Date: Sun, 1 Apr 2018 14:37:26 +0000 (UTC) From: Kurt Jaeger <pi@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r466161 - in head/security/owasp-dependency-check: . files Message-ID: <201804011437.w31EbQUf071802@repo.freebsd.org>
Author: pi
Date: Sun Apr 1 14:37:26 2018
New Revision: 466161
URL: https://svnweb.freebsd.org/changeset/ports/466161

Log:
  New port: security/owasp-dependency-check

  Dependency-Check is a utility that attempts to detect publicly disclosed
  vulnerabilities contained within project dependencies. It does this by
  determining if there is a Common Platform Enumeration (CPE) identifier
  for a given dependency. If found, it will generate a report linking to
  the associated CVE entries.

  WWW: https://github.com/jeremylong/DependencyCheck
  WWW: https://www.owasp.org/index.php/OWASP_Dependency_Check
  WWW: https://jeremylong.github.io/DependencyCheck/dependency-check-cli/
  WWW: https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html

  PR:           226206
  Submitted by: Andreas Sommer <andreas.sommer87@googlemail.com>

Added:
  head/security/owasp-dependency-check/
  head/security/owasp-dependency-check/Makefile   (contents, props changed)
  head/security/owasp-dependency-check/distinfo   (contents, props changed)
  head/security/owasp-dependency-check/files/
  head/security/owasp-dependency-check/files/owasp-dependency-check.in   (contents, props changed)
  head/security/owasp-dependency-check/files/patch-dependency--check--cli-pom.xml   (contents, props changed)
  head/security/owasp-dependency-check/pkg-descr   (contents, props changed)

Added: head/security/owasp-dependency-check/Makefile
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/owasp-dependency-check/Makefile	Sun Apr 1 14:37:26 2018	(r466161)
@@ -0,0 +1,46 @@ +# $FreeBSD$ + +# Note to committers: +# With each version update, a new maven repository must be created and distributed +# so build is repeatable and cluster-safe. + +PORTNAME= owasp-dependency-check +PORTVERSION= 3.1.1 +DISTVERSIONPREFIX= v +CATEGORIES= security java +MASTER_SITES= LOCAL/pi/:source2 +DISTFILES+= owasp-dependency-check-${PORTVERSION}-maven-repository.tar.gz:source2 + +MAINTAINER= andreas.sommer87@googlemail.com +COMMENT= Detects publicly disclosed vulnerabilities in project dependencies + +LICENSE= APACHE20 + +BUILD_DEPENDS= ${LOCALBASE}/share/java/maven/bin/mvn:devel/maven + +USE_GITHUB= yes +GH_ACCOUNT= jeremylong +GH_PROJECT= DependencyCheck + +USE_JAVA= yes +JAVA_VERSION= 1.7+ + +NO_ARCH= yes + +SUB_FILES= owasp-dependency-check +SUB_LIST= PORTVERSION=${PORTVERSION} +PLIST_DIRS= /var/cache/owasp-dependency-check +PLIST_FILES= bin/owasp-dependency-check \ + ${JAVAJARDIR}/owasp-dependency-check-${PORTVERSION}-jar-with-dependencies.jar + +do-build: + cd ${WRKSRC} && ${SETENV} ${MAKE_ENV} ${LOCALBASE}/share/java/maven/bin/mvn \ + --batch-mode -Dmaven.repo.local=${WRKDIR}/repository -DskipTests --offline package + +do-install: + ${INSTALL_DATA} ${WRKSRC}/dependency-check-cli/target/dependency-check-${PORTVERSION}-jar-with-dependencies.jar \ + ${STAGEDIR}${JAVAJARDIR}/owasp-dependency-check-${PORTVERSION}-jar-with-dependencies.jar + ${INSTALL_SCRIPT} ${WRKDIR}/${PORTNAME} ${STAGEDIR}${PREFIX}/bin + ${MKDIR} ${STAGEDIR}/var/cache/owasp-dependency-check + +.include <bsd.port.mk> Added: head/security/owasp-dependency-check/distinfo ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/owasp-dependency-check/distinfo Sun Apr 1 14:37:26 2018 (r466161) 
@@ -0,0 +1,5 @@ +TIMESTAMP = 1522498032 +SHA256 (owasp-dependency-check-3.1.1-maven-repository.tar.gz) = 27d27cfa9659c0c4b03dc311e994570641caa2b5db558731bea2a1904fca31b9 +SIZE (owasp-dependency-check-3.1.1-maven-repository.tar.gz) = 110896009 +SHA256 (jeremylong-DependencyCheck-v3.1.1_GH0.tar.gz) = 63c89d2263a5dd01f7cc44e22b1172989192b928ff1b650277ffec13e5d168eb +SIZE (jeremylong-DependencyCheck-v3.1.1_GH0.tar.gz) = 70973557 Added: head/security/owasp-dependency-check/files/owasp-dependency-check.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/owasp-dependency-check/files/owasp-dependency-check.in Sun Apr 1 14:37:26 2018 (r466161) 
@@ -0,0 +1,21 @@ +#!/bin/sh +# +# $FreeBSD$ + +# By default, this writes to /var/cache/owasp-dependency-check/data/dc.h2.db to cache vulnerability databases. +# Both read and write access to the cached database requires an exclusive lock file inside the same directory +# (even with `--noupdate`), so it's recommended to specify `--data PATH_TO_DATA_DIRECTORY` to ensure usability +# of the database by non-root users. Without the parameter, it defaults to write files into +# /var/cache/owasp-dependency-check/data. +# +# `--cve*` arguments fix https://github.com/jeremylong/DependencyCheck/issues/1171 until the changed URLs +# get released. +JAVA_VERSION="%%JAVA_VERSION%%" \ + "%%LOCALBASE%%/bin/java" \ + -Dbasedir="/var/cache/owasp-dependency-check" \ + -jar "%%JAVAJARDIR%%/owasp-dependency-check-%%PORTVERSION%%-jar-with-dependencies.jar" \ + --cveUrl12Base "https://nvd.nist.gov/feeds/xml/cve/1.2/nvdcve-%d.xml.gz" \ + --cveUrl20Base "https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-%d.xml.gz" \ + --cveUrl12Modified "https://nvd.nist.gov/feeds/xml/cve/1.2/nvdcve-modified.xml.gz" \ + --cveUrl20Modified "https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-modified.xml.gz" \ + "$@" Added: head/security/owasp-dependency-check/files/patch-dependency--check--cli-pom.xml ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/owasp-dependency-check/files/patch-dependency--check--cli-pom.xml Sun Apr 1 14:37:26 2018 (r466161) 
@@ -0,0 +1,18 @@ +--- dependency-check-cli/pom.xml.orig 2018-01-29 03:12:27 UTC ++++ dependency-check-cli/pom.xml +@@ -91,7 +91,15 @@ Copyright (c) 2012 - Jeremy Long. All Ri + <groupId>org.apache.maven.plugins</groupId> + <artifactId>maven-assembly-plugin</artifactId> + <configuration> ++ <archive> ++ <manifest> ++ <mainClass>org.owasp.dependencycheck.App</mainClass> ++ </manifest> ++ </archive> + <attach>false</attach> <!-- don't install/deploy this archive --> ++ <descriptorRefs> ++ <descriptorRef>jar-with-dependencies</descriptorRef> ++ </descriptorRefs> + </configuration> + <executions> + <execution> Added: head/security/owasp-dependency-check/pkg-descr ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/owasp-dependency-check/pkg-descr Sun Apr 1 14:37:26 2018 (r466161) @@ -0,0 +1,10 @@ +Dependency-Check is a utility that attempts to detect publicly disclosed +vulnerabilities contained within project dependencies. It does this by +determining if there is a Common Platform Enumeration (CPE) identifier +for a given dependency. If found, it will generate a report linking to +the associated CVE entries. + +WWW: https://github.com/jeremylong/DependencyCheck +WWW: https://www.owasp.org/index.php/OWASP_Dependency_Check +WWW: https://jeremylong.github.io/DependencyCheck/dependency-check-cli/ +WWW: https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html
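Review bot: in the Makefile hunk, the "Note to committers" says a new maven repository must be created and distributed with each version update but not how it is produced. Since `do-build` runs `mvn --offline` against `${WRKDIR}/repository` and the only integrity anchor for `owasp-dependency-check-${PORTVERSION}-maven-repository.tar.gz` is the SHA256 in distinfo, record in that comment the command sequence and upstream tag used to generate the tarball, so another committer can regenerate it and compare hashes instead of having to trust the copy on `LOCAL/pi`. It would also be the right place to note that the four `--cve*` flags in files/owasp-dependency-check.in are a temporary workaround to be dropped on the next version bump, since a committer updating PORTVERSION reads the Makefile first.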
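Review bot: in the wrapper-script hunk, the comment recommends `--data PATH_TO_DATA_DIRECTORY` for non-root users because `/var/cache/owasp-dependency-check/data` is created by `PLIST_DIRS` with default (root) ownership and both reading and writing the cached database need an exclusive lock file there, even with `--noupdate`. Consider having the wrapper supply a per-user `--data` default when it is not run as root, or at least shipping that advice in a pkg-message, since a first non-root invocation without the flag cannot use the database as the comment itself states. The first comment paragraph also states the `/var/cache/owasp-dependency-check/data` default twice; one sentence is enough. Finally, the four hard-coded `--cveUrl*` feed URLs are placed before `"$@"`, so whether a user's own `--cveUrl*` argument wins depends on the CLI's option parsing; say so in the comment next to the issue 1171 reference.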
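Review bot: the pom.xml patch gives no reason for configuring `maven-assembly-plugin` with an explicit `mainClass` and the `jar-with-dependencies` descriptor instead of upstream's own assembly; ports patches may carry a comment above the `---` header, so add one line stating the purpose (a single runnable jar for files/owasp-dependency-check.in to invoke with `-jar`) so the patch can be re-evaluated on each update. Note also that `jar-with-dependencies` unpacks every dependency into one archive, so duplicate `META-INF/services` entries and signatures of any signed dependency jars do not survive repackaging; verify on update that the resulting `dependency-check-${PORTVERSION}-jar-with-dependencies.jar` still starts and runs an analysis.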