbt-release" % "1.1.0")
-------------------------------------------------------------------------------- /project/scripted.sbt: --------------------------------------------------------------------------------
libraryDependencies += { "org.scala-sbt" %% "scripted-plugin" % sbtVersion.value }
-------------------------------------------------------------------------------- /project/sonatype.sbt: --------------------------------------------------------------------------------
// https://github.com/xerial/sbt-sonatype
addSbtPlugin("org.xerial.sbt" % "sbt-sonatype" % "3.9.21")
// http://www.scala-sbt.org/sbt-pgp/
addSbtPlugin("com.github.sbt" % "sbt-pgp" % "2.2.1")
-------------------------------------------------------------------------------- /src/main/resources/META-INF/licenses/commons/LICENSE: --------------------------------------------------------------------------------

                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.
      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability.
In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. 
We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright [yyyy] [name of copyright owner] 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. 203 | -------------------------------------------------------------------------------- /src/main/resources/META-INF/licenses/dependency-check/LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ -------------------------------------------------------------------------------- /src/main/resources/META-INF/licenses/dependency-check/NOTICE: -------------------------------------------------------------------------------- 1 | dependency-check 2 | 3 | Copyright (c) 2012-2013 Jeremy Long. All Rights Reserved. 4 | 5 | The licenses for the software listed below can be found in the META-INF/licenses/[dependency name]. 6 | 7 | This product includes software developed by The Apache Software Foundation (http://www.apache.org/). 8 | 9 | This product includes software developed by Jquery.com (http://jquery.com/). 10 | 11 | This product includes software developed by Jonathan Hedley (jsoup.org) 12 | 13 | This software contains unmodified binary redistributions for H2 database engine (http://www.h2database.com/), which is dual licensed and available under a modified version of the MPL 1.1 (Mozilla Public License) or under the (unmodified) EPL 1.0 (Eclipse Public License). 
14 | An original copy of the license agreement can be found at: http://www.h2database.com/html/license.html 15 | 16 | This product includes data from the Common Weakness Enumeration (CWE): http://cwe.mitre.org/ 17 | 18 | This product downloads and utilizes data from the National Vulnerability Database hosted by NIST: http://nvd.nist.gov/download.cfm -------------------------------------------------------------------------------- /src/main/scala/net/vonbuchholtz/sbt/dependencycheck/DependencyCheckKeys.scala: -------------------------------------------------------------------------------- 1 | package net.vonbuchholtz.sbt.dependencycheck 2 | 3 | import sbt.* 4 | 5 | trait DependencyCheckKeys { 6 | 7 | // Configuration 8 | lazy val dependencyCheckAutoUpdate = settingKey[Option[Boolean]]("Sets whether auto-updating of the NVD CVE/CPE, retireJS and hosted suppressions data is enabled. Setting this to false is not recommended.") 9 | lazy val dependencyCheckCveValidForHours = settingKey[Option[Int]]("Sets the number of hours to wait before checking for new updates from the NVD.") 10 | lazy val dependencyCheckFailBuildOnCVSS = settingKey[Float]("Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11; since CVSS scores range from 0 to 10, the build will never fail by default. More information on CVSS scores can be found at https://nvd.nist.gov/vuln-metrics/cvss") 11 | lazy val dependencyCheckJUnitFailBuildOnCVSS = settingKey[Option[Float]]("If using the JUNIT report format, dependencyCheckJUnitFailBuildOnCVSS sets the CVSS score threshold that is considered a failure.") 12 | lazy val dependencyCheckFormat = settingKey[String]("The report format to be generated (HTML, XML, JUNIT, CSV, JSON, SARIF, JENKINS, ALL). 
This setting is ignored if dependencyCheckFormats is set.") 13 | lazy val dependencyCheckFormats = settingKey[Seq[String]]("A sequence of report formats to be generated (HTML, XML, JUNIT, CSV, JSON, SARIF, JENKINS, ALL).") 14 | lazy val dependencyCheckOutputDirectory = settingKey[Option[File]]("The location to write the report(s).") 15 | lazy val dependencyCheckScanSet = settingKey[Seq[File]]("An optional sequence of files that specify additional files and/or directories to analyze as part of the scan. If not specified, defaults to standard scala conventions.") 16 | lazy val dependencyCheckSkip = settingKey[Boolean]("Skips the dependency-check analysis") 17 | lazy val dependencyCheckSkipTestScope = settingKey[Boolean]("Skips analysis for artifacts with Test Scope") 18 | lazy val dependencyCheckSkipRuntimeScope = settingKey[Boolean]("Skips analysis for artifacts with Runtime Scope") 19 | lazy val dependencyCheckSkipProvidedScope = settingKey[Boolean]("Skips analysis for artifacts with Provided Scope") 20 | lazy val dependencyCheckSkipOptionalScope = settingKey[Boolean]("Skips analysis for artifacts with Optional Scope") 21 | lazy val dependencyCheckSuppressionFile = settingKey[Option[File]]("The file path to the XML suppression file - used to suppress false positives. 
If you want to add multiple files use dependencyCheckSuppressionFiles instead.") 22 | lazy val dependencyCheckSuppressionFiles = settingKey[Seq[File]]("The sequence of file paths to the XML suppression files - used to suppress false positives") 23 | lazy val dependencyCheckCpeStartsWith = settingKey[Option[String]]("The starting String to identify the CPEs that are qualified to be imported.") 24 | lazy val dependencyCheckHintsFile = settingKey[Option[File]]("The file path to the XML hints file - used to resolve false negatives.") 25 | lazy val dependencyCheckUseSbtModuleIdAsGav = settingKey[Option[Boolean]]("Uses the SBT ModuleId as GAV (reduces dependency on Maven Central for resolving)") 26 | lazy val dependencyCheckAnalysisTimeout = settingKey[Option[Int]]("Set the analysis timeout in minutes.") 27 | lazy val dependencyCheckEnableExperimental = settingKey[Option[Boolean]]("Enable the experimental analyzers. If not enabled the experimental analyzers (see below) will not be loaded or used.") 28 | lazy val dependencyCheckEnableRetired = settingKey[Option[Boolean]]("Enable the retired analyzers. If not enabled retired analyzers will not be loaded or used.") 29 | 30 | // Analyzer configuration 31 | lazy val dependencyCheckArchiveAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether the Archive Analyzer will be used.") 32 | lazy val dependencyCheckZipExtensions = settingKey[Option[String]]("A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed.") 33 | lazy val dependencyCheckJarAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether Jar Analyzer will be used.") 34 | lazy val dependencyCheckDartAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether the experimental Dart analyzer is enabled. 
dependencyCheckEnableExperimental must be set to true.") 35 | lazy val dependencyCheckKnownExploitedEnabled = settingKey[Option[Boolean]]("Sets whether the Known Exploited Vulnerability update and analyzer are enabled.") 36 | lazy val dependencyCheckKnownExploitedUrl = settingKey[Option[URL]]("Sets URL to the CISA Known Exploited Vulnerabilities JSON data feed.") 37 | lazy val dependencyCheckKnownExploitedValidForHours = settingKey[Option[Int]]("Set the interval in hours until the next check for CISA Known Exploited Vulnerabilities JSON data feed is performed.") 38 | lazy val dependencyCheckCentralAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether Central Analyzer will be used. If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer (see below).") 39 | lazy val dependencyCheckCentralAnalyzerUseCache = settingKey[Option[Boolean]]("Sets whether the Central Analyzer will cache results.") 40 | lazy val dependencyCheckOSSIndexAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether or not the OSS Index Analyzer should be used.") 41 | lazy val dependencyCheckOSSIndexAnalyzerUrl = settingKey[Option[URL]]("Sets the URL to the OSS Index repository.") 42 | lazy val dependencyCheckOSSIndexAnalyzerUseCache = settingKey[Option[Boolean]]("Sets whether the OSS Index Analyzer will cache results.") 43 | lazy val dependencyCheckOSSIndexWarnOnlyOnRemoteErrors = settingKey[Option[Boolean]]("Sets whether remote errors from the OSS Index (e.g. 
BAD GATEWAY, RATE LIMIT EXCEEDED) will result in warnings only instead of failing execution.") 44 | lazy val dependencyCheckOSSIndexAnalyzerUsername = settingKey[Option[String]]("The username to use for the Sonatype OSS Index service.") 45 | lazy val dependencyCheckOSSIndexAnalyzerPassword = settingKey[Option[String]]("The password to use for the Sonatype OSS Index service.") 46 | lazy val dependencyCheckNexusAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether Nexus Analyzer will be used. This analyzer is superseded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation.") 47 | lazy val dependencyCheckNexusUrl = settingKey[Option[URL]]("Defines the Nexus Server's web service end point (example http://domain.enterprise/service/local/). If not set the Nexus Analyzer will be disabled.") 48 | lazy val dependencyCheckNexusUsesProxy = settingKey[Option[Boolean]]("Whether or not the defined proxy should be used when connecting to Nexus.") 49 | lazy val dependencyCheckNexusUser = settingKey[Option[String]]("The username to authenticate to the Nexus Server's web service end point. If not set the Nexus Analyzer will use an unauthenticated connection.") 50 | lazy val dependencyCheckNexusPassword = settingKey[Option[String]]("The password to authenticate to the Nexus Server's web service end point. If not set the Nexus Analyzer will use an unauthenticated connection.") 51 | lazy val dependencyCheckPyDistributionAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether the experimental Python Distribution Analyzer will be used. dependencyCheckEnableExperimental must be set to true.") 52 | lazy val dependencyCheckPyPackageAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether the experimental Python Package Analyzer will be used. 
dependencyCheckEnableExperimental must be set to true.") 53 | lazy val dependencyCheckRubygemsAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether the experimental Ruby Gemspec Analyzer will be used. dependencyCheckEnableExperimental must be set to true.") 54 | lazy val dependencyCheckOpensslAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether or not the openssl Analyzer should be used.") 55 | lazy val dependencyCheckCmakeAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether or not the experimental CMake Analyzer should be used. dependencyCheckEnableExperimental must be set to true.") 56 | lazy val dependencyCheckAutoconfAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether or not the experimental autoconf Analyzer should be used. dependencyCheckEnableExperimental must be set to true.") 57 | lazy val dependencyCheckMavenInstallAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether or not the Maven install Analyzer should be used.") 58 | lazy val dependencyCheckPipAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether the experimental pip Analyzer should be used. dependencyCheckEnableExperimental must be set to true.") 59 | lazy val dependencyCheckPipfileAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether the experimental Pipfile Analyzer should be used. dependencyCheckEnableExperimental must be set to true.") 60 | lazy val dependencyCheckPoetryAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether or not the poetry Analyzer should be used.") 61 | lazy val dependencyCheckComposerAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether or not the experimental PHP Composer Lock File Analyzer should be used. dependencyCheckEnableExperimental must be set to true.") 62 | lazy val dependencyCheckCpanFileAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether or not the experimental Perl CPAN File Analyzer should be used. 
dependencyCheckEnableExperimental must be set to true.") 63 | lazy val dependencyCheckNodeAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether or not the retired Node.js Analyzer should be used.") 64 | lazy val dependencyCheckNodePackageSkipDevDependencies = settingKey[Option[Boolean]]("Sets whether the retired Node.js Analyzer will skip devDependencies.") 65 | lazy val dependencyCheckNodeAuditAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether or not the Node Audit Analyzer should be used.") 66 | lazy val dependencyCheckNodeAuditAnalyzerUrl = settingKey[Option[URL]]("Sets the URL to the NPM Audit API. If not set uses default URL.") 67 | lazy val dependencyCheckNodeAuditSkipDevDependencies = settingKey[Option[Boolean]]("Sets whether the Node.js Audit Analyzer will skip devDependencies.") 68 | lazy val dependencyCheckNodeAuditAnalyzerUseCache = settingKey[Option[Boolean]]("Sets whether the Node Audit Analyzer will cache results.") 69 | lazy val dependencyCheckNPMCPEAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether or not the experimental NPM CPE Analyzer should be used.") 70 | lazy val dependencyCheckYarnAuditAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether the Yarn Audit Analyzer should be used. This analyzer requires yarn and an internet connection. Use `dependencyCheckNodeAuditSkipDevDependencies` to skip dev dependencies.") 71 | lazy val dependencyCheckPathToYarn = settingKey[Option[File]]("Sets the path to the Yarn executable.") 72 | lazy val dependencyCheckPNPMAuditAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether the Pnpm Audit Analyzer is enabled. This analyzer requires pnpm and an internet connection. 
Use `dependencyCheckNodeAuditSkipDevDependencies` to skip dev dependencies.") 73 | lazy val dependencyCheckPathToPNPM = settingKey[Option[File]]("Sets the path to pnpm.") 74 | lazy val dependencyCheckNuspecAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether or not the .NET Nuget Nuspec Analyzer will be used.") 75 | lazy val dependencyCheckNugetConfAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether the experimental .NET Nuget packages.config Analyzer will be used. dependencyCheckEnableExperimental must be set to true.") 76 | lazy val dependencyCheckCocoapodsEnabled = settingKey[Option[Boolean]]("Sets whether or not the experimental Cocoapods Analyzer should be used. dependencyCheckEnableExperimental must be set to true.") 77 | lazy val dependencyCheckMixAuditAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether or not the experimental Elixir Mix Audit Analyzer should be used.") 78 | lazy val dependencyCheckMixAuditPath = settingKey[Option[File]]("Sets the path to the mix_audit executable; only used if Elixir Mix Audit Analyzer is enabled and experimental analyzers are enabled.") 79 | lazy val dependencyCheckSwiftEnabled = settingKey[Option[Boolean]]("Sets whether or not the experimental Swift Package Manager Analyzer should be used. dependencyCheckEnableExperimental must be set to true.") 80 | lazy val dependencyCheckSwiftPackageResolvedAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether or not the experimental Swift Package Resolved Analyzer should be used. dependencyCheckEnableExperimental must be set to true.") 81 | lazy val dependencyCheckBundleAuditEnabled = settingKey[Option[Boolean]]("Sets whether or not the experimental Ruby Bundle Audit Analyzer should be used. 
dependencyCheckEnableExperimental must be set to true.") 82 | lazy val dependencyCheckPathToBundleAudit = settingKey[Option[File]]("The path to Ruby Bundle Audit.") 83 | lazy val dependencyCheckBundleAuditWorkingDirectory = settingKey[Option[File]]("Sets the path for the working directory that the Ruby Bundle Audit binary should be executed from.") 84 | lazy val dependencyCheckAssemblyAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether or not the .NET Assembly Analyzer should be used.") 85 | lazy val dependencyCheckMSBuildAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether the MSBuild Analyzer should be used.") 86 | lazy val dependencyCheckPEAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether or not the experimental PE Analyzer that reads the PE headers of DLL and EXE files should be used.") 87 | lazy val dependencyCheckPathToDotNETCore = settingKey[Option[File]]("The path to Core for .NET assembly analysis on non-windows systems.") 88 | lazy val dependencyCheckRetireJSAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether or not the RetireJS Analyzer should be used.") 89 | lazy val dependencyCheckRetireJSForceUpdate = settingKey[Option[Boolean]]("Sets whether the RetireJS Analyzer should update regardless of the dependencyCheckAutoUpdate setting.") 90 | lazy val dependencyCheckRetireJSAnalyzerRepoJSUrl = settingKey[Option[URL]]("Sets the URL to the RetireJS repository. 
