Author: jleroux
Date: Sat Feb 11 13:23:20 2017 New Revision: 1782604 URL: http://svn.apache.org/viewvc?rev=1782604&view=rev Log: No functional change, updates and removes some now useless files Removed: ofbiz/trunk/tools/security/dependency-check/check.bat ofbiz/trunk/tools/security/dependency-check/suppress.xml Modified: ofbiz/trunk/tools/security/dependency-check/NOTICE.txt ofbiz/trunk/tools/security/dependency-check/README.md ofbiz/trunk/tools/security/dependency-check/README.txt Modified: ofbiz/trunk/tools/security/dependency-check/NOTICE.txt URL: http://svn.apache.org/viewvc/ofbiz/trunk/tools/security/dependency-check/NOTICE.txt?rev=1782604&r1=1782603&r2=1782604&view=diff ============================================================================== --- ofbiz/trunk/tools/security/dependency-check/NOTICE.txt (original) +++ ofbiz/trunk/tools/security/dependency-check/NOTICE.txt Sat Feb 11 13:23:20 2017 @@ -1,8 +1,8 @@ -dependency-check-cli +dependency-check -Copyright (c) 2013 Jeremy Long. All Rights Reserved. +Copyright (c) 2012-2013 Jeremy Long. All Rights Reserved. -The licenses for the software listed below can be found in the licenses. +The licenses for the software listed below can be found in the META-INF/licenses/[dependency name]. This product includes software developed by The Apache Software Foundation (http://www.apache.org/). Modified: ofbiz/trunk/tools/security/dependency-check/README.md URL: http://svn.apache.org/viewvc/ofbiz/trunk/tools/security/dependency-check/README.md?rev=1782604&r1=1782603&r2=1782604&view=diff ============================================================================== --- ofbiz/trunk/tools/security/dependency-check/README.md (original) +++ ofbiz/trunk/tools/security/dependency-check/README.md Sat Feb 11 13:23:20 2017 
@@ -1,24 +1,120 @@ -Dependency-Check Command Line +Dependency-Check ================ -Dependency-Check Command Line can be used to check project dependencies for published security vulnerabilities. The checks -performed are a "best effort" and as such, there could be false positives as well as false negatives. However, -vulnerabilities in 3rd party components is a well-known problem and is currently documented in the 2013 OWASP -Top 10 as [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities). -Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-cli/installation.html). +Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries. + +Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/). Additionally, more information about the architecture and ways to extend dependency-check can be found on the [wiki]. + +Current Releases +------------- +### Jenkins Plugin + +For instructions on the use of the Jenkins plugin please see the [OWASP Dependency-Check Plugin page](https://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin). + +### Command Line + +More detailed instructions can be found on the +[dependency-check github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-cli/). +The latest CLI can be downloaded from bintray's +[dependency-check page](https://bintray.com/jeremy-long/owasp/dependency-check). + +On *nix +``` +$ ./bin/dependency-check.sh -h +$ ./bin/dependency-check.sh --app Testing --out . 
--scan [path to jar files to be scanned] +``` +On Windows +``` +> bin/dependency-check.bat -h +> bin/dependency-check.bat --app Testing --out . --scan [path to jar files to be scanned] +``` +On Mac with [Homebrew](http://brew.sh) +``` +$ brew update && brew install dependency-check +$ dependency-check -h +$ dependency-check --app Testing --out . --scan [path to jar files to be scanned] +``` + +### Maven Plugin + +More detailed instructions can be found on the [dependency-check-maven github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-maven). +The plugin can be configured using the following: + +```xml +<project> + <build> + <plugins> + ... + <plugin> + <groupId>org.owasp</groupId> + <artifactId>dependency-check-maven</artifactId> + <executions> + <execution> + <goals> + <goal>check</goal> + </goals> + </execution> + </executions> + </plugin> + ... + </plugins> + ... + </build> + ... +</project> +``` + +### Ant Task + +For instructions on the use of the Ant Task, please see the [dependency-check-ant github page](http://jeremylong.github.io/DependencyCheck/dependency-check-ant). + +Development Usage +------------- +The following instructions outline how to compile and use the current snapshot. While every intention is to maintain a stable snapshot it is recommended +that the release versions listed above be used. + +The repository has some large files due to test resources. The team has tried to cleanup the history as much as possible. +However, it is recommended that you perform a shallow clone to save yourself time: + +```bash +git clone --depth 1 [hidden email]:jeremylong/DependencyCheck.git +``` + +On *nix +``` +$ mvn install +$ ./dependency-check-cli/target/release/bin/dependency-check.sh -h +$ ./dependency-check-cli/target/release/bin/dependency-check.sh --app Testing --out . 
--scan ./src/test/resources +``` +On Windows +``` +> mvn install +> dependency-check-cli/target/release/bin/dependency-check.bat -h +> dependency-check-cli/target/release/bin/dependency-check.bat --app Testing --out . --scan ./src/test/resources +``` + +Then load the resulting 'DependencyCheck-Report.html' into your favorite browser. Mailing List ------------ -Subscribe: [[hidden email]](mailto:[hidden email]) +Subscribe: [[hidden email]] [subscribe] + +Post: [[hidden email]] [post] -Post: [[hidden email]](mailto:[hidden email]) +Archive: [google group](https://groups.google.com/forum/#!forum/dependency-check) Copyright & License ------------- +- + +Dependency-Check is Copyright (c) 2012-2015 Jeremy Long. All Rights Reserved. + +Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-cli/blob/master/LICENSE.txt) file for the full license. -Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved. +Dependency-Check makes use of several other open source libraries. Please see the [NOTICE.txt] [notices] file for more information. -Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license. -Dependency-Check Command Line makes use of other open source libraries. Please see the [NOTICE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/dependency-check-cli/NOTICE.txt) file for more information. 
+ [wiki]: https://github.com/jeremylong/DependencyCheck/wiki + [subscribe]: mailto:[hidden email] + [post]: mailto:[hidden email] + [notices]: https://github.com/jeremylong/DependencyCheck/blob/master/NOTICES.txt Modified: ofbiz/trunk/tools/security/dependency-check/README.txt URL: http://svn.apache.org/viewvc/ofbiz/trunk/tools/security/dependency-check/README.txt?rev=1782604&r1=1782603&r2=1782604&view=diff ============================================================================== --- ofbiz/trunk/tools/security/dependency-check/README.txt (original) +++ ofbiz/trunk/tools/security/dependency-check/README.txt Sat Feb 11 13:23:20 2017 @@ -1,4 +1,2 @@ -This is only given as an example. It uses the https://www.owasp.org/index.php/OWASP_Dependency_Check command line option -To have it working you must have the dependency-check command line option correctly installed. - +This is only given as an example. It uses the Gradle dependency check gradle plugin. https://plugins.gradle.org/plugin/dependency.check In any cases be sure to check https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check \ No newline at end of file |
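Review bot: the NOTICE.txt hunk sets the copyright line to "Copyright (c) 2012-2013 Jeremy Long" while the README.md hunk in the same commit states "Copyright (c) 2012-2015 Jeremy Long", so the two files now disagree about the year range of the same upstream project; take both from the same upstream release. The new line "The licenses for the software listed below can be found in the META-INF/licenses/[dependency name]." is a path relative to the upstream distribution archive, and this commit only removes and modifies files (no Added section), so nothing creates a META-INF/licenses directory next to this NOTICE.txt in ofbiz/trunk/tools/security/dependency-check; either keep the old wording or point at the upstream location explicitly.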
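Review bot: in the README.md hunk the LICENSE.txt link in the Copyright & License section is malformed: `https://github.com/jeremylong/DependencyCheck/dependency-check-cli/blob/master/LICENSE.txt` places the subdirectory before the `blob/master` segment, which GitHub does not accept (the segment must follow the repository name directly); the removed line had a working URL, `https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt`, and the `[notices]` reference at the end of the hunk targets `NOTICES.txt` while the file committed alongside is `NOTICE.txt`, so verify both targets against the upstream repository before importing its README. The new README also documents the Jenkins plugin, command line, Maven plugin and Ant task but says nothing about the Gradle plugin that README.txt in this same commit says OFBiz now uses, so a developer opening this directory gets installation instructions for a front-end OFBiz no longer invokes; a one-line pointer to https://plugins.gradle.org/plugin/dependency.check or to the cwiki page would avoid that.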
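Review bot: in the README.txt hunk the new sentence "It uses the Gradle dependency check gradle plugin." repeats "gradle", "In any cases" should read "In any case", and the file loses its trailing newline ("\ No newline at end of file"). More importantly, the commit removes tools/security/dependency-check/suppress.xml but the text does not say where false-positive suppressions now live for the Gradle plugin; if the plugin configuration does not reference an equivalent suppression file, every finding that suppress.xml silenced will reappear in the next report. State the new location here, or say explicitly that no suppressions are carried over.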