feat: Allow for HTTP auth settings for Retire JS respository (#5209)

jeremylong · Jan 8, 2023 · 175a00d · 175a00d
2 parents c6b6250 + ee7e98b
commit 175a00d
Show file tree

Hide file tree

Showing 10 changed files with 115 additions and 7 deletions.
diff --git a/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java b/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
@@ -97,6 +97,14 @@ public class Check extends Update {
      * The URL to the RetireJS JSON data.
      */
     private String retireJsUrl;
+    /**
+     * The user to download URL to the RetireJS JSON data.
+     */
+    private String retireJsUrlUser;
+    /**
+     * The password to download URL to the RetireJS JSON data.
+     */
+    private String retireJsUrlPassword;
     /**
      * Whether or not the RetireJS Analyzer will be updated regardless of the
      * `autoupdate` settings. Defaults to false.
@@ -1251,6 +1259,42 @@ public void setRetireJsUrl(String retireJsUrl) {
         this.retireJsUrl = retireJsUrl;
     }
 
+    /**
+     * Get the value of User Retire JS repository URL.
+     *
+     * @return the value of retireJsUrlUser
+     */
+    public String getRetireJsUrlUser() {
+        return retireJsUrlUser;
+    }
+
+    /**
+     * Set the value of the User Retire JS repository URL.
+     *
+     * @param retireJsUrlUser new value of retireJsUrlUser
+     */
+    public void setRetireJsUrlUser(String retireJsUrlUser) {
+        this.retireJsUrlUser = retireJsUrlUser;
+    }
+
+    /**
+     * Get the value of Password Retire JS repository URL.
+     *
+     * @return the value of retireJsUrlPassword
+     */
+    public String getRetireJsUrlPassword() {
+        return retireJsUrlPassword;
+    }
+
+    /**
+     * Set the value of the Password Retire JS repository URL.
+     *
+     * @param retireJsUrlPassword new value of retireJsUrlPassword
+     */
+    public void setRetireJsUrlPassword(String retireJsUrlPassword) {
+        this.retireJsUrlPassword = retireJsUrlPassword;
+    }
+
     /**
      * Get the value of retireJsAnalyzerEnabled.
      *
@@ -2053,6 +2097,8 @@ protected void populateSettings() throws BuildException {
         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_SKIPDEV, nodeAuditSkipDevDependencies);
         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_ENABLED, retireJsAnalyzerEnabled);
         getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_REPO_JS_URL, retireJsUrl);
+        getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_REPO_JS_USER, retireJsUrlUser);
+        getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_REPO_JS_PASSWORD, retireJsUrlPassword);      
         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_FORCEUPDATE, retireJsAnalyzerForceUpdate);
         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_FILTER_NON_VULNERABLE, retirejsFilterNonVulnerable);
         getSettings().setArrayIfNotEmpty(Settings.KEYS.ANALYZER_RETIREJS_FILTERS, retirejsFilters);

diff --git a/cli/src/main/java/org/owasp/dependencycheck/App.java b/cli/src/main/java/org/owasp/dependencycheck/App.java
@@ -496,6 +496,10 @@ protected void populateSettings(CliParser cli) throws InvalidSettingException {
                 cli.hasOption(CliParser.ARGUMENT.PRETTY_PRINT));
         settings.setStringIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_REPO_JS_URL,
                 cli.getStringArgument(CliParser.ARGUMENT.RETIREJS_URL));
+        settings.setStringIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_REPO_JS_USER,
+                cli.getStringArgument(CliParser.ARGUMENT.RETIREJS_URL_USER));
+        settings.setStringIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_REPO_JS_PASSWORD,
+                cli.getStringArgument(CliParser.ARGUMENT.RETIREJS_URL_PASSWORD));                
         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_FORCEUPDATE,
                 cli.hasOption(CliParser.ARGUMENT.RETIRE_JS_FORCEUPDATE));
         settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED,

