/*
* This file is part of dependency-check-utils.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright (c) 2012 Jeremy Long. All Rights Reserved.
*/
package org.owasp.dependencycheck.utils;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.io.PrintWriter;
import java.io.StringWriter;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.ProtectionDomain;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;
import java.util.Properties;
import java.util.UUID;
import java.util.function.Predicate;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
/**
* A simple settings container that wraps the dependencycheck.properties file.
*
* @author Jeremy Long
* @version $Id: $Id
*/
public final class Settings {
/**
* The logger.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(Settings.class);
/**
* The properties file location.
*/
private static final String PROPERTIES_FILE = "dependencycheck.properties";
/**
* Array separator.
*/
private static final String ARRAY_SEP = ",";
/**
* The properties.
*/
private Properties props = null;
/**
* The collection of properties that should be masked when logged.
*/
private List<Predicate<String>> maskedKeys;
/**
* A reference to the temporary directory; used in case it needs to be
* deleted during cleanup.
*/
private File tempDirectory = null;
/**
* Reference to a utility class used to convert objects to json.
*/
private final ObjectMapper objectMapper = new ObjectMapper();
//<editor-fold defaultstate="collapsed" desc="KEYS used to access settings">
/**
* The collection of keys used within the properties file.
*/
//suppress hard-coded password rule
@SuppressWarnings("squid:S2068")
public static final class KEYS {
/**
* The key to obtain the application name.
*/
public static final String APPLICATION_NAME = "odc.application.name";
/**
* The key to obtain the application version.
*/
public static final String APPLICATION_VERSION = "odc.application.version";
/**
* The key to obtain the URL to retrieve the current release version
* from.
*/
public static final String ENGINE_VERSION_CHECK_URL = "engine.version.url";
/**
* The properties key indicating whether or not the cached data sources
* should be updated.
*/
public static final String AUTO_UPDATE = "odc.autoupdate";
/**
* The database driver class name. If this is not in the properties file
* the embedded database is used.
*/
public static final String DB_DRIVER_NAME = "data.driver_name";
/**
* The database driver class name. If this is not in the properties file
* the embedded database is used.
*/
public static final String DB_DRIVER_PATH = "data.driver_path";
/**
* The database connection string. If this is not in the properties file
* the embedded database is used.
*/
public static final String DB_CONNECTION_STRING = "data.connection_string";
/**
* The username to use when connecting to the database.
*/
public static final String DB_USER = "data.user";
/**
* The password to authenticate to the database.
*/
public static final String DB_PASSWORD = "data.password";
/**
* The base path to use for the data directory (for embedded db and
* other cached resources from the Internet).
*/
public static final String DATA_DIRECTORY = "data.directory";
/**
* The base path to use for the H2 data directory (for embedded db).
*/
public static final String H2_DATA_DIRECTORY = "data.h2.directory";
/**
* The database file name.
*/
public static final String DB_FILE_NAME = "data.file_name";
/**
* The database schema version.
*/
public static final String DB_VERSION = "data.version";
/**
* The starts with filter used to exclude CVE entries from the database.
* By default this is set to 'cpe:2.3:a:' which limits the CVEs imported
* to just those that are related to applications. If this were set to
* just 'cpe:2.3:' the OS, hardware, and application related CVEs would
* be imported.
*/
public static final String CVE_CPE_STARTS_WITH_FILTER = "cve.cpe.startswith.filter";
/**
* The NVD API Endpoint.
*/
public static final String NVD_API_ENDPOINT = "nvd.api.endpoint";
/**
* API Key for the NVD API.
*/
public static final String NVD_API_KEY = "nvd.api.key";
/**
* The delay between requests for the NVD API.
*/
public static final String NVD_API_DELAY = "nvd.api.delay";
/**
* The maximum number of retry requests for a single call to the NVD
* API.
*/
public static final String NVD_API_MAX_RETRY_COUNT = "nvd.api.max.retry.count";
/**
* The properties key to control the skipping of the check for NVD
* updates.
*/
public static final String NVD_API_VALID_FOR_HOURS = "nvd.api.check.validforhours";
/**
* The properties key that indicates how often the NVD API data feed
* needs to be updated before a full refresh is evaluated.
*/
public static final String NVD_API_DATAFEED_VALID_FOR_DAYS = "nvd.api.datafeed.validfordays";
/**
* The URL for the NVD API Data Feed.
*/
public static final String NVD_API_DATAFEED_URL = "nvd.api.datafeed.url";
/**
* The username to use when connecting to the NVD Data feed.
*/
public static final String NVD_API_DATAFEED_USER = "nvd.api.datafeed.user";
/**
* The password to authenticate to the NVD Data feed.
*/
public static final String NVD_API_DATAFEED_PASSWORD = "nvd.api.datafeed.password";
/**
* The starting year for the NVD CVE Data feed cache.
*/
public static final String NVD_API_DATAFEED_START_YEAR = "nvd.api.datafeed.startyear";
//END NEW
/**
* The key to determine if the NVD CVE analyzer is enabled.
*/
public static final String ANALYZER_NVD_CVE_ENABLED = "analyzer.nvdcve.enabled";
/**
* The properties key that indicates how often the CPE data needs to be
* updated.
*/
public static final String CPE_MODIFIED_VALID_FOR_DAYS = "cpe.validfordays";
/**
* The properties key for the URL to retrieve the CPE.
*/
public static final String CPE_URL = "cpe.url";
/**
* The properties key for the URL to retrieve the Known Exploited
* Vulnerabilities..
*/
public static final String KEV_URL = "kev.url";
/**
* The properties key to control the skipping of the check for Known
* Exploited Vulnerabilities updates.
*/
public static final String KEV_CHECK_VALID_FOR_HOURS = "kev.check.validforhours";
/**
* Whether or not if using basic auth with a proxy the system setting
* 'jdk.http.auth.tunneling.disabledSchemes' should be set to an empty
* string.
*/
public static final String PROXY_DISABLE_SCHEMAS = "proxy.disableSchemas";
/**
* The properties key for the proxy server.
*/
public static final String PROXY_SERVER = "proxy.server";
/**
* The properties key for the proxy port - this must be an integer
* value.
*/
public static final String PROXY_PORT = "proxy.port";
/**
* The properties key for the proxy username.
*/
public static final String PROXY_USERNAME = "proxy.username";
/**
* The properties key for the proxy password.
*/
public static final String PROXY_PASSWORD = "proxy.password";
/**
* The properties key for the non proxy hosts.
*/
public static final String PROXY_NON_PROXY_HOSTS = "proxy.nonproxyhosts";
/**
* The properties key for the connection timeout.
*/
public static final String CONNECTION_TIMEOUT = "connection.timeout";
/**
* The properties key for the connection read timeout.
*/
public static final String CONNECTION_READ_TIMEOUT = "connection.read.timeout";
/**
* The location of the temporary directory.
*/
public static final String TEMP_DIRECTORY = "temp.directory";
/**
* The maximum number of threads to allocate when downloading files.
*/
public static final String MAX_DOWNLOAD_THREAD_POOL_SIZE = "max.download.threads";
/**
* The properties key for the analysis timeout.
*/
public static final String ANALYSIS_TIMEOUT = "odc.analysis.timeout";
/**
* The key for the suppression file.
*/
public static final String SUPPRESSION_FILE = "suppression.file";
/**
* The username used when connecting to the suppressionFiles.
*/
public static final String SUPPRESSION_FILE_USER = "suppression.file.user";
/**
* The password used when connecting to the suppressionFiles.
*/
public static final String SUPPRESSION_FILE_PASSWORD = "suppression.file.password";
/**
* The key for the whether the hosted suppressions file datasource is
* enabled.
*/
public static final String HOSTED_SUPPRESSIONS_ENABLED = "hosted.suppressions.enabled";
/**
* The key for the hosted suppressions file URL.
*/
public static final String HOSTED_SUPPRESSIONS_URL = "hosted.suppressions.url";
/**
* The properties key for defining whether the hosted suppressions file
* will be updated regardless of the autoupdate settings.
*/
public static final String HOSTED_SUPPRESSIONS_FORCEUPDATE = "hosted.suppressions.forceupdate";
/**
* The properties key to control the skipping of the check for hosted
* suppressions file updates.
*/
public static final String HOSTED_SUPPRESSIONS_VALID_FOR_HOURS = "hosted.suppressions.validforhours";
/**
* The key for the hint file.
*/
public static final String HINTS_FILE = "hints.file";
/**
* The key for the property that controls what CVSS scores are
* considered failing test cases for the JUNIT repor.
*/
public static final String JUNIT_FAIL_ON_CVSS = "junit.fail.on.cvss";
/**
* The properties key for whether the Jar Analyzer is enabled.
*/
public static final String ANALYZER_JAR_ENABLED = "analyzer.jar.enabled";
/**
* The properties key for whether the Known Exploited Vulnerability
* Analyzer is enabled.
*/
public static final String ANALYZER_KNOWN_EXPLOITED_ENABLED = "analyzer.knownexploited.enabled";
/**
* The properties key for whether experimental analyzers are loaded.
*/
public static final String ANALYZER_EXPERIMENTAL_ENABLED = "analyzer.experimental.enabled";
/**
* The properties key for whether experimental analyzers are loaded.
*/
public static final String ANALYZER_RETIRED_ENABLED = "analyzer.retired.enabled";
/**
* The properties key for whether the Archive analyzer is enabled.
*/
public static final String ANALYZER_ARCHIVE_ENABLED = "analyzer.archive.enabled";
/**
* The properties key for whether the node.js package analyzer is
* enabled.
*/
public static final String ANALYZER_NODE_PACKAGE_ENABLED = "analyzer.node.package.enabled";
/**
* The properties key for configure whether the Node Package analyzer
* should skip devDependencies.
*/
public static final String ANALYZER_NODE_PACKAGE_SKIPDEV = "analyzer.node.package.skipdev";
/**
* The properties key for whether the Node Audit analyzer is enabled.
*/
public static final String ANALYZER_NODE_AUDIT_ENABLED = "analyzer.node.audit.enabled";
/**
* The properties key for whether the Yarn Audit analyzer is enabled.
*/
public static final String ANALYZER_YARN_AUDIT_ENABLED = "analyzer.yarn.audit.enabled";
/**
* The properties key for whether the Pnpm Audit analyzer is enabled.
*/
public static final String ANALYZER_PNPM_AUDIT_ENABLED = "analyzer.pnpm.audit.enabled";
/**
* The properties key for supplying the URL to the Node Audit API.
*/
public static final String ANALYZER_NODE_AUDIT_URL = "analyzer.node.audit.url";
/**
* The properties key for configure whether the Node Audit analyzer
* should skip devDependencies.
*/
public static final String ANALYZER_NODE_AUDIT_SKIPDEV = "analyzer.node.audit.skipdev";
/**
* The properties key for whether node audit analyzer results will be
* cached.
*/
public static final String ANALYZER_NODE_AUDIT_USE_CACHE = "analyzer.node.audit.use.cache";
/**
* The properties key for whether the RetireJS analyzer is enabled.
*/
public static final String ANALYZER_RETIREJS_ENABLED = "analyzer.retirejs.enabled";
/**
* The properties key for whether the RetireJS analyzer file content
* filters.
*/
public static final String ANALYZER_RETIREJS_FILTERS = "analyzer.retirejs.filters";
/**
* The properties key for whether the RetireJS analyzer should filter
* out non-vulnerable dependencies.
*/
public static final String ANALYZER_RETIREJS_FILTER_NON_VULNERABLE = "analyzer.retirejs.filternonvulnerable";
/**
* The properties key for defining the URL to the RetireJS repository.
*/
public static final String ANALYZER_RETIREJS_REPO_JS_URL = "analyzer.retirejs.repo.js.url";
/**
* The properties key for the Nexus search credentials username.
*/
public static final String ANALYZER_RETIREJS_REPO_JS_USER = "analyzer.retirejs.repo.js.username";
/**
* The properties key for the Nexus search credentials password.
*/
public static final String ANALYZER_RETIREJS_REPO_JS_PASSWORD = "analyzer.retirejs.repo.js.password";
/**
* The properties key for defining whether the RetireJS repository will
* be updated regardless of the autoupdate settings.
*/
public static final String ANALYZER_RETIREJS_FORCEUPDATE = "analyzer.retirejs.forceupdate";
/**
* The properties key to control the skipping of the check for CVE
* updates.
*/
public static final String ANALYZER_RETIREJS_REPO_VALID_FOR_HOURS = "analyzer.retirejs.repo.validforhours";
/**
* The properties key for whether the PHP composer lock file analyzer is
* enabled.
*/
public static final String ANALYZER_COMPOSER_LOCK_ENABLED = "analyzer.composer.lock.enabled";
/**
* The properties key for whether the Perl CPAN file file analyzer is
* enabled.
*/
public static final String ANALYZER_CPANFILE_ENABLED = "analyzer.cpanfile.enabled";
/**
* The properties key for whether the Python Distribution analyzer is
* enabled.
*/
public static final String ANALYZER_PYTHON_DISTRIBUTION_ENABLED = "analyzer.python.distribution.enabled";
/**
* The properties key for whether the Python Package analyzer is
* enabled.
*/
public static final String ANALYZER_PYTHON_PACKAGE_ENABLED = "analyzer.python.package.enabled";
/**
* The properties key for whether the Elixir mix audit analyzer is
* enabled.
*/
public static final String ANALYZER_MIX_AUDIT_ENABLED = "analyzer.mix.audit.enabled";
/**
* The path to mix_audit, if available.
*/
public static final String ANALYZER_MIX_AUDIT_PATH = "analyzer.mix.audit.path";
/**
* The properties key for whether the Golang Mod analyzer is enabled.
*/
public static final String ANALYZER_GOLANG_MOD_ENABLED = "analyzer.golang.mod.enabled";
/**
* The path to go, if available.
*/
public static final String ANALYZER_GOLANG_PATH = "analyzer.golang.path";
/**
* The path to go, if available.
*/
public static final String ANALYZER_YARN_PATH = "analyzer.yarn.path";
/**
* The path to pnpm, if available.
*/
public static final String ANALYZER_PNPM_PATH = "analyzer.pnpm.path";
/**
* The properties key for whether the Golang Dep analyzer is enabled.
*/
public static final String ANALYZER_GOLANG_DEP_ENABLED = "analyzer.golang.dep.enabled";
/**
* The properties key for whether the Ruby Gemspec Analyzer is enabled.
*/
public static final String ANALYZER_RUBY_GEMSPEC_ENABLED = "analyzer.ruby.gemspec.enabled";
/**
* The properties key for whether the Autoconf analyzer is enabled.
*/
public static final String ANALYZER_AUTOCONF_ENABLED = "analyzer.autoconf.enabled";
/**
* The properties key for whether the maven_install.json analyzer is
* enabled.
*/
public static final String ANALYZER_MAVEN_INSTALL_ENABLED = "analyzer.maveninstall.enabled";
/**
* The properties key for whether the pip analyzer is enabled.
*/
public static final String ANALYZER_PIP_ENABLED = "analyzer.pip.enabled";
/**
* The properties key for whether the pipfile analyzer is enabled.
*/
public static final String ANALYZER_PIPFILE_ENABLED = "analyzer.pipfile.enabled";
/**
* The properties key for whether the Poetry analyzer is enabled.
*/
public static final String ANALYZER_POETRY_ENABLED = "analyzer.poetry.enabled";
/**
* The properties key for whether the CMake analyzer is enabled.
*/
public static final String ANALYZER_CMAKE_ENABLED = "analyzer.cmake.enabled";
/**
* The properties key for whether the Ruby Bundler Audit analyzer is
* enabled.
*/
public static final String ANALYZER_BUNDLE_AUDIT_ENABLED = "analyzer.bundle.audit.enabled";
/**
* The properties key for whether the .NET Assembly analyzer is enabled.
*/
public static final String ANALYZER_ASSEMBLY_ENABLED = "analyzer.assembly.enabled";
/**
* The properties key for whether the .NET Nuspec analyzer is enabled.
*/
public static final String ANALYZER_NUSPEC_ENABLED = "analyzer.nuspec.enabled";
/**
* The properties key for whether the .NET Nuget packages.config
* analyzer is enabled.
*/
public static final String ANALYZER_NUGETCONF_ENABLED = "analyzer.nugetconf.enabled";
/**
* The properties key for whether the Libman analyzer is enabled.
*/
public static final String ANALYZER_LIBMAN_ENABLED = "analyzer.libman.enabled";
/**
* The properties key for whether the .NET MSBuild Project analyzer is
* enabled.
*/
public static final String ANALYZER_MSBUILD_PROJECT_ENABLED = "analyzer.msbuildproject.enabled";
/**
* The properties key for whether the Nexus analyzer is enabled.
*/
public static final String ANALYZER_NEXUS_ENABLED = "analyzer.nexus.enabled";
/**
* The properties key for the Nexus search URL.
*/
public static final String ANALYZER_NEXUS_URL = "analyzer.nexus.url";
/**
* The properties key for the Nexus search credentials username.
*/
public static final String ANALYZER_NEXUS_USER = "analyzer.nexus.username";
/**
* The properties key for the Nexus search credentials password.
*/
public static final String ANALYZER_NEXUS_PASSWORD = "analyzer.nexus.password";
/**
* The properties key for using the proxy to reach Nexus.
*/
public static final String ANALYZER_NEXUS_USES_PROXY = "analyzer.nexus.proxy";
/**
* The properties key for whether the Artifactory analyzer is enabled.
*/
public static final String ANALYZER_ARTIFACTORY_ENABLED = "analyzer.artifactory.enabled";
/**
* The properties key for the Artifactory search URL.
*/
public static final String ANALYZER_ARTIFACTORY_URL = "analyzer.artifactory.url";
/**
* The properties key for the Artifactory username.
*/
public static final String ANALYZER_ARTIFACTORY_API_USERNAME = "analyzer.artifactory.api.username";
/**
* The properties key for the Artifactory API token.
*/
public static final String ANALYZER_ARTIFACTORY_API_TOKEN = "analyzer.artifactory.api.token";
/**
* The properties key for the Artifactory bearer token
* (https://www.jfrog.com/confluence/display/RTF/Access+Tokens). It can
* be generated using:
* <pre>curl -u yourUserName -X POST \
* "https://artifactory.techno.ingenico.com/artifactory/api/security/token" \
* -d "username=yourUserName"</pre>.
*/
public static final String ANALYZER_ARTIFACTORY_BEARER_TOKEN = "analyzer.artifactory.bearer.token";
/**
* The properties key for using the proxy to reach Artifactory.
*/
public static final String ANALYZER_ARTIFACTORY_USES_PROXY = "analyzer.artifactory.proxy";
/**
* The properties key for whether the Artifactory analyzer should use
* parallel processing.
*/
public static final String ANALYZER_ARTIFACTORY_PARALLEL_ANALYSIS = "analyzer.artifactory.parallel.analysis";
/**
* The properties key for whether the Central analyzer is enabled.
*/
public static final String ANALYZER_CENTRAL_ENABLED = "analyzer.central.enabled";
/**
* Key for the path to the local Maven repository.
*/
public static final String MAVEN_LOCAL_REPO = "odc.maven.local.repo";
/**
* Key for the URL to obtain content from Maven Central.
*/
public static final String CENTRAL_CONTENT_URL = "central.content.url";
/**
* The properties key for whether the Central analyzer should use
* parallel processing.
*/
public static final String ANALYZER_CENTRAL_PARALLEL_ANALYSIS = "analyzer.central.parallel.analysis";
/**
* The properties key for whether the Central analyzer should use
* parallel processing.
*/
public static final String ANALYZER_CENTRAL_RETRY_COUNT = "analyzer.central.retry.count";
/**
* The properties key for whether the OpenSSL analyzer is enabled.
*/
public static final String ANALYZER_OPENSSL_ENABLED = "analyzer.openssl.enabled";
/**
* The properties key for whether the cocoapods analyzer is enabled.
*/
public static final String ANALYZER_COCOAPODS_ENABLED = "analyzer.cocoapods.enabled";
/**
* The properties key for whether the SWIFT package manager analyzer is
* enabled.
*/
public static final String ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED = "analyzer.swift.package.manager.enabled";
/**
* The properties key for whether the SWIFT package resolved analyzer is
* enabled.
*/
public static final String ANALYZER_SWIFT_PACKAGE_RESOLVED_ENABLED = "analyzer.swift.package.resolved.enabled";
/**
* The properties key for the Central search URL.
*/
public static final String ANALYZER_CENTRAL_URL = "analyzer.central.url";
/**
* The properties key for the Central search query.
*/
public static final String ANALYZER_CENTRAL_QUERY = "analyzer.central.query";
/**
* The properties key for whether Central search results will be cached.
*/
public static final String ANALYZER_CENTRAL_USE_CACHE = "analyzer.central.use.cache";
/**
* The path to dotnet core, if available.
*/
public static final String ANALYZER_ASSEMBLY_DOTNET_PATH = "analyzer.assembly.dotnet.path";
/**
* The path to bundle-audit, if available.
*/
public static final String ANALYZER_BUNDLE_AUDIT_PATH = "analyzer.bundle.audit.path";
/**
* The path to bundle-audit, if available.
*/
public static final String ANALYZER_BUNDLE_AUDIT_WORKING_DIRECTORY = "analyzer.bundle.audit.working.directory";
/**
* The additional configured zip file extensions, if available.
*/
public static final String ADDITIONAL_ZIP_EXTENSIONS = "extensions.zip";
/**
* The key to obtain the path to the VFEED data file.
*/
public static final String VFEED_DATA_FILE = "vfeed.data_file";
/**
* The key to obtain the VFEED connection string.
*/
public static final String VFEED_CONNECTION_STRING = "vfeed.connection_string";
/**
* The key to obtain the base download URL for the VFeed data file.
*/
public static final String VFEED_DOWNLOAD_URL = "vfeed.download_url";
/**
* The key to obtain the download file name for the VFeed data.
*/
public static final String VFEED_DOWNLOAD_FILE = "vfeed.download_file";
/**
* The key to obtain the VFeed update status.
*/
public static final String VFEED_UPDATE_STATUS = "vfeed.update_status";
/**
* The key to the HTTP request method for query last modified date.
*/
public static final String DOWNLOADER_QUICK_QUERY_TIMESTAMP = "downloader.quick.query.timestamp";
/**
* The key to HTTP protocol list to use.
*/
public static final String DOWNLOADER_TLS_PROTOCOL_LIST = "downloader.tls.protocols";
/**
* The key to determine if the CPE analyzer is enabled.
*/
public static final String ANALYZER_CPE_ENABLED = "analyzer.cpe.enabled";
/**
* The key to determine if the NPM CPE analyzer is enabled.
*/
public static final String ANALYZER_NPM_CPE_ENABLED = "analyzer.npm.cpe.enabled";
/**
* The key to determine if the CPE Suppression analyzer is enabled.
*/
public static final String ANALYZER_CPE_SUPPRESSION_ENABLED = "analyzer.cpesuppression.enabled";
/**
* The key to determine if the Dependency Bundling analyzer is enabled.
*/
public static final String ANALYZER_DEPENDENCY_BUNDLING_ENABLED = "analyzer.dependencybundling.enabled";
/**
* The key to determine if the Dependency Merging analyzer is enabled.
*/
public static final String ANALYZER_DEPENDENCY_MERGING_ENABLED = "analyzer.dependencymerging.enabled";
/**
* The key to determine if the False Positive analyzer is enabled.
*/
public static final String ANALYZER_FALSE_POSITIVE_ENABLED = "analyzer.falsepositive.enabled";
/**
* The key to determine if the File Name analyzer is enabled.
*/
public static final String ANALYZER_FILE_NAME_ENABLED = "analyzer.filename.enabled";
/**
* The key to determine if the File Version analyzer is enabled.
*/
public static final String ANALYZER_PE_ENABLED = "analyzer.pe.enabled";
/**
* The key to determine if the Hint analyzer is enabled.
*/
public static final String ANALYZER_HINT_ENABLED = "analyzer.hint.enabled";
/**
* The key to determine if the Version Filter analyzer is enabled.
*/
public static final String ANALYZER_VERSION_FILTER_ENABLED = "analyzer.versionfilter.enabled";
/**
* The key to determine if the Vulnerability Suppression analyzer is
* enabled.
*/
public static final String ANALYZER_VULNERABILITY_SUPPRESSION_ENABLED = "analyzer.vulnerabilitysuppression.enabled";
/**
* The key to determine if the NVD CVE updater should be enabled.
*/
public static final String UPDATE_NVDCVE_ENABLED = "updater.nvdcve.enabled";
/**
* The key to determine if dependency-check should check if there is a
* new version available.
*/
public static final String UPDATE_VERSION_CHECK_ENABLED = "updater.versioncheck.enabled";
/**
* The key to determine which ecosystems should skip the CPE analysis.
*/
public static final String ECOSYSTEM_SKIP_CPEANALYZER = "ecosystem.skip.cpeanalyzer";
/**
* Adds capabilities to batch insert. Tested on PostgreSQL and H2.
*/
public static final String ENABLE_BATCH_UPDATES = "database.batchinsert.enabled";
/**
* Size of database batch inserts.
*/
public static final String MAX_BATCH_SIZE = "database.batchinsert.maxsize";
/**
* The key that specifies the class name of the Write Lock shutdown
* hook.
*/
public static final String WRITELOCK_SHUTDOWN_HOOK = "data.writelock.shutdownhook";
/**
* The properties key for whether the Sonatype OSS Index analyzer is
* enabled.
*/
public static final String ANALYZER_OSSINDEX_ENABLED = "analyzer.ossindex.enabled";
/**
 * The properties key for whether the Sonatype OSS Index should use a
 * local cache.
 */
public static final String ANALYZER_OSSINDEX_USE_CACHE = "analyzer.ossindex.use.cache";
/**
 * The properties key for the Sonatype OSS Index URL.
 */
public static final String ANALYZER_OSSINDEX_URL = "analyzer.ossindex.url";
/**
 * The properties key for the Sonatype OSS Index user.
 */
public static final String ANALYZER_OSSINDEX_USER = "analyzer.ossindex.user";
/**
 * The properties key for the Sonatype OSS Index password. The value is a
 * credential: it is only hidden in the settings log if one of the patterns
 * configured under {@link #MASKED_PROPERTIES} matches this key (the default
 * mask list is not defined in this class; verify it covers this key).
 */
public static final String ANALYZER_OSSINDEX_PASSWORD = "analyzer.ossindex.password";
/**
 * The properties key for the Sonatype OSS batch-size.
 */
public static final String ANALYZER_OSSINDEX_BATCH_SIZE = "analyzer.ossindex.batch.size";
/**
 * The properties key for the Sonatype OSS Request Delay. Amount of time
 * in seconds to wait before executing a request against the Sonatype
 * OSS Rest API
 */
public static final String ANALYZER_OSSINDEX_REQUEST_DELAY = "analyzer.ossindex.request.delay";
/**
 * The properties key for only warning about Sonatype OSS Index remote
 * errors instead of failing the request.
 */
public static final String ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS = "analyzer.ossindex.remote-error.warn-only";
/**
 * The properties key for whether the Dart analyzer is enabled.
 */
public static final String ANALYZER_DART_ENABLED = "analyzer.dart.enabled";
/**
 * The properties key for whether to pretty print the XML/JSON reports.
 */
public static final String PRETTY_PRINT = "odc.reports.pretty.print";
/**
 * The properties key setting which other keys should be considered
 * sensitive and subsequently masked when logged. The value is read as an
 * array of regular expressions; a key is masked when any expression finds
 * a match in it (see {@link Settings#initMaskedKeys()}).
 */
public static final String MASKED_PROPERTIES = "odc.settings.mask";
/**
 * The properties key for the default max query size for Lucene query
 * results.
 */
public static final String MAX_QUERY_SIZE_DEFAULT = "odc.ecosystem.maxquerylimit.default";
/**
 * The properties key prefix for the default max query size for Lucene
 * query results; append the ecosystem to obtain the default query size.
 */
public static final String MAX_QUERY_SIZE_PREFIX = "odc.ecosystem.maxquerylimit.";
/**
 * Not instantiable: {@code KEYS} exists only to group the property-key
 * constants above.
 */
private KEYS() {
}
}
//</editor-fold>
/**
 * Creates a settings object backed by the default properties resource,
 * {@code PROPERTIES_FILE}. Delegates to {@link #Settings(String)}.
 */
public Settings() {
    this(PROPERTIES_FILE);
}
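/**
 * Initialize the settings object using the given properties.
 *
 * @param properties the properties to be used with this Settings instance;
 * must not be {@code null}
 * @throws NullPointerException if {@code properties} is {@code null}
 * @since 4.0.3
 */
public Settings(final Properties properties) {
    // fail fast: a null backing store would otherwise only surface as an NPE
    // from whichever getter or logProperties() call touches it first
    if (properties == null) {
        throw new NullPointerException("properties must not be null");
    }
    props = properties;
    logProperties("Properties loaded", props);
}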
/**
 * Creates a settings object from the given base properties resource.
 *
 * @param propertiesFilePath the resource path of the base properties file
 * to load
 */
public Settings(@NotNull final String propertiesFilePath) {
    initialize(propertiesFilePath);
}
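/**
 * Initializes {@code props} from the given resource. A missing resource or
 * a read failure is logged at ERROR level and leaves {@code props} empty
 * rather than failing construction; the (possibly empty) properties are
 * then logged at DEBUG level with sensitive values masked.
 *
 * @param propertiesFilePath the path to the settings property file
 */
private void initialize(@NotNull final String propertiesFilePath) {
    props = new Properties();
    try (InputStream in = FileUtils.getResourceAsStream(propertiesFilePath)) {
        // Explicit check instead of catching the NullPointerException that
        // props.load(null) throws. Assumes FileUtils.getResourceAsStream returns
        // null for a missing resource (try-with-resources tolerates a null
        // resource) — confirm against FileUtils.
        if (in == null) {
            LOGGER.error("Did not find settings file '{}'.", propertiesFilePath);
        } else {
            props.load(in);
        }
    } catch (IOException ex) {
        LOGGER.error("Unable to load settings from '{}'.", propertiesFilePath);
        LOGGER.debug("", ex);
    }
    logProperties("Properties loaded", props);
}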
/**
 * Cleans up resources to prevent memory leaks, including removal of the
 * temporary directory. Equivalent to {@code cleanup(true)}.
 */
public void cleanup() {
    cleanup(true);
}
/**
 * Cleans up resources to prevent memory leaks.
 *
 * @param deleteTemporary when {@code true} and a temporary directory is
 * currently held in {@code tempDirectory} and exists on disk, that
 * directory is deleted and the reference cleared; otherwise nothing happens
 */
public synchronized void cleanup(boolean deleteTemporary) {
    if (!deleteTemporary || tempDirectory == null || !tempDirectory.exists()) {
        return;
    }
    LOGGER.debug("Deleting ALL temporary files from `{}`", tempDirectory.toString());
    FileUtils.delete(tempDirectory);
    tempDirectory = null;
}
/**
 * Check if a given key is considered to have a value with sensitive data.
 * The mask list is (re)built via {@link #initMaskedKeys()} whenever it is
 * absent or empty.
 *
 * @param key the key to determine if the property should be masked
 * @return <code>true</code> if any configured mask expression matches the
 * key; otherwise <code>false</code>
 */
private boolean isKeyMasked(@NotNull String key) {
    if (maskedKeys == null || maskedKeys.isEmpty()) {
        initMaskedKeys();
    }
    return maskedKeys.stream()
            .filter(maskExp -> maskExp.test(key))
            .findFirst()
            .isPresent();
}
/**
 * Obtains the printable/loggable value for a given key/value pair. Values
 * of masked keys are replaced by {@code ********} so that sensitive data
 * does not reach the log.
 *
 * @param key the property key
 * @param value the property value
 * @return {@code null} if the value is {@code null}, the mask string if the
 * key is masked, otherwise the value unchanged
 */
String getPrintableValue(@NotNull String key, String value) {
    if (value == null) {
        // no mask lookup for absent values (preserves lazy mask initialization)
        return null;
    }
    if (isKeyMasked(key)) {
        return "********";
    }
    return value;
}
/**
 * Initializes the masked keys collection from the regular expressions
 * configured under {@link Settings.KEYS#MASKED_PROPERTIES}. This is done
 * outside of the {@link #initialize(java.lang.String)} method because a
 * caller may use {@link #mergeProperties(java.io.File)} to add additional
 * properties after the call to initialize. A malformed expression is not
 * caught here and surfaces as a {@code PatternSyntaxException} from
 * {@code Pattern.compile}; swallowing it would silently disable masking.
 */
void initMaskedKeys() {
    final String[] masked = getArray(Settings.KEYS.MASKED_PROPERTIES);
    if (masked == null) {
        maskedKeys = new ArrayList<>();
        return;
    }
    // asPredicate() uses find() semantics: a partial match anywhere in the key masks it
    maskedKeys = Arrays.stream(masked)
            .map(Pattern::compile)
            .map(Pattern::asPredicate)
            .collect(Collectors.toList());
}
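/**
 * Logs the given properties at DEBUG level. Keys matched by the patterns
 * configured under {@link Settings.KEYS#MASKED_PROPERTIES} are still listed,
 * but their values are replaced by {@code ********}; properties with a
 * {@code null} value are omitted. Nothing is done when DEBUG is disabled.
 *
 * @param header the header to print with the log message
 * @param properties the properties to log
 */
private void logProperties(@NotNull final String header, @NotNull final Properties properties) {
    if (!LOGGER.isDebugEnabled()) {
        return;
    }
    // rebuild the mask list so values are masked per the current
    // MASKED_PROPERTIES setting, including properties merged after initialize()
    initMaskedKeys();
    final StringWriter sw = new StringWriter();
    try (PrintWriter pw = new PrintWriter(sw)) {
        pw.format("%s:%n%n", header);
        // stringPropertyNames() walks the defaults chain like propertyNames()
        // but yields String keys directly, avoiding the raw Enumeration and cast
        for (final String key : properties.stringPropertyNames()) {
            final String value = getPrintableValue(key, properties.getProperty(key));
            if (value != null) {
                pw.format("%s='%s'%n", key, value);
            }
        }
    }
    // PrintWriter is closed (and therefore flushed) by try-with-resources
    LOGGER.debug(sw.toString());
}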
/**
 * Sets a property value and logs the assignment at DEBUG level; the logged
 * value is hidden for masked keys.
 *
 * @param key the key for the property
 * @param value the value for the property
 */
public void setString(@NotNull final String key, @NotNull final String value) {
    props.setProperty(key, value);
    // computed after the store, as in the original ordering
    final String loggable = getPrintableValue(key, value);
    LOGGER.debug("Setting: {}='{}'", key, loggable);
}
/**
 * Sets a property value only if the value is not null; a {@code null}
 * value leaves the existing property untouched.
 *
 * @param key the key for the property
 * @param value the value for the property
 */
public void setStringIfNotNull(@NotNull final String key, @Nullable final String value) {
    if (value == null) {
        return;
    }
    setString(key, value);
}
/**
 * Sets a property value only if the value is not null and not empty; a
 * {@code null} or empty value leaves the existing property untouched.
 *
 * @param key the key for the property
 * @param value the value for the property
 */
public void setStringIfNotEmpty(@NotNull final String key, @Nullable final String value) {
    if (value == null || value.isEmpty()) {
        return;
    }
    setString(key, value);
}
/**
* Sets a property value only if the array value is not null and not empty.
*
* @param key the key for the property
* @param value the value for the property