

fix: allow hosted suppressions file to be disabled (#5509)
jeremylong committed Feb 27, 2023
1 parent c0b2c0b commit b6c5ec3
Showing 16 changed files with 82 additions and 23 deletions.
24 changes: 23 additions & 1 deletion ant/src/main/java/org/owasp/dependencycheck/taskdefs/Update.java
Expand Up @@ -109,9 +109,13 @@ public class Update extends Purge {
*/
private Integer hostedSuppressionsValidForHours;
/**
* Whether or not the hosted suppressions file will be updated regardless of the `autoupdate` settings. Defaults to false.
* Whether the hosted suppressions file will be updated regardless of the `autoupdate` settings. Defaults to false.
*/
private Boolean hostedSuppressionsForceUpdate;
/**
* Whether the hosted suppressions file will be used. Defaults to true.
*/
private Boolean hostedSuppressionsEnabled;

/**
* Specify the first year of NVD CVE data to download; default is 2002.
Expand Down Expand Up @@ -475,6 +479,23 @@ public void setHostedSuppressionsForceUpdate(final Boolean hostedSuppressionsFor
this.hostedSuppressionsForceUpdate = hostedSuppressionsForceUpdate;
}

/**
* Get the value of hostedSuppressionsEnabled.
*
* @return the value of hostedSuppressionsEnabled
*/
public Boolean isHostedSuppressionsEnabled() {
return hostedSuppressionsEnabled;
}
/**
* Set the value of hostedSuppressionsEnabled.
*
* @param hostedSuppressionsEnabled new value of hostedSuppressionsEnabled
*/
public void setHostedSuppressionsEnabled(Boolean hostedSuppressionsEnabled) {
this.hostedSuppressionsEnabled = hostedSuppressionsEnabled;
}

/**
* Executes the update by initializing the settings, downloads the NVD XML
* data, and then processes the data storing it in the local database.
Expand Down Expand Up @@ -539,6 +560,7 @@ protected void populateSettings() throws BuildException {
getSettings().setIntIfNotNull(Settings.KEYS.CVE_START_YEAR, cveStartYear);
getSettings().setIntIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_VALID_FOR_HOURS, hostedSuppressionsValidForHours);
getSettings().setBooleanIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_FORCEUPDATE, hostedSuppressionsForceUpdate);
getSettings().setBooleanIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_ENABLED, hostedSuppressionsEnabled);
if (cveValidForHours != null) {
if (cveValidForHours >= 0) {
getSettings().setInt(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, cveValidForHours);
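Review bot: The new accessor `isHostedSuppressionsEnabled()` uses the `is` prefix on a wrapper `Boolean` return, which JavaBeans-style introspection only recognises for a primitive `boolean`, and the value can be `null` when the attribute was never set; the Javadoc should say so, e.g. `@return the configured value, or {@code null} when not set (the engine then defaults to true)`, which matches the field comment "Defaults to true." in the first hunk. The setter's parameter is also not `final`, unlike the sibling `setHostedSuppressionsForceUpdate(final Boolean ...)` at the head of the same hunk: `public void setHostedSuppressionsEnabled(final Boolean hostedSuppressionsEnabled) {`. A blank line is missing between the getter's closing brace and the setter's Javadoc. The `Update` class continues outside these hunks.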
5 changes: 3 additions & 2 deletions ant/src/site/markdown/config-update.md
Expand Up @@ -45,6 +45,7 @@ databaseDriverPath | The path to the database driver JAR file; only used if th
connectionString | The connection string used to connect to the database. See using a [database server](../data/database.html). |  
databaseUser | The username used when connecting to the database. |  
databasePassword | The password used when connecting to the database. |  
hostedSuppressionsUrl | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
hostedSuppressionsValidForHours | Sets the number of hours to wait before checking for new updates of the hosted suppressions file | 2
hostedSuppressionsEnabled | Whether the hosted suppression file will be used. | true
hostedSuppressionsUrl | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
hostedSuppressionsValidForHours | Sets the number of hours to wait before checking for new updates of the hosted suppressions file | 2
hostedSuppressionsForceUpdate | Sets whether the hosted suppressions file should update regardless of the `autoupdate` and validForHours settings | false
5 changes: 3 additions & 2 deletions ant/src/site/markdown/configuration.md
Expand Up @@ -154,6 +154,7 @@ databaseDriverPath | The path to the database driver JAR file; only used if th
connectionString | The connection string used to connect to the database. See using a [database server](../data/database.html). |  
databaseUser | The username used when connecting to the database. |  
databasePassword | The password used when connecting to the database. |  
hostedSuppressionsUrl | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
hostedSuppressionsValidForHours | Sets the number of hours to wait before checking for new updates of the hosted suppressions file | 2
hostedSuppressionsEnabled | Whether the hosted suppression file will be used. | true
hostedSuppressionsUrl | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
hostedSuppressionsValidForHours | Sets the number of hours to wait before checking for new updates of the hosted suppressions file | 2
hostedSuppressionsForceUpdate | Sets whether the hosted suppressions file should update regardless of the `autoupdate` and validForHours settings | false
2 changes: 2 additions & 0 deletions cli/src/main/java/org/owasp/dependencycheck/App.java
Expand Up @@ -663,6 +663,8 @@ protected void populateSettings(CliParser cli) throws InvalidSettingException {

settings.setStringIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_URL,
cli.getStringArgument(CliParser.ARGUMENT.HOSTED_SUPPRESSIONS_URL));
settings.setBoolean(Settings.KEYS.HOSTED_SUPPRESSIONS_ENABLED,
!cli.isDisabled(CliParser.ARGUMENT.DISABLE_HOSTED_SUPPRESSIONS, Settings.KEYS.HOSTED_SUPPRESSIONS_ENABLED));
settings.setBooleanIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_FORCEUPDATE,
cli.hasOption(CliParser.ARGUMENT.HOSTED_SUPPRESSIONS_FORCEUPDATE));
settings.setIntIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_VALID_FOR_HOURS,
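Review bot: The added `settings.setBoolean(HOSTED_SUPPRESSIONS_ENABLED, !cli.isDisabled(DISABLE_HOSTED_SUPPRESSIONS, HOSTED_SUPPRESSIONS_ENABLED))` is a double negative and, unlike the neighbouring `setBooleanIfNotNull` calls, always overwrites the property-file value; whether `isDisabled` falls back to `hosted.suppressions.enabled` when the flag is absent is not visible in this hunk, so it is worth confirming that the `dependencycheck.properties` default still takes effect. A one-line comment would make the intent readable: `// --disableHostedSuppressions takes precedence; otherwise the hosted.suppressions.enabled property applies`. `populateSettings` continues outside the hunk.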
5 changes: 5 additions & 0 deletions cli/src/main/java/org/owasp/dependencycheck/CliParser.java
Expand Up @@ -499,6 +499,7 @@ private void addAdvancedOptions(final Options options) {
.addOption(newOption(ARGUMENT.ENABLE_NEXUS, "Enable the Nexus Analyzer."))
.addOption(newOption(ARGUMENT.ARTIFACTORY_ENABLED, "Whether the Artifactory Analyzer should be enabled."))
.addOption(newOption(ARGUMENT.PURGE_NVD, "Purges the local NVD data cache"))
.addOption(newOption(ARGUMENT.DISABLE_HOSTED_SUPPRESSIONS, "Disable the usage of the hosted suppressions file"))
.addOption(newOption(ARGUMENT.HOSTED_SUPPRESSIONS_FORCEUPDATE, "Force the hosted suppressions file to update even"
+ " if autoupdate is disabled"))
.addOption(newOptionWithArg(ARGUMENT.HOSTED_SUPPRESSIONS_VALID_FOR_HOURS, "hours",
Expand Down Expand Up @@ -1521,6 +1522,10 @@ public static class ARGUMENT {
* when generating the JUNIT report format.
*/
public static final String FAIL_JUNIT_ON_CVSS = "junitFailOnCVSS";
/**
* The CLI argument to set the number of hours to wait before re-checking hosted suppressions file for updates.
*/
public static final String DISABLE_HOSTED_SUPPRESSIONS = "disableHostedSuppressions";
/**
* The CLI argument to set the number of hours to wait before re-checking hosted suppressions file for updates.
*/
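Review bot: The Javadoc on the new `DISABLE_HOSTED_SUPPRESSIONS` constant in the second hunk is copied from the valid-for-hours constant that follows it and describes the wrong argument ("set the number of hours to wait before re-checking"). It should read `* The CLI argument to disable the usage of the hosted suppressions file.`, matching the option help text added in the first hunk. The `ARGUMENT` class continues outside the hunk.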
1 change: 1 addition & 0 deletions cli/src/main/resources/completion-for-dependency-check.sh
Expand Up @@ -44,6 +44,7 @@ _odc_completions()
--disableFileName
--disableGolangDep
--disableGolangMod
--disableHostedSuppressions
--disableJar
--disableMavenInstall
--disableMixAudit
7 changes: 4 additions & 3 deletions cli/src/site/markdown/arguments.md
Expand Up @@ -118,6 +118,7 @@ Advanced Options
| | \-\-dbUser | \<user\> | The username used to connect to the database. | &nbsp; |
| \-d | \-\-data | \<path\> | The location of the data directory used to store persistent data. This option should generally not be set. | &nbsp; |
| | \-\-purge | | Delete the local copy of the NVD. This is used to force a refresh of the data. | &nbsp; |
| | \-\-hostedSuppressionsForceUpdate | | Whether the hosted suppressions file will update regardless of the `noupdate` argument. | false |
| | \-\-hostedSuppressionsValidForHours | \<hours\> | The number of hours to wait before checking for new updates of the hosted suppressions file | 2 |
| | \-\-hostedSuppressionsUrl | \<url\> | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml |
| | \-\-disableHostedSuppressions | | Whether the usage of the hosted suppressions file will be disabled. | false |
| | \-\-hostedSuppressionsForceUpdate | | Whether the hosted suppressions file will update regardless of the `noupdate` argument. | false |
| | \-\-hostedSuppressionsValidForHours | \<hours\> | The number of hours to wait before checking for new updates of the hosted suppressions file | 2 |
| | \-\-hostedSuppressionsUrl | \<url\> | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml |
Expand Up @@ -230,6 +230,10 @@ private void loadPackagedSuppressionBaseData(final SuppressionParser parser, fin
private void loadHostedSuppressionBaseData(final SuppressionParser parser, final Engine engine) {
final File repoFile;
boolean repoEmpty = false;
final boolean enabled = getSettings().getBoolean(Settings.KEYS.HOSTED_SUPPRESSIONS_ENABLED, true);
if (!enabled) {
return;
}
final boolean autoupdate = getSettings().getBoolean(Settings.KEYS.AUTO_UPDATE, true);
final boolean forceupdate = getSettings().getBoolean(Settings.KEYS.HOSTED_SUPPRESSIONS_FORCEUPDATE, false);

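Review bot: The early `return` in `loadHostedSuppressionBaseData` is placed after the `repoFile` and `repoEmpty` declarations rather than at the top of the method, and it exits silently, so an operator investigating why expected hosted suppressions were not applied has no trace of the disabled setting. Moving the guard to the first statement and logging at debug level before returning (if the class has a logger; none is visible in the hunk) would make that state diagnosable, e.g. `LOGGER.debug("Hosted suppressions file is disabled; skipping");`. The method continues outside the hunk.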
Expand Up @@ -66,7 +66,8 @@ public boolean update(Engine engine) throws UpdateException {
final boolean forceupdate = settings.getBoolean(Settings.KEYS.HOSTED_SUPPRESSIONS_FORCEUPDATE, false);
final boolean cpeSuppressionEnabled = settings.getBoolean(Settings.KEYS.ANALYZER_CPE_SUPPRESSION_ENABLED, true);
final boolean vulnSuppressionEnabled = settings.getBoolean(Settings.KEYS.ANALYZER_VULNERABILITY_SUPPRESSION_ENABLED, true);
final boolean enabled = cpeSuppressionEnabled || vulnSuppressionEnabled;
boolean enabled = settings.getBoolean(Settings.KEYS.HOSTED_SUPPRESSIONS_ENABLED, true);
enabled = enabled && (cpeSuppressionEnabled || vulnSuppressionEnabled);
try {
final URL url = new URL(configuredUrl);
final File filepath = new File(url.getPath());
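Review bot: `enabled` is now declared non-final and immediately reassigned on the next line, where the surrounding locals are all `final`; fold it into one expression: `final boolean enabled = settings.getBoolean(Settings.KEYS.HOSTED_SUPPRESSIONS_ENABLED, true)` followed by `&& (cpeSuppressionEnabled || vulnSuppressionEnabled);`. What `update` does when `enabled` is false (presumably skips the download) lies outside the hunk and is not reviewed here.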
4 changes: 4 additions & 0 deletions core/src/main/resources/dependencycheck.properties
Expand Up @@ -172,6 +172,10 @@ database.batchinsert.maxsize=1000
analyzer.artifactory.enabled=false
odc.reports.pretty.print=false

hosted.suppressions.enabled=true
hosted.suppressions.url=https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
hosted.suppressions.validforhours=2

## The following controls the max query limit used in the CPE searches for each ecosystem
odc.ecosystem.maxquerylimit.native=1000
odc.ecosystem.maxquerylimit.default=100
Expand Up @@ -975,6 +975,12 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
@SuppressWarnings("CanBeFinal")
@Parameter(property = "hostedSuppressionsForceUpdate")
private Boolean hostedSuppressionsForceUpdate;
/**
* Whether the hosted suppressions file will be used.
*/
@SuppressWarnings("CanBeFinal")
@Parameter(property = "hostedSuppressionsEnabled")
private Boolean hostedSuppressionsEnabled;
/**
* Skip excessive hosted suppression file update checks for a designated
* duration in hours (defaults to 2 hours).
Expand Down Expand Up @@ -2318,6 +2324,7 @@ protected void populateSettings() {
settings.setIntIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_VALID_FOR_HOURS, hostedSuppressionsValidForHours);
settings.setStringIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_URL, hostedSuppressionsUrl);
settings.setBooleanIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_FORCEUPDATE, hostedSuppressionsForceUpdate);
settings.setBooleanIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_ENABLED, hostedSuppressionsEnabled);
}

/**
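Review bot: The Javadoc on the new `hostedSuppressionsEnabled` parameter omits its default, whereas the Ant task's equivalent field in this commit and the Maven configuration table both state `true`; it should read `* Whether the hosted suppressions file will be used. Defaults to true.` The `@Parameter` carries no `defaultValue`, so the default comes from the property file rather than the plugin descriptor — worth stating for users reading the generated plugin documentation. `BaseDependencyCheckMojo` continues outside these hunks.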
13 changes: 7 additions & 6 deletions maven/src/site/markdown/configuration.md
Expand Up @@ -162,12 +162,13 @@ connectionString | The connection string used to connect to the database
serverId | The id of a server defined in the settings.xml; this can be used to encrypt the database password. See [password encryption](http://maven.apache.org/guides/mini/guide-encryption.html) for more information. | &nbsp; |
databaseUser | The username used when connecting to the database. | &nbsp; |
databasePassword | The password used when connecting to the database. | &nbsp; |
hostedSuppressionsForceUpdate | Whether the hosted suppressions file will update regardless of the `autoupdate` setting. | false
hostedSuppressionsUrl | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments. | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
hostedSuppressionsValidForHours | Sets the number of hours to wait before checking for new updates from the NVD. | 2
retireJsUrlServerId | The id of a server defined in the settings.xml to retrieve the credentials (username and password) to connect to RetireJS instance. | &nbsp;
retireJsUser | If you don't want register user/password in settings.xml, you can specify user. | &nbsp;
retireJsPassword | If you don't want register user/password in settings.xml, you can specify user. | &nbsp;
hostedSuppressionsEnabled | Whether the hosted suppressions file will be used. | true
hostedSuppressionsForceUpdate | Whether the hosted suppressions file will update regardless of the `autoupdate` setting. | false
hostedSuppressionsUrl | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments. | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
hostedSuppressionsValidForHours| Sets the number of hours to wait before checking for new updates from the NVD. | 2
retireJsUrlServerId | The id of a server defined in the settings.xml to retrieve the credentials (username and password) to connect to RetireJS instance. | &nbsp;
retireJsUser | If you don't want register user/password in settings.xml, you can specify user. | &nbsp;
retireJsPassword | If you don't want register user/password in settings.xml, you can specify user. | &nbsp;

Proxy Configuration
====================
Expand Up @@ -180,10 +180,10 @@ ossIndex | password | The password or API token to connect to S
ossIndex | warnOnlyOnRemoteErrors| Sets whether remote errors from the OSS Index (e.g. BAD GATEWAY, RATE LIMIT EXCEEDED) will result in warnings only instead of failing execution. | false
slack | enabled | Whether or not slack notifications are enabled. | false
slack | webhookUrl | The custom incoming webhook URL to receive notifications. | &nbsp;
hostedSuppressions | enabled | The number of hours to wait before checking for new updates of the hosted suppressions file . | 2
hostedSuppressions | enabled | Whether the hosted suppressions file will be used. | true
hostedSuppressions | forceupdate | Sets whether hosted suppressions file will update regardless of the `autoupdate` setting. | false
hostedSuppressions | url | The URL to the Retire JS repository. | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml

hostedSuppressions | validForHours | The number of hours to wait before checking for new updates of the hosted suppressions file . | 2

#### Example
```groovy
Expand Up @@ -75,6 +75,10 @@ data | driverPath | The path to the database driver JAR file; onl
data | connectionString | The connection string used to connect to the database. See using a [database server](../data/database.html). | &nbsp; |
data | username | The username used when connecting to the database. | &nbsp; |
data | password | The password used when connecting to the database. | &nbsp; |
hostedSuppressions | enabled | Whether the hosted suppressions file will be used. | true
hostedSuppressions | forceupdate | Sets whether hosted suppressions file will update regardless of the `autoupdate` setting. | false
hostedSuppressions | url | The URL to the Retire JS repository. | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
hostedSuppressions | validForHours | The number of hours to wait before checking for new updates of the hosted suppressions file . | 2

#### Example
```groovy