Note: the file name must be 'jsrepository.json'") 91 | lazy val dependencyCheckRetireJsAnalyzerRepoUser = settingKey[Option[String]]("Username for authentication to connect to RetireJS URL.") 92 | lazy val dependencyCheckRetireJsAnalyzerRepoPassword = settingKey[Option[String]]("Password for authentication to connect to RetireJS URL.") 93 | lazy val dependencyCheckRetireJsAnalyzerRepoValidFor = settingKey[Option[Int]]("Set the interval in hours until the next check for CVEs updates is performed by the RetireJS analyzer.") 94 | lazy val dependencyCheckRetireJsAnalyzerFilters = settingKey[Seq[String]]("Set one or more filters for the RetireJS analyzer. ") 95 | lazy val dependencyCheckRetireJsAnalyzerFilterNonVulnerable = settingKey[Option[Boolean]]("Sets whether or not the RetireJS analyzer should filter non-vulnerable dependencies.") 96 | lazy val dependencyCheckArtifactoryAnalyzerEnabled = settingKey[Option[Boolean]]("Sets whether or not teh JFrog Artifactory Analyzer will be used.") 97 | lazy val dependencyCheckArtifactoryAnalyzerUrl = settingKey[Option[URL]]("The Artifactory server URL.") 98 | lazy val dependencyCheckArtifactoryAnalyzerUseProxy = settingKey[Option[Boolean]]("Sets whether Artifactory should be accessed through a proxy or not.") 99 | lazy val dependencyCheckArtifactoryAnalyzerParallelAnalysis = settingKey[Option[Boolean]]("Sets whether the Artifactory analyzer should be run in parallel or not.") 100 | lazy val dependencyCheckArtifactoryAnalyzerUsername = settingKey[Option[String]]("The user name (only used with API token) to connect to Artifactory instance.") 101 | lazy val dependencyCheckArtifactoryAnalyzerApiToken = settingKey[Option[String]]("The API token to connect to Artifactory instance.") 102 | lazy val dependencyCheckArtifactoryAnalyzerBearerToken = settingKey[Option[String]]("he bearer token to connect to Artifactory instance.") 103 | lazy val dependencyCheckGolangDepEnabled = settingKey[Option[Boolean]]("Sets whether or not the 
experimental Golang Dependency Analyzer should be used. dependencyCheckEnableExperimental must be set to true.") 104 | lazy val dependencyCheckGolangModEnabled = settingKey[Option[Boolean]]("Sets whether or not the experimental Golang Module Analyzer should be used. Requires `go` to be installed. dependencyCheckEnableExperimental must be set to true.") 105 | lazy val dependencyCheckPathToGo = settingKey[Option[File]]("The path to the \"go\" runtime.") 106 | 107 | // Advanced configuration 108 | lazy val dependencyCheckCveUrlModified = settingKey[Option[URL]]("URL for the modified CVE JSON data feed. Optional if your custom dependencyCheckCveUrlBase is just a domain name change.") 109 | lazy val dependencyCheckCveUrlBase = settingKey[Option[String]]("Base URL for each year's CVE JSON data feed, the %d will be replaced with the year. ") 110 | lazy val dependencyCheckCveUser = settingKey[Option[String]]("The username used when connecting to the cveUrl. ") 111 | lazy val dependencyCheckCvePassword = settingKey[Option[String]]("The password used when connecting to the cveUrl. ") 112 | lazy val dependencyCheckCveWaitTime = settingKey[Option[Int]]("The time in milliseconds to wait between downloads from the NVD.") 113 | lazy val dependencyCheckCveStartYear = settingKey[Option[Int]]("The first year of NVD CVE data to download from the NVD.") 114 | lazy val dependencyCheckConnectionTimeout = settingKey[Option[Int]]("Sets the URL Connection Timeout (in milliseconds) used when downloading external data. ") 115 | lazy val dependencyCheckConnectionReadTimeout = settingKey[Option[Int]]("Sets the URL Connection Read Timeout (in milliseconds) used when downloading external data. ") 116 | lazy val dependencyCheckDataDirectory = settingKey[Option[File]]("Sets the data directory to hold SQL CVEs contents. This should generally not be changed. ") 117 | lazy val dependencyCheckDatabaseDriverName = settingKey[Option[String]]("The name of the database driver. Example: org.h2.Driver. 
") 118 | lazy val dependencyCheckDatabaseDriverPath = settingKey[Option[File]]("The path to the database driver JAR file; only used if the driver is not in the class path. ") 119 | lazy val dependencyCheckConnectionString = settingKey[Option[String]]("The connection string used to connect to the database. ") 120 | lazy val dependencyCheckDatabaseUser = settingKey[Option[String]]("The username used when connecting to the database. ") 121 | lazy val dependencyCheckDatabasePassword = settingKey[Option[String]]("The password used when connecting to the database. ") 122 | lazy val dependencyCheckHostedSuppressionsForceUpdate = settingKey[Option[Boolean]]("Whether the hosted suppressions file will update regardless of the `dependencyCheckAutoUpdate` setting.") 123 | lazy val dependencyCheckHostedSuppressionsEnabled = settingKey[Option[Boolean]]("Whether the hosted suppression file will be used.") 124 | lazy val dependencyCheckHostedSuppressionsUrl = settingKey[Option[URL]]("The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments.") 125 | lazy val dependencyCheckHostedSuppressionsValidForHours = settingKey[Option[Int]]("Sets the number of hours to wait before checking for new updates from the NVD.") 126 | 127 | // TaskKeys 128 | lazy val dependencyCheck = TaskKey[Unit]("dependencyCheck", "Runs dependency-check against the project and generates a report per sub project.") 129 | lazy val dependencyCheckAggregate = TaskKey[Unit]("dependencyCheckAggregate", "Runs dependency-check against project aggregates and combines the results into a single report.") 130 | lazy val dependencyCheckAnyProject = TaskKey[Unit]("dependencyCheckAnyProject", "Runs dependency-check against all projects and combines the results into a single report.") 131 | lazy val dependencyCheckUpdateOnly = TaskKey[Unit]("dependencyCheckUpdateOnly", "Updates the local cache of the NVD data from NIST.") 132 | lazy val dependencyCheckPurge = 
TaskKey[Unit]("dependencyCheckPurge", "Deletes the local copy of the NVD. This is used to force a refresh of the data.") 133 | lazy val dependencyCheckListSettings = TaskKey[Unit]("dependencyCheckListSettings", "List the settings of the plugin") 134 | } 135 | -------------------------------------------------------------------------------- /src/main/scala/net/vonbuchholtz/sbt/dependencycheck/DependencyCheckListSettingsTask.scala: -------------------------------------------------------------------------------- 1 | package net.vonbuchholtz.sbt.dependencycheck 2 | 3 | import java.io.File 4 | 5 | import org.owasp.dependencycheck.utils.Settings 6 | import org.owasp.dependencycheck.utils.Settings.KEYS.* 7 | import sbt.Logger 8 | 9 | object DependencyCheckListSettingsTask { 10 | def logSettings(settings: Settings, failBuildOnCVSS: Float, formats: Seq[String], outputDirectory: String, scanSet: Seq[sbt.File], 11 | skip: Boolean, skipRuntime: Boolean, skipTest: Boolean, skipProvided: Boolean, skipOptional: Boolean, 12 | useSbtModuleIdAsGav: Boolean, log: Logger): Unit = { 13 | def logBooleanSetting(key: String, setting: String, log: Logger): Unit = { 14 | log.info(s"\t$setting: ${settings.getBoolean(key)}") 15 | } 16 | 17 | def logFloatSetting(key: String, setting: String, log: Logger): Unit = { 18 | log.info(s"\t$setting: ${settings.getFloat(key, 0)}") 19 | } 20 | 21 | def logStringSetting(key: String, setting: String, log: Logger): Unit = { 22 | log.info(s"\t$setting: ${if(key.contains("assword")) "******" else settings.getString(key)}") 23 | } 24 | 25 | def logFileSetting(key: String, setting: String, log: Logger): Unit = { 26 | val someFile: Option[File] = Option(settings.getFile(key)) 27 | log.info(s"\t$setting: ${someFile.getOrElse(new File("")).getPath}") 28 | } 29 | 30 | def logUrlSetting(key: String, setting: String, log: Logger): Unit = { 31 | log.info(s"\t$setting: ${settings.getString(key)}") 32 | } 33 | 34 | logBooleanSetting(AUTO_UPDATE, 
"dependencyCheckAutoUpdate", log) 35 | logStringSetting(CVE_CHECK_VALID_FOR_HOURS, "dependencyCheckCveValidForHours", log) 36 | log.info(s"\tdependencyCheckFailBuildOnCVSS: ${failBuildOnCVSS.toString}") 37 | logFloatSetting(JUNIT_FAIL_ON_CVSS, "dependencyCheckJUnitFailBuildOnCVSS", log) 38 | log.info(s"\tdependencyCheckFormats (combined with dependencyCheckFormat): ${formats.mkString(", ")}") 39 | log.info(s"\tdependencyCheckOutputDirectory: $outputDirectory") 40 | log.info(s"\tdependencyCheckScanSet: ${scanSet.map(f => f.getAbsolutePath).mkString(", ")}") 41 | log.info(s"\tdependencyCheckSkip: ${skip.toString}") 42 | log.info(s"\tdependencyCheckSkipTestScope: ${skipTest.toString}") 43 | log.info(s"\tdependencyCheckSkipRuntimeScope: ${skipRuntime.toString}") 44 | log.info(s"\tdependencyCheckSkipProvidedScope: ${skipProvided.toString}") 45 | log.info(s"\tdependencyCheckSkipOptionalScope: ${skipOptional.toString}") 46 | logFileSetting(SUPPRESSION_FILE, "dependencyCheckSuppressionFile/s", log) 47 | logFileSetting(HINTS_FILE, "dependencyCheckHintsFile", log) 48 | logStringSetting(ANALYSIS_TIMEOUT, "dependencyCheckAnalysisTimeout", log) 49 | logBooleanSetting(ANALYZER_EXPERIMENTAL_ENABLED, "dependencyCheckEnableExperimental", log) 50 | logBooleanSetting(ANALYZER_RETIRED_ENABLED, "dependencyCheckEnableRetired", log) 51 | 52 | // Analyzer Configuration 53 | logBooleanSetting(ANALYZER_ARCHIVE_ENABLED, "dependencyCheckArchiveAnalyzerEnabled", log) 54 | logStringSetting(ADDITIONAL_ZIP_EXTENSIONS, "dependencyCheckZipExtensions", log) 55 | logBooleanSetting(ANALYZER_JAR_ENABLED, "dependencyCheckJarAnalyzer", log) 56 | logBooleanSetting(ANALYZER_DART_ENABLED, "dependencyCheckDartAnalyzerEnabled", log) 57 | logBooleanSetting(ANALYZER_KNOWN_EXPLOITED_ENABLED,"dependencyCheckKnownExploitedEnabled", log) 58 | logUrlSetting(KEV_URL, "dependencyCheckKnownExploitedUrl", log) 59 | logStringSetting(KEV_CHECK_VALID_FOR_HOURS, "dependencyCheckKnownExploitedValidForHours", log) 60 | 
    logBooleanSetting(ANALYZER_CENTRAL_ENABLED, "dependencyCheckCentralAnalyzerEnabled", log)
    logBooleanSetting(ANALYZER_CENTRAL_USE_CACHE, "dependencyCheckCentralAnalyzerUseCache", log)
    logBooleanSetting(ANALYZER_OSSINDEX_ENABLED, "dependencyCheckOSSIndexAnalyzerEnabled", log)
    logUrlSetting(ANALYZER_OSSINDEX_URL, "dependencyCheckOSSIndexAnalyzerUrl", log)
    logBooleanSetting(ANALYZER_OSSINDEX_USE_CACHE, "dependencyCheckOSSIndexAnalyzerUseCache", log)
    logBooleanSetting(ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, "dependencyCheckOSSIndexWarnOnlyOnRemoteErrors", log)
    logStringSetting(ANALYZER_OSSINDEX_USER, "dependencyCheckOSSIndexAnalyzerUsername", log)
    logStringSetting(ANALYZER_OSSINDEX_PASSWORD, "dependencyCheckOSSIndexAnalyzerPassword", log)
    logBooleanSetting(ANALYZER_NEXUS_ENABLED, "dependencyCheckNexusAnalyzerEnabled", log)
    logUrlSetting(ANALYZER_NEXUS_URL, "dependencyCheckNexusUrl", log)
    logBooleanSetting(ANALYZER_NEXUS_USES_PROXY, "dependencyCheckNexusUsesProxy", log)
    logStringSetting(ANALYZER_NEXUS_USER, "dependencyCheckNexusUser", log)
    logStringSetting(ANALYZER_NEXUS_PASSWORD, "dependencyCheckNexusPassword", log)
    logBooleanSetting(ANALYZER_PYTHON_DISTRIBUTION_ENABLED, "dependencyCheckPyDistributionAnalyzerEnabled", log)
    logBooleanSetting(ANALYZER_PYTHON_PACKAGE_ENABLED, "dependencyCheckPyPackageAnalyzerEnabled", log)
    logBooleanSetting(ANALYZER_RUBY_GEMSPEC_ENABLED, "dependencyCheckRubygemsAnalyzerEnabled", log)
    logBooleanSetting(ANALYZER_OPENSSL_ENABLED, "dependencyCheckOpensslAnalyzerEnabled", log)
    logBooleanSetting(ANALYZER_CMAKE_ENABLED, "dependencyCheckCmakeAnalyzerEnabled", log)
    logBooleanSetting(ANALYZER_AUTOCONF_ENABLED, "dependencyCheckAutoconfAnalyzerEnabled", log)
    logBooleanSetting(ANALYZER_MAVEN_INSTALL_ENABLED, "dependencyCheckMavenInstallAnalyzerEnabled", log)
    logBooleanSetting(ANALYZER_PIP_ENABLED, "dependencyCheckPipAnalyzerEnabled", log)
    logBooleanSetting(ANALYZER_PIPFILE_ENABLED, "dependencyCheckPipfileAnalyzerEnabled", log)
    logBooleanSetting(ANALYZER_POETRY_ENABLED, "dependencyCheckPoetryAnalyzerEnabled", log)
    logBooleanSetting(ANALYZER_COMPOSER_LOCK_ENABLED, "dependencyCheckComposerAnalyzerEnabled", log)
    logBooleanSetting(ANALYZER_CPANFILE_ENABLED, "dependencyCheckCpanFileAnalyzerEnabled", log)
    logBooleanSetting(ANALYZER_NODE_PACKAGE_ENABLED, "dependencyCheckNodeAnalyzerEnabled", log)
    logBooleanSetting(ANALYZER_NODE_PACKAGE_SKIPDEV, "dependencyCheckNodePackageSkipDevDependencies", log)
    logBooleanSetting(ANALYZER_NODE_AUDIT_ENABLED, "dependencyCheckNodeAuditAnalyzerEnabled", log)
    logUrlSetting(ANALYZER_NODE_AUDIT_URL, "dependencyCheckNodeAuditAnalyzerUrl", log)
    logBooleanSetting(ANALYZER_NODE_AUDIT_SKIPDEV, "dependencyCheckNodeAuditSkipDevDependencies", log)
    logBooleanSetting(ANALYZER_NODE_AUDIT_USE_CACHE, "dependencyCheckNodeAuditAnalyzerUseCache", log)
    logBooleanSetting(ANALYZER_NPM_CPE_ENABLED, "dependencyCheckNPMCPEAnalyzerEnabled", log)
    logBooleanSetting(ANALYZER_YARN_AUDIT_ENABLED, "dependencyCheckYarnAuditAnalyzerEnabled", log)
    logFileSetting(ANALYZER_YARN_PATH, "dependencyCheckPathToYarn", log)
    logBooleanSetting(ANALYZER_PNPM_AUDIT_ENABLED, "dependencyCheckPNPMAuditAnalyzerEnabled", log)
    logFileSetting(ANALYZER_PNPM_PATH, "dependencyCheckPathToPNPM", log)
    logBooleanSetting(ANALYZER_NUSPEC_ENABLED, "dependencyCheckNuspecAnalyzerEnabled", log)
    logBooleanSetting(ANALYZER_NUGETCONF_ENABLED, "dependencyCheckNugetConfAnalyzerEnabled", log)
    logBooleanSetting(ANALYZER_COCOAPODS_ENABLED, "dependencyCheckCocoapodsEnabled", log)
    logBooleanSetting(ANALYZER_MIX_AUDIT_ENABLED, "dependencyCheckMixAuditAnalyzerEnabled", log)
    logFileSetting(ANALYZER_MIX_AUDIT_PATH, "dependencyCheckMixAuditPath", log)
    logBooleanSetting(ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED, "dependencyCheckSwiftEnabled", log)
    logBooleanSetting(ANALYZER_SWIFT_PACKAGE_RESOLVED_ENABLED, "dependencyCheckSwiftPackageResolvedAnalyzerEnabled", log)
    logBooleanSetting(ANALYZER_BUNDLE_AUDIT_ENABLED, "dependencyCheckBundleAuditEnabled", log)
    logFileSetting(ANALYZER_BUNDLE_AUDIT_PATH, "dependencyCheckPathToBundleAudit", log)
    logStringSetting(ANALYZER_BUNDLE_AUDIT_WORKING_DIRECTORY, "dependencyCheckBundleAuditWorkingDirectory", log)
    logBooleanSetting(ANALYZER_ASSEMBLY_ENABLED, "dependencyCheckAssemblyAnalyzerEnabled", log)
    logBooleanSetting(ANALYZER_MSBUILD_PROJECT_ENABLED, "dependencyCheckMSBuildAnalyzerEnabled", log)
    logBooleanSetting(ANALYZER_PE_ENABLED, "dependencyCheckPEAnalyzerEnabled", log)
    logFileSetting(ANALYZER_ASSEMBLY_DOTNET_PATH, "dependencyCheckPathToDotNETCore", log)
    logStringSetting(CVE_CPE_STARTS_WITH_FILTER, "dependencyCheckCpeStartsWith", log)
    logBooleanSetting(ANALYZER_RETIREJS_ENABLED, "dependencyCheckRetireJSAnalyzerEnabled", log)
    logBooleanSetting(ANALYZER_RETIREJS_FORCEUPDATE, "dependencyCheckRetireJSForceUpdate", log)
    logUrlSetting(ANALYZER_RETIREJS_REPO_JS_URL, "dependencyCheckRetireJSAnalyzerRepoJSUrl", log)
    logStringSetting(ANALYZER_RETIREJS_REPO_JS_USER, "dependencyCheckRetireJsAnalyzerRepoUser", log)
    logStringSetting(ANALYZER_RETIREJS_REPO_JS_PASSWORD, "dependencyCheckRetireJsAnalyzerRepoPassword", log)
    logStringSetting(ANALYZER_RETIREJS_REPO_VALID_FOR_HOURS, "dependencyCheckRetireJsAnalyzerRepoValidFor", log)
    logStringSetting(ANALYZER_RETIREJS_FILTERS, "dependencyCheckRetireJsAnalyzerFilters", log)
    logBooleanSetting(ANALYZER_RETIREJS_FILTER_NON_VULNERABLE, "dependencyCheckRetireJsAnalyzerFilterNonVulnerable", log)
    logBooleanSetting(ANALYZER_ARTIFACTORY_ENABLED, "dependencyCheckArtifactoryAnalyzerEnabled", log)
    logUrlSetting(ANALYZER_ARTIFACTORY_URL, "dependencyCheckArtifactoryAnalyzerUrl", log)
    logBooleanSetting(ANALYZER_ARTIFACTORY_USES_PROXY, "dependencyCheckArtifactoryAnalyzerUseProxy", log)
    logBooleanSetting(ANALYZER_ARTIFACTORY_PARALLEL_ANALYSIS, "dependencyCheckArtifactoryAnalyzerParallelAnalysis", log)
    logStringSetting(ANALYZER_ARTIFACTORY_API_USERNAME, "dependencyCheckArtifactoryAnalyzerUsername", log)
    logStringSetting(ANALYZER_ARTIFACTORY_API_TOKEN, "dependencyCheckArtifactoryAnalyzerApiToken", log)
    logStringSetting(ANALYZER_ARTIFACTORY_BEARER_TOKEN, "dependencyCheckArtifactoryAnalyzerBearerToken", log)
    logBooleanSetting(ANALYZER_GOLANG_DEP_ENABLED, "dependencyCheckGolangDepEnabled", log)
    logBooleanSetting(ANALYZER_GOLANG_MOD_ENABLED, "dependencyCheckGolangModEnabled", log)
    logFileSetting(ANALYZER_GOLANG_PATH, "dependencyCheckPathToGo", log)

