| Package | Description |
|---|---|
| org.owasp.dependencycheck |
Includes the main entry point for dependency-check.
|
| org.owasp.dependencycheck.agent |
The agent package holds an agent API that can be used by other applications that have information about dependencies; but would
rather implement something in their code directly rather then spawn a process to run the entire dependency-check engine.
|
| org.owasp.dependencycheck.analyzer |
Analyzers are used to inspect the identified dependencies, collect Evidence, and process the dependencies.
|
| org.owasp.dependencycheck.data.artifactory |
Contains classes related to searching Artifactory Maven repository.
These are used to abstractArtifactory searching away from OWASP Dependency Check so they can be reused elsewhere. |
| org.owasp.dependencycheck.data.golang |
Contains classes for working with the Go Lang project data.
|
| org.owasp.dependencycheck.dependency |
Contains the core Dependency implementation.
|
| org.owasp.dependencycheck.reporting |
Contains classes used to generate reports.
|
| org.owasp.dependencycheck.xml.pom |
This package contains classes used to parse pom.xml files.
|
| org.owasp.dependencycheck.xml.suppression |
Contains classes used to suppress findings.
|
| Modifier and Type | Method and Description |
|---|---|
Dependency[] |
Engine.getDependencies()
Returns a copy of the dependencies as an array.
|
protected Dependency |
Engine.scanFile(@NotNull File file)
Scans a specified file.
|
protected Dependency |
Engine.scanFile(@NotNull File file,
@Nullable String projectReference)
Scans a specified file.
|
| Modifier and Type | Method and Description |
|---|---|
List<Dependency> |
Engine.scan(Collection<File> files)
Scans a collection of files or directories.
|
List<Dependency> |
Engine.scan(Collection<File> files,
String projectReference)
Scans a collection of files or directories.
|
List<Dependency> |
Engine.scan(File file)
Scans a given file or directory.
|
List<Dependency> |
Engine.scan(File[] files)
Scans an array of files or directories.
|
List<Dependency> |
Engine.scan(File[] files,
String projectReference)
Scans an array of files or directories.
|
List<Dependency> |
Engine.scan(@NotNull String path)
Scans a given file or directory.
|
List<Dependency> |
Engine.scan(@NotNull String[] paths)
Scans an array of files or directories.
|
List<Dependency> |
Engine.scan(@NotNull String[] paths,
@Nullable String projectReference)
Scans an array of files or directories.
|
List<Dependency> |
Engine.scan(@NotNull String path,
String projectReference)
Scans a given file or directory.
|
protected List<Dependency> |
Engine.scanDirectory(File dir)
Recursively scans files and directories.
|
protected List<Dependency> |
Engine.scanDirectory(@NotNull File dir,
@Nullable String projectReference)
Recursively scans files and directories.
|
| Modifier and Type | Method and Description |
|---|---|
void |
Engine.addDependency(Dependency dependency)
Adds a dependency.
|
void |
Engine.removeDependency(@NotNull Dependency dependency)
Removes the dependency.
|
| Constructor and Description |
|---|
AnalysisTask(Analyzer analyzer,
Dependency dependency,
Engine engine,
List<Throwable> exceptions)
Creates a new analysis task.
|
| Modifier and Type | Method and Description |
|---|---|
List<Dependency> |
DependencyCheckScanAgent.getDependencies()
Returns a list of pre-determined dependencies.
|
| Modifier and Type | Method and Description |
|---|---|
static void |
DependencyCheckScanAgent.showSummary(Dependency[] dependencies)
Generates a warning message listing a summary of dependencies and their
associated CPE and CVE entries.
|
static void |
DependencyCheckScanAgent.showSummary(String projectName,
Dependency[] dependencies)
Generates a warning message listing a summary of dependencies and their
associated CPE and CVE entries.
|
| Modifier and Type | Method and Description |
|---|---|
void |
DependencyCheckScanAgent.setDependencies(List<Dependency> dependencies)
Sets the list of dependencies to scan.
|
| Modifier and Type | Method and Description |
|---|---|
protected Dependency |
AbstractNpmAnalyzer.createDependency(Dependency dependency,
String name,
String version,
String scope)
Construct a dependency object.
|
protected Dependency |
AbstractNpmAnalyzer.findDependency(Engine engine,
String name,
String version)
Locates the dependency from the list of dependencies that have been
scanned by the engine.
