Created attachment 191000: owasp-dependency-check-3.1.1

Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.

My use case is audit of NPM/NodeJS module dependencies, but many more analyzers are supported [0]. See also my proposal to solve NPM module audit on ports level [1]. Even though there was no interest, this tool is helpful by itself without a complex FreeBSD infrastructure around it. It can easily be added to any CI since it's a command-line tool.

Since the build requires a maven repository, it must be provided in distfiles when committing. It works like in archivers/snappy-java. I could provide help or a script to easily create the repository from scratch, if wanted by the committer.

[0] https://jeremylong.github.io/DependencyCheck/analyzers/index.html
[1] https://lists.freebsd.org/pipermail/freebsd-ports/2018-February/112425.html
Created attachment 191001: portlint -A

There's a warning about potentially abused absolute path. Maybe there is a better way to handle this.
Created attachment 191002: Poudriere testport log (10.3-RELEASE amd64)
Created attachment 191003: Poudriere testport log (11.1-RELEASE amd64)
testbuilds@work
Please note: the shar file is not valid, it does not extract. One needs to remove the .git files included from the .shar before it extracts.
port fails to fetch distfiles, see for example: http://people.freebsd.org/~pi/logs/security__owasp-dependency-check-cur-1522435556.txt
The maven repo is an additional tarball containing Java dependencies. For committing the port (or any version update of it), you need to create that tarball and store it where the port build can find it. My Makefile has:

MASTER_SITES=	LOCAL/andidog/security/${PORTNAME}/:source2
DISTFILES+=	FreeBSD-owasp-dependency-check-${PORTVERSION}-maven-repository.tar.gz:source2

The "LOCAL" config defines where to find the file online. bsd.sites.mk lists some distcache.freebsd.org mirror for that purpose. Example URL for port archivers/snappy-java and user jgh@: http://distcache.FreeBSD.org/local-distfiles/jgh/archivers/snappy/FreeBSD-snappy-1.0.4.1-maven-repository.tar.gz. Since I'm not a committer and do not have a FreeBSD cluster account, you would need to change it to "LOCAL/pi/where/you/want/it" and upload the tarball in addition to committing the port skeleton. A little complicated, but it ensures the distfiles are the same for every build.

Small script to create the maven repo tarball:

#!/bin/sh
set -e
VERSION=3.1.1
FILENAME="FreeBSD-owasp-dependency-check-$VERSION-maven-repository.tar.gz"
# Work in /tmp so that the existence check and the clone refer to the same directory
cd /tmp
[ -d DependencyCheck ] || git clone https://github.com/jeremylong/DependencyCheck.git
cd DependencyCheck
git checkout "v$VERSION"
# Refuse to package a tree with local modifications
[ -z "$(git status -s)" ] || { >&2 echo "Repo dirty"; exit 1; }
mkdir -p repository
# This takes a while to download and build; all artifacts land in ./repository
mvn -Dmaven.repo.local="$(pwd)/repository" -DskipTests clean install
env GZIP=-9 tar -czf "$FILENAME" repository
# These steps are to put the tarball into my FreeBSD poudriere build host, please adapt:
cat "$FILENAME" | ssh porttesting -- sudo tee "/var/ports/distfiles/$FILENAME" "/pdr/ports/default/distfiles/$FILENAME" >/dev/null
ssh porttesting -- 'cd /pdr/ports/default/security/owasp-dependency-check && sudo rm -f distinfo && sudo make makesum'

Please suggest if we should take that existing solution (I have it from archivers/snappy-java) or whether you have other ideas.
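The reason for pinning the maven-repository tarball as a distfile is that every build then consumes the same bytes, and distinfo is what enforces that. The following is an added example, not part of this PR or of the port, of a small POSIX sh checker that writes the same SHA256/SIZE record that `make makesum` produces and verifies a distfile against a distinfo file before it is used. It assumes the standard ports distinfo format and that one of sha256(1), sha256sum or shasum is installed; the file names it is run on are whatever the caller passes.

```sh
#!/bin/sh
# Added example (not from the PR): verify a pinned distfile, such as the
# maven-repository tarball, against its distinfo record so a swapped or
# truncated tarball is caught instead of silently built.
# Assumed distinfo format (the standard ports one):
#   SHA256 (file) = <hex digest>
#   SIZE (file) = <bytes>

# Print the SHA256 of a file using whichever tool exists
# (FreeBSD: sha256(1); Linux: sha256sum; macOS: shasum).
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print the byte size of a file; some wc implementations pad with spaces.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Emit the two distinfo lines for a file, as "make makesum" would.
make_distinfo() {
    printf 'SHA256 (%s) = %s\n' "$(basename "$1")" "$(file_sha256 "$1")"
    printf 'SIZE (%s) = %s\n' "$(basename "$1")" "$(file_size "$1")"
}

# Check a distfile against a distinfo file.
# Returns 0 on match, 1 on size or hash mismatch, 2 if there is no entry.
verify_distinfo() {
    distfile=$1
    distinfo=$2
    name=$(basename "$distfile")
    want_sha=$(sed -n "s/^SHA256 ($name) = //p" "$distinfo")
    want_size=$(sed -n "s/^SIZE ($name) = //p" "$distinfo")
    if [ -z "$want_sha" ] || [ -z "$want_size" ]; then
        echo "no distinfo entry for $name" >&2
        return 2
    fi
    # Size is cheap to check first and catches a truncated download early.
    have_size=$(file_size "$distfile")
    if [ "$have_size" != "$want_size" ]; then
        echo "size mismatch for $name: $have_size != $want_size" >&2
        return 1
    fi
    have_sha=$(file_sha256 "$distfile")
    if [ "$have_sha" != "$want_sha" ]; then
        echo "SHA256 mismatch for $name" >&2
        return 1
    fi
    echo "$name OK"
    return 0
}

# Usage when run as a script: sh verify_distinfo.sh <distfile> <distinfo>
if [ $# -eq 2 ]; then
    verify_distinfo "$1" "$2"
fi
```

Running it against the tarball and the port's distinfo before uploading to the LOCAL mirror catches the case where the tarball was rebuilt after `make makesum` was run, which is exactly the mismatch a committer would otherwise only see as a fetch failure.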
On a different note: we may want to wait for a fixed upstream version before committing the port: NIST changed their CVE URLs :( and now DependencyCheck has to fix that (https://github.com/jeremylong/DependencyCheck/issues/1171). P.S. shar creation problem fixed on my side. Will upload a correct one right now (else unchanged).
Created attachment 191995: owasp-dependency-check-3.1.1.shar
Thanks for the download script.

1) For future such scripts: add them as attachments to the PR, not inline, it takes more effort to extract it from the comment 8-}

2) I tried it, the download ends with:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0-M1:enforce (enforce-maven-3) on project dependency-check-parent: Some Enforcer rules have failed. Look above for specific messages explaining why the rule failed. -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

I guess this is fatal, so what went wrong?

Ah, I had maven 3.0.5 installed, but it requires 3.1+. Next attempt @work.
I read through the issue with the new URLs. What about adding the new URL parameters to owasp-dependency-check.in like this:

--cveUrl12Base "https://nvd.nist.gov/feeds/xml/cve/1.2/nvdcve-%d.xml.gz"
--cveUrl20Base "https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-%d.xml.gz"
--cveUrl12Modified "https://nvd.nist.gov/feeds/xml/cve/1.2/nvdcve-modified.xml.gz"
--cveUrl20Modified "https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-modified.xml.gz"
Created attachment 192005: owasp-dependency-check-3.1.1.shar

I added the `--cve*` URLs to the command line arguments. To be removed once upstream is fixed. Successfully tested the application again.
Committed, thanks!
A commit references this bug:

Author: pi
Date: Sun Apr 1 14:37:27 UTC 2018
New revision: 466161
URL: https://svnweb.freebsd.org/changeset/ports/466161

Log:
  New port: security/owasp-dependency-check

  Dependency-Check is a utility that attempts to detect publicly disclosed
  vulnerabilities contained within project dependencies. It does this by
  determining if there is a Common Platform Enumeration (CPE) identifier
  for a given dependency. If found, it will generate a report linking to
  the associated CVE entries.

  WWW: https://github.com/jeremylong/DependencyCheck
  WWW: https://www.owasp.org/index.php/OWASP_Dependency_Check
  WWW: https://jeremylong.github.io/DependencyCheck/dependency-check-cli/
  WWW: https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html

  PR:		226206
  Submitted by:	Andreas Sommer <andreas.sommer87@googlemail.com>

Changes:
  head/security/owasp-dependency-check/
  head/security/owasp-dependency-check/Makefile
  head/security/owasp-dependency-check/distinfo
  head/security/owasp-dependency-check/files/
  head/security/owasp-dependency-check/files/owasp-dependency-check.in
  head/security/owasp-dependency-check/files/patch-dependency--check--cli-pom.xml
  head/security/owasp-dependency-check/pkg-descr
A commit references this bug:

Author: pi
Date: Sun Apr 1 15:13:49 UTC 2018
New revision: 466165
URL: https://svnweb.freebsd.org/changeset/ports/466165

Log:
  security/owasp-dependency-check: add missing security/Makefile entry

  PR:		226206
  Reported by:	antoine

Changes:
  head/security/Makefile
Thank you :)