    // Advanced Configuration
    logUrlSetting(CVE_MODIFIED_JSON, "dependencyCheckCveUrlModified", log)
    logStringSetting(CVE_BASE_JSON, "dependencyCheckCveUrlBase", log)
    logStringSetting(CVE_USER, "dependencyCheckCveUser", log)
    logStringSetting(CVE_PASSWORD, "dependencyCheckCvePassword", log)
    logStringSetting(CVE_DOWNLOAD_WAIT_TIME, "dependencyCheckCveWaitTime", log)
    logStringSetting(CVE_START_YEAR, "dependencyCheckCveStartYear", log)
    logStringSetting(CONNECTION_TIMEOUT, "dependencyCheckConnectionTimeout", log)
    logStringSetting(CONNECTION_READ_TIMEOUT, "dependencyCheckConnectionReadTimeout", log)
    logStringSetting(DB_FILE_NAME, "dependencyCheckDatabaseFileName", log)
    logStringSetting(DB_VERSION, "dependencyCheckDatabaseVersion", log)
    logFileSetting(DATA_DIRECTORY, "dependencyCheckDataDirectory", log)
    logStringSetting(DB_DRIVER_NAME, "dependencyCheckDatabaseDriverName", log)
    logFileSetting(DB_DRIVER_PATH, "dependencyCheckDatabaseDriverPath", log)
    logStringSetting(DB_CONNECTION_STRING, "dependencyCheckConnectionString", log)
    logStringSetting(DB_USER, "dependencyCheckDatabaseUser", log)
    logStringSetting(DB_PASSWORD, "dependencyCheckDatabasePassword", log)
    logBooleanSetting(HOSTED_SUPPRESSIONS_FORCEUPDATE, "dependencyCheckHostedSuppressionsForceUpdate", log)
    logBooleanSetting(HOSTED_SUPPRESSIONS_ENABLED, "dependencyCheckHostedSuppressionsEnabled", log)
    logUrlSetting(HOSTED_SUPPRESSIONS_URL, "dependencyCheckHostedSuppressionsUrl", log)
    logStringSetting(HOSTED_SUPPRESSIONS_VALID_FOR_HOURS, "dependencyCheckHostedSuppressionsValidForHours", log)

    log.info(s"\tdependencyCheckUseSbtModuleIdAsGav: ${useSbtModuleIdAsGav.toString}")
  }
}

--------------------------------------------------------------------------------
/src/main/scala/net/vonbuchholtz/sbt/dependencycheck/DependencyCheckPlugin.scala:
--------------------------------------------------------------------------------
package net.vonbuchholtz.sbt.dependencycheck

import org.apache.commons.logging.LogFactory
import org.owasp.dependencycheck.Engine
import org.owasp.dependencycheck.agent.DependencyCheckScanAgent
import org.owasp.dependencycheck.data.nexus.MavenArtifact
import org.owasp.dependencycheck.dependency.naming.{GenericIdentifier, Identifier, PurlIdentifier}
import org.owasp.dependencycheck.dependency.{Confidence, Dependency, EvidenceType}
import org.owasp.dependencycheck.exception.ExceptionCollection
import org.owasp.dependencycheck.utils.{Settings, SeverityUtil}
import org.owasp.dependencycheck.utils.Settings.KEYS.*
import sbt.Keys.*
import sbt.plugins.JvmPlugin
import sbt.{Def, File, ScopeFilter, *}

import scala.collection.JavaConverters.*
import scala.util.{Failure, Success, Try}
import scala.util.control.NonFatal
import java.io.{PrintWriter, StringWriter}

object DependencyCheckPlugin extends sbt.AutoPlugin {

  object autoImport extends DependencyCheckKeys

  import autoImport.*

  override def requires = JvmPlugin

  override def trigger: PluginTrigger = allRequirements

  override lazy val globalSettings = Seq(
    dependencyCheckFormat := "HTML",
    dependencyCheckFormats := Seq(),
    dependencyCheckAutoUpdate := None,
    dependencyCheckCveValidForHours := None,
    // 11 is above the CVSS maximum of 10, so by default no finding fails the build.
    dependencyCheckFailBuildOnCVSS := 11,
    dependencyCheckJUnitFailBuildOnCVSS := None,
    dependencyCheckSkip := false,
    dependencyCheckSkipTestScope := true,
    dependencyCheckSkipRuntimeScope := false,
    dependencyCheckSkipProvidedScope := false,
    dependencyCheckSkipOptionalScope := false,
    dependencyCheckSuppressionFile := None,
    dependencyCheckSuppressionFiles := Seq(),
    dependencyCheckCpeStartsWith := None,
    dependencyCheckHintsFile := None,
    dependencyCheckAnalysisTimeout := None,
    dependencyCheckEnableExperimental := None,
    dependencyCheckEnableRetired := None,

