dependency-check / dependency-check-gradle

The dependency-check gradle plugin is a Software Composition Analysis (SCA) tool that allows projects to monitor dependent libraries for known, published vulnerabilities.
http://jeremylong.github.io/DependencyCheck/
Apache License 2.0

Add the ability to manually specify additional CPE entries to be checked. #361

Closed gordoninnes closed 6 months ago

gordoninnes commented 10 months ago

This change allows adding CPEs to be included in analysis for dependencies that might not be picked up during scans.

For example, to add in a dependency on PostgreSQL:

dependencyCheck {
  additionalCpes {
    postgreSql {
      description = "PostgreSQL"
      cpe = "cpe:2.3:a:postgresql:postgresql:${postgresqlVersion}:*:*:*:*:*:*:*"
    }
  }
}

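A sanity check for CPE strings before they go into an `additionalCpes` block, as an added example that is not part of this PR or of dependency-check: it parses a CPE 2.3 formatted string into its named components, honouring backslash-escaped colons, and rejects malformed entries (wrong field count, unknown part, empty component, wildcard vendor or product, or a Groovy `${...}` placeholder that was never interpolated, which is what you get if the cpe value is single-quoted). A mistyped CPE silently matches nothing, so the manual entry adds no coverage; the concrete-vendor/product rule is this example's own policy, not a CPE specification requirement.

```python
# Positional components of a CPE 2.3 formatted string (NIST IR 7695, section 6.2),
# following the two fixed prefix fields "cpe" and "2.3".
CPE23_FIELDS = (
    "part", "vendor", "product", "version", "update", "edition",
    "language", "sw_edition", "target_sw", "target_hw", "other",
)


def split_cpe23(cpe: str) -> list[str]:
    """Split on ':' while keeping backslash-escaped colons inside a field."""
    fields, buf, i = [], [], 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):
            buf.append(cpe[i:i + 2])  # keep the escape pair verbatim
            i += 2
            continue
        if ch == ":":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    fields.append("".join(buf))
    return fields


def parse_cpe23(cpe: str) -> dict:
    """Return the named components of a well-formed CPE 2.3 string, else raise ValueError."""
    fields = split_cpe23(cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"expected 13 fields starting with cpe:2.3, got {len(fields)}")
    if "${" in cpe:
        # Groovy only interpolates ${...} inside double-quoted strings.
        raise ValueError("unexpanded build-script placeholder in CPE")
    comp = dict(zip(CPE23_FIELDS, fields[2:]))
    if comp["part"] not in ("a", "o", "h"):
        raise ValueError(f"part must be a, o or h, got {comp['part']!r}")
    if any(value == "" for value in comp.values()):
        raise ValueError("empty component; use '*' (any) or '-' (not applicable)")
    for name in ("vendor", "product"):  # policy of this check, not the CPE spec
        if comp[name] in ("*", "-"):
            raise ValueError(f"{name} must be concrete for a manually added CPE")
    return comp


def is_valid_cpe23(cpe: str) -> bool:
    """Boolean wrapper around parse_cpe23 for use in a build-time check."""
    try:
        parse_cpe23(cpe)
        return True
    except ValueError:
        return False
```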
jeremylong commented 10 months ago

I have some larger work to complete in the core library before I can review this PR.

gordoninnes commented 10 months ago

No worries! I appreciate you having a look. I've used these changes locally but would be nice not to have to maintain our own separate build. Hopefully it's a useful feature for others.

gordoninnes commented 8 months ago

Thanks. I've committed those changes.

gordoninnes commented 8 months ago

Had to push a fix to get your changes in properly 😞 Can you review again please?

jeremylong commented 6 months ago

Sorry about the delay - this is being released today. I've unfortunately had a ton of other work outside of my OSS contributions consuming my time. Thanks again for the PR.