feat: add hostedSuppressionsAuthHeader option to provide credentials for the hosted suppression file #7268

Open
wants to merge 10 commits into base: main
24 changes: 24 additions & 0 deletions ant/src/main/java/org/owasp/dependencycheck/taskdefs/Purge.java
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,11 @@ public class Purge extends Task {
*/
private String hostedSuppressionsUrl = null;

/**
* The authorization header to hosted suppressions file with base FP suppressions.
*/
private String hostedSuppressionsAuthHeader = null;

/**
* Construct a new DependencyCheckTask.
*/
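Review bot: the Javadoc on the new `hostedSuppressionsAuthHeader` field ("The authorization header to hosted suppressions file with base FP suppressions") reads awkwardly and does not say what the value is; suggest "The value of the authorization header sent when fetching the hosted suppressions file" and state whether it is the complete header value (`Bearer <token>`) or only the token. Either way the field holds a credential, so the doc should say it must be kept out of logs and build output.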
Expand Down Expand Up @@ -131,6 +136,24 @@ public void setHostedSuppressionsUrl(final String hostedSuppressionsUrl) {
this.hostedSuppressionsUrl = hostedSuppressionsUrl;
}

/**
* Get the value of hostedSuppressionsAuthHeader.
*
* @return the value of hostedSuppressionsAuthHeader
*/
public String getHostedSuppressionsAuthHeader() {
return hostedSuppressionsAuthHeader;
}

/**
* Set the value of hostedSuppressionsAuthHeader.
*
* @param hostedSuppressionsUrl new value of hostedSuppressionsAuthHeader
*/
public void setHostedSuppressionsAuthHeader(final String hostedSuppressionsAuthHeader) {
this.hostedSuppressionsAuthHeader = hostedSuppressionsAuthHeader;
}

/**
* Sets the
* {@link Thread#getContextClassLoader() Thread Context Class Loader} to the
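Review bot: the `@param` tag on `setHostedSuppressionsAuthHeader` names the wrong parameter: it says `@param hostedSuppressionsUrl` while the method parameter is `hostedSuppressionsAuthHeader`, so Javadoc lint will flag it and the generated docs will describe the wrong argument. Suggest `@param hostedSuppressionsAuthHeader new value of hostedSuppressionsAuthHeader`.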
Expand Down Expand Up @@ -214,6 +237,7 @@ protected void populateSettings() throws BuildException {
log(msg, ex, Project.MSG_WARN);
}
settings.setStringIfNotEmpty(Settings.KEYS.HOSTED_SUPPRESSIONS_URL, hostedSuppressionsUrl);
settings.setStringIfNotEmpty(Settings.KEYS.HOSTED_SUPPRESSIONS_AUTH_HEADER, hostedSuppressionsAuthHeader);
if (dataDirectory != null) {
settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
} else {
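Review bot: is the auth header actually needed in the Purge task? Unless `Purge` fetches the suppressions file (it appears to only clear local data), pushing a credential into `settings` here widens where the secret flows without an obvious use. If it is kept only to mirror `hostedSuppressionsUrl`, a one-line comment saying so would help; otherwise drop the field, getter and setter from this task.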
7 changes: 4 additions & 3 deletions ant/src/site/markdown/config-purge.md
Expand Up @@ -23,6 +23,7 @@ Advanced Configuration
====================
The following properties can be configured in the plugin. However, they are less frequently changed.

Property | Description | Default Value
----------------------|--------------------------------------------------------------------------------------------------|------------------
hostedSuppressionsUrl | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
Property | Description | Default Value
-----------------------------|--------------------------------------------------------------------------------------------------|------------------
hostedSuppressionsUrl | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
hostedSuppressionsAuthHeader | The authorization header to a mirrored copy of the hosted suppressions file for internet-constrained environments |
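Review bot: the description "The authorization header to a mirrored copy of the hosted suppressions file" does not tell users what to put in the cell: the header name, a bare token, or the complete header value. Suggest stating the expected form and noting that, because this is a credential, it should be supplied through an Ant property or environment variable rather than committed in build.xml. The same sentence is reused in config-update.md, configuration.md, the CLI arguments.md and the Maven configuration.md, so fix it in all of them.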
1 change: 1 addition & 0 deletions ant/src/site/markdown/config-update.md
Expand Up @@ -51,5 +51,6 @@ databaseUser | The username used when connecting to the database.
databasePassword | The password used when connecting to the database. |  
hostedSuppressionsEnabled | Whether the hosted suppression file will be used. | true
hostedSuppressionsUrl | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
hostedSuppressionsAuthHeader | The authorization header to a mirrored copy of the hosted suppressions file for internet-constrained environments |
hostedSuppressionsValidForHours | Sets the number of hours to wait before checking for new updates of the hosted suppressions file | 2
hostedSuppressionsForceUpdate | Sets whether the hosted suppressions file should update regardless of the `autoupdate` and validForHours settings | false
1 change: 1 addition & 0 deletions ant/src/site/markdown/configuration.md
Expand Up @@ -164,5 +164,6 @@ databaseUser | The username used when connecting to the database.
databasePassword | The password used when connecting to the database. |  
hostedSuppressionsEnabled | Whether the hosted suppression file will be used. | true
hostedSuppressionsUrl | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
hostedSuppressionsAuthHeader | The authorization header to a mirrored copy of the hosted suppressions file for internet-constrained environments |
hostedSuppressionsValidForHours | Sets the number of hours to wait before checking for new updates of the hosted suppressions file | 2
hostedSuppressionsForceUpdate | Sets whether the hosted suppressions file should update regardless of the `autoupdate` and validForHours settings | false
10 changes: 9 additions & 1 deletion cli/src/main/java/org/owasp/dependencycheck/CliParser.java
Expand Up @@ -530,7 +530,10 @@ private void addAdvancedOptions(final Options options) {
.addOption(newOptionWithArg(ARGUMENT.HOSTED_SUPPRESSIONS_VALID_FOR_HOURS, "hours",
"The number of hours to wait before checking for new updates of the the hosted suppressions file."))
.addOption(newOptionWithArg(ARGUMENT.HOSTED_SUPPRESSIONS_URL, "url",
"The URL for a mirrored hosted suppressions file"));
"The URL for a mirrored hosted suppressions file"))
.addOption(newOptionWithArg(ARGUMENT.HOSTED_SUPPRESSIONS_AUTH_HEADER, "authorization header",
"The authorization header for a mirrored hosted suppressions file"))
;

}
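Review bot: the `;` on its own line after the last `.addOption(...)` is a style nit (the existing chain ends with `));`); more substantively, the argument name `"authorization header"` contains a space, so the generated help will print `<authorization header>` where every other option prints a single token such as `<url>` or `<hours>`. Suggest `"header"`. While here, the unchanged line above has a pre-existing "the the" typo.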

Expand Down Expand Up @@ -1600,5 +1603,10 @@ public static class ARGUMENT {
* suppressions file .
*/
public static final String HOSTED_SUPPRESSIONS_URL = "hostedSuppressionsUrl";
/**
* The CLI argument to set the location of a mirrored hosted
* suppressions file authorization header.
*/
public static final String HOSTED_SUPPRESSIONS_AUTH_HEADER = "hostedSuppressionsAuthHeader";
}
}
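Review bot: the Javadoc for `HOSTED_SUPPRESSIONS_AUTH_HEADER` says "to set the location of a mirrored hosted suppressions file authorization header", which was copied from the URL constant; this argument sets the header value, not a location. Suggest "The CLI argument to set the authorization header used when fetching a mirrored hosted suppressions file."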
1 change: 1 addition & 0 deletions cli/src/main/resources/completion-for-dependency-check.sh
Expand Up @@ -78,6 +78,7 @@ _odc_completions()
--hostedSuppressionsForceUpdate
--hostedSuppressionsValidForHours <hours>
--hostedSuppressionsUrl <url>
--hostedSuppressionsAuthHeader <authorization header>
--junitFailOnCVSS <score>
-l --log
-n --noupdate
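Review bot: the completion entry `--hostedSuppressionsAuthHeader <authorization header>` introduces a placeholder with an embedded space; if `_odc_completions` builds its word list by whitespace splitting, `<authorization` and `header>` become two bogus completions. Use a single-token placeholder (`<header>`) consistent with `<url>` and `<hours>`.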
1 change: 1 addition & 0 deletions cli/src/site/markdown/arguments.md
Expand Up @@ -130,3 +130,4 @@ Advanced Options
| | \-\-hostedSuppressionsForceUpdate | | Whether the hosted suppressions file will update regardless of the `noupdate` argument. | false |
| | \-\-hostedSuppressionsValidForHours | \<hours\> | The number of hours to wait before checking for new updates of the hosted suppressions file | 2 |
| | \-\-hostedSuppressionsUrl | \<url\> | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml |
| | \-\-hostedSuppressionsAuthHeader | \<authorization header\> | The authorization header to a mirrored copy of the hosted suppressions file for internet-constrained environments | |
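Review bot: same multi-word placeholder issue as in CliParser and the completion script (`\<authorization header\>`); more importantly, this row documents passing a credential as a command-line argument, which is visible in process listings and shell history on shared CI runners. The row should say so, point to a less exposed way of supplying the value (a properties file or environment variable), and state the expected value format, which the description currently leaves open.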
Original file line number Diff line number Diff line change
Expand Up @@ -132,7 +132,11 @@ private void fetchHostedSuppressions(Settings settings, URL repoUrl, File repoFi
if (LOGGER.isDebugEnabled()) {
LOGGER.debug("Hosted Suppressions URL: {}", repoUrl.toExternalForm());
}
Downloader.getInstance().fetchFile(repoUrl, repoFile);
LOGGER.trace("Downloading Hosted Suppressions file from '{}'", repoUrl);
Downloader.getInstance().fetchFile(repoUrl, repoFile,
settings.useProxy(),
Settings.KEYS.HOSTED_SUPPRESSIONS_USER, Settings.KEYS.HOSTED_SUPPRESSIONS_PASSWORD,
Downloader.NO_PROPERTY_DEFINED, Settings.KEYS.HOSTED_SUPPRESSIONS_AUTH_HEADER);
} catch (IOException | TooManyRequestsException | ResourceNotFoundException | WriteLockException ex) {
throw new UpdateException("Failed to update the hosted suppressions file", ex);
}
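Review bot: the new `fetchFile` call references `Settings.KEYS.HOSTED_SUPPRESSIONS_USER` and `Settings.KEYS.HOSTED_SUPPRESSIONS_PASSWORD`, yet neither they nor `Settings.KEYS.HOSTED_SUPPRESSIONS_AUTH_HEADER` are added anywhere in this diff (the Settings change is not shown), so confirm they exist and that the positional order (user key, password key, `NO_PROPERTY_DEFINED`, auth-header key) matches the overload's signature; a swapped position would silently read the credential from the wrong key. Also, the added `LOGGER.trace("Downloading Hosted Suppressions file from '{}'", repoUrl)` duplicates the debug line three lines above; keep one. It is good that only the URL is logged and never the header value; please keep it that way in any further logging.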
Original file line number Diff line number Diff line change
Expand Up @@ -1026,6 +1026,12 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
@SuppressWarnings("CanBeFinal")
@Parameter(property = "hostedSuppressionsUrl")
private String hostedSuppressionsUrl;
/**
* The hosted suppressions authorization header.
*/
@SuppressWarnings("CanBeFinal")
@Parameter(property = "hostedSuppressionsAuthHeader")
private String hostedSuppressionsAuthHeader;
/**
* Whether the hosted suppressions file will be updated regardless of the
* `autoupdate` settings.
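Review bot: the `hostedSuppressionsAuthHeader` Maven parameter is documented only as "The hosted suppressions authorization header". Because it is an `@Parameter(property = ...)` it can be set from the pom or via `-D`, and a pom-committed credential is a common leak path; the Javadoc should state the expected format and recommend supplying it through `settings.xml` or a CI-injected property rather than hard-coding it. Consider whether a server-id style parameter resolving credentials from settings.xml, as the Maven docs table already offers for RetireJS (`retireJsUrlServerId`), would be the more conventional Maven approach.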
Expand Down Expand Up @@ -2379,6 +2385,7 @@ protected void populateSettings() {
}
settings.setIntIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_VALID_FOR_HOURS, hostedSuppressionsValidForHours);
settings.setStringIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_URL, hostedSuppressionsUrl);
settings.setStringIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_AUTH_HEADER, hostedSuppressionsAuthHeader);
settings.setBooleanIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_FORCEUPDATE, hostedSuppressionsForceUpdate);
settings.setBooleanIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_ENABLED, hostedSuppressionsEnabled);
}
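Review bot: the Maven side uses `setStringIfNotNull` while the Ant task uses `setStringIfNotEmpty` for the same key, so an empty `hostedSuppressionsAuthHeader` in a pom would be stored as "" and handed to the downloader; align the two (probably on the IfNotEmpty behaviour) so that an empty value means "unset" in both integrations.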
1 change: 1 addition & 0 deletions maven/src/site/markdown/configuration.md
Expand Up @@ -173,6 +173,7 @@ databasePassword | The password used when connecting to the database.
hostedSuppressionsEnabled | Whether the hosted suppressions file will be used. | true
hostedSuppressionsForceUpdate | Whether the hosted suppressions file will update regardless of the `autoupdate` setting. | false
hostedSuppressionsUrl | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments. | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
hostedSuppressionsAuthHeader | The authorization header to a mirrored copy of the hosted suppressions file for internet-constrained environments. |
hostedSuppressionsValidForHours| Sets the number of hours to wait before checking for new updates from the NVD. | 2
retireJsUrlServerId | The id of a server defined in the settings.xml to retrieve the credentials (username and password) to connect to RetireJS instance. | &nbsp;
retireJsUser | If you don't want register user/password in settings.xml, you can specify user. | &nbsp;
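Review bot: the new row has the same unspecified value format noted for the other doc tables. Pre-existing, but since this table is being edited: the `hostedSuppressionsValidForHours` row above says "new updates from the NVD" when it concerns the hosted suppressions file; fix it in the same change.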