feat: Add support for failBuildOnUnusedSuppressionRule (#430)
Signed-off-by: Chad Wilson <[email protected]>
chadlwilson authored Jan 15, 2025
1 parent e74cc96 commit 64f0551
Showing 16 changed files with 80 additions and 79 deletions.
Expand Up @@ -166,6 +166,10 @@ class DependencyCheckExtension {
* is 0.0 which means all identified vulnerabilities would be considered a failure.
*/
Float junitFailOnCVSS = 0.0f
/**
* Specifies that if any unused suppression rule is found, the build will fail.
*/
Boolean failBuildOnUnusedSuppressionRule = false
/**
* Displays a summary of the findings. Defaults to true.
*/
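Review bot: The Javadoc on the new `failBuildOnUnusedSuppressionRule` field omits its default, while the neighbouring entries (`junitFailOnCVSS` above, the summary flag below) state theirs; suggest `Specifies that if any unused suppression rule is found, the build will fail. Defaults to false.` A sentence on why one would enable it would help users decide: a suppression rule that no longer matches anything is usually stale (the suppressed artifact was upgraded or removed), and a stale rule left in place can later mask a finding it was never meant to cover, so failing the build surfaces that drift early. The field is declared inside `DependencyCheckExtension`, whose body continues outside the hunk.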
Expand Up @@ -106,6 +106,7 @@ abstract class ConfiguredTask extends DefaultTask {

settings.setBooleanIfNotNull(DOWNLOADER_QUICK_QUERY_TIMESTAMP, config.quickQueryTimestamp)
settings.setFloat(JUNIT_FAIL_ON_CVSS, config.junitFailOnCVSS)
settings.setBooleanIfNotNull(FAIL_ON_UNUSED_SUPPRESSION_RULE, config.failBuildOnUnusedSuppressionRule)
settings.setBooleanIfNotNull(HOSTED_SUPPRESSIONS_ENABLED, config.hostedSuppressions.enabled)
settings.setBooleanIfNotNull(HOSTED_SUPPRESSIONS_FORCEUPDATE, config.hostedSuppressions.forceupdate)
settings.setStringIfNotNull(HOSTED_SUPPRESSIONS_URL, config.hostedSuppressions.url)
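Review bot: `FAIL_ON_UNUSED_SUPPRESSION_RULE` is referenced on the added line but no import for it is visible in this hunk; presumably it arrives through the same static `Settings.KEYS` import that supplies `JUNIT_FAIL_ON_CVSS` in the collapsed part of the file, so confirm it is there rather than being resolved some other way. Because the extension initialises the property to `false` instead of leaving it null, `setBooleanIfNotNull` will always write the key, which appears intended: the plugin then pins the value explicitly rather than relying on the engine's own default. The enclosing method starts and ends outside the hunk.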
Expand Up @@ -132,6 +132,20 @@ class DependencyCheckConfigurationSelectionIntegSpec extends Specification {
result.task(":$ANALYZE_TASK").outcome == SUCCESS
}

def "analysis fails when unused suppression rule is present"() {
given:
copyBuildFileIntoProjectDir('suppressionFilesFailOnUnusedRule.gradle')
copyResourceFileIntoProjectDir('suppressions.xml', 'suppressions.xml')

when:
def result = executeTaskAndGetResult(ANALYZE_TASK, false)

then:
result.task(":$ANALYZE_TASK").outcome == FAILED
result.output.contains('Suppression Rule had zero matches')
result.output.contains('commons-collections')
}


private void copyBuildFileIntoProjectDir(String buildFileName) {
copyResourceFileIntoProjectDir(buildFileName, 'build.gradle')
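Review bot: The new spec pins the failure to the literal engine message `'Suppression Rule had zero matches'` at the `result.output.contains(...)` line, which couples the test to dependency-check-core's wording and will fail on a reword rather than on a behaviour change. The `FAILED` outcome together with the `'commons-collections'` check already proves the rule was reported as unused; if the message check stays, a comment such as `// message text comes from dependency-check-core; update if the engine rewords it` next to it would save the next maintainer a search. `executeTaskAndGetResult(ANALYZE_TASK, false)` is defined outside the hunk, so the meaning of the `false` argument (presumably expect-failure) is inferred here.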
Expand Up @@ -97,46 +97,31 @@ class DependencyCheckGradlePluginSpec extends Specification {
def slackWebhookUrl = 'https://slack.com/webhook'
when:
project.dependencyCheck {
proxy {
server = '127.0.0.1'
port = 3128
username = 'proxyUsername'
password = 'proxyPassword'
nonProxyHosts = ['localhost']
}
nvd {
apiKey = 'apiKey'
delay = 5000
maxRetryCount = 20
}

hostedSuppressions {
url = 'suppressionsurl'
validForHours = 5
forceupdate = true
}

slack {
enabled = true
webhookUrl = slackWebhookUrl
}

analyzers {
artifactory {
enabled = true
url = 'https://example.com/artifacgtory'
bearerToken = 'abc123=='
}
kev {
enabled = false
url = "https://example.com"
validForHours = 12
}
retirejs {
filters = ['filter1', 'filter2']
filterNonVulnerable = true
}
}
proxy.server = '127.0.0.1'
proxy.port = 3128
proxy.username = 'proxyUsername'
proxy.password = 'proxyPassword'
proxy.nonProxyHosts = ['localhost']

nvd.apiKey = 'apiKey'
nvd.delay = 5000
nvd.maxRetryCount = 20

hostedSuppressions.url = 'suppressionsurl'
hostedSuppressions.validForHours = 5
hostedSuppressions.forceupdate = true

slack.enabled = true
slack.webhookUrl = slackWebhookUrl

analyzers.artifactory.enabled = true
analyzers.artifactory.url = 'https://example.com/artifacgtory'
analyzers.artifactory.bearerToken = 'abc123=='
analyzers.kev.enabled = false
analyzers.kev.url = "https://example.com"
analyzers.kev.validForHours = 12
analyzers.retirejs.filters = ['filter1', 'filter2']
analyzers.retirejs.filterNonVulnerable = true

outputDirectory = 'outputDirectory'
quickQueryTimestamp = false
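Review bot: The configuration block rewritten in this hunk assigns every pre-existing extension property but never sets `failBuildOnUnusedSuppressionRule`, so the property introduced by this commit is not exercised by this unit spec; consider adding `failBuildOnUnusedSuppressionRule = true` next to `quickQueryTimestamp = false` with a matching assertion in the `then:` block. That `then:` block lies outside the hunk and may check the default, but a non-default round-trip is what proves the property is wired through. The flattening from nested closures to dotted property access is behaviour-neutral as far as the visible lines show.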
Expand Up @@ -57,9 +57,7 @@ class DependencyCheckPluginIntegSpec extends Specification {
implementation group: 'commons-collections', name: 'commons-collections', version: '3.2'
}
dependencyCheck {
nvd {
datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
nvd.datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
""".stripIndent()
}
Expand Down Expand Up @@ -100,9 +98,7 @@ class DependencyCheckPluginIntegSpec extends Specification {
implementation group: 'commons-collections', name: 'commons-collections', version: '3.2'
}
dependencyCheck {
nvd {
datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
nvd.datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
""".stripIndent()
}
4 changes: 1 addition & 3 deletions src/test/resources/aggregateParent.gradle
Expand Up @@ -6,9 +6,7 @@ plugins {
dependencyCheck {
failOnError=true
format="HTML"
nvd {
datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
nvd.datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}

subprojects {
4 changes: 1 addition & 3 deletions src/test/resources/blacklistCustomConfiguration.gradle
Expand Up @@ -22,7 +22,5 @@ dependencies {
dependencyCheck {
failBuildOnCVSS = 0
skipConfigurations = ['foo']
nvd {
datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
nvd.datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
4 changes: 1 addition & 3 deletions src/test/resources/noSkipTestGroups.gradle
Expand Up @@ -30,7 +30,5 @@ dependencies {
dependencyCheck {
failBuildOnCVSS = 0
skipTestGroups = false
nvd {
datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
nvd.datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
4 changes: 1 addition & 3 deletions src/test/resources/outputDir.gradle
Expand Up @@ -20,7 +20,5 @@ dependencies {
}

dependencyCheck {
nvd {
datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
nvd.datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
4 changes: 1 addition & 3 deletions src/test/resources/scanAdditionalCpesConfiguration.gradle
Expand Up @@ -23,7 +23,5 @@ dependencyCheck {
cpe = "cpe:2.3:a:apache:commons_fileupload:1.3.1:*:*:*:*:*:*:*"
}
}
nvd {
datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
nvd.datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
4 changes: 1 addition & 3 deletions src/test/resources/scanCustomConfiguration.gradle
Expand Up @@ -21,7 +21,5 @@ dependencies {

dependencyCheck {
failBuildOnCVSS = 0
nvd {
datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
nvd.datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
Expand Up @@ -22,7 +22,5 @@ dependencies {
dependencyCheck {
failBuildOnCVSS = 0
scanConfigurations = ['runtime']
nvd {
datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
nvd.datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
4 changes: 1 addition & 3 deletions src/test/resources/skipGroups.gradle
Expand Up @@ -20,7 +20,5 @@ dependencies {
dependencyCheck {
skipGroups = ['commons-collections', 'commons-httpclient', 'commons-io', 'commons-file']
failBuildOnCVSS = 0
nvd {
datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
nvd.datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
4 changes: 1 addition & 3 deletions src/test/resources/skipTestGroups.gradle
Expand Up @@ -17,7 +17,5 @@ dependencies {

dependencyCheck {
failBuildOnCVSS = 0
nvd {
datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
nvd.datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
9 changes: 3 additions & 6 deletions src/test/resources/suppressionFiles.gradle
Expand Up @@ -13,12 +13,9 @@ dependencies {
}

dependencyCheck {
analyzers {
ossIndexEnabled = false
}
analyzers.ossIndexEnabled = false

failBuildOnCVSS = 0
suppressionFiles = ["${project.rootDir}/suppressions.xml"]
nvd {
datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
nvd.datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
}
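--- /dev/null
+++ b/src/test/resources/suppressionFilesFailOnUnusedRule.gradle
@@ -0,0 +1,22 @@
+plugins {
+id 'org.owasp.dependencycheck'
+}
+apply plugin: 'java'
+
+repositories {
+mavenLocal()
+mavenCentral()
+}
+
+dependencies {
+implementation 'commons-lang:commons-lang:2.6' // EOL dependency which has no vulnerabilities and unlikely to obtain any
+}
+
+dependencyCheck {
+analyzers.ossIndexEnabled = false
+
+failBuildOnCVSS = 0
+suppressionFiles = ["${project.rootDir}/suppressions.xml"]
+failBuildOnUnusedSuppressionRule = true
+nvd.datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
+}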
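Review bot: The inline comment on the `commons-lang:commons-lang:2.6` dependency makes a prediction ("unlikely to obtain any") rather than stating why a finding-free artifact matters to this fixture: with `failBuildOnCVSS = 0` any future finding against it would also fail the build, and only the integ spec's check for the zero-matches message would then distinguish that from the unused-rule failure being tested. Suggest rewording it to `// deliberately a dependency with no known findings: with failBuildOnCVSS = 0 a real finding would also fail the build and mask the unused-rule failure under test`. The suppression file this script points at is a separate resource not shown on this page.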