    // Analyzer configuration
    dependencyCheckArchiveAnalyzerEnabled := None,
    dependencyCheckZipExtensions := None,
    dependencyCheckJarAnalyzerEnabled := None,
    dependencyCheckDartAnalyzerEnabled := None,
    dependencyCheckKnownExploitedEnabled := None,
    dependencyCheckKnownExploitedUrl := None,
    dependencyCheckKnownExploitedValidForHours := None,
    dependencyCheckCentralAnalyzerEnabled := Some(false),
    dependencyCheckCentralAnalyzerUseCache := None,
    dependencyCheckOSSIndexAnalyzerEnabled := None,
    dependencyCheckOSSIndexAnalyzerUrl := None,
    dependencyCheckOSSIndexAnalyzerUseCache := None,
    dependencyCheckOSSIndexWarnOnlyOnRemoteErrors := None,
    dependencyCheckOSSIndexAnalyzerUsername := None,
    dependencyCheckOSSIndexAnalyzerPassword := None,
    dependencyCheckNexusAnalyzerEnabled := None,
    dependencyCheckNexusUrl := None,
    dependencyCheckNexusUsesProxy := None,
    dependencyCheckNexusUser := None,
    dependencyCheckNexusPassword := None,
    dependencyCheckPyDistributionAnalyzerEnabled := None,
    dependencyCheckPyPackageAnalyzerEnabled := None,
    dependencyCheckRubygemsAnalyzerEnabled := None,
    dependencyCheckOpensslAnalyzerEnabled := None,
    dependencyCheckCmakeAnalyzerEnabled := None,
    dependencyCheckAutoconfAnalyzerEnabled := None,
    dependencyCheckMavenInstallAnalyzerEnabled := None,
    dependencyCheckPipAnalyzerEnabled := None,
    dependencyCheckPipfileAnalyzerEnabled := None,
    dependencyCheckPoetryAnalyzerEnabled := None,
    dependencyCheckComposerAnalyzerEnabled := None,
    dependencyCheckCpanFileAnalyzerEnabled := None,
    dependencyCheckNodeAnalyzerEnabled := None,
    dependencyCheckNodePackageSkipDevDependencies := None,
    dependencyCheckNodeAuditAnalyzerEnabled := None,
    dependencyCheckNodeAuditAnalyzerUrl := None,
    dependencyCheckNodeAuditSkipDevDependencies := None,
    dependencyCheckNodeAuditAnalyzerUseCache := None,
    dependencyCheckNPMCPEAnalyzerEnabled := None,
    dependencyCheckYarnAuditAnalyzerEnabled := None,
    dependencyCheckPathToYarn := None,
    dependencyCheckPNPMAuditAnalyzerEnabled := None,
    dependencyCheckPathToPNPM := None,
    dependencyCheckNuspecAnalyzerEnabled := None,
    dependencyCheckNugetConfAnalyzerEnabled := None,
    dependencyCheckCocoapodsEnabled := None,
    dependencyCheckMixAuditAnalyzerEnabled := None,
    dependencyCheckMixAuditPath := None,
    dependencyCheckSwiftEnabled := None,
    dependencyCheckSwiftPackageResolvedAnalyzerEnabled := None,
    dependencyCheckBundleAuditEnabled := None,
    dependencyCheckPathToBundleAudit := None,
    dependencyCheckBundleAuditWorkingDirectory := None,
    dependencyCheckAssemblyAnalyzerEnabled := None,
    dependencyCheckMSBuildAnalyzerEnabled := None,
    dependencyCheckPEAnalyzerEnabled := None,
    dependencyCheckPathToDotNETCore := None,
    dependencyCheckRetireJSAnalyzerEnabled := None,
    dependencyCheckRetireJSForceUpdate := None,
    dependencyCheckRetireJSAnalyzerRepoJSUrl := None,
    dependencyCheckRetireJsAnalyzerRepoUser := None,
    dependencyCheckRetireJsAnalyzerRepoPassword := None,
    dependencyCheckRetireJsAnalyzerRepoValidFor := None,
    dependencyCheckRetireJsAnalyzerFilters := Seq(),
    dependencyCheckRetireJsAnalyzerFilterNonVulnerable := None,
    dependencyCheckArtifactoryAnalyzerEnabled := None,
    dependencyCheckArtifactoryAnalyzerUrl := None,
    dependencyCheckArtifactoryAnalyzerUseProxy := None,
    dependencyCheckArtifactoryAnalyzerParallelAnalysis := None,
    dependencyCheckArtifactoryAnalyzerUsername := None,
    dependencyCheckArtifactoryAnalyzerApiToken := None,
    dependencyCheckArtifactoryAnalyzerBearerToken := None,
    dependencyCheckGolangDepEnabled := None,
    dependencyCheckGolangModEnabled := None,
    dependencyCheckPathToGo := None,

    // Advanced configuration
    dependencyCheckCveUrlModified := None,
    dependencyCheckCveUrlBase := None,
    dependencyCheckCveUser := None,
    dependencyCheckCvePassword := None,
    dependencyCheckCveWaitTime := None,
    dependencyCheckCveStartYear := None,
    dependencyCheckConnectionTimeout := None,
    dependencyCheckConnectionReadTimeout := None,
    dependencyCheckDataDirectory := None,
    dependencyCheckDatabaseDriverName := None,
    dependencyCheckDatabaseDriverPath := None,
    dependencyCheckConnectionString := None,
    dependencyCheckDatabaseUser := None,
    dependencyCheckDatabasePassword := None,
    dependencyCheckHostedSuppressionsForceUpdate := None,
    dependencyCheckHostedSuppressionsEnabled := None,
    dependencyCheckHostedSuppressionsUrl := None,
    dependencyCheckHostedSuppressionsValidForHours := None,
    dependencyCheckUseSbtModuleIdAsGav := None
  )
  //noinspection TypeAnnotation
  override lazy val projectSettings = Seq(
    dependencyCheckOutputDirectory := Some(crossTarget.value),
    dependencyCheckScanSet := Seq(baseDirectory.value / "src/main/resources"),
    dependencyCheck := checkTask.value,
    dependencyCheckAggregate := aggregateTask.value,
    dependencyCheckAnyProject := anyProjectTask.value,
    dependencyCheckUpdateOnly := updateTask.value,
    dependencyCheckPurge := purgeTask.value,
    dependencyCheckListSettings := listSettingsTask.value,
    dependencyCheckAggregate / aggregate := false,
    dependencyCheckAnyProject / aggregate := false,
    dependencyCheckUpdateOnly / aggregate := false,
    dependencyCheckPurge / aggregate := false,
    dependencyCheckListSettings / aggregate := false,
    // The tasks share one local NVD database, so they must never run concurrently.
    Global / concurrentRestrictions += Tags.exclusive(NonParallel)
  )

  private val NonParallel = Tags.Tag("NonParallel")

  private[this] lazy val initializeSettings: Def.Initialize[Task[Settings]] = Def.task {
    val settings = new Settings()

    // Each helper only writes a key when the sbt setting is defined, so unset
    // Options leave the dependency-check default in place.
    def setBooleanSetting(key: String, b: Option[Boolean]): Unit = {
      settings.setBooleanIfNotNull(key, b.map(b => b: java.lang.Boolean).orNull)
    }

    def setIntSetting(key: String, i: Option[Int]): Unit = {
      settings.setIntIfNotNull(key, i.map(i => i: java.lang.Integer).orNull)
    }

    def setFloatSetting(key: String, f: Option[Float]): Unit = {
      f.foreach(fl => settings.setFloat(key, fl))
    }

    def setStringSetting(key: String, s: Option[String]): Unit = {
      settings.setStringIfNotEmpty(key, s.orNull)
    }

    def setFileSetting(key: String, file: Option[File]): Unit = {
      settings.setStringIfNotEmpty(key, file match { case Some(f) => f.getAbsolutePath case None => null })
    }

    def setFileSequenceSetting(key: String, files: Seq[File]): Unit = {
      val filePaths: Seq[String] = files map { file => file.getAbsolutePath }
      settings.setArrayIfNotEmpty(key, filePaths.toArray)
    }

    def setUrlSetting(key: String, url: Option[URL]): Unit = {
      settings.setStringIfNotEmpty(key, url match { case Some(u) => u.toExternalForm case None => null })
    }

    // Proxy configuration is taken from the JVM system properties: the https.* properties win
    // when both host and port are set, otherwise the http.* properties are used. The non-proxy
    // list is read from the `nonProxyHosts` property, not the JVM's `http.nonProxyHosts`.
    def initProxySettings(): Unit = {
      val httpsProxyHost = sys.props.get("https.proxyHost")
      val httpsProxyPort = sys.props.get("https.proxyPort")
      if (httpsProxyHost.isDefined && httpsProxyPort.isDefined) {
        setStringSetting(PROXY_SERVER, httpsProxyHost)
        setIntSetting(PROXY_PORT, httpsProxyPort.map(_.toInt))
        setStringSetting(PROXY_USERNAME, sys.props.get("https.proxyUser"))
        setStringSetting(PROXY_PASSWORD, sys.props.get("https.proxyPassword"))
      } else {
        setStringSetting(PROXY_SERVER, sys.props.get("http.proxyHost"))
        setIntSetting(PROXY_PORT, sys.props.get("http.proxyPort").map(_.toInt))
        setStringSetting(PROXY_USERNAME, sys.props.get("http.proxyUser"))
        setStringSetting(PROXY_PASSWORD, sys.props.get("http.proxyPassword"))
      }
      setStringSetting(PROXY_NON_PROXY_HOSTS, sys.props.get("nonProxyHosts"))
    }

    val log: Logger = streams.value.log

    log.info("Applying project settings to DependencyCheck settings")

    setBooleanSetting(AUTO_UPDATE, dependencyCheckAutoUpdate.value)
    setIntSetting(CVE_CHECK_VALID_FOR_HOURS, dependencyCheckCveValidForHours.value)
    setFloatSetting(JUNIT_FAIL_ON_CVSS, dependencyCheckJUnitFailBuildOnCVSS.value)

    settings.setStringIfNotEmpty(APPLICATION_NAME, name.value)
    // The single-file and multi-file suppression settings are merged into one list.
    val suppressionFiles = dependencyCheckSuppressionFiles.value ++ Seq(dependencyCheckSuppressionFile.value).flatten
    setFileSequenceSetting(SUPPRESSION_FILE, suppressionFiles)
    setFileSetting(HINTS_FILE, dependencyCheckHintsFile.value)
    setIntSetting(ANALYSIS_TIMEOUT, dependencyCheckAnalysisTimeout.value)
    setBooleanSetting(ANALYZER_EXPERIMENTAL_ENABLED, dependencyCheckEnableExperimental.value)
    setBooleanSetting(ANALYZER_RETIRED_ENABLED, dependencyCheckEnableRetired.value)