|
protected Dependency |
DependencyMergingAnalyzer.getMainAndroidDependency(Dependency dependency1,
Dependency dependency2)
Determines which of the android dependencies should be considered the
primary.
|
protected Dependency |
DependencyMergingAnalyzer.getMainDotnetDependency(Dependency dependency1,
Dependency dependency2)
Determines which of the dotnet dependencies should be considered the
primary.
|
protected Dependency |
DependencyMergingAnalyzer.getMainGemspecDependency(Dependency dependency1,
Dependency dependency2)
Ruby gems installed by "bundle install" can have zero or more *.gemspec
files, all of which have the same packagePath and should be grouped.
|
protected Dependency |
DependencyMergingAnalyzer.getMainSwiftDependency(Dependency dependency1,
Dependency dependency2)
Determines which of the swift dependencies should be considered the
primary.
|
| Modifier and Type | Method and Description |
|---|---|
static String |
JarAnalyzer.addDescription(Dependency dependency,
String description,
String source,
String key)
Adds a description to the given dependency.
|
protected static void |
JarAnalyzer.addMatchingValues(List<JarAnalyzer.ClassNameInformation> classes,
String value,
Dependency dep,
EvidenceType type)
Cycles through the collection of class name information to see if parts
of the package names are contained in the provided value.
|
protected static void |
AssemblyAnalyzer.addMatchingValues(List<String> packages,
String value,
Dependency dep,
EvidenceType type)
Cycles through the collection of class name information to see if parts
of the package names are contained in the provided value.
|
void |
AbstractAnalyzer.analyze(Dependency dependency,
Engine engine)
Analyzes a given dependency.
|
void |
Analyzer.analyze(Dependency dependency,
Engine engine)
Analyzes the given dependency.
|
void |
JarAnalyzer.analyzeDependency(Dependency dependency,
Engine engine)
Loads a specified JAR file and collects information from the manifest and
checksums to identify the correct CPE information.
|
void |
NexusAnalyzer.analyzeDependency(Dependency dependency,
Engine engine)
Performs the analysis.
|
protected void |
FileNameAnalyzer.analyzeDependency(Dependency dependency,
Engine engine)
Collects information about the file name.
|
protected void |
AbstractDependencyComparingAnalyzer.analyzeDependency(Dependency ignore,
Engine engine)
Analyzes a set of dependencies.
|
protected void |
NodeAuditAnalyzer.analyzeDependency(Dependency dependency,
Engine engine) |
protected void |
CMakeAnalyzer.analyzeDependency(Dependency dependency,
Engine engine)
Analyzes python packages and adds evidence to the dependency.
|
void |
ArtifactoryAnalyzer.analyzeDependency(Dependency dependency,
Engine engine)
Performs the analysis.
|
protected void |
ElixirMixAuditAnalyzer.analyzeDependency(Dependency dependency,
Engine engine)
Determines if the analyzer can analyze the given file type.
|
void |
ArchiveAnalyzer.analyzeDependency(Dependency dependency,
Engine engine)
Analyzes a given dependency.
|
protected void |
OpenSSLAnalyzer.analyzeDependency(Dependency dependency,
Engine engine)
Analyzes python packages and adds evidence to the dependency.
|
protected void |
RubyBundleAuditAnalyzer.analyzeDependency(Dependency dependency,
Engine engine)
Determines if the analyzer can analyze the given file type.
|
protected void |
AutoconfAnalyzer.analyzeDependency(Dependency dependency,
Engine engine) |
protected void |
VersionFilterAnalyzer.analyzeDependency(Dependency dependency,
Engine engine)
The HintAnalyzer uses knowledge about a dependency to add additional
information to help in identification of identifiers or vulnerabilities.
|
protected void |
RubyBundlerAnalyzer.analyzeDependency(Dependency dependency,
Engine engine) |
protected void |
CocoaPodsAnalyzer.analyzeDependency(Dependency dependency,
Engine engine) |
protected void |
FalsePositiveAnalyzer.analyzeDependency(Dependency dependency,
Engine engine)
Analyzes the dependencies and removes bad/incorrect CPE associations
based on various heuristics.
|
void |
CentralAnalyzer.analyzeDependency(Dependency dependency,
Engine engine)
Performs the analysis.
|
protected void |
ComposerLockAnalyzer.analyzeDependency(Dependency dependency,
Engine engine)
Entry point for the analyzer.
