Posted to commits@ofbiz.apache.org by jl...@apache.org on 2017/02/11 13:23:20 UTC
svn commit: r1782604 - in /ofbiz/trunk/tools/security/dependency-check:
NOTICE.txt README.md README.txt check.bat suppress.xml
Author: jleroux
Date: Sat Feb 11 13:23:20 2017
New Revision: 1782604
URL: http://svn.apache.org/viewvc?rev=1782604&view=rev
Log:
No functional change, updates and removes some now useless files
Removed:
ofbiz/trunk/tools/security/dependency-check/check.bat
ofbiz/trunk/tools/security/dependency-check/suppress.xml
Modified:
ofbiz/trunk/tools/security/dependency-check/NOTICE.txt
ofbiz/trunk/tools/security/dependency-check/README.md
ofbiz/trunk/tools/security/dependency-check/README.txt
Modified: ofbiz/trunk/tools/security/dependency-check/NOTICE.txt
URL: http://svn.apache.org/viewvc/ofbiz/trunk/tools/security/dependency-check/NOTICE.txt?rev=1782604&r1=1782603&r2=1782604&view=diff
==============================================================================
--- ofbiz/trunk/tools/security/dependency-check/NOTICE.txt (original)
+++ ofbiz/trunk/tools/security/dependency-check/NOTICE.txt Sat Feb 11 13:23:20 2017
@@ -1,8 +1,8 @@
-dependency-check-cli
+dependency-check
-Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+Copyright (c) 2012-2013 Jeremy Long. All Rights Reserved.
-The licenses for the software listed below can be found in the licenses.
+The licenses for the software listed below can be found in the META-INF/licenses/[dependency name].
This product includes software developed by The Apache Software Foundation (http://www.apache.org/).
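Review bot: the copyright line `+Copyright (c) 2012-2013 Jeremy Long. All Rights Reserved.` now disagrees with the README.md updated in this same commit, which states `Copyright (c) 2012-2015 Jeremy Long`; both files are copied from upstream, so take them from the same upstream release so that NOTICE and README describe one version. The new pointer `The licenses for the software listed below can be found in the META-INF/licenses/[dependency name].` names a path that exists inside the upstream distribution, not in this directory (the commit lists no META-INF under tools/security/dependency-check); either say which artifact the path refers to or keep the earlier wording.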
Modified: ofbiz/trunk/tools/security/dependency-check/README.md
URL: http://svn.apache.org/viewvc/ofbiz/trunk/tools/security/dependency-check/README.md?rev=1782604&r1=1782603&r2=1782604&view=diff
==============================================================================
--- ofbiz/trunk/tools/security/dependency-check/README.md (original)
+++ ofbiz/trunk/tools/security/dependency-check/README.md Sat Feb 11 13:23:20 2017
@@ -1,24 +1,120 @@
-Dependency-Check Command Line
+Dependency-Check
================
-Dependency-Check Command Line can be used to check project dependencies for published security vulnerabilities. The checks
-performed are a "best effort" and as such, there could be false positives as well as false negatives. However,
-vulnerabilities in 3rd party components is a well-known problem and is currently documented in the 2013 OWASP
-Top 10 as [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities).
-Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-cli/installation.html).
+Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
+
+Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/). Additionally, more information about the architecture and ways to extend dependency-check can be found on the [wiki].
+
+Current Releases
+-------------
+### Jenkins Plugin
+
+For instructions on the use of the Jenkins plugin please see the [OWASP Dependency-Check Plugin page](https://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin).
+
+### Command Line
+
+More detailed instructions can be found on the
+[dependency-check github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-cli/).
+The latest CLI can be downloaded from bintray's
+[dependency-check page](https://bintray.com/jeremy-long/owasp/dependency-check).
+
+On *nix
+```
+$ ./bin/dependency-check.sh -h
+$ ./bin/dependency-check.sh --app Testing --out . --scan [path to jar files to be scanned]
+```
+On Windows
+```
+> bin/dependency-check.bat -h
+> bin/dependency-check.bat --app Testing --out . --scan [path to jar files to be scanned]
+```
+On Mac with [Homebrew](http://brew.sh)
+```
+$ brew update && brew install dependency-check
+$ dependency-check -h
+$ dependency-check --app Testing --out . --scan [path to jar files to be scanned]
+```
+
+### Maven Plugin
+
+More detailed instructions can be found on the [dependency-check-maven github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-maven).
+The plugin can be configured using the following:
+
+```xml
+<project>
+ <build>
+ <plugins>
+ ...
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <executions>
+ <execution>
+ <goals>
+ <goal>check</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ ...
+ </plugins>
+ ...
+ </build>
+ ...
+</project>
+```
+
+### Ant Task
+
+For instructions on the use of the Ant Task, please see the [dependency-check-ant github page](http://jeremylong.github.io/DependencyCheck/dependency-check-ant).
+
+Development Usage
+-------------
+The following instructions outline how to compile and use the current snapshot. While every intention is to maintain a stable snapshot it is recommended
+that the release versions listed above be used.
+
+The repository has some large files due to test resources. The team has tried to cleanup the history as much as possible.
+However, it is recommended that you perform a shallow clone to save yourself time:
+
+```bash
+git clone --depth 1 git@github.com:jeremylong/DependencyCheck.git
+```
+
+On *nix
+```
+$ mvn install
+$ ./dependency-check-cli/target/release/bin/dependency-check.sh -h
+$ ./dependency-check-cli/target/release/bin/dependency-check.sh --app Testing --out . --scan ./src/test/resources
+```
+On Windows
+```
+> mvn install
+> dependency-check-cli/target/release/bin/dependency-check.bat -h
+> dependency-check-cli/target/release/bin/dependency-check.bat --app Testing --out . --scan ./src/test/resources
+```
+
+Then load the resulting 'DependencyCheck-Report.html' into your favorite browser.
Mailing List
------------
-Subscribe: [dependency-check+subscribe@googlegroups.com](mailto:dependency-check+subscribe@googlegroups.com)
+Subscribe: [dependency-check+subscribe@googlegroups.com] [subscribe]
+
+Post: [dependency-check@googlegroups.com] [post]
-Post: [dependency-check@googlegroups.com](mailto:dependency-check@googlegroups.com)
+Archive: [google group](https://groups.google.com/forum/#!forum/dependency-check)
Copyright & License
-------------
+-
+
+Dependency-Check is Copyright (c) 2012-2015 Jeremy Long. All Rights Reserved.
+
+Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-cli/blob/master/LICENSE.txt) file for the full license.
-Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved.
+Dependency-Check makes use of several other open source libraries. Please see the [NOTICE.txt] [notices] file for more information.
-Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.
-Dependency-Check Command Line makes use of other open source libraries. Please see the [NOTICE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/dependency-check-cli/NOTICE.txt) file for more information.
+ [wiki]: https://github.com/jeremylong/DependencyCheck/wiki
+ [subscribe]: mailto:dependency-check+subscribe@googlegroups.com
+ [post]: mailto:dependency-check@googlegroups.com
+ [notices]: https://github.com/jeremylong/DependencyCheck/blob/master/NOTICES.txt
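Review bot: the LICENSE.txt link in the Copyright & License section, `[LICENSE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-cli/blob/master/LICENSE.txt)`, places the subdirectory before `blob/master`, so it will not resolve on GitHub; the removed line's raw URL `https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt` was well-formed. Two more reference problems in the same section: the text says `NOTICE.txt` while the `[notices]` definition points at `NOTICES.txt`, and the `Copyright (c) 2012-2015` range conflicts with the `2012-2013` written into NOTICE.txt in this same commit. Beyond the links, the new body documents upstream's Jenkins, CLI, Maven and Ant usage and a `git clone` of the upstream repository over SSH, whereas README.txt in this commit says OFBiz runs the check through the Gradle plugin; a short Gradle section, or at least a pointer to README.txt and the cwiki page, would tell an OFBiz committer how this directory is actually used. Minor: the `Copyright & License` underline was shortened to a single `-`; it still renders as a setext heading but is inconsistent with the `------------` kept under `Mailing List`.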
Modified: ofbiz/trunk/tools/security/dependency-check/README.txt
URL: http://svn.apache.org/viewvc/ofbiz/trunk/tools/security/dependency-check/README.txt?rev=1782604&r1=1782603&r2=1782604&view=diff
==============================================================================
--- ofbiz/trunk/tools/security/dependency-check/README.txt (original)
+++ ofbiz/trunk/tools/security/dependency-check/README.txt Sat Feb 11 13:23:20 2017
@@ -1,4 +1,2 @@
-This is only given as an example. It uses the https://www.owasp.org/index.php/OWASP_Dependency_Check command line option
-To have it working you must have the dependency-check command line option correctly installed.
-
+This is only given as an example. It uses the Gradle dependency check gradle plugin. https://plugins.gradle.org/plugin/dependency.check
In any cases be sure to check https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check
\ No newline at end of file
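Review bot: with `check.bat` and `suppress.xml` removed in this same commit, nothing remains in the directory that `This is only given as an example.` could refer to; say where the Gradle plugin configuration now lives (the build script that applies the plugin) or drop the sentence. If the removed `suppress.xml` recorded known false positives, the file should also say where the suppression file for the Gradle plugin run now lives, otherwise those findings will resurface on the next scan. Wording: `Gradle dependency check gradle plugin` repeats the word, `In any cases` should be `In any case`, and the file still lacks a trailing newline (`\ No newline at end of file`).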