diff --git a/cli/src/main/java/org/owasp/dependencycheck/CliParser.java b/cli/src/main/java/org/owasp/dependencycheck/CliParser.java
@@ -403,6 +403,10 @@ private void addAdvancedOptions(final Options options) {
                         + "even if autoupdate is disabled"))
                 .addOption(newOptionWithArg(ARGUMENT.RETIREJS_URL, "url",
                         "The Retire JS Respository URL"))
+                .addOption(newOptionWithArg(ARGUMENT.RETIREJS_URL_USER, "username",
+                        "The password to authenticate to Retire JS Respository URL"))
+                .addOption(newOptionWithArg(ARGUMENT.RETIREJS_URL_PASSWORD, "password",
+                        "The password to authenticate to Retire JS Respository URL"))
                 .addOption(newOption(ARGUMENT.RETIREJS_FILTER_NON_VULNERABLE, "Specifies that the Retire JS "
                         + "Analyzer should filter out non-vulnerable JS files from the report."))
                 .addOption(newOptionWithArg(ARGUMENT.ARTIFACTORY_PARALLEL_ANALYSIS, "true/false",
@@ -1368,6 +1372,14 @@ public static class ARGUMENT {
          * The URL to the retire JS repository.
          */
         public static final String RETIREJS_URL = "retireJsUrl";
+        /**
+         * The username to the retire JS repository.
+         */
+        public static final String RETIREJS_URL_USER = "retireJsUrlUser";
+        /**
+         * The password to the retire JS repository.
+         */
+        public static final String RETIREJS_URL_PASSWORD = "retireJsUrlPass";
         /**
          * The URL of the nexus server.
          */

diff --git a/cli/src/site/markdown/arguments.md b/cli/src/site/markdown/arguments.md
@@ -55,6 +55,8 @@ Advanced Options
 |       | \-\-retireJsUrl                       | \<url\>         | The URL to the Retire JS repository.                                                                                                                                                                   | https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json |
 |       | \-\-retirejsFilter                    | \<pattern\>     | The RetireJS Analyzers content filter used to exclude JS files when the content contains the given regular expression; this option can be specified multiple times.                                    | &nbsp; |
 |       | \-\-retirejsFilterNonVulnerable       |                 | Specifies that the Retire JS Analyzer should filter out non-vulnerable JS files from the report.                                                                                                       | &nbsp; |
+|       | \-\-retirejsUser                           | \<username\>    | Credentials used for basic authentication for the RetireJS data.                                                                                                                                            | &nbsp; |
+|       | \-\-retirejsPassword                       | \<password\>    | Credentials used for basic authentication for the RetireJS data.                                                                                                                                            | &nbsp; |
 |       | \-\-disableRubygems                   |                 | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used.                                                                                                           | &nbsp; |
 |       | \-\-disableBundleAudit                |                 | Sets whether the [experimental](../analyzers/index.html) Ruby Bundler Audit Analyzer will be used.                                                                                                     | &nbsp; |
 |       | \-\-disableCocoapodsAnalyzer          |                 | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer will be used.                                                                                                              | &nbsp; |

diff --git a/core/src/main/java/org/owasp/dependencycheck/data/update/RetireJSDataSource.java b/core/src/main/java/org/owasp/dependencycheck/data/update/RetireJSDataSource.java
@@ -136,7 +136,7 @@ private void initializeRetireJsRepo(Settings settings, URL repoUrl, File repoFil
         try (WriteLock lock = new WriteLock(settings, true, repoFile.getName() + ".lock")) {
             LOGGER.debug("RetireJS Repo URL: {}", repoUrl.toExternalForm());
             final Downloader downloader = new Downloader(settings);
-            downloader.fetchFile(repoUrl, repoFile);
+            downloader.fetchFile(repoUrl, repoFile, Settings.KEYS.ANALYZER_RETIREJS_REPO_JS_USER, Settings.KEYS.ANALYZER_RETIREJS_REPO_JS_PASSWORD);
         } catch (IOException | TooManyRequestsException | ResourceNotFoundException | WriteLockException ex) {
             throw new UpdateException("Failed to initialize the RetireJS repo", ex);
         }

diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -544,6 +544,23 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
     @SuppressWarnings("CanBeFinal")
     @Parameter(property = "retireJsUrl")
     private String retireJsUrl;
+    /**
+     * The username to use when connecting to the CVE-URL.
+     */
+    @Parameter(property = "retireJsUser")
+    private String retireJsUser;
+    /**
+     * The password to authenticate to the CVE-URL.
+     */
+    @Parameter(property = "retireJsPassword")
+    private String retireJsPassword;
+    /**
+     * The server id in the settings.xml; used to retrieve encrypted passwords
+     * from the settings.xml for cve-URLs.
+     */
+    @SuppressWarnings("CanBeFinal")
+    @Parameter(property = "retireJsUrlServerId")
+    private String retireJsUrlServerId;
     /**
      * Whether the Retire JS repository will be updated regardless of the
      * `autoupdate` settings.
@@ -2169,9 +2186,18 @@ protected void populateSettings() {
         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_SKIPDEV, nodeAuditSkipDevDependencies);
         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_YARN_AUDIT_ENABLED, yarnAuditAnalyzerEnabled);
         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PNPM_AUDIT_ENABLED, pnpmAuditAnalyzerEnabled);
+
         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_ENABLED, retireJsAnalyzerEnabled);
         settings.setStringIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_REPO_JS_URL, retireJsUrl);
         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_FORCEUPDATE, retireJsForceUpdate);
+
+        if (retireJsUser == null && retireJsPassword == null && retireJsUrlServerId != null) {
+            configureServerCredentials(retireJsUrlServerId, Settings.KEYS.ANALYZER_RETIREJS_REPO_JS_USER, Settings.KEYS.ANALYZER_RETIREJS_REPO_JS_PASSWORD);
+        } else {
+            settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_RETIREJS_REPO_JS_USER, retireJsUser);
+            settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_RETIREJS_REPO_JS_PASSWORD, retireJsPassword);
+        }
+
         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_MIX_AUDIT_ENABLED, mixAuditAnalyzerEnabled);
         settings.setStringIfNotNull(Settings.KEYS.ANALYZER_MIX_AUDIT_PATH, mixAuditPath);
         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, bundleAuditAnalyzerEnabled);

