-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
/
dependencycheck.properties
149 lines (126 loc) · 6.14 KB
/
dependencycheck.properties
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
odc.application.name=${pom.name}
odc.application.version=${pom.version}
odc.autoupdate=true
# the url to obtain the current engine version from
engine.version.url=https://jeremylong.github.io/DependencyCheck/current.txt
#temp.directory defaults to System.getProperty("java.io.tmpdir")
#temp.directory=[path to temp directory]
# the path to the data directory; the [JAR] signifies to use the relative path
# to the dependency-check-core JAR file. This path is only used to construct
# the connection string for the H2 driver (or other drivers that require a file path
# to be supplied. If you are using another database (MySQL, Oracle, etc.) this property
# will not be used. The data.directory will be resolved and if the connection string
# below contains a %s then the data.directory will replace the %s.
data.directory=[JAR]/data
#if the filename has a %s it will be replaced with the current expected version
data.file_name=0dc.mv.db
data.version=5.3
#The analysis timeout in minutes
odc.analysis.timeout=20
# define which settings are masked when logged
odc.settings.mask=.*password.*,.*token.*
data.connection_string=jdbc:h2:file:%s;AUTOCOMMIT=ON;CACHE_SIZE=65536;
#data.connection_string=jdbc:mysql://localhost:3306/dependencycheck
# user name and password for the database connection. The inherent case is to use H2.
# As such, this unsecure username/password exist.
data.user=dcuser
data.password=DC-Pass1337!
# The following are only used if the DB Driver is not JDBC4 compliant and/or the driver
# is not in the current classpath. Setting these properties will add the give path(s) to
# the class loader and then register the driver with the DriverManager. If the class is
# not in the path you must specify both the driver name (aka the fully qualified driver name)
# and the driver path. The driver path can be a semi-colon separated list of files/directories
# to ensure any and all needed files can be added to the classpath to load the driver.
# For non-JDBC4 drivers in the classpath only the driver_name needs to be set.
# For MOST situations these properties likely do not need to be set.
data.driver_name=org.h2.Driver
data.driver_path=
# the class name of the write lock shutdown hook
data.writelock.shutdownhook=org.owasp.dependencycheck.utils.WriteLockCleanupHook
proxy.disableSchemas=true
# the number of days that the modified nvd cve data holds data for. We don't need
# to update the other files if we are within this timespan. Per NIST this file
# holds 8 days of updates, we are using 7 just to be safe.
cve.url.modified.validfordays=7
# the number of hours to wait before checking if updates are available from the NVD.
cve.check.validforhours=0
#first year to pull data from the URLs below
cve.startyear=2014
#the original URL and modified URL should be the same; this is used to detect if we are using an internal NVD CVE copy
cve.url.original=https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz
cve.url.modified=https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz
cve.url.base=https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-%d.json.gz
cve.cpe.startswith.filter=cpe:2.3:a:
nvd.newyear.grace.period=10
max.download.threads=2
cpe.validfordays=30
cpe.url=https://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
# the URL for searching Nexus for SHA-1 hashes and whether it's enabled
analyzer.nexus.url=https://repository.sonatype.org/service/local/
# If set to true, the proxy will still ONLY be used if the proxy properties (proxy.url, proxy.port)
# are configured
# the URL for searching search.maven.org for SHA-1 and whether it's enabled
analyzer.central.enabled=true
analyzer.central.url=https://search.maven.org/solrsearch/select
central.content.url=https://search.maven.org/remotecontent?filepath=
# Note - the central query is used in a String.format(query, url, sha1)).
# As such, it must have two %s and any other % must be escapped by doubling it
analyzer.central.query=%s?q=1:%s&wt=xml
analyzer.central.retry.count=7
analyzer.central.parallel.analysis=false
# the URL for searching NPM Audit API
analyzer.node.audit.url=https://registry.npmjs.org/-/npm/v1/security/audits
analyzer.retirejs.enabled=true
analyzer.retirejs.repo.validforhours=24
analyzer.retirejs.repo.js.url=https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json
# the number of nested archives that will be searched.
archive.scan.depth=3
# use HEAD (default) or GET as HTTP request method for query timestamp
downloader.quick.query.timestamp=true
downloader.tls.protocols=TLSv1.1,TLSv1.2,TLSv1.3
# defines if the experimental and retired analyzers can be enabled
analyzer.experimental.enabled=false
analyzer.retired.enabled=false
analyzer.jar.enabled=true
analyzer.archive.enabled=true
analyzer.node.package.enabled=true
analyzer.node.audit.enabled=true
analyzer.composer.lock.enabled=true
analyzer.golang.mod.enabled=true
analyzer.mix.audit.enabled=true
analyzer.python.distribution.enabled=true
analyzer.python.package.enabled=true
analyzer.ruby.gemspec.enabled=true
analyzer.autoconf.enabled=true
analyzer.cmake.enabled=true
analyzer.assembly.enabled=true
analyzer.nuspec.enabled=true
analyzer.nugetconf.enabled=true
analyzer.openssl.enabled=true
analyzer.nexus.enabled=false
analyzer.cocoapods.enabled=true
analyzer.swift.package.manager.enabled=true
#whether the nexus analyzer uses the proxy
analyzer.nexus.proxy=true
#Use your own bundle-audit install directory.
analyzer.bundle.audit.path=/usr/local/bin/bundle-audit
analyzer.cpe.enabled=true
analyzer.npm.cpe.enabled=true
analyzer.cpesuppression.enabled=true
analyzer.dependencybundling.enabled=true
analyzer.dependencymerging.enabled=true
analyzer.falsepositive.enabled=true
analyzer.filename.enabled=true
analyzer.pe.enabled=true
analyzer.hint.enabled=true
analyzer.nvdcve.enabled=true
analyzer.vulnerabilitysuppression.enabled=true
analyzer.dart.enabled=true
updater.nvdcve.enabled=true
updater.versioncheck.enabled=true
ecosystem.skip.cpeanalyzer=npm
database.batchinsert.enabled=true
database.batchinsert.maxsize=1000
## The following controls the max query limit used in the CPE searches for each ecosystem
odc.ecosystem.maxquerylimit.native=1000
odc.ecosystem.maxquerylimit.default=100