Conduct scan without existence of files #96

Closed
stevespringett opened this issue Mar 20, 2014 · 5 comments
@stevespringett
Collaborator

If metadata (evidence of a libraries vendor, name, version, etc) has already been obtained by other means and stored elsewhere, dependency-check should be able to leverage existing evidence and easily provide scanning capabilities without having physical access to the filesystem where the libraries are stored.

@jeremylong
Owner

I completely agree. I'm thinking we could probably use the XML results...
I think this feature will be needed for the report aggregation requested
several months ago for the Maven plugin. I just haven't gotten to it as
other bugs/enhancements have seemed slightly higher priority. But I think
this will come to the top of my list soon.

--Jeremy


@jeremylong
Owner

Just realized you submitted a PR for this ;)

I scanned the PR quickly and might have missed this - but where is the data
being loaded from? I really think we could read the XML report..

--Jeremy


@stevespringett
Collaborator Author

Yeah sorry for creating two issues. I didn't realize a PR would create
another one. Thought I could tie it into an existing issue.

Anyway, DependencyCheckScanAgent and the few minor changes to the core to
support it, is meant for people who want to use DC as a library, rather
than directly like people do now.

For example, Dependency-Track will use the scan agent in the following
manner:

// Imports added for completeness; package names are those of the
// dependency-check 1.x API (assumed, not quoted from the original comment).
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import org.owasp.dependencycheck.agent.DependencyCheckScanAgent;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.reporting.ReportGenerator;
import org.owasp.dependencycheck.utils.FileUtils;

List<Dependency> dependencies = new ArrayList<>();
// Iterate through the database to get all dependencies and create a
// new dependency object for each. Then add it to the list.
// There is no file on disk, so the dependency points at the bit bucket.
Dependency dependency = new Dependency(new File(FileUtils.getBitBucket()));
dependency.getProductEvidence().addEvidence("dependency-track", "name",
        "Jetty", Confidence.HIGH);
dependency.getVersionEvidence().addEvidence("dependency-track", "version",
        "5.1.10", Confidence.HIGH);
dependency.getVendorEvidence().addEvidence("dependency-track", "vendor",
        "mortbay", Confidence.HIGH);
dependencies.add(dependency);

// The agent wraps the Engine: supply the evidence, pick a report format, run.
DependencyCheckScanAgent scan = new DependencyCheckScanAgent();
scan.setDependencies(dependencies);
scan.setReportFormat(ReportGenerator.Format.XML);
scan.execute();

This will allow any application, whether it's Dependency-Track, or some
other asset management system, the ability to use the data that is already
in the system as the sole source of evidence and still conduct a scan
without having to worry about the low level implementation details of using
the Engine directly.

And yes, if you wanted to use a spreadsheet, an XML file or some other type
of datasource as the sole source of evidence, it would be extremely simple
to do using DependencyCheckScanAgent.
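As an added example (not code from this issue or from the Dependency-Check project), the same agent driven from a small in-memory inventory of several rows, which is the loop the comment above describes but does not show: rows with no library name are skipped, and rows with no known version get no version evidence rather than a fabricated one. The Asset record, the package names and Java 16+ are assumptions.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.List;
// Package names assumed for the dependency-check 1.x API discussed in the thread.
import org.owasp.dependencycheck.agent.DependencyCheckScanAgent;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.reporting.ReportGenerator;
import org.owasp.dependencycheck.utils.FileUtils;

public class InventoryScan {
    /** One inventory row as an asset system might store it (hypothetical type). */
    public record Asset(String vendor, String name, String version) {}

    /** Builds Dependency objects carrying only the evidence the inventory holds.
     *  Rows without a name are skipped; missing vendor/version add no evidence. */
    public static List<Dependency> toDependencies(List<Asset> assets, String source) {
        List<Dependency> deps = new ArrayList<>();
        for (Asset a : assets) {
            if (a.name() == null || a.name().isBlank()) {
                continue; // nothing to identify the library by
            }
            // No file on disk, so the dependency points at the bit bucket.
            Dependency d = new Dependency(new File(FileUtils.getBitBucket()));
            d.getProductEvidence().addEvidence(source, "name", a.name(), Confidence.HIGH);
            if (a.vendor() != null && !a.vendor().isBlank()) {
                d.getVendorEvidence().addEvidence(source, "vendor", a.vendor(), Confidence.HIGH);
            }
            if (a.version() != null && !a.version().isBlank()) {
                d.getVersionEvidence().addEvidence(source, "version", a.version(), Confidence.HIGH);
            }
            deps.add(d);
        }
        return deps;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inventory; replace with rows from your own datastore.
        List<Asset> assets = List.of(
            new Asset("mortbay", "Jetty", "5.1.10"),
            new Asset("apache", "commons-collections", null), // version unknown
            new Asset(null, "", "1.0"));                         // skipped: no name
        DependencyCheckScanAgent scan = new DependencyCheckScanAgent();
        scan.setDependencies(toDependencies(assets, "asset-inventory"));
        scan.setReportFormat(ReportGenerator.Format.XML);
        scan.execute();
    }
}
```

A dependency with no version evidence will match CPEs less precisely, so the report for such rows should be read as "possibly affected" rather than confirmed.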

@stevespringett
Collaborator Author

Thought I would attach the reports that are generated from the above sample
code. So the goal is with a minimal amount of code, and with knowing the
evidence in advance, a user can easily generate useable reports with little
effort, and without worrying about changes in Engine implementation details.

I haven't tested this on Windows. It should work, but I don't know for sure.


@lock lock bot locked and limited conversation to collaborators Sep 28, 2018