|
void |
NuspecAnalyzer.analyzeDependency(Dependency dependency,
Engine engine)
Performs the analysis.
|
protected void |
MSBuildProjectAnalyzer.analyzeDependency(Dependency dependency,
Engine engine) |
protected void |
PythonDistributionAnalyzer.analyzeDependency(Dependency dependency,
Engine engine) |
protected void |
OssIndexAnalyzer.analyzeDependency(Dependency dependency,
Engine engine) |
protected void |
PipAnalyzer.analyzeDependency(Dependency dependency,
Engine engine) |
protected void |
SwiftPackageManagerAnalyzer.analyzeDependency(Dependency dependency,
Engine engine) |
protected void |
NvdCveAnalyzer.analyzeDependency(Dependency dependency,
Engine engine)
Analyzes a dependency and attempts to determine if there are any CPE
identifiers for this dependency.
|
protected void |
CPEAnalyzer.analyzeDependency(Dependency dependency,
Engine engine)
Analyzes a dependency and attempts to determine if there are any CPE
identifiers for this dependency.
|
protected abstract void |
AbstractAnalyzer.analyzeDependency(Dependency dependency,
Engine engine)
Analyzes a given dependency.
|
void |
NugetconfAnalyzer.analyzeDependency(Dependency dependency,
Engine engine)
Performs the analysis.
|
protected void |
NpmCPEAnalyzer.analyzeDependency(Dependency dependency,
Engine engine)
Analyzes a dependency and attempts to determine if there are any CPE
identifiers for this dependency.
|
protected void |
AbstractSuppressionAnalyzer.analyzeDependency(Dependency dependency,
Engine engine) |
protected void |
HintAnalyzer.analyzeDependency(Dependency dependency,
Engine engine)
The HintAnalyzer uses knowledge about a dependency to add additional
information to help in identification of identifiers or vulnerabilities.
|
protected void |
PEAnalyzer.analyzeDependency(Dependency dependency,
Engine engine)
Collects information about the file name.
|
protected void |
GolangDepAnalyzer.analyzeDependency(Dependency dependency,
Engine engine)
Analyzes go packages and adds evidence to the dependency.
|
protected void |
NodePackageAnalyzer.analyzeDependency(Dependency dependency,
Engine engine) |
protected void |
GolangModAnalyzer.analyzeDependency(Dependency dependency,
Engine engine)
Analyzes go packages and adds evidence to the dependency.
|
void |
RetireJsAnalyzer.analyzeDependency(Dependency dependency,
Engine engine)
Analyzes the specified JavaScript file.
|
void |
AssemblyAnalyzer.analyzeDependency(Dependency dependency,
Engine engine)
Performs the analysis on a single Dependency.
|
protected void |
RubyGemspecAnalyzer.analyzeDependency(Dependency dependency,
Engine engine) |
protected void |
PythonPackageAnalyzer.analyzeDependency(Dependency dependency,
Engine engine)
Analyzes python packages and adds evidence to the dependency.
|
protected void |
JarAnalyzer.analyzePackageNames(List<JarAnalyzer.ClassNameInformation> classNames,
Dependency dependency,
boolean addPackagesAsEvidence)
Analyzes the path information of the classes contained within the
JarAnalyzer to try and determine possible vendor or product names.
|
protected boolean |
JarAnalyzer.analyzePOM(Dependency dependency,
List<JarAnalyzer.ClassNameInformation> classes,
Engine engine)
Attempts to find a pom.xml within the JAR file.
|
protected List<JarAnalyzer.ClassNameInformation> |
JarAnalyzer.collectClassNames(Dependency dependency)
Cycles through an enumeration of JarEntries, contained within the
dependency, and returns a list of the class names.
|
protected Dependency |
AbstractNpmAnalyzer.createDependency(Dependency dependency,
String name,
String version,
String scope)
Construct a dependency object.
|
protected void |
CPEAnalyzer.determineCPE(Dependency dependency)
Searches the data store of CPE entries, trying to identify the CPE for
the given dependency based on the evidence contained within.
|
protected boolean |
CPEAnalyzer.determineIdentifiers(Dependency dependency,
String vendor,
String product,
Confidence currentConfidence)
Retrieves a list of CPE values from the CveDB based on the vendor and
product passed in.
