24 changes: 24 additions & 0 deletions ant/src/main/java/org/owasp/dependencycheck/taskdefs/Purge.java
@@ -62,6 +62,11 @@ public class Purge extends Task {
*/
private String hostedSuppressionsUrl = null;

/**
* The authorization header to hosted suppressions file with base FP suppressions.
*/
private String hostedSuppressionsAuthHeader = null;

/**
* Construct a new DependencyCheckTask.
*/
@@ -131,6 +136,24 @@ public void setHostedSuppressionsUrl(final String hostedSuppressionsUrl) {
this.hostedSuppressionsUrl = hostedSuppressionsUrl;
}

/**
* Get the value of hostedSuppressionsAuthHeader.
*
* @return the value of hostedSuppressionsAuthHeader
*/
public String getHostedSuppressionsAuthHeader() {
return hostedSuppressionsAuthHeader;
}

/**
* Set the value of hostedSuppressionsAuthHeader.
*
* @param hostedSuppressionsUrl new value of hostedSuppressionsAuthHeader
*/
public void setHostedSuppressionsAuthHeader(final String hostedSuppressionsAuthHeader) {
this.hostedSuppressionsAuthHeader = hostedSuppressionsAuthHeader;
}

/**
* Sets the
* {@link Thread#getContextClassLoader() Thread Context Class Loader} to the
@@ -214,6 +237,7 @@ protected void populateSettings() throws BuildException {
log(msg, ex, Project.MSG_WARN);
}
settings.setStringIfNotEmpty(Settings.KEYS.HOSTED_SUPPRESSIONS_URL, hostedSuppressionsUrl);
settings.setStringIfNotEmpty(Settings.KEYS.HOSTED_SUPPRESSIONS_AUTH_HEADER, hostedSuppressionsAuthHeader);
if (dataDirectory != null) {
settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
} else {
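Review bot: The Javadoc on `setHostedSuppressionsAuthHeader` names the wrong parameter: it reads `@param hostedSuppressionsUrl new value of hostedSuppressionsAuthHeader`, apparently copied from the URL setter, and should be `@param hostedSuppressionsAuthHeader new value of hostedSuppressionsAuthHeader`. The field comment would also read more clearly as `The authorization header used when downloading the hosted suppressions file.` Because this attribute holds a credential, the comments should say that the value is expected to come from an Ant property defined outside the committed build file rather than being written literally in build.xml. The class and `populateSettings` continue outside the hunks shown.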
7 changes: 4 additions & 3 deletions ant/src/site/markdown/config-purge.md
@@ -23,6 +23,7 @@ Advanced Configuration
====================
The following properties can be configured in the plugin. However, they are less frequently changed.

Property | Description | Default Value
----------------------|--------------------------------------------------------------------------------------------------|------------------
hostedSuppressionsUrl | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
Property | Description | Default Value
-----------------------------|--------------------------------------------------------------------------------------------------|------------------
hostedSuppressionsUrl | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
hostedSuppressionsAuthHeader | The authorization header to a mirrored copy of the hosted suppressions file for internet-constrained environments |
1 change: 1 addition & 0 deletions ant/src/site/markdown/config-update.md
@@ -51,5 +51,6 @@ databaseUser | The username used when connecting to the database.
databasePassword | The password used when connecting to the database. |  
hostedSuppressionsEnabled | Whether the hosted suppression file will be used. | true
hostedSuppressionsUrl | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
hostedSuppressionsAuthHeader | The authorization header to a mirrored copy of the hosted suppressions file for internet-constrained environments |
hostedSuppressionsValidForHours | Sets the number of hours to wait before checking for new updates of the hosted suppressions file | 2
hostedSuppressionsForceUpdate | Sets whether the hosted suppressions file should update regardless of the `autoupdate` and validForHours settings | false
1 change: 1 addition & 0 deletions ant/src/site/markdown/configuration.md
@@ -164,5 +164,6 @@ databaseUser | The username used when connecting to the database.
databasePassword | The password used when connecting to the database. |  
hostedSuppressionsEnabled | Whether the hosted suppression file will be used. | true
hostedSuppressionsUrl | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
hostedSuppressionsAuthHeader | The authorization header to a mirrored copy of the hosted suppressions file for internet-constrained environments |
hostedSuppressionsValidForHours | Sets the number of hours to wait before checking for new updates of the hosted suppressions file | 2
hostedSuppressionsForceUpdate | Sets whether the hosted suppressions file should update regardless of the `autoupdate` and validForHours settings | false
10 changes: 9 additions & 1 deletion cli/src/main/java/org/owasp/dependencycheck/CliParser.java
@@ -530,7 +530,10 @@ private void addAdvancedOptions(final Options options) {
.addOption(newOptionWithArg(ARGUMENT.HOSTED_SUPPRESSIONS_VALID_FOR_HOURS, "hours",
"The number of hours to wait before checking for new updates of the the hosted suppressions file."))
.addOption(newOptionWithArg(ARGUMENT.HOSTED_SUPPRESSIONS_URL, "url",
"The URL for a mirrored hosted suppressions file"));
"The URL for a mirrored hosted suppressions file"))
.addOption(newOptionWithArg(ARGUMENT.HOSTED_SUPPRESSIONS_AUTH_HEADER, "authorization header",
"The authorization header for a mirrored hosted suppressions file"))
;

}

@@ -1600,5 +1603,10 @@ public static class ARGUMENT {
* suppressions file .
*/
public static final String HOSTED_SUPPRESSIONS_URL = "hostedSuppressionsUrl";
/**
* The CLI argument to set the location of a mirrored hosted
* suppressions file authorization header.
*/
public static final String HOSTED_SUPPRESSIONS_AUTH_HEADER = "hostedSuppressionsAuthHeader";
}
}
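Review bot: `--hostedSuppressionsAuthHeader` takes the credential as a command-line argument, so the value can end up in process listings, shell history and CI job logs. The description passed to `newOptionWithArg(ARGUMENT.HOSTED_SUPPRESSIONS_AUTH_HEADER, ...)` should say so, for example `"The authorization header for a mirrored hosted suppressions file; the value is a secret, prefer a properties file over the command line"`. None of the hunks visible on this page reads the new argument back into `Settings.KEYS.HOSTED_SUPPRESSIONS_AUTH_HEADER`, so it is worth confirming that this wiring exists in a file not shown here. Minor points: the Javadoc on the constant says it sets "the location" of the header, and the `;` left on its own line after the last `.addOption(...)` breaks the style of the chain. `addAdvancedOptions` starts outside the hunk.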
1 change: 1 addition & 0 deletions cli/src/main/resources/completion-for-dependency-check.sh
@@ -78,6 +78,7 @@ _odc_completions()
--hostedSuppressionsForceUpdate
--hostedSuppressionsValidForHours <hours>
--hostedSuppressionsUrl <url>
--hostedSuppressionsAuthHeader <authorization header>
--junitFailOnCVSS <score>
-l --log
-n --noupdate
1 change: 1 addition & 0 deletions cli/src/site/markdown/arguments.md
@@ -130,3 +130,4 @@ Advanced Options
| | \-\-hostedSuppressionsForceUpdate | | Whether the hosted suppressions file will update regardless of the `noupdate` argument. | false |
| | \-\-hostedSuppressionsValidForHours | \<hours\> | The number of hours to wait before checking for new updates of the hosted suppressions file | 2 |
| | \-\-hostedSuppressionsUrl | \<url\> | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml |
| | \-\-hostedSuppressionsAuthHeader | \<authorization header\> | The authorization header to a mirrored copy of the hosted suppressions file for internet-constrained environments | |
@@ -132,7 +132,11 @@ private void fetchHostedSuppressions(Settings settings, URL repoUrl, File repoFi
if (LOGGER.isDebugEnabled()) {
LOGGER.debug("Hosted Suppressions URL: {}", repoUrl.toExternalForm());
}
Downloader.getInstance().fetchFile(repoUrl, repoFile);
LOGGER.trace("Downloading Hosted Suppressions file from '{}'", repoUrl);
Downloader.getInstance().fetchFile(repoUrl, repoFile,
settings.useProxy(),
Settings.KEYS.HOSTED_SUPPRESSIONS_USER, Settings.KEYS.HOSTED_SUPPRESSIONS_PASSWORD,
Downloader.NO_PROPERTY_DEFINED, Settings.KEYS.HOSTED_SUPPRESSIONS_AUTH_HEADER);
} catch (IOException | TooManyRequestsException | ResourceNotFoundException | WriteLockException ex) {
throw new UpdateException("Failed to update the hosted suppressions file", ex);
}
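Review bot: Nothing in this hunk checks the scheme of `repoUrl` before the configured credentials are handed to `Downloader.getInstance().fetchFile(...)`, so a mirror configured with an `http://` URL would presumably receive the authorization header in cleartext. A guard ahead of the fetch would make that visible, for example `if (settings.getString(Settings.KEYS.HOSTED_SUPPRESSIONS_AUTH_HEADER) != null && !"https".equalsIgnoreCase(repoUrl.getProtocol())) { LOGGER.warn("Hosted suppressions credentials are configured for a non-HTTPS URL"); }`. How `Downloader` handles a redirect to a different host is not visible here and should be confirmed, since the header should not follow a redirect away from the configured mirror. The added `LOGGER.trace` line repeats the URL already written by the `LOGGER.debug` call directly above it and could be dropped. `fetchHostedSuppressions` begins and ends outside the hunk.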
@@ -1026,6 +1026,12 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
@SuppressWarnings("CanBeFinal")
@Parameter(property = "hostedSuppressionsUrl")
private String hostedSuppressionsUrl;
/**
* The hosted suppressions authorization header.
*/
@SuppressWarnings("CanBeFinal")
@Parameter(property = "hostedSuppressionsAuthHeader")
private String hostedSuppressionsAuthHeader;
/**
* Whether the hosted suppressions file will be updated regardless of the
* `autoupdate` settings.
@@ -2379,6 +2385,7 @@ protected void populateSettings() {
}
settings.setIntIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_VALID_FOR_HOURS, hostedSuppressionsValidForHours);
settings.setStringIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_URL, hostedSuppressionsUrl);
settings.setStringIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_AUTH_HEADER, hostedSuppressionsAuthHeader);
settings.setBooleanIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_FORCEUPDATE, hostedSuppressionsForceUpdate);
settings.setBooleanIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_ENABLED, hostedSuppressionsEnabled);
}
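Review bot: `hostedSuppressionsAuthHeader` is a plain `@Parameter(property = "hostedSuppressionsAuthHeader")`, so the secret has to be written into the POM or passed as a `-D` property. By contrast, the plugin's configuration page in this commit lists `retireJsUrlServerId`, which lets the RetireJS credentials come from a `settings.xml` server entry. Consider a server-id based alternative for the hosted suppressions mirror. At minimum, extend the Javadoc, which currently says only `The hosted suppressions authorization header.`, to state the expected value format and that it is a credential which should not be committed in the POM. Maven's debug output can include mojo configuration, so the value may also reach build logs when `-X` is used. The class and `populateSettings` continue outside the hunks shown.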
1 change: 1 addition & 0 deletions maven/src/site/markdown/configuration.md
@@ -173,6 +173,7 @@ databasePassword | The password used when connecting to the database.
hostedSuppressionsEnabled | Whether the hosted suppressions file will be used. | true
hostedSuppressionsForceUpdate | Whether the hosted suppressions file will update regardless of the `autoupdate` setting. | false
hostedSuppressionsUrl | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments. | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
hostedSuppressionsAuthHeader | The authorization header to a mirrored copy of the hosted suppressions file for internet-constrained environments. |
hostedSuppressionsValidForHours| Sets the number of hours to wait before checking for new updates from the NVD. | 2
retireJsUrlServerId | The id of a server defined in the settings.xml to retrieve the credentials (username and password) to connect to RetireJS instance. | &nbsp;
retireJsUser | If you don't want register user/password in settings.xml, you can specify user. | &nbsp;