    // Analyzer Configuration
    setBooleanSetting(ANALYZER_ARCHIVE_ENABLED, dependencyCheckArchiveAnalyzerEnabled.value)
    setStringSetting(ADDITIONAL_ZIP_EXTENSIONS, dependencyCheckZipExtensions.value)
    setBooleanSetting(ANALYZER_JAR_ENABLED, dependencyCheckJarAnalyzerEnabled.value)
    setBooleanSetting(ANALYZER_DART_ENABLED, dependencyCheckDartAnalyzerEnabled.value)
    setBooleanSetting(ANALYZER_KNOWN_EXPLOITED_ENABLED, dependencyCheckKnownExploitedEnabled.value)
    setUrlSetting(KEV_URL, dependencyCheckKnownExploitedUrl.value)
    setIntSetting(KEV_CHECK_VALID_FOR_HOURS, dependencyCheckKnownExploitedValidForHours.value)
    setBooleanSetting(ANALYZER_CENTRAL_ENABLED, dependencyCheckCentralAnalyzerEnabled.value)
    setBooleanSetting(ANALYZER_CENTRAL_USE_CACHE, dependencyCheckCentralAnalyzerUseCache.value)
    setBooleanSetting(ANALYZER_OSSINDEX_ENABLED, dependencyCheckOSSIndexAnalyzerEnabled.value)
    setUrlSetting(ANALYZER_OSSINDEX_URL, dependencyCheckOSSIndexAnalyzerUrl.value)
    setBooleanSetting(ANALYZER_OSSINDEX_USE_CACHE, dependencyCheckOSSIndexAnalyzerUseCache.value)
    setBooleanSetting(ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, dependencyCheckOSSIndexWarnOnlyOnRemoteErrors.value)
    setStringSetting(ANALYZER_OSSINDEX_USER, dependencyCheckOSSIndexAnalyzerUsername.value)
    setStringSetting(ANALYZER_OSSINDEX_PASSWORD, dependencyCheckOSSIndexAnalyzerPassword.value)
    setBooleanSetting(ANALYZER_NEXUS_ENABLED, dependencyCheckNexusAnalyzerEnabled.value)
    setUrlSetting(ANALYZER_NEXUS_URL, dependencyCheckNexusUrl.value)
    setStringSetting(ANALYZER_NEXUS_USER, dependencyCheckNexusUser.value)
    setStringSetting(ANALYZER_NEXUS_PASSWORD, dependencyCheckNexusPassword.value)
    setBooleanSetting(ANALYZER_NEXUS_USES_PROXY, dependencyCheckNexusUsesProxy.value)
    setBooleanSetting(ANALYZER_PYTHON_DISTRIBUTION_ENABLED, dependencyCheckPyDistributionAnalyzerEnabled.value)
    setBooleanSetting(ANALYZER_PYTHON_PACKAGE_ENABLED, dependencyCheckPyPackageAnalyzerEnabled.value)
    setBooleanSetting(ANALYZER_RUBY_GEMSPEC_ENABLED, dependencyCheckRubygemsAnalyzerEnabled.value)
    setBooleanSetting(ANALYZER_OPENSSL_ENABLED, dependencyCheckOpensslAnalyzerEnabled.value)
    setBooleanSetting(ANALYZER_CMAKE_ENABLED, dependencyCheckCmakeAnalyzerEnabled.value)
    setBooleanSetting(ANALYZER_AUTOCONF_ENABLED, dependencyCheckAutoconfAnalyzerEnabled.value)
    setBooleanSetting(ANALYZER_MAVEN_INSTALL_ENABLED, dependencyCheckMavenInstallAnalyzerEnabled.value)
    setBooleanSetting(ANALYZER_PIP_ENABLED, dependencyCheckPipAnalyzerEnabled.value)
    setBooleanSetting(ANALYZER_PIPFILE_ENABLED, dependencyCheckPipfileAnalyzerEnabled.value)
    setBooleanSetting(ANALYZER_POETRY_ENABLED, dependencyCheckPoetryAnalyzerEnabled.value)
    setBooleanSetting(ANALYZER_COMPOSER_LOCK_ENABLED, dependencyCheckComposerAnalyzerEnabled.value)
    setBooleanSetting(ANALYZER_CPANFILE_ENABLED, dependencyCheckCpanFileAnalyzerEnabled.value)
    setBooleanSetting(ANALYZER_NODE_PACKAGE_ENABLED, dependencyCheckNodeAnalyzerEnabled.value)
    setBooleanSetting(ANALYZER_NODE_PACKAGE_SKIPDEV, dependencyCheckNodePackageSkipDevDependencies.value)
    setBooleanSetting(ANALYZER_NODE_AUDIT_ENABLED, dependencyCheckNodeAuditAnalyzerEnabled.value)
    setBooleanSetting(ANALYZER_NODE_AUDIT_USE_CACHE, dependencyCheckNodeAuditAnalyzerUseCache.value)
    setUrlSetting(ANALYZER_NODE_AUDIT_URL, dependencyCheckNodeAuditAnalyzerUrl.value)
    setBooleanSetting(ANALYZER_NODE_AUDIT_SKIPDEV, dependencyCheckNodeAuditSkipDevDependencies.value)
    setBooleanSetting(ANALYZER_NPM_CPE_ENABLED, dependencyCheckNPMCPEAnalyzerEnabled.value)
    setBooleanSetting(ANALYZER_YARN_AUDIT_ENABLED, dependencyCheckYarnAuditAnalyzerEnabled.value)
    setFileSetting(ANALYZER_YARN_PATH, dependencyCheckPathToYarn.value)
    setBooleanSetting(ANALYZER_PNPM_AUDIT_ENABLED, dependencyCheckPNPMAuditAnalyzerEnabled.value)
    setFileSetting(ANALYZER_PNPM_PATH, dependencyCheckPathToPNPM.value)
    setBooleanSetting(ANALYZER_NUSPEC_ENABLED, dependencyCheckNuspecAnalyzerEnabled.value)
    setBooleanSetting(ANALYZER_NUGETCONF_ENABLED, dependencyCheckNugetConfAnalyzerEnabled.value)
    setBooleanSetting(ANALYZER_ASSEMBLY_ENABLED, dependencyCheckAssemblyAnalyzerEnabled.value)
    setBooleanSetting(ANALYZER_MSBUILD_PROJECT_ENABLED, dependencyCheckMSBuildAnalyzerEnabled.value)
    setFileSetting(ANALYZER_ASSEMBLY_DOTNET_PATH, dependencyCheckPathToDotNETCore.value)
    setBooleanSetting(ANALYZER_PE_ENABLED, dependencyCheckPEAnalyzerEnabled.value)
    setBooleanSetting(ANALYZER_COCOAPODS_ENABLED, dependencyCheckCocoapodsEnabled.value)
    setBooleanSetting(ANALYZER_MIX_AUDIT_ENABLED, dependencyCheckMixAuditAnalyzerEnabled.value)
    setFileSetting(ANALYZER_MIX_AUDIT_PATH, dependencyCheckMixAuditPath.value)
    setBooleanSetting(ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED, dependencyCheckSwiftEnabled.value)
    setBooleanSetting(ANALYZER_SWIFT_PACKAGE_RESOLVED_ENABLED, dependencyCheckSwiftPackageResolvedAnalyzerEnabled.value)
    setBooleanSetting(ANALYZER_BUNDLE_AUDIT_ENABLED, dependencyCheckBundleAuditEnabled.value)
    setFileSetting(ANALYZER_BUNDLE_AUDIT_PATH, dependencyCheckPathToBundleAudit.value)
    setFileSetting(ANALYZER_BUNDLE_AUDIT_WORKING_DIRECTORY, dependencyCheckBundleAuditWorkingDirectory.value)
    setBooleanSetting(ANALYZER_RETIREJS_ENABLED, dependencyCheckRetireJSAnalyzerEnabled.value)
    setBooleanSetting(ANALYZER_RETIREJS_FORCEUPDATE, dependencyCheckRetireJSForceUpdate.value)
    setUrlSetting(ANALYZER_RETIREJS_REPO_JS_URL, dependencyCheckRetireJSAnalyzerRepoJSUrl.value)
    setStringSetting(ANALYZER_RETIREJS_REPO_JS_USER, dependencyCheckRetireJsAnalyzerRepoUser.value)
    setStringSetting(ANALYZER_RETIREJS_REPO_JS_PASSWORD, dependencyCheckRetireJsAnalyzerRepoPassword.value)
    setIntSetting(ANALYZER_RETIREJS_REPO_VALID_FOR_HOURS,
dependencyCheckRetireJsAnalyzerRepoValidFor.value) 298 | settings.setArrayIfNotEmpty(ANALYZER_RETIREJS_FILTERS, dependencyCheckRetireJsAnalyzerFilters.value.toArray) 299 | setBooleanSetting(ANALYZER_RETIREJS_FILTER_NON_VULNERABLE, dependencyCheckRetireJsAnalyzerFilterNonVulnerable.value) 300 | setBooleanSetting(ANALYZER_ARTIFACTORY_ENABLED, dependencyCheckArtifactoryAnalyzerEnabled.value) 301 | setUrlSetting(ANALYZER_ARTIFACTORY_URL, dependencyCheckArtifactoryAnalyzerUrl.value) 302 | setBooleanSetting(ANALYZER_ARTIFACTORY_USES_PROXY, dependencyCheckArtifactoryAnalyzerUseProxy.value) 303 | setBooleanSetting(ANALYZER_ARTIFACTORY_PARALLEL_ANALYSIS, dependencyCheckArtifactoryAnalyzerParallelAnalysis.value) 304 | setStringSetting(ANALYZER_ARTIFACTORY_API_USERNAME, dependencyCheckArtifactoryAnalyzerUsername.value) 305 | setStringSetting(ANALYZER_ARTIFACTORY_API_TOKEN, dependencyCheckArtifactoryAnalyzerApiToken.value) 306 | setStringSetting(ANALYZER_ARTIFACTORY_BEARER_TOKEN, dependencyCheckArtifactoryAnalyzerBearerToken.value) 307 | 308 | // Advanced Configuration 309 | setUrlSetting(CVE_MODIFIED_JSON, dependencyCheckCveUrlModified.value) 310 | setStringSetting(CVE_BASE_JSON, dependencyCheckCveUrlBase.value) 311 | setStringSetting(CVE_USER, dependencyCheckCveUser.value) 312 | setStringSetting(CVE_PASSWORD, dependencyCheckCvePassword.value) 313 | setIntSetting(CVE_DOWNLOAD_WAIT_TIME, dependencyCheckCveWaitTime.value) 314 | setIntSetting(CVE_START_YEAR, dependencyCheckCveStartYear.value.map(_.max(2002))) 315 | setIntSetting(CONNECTION_TIMEOUT, dependencyCheckConnectionTimeout.value) 316 | setIntSetting(CONNECTION_READ_TIMEOUT, dependencyCheckConnectionReadTimeout.value) 317 | setFileSetting(DATA_DIRECTORY, dependencyCheckDataDirectory.value) 318 | setStringSetting(DB_DRIVER_NAME, dependencyCheckDatabaseDriverName.value) 319 | setFileSetting(DB_DRIVER_PATH, dependencyCheckDatabaseDriverPath.value) 320 | setStringSetting(DB_CONNECTION_STRING, 
dependencyCheckConnectionString.value) 321 | setStringSetting(DB_USER, dependencyCheckDatabaseUser.value) 322 | setStringSetting(DB_PASSWORD, dependencyCheckDatabasePassword.value) 323 | setStringSetting(CVE_CPE_STARTS_WITH_FILTER, dependencyCheckCpeStartsWith.value) 324 | setBooleanSetting(HOSTED_SUPPRESSIONS_FORCEUPDATE, dependencyCheckHostedSuppressionsForceUpdate.value) 325 | setBooleanSetting(HOSTED_SUPPRESSIONS_ENABLED, dependencyCheckHostedSuppressionsEnabled.value) 326 | setUrlSetting(HOSTED_SUPPRESSIONS_URL, dependencyCheckHostedSuppressionsUrl.value) 327 | setIntSetting(HOSTED_SUPPRESSIONS_VALID_FOR_HOURS, dependencyCheckHostedSuppressionsValidForHours.value) 328 | 329 | initProxySettings() 330 | 331 | settings 332 | } 333 | 334 | private def checkTask: Def.Initialize[Task[Unit]] = Def.taskDyn { 335 | val log: Logger = streams.value.log 336 | muteJCS(log) 337 | 338 | if (!dependencyCheckSkip.value) { 339 | Def.task { 340 | log.info(s"Running check for ${name.value}") 341 | 342 | val outputDir: File = dependencyCheckOutputDirectory.value.getOrElse(crossTarget.value) 343 | val reportFormat: String = dependencyCheckFormat.value 344 | val reportFormats: Seq[String] = dependencyCheckFormats.value 345 | val cvssScore: Float = dependencyCheckFailBuildOnCVSS.value 346 | val useSbtModuleIdAsGav: Boolean = dependencyCheckUseSbtModuleIdAsGav.value.getOrElse(false) 347 | 348 | val checkDependencies = scala.collection.mutable.Set[Attributed[File]]() 349 | checkDependencies ++= logAddDependencies((Compile / externalDependencyClasspath).value, Compile, log) 350 | 351 | val skipRuntimeScope = dependencyCheckSkipRuntimeScope.value 352 | val skipTestScope = dependencyCheckSkipTestScope.value 353 | val skipProvidedScope = dependencyCheckSkipProvidedScope.value 354 | val skipOptionalScope = dependencyCheckSkipOptionalScope.value 355 | 356 | val runtimeClasspath = (Runtime / externalDependencyClasspath).value 357 | val testClasspath = (Test / 
externalDependencyClasspath).value 358 | val classpathTypeValue = classpathTypes.value 359 | val updateValue = update.value 360 | 361 | if (skipProvidedScope) { 362 | checkDependencies --= logRemoveDependencies(Classpaths.managedJars(Provided, classpathTypeValue, updateValue), Provided, log) 363 | } 364 | if (!skipRuntimeScope) { 365 | checkDependencies ++= logAddDependencies(runtimeClasspath, Runtime, log) 366 | } 367 | if (!skipTestScope) { 368 | checkDependencies ++= logAddDependencies(testClasspath, Test, log) 369 | } 370 | if (skipOptionalScope) { 371 | checkDependencies --= logRemoveDependencies(Classpaths.managedJars(Optional, classpathTypeValue, updateValue), Optional, log) 372 | } 373 | 374 | val scanSet: Seq[File] = getScanSet.value 375 | 376 | withEngine(initializeSettings.value) { engine => 377 | try { 378 | createReport(engine, checkDependencies.toSet, scanSet, outputDir, getFormats(Some(reportFormat), reportFormats), useSbtModuleIdAsGav, log) 379 | determineTaskFailureStatus(cvssScore, engine, name.value) 380 | } catch { case NonFatal(e) => 381 | logFailure(log, e) 382 | throw e 383 | } 384 | } 385 | 386 | } tag NonParallel 387 | } 388 | else { 389 | Def.task { 390 | log.info(s"Skipping dependency check for ${name.value}") 391 | } 392 | } 393 | } tag NonParallel 394 | 395 | 396 | private def aggregateTask: Def.Initialize[Task[Unit]] = Def.task { 397 | val log: Logger = streams.value.log 398 | muteJCS(log) 399 | log.info(s"Running aggregate check for ${name.value}") 400 | 401 | val outputDir: File = dependencyCheckOutputDirectory.value.getOrElse(crossTarget.value) 402 | val reportFormat: String = dependencyCheckFormat.value 403 | val reportFormats: Seq[String] = dependencyCheckFormats.value 404 | val cvssScore: Float = dependencyCheckFailBuildOnCVSS.value 405 | val useSbtModuleIdAsGav: Boolean = dependencyCheckUseSbtModuleIdAsGav.value.getOrElse(false) 406 | 407 | val dependencies = scala.collection.mutable.Set[Attributed[File]]() 408 | dependencies 
++= logAddDependencies(aggregateCompileFilter.value.flatten, Compile, log) 409 | dependencies --= logRemoveDependencies(aggregateProvidedFilter.value.flatten, Provided, log) 410 | dependencies ++= logAddDependencies(aggregateRuntimeFilter.value.flatten, Runtime, log) 411 | dependencies ++= logAddDependencies(aggregateTestFilter.value.flatten, Test, log) 412 | dependencies --= logRemoveDependencies(aggregateOptionalFilter.value.flatten, Optional, log) 413 | 414 | log.info("Scanning following dependencies: ") 415 | dependencies.foreach(f => log.info("\t" + f.data.getName)) 416 | 417 | val scanSet: Seq[File] = getScanSet.value 418 | 419 | withEngine(initializeSettings.value) { engine => 420 | try { 421 | createReport(engine, dependencies.toSet, scanSet, outputDir, getFormats(Some(reportFormat), reportFormats), useSbtModuleIdAsGav, log) 422 | determineTaskFailureStatus(cvssScore, engine, name.value) 423 | } catch { case NonFatal(e) => 424 | logFailure(log, e) 425 | throw e 426 | } 427 | } 428 | } 429 | 430 | private def anyProjectTask: Def.Initialize[Task[Unit]] = Def.task { 431 | val log: Logger = streams.value.log 432 | muteJCS(log) 433 | log.info(s"Running anyProject check for ${name.value}") 434 | 435 | val outputDir: File = dependencyCheckOutputDirectory.value.getOrElse(crossTarget.value) 436 | val reportFormat: String = dependencyCheckFormat.value 437 | val reportFormats: Seq[String] = dependencyCheckFormats.value 438 | val cvssScore: Float = dependencyCheckFailBuildOnCVSS.value 439 | val useSbtModuleIdAsGav: Boolean = dependencyCheckUseSbtModuleIdAsGav.value.getOrElse(false) 440 | 441 | val dependencies = scala.collection.mutable.Set[Attributed[File]]() 442 | dependencies ++= logAddDependencies(anyCompileFilter.value.flatten, Compile, log) 443 | dependencies --= logRemoveDependencies(anyProvidedFilter.value.flatten, Provided, log) 444 | dependencies ++= logAddDependencies(anyRuntimeFilter.value.flatten, Runtime, log) 445 | dependencies ++= 
logAddDependencies(anyTestFilter.value.flatten, Test, log) 446 | dependencies --= logRemoveDependencies(anyOptionalFilter.value.flatten, Optional, log) 447 | 448 | log.info("Scanning following dependencies: ") 449 | dependencies.foreach(f => log.info("\t" + f.data.getName)) 450 | 451 | val scanSet: Seq[File] = getScanSet.value 452 | 453 | withEngine(initializeSettings.value) { engine => 454 | try { 455 | createReport(engine, dependencies.toSet, scanSet, outputDir, getFormats(Some(reportFormat), reportFormats), useSbtModuleIdAsGav, log) 456 | determineTaskFailureStatus(cvssScore, engine, name.value) 457 | } catch { case NonFatal(e) => 458 | logFailure(log, e) 459 | throw e 460 | } 461 | } 462 | } 463 | 464 | private def getScanSet: Def.Initialize[Task[Seq[File]]] = Def.task { 465 | (dependencyCheckScanSet.value.map { 466 | _ ** "*" 467 | } reduceLeft (_ +++ _) filter { 468 | _.isFile 469 | }).get 470 | } 471 | 472 | private lazy val anyCompileFilter = Def.settingDyn { compileDependenciesTask.all(ScopeFilter(inAnyProject, inConfigurations(Compile))) } 473 | private lazy val anyRuntimeFilter = Def.settingDyn { runtimeDependenciesTask.all(ScopeFilter(inAnyProject, inConfigurations(Runtime))) } 474 | private lazy val anyTestFilter = Def.settingDyn { testDependenciesTask.all(ScopeFilter(inAnyProject, inConfigurations(Test))) } 475 | private lazy val anyProvidedFilter = Def.settingDyn { providedDependenciesTask.all(ScopeFilter(inAnyProject, inConfigurations(Provided))) } 476 | private lazy val anyOptionalFilter = Def.settingDyn { optionalDependenciesTask.all(ScopeFilter(inAnyProject, inConfigurations(Optional))) } 477 | private lazy val aggregateCompileFilter = Def.settingDyn { compileDependenciesTask.all(ScopeFilter(inAggregates(thisProjectRef.value), inConfigurations(Compile))) } 478 | private lazy val aggregateRuntimeFilter = Def.settingDyn { runtimeDependenciesTask.all(ScopeFilter(inAggregates(thisProjectRef.value), inConfigurations(Runtime))) } 479 | private lazy val 