|
protected abstract boolean |
AbstractDependencyComparingAnalyzer.evaluateDependencies(Dependency dependency,
Dependency nextDependency,
Set<Dependency> dependenciesToRemove)
Evaluates the dependencies
|
protected boolean |
DependencyMergingAnalyzer.evaluateDependencies(Dependency dependency,
Dependency nextDependency,
Set<Dependency> dependenciesToRemove)
Evaluates the dependencies
|
protected boolean |
DependencyBundlingAnalyzer.evaluateDependencies(Dependency dependency,
Dependency nextDependency,
Set<Dependency> dependenciesToRemove)
Evaluates the dependencies
|
static void |
JarAnalyzer.extractLicense(Model pom,
Dependency dependency)
Extracts the license information from the pom and adds it to the
dependency.
|
protected List<MavenArtifact> |
CentralAnalyzer.fetchMavenArtifacts(Dependency dependency)
Downloads the corresponding list of MavenArtifacts of the given
dependency from MavenCentral.
|
void |
AbstractNpmAnalyzer.gatherEvidence(javax.json.JsonObject json,
Dependency dependency)
Collects evidence from the given JSON for the associated dependency.
|
protected Dependency |
DependencyMergingAnalyzer.getMainAndroidDependency(Dependency dependency1,
Dependency dependency2)
Determines which of the android dependencies should be considered the
primary.
|
protected Dependency |
DependencyMergingAnalyzer.getMainDotnetDependency(Dependency dependency1,
Dependency dependency2)
Determines which of the dotnet dependencies should be considered the
primary.
|
protected Dependency |
DependencyMergingAnalyzer.getMainGemspecDependency(Dependency dependency1,
Dependency dependency2)
Ruby gems installed by "bundle install" can have zero or more *.gemspec
files, all of which have the same packagePath and should be grouped.
|
protected Dependency |
DependencyMergingAnalyzer.getMainSwiftDependency(Dependency dependency1,
Dependency dependency2)
Determines which of the swift dependencies should be considered the
primary.
|
protected boolean |
DependencyBundlingAnalyzer.isCore(Dependency left,
Dependency right)
This is likely a very broken attempt at determining if the 'left'
dependency is the 'core' library in comparison to the 'right' library.
|
protected boolean |
DependencyMergingAnalyzer.isSameRubyGem(Dependency dependency1,
Dependency dependency2)
Bundling Ruby gems that are identified from different .gemspec files but
denote the same package path.
|
protected boolean |
DependencyMergingAnalyzer.isSameSwiftPackage(Dependency dependency1,
Dependency dependency2)
Bundling same swift dependencies with the same packagePath but identified
by different file type analyzers.
|
protected boolean |
DependencyBundlingAnalyzer.isShadedJar(Dependency dependency,
Dependency nextDependency)
Determines if the jar is shaded and the created pom.xml identified the
same CPE as the jar - if so, the pom.xml dependency should be removed.
|
protected boolean |
DependencyBundlingAnalyzer.isWebJar(Dependency dependency,
Dependency nextDependency)
Determines if a JS file is from a webjar dependency.
|
static void |
DependencyMergingAnalyzer.mergeDependencies(Dependency dependency,
Dependency relatedDependency,
Set<Dependency> dependenciesToRemove)
Adds the relatedDependency to the dependency's related dependencies.
|
static void |
DependencyBundlingAnalyzer.mergeDependencies(Dependency dependency,
Dependency relatedDependency,
Set<Dependency> dependenciesToRemove)
Adds the relatedDependency to the dependency's related dependencies.
|
static void |
DependencyBundlingAnalyzer.mergeDependencies(Dependency dependency,
Dependency relatedDependency,
Set<Dependency> dependenciesToRemove,
boolean copyVulnsAndIds)
Adds the relatedDependency to the dependency's related dependencies.
|
protected boolean |
JarAnalyzer.parseManifest(Dependency dependency,
List<JarAnalyzer.ClassNameInformation> classInformation)
Reads the manifest from the JAR file and collects the entries.
|
protected void |
AbstractNpmAnalyzer.processPackage(Engine engine,
Dependency dependency,
javax.json.JsonArray jsonArray,
String depType)
Processes a part of package.json (as defined by JsonArray) and update the
specified dependency with relevant info.
|
protected void |
AbstractNpmAnalyzer.processPackage(Engine engine,
Dependency dependency,
javax.json.JsonObject jsonObject,
String depType)
Processes a part of package.json (as defined by JsonObject) and update
the specified dependency with relevant info.
