jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Option to rename outputfiles:dependency-check-report #2634

Open ChristianFehlinger opened 4 years ago

ChristianFehlinger commented 4 years ago

I am using the command-line scanner in a CI pipeline. (Used version: Dependency-Check Core version 5.3.0) I was searching for a parameter to rename the output files, but was not able to find one.
For example, from dependency-check-report.xml to dependency-check-app1.xml

After a quick look into ReportGenerator.java, it looks like it is static.

    public static File getReportFile(String outputLocation, Format format) {
        File outFile = new File(outputLocation);
        if (outFile.getParentFile() == null) {
            outFile = new File(".", outputLocation);
        }
        final String pathToCheck = outputLocation.toLowerCase();
        if (format == Format.XML && !pathToCheck.endsWith(".xml")) {
            return new File(outFile, "dependency-check-report.xml");
        }
        if (format == Format.HTML && !pathToCheck.endsWith(".html") && !pathToCheck.endsWith(".htm")) {
            return new File(outFile, "dependency-check-report.html");
        }
        if (format == Format.JSON && !pathToCheck.endsWith(".json")) {
            return new File(outFile, "dependency-check-report.json");
        }
        if (format == Format.CSV && !pathToCheck.endsWith(".csv")) {
            return new File(outFile, "dependency-check-report.csv");
        }
        if (format == Format.JUNIT && !pathToCheck.endsWith(".xml")) {
            return new File(outFile, "dependency-check-junit.xml");
        }
        return outFile;
    }

Could it be an option to add a variable to Settings.java? Then it would be possible to overwrite it with a properties file.

jeremylong commented 4 years ago

If you are generating a single report format you can already rename the output file by using:

    $ dependency-check.sh --out ./report.xml --format XML --scan ./path

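
As an added illustration (not code from the dependency-check project), the naming rule from the `getReportFile` snippet above, extended with an optional base name so that a custom file name could be applied to more than one format in a single run; the class `ReportNaming`, the `resolve` method and its `baseName` parameter are hypothetical.

```java
import java.io.File;
import java.util.Locale;

// Hypothetical sketch of ReportGenerator.getReportFile with a configurable base name.
// Not part of dependency-check; the class, method and parameter names are invented here.
public final class ReportNaming {

    enum Format { XML, HTML, JSON, CSV, JUNIT }

    /** Resolve the file a report of the given format would be written to. */
    static File resolve(String outputLocation, Format format, String baseName) {
        File outFile = new File(outputLocation);
        if (outFile.getParentFile() == null) {
            outFile = new File(".", outputLocation);
        }
        final String pathToCheck = outputLocation.toLowerCase(Locale.ROOT);
        // As in the original: a path that already carries the format's extension is
        // taken as the file name itself. This only helps when one format is produced.
        for (String ext : extensionsFor(format)) {
            if (pathToCheck.endsWith(ext)) {
                return outFile;
            }
        }
        // Otherwise the path is a directory and a file name is appended. Without an
        // override this reproduces the fixed names from the snippet above.
        String stem;
        if (baseName == null) {
            stem = (format == Format.JUNIT) ? "dependency-check-junit" : "dependency-check-report";
        } else {
            // Keep JUnit distinct from the plain XML report, since both end in .xml and
            // would otherwise collide when written in the same run.
            stem = (format == Format.JUNIT) ? baseName + "-junit" : baseName;
        }
        return new File(outFile, stem + extensionsFor(format)[0]);
    }

    static String[] extensionsFor(Format format) {
        switch (format) {
            case HTML: return new String[] {".html", ".htm"};
            case JSON: return new String[] {".json"};
            case CSV:  return new String[] {".csv"};
            default:   return new String[] {".xml"};   // XML and JUNIT
        }
    }

    public static void main(String[] args) {
        System.out.println(resolve("./target", Format.XML, null));          // ./target/dependency-check-report.xml
        System.out.println(resolve("./report.xml", Format.XML, null));      // ./report.xml (honoured as-is)
        System.out.println(resolve("./target", Format.XML, "dependency-check-app1"));   // ./target/dependency-check-app1.xml
        System.out.println(resolve("./target", Format.HTML, "dependency-check-app1"));  // ./target/dependency-check-app1.html
        System.out.println(resolve("./target", Format.JUNIT, "dependency-check-app1")); // ./target/dependency-check-app1-junit.xml
    }
}
```
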
ChristianFehlinger commented 4 years ago

Thanks for that tip. At the moment I am generating XML and HTML, but I think I could drop the HTML part.

But in general I think it would be nice to be able to define a name.

jeremylong commented 4 years ago

I'd agree, the option to specify the filename should be added. We accept PRs...

majoba commented 3 years ago

I am using the mvn plugin and would be happy if the option were available to specify the report filename (e.g. including the version number for better traceability...). Is there any progress?

timonzi commented 1 year ago

Same here. I would like to define the name using a Maven property or a -D parameter.