aggregateTestFilter = Def.settingDyn { testDependenciesTask.all(ScopeFilter(inAggregates(thisProjectRef.value), inConfigurations(Test))) } 480 | private lazy val aggregateProvidedFilter = Def.settingDyn { providedDependenciesTask.all(ScopeFilter(inAggregates(thisProjectRef.value), inConfigurations(Provided))) } 481 | private lazy val aggregateOptionalFilter = Def.settingDyn { optionalDependenciesTask.all(ScopeFilter(inAggregates(thisProjectRef.value), inConfigurations(Optional))) } 482 | 483 | private lazy val compileDependenciesTask: Def.Initialize[Task[Seq[Attributed[File]]]] = Def.taskDyn { 484 | if (!thisProject.value.autoPlugins.contains(JvmPlugin) || (dependencyCheckSkip ?? false).value) 485 | Def.task { Seq.empty } 486 | else 487 | Def.task { 488 | (configuration / externalDependencyClasspath).value 489 | } 490 | } 491 | private lazy val runtimeDependenciesTask: Def.Initialize[Task[Seq[Attributed[File]]]] = Def.taskDyn { 492 | if (!thisProject.value.autoPlugins.contains(JvmPlugin) || (dependencyCheckSkip ?? false).value || (dependencyCheckSkipRuntimeScope ?? false).value) 493 | Def.task { Seq.empty } 494 | else 495 | Def.task { 496 | (configuration / externalDependencyClasspath).value 497 | } 498 | } 499 | private lazy val testDependenciesTask: Def.Initialize[Task[Seq[Attributed[File]]]] = Def.taskDyn { 500 | if (!thisProject.value.autoPlugins.contains(JvmPlugin) || (dependencyCheckSkip ?? false).value || (dependencyCheckSkipTestScope ?? true).value) 501 | Def.task { Seq.empty } 502 | else 503 | Def.task { 504 | (configuration / externalDependencyClasspath).value 505 | } 506 | } 507 | private lazy val providedDependenciesTask: Def.Initialize[Task[Seq[Attributed[File]]]] = Def.taskDyn { 508 | if (!thisProject.value.autoPlugins.contains(JvmPlugin) || (dependencyCheckSkip ?? false).value || !(dependencyCheckSkipProvidedScope ?? 
false).value) 509 | Def.task { Seq.empty } 510 | else 511 | Def.task { 512 | Classpaths.managedJars(configuration.value, classpathTypes.value, update.value) 513 | } 514 | } 515 | private lazy val optionalDependenciesTask: Def.Initialize[Task[Seq[Attributed[File]]]] = Def.taskDyn { 516 | if (!thisProject.value.autoPlugins.contains(JvmPlugin) || (dependencyCheckSkip ?? false).value || !(dependencyCheckSkipOptionalScope ?? false).value) 517 | Def.task { Seq.empty } 518 | else 519 | Def.task { 520 | Classpaths.managedJars(configuration.value, classpathTypes.value, update.value) 521 | } 522 | } 523 | 524 | //noinspection MutatorLikeMethodIsParameterless 525 | private def updateTask: Def.Initialize[Task[Unit]] = Def.task { 526 | val log: Logger = streams.value.log 527 | muteJCS(log) 528 | log.info(s"Running update-only for ${name.value}") 529 | 530 | withEngine(initializeSettings.value) { engine => 531 | DependencyCheckUpdateTask.update(engine, log) 532 | } 533 | } 534 | 535 | private def purgeTask: Def.Initialize[Task[Unit]] = Def.task { 536 | val log: Logger = streams.value.log 537 | muteJCS(log) 538 | log.info(s"Running purge for ${name.value}") 539 | withEngine(initializeSettings.value) { engine => 540 | DependencyCheckPurgeTask.purge(dependencyCheckConnectionString.value, engine.getSettings, log) 541 | } 542 | } 543 | 544 | private def listSettingsTask: Def.Initialize[Task[Unit]] = Def.task { 545 | val log: Logger = streams.value.log 546 | muteJCS(log) 547 | log.info(s"Running list-settings for ${name.value}") 548 | 549 | withEngine(initializeSettings.value) { engine => 550 | DependencyCheckListSettingsTask.logSettings(engine.getSettings, dependencyCheckFailBuildOnCVSS.value, 551 | getFormats(Some(dependencyCheckFormat.value), dependencyCheckFormats.value), 552 | dependencyCheckOutputDirectory.value.getOrElse(new File(".")).getPath, dependencyCheckScanSet.value, dependencyCheckSkip.value, 553 | dependencyCheckSkipRuntimeScope.value, 
dependencyCheckSkipTestScope.value, dependencyCheckSkipProvidedScope.value, 554 | dependencyCheckSkipOptionalScope.value, dependencyCheckUseSbtModuleIdAsGav.value.getOrElse(false), log) 555 | } 556 | } 557 | 558 | private def addDependencies(checkClasspath: Set[Attributed[File]], engine: Engine, useSbtModuleIdAsGav: Boolean, log: Logger): Unit = { 559 | checkClasspath.foreach( 560 | attributed => 561 | attributed.get(Keys.moduleID.key) match { 562 | case Some(moduleId) => 563 | log.debug(s"Scanning ${moduleId.name} ${moduleId.revision}") 564 | if (attributed.data != null) { 565 | val dependencies = engine.scan { 566 | new File(attributed.data.getAbsolutePath) 567 | } 568 | if (dependencies != null && !dependencies.isEmpty) { 569 | val dependency: Dependency = dependencies.get(0) 570 | if (dependency != null) 571 | addEvidence(moduleId, dependency, useSbtModuleIdAsGav) 572 | } 573 | } 574 | case None => 575 | // unmanaged JAR, just scan the file 576 | engine.scan { 577 | new File(attributed.data.getAbsolutePath) 578 | } 579 | } 580 | ) 581 | } 582 | 583 | private def logAddDependencies(classpath: Seq[Attributed[File]], configuration: Configuration, log: Logger): Seq[Attributed[File]] = { 584 | logDependencies(log, classpath, configuration, "Adding") 585 | } 586 | 587 | private def logRemoveDependencies(classpath: Seq[Attributed[File]], configuration: Configuration, log: Logger): Seq[Attributed[File]] = { 588 | logDependencies(log, classpath, configuration, "Removing") 589 | } 590 | 591 | private def logDependencies(log: Logger, classpath: Seq[Attributed[File]], configuration: Configuration, action: String): Seq[Attributed[File]] = { 592 | log.info(s"$action ${configuration.name} dependencies to check.") 593 | classpath.foreach(f => log.info("\t" + f.data.getName)) 594 | classpath 595 | } 596 | 597 | private def addEvidence(moduleId: ModuleID, dependency: Dependency, useSbtModuleIdAsGav: Boolean): Unit = { 598 | val artifact: MavenArtifact = new 
MavenArtifact(moduleId.organization, moduleId.name, moduleId.revision) 599 | dependency.addAsEvidence("sbt", artifact, Confidence.HIGHEST) 600 | if (useSbtModuleIdAsGav) { 601 | val id = getIdentifier(artifact, moduleId) 602 | dependency.addSoftwareIdentifier(id) 603 | } 604 | moduleId.configurations match { 605 | case Some(configurations) => 606 | dependency.addEvidence(EvidenceType.VENDOR, "sbt", "configuration", configurations, Confidence.HIGHEST) 607 | case None => 608 | } 609 | } 610 | 611 | private def getIdentifier(artifact: MavenArtifact, moduleId: ModuleID): Identifier = { 612 | Try { 613 | new PurlIdentifier("sbt", artifact.getGroupId, artifact.getArtifactId, artifact.getVersion, Confidence.HIGHEST) 614 | } match { 615 | case Success(id) => id 616 | case Failure(_) => new GenericIdentifier(String.format("sbt:%s:%s:%s", moduleId.organization, moduleId.name, moduleId.revision), Confidence.HIGHEST) 617 | } 618 | } 619 | 620 | private def createReport(engine: Engine, checkClasspath: Set[Attributed[File]], scanSet: Seq[File], outputDir: File, reportFormats: Seq[String], useSbtModuleIdAsGav: Boolean, log: Logger): Unit = { 621 | addDependencies(checkClasspath, engine, useSbtModuleIdAsGav, log) 622 | scanSet.foreach(file => engine.scan(file)) 623 | 624 | engine.analyzeDependencies() 625 | reportFormats.foreach(reportFormat => engine.writeReports(engine.getSettings.getString(APPLICATION_NAME), outputDir, reportFormat, null)) 626 | } 627 | 628 | private def determineTaskFailureStatus(failCvssScore: Float, engine: Engine, name: String): Unit = { 629 | if (failBuildOnCVSS(engine.getDependencies, failCvssScore)) { 630 | DependencyCheckScanAgent.showSummary(name, engine.getDependencies) 631 | throw new VulnerabilityFoundException(s"Vulnerability with CVSS score higher $failCvssScore found. 
Failing build.") 632 | } 633 | } 634 | 635 | def failBuildOnCVSS(dependencies: Array[Dependency], cvssScore: Float): Boolean = dependencies.exists(p => { 636 | p.getVulnerabilities.asScala.exists(v => { 637 | (v.getCvssV2 != null && v.getCvssV2.getScore >= cvssScore) || (v.getCvssV3 != null && v.getCvssV3.getBaseScore >= cvssScore || (v.getUnscoredSeverity != null && SeverityUtil.estimateCvssV2(v.getUnscoredSeverity) >= cvssScore)) || (cvssScore <= 0.0f) 638 | }) 639 | }) 640 | 641 | private[this] def withEngine(settings: Settings)(fn: Engine => Any): Unit = { 642 | val oldClassLoader = Thread.currentThread().getContextClassLoader 643 | val newClassLoader = classOf[Engine].getClassLoader 644 | val engine: Engine = new Engine(newClassLoader, settings) 645 | try { 646 | Thread.currentThread().setContextClassLoader(newClassLoader) 647 | fn(engine) 648 | () 649 | } finally { 650 | engine.close() 651 | engine.getSettings.cleanup(true) 652 | Thread.currentThread().setContextClassLoader(oldClassLoader) 653 | } 654 | } 655 | 656 | private[this] def getFormats(format: Option[String], formats: Seq[String]): Seq[String] = { 657 | val upperCaseFormats: Seq[String] = formats.map(f => f.toUpperCase) 658 | format.filter(_ => upperCaseFormats.isEmpty ).foldLeft(upperCaseFormats)(_ :+ _) 659 | } 660 | 661 | private def logFailure(log: Logger, ex: Throwable): Unit = ex match { 662 | case e: VulnerabilityFoundException => 663 | log.error(s"${e.getLocalizedMessage}") 664 | case e: ExceptionCollection => 665 | val prettyMessage = ( 666 | "Failed creating report:" +: 667 | e.getExceptions.asScala.toVector.flatMap { t => 668 | s" ${t.getLocalizedMessage}" +: 669 | Option(t.getCause).map { cause => 670 | s" - ${cause.getLocalizedMessage}" 671 | }.toVector 672 | } 673 | ).mkString("\n") 674 | log.error(prettyMessage) 675 | 676 | // We have to log the full stacktraces here, since SBT doesn't use `printStackTrace` 677 | // when logging exceptions. 
678 | // See https://github.com/albuch/sbt-dependency-check/issues/98 679 | e.getExceptions.asScala.foreach { _ => 680 | val sw = new StringWriter 681 | e.printStackTrace(new PrintWriter(sw, true)) 682 | log.error(sw.toString) 683 | } 684 | case e => 685 | log.error(s"Failed creating report: ${e.getLocalizedMessage}") 686 | } 687 | 688 | private def muteJCS(log: Logger): Unit = { 689 | val noisyClasses = List( 690 | "org.apache.commons.jcs.auxiliary.disk.AbstractDiskCache", 691 | "org.apache.commons.jcs.engine.memory.AbstractMemoryCache", 692 | "org.apache.commons.jcs.engine.control.CompositeCache", 693 | "org.apache.commons.jcs.auxiliary.disk.indexed.IndexedDiskCache", 694 | "org.apache.commons.jcs.engine.control.CompositeCache", 695 | "org.apache.commons.jcs.engine.memory.AbstractMemoryCache", 696 | "org.apache.commons.jcs.engine.control.event.ElementEventQueue", 697 | "org.apache.commons.jcs.engine.memory.AbstractDoubleLinkedListMemoryCache", 698 | "org.apache.commons.jcs.auxiliary.AuxiliaryCacheConfigurator", 699 | "org.apache.commons.jcs.engine.control.CompositeCacheManager", 700 | "org.apache.commons.jcs.utils.threadpool.ThreadPoolManager", 701 | "org.apache.commons.jcs.engine.control.CompositeCacheConfigurator" 702 | ) 703 | noisyClasses.foreach(className => { 704 | val log = java.util.logging.Logger.getLogger(className) 705 | log.setLevel(java.util.logging.Level.SEVERE) 706 | // Calling Apache Commons LogFactory seems to be needed to propagate the Log Level setting 707 | LogFactory.getLog(className) 708 | }) 709 | } 710 | } 711 | -------------------------------------------------------------------------------- /src/main/scala/net/vonbuchholtz/sbt/dependencycheck/DependencyCheckPurgeTask.scala: -------------------------------------------------------------------------------- 1 | package net.vonbuchholtz.sbt.dependencycheck 2 | 3 | import java.io.{File, IOException} 4 | 5 | import org.owasp.dependencycheck.utils.Settings 6 | import sbt.* 7 | 8 | object 
DependencyCheckPurgeTask { 9 | def purge(connectionString: Option[String], settings: Settings, log: Logger): Unit = { 10 | if(connectionString.isDefined) { 11 | throw new IllegalStateException("Unable to purge the local NVD when using a non-default connection string") 12 | } 13 | 14 | try { 15 | val db: File = new File(settings.getDataDirectory, settings.getString(Settings.KEYS.DB_FILE_NAME)) 16 | if (db.exists()) { 17 | if (db.delete) { 18 | log.info("Database file purged; local copy of the NVD has been removed") 19 | } else { 20 | log.error(s"Unable to delete '${db.getAbsolutePath}'; please delete the file manually") 21 | } 22 | } else { 23 | log.error(s"Unable to delete '${db.getAbsolutePath}'; the database file does not exists") 24 | } 25 | } catch { 26 | case e: IOException => 27 | log.error(s"Can't purge NVD database: ${e.getLocalizedMessage}") 28 | throw e 29 | } finally { 30 | settings.cleanup() 31 | } 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /src/main/scala/net/vonbuchholtz/sbt/dependencycheck/DependencyCheckUpdateTask.scala: -------------------------------------------------------------------------------- 1 | package net.vonbuchholtz.sbt.dependencycheck 2 | 3 | import org.owasp.dependencycheck.Engine 4 | import sbt.Logger 5 | 6 | import scala.util.control.NonFatal 7 | 8 | object DependencyCheckUpdateTask { 9 | def update(engine: Engine, log: Logger): Unit = { 10 | try { 11 | engine.doUpdates() 12 | } catch { 13 | case e: Exception if NonFatal(e) => 14 | log.error(s"An exception occurred connecting to the local database: ${e.getLocalizedMessage}") 15 | throw e 16 | } 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /src/main/scala/net/vonbuchholtz/sbt/dependencycheck/VulnerabilityFoundException.scala: -------------------------------------------------------------------------------- 1 | package net.vonbuchholtz.sbt.dependencycheck 2 | 3 | class 
VulnerabilityFoundException(s:String) extends IllegalStateException(s:String) 4 | -------------------------------------------------------------------------------- /src/sbt-test/sbt-dependency-check/aggregateException/build.sbt: -------------------------------------------------------------------------------- 1 | // See https://github.com/albuch/sbt-dependency-check/issues/95 2 | 3 | name := "dependency-check-repro" 4 | 5 | version := "0.1" 6 | 7 | scalaVersion := "2.11.12" 8 | 9 | 10 | lazy val root = (project in file(".")) 11 | .aggregate(inscope, alsoinscope) 12 | 13 | 14 | lazy val inscope = (project in file("inscope")) 15 | 16 | lazy val alsoinscope = (project in file("alsoinscope")) 17 | 18 | lazy val outofscope = (project in file("outofscope")).settings(update := { 19 | throw new RuntimeException 20 | }) 21 | -------------------------------------------------------------------------------- /src/sbt-test/sbt-dependency-check/aggregateException/project/plugins.sbt: -------------------------------------------------------------------------------- 1 | sys.props.get("plugin.version") match { 2 | case Some(x) => addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % x) 3 | case _ => sys.error("""|The system property 'plugin.version' is not defined. 
4 | |Specify this property using the scriptedLaunchOpts -D.""".stripMargin) 5 | } -------------------------------------------------------------------------------- /src/sbt-test/sbt-dependency-check/aggregateException/test: -------------------------------------------------------------------------------- 1 | > dependencyCheckAggregate -------------------------------------------------------------------------------- /src/sbt-test/sbt-dependency-check/aggregateMetaProject/build.sbt: -------------------------------------------------------------------------------- 1 | lazy val root = (project in file(".")) 2 | .aggregate(meta) 3 | 4 | lazy val meta = project 5 | .disablePlugins(DependencyCheckPlugin) 6 | -------------------------------------------------------------------------------- /src/sbt-test/sbt-dependency-check/aggregateMetaProject/project/plugins.sbt: -------------------------------------------------------------------------------- 1 | sys.props.get("plugin.version") match { 2 | case Some(x) => addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % x) 3 | case _ => sys.error("""|The system property 'plugin.version' is not defined. 
  |Specify this property using the scriptedLaunchOpts -D.""".stripMargin)
}
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/aggregateMetaProject/test:
--------------------------------------------------------------------------------
> reload
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/aggregateNonJVMPluginProject/build.sbt:
--------------------------------------------------------------------------------
// See https://github.com/albuch/sbt-dependency-check/issues/145