|
protected void |
FalsePositiveAnalyzer.removeBadMatches(Dependency dependency)
Removes bad CPE matches for a dependency.
|
static boolean |
JarAnalyzer.setPomEvidence(Dependency dependency,
Model pom,
List<JarAnalyzer.ClassNameInformation> classes,
boolean isMainPom)
Sets evidence from the pom on the supplied dependency.
|
| Modifier and Type | Method and Description |
|---|---|
protected abstract boolean |
AbstractDependencyComparingAnalyzer.evaluateDependencies(Dependency dependency,
Dependency nextDependency,
Set<Dependency> dependenciesToRemove)
Evaluates the dependencies
|
protected boolean |
DependencyMergingAnalyzer.evaluateDependencies(Dependency dependency,
Dependency nextDependency,
Set<Dependency> dependenciesToRemove)
Evaluates the dependencies
|
protected boolean |
DependencyBundlingAnalyzer.evaluateDependencies(Dependency dependency,
Dependency nextDependency,
Set<Dependency> dependenciesToRemove)
Evaluates the dependencies
|
static void |
DependencyMergingAnalyzer.mergeDependencies(Dependency dependency,
Dependency relatedDependency,
Set<Dependency> dependenciesToRemove)
Adds the relatedDependency to the dependency's related dependencies.
|
static void |
DependencyBundlingAnalyzer.mergeDependencies(Dependency dependency,
Dependency relatedDependency,
Set<Dependency> dependenciesToRemove)
Adds the relatedDependency to the dependency's related dependencies.
|
static void |
DependencyBundlingAnalyzer.mergeDependencies(Dependency dependency,
Dependency relatedDependency,
Set<Dependency> dependenciesToRemove,
boolean copyVulnsAndIds)
Adds the relatedDependency to the dependency's related dependencies.
|
| Modifier and Type | Method and Description |
|---|---|
protected List<MavenArtifact> |
ArtifactorySearch.processResponse(Dependency dependency,
HttpURLConnection conn)
Process the Artifactory response.
|
List<MavenArtifact> |
ArtifactorySearch.search(Dependency dependency)
Searches the configured Central URL for the given hash (MD5, SHA1 and
SHA256).
|
| Modifier and Type | Method and Description |
|---|---|
Dependency |
GoModDependency.toDependency(Dependency parentDependency)
Converts the GoModDependency into a Dependency object.
|
| Modifier and Type | Method and Description |
|---|---|
Dependency |
GoModDependency.toDependency(Dependency parentDependency)
Converts the GoModDependency into a Dependency object.
|
| Modifier and Type | Method and Description |
|---|---|
Set<Dependency> |
Dependency.getRelatedDependencies()
Get the unmodifiable set of
relatedDependencies. |
| Modifier and Type | Method and Description |
|---|---|
void |
Dependency.addRelatedDependency(Dependency dependency)
Adds a related dependency.
|
void |
Dependency.removeRelatedDependencies(Dependency dependency)
Removes a related dependency.
|
| Constructor and Description |
|---|
ReportGenerator(String applicationName,
List<Dependency> dependencies,
List<Analyzer> analyzers,
DatabaseProperties properties,
Settings settings)
|
ReportGenerator(String applicationName,
List<Dependency> dependencies,
List<Analyzer> analyzers,
DatabaseProperties properties,
Settings settings,
ExceptionCollection exceptions)
Constructs a new ReportGenerator.
|
ReportGenerator(String applicationName,
String groupID,
String artifactID,
String version,
List<Dependency> dependencies,
List<Analyzer> analyzers,
DatabaseProperties properties,
Settings settings)
|
ReportGenerator(String applicationName,
String groupID,
String artifactID,
String version,
List<Dependency> dependencies,
List<Analyzer> analyzers,
DatabaseProperties properties,
Settings settings,
ExceptionCollection exceptions)
Constructs a new ReportGenerator.
|
| Modifier and Type | Method and Description |
|---|---|
static void |
PomUtils.analyzePOM(Dependency dependency,
File pomFile)
Reads in the pom file and adds elements as evidence to the given
dependency.
|
| Modifier and Type | Method and Description |
|---|---|
void |
SuppressionRule.process(Dependency dependency)
Processes a given dependency to determine if any CPE, CVE, CWE, or CVSS
scores should be suppressed.
|
Copyright © 2012–2020 OWASP. All rights reserved.