add configuration to skip node devDependencies (#2373)
* added configuration to skip node devDependencies per #1806

* updated documentation
jeremylong authored Dec 10, 2019
1 parent 974a8ff commit 23fa6e1
Showing 12 changed files with 66 additions and 6 deletions.
24 changes: 24 additions & 0 deletions ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
Expand Up @@ -66,6 +66,10 @@ public class Check extends Update {
* Sets whether or not the Node Audit Analyzer should use a local cache.
*/
private Boolean nodeAuditAnalyzerUseCache;
/**
* Sets whether or not the Node Audit Analyzer should use a local cache.
*/
private Boolean nodeAuditSkipDevDependencies;
/**
* Whether or not the RetireJS Analyzer is enabled.
*/
Expand Down Expand Up @@ -945,6 +949,25 @@ public void setNodeAuditAnalyzerUseCache(Boolean nodeAuditAnalyzerUseCache) {
this.nodeAuditAnalyzerUseCache = nodeAuditAnalyzerUseCache;
}

/**
* Get the value of nodeAuditSkipDevDependencies.
*
* @return the value of nodeAuditSkipDevDependencies
*/
public Boolean isNodeAuditAnalyzerSkipDevDependencies() {
return nodeAuditSkipDevDependencies;
}

/**
* Set the value of nodeAuditSkipDevDependencies.
*
* @param nodeAuditSkipDevDependencies new value of
nodeAuditSkipDevDependencies
*/
public void setNodeAuditSkipDevDependencies(Boolean nodeAuditSkipDevDependencies) {
this.nodeAuditSkipDevDependencies = nodeAuditSkipDevDependencies;
}

/**
* Get the value of retireJsAnalyzerEnabled.
*
Expand Down Expand Up @@ -1680,6 +1703,7 @@ protected void populateSettings() throws BuildException {
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED, nodeAuditAnalyzerEnabled);
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_USE_CACHE, nodeAuditAnalyzerUseCache);
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_SKIPDEV, nodeAuditSkipDevDependencies);
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_ENABLED, retireJsAnalyzerEnabled);
getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_REPO_JS_URL, retireJsUrl);
getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_FORCEUPDATE, retireJsAnalyzerForceUpdate);
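Review bot: The Javadoc on the new field in the first hunk is copied from the field above it and describes the wrong setting — it says "should use a local cache" while the field is `nodeAuditSkipDevDependencies`; replace it with `* Sets whether or not the Node Audit Analyzer should skip devDependencies.` The accessor pair in the second hunk is also named inconsistently: the getter is `isNodeAuditAnalyzerSkipDevDependencies` but the setter is `setNodeAuditSkipDevDependencies`, so one of them should be renamed to match the field (the setter name is the one Ant's introspection uses for the `nodeAuditSkipDevDependencies` attribute, so renaming the getter to `isNodeAuditSkipDevDependencies` is the smaller change). It would also help operators if the field Javadoc stated that enabling this option reduces audit coverage, since vulnerable devDependencies are then no longer reported. The enclosing `Check` class continues outside all three hunks.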
1 change: 1 addition & 0 deletions ant/src/site/markdown/configuration.md
Expand Up @@ -102,6 +102,7 @@ composerAnalyzerEnabled | Sets whether the [experimental](../analyze
nodeAnalyzerEnabled | Sets whether the [retired](../analyzers/index.html) Node.js Analyzer should be used. | true
nodeAuditAnalyzerEnabled | Sets whether the Node Audit Analyzer should be used. This analyzer requires an internet connection. | true
nodeAuditAnalyzerUseCache | Sets whether the Node Audit Analyzer will cache results. Cached results expire after 24 hours. | true
nodeAuditSkipDevDependencies | Sets whether the Node Audit Analyzer will skip devDependencies. | false
retireJsAnalyzerEnabled | Sets whether the RetireJS Analyzer should be used. | true
retirejsForceupdate | Sets whether the RetireJS Analyzer should update regardless of the `autoupdate` setting. | false
retirejsFilterNonVulnerable | Configures the RetireJS Analyzer to remove non-vulnerable JS dependencies from the report. | false
1 change: 1 addition & 0 deletions cli/src/main/java/org/owasp/dependencycheck/App.java
Expand Up @@ -482,6 +482,7 @@ protected void populateSettings(CliParser cli) throws InvalidSettingException {
settings.setBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, !cli.isNodeJsDisabled());
settings.setBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED, !cli.isNodeAuditDisabled());
settings.setBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_USE_CACHE, !cli.isNodeAuditCacheDisabled());
settings.setBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_SKIPDEV, cli.isNodeAuditSkipDevDependencies());
settings.setBoolean(Settings.KEYS.ANALYZER_RETIREJS_ENABLED, !cli.isRetireJSDisabled());
settings.setBooleanIfNotNull(Settings.KEYS.PRETTY_PRINT, cli.isPrettyPrint());
settings.setStringIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_REPO_JS_URL, cli.getRetireJSUrl());
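Review bot: The added line writes the setting unconditionally with `settings.setBoolean(...)`, so whenever the flag is absent from the command line `ANALYZER_NODE_AUDIT_SKIPDEV` is forced to `false`, overriding any value the key may already hold. The neighbouring lines do the same, but their parser accessors are `hasDisableOption(ARGUMENT, KEY)` calls that take the settings key into account, whereas the new `isNodeAuditSkipDevDependencies()` in the CliParser.java hunk only calls `hasArgument(...)`; if the CLI supports loading keys from a properties file (inferred — that loader is not in view), a user setting this key there would be silently ignored. Either switch to `settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_SKIPDEV, cli.isNodeAuditSkipDevDependencies() ? Boolean.TRUE : null);` here, or have the parser accessor consult the key like its siblings. `populateSettings` continues outside the hunk.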
15 changes: 15 additions & 0 deletions cli/src/main/java/org/owasp/dependencycheck/CliParser.java
Expand Up @@ -531,6 +531,8 @@ private void addAdvancedOptions(final Options options) {
.desc("Disable the Node Audit Analyzer.").build())
.addOption(Option.builder().longOpt(ARGUMENT.DISABLE_NODE_AUDIT_CACHE)
.desc("Disallow the Node Audit Analyzer from caching results").build())
.addOption(Option.builder().longOpt(ARGUMENT.DISABLE_NODE_AUDIT_SKIPDEV)
.desc("Configures the Node Audit Analyzer to skip devDependencies").build())
.addOption(Option.builder().longOpt(ARGUMENT.DISABLE_RETIRE_JS)
.desc("Disable the RetireJS Analyzer.").build())
.addOption(Option.builder().longOpt(ARGUMENT.RETIRE_JS_FORCEUPDATE)
Expand Down Expand Up @@ -903,6 +905,15 @@ public boolean isNodeAuditCacheDisabled() {
return hasDisableOption(ARGUMENT.DISABLE_NODE_AUDIT_CACHE, Settings.KEYS.ANALYZER_NODE_AUDIT_USE_CACHE);
}

/**
* Returns whether or not the nodeAuditSkipDevDependencies was specified.
*
* @return whether or not the nodeAuditSkipDevDependencies was specified
*/
public boolean isNodeAuditSkipDevDependencies() {
return hasArgument(ARGUMENT.DISABLE_NODE_AUDIT_SKIPDEV);
}

/**
* Returns true if the disableRetireJS command line argument was specified.
*
Expand Down Expand Up @@ -1804,6 +1815,10 @@ public static class ARGUMENT {
* Disables the Node Audit Analyzer's ability to cache results locally.
*/
public static final String DISABLE_NODE_AUDIT_CACHE = "disableNodeAuditCache";
/**
* Configures the Node Audit Analyzer to skip the dev dependencies.
*/
public static final String DISABLE_NODE_AUDIT_SKIPDEV = "nodeAuditSkipDevDependencies";
/**
* Disables the RetireJS Analyzer.
*/
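Review bot: The new constant in the third hunk is named `DISABLE_NODE_AUDIT_SKIPDEV` but its value is `"nodeAuditSkipDevDependencies"` and, per the option description in the first hunk, it enables a behaviour rather than disabling one; next to the genuine `DISABLE_*` constants this reads as an inverted flag. Rename it, e.g. `public static final String NODE_AUDIT_SKIPDEV = "nodeAuditSkipDevDependencies";`, and update the three references in this file accordingly. The Javadoc on the accessor in the second hunk should also say what the flag does for the caller, e.g. `* Returns whether the Node Audit Analyzer should skip devDependencies (true when --nodeAuditSkipDevDependencies was given).` The `ARGUMENT` class and `addAdvancedOptions` both continue outside their hunks.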
1 change: 1 addition & 0 deletions cli/src/site/markdown/arguments.md
Expand Up @@ -38,6 +38,7 @@ Advanced Options
| | \-\-disableNodeJS | | Sets whether the Node.js Package Analyzer will be used. |   |
| | \-\-disableNodeAudit | | Sets whether the Node Audit Analyzer will be used. This analyzer requires an internet connection. |   |
| | \-\-disableNodeAuditCache | | When the argument is present the Node Audit Analyzer will not cache results. By default the results are cached for 24 hours. |   |
| | \-\-nodeAuditSkipDevDependencies | | Configures the Node Audit Analyzer to skip devDependencies.
| | \-\-disableRetireJS | | Sets whether the RetireJS Analyzer will be used. |   |
| | \-\-retireJsForceUpdate | | Sets whether the RetireJS Analyzer will update regardless of the `noupdate` argument. | false |
| | \-\-retireJsUrl | \<url\> | The URL to the Retire JS repository. | https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json |
Original file line number Diff line number Diff line change
Expand Up @@ -266,7 +266,8 @@ private List<Advisory> analyzePackage(final File lockFile, final File packageFil
final JsonObject packageJson = packageReader.readObject();

// Modify the payload to meet the NPM Audit API requirements
final JsonObject payload = NpmPayloadBuilder.build(lockJson, packageJson, dependencyMap);
final JsonObject payload = NpmPayloadBuilder.build(lockJson, packageJson, dependencyMap,
getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_SKIPDEV, false));

// Submits the package payload to the nsp check service
return searcher.submitPackage(payload);
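Review bot: When `ANALYZER_NODE_AUDIT_SKIPDEV` is true the audit request silently omits part of the dependency tree, and nothing in this hunk records that in the analysis log, so a report with fewer findings cannot be distinguished from a project with fewer vulnerable packages. Read the setting into a local before the `build(...)` call and emit a debug-level log line naming the package file when devDependencies are being skipped, so reduced coverage is visible to whoever reads the scan output (this file's logger is not in view, so use whatever the class already has). The path of this file is missing from the page header; the method `analyzePackage` starts and ends outside the hunk.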
Original file line number Diff line number Diff line change
Expand Up @@ -49,9 +49,11 @@ private NpmPayloadBuilder() {
* @param packageJson the package.json
* @param dependencyMap a collection of module/version pairs that is
* populated while building the payload
* @param skipDevDependencies whether devDependencies should be skipped
* @return the npm audit API payload
*/
public static JsonObject build(JsonObject lockJson, JsonObject packageJson, Map<String, String> dependencyMap) {
public static JsonObject build(JsonObject lockJson, JsonObject packageJson,
Map<String, String> dependencyMap, boolean skipDevDependencies) {
final JsonObjectBuilder payloadBuilder = Json.createObjectBuilder();
addProjectInfo(packageJson, payloadBuilder);

Expand All @@ -73,7 +75,7 @@ public static JsonObject build(JsonObject lockJson, JsonObject packageJson, Map<
});
}

if (packageJson.containsKey("devDependencies")) {
if (!skipDevDependencies && packageJson.containsKey("devDependencies")) {
packageJson.getJsonObject("devDependencies").entrySet()
.stream()
.collect(Collectors.toMap(
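Review bot: The first hunk changes the signature of the public static `build` method in place, which breaks any other caller of the three-argument form; keep a delegating overload so existing callers keep compiling, e.g. `public static JsonObject build(JsonObject lockJson, JsonObject packageJson, Map<String, String> dependencyMap) { return build(lockJson, packageJson, dependencyMap, false); }` with a one-line Javadoc saying it audits devDependencies. The second hunk only guards the `devDependencies` block of package.json; whether entries that come from `lockJson` (which can also carry dev-only packages) are excluded is not visible here — if they are still added to the payload, the option would not actually remove devDependencies from the audit, which is worth confirming with a test. The `build` method continues between and after the hunks.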
Original file line number Diff line number Diff line change
Expand Up @@ -394,6 +394,12 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
@SuppressWarnings("CanBeFinal")
@Parameter(property = "nodeAuditAnalyzerUseCache")
private Boolean nodeAuditAnalyzerUseCache;
/**
* Sets whether or not the Node Audit Analyzer should skip devDependencies.
*/
@SuppressWarnings("CanBeFinal")
@Parameter(property = "nodeAuditSkipDevDependencies")
private Boolean nodeAuditSkipDevDependencies;
/**
* Sets whether or not the Retirejs Analyzer should be used.
*/
Expand Down Expand Up @@ -1740,6 +1746,7 @@ protected void populateSettings() {
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED, nodeAuditAnalyzerEnabled);
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_USE_CACHE, nodeAuditAnalyzerUseCache);
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_SKIPDEV, nodeAuditSkipDevDependencies);
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_ENABLED, retireJsAnalyzerEnabled);
settings.setStringIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_REPO_JS_URL, retireJsUrl);
settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_FORCEUPDATE, retireJsForceUpdate);
1 change: 1 addition & 0 deletions maven/src/site/markdown/configuration.md
Expand Up @@ -79,6 +79,7 @@ composerAnalyzerEnabled | Sets whether the [experimental](../analyzers/ind
nodeAnalyzerEnabled | Sets whether the [retired](../analyzers/index.html) Node.js Analyzer should be used. | true
nodeAuditAnalyzerEnabled | Sets whether the Node Audit Analyzer should be used. This analyzer requires an internet connection. | true
nodeAuditAnalyzerUseCache | Sets whether the Node Audit Analyzer will cache results. Cached results expire after 24 hours. | true
nodeAuditSkipDevDependencies | Sets whether the Node Audit Analyzer will skip devDependencies. | false
retireJsAnalyzerEnabled | Sets whether the RetireJS Analyzer should be used. | true
retirejsForceupdate | Sets whether the RetireJS Analyzer should update regardless of the `autoupdate` setting. | false
retireJsUrl | The URL to the Retire JS repository. **Note** the file name must be `jsrepository.json`. | https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json
Original file line number Diff line number Diff line change
Expand Up @@ -116,7 +116,6 @@ analyzers | archiveEnabled | Sets whether the Archive Analyzer will be
analyzers | zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp;
analyzers | jarEnabled | Sets whether Jar Analyzer will be used. | true
analyzers | centralEnabled | Sets whether Central Analyzer will be used; by default in the Maven plugin this analyzer is disabled as all information gained from Central is already available in the build. | false
analyzers | ossIndexEnabled | This configuration has been deprecated; please use `ossIndex` instead. Sets whether the [OSS Index Analyzer](../analyzers/oss-index-analyzer.html) will be enabled. This analyzer requires an internet connection. | true
analyzers | nexusEnabled | Sets whether Nexus Analyzer will be used (requires Nexus Pro). This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. | true
analyzers | nexusUrl | Defines the Nexus Server's web service end point (example http://domain.enterprise/service/local/). If not set the Nexus Analyzer will be disabled. | &nbsp;
analyzers | nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | true
Expand All @@ -132,7 +131,6 @@ analyzers | cmakeEnabled | Sets whether or not the [experimental](..
analyzers | autoconfEnabled | Sets whether or not the [experimental](../analyzers/index.html) autoconf Analyzer should be used. | true
analyzers | composerEnabled | Sets whether or not the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used. | true
analyzers | nodeEnabled | Sets whether or not the Node.js Analyzer should be used. | true
analyzers | nodeAuditEnabled | Sets whether the Node Audit Analyzer should be used. This analyzer requires an internet connection. | true
analyzers | cocoapodsEnabled | Sets whether or not the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. | true
analyzers | swiftEnabled | Sets whether or not the [experimental](../analyzers/index.html) Swift Package Manager Analyzer should be used. | true
analyzers | bundleAuditEnabled | Sets whether or not the [experimental](../analyzers/index.html) Ruby Bundle Audit Analyzer should be used. | true
Expand All @@ -152,6 +150,9 @@ artifactory | parallelAnalysis | Whether the Artifactory analyzer should b
artifactory | username | The user name (only used with API token) to connect to Artifactory instance. | &nbsp;
artifactory | apiToken | The API token to connect to Artifactory instance, only used if the username or the API key are not defined by artifactoryAnalyzerServerId,artifactoryAnalyzerUsername or artifactoryAnalyzerApiToken | &nbsp;
artifactory | bearerToken | The bearer token to connect to Artifactory instance. | &nbsp;
nodeAudit | enabled | Sets whether the Node Audit Analyzer should be used. This analyzer requires an internet connection. | true
nodeAudit | useCache | Sets whether the Node Audit Analyzer should cache results locally. | true
nodeAudit | skipDevDependencies | Sets whether the Node Audit Analyzer should skip devDependencies. | false
retirejs | enabled | Sets whether the RetireJS Analyzer should be used. | true
retirejs | forceupdate | Sets whether the RetireJS Analyzer should update regardless of the `autoupdate` setting. | false
retirejs | retireJsUrl | The URL to the Retire JS repository. | https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json
4 changes: 3 additions & 1 deletion src/site/markdown/dependency-check-gradle/configuration.md
Expand Up @@ -114,7 +114,6 @@ analyzers | archiveEnabled | Sets whether the Archive Analyzer will be
analyzers | zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp;
analyzers | jarEnabled | Sets whether Jar Analyzer will be used. | true
analyzers | centralEnabled | Sets whether Central Analyzer will be used. If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer (see below). | true
analyzers | ossIndexEnabled | This configuration has been deprecated; please use `ossIndex` instead. Sets whether the [OSS Index Analyzer](../analyzers/oss-index-analyzer.html) will be enabled. | true
analyzers | nexusEnabled | Sets whether Nexus Analyzer will be used (requires Nexus Pro). This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. | true
analyzers | nexusUrl | Defines the Nexus Server's web service end point (example http://domain.enterprise/service/local/). If not set the Nexus Analyzer will be disabled. | &nbsp;
analyzers | nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | true
Expand Down Expand Up @@ -151,6 +150,9 @@ artifactory | parallelAnalysis | Whether the Artifactory analyzer should b
artifactory | username | The user name (only used with API token) to connect to Artifactory instance. | &nbsp;
artifactory | apiToken | The API token to connect to Artifactory instance, only used if the username or the API key are not defined by artifactoryAnalyzerServerId,artifactoryAnalyzerUsername or artifactoryAnalyzerApiToken | &nbsp;
artifactory | bearerToken | The bearer token to connect to Artifactory instance | &nbsp;
nodeAudit | enabled | Sets whether the Node Audit Analyzer should be used. This analyzer requires an internet connection. | true
nodeAudit | useCache | Sets whether the Node Audit Analyzer should cache results locally. | true
nodeAudit | skipDevDependencies | Sets whether the Node Audit Analyzer should skip devDependencies. | false
retirejs | enabled | Sets whether the RetireJS Analyzer should be used. | true
retirejs | forceupdate | Sets whether the RetireJS Analyzer should update regardless of the `autoupdate` setting. | false
retirejs | retireJsUrl | The URL to the Retire JS repository. | https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json