name := "dependency-check-repro"

version := "0.1"

scalaVersion := "2.11.12"

dependencyCheckAutoUpdate := Some(false)

val foo = project
  .disablePlugins(sbt.plugins.JvmPlugin)
  .settings(
    dependencyCheckSkip := false,
    Compile / products := Nil
  )
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/aggregateNonJVMPluginProject/project/plugins.sbt:
--------------------------------------------------------------------------------
sys.props.get("plugin.version") match {
  case Some(x) => addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % x)
  case _ => sys.error("""|The system property 'plugin.version' is not defined.
                         |Specify this property using the scriptedLaunchOpts -D.""".stripMargin)
}
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/aggregateNonJVMPluginProject/test:
--------------------------------------------------------------------------------
> dependencyCheckAggregate
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/aggregateProject/build.sbt:
--------------------------------------------------------------------------------
lazy val commonSettings = Seq(
  organization := "net.vonbuchholtz",
  version := "0.1.0",
  scalaVersion := "2.10.7"
)

lazy val root = (project in file("."))
  .aggregate(core)
  .settings(commonSettings: _*)
  .settings(
    libraryDependencies += "org.eclipse.jetty" % "jetty-runner" % "9.2.4.v20141103" % "provided",
    libraryDependencies += "commons-collections" % "commons-collections" % "3.2.1" % "optional",
    dependencyCheckSkipTestScope := true,
    dependencyCheckSkipProvidedScope := true,
    dependencyCheckSkipOptionalScope := true,
    dependencyCheckFailBuildOnCVSS := 0
  )

lazy val util = (project in file("util"))
  .settings(commonSettings: _*)
  .settings(
    libraryDependencies ++= Seq("commons-beanutils" % "commons-beanutils" % "1.9.1" % "test",
      "org.springframework.security" % "spring-security-web" % "5.1.4.RELEASE" % "test")
  )

lazy val core = project.dependsOn(util)
  .settings(commonSettings: _*)
  .settings(
    libraryDependencies += "org.apache.commons" % "commons-collections4" % "4.1"
  )

lazy val ignore = (project in file("ignore"))
  .settings(commonSettings: _*)
  .settings(
    libraryDependencies += "com.fasterxml.jackson.core" % "jackson-databind" % "2.9.9"
  )
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/aggregateProject/project/plugins.sbt:
--------------------------------------------------------------------------------
sys.props.get("plugin.version") match {
  case Some(x) => addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % x)
  case _ => sys.error("""|The system property 'plugin.version' is not defined.
                         |Specify this property using the scriptedLaunchOpts -D.""".stripMargin)
}
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/aggregateProject/test:
--------------------------------------------------------------------------------
> dependencyCheckAggregate
$ exists target/scala-2.10/dependency-check-report.html
-$ exists core/target/scala-2.10/dependency-check-report.html
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/anyProject/build.sbt:
--------------------------------------------------------------------------------
lazy val commonSettings = Seq(
  organization := "net.vonbuchholtz",
  version := "0.1.0",
  scalaVersion := "2.10.7"
)

lazy val root = (project in file("."))
  .aggregate(core)
  .settings(commonSettings: _*)
  .settings(
    dependencyCheckFailBuildOnCVSS := 0
  )

lazy val core = (project in file("core"))
  .settings(commonSettings: _*)
  .settings(
    libraryDependencies += "org.apache.commons" % "commons-collections4" % "4.1"
  )

lazy val inScope = (project in file("inScope"))
  .settings(commonSettings: _*)
  .settings(
    libraryDependencies += "com.fasterxml.jackson.core" % "jackson-databind" % "2.9.9"
  )
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/anyProject/project/plugins.sbt:
--------------------------------------------------------------------------------
sys.props.get("plugin.version") match {
  case Some(x) => addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % x)
  case _ => sys.error("""|The system property 'plugin.version' is not defined.
                         |Specify this property using the scriptedLaunchOpts -D.""".stripMargin)
}
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/anyProject/test:
--------------------------------------------------------------------------------
-> dependencyCheckAnyProject
$ exists target/scala-2.10/dependency-check-report.html
-$ exists core/target/scala-2.10/dependency-check-report.html
-$ exists util/target/scala-2.10/dependency-check-report.html
-$ exists inScope/target/scala-2.10/dependency-check-report.html
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/buildFailsForCVSS/build.sbt:
--------------------------------------------------------------------------------
version := "0.1"
lazy val root = project in file(".")
scalaVersion := "2.10.7"