diff --git a/maven/src/site/markdown/configuration.md b/maven/src/site/markdown/configuration.md
@@ -158,6 +158,9 @@ connectionString         | The connection string used to connect to the database
 serverId                 | The id of a server defined in the settings.xml; this can be used to encrypt the database password. See [password encryption](http://maven.apache.org/guides/mini/guide-encryption.html) for more information. | &nbsp; |
 databaseUser             | The username used when connecting to the database.                                                                                         | &nbsp;                                                              |
 databasePassword         | The password used when connecting to the database.                                                                                         | &nbsp;                                                              |
+retireJsUrlServerId      | The id of a server defined in the settings.xml to retrieve the credentials (username and password) to connect to RetireJS instance. | &nbsp;
+retireJsUser          | If you don't want register user/password in settings.xml, you can specify user. | &nbsp;
+retireJsPassword         | If you don't want register user/password in settings.xml, you can specify user. | &nbsp;
 
 Proxy Configuration
 ====================

diff --git a/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
@@ -362,6 +362,14 @@ public static final class KEYS {
          * The properties key for defining the URL to the RetireJS repository.
          */
         public static final String ANALYZER_RETIREJS_REPO_JS_URL = "analyzer.retirejs.repo.js.url";
+        /**
+         * The properties key for the Nexus search credentials username.
+         */
+        public static final String ANALYZER_RETIREJS_REPO_JS_USER = "analyzer.retirejs.repo.js.username";
+        /**
+         * The properties key for the Nexus search credentials password.
+         */
+        public static final String ANALYZER_RETIREJS_REPO_JS_PASSWORD = "analyzer.retirejs.repo.js.password";
         /**
          * The properties key for defining whether the RetireJS repository will
          * be updated regardless of the autoupdate settings.

diff --git a/utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java b/utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java
@@ -167,12 +167,19 @@ public void addBasicAuthentication(HttpURLConnection conn, String userKey, Strin
                 && StringUtils.isNotEmpty(settings.getString(passwordKey))) {
             final String user = settings.getString(userKey);
             final String password = settings.getString(passwordKey);
-            final String userColonPassword = user + ":" + password;
-            final String basicAuth = "Basic " + Base64.getEncoder().encodeToString(userColonPassword.getBytes(UTF_8));
-            if (LOGGER.isDebugEnabled()) {
-                LOGGER.debug("Adding user/pw from settings.xml as basic authorization");
+
+            if (user.isEmpty() || password.isEmpty()) {
+                if (LOGGER.isDebugEnabled()) {
+                    LOGGER.debug("Skip authentication as user and/or password is empty");
+                }
+            } else {
+                final String userColonPassword = user + ":" + password;
+                final String basicAuth = "Basic " + Base64.getEncoder().encodeToString(userColonPassword.getBytes(UTF_8));
+                if (LOGGER.isDebugEnabled()) {
+                    LOGGER.debug("Adding user/password from settings.xml as basic authorization");
+                }
+                conn.addRequestProperty("Authorization", basicAuth);
             }
-            conn.addRequestProperty("Authorization", basicAuth);
         }
     }
 

diff --git a/utils/src/test/java/org/owasp/dependencycheck/utils/BaseTest.java b/utils/src/test/java/org/owasp/dependencycheck/utils/BaseTest.java
@@ -57,7 +57,7 @@ protected Settings getSettings() {
         return settings;
     }
 
-        /**
+    /**
      * Returns the given resource as a File using the object's class loader. The
      * org.junit.Assume API is used so that test cases are skipped if the
      * resource is not available.