libraryDependencies ++= Seq(
  "org.eclipse.jetty" % "jetty-runner" % "9.2.4.v20141103"
)

dependencyCheckFailBuildOnCVSS := 1
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/buildFailsForCVSS/project/plugins.sbt:
--------------------------------------------------------------------------------
sys.props.get("plugin.version") match {
  case Some(x) => addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % x)
  case _ => sys.error("""|The system property 'plugin.version' is not defined.
                         |Specify this property using the scriptedLaunchOpts -D.""".stripMargin)
}
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/buildFailsForCVSS/test:
--------------------------------------------------------------------------------
-> dependencyCheck
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/check-suppression-file/build.sbt:
--------------------------------------------------------------------------------
version := "0.1"
lazy val root = project in file(".")
scalaVersion := "2.10.7"

libraryDependencies ++= Seq(
  "org.eclipse.jetty" % "jetty-runner" % "9.2.4.v20141103"
)

dependencyCheckFailBuildOnCVSS := 1
dependencyCheckSuppressionFiles := Seq(new File("suppressions.xml"))
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/check-suppression-file/project/plugins.sbt:
--------------------------------------------------------------------------------
sys.props.get("plugin.version") match {
  case Some(x) => addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % x)
  case _ => sys.error("""|The system property 'plugin.version' is not defined.
                         |Specify this property using the scriptedLaunchOpts -D.""".stripMargin)
}
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/check-suppression-file/suppressions.xml:
--------------------------------------------------------------------------------
10.0
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/check-suppression-file/test:
--------------------------------------------------------------------------------
> dependencyCheck
$ exists target/scala-2.10/dependency-check-report.html
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/check/build.sbt:
--------------------------------------------------------------------------------
version := "0.1"
lazy val root = project in file(".")
scalaVersion := "2.10.7"

libraryDependencies ++= Seq(
  "commons-beanutils" % "commons-beanutils" % "1.9.1" % "test",
  "org.eclipse.jetty" % "jetty-runner" % "9.2.4.v20141103" % "provided",
  "com.github.t3hnar" % "scala-bcrypt_2.10" % "2.6" % "runtime",
  "org.apache.commons" % "commons-collections4" % "4.1",
  "com.google.oauth-client" % "google-oauth-client" % "1.22.0" % "optional"
)

dependencyCheckSkipTestScope := false
dependencyCheckSkipProvidedScope := true
dependencyCheckSkipRuntimeScope := false
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/check/project/plugins.sbt:
--------------------------------------------------------------------------------
sys.props.get("plugin.version") match {
  case Some(x) => addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % x)
  case _ => sys.error("""|The system property 'plugin.version' is not defined.
                         |Specify this property using the scriptedLaunchOpts -D.""".stripMargin)
}
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/check/test:
--------------------------------------------------------------------------------
> dependencyCheck
$ exists target/scala-2.10/dependency-check-report.html
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/checkMultiProject/build.sbt:
--------------------------------------------------------------------------------
lazy val commonSettings = Seq(
  organization := "net.vonbuchholtz",
  version := "0.1.0",
  scalaVersion := "2.10.7"
)

lazy val root = (project in file("."))
  .aggregate(core)
  .settings(commonSettings: _*)
  .settings(
    libraryDependencies += "org.eclipse.jetty" % "jetty-runner" % "9.2.4.v20141103" % "provided",
    dependencyCheckSkipTestScope := false
  )

lazy val util = (project in file("util"))
  .settings(commonSettings: _*)
  .settings(
    libraryDependencies += "commons-beanutils" % "commons-beanutils" % "1.9.1" % "test"
  )

lazy val core = project.dependsOn(util)
  .settings(commonSettings: _*)
  .settings(
    libraryDependencies += "org.apache.commons" % "commons-collections4" % "4.1"
  )
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/checkMultiProject/project/plugins.sbt:
--------------------------------------------------------------------------------
sys.props.get("plugin.version") match {
  case Some(x) => addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % x)
  case _ => sys.error("""|The system property 'plugin.version' is not defined.
                         |Specify this property using the scriptedLaunchOpts -D.""".stripMargin)
}
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/checkMultiProject/test:
--------------------------------------------------------------------------------
> dependencyCheck
$ exists target/scala-2.10/dependency-check-report.html
$ exists core/target/scala-2.10/dependency-check-report.html
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/checkScanSet/build.sbt:
--------------------------------------------------------------------------------
version := "0.1"
lazy val root = project in file(".")
scalaVersion := "2.10.7"

dependencyCheckFailBuildOnCVSS := 0
dependencyCheckScanSet := Seq(baseDirectory.value / "src/main/customDir")
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/checkScanSet/project/plugins.sbt:
--------------------------------------------------------------------------------
sys.props.get("plugin.version") match {
  case Some(x) => addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % x)
  case _ => sys.error("""|The system property 'plugin.version' is not defined.
                         |Specify this property using the scriptedLaunchOpts -D.""".stripMargin)
}
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/checkScanSet/src/main/customDir/jetty-runner-9.2.4.v20141103.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/albuch/sbt-dependency-check/ccf1818af44952266eae7e23d705c230a76748de/src/sbt-test/sbt-dependency-check/checkScanSet/src/main/customDir/jetty-runner-9.2.4.v20141103.jar
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/checkScanSet/test:
--------------------------------------------------------------------------------
-> dependencyCheck
$ exists target/scala-2.10/dependency-check-report.html
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/customDataDirectoryWithNewDatabase/build.sbt:
--------------------------------------------------------------------------------
import sbt.File

version := "0.1"
lazy val root = project in file(".")
scalaVersion := "2.10.7"

dependencyCheckDataDirectory := Some(new File(baseDirectory.value + "/tmp/sbt-dependency-check"))
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/customDataDirectoryWithNewDatabase/project/plugins.sbt:
--------------------------------------------------------------------------------
sys.props.get("plugin.version") match {
  case Some(x) => addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % x)
  case _ => sys.error("""|The system property 'plugin.version' is not defined.
                         |Specify this property using the scriptedLaunchOpts -D.""".stripMargin)
}
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/customDataDirectoryWithNewDatabase/test:
--------------------------------------------------------------------------------
$ mkdir /tmp/sbt-dependency-check/data
> dependencyCheck
$ exists /tmp/sbt-dependency-check/odc.mv.db
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/formatsSetting/build.sbt:
--------------------------------------------------------------------------------
version := "0.1"
lazy val root = project in file(".")
scalaVersion := "2.10.7"

libraryDependencies ++= Seq(
  "commons-beanutils" % "commons-beanutils" % "1.9.1" % "test",
  "org.eclipse.jetty" % "jetty-runner" % "9.2.4.v20141103" % "provided",
  "com.github.t3hnar" % "scala-bcrypt_2.10" % "2.6" % "runtime",
  "org.apache.commons" % "commons-collections4" % "4.1",
  "com.google.oauth-client" % "google-oauth-client" % "1.22.0" % "optional"
)

dependencyCheckFormats := Seq("XML", "JSON")
dependencyCheckFormat := "HTML"
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/formatsSetting/project/plugins.sbt:
--------------------------------------------------------------------------------
sys.props.get("plugin.version") match {
  case Some(x) => addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % x)
  case _ => sys.error("""|The system property 'plugin.version' is not defined.
                         |Specify this property using the scriptedLaunchOpts -D.""".stripMargin)
}
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/formatsSetting/test:
--------------------------------------------------------------------------------
> dependencyCheck
$ exists target/scala-2.10/dependency-check-report.json
$ exists target/scala-2.10/dependency-check-report.xml
-$ exists target/scala-2.10/dependency-check-report.html
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/globalAndProjectSettings/build.sbt:
--------------------------------------------------------------------------------
// See https://github.com/albuch/sbt-dependency-check/issues/95

name := "global-and-project-settings"
version := "0.1"
scalaVersion := "2.11.12"

Global / dependencyCheckCvePassword := Some("Global")
Global / dependencyCheckCveUser := Some("Global")
ThisBuild / dependencyCheckCveUser := Some("ThisBuild")

lazy val root = (project in file("."))
  .aggregate(inscope, alsoinscope)
  .settings(
    dependencyCheckCvePassword := Some("root"),
  )

lazy val inscope = (project in file("inscope")).settings(
  dependencyCheckCvePassword := Some("inscope")
)
lazy val alsoinscope = (project in file("alsoinscope")).settings(
  TaskKey[Unit]("depCheckAssert") := {
    val thisBuildUser = dependencyCheckCveUser.value
    assert(thisBuildUser.contains("ThisBuild"))
    val thisBuildPassword = dependencyCheckCvePassword.value
    assert(thisBuildPassword.contains("Global"))
  }
)

TaskKey[Unit]("depCheckAssert") := {
  val rootPassword = dependencyCheckCvePassword.value
  val rootInThisBuildUser = (ThisBuild / dependencyCheckCveUser).value
  val rootInThisBuildPassword = (ThisBuild / dependencyCheckCvePassword).value
  val inscopePassword = (inscope / dependencyCheckCvePassword).value
  val alsoinscopePassword = (alsoinscope / dependencyCheckCvePassword).value
  assert(rootPassword.contains("root"))
  assert(rootInThisBuildUser.contains("ThisBuild"))
  assert(rootInThisBuildPassword.contains("Global"))
  assert(inscopePassword.contains("inscope"))
  assert(alsoinscopePassword.contains("Global"))
}
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/globalAndProjectSettings/project/plugins.sbt:
--------------------------------------------------------------------------------
sys.props.get("plugin.version") match {
  case Some(x) => addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % x)
  case _ => sys.error("""|The system property 'plugin.version' is not defined.
                         |Specify this property using the scriptedLaunchOpts -D.""".stripMargin)
}
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/globalAndProjectSettings/test:
--------------------------------------------------------------------------------
> depCheckAssert
> alsoinscope / depCheckAssert
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/listSettings/build.sbt:
--------------------------------------------------------------------------------
version := "0.1"
lazy val root = project in file(".")
scalaVersion := "2.10.7"

dependencyCheckSuppressionFiles := Seq(baseDirectory.value / "src/main/resources", baseDirectory.value / "src/app/")
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/listSettings/project/plugins.sbt:
--------------------------------------------------------------------------------
sys.props.get("plugin.version") match {
  case Some(x) => addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % x)
  case _ => sys.error("""|The system property 'plugin.version' is not defined.
                         |Specify this property using the scriptedLaunchOpts -D.""".stripMargin)
}
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/listSettings/test:
--------------------------------------------------------------------------------
> dependencyCheckListSettings
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/purgeCustomConnectionString/build.sbt:
--------------------------------------------------------------------------------
version := "0.1"
lazy val root = project in file(".")
scalaVersion := "2.10.7"

dependencyCheckConnectionString := Some("db123")
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/purgeCustomConnectionString/project/plugins.sbt:
--------------------------------------------------------------------------------
sys.props.get("plugin.version") match {
  case Some(x) => addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % x)
  case _ => sys.error("""|The system property 'plugin.version' is not defined.
                         |Specify this property using the scriptedLaunchOpts -D.""".stripMargin)
}
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/purgeCustomConnectionString/test:
--------------------------------------------------------------------------------
-> dependencyCheckPurge
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/purgeDeletesDatabase/build.sbt:
--------------------------------------------------------------------------------
import sbt.File

version := "0.1"
lazy val root = project in file(".")
scalaVersion := "2.10.7"

dependencyCheckAutoUpdate := Some(false)
dependencyCheckDataDirectory := Some(new File(baseDirectory.value + "/tmp/sbt-dependency-check"))
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/purgeDeletesDatabase/data/odc.mv.db:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/albuch/sbt-dependency-check/ccf1818af44952266eae7e23d705c230a76748de/src/sbt-test/sbt-dependency-check/purgeDeletesDatabase/data/odc.mv.db
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/purgeDeletesDatabase/project/plugins.sbt:
--------------------------------------------------------------------------------
sys.props.get("plugin.version") match {
  case Some(x) => addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % x)
  case _ => sys.error("""|The system property 'plugin.version' is not defined.
                         |Specify this property using the scriptedLaunchOpts -D.""".stripMargin)
}
--------------------------------------------------------------------------------
/src/sbt-test/sbt-dependency-check/purgeDeletesDatabase/test:
--------------------------------------------------------------------------------
$ mkdir /tmp/sbt-dependency-check/data
$ copy-file data/odc.mv.db /tmp/sbt-dependency-check/odc.mv.db
> dependencyCheck
$ exists /tmp/sbt-dependency-check/odc.mv.db
> dependencyCheckPurge
$ absent /tmp/sbt-dependency-check/odc.mv.db
--------------------------------------------------------------------------------
/testProject/build.sbt:
--------------------------------------------------------------------------------
version := "0.1"
lazy val root = project in file(".")
scalaVersion := "2.12.17"

resolvers += Resolver.mavenLocal
--------------------------------------------------------------------------------
/testProject/project/plugins.sbt:
--------------------------------------------------------------------------------
sys.props.get("plugin.version") match {
  case Some(x) => addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % x)
  case _ => sys.error(
    """|The system property 'plugin.version' is not defined.
       |Specify this property using the sbt parameter -D.""".stripMargin)
}
--------------------------------------------------------------------------------
/version.sbt:
--------------------------------------------------------------------------------
ThisBuild / version := "5.1.1-SNAPSHOT"
--------------------------------------------------------------------------------