No functional change, updates and removes some now useless files
git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk@1782604 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/tools/security/dependency-check/NOTICE.txt b/tools/security/dependency-check/NOTICE.txt
index fde7427..6638101 100644
--- a/tools/security/dependency-check/NOTICE.txt
+++ b/tools/security/dependency-check/NOTICE.txt
@@ -1,8 +1,8 @@
-dependency-check-cli
+dependency-check
-Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+Copyright (c) 2012-2013 Jeremy Long. All Rights Reserved.
-The licenses for the software listed below can be found in the licenses.
+The licenses for the software listed below can be found in the META-INF/licenses/[dependency name].
This product includes software developed by The Apache Software Foundation (http://www.apache.org/).
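Review bot: the copyright line `+Copyright (c) 2012-2013 Jeremy Long. All Rights Reserved.` disagrees with the README.md changed in this same commit, which states 2012-2015; the two files should carry one range. The new `+The licenses for the software listed below can be found in the META-INF/licenses/[dependency name].` line refers to a path inside the upstream dependency-check distribution jar, and nothing in this change adds such a directory under tools/security/dependency-check, so a reader of this NOTICE has nowhere to look; either copy the licenses here or point at the upstream project.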
diff --git a/tools/security/dependency-check/README.md b/tools/security/dependency-check/README.md
index 2c37d91..fab9438 100644
--- a/tools/security/dependency-check/README.md
+++ b/tools/security/dependency-check/README.md
@@ -1,24 +1,120 @@
-Dependency-Check Command Line
+Dependency-Check
================
-Dependency-Check Command Line can be used to check project dependencies for published security vulnerabilities. The checks
-performed are a "best effort" and as such, there could be false positives as well as false negatives. However,
-vulnerabilities in 3rd party components is a well-known problem and is currently documented in the 2013 OWASP
-Top 10 as [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities).
-Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-cli/installation.html).
+Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
+
+Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/). Additionally, more information about the architecture and ways to extend dependency-check can be found on the [wiki].
+
+Current Releases
+-------------
+### Jenkins Plugin
+
+For instructions on the use of the Jenkins plugin please see the [OWASP Dependency-Check Plugin page](https://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin).
+
+### Command Line
+
+More detailed instructions can be found on the
+[dependency-check github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-cli/).
+The latest CLI can be downloaded from bintray's
+[dependency-check page](https://bintray.com/jeremy-long/owasp/dependency-check).
+
+On *nix
+```
+$ ./bin/dependency-check.sh -h
+$ ./bin/dependency-check.sh --app Testing --out . --scan [path to jar files to be scanned]
+```
+On Windows
+```
+> bin/dependency-check.bat -h
+> bin/dependency-check.bat --app Testing --out . --scan [path to jar files to be scanned]
+```
+On Mac with [Homebrew](http://brew.sh)
+```
+$ brew update && brew install dependency-check
+$ dependency-check -h
+$ dependency-check --app Testing --out . --scan [path to jar files to be scanned]
+```
+
+### Maven Plugin
+
+More detailed instructions can be found on the [dependency-check-maven github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-maven).
+The plugin can be configured using the following:
+
+```xml
+<project>
+ <build>
+ <plugins>
+ ...
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <executions>
+ <execution>
+ <goals>
+ <goal>check</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ ...
+ </plugins>
+ ...
+ </build>
+ ...
+</project>
+```
+
+### Ant Task
+
+For instructions on the use of the Ant Task, please see the [dependency-check-ant github page](http://jeremylong.github.io/DependencyCheck/dependency-check-ant).
+
+Development Usage
+-------------
+The following instructions outline how to compile and use the current snapshot. While every intention is to maintain a stable snapshot it is recommended
+that the release versions listed above be used.
+
+The repository has some large files due to test resources. The team has tried to cleanup the history as much as possible.
+However, it is recommended that you perform a shallow clone to save yourself time:
+
+```bash
+git clone --depth 1 git@github.com:jeremylong/DependencyCheck.git
+```
+
+On *nix
+```
+$ mvn install
+$ ./dependency-check-cli/target/release/bin/dependency-check.sh -h
+$ ./dependency-check-cli/target/release/bin/dependency-check.sh --app Testing --out . --scan ./src/test/resources
+```
+On Windows
+```
+> mvn install
+> dependency-check-cli/target/release/bin/dependency-check.bat -h
+> dependency-check-cli/target/release/bin/dependency-check.bat --app Testing --out . --scan ./src/test/resources
+```
+
+Then load the resulting 'DependencyCheck-Report.html' into your favorite browser.
Mailing List
------------
-Subscribe: [dependency-check+subscribe@googlegroups.com](mailto:dependency-check+subscribe@googlegroups.com)
+Subscribe: [dependency-check+subscribe@googlegroups.com] [subscribe]
-Post: [dependency-check@googlegroups.com](mailto:dependency-check@googlegroups.com)
+Post: [dependency-check@googlegroups.com] [post]
+
+Archive: [google group](https://groups.google.com/forum/#!forum/dependency-check)
Copyright & License
-------------
+-
-Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved.
+Dependency-Check is Copyright (c) 2012-2015 Jeremy Long. All Rights Reserved.
-Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.
+Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-cli/blob/master/LICENSE.txt) file for the full license.
-Dependency-Check Command Line makes use of other open source libraries. Please see the [NOTICE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/dependency-check-cli/NOTICE.txt) file for more information.
+Dependency-Check makes use of several other open source libraries. Please see the [NOTICE.txt] [notices] file for more information.
+
+
+ [wiki]: https://github.com/jeremylong/DependencyCheck/wiki
+ [subscribe]: mailto:dependency-check+subscribe@googlegroups.com
+ [post]: mailto:dependency-check@googlegroups.com
+ [notices]: https://github.com/jeremylong/DependencyCheck/blob/master/NOTICES.txt
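Review bot: two of the new links are broken: the LICENSE.txt link `https://github.com/jeremylong/DependencyCheck/dependency-check-cli/blob/master/LICENSE.txt` puts the directory before `blob/master` (GitHub expects `.../DependencyCheck/blob/master/dependency-check-cli/LICENSE.txt`), and `[notices]: https://github.com/jeremylong/DependencyCheck/blob/master/NOTICES.txt` names `NOTICES.txt` while the file shipped next to this README is `NOTICE.txt`. More broadly, this hunk replaces the short CLI note with a verbatim copy of the upstream project README (Jenkins, Maven, Ant and snapshot build instructions), none of which says how OFBiz runs the scan, while README.txt in the same commit says the Gradle plugin is used; a short OFBiz-specific README pointing at the Gradle configuration and the cwiki page would serve contributors better than the upstream text. Minor: `cleanup the history` should read `clean up the history`, and the `Copyright & License` heading is underlined with a single `-` while the other headings use a full row.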
diff --git a/tools/security/dependency-check/README.txt b/tools/security/dependency-check/README.txt
index 8a6a98e..5981852 100644
--- a/tools/security/dependency-check/README.txt
+++ b/tools/security/dependency-check/README.txt
@@ -1,4 +1,2 @@
-This is only given as an example. It uses the https://www.owasp.org/index.php/OWASP_Dependency_Check command line option
-To have it working you must have the dependency-check command line option correctly installed.
-
+This is only given as an example. It uses the Gradle dependency check gradle plugin. https://plugins.gradle.org/plugin/dependency.check
In any cases be sure to check https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check
\ No newline at end of file
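Review bot: with check.bat and suppress.xml removed in this same change, the sentence `+This is only given as an example.` no longer has an example to refer to; the directory now holds only NOTICE.txt and two READMEs. Say where the plugin is actually applied (the Gradle build file) or drop the sentence. Wording: `Gradle dependency check gradle plugin` repeats `Gradle`, `In any cases` should be `In any case`, and the file still ends without a trailing newline (`\ No newline at end of file`).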
diff --git a/tools/security/dependency-check/check.bat b/tools/security/dependency-check/check.bat
deleted file mode 100644
index f1d3f15..0000000
--- a/tools/security/dependency-check/check.bat
+++ /dev/null
@@ -1,22 +0,0 @@
-@echo off
-rem #####################################################################
-rem Licensed to the Apache Software Foundation (ASF) under one
-rem or more contributor license agreements. See the NOTICE file
-rem distributed with this work for additional information
-rem regarding copyright ownership. The ASF licenses this file
-rem to you under the Apache License, Version 2.0 (the
-rem "License"); you may not use this file except in compliance
-rem with the License. You may obtain a copy of the License at
-rem
-rem http://www.apache.org/licenses/LICENSE-2.0
-rem
-rem Unless required by applicable law or agreed to in writing,
-rem software distributed under the License is distributed on an
-rem "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-rem KIND, either express or implied. See the License for the
-rem specific language governing permissions and limitations
-rem under the License.
-rem #####################################################################
-@echo %time%
-dependency-check -project OFBiz -scan C:\projectASF-Mars\ofbiz --suppression C:\tools\dependency-check\suppress.xml
-@echo %time%
\ No newline at end of file
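Review bot: removing this script is reasonable, since `dependency-check -project OFBiz -scan C:\projectASF-Mars\ofbiz --suppression C:\tools\dependency-check\suppress.xml` hard-codes one developer's Windows paths, but note that it passed `--suppression` with the suppress.xml file; the Gradle plugin configuration that replaces it needs an equivalent suppression setting, otherwise every finding that file silenced will reappear in the next report.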
diff --git a/tools/security/dependency-check/suppress.xml b/tools/security/dependency-check/suppress.xml
deleted file mode 100644
index ea3a8e9..0000000
--- a/tools/security/dependency-check/suppress.xml
+++ /dev/null
@@ -1,161 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<suppressions xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression">
- <!-- Good examples here: https://jeremylong.github.io/DependencyCheck/general/suppression.html -->
-
- <!-- To check the comments yourself, simply comment out the block/s you are interested in and use Dependency Check to get the related CVE/s -->
-
- <!-- OFBiz uses a more recent Tomcat version -->
- <suppress>
- <notes><![CDATA[
- file name: annotations-api-3.0.jar
- ]]></notes>
- <sha1>87925e57a90c75bd60e2fe4c3fdbcef592c00e48</sha1>
- <cpe>cpe:/a:apache:tomcat:3.0</cpe>
- </suppress>
- <suppress>
- <notes><![CDATA[
- file name: annotations-api-3.0.jar
- ]]></notes>
- <sha1>87925e57a90c75bd60e2fe4c3fdbcef592c00e48</sha1>
- <cpe>cpe:/a:apache:tomcat:7.0.54</cpe>
- </suppress>
- <suppress>
- <notes><![CDATA[
- file name: el-api-3.0.jar
- ]]></notes>
- <sha1>794cf8e8d615c6ac136835867aef2fee125bc74b</sha1>
- <cpe>cpe:/a:apache:tomcat:3.0</cpe>
- </suppress>
- <suppress>
- <notes><![CDATA[
- file name: jsp-api-2.3.jar
- ]]></notes>
- <filePath regex="true">.*\\base\\lib\\j2eespecs\\.*\.jar</filePath>
- <cve>CVE-2013-2185</cve>
- <cve>CVE-2009-2696</cve>
- <cve>CVE-2007-5461</cve>
- <cve>CVE-2002-0493</cve>
- </suppress>
- <suppress>
- <notes><![CDATA[
- file name: servlet-api-3.1.jar
- ]]></notes>
- <sha1>cc2becc4bf29a7bfd0d7a4055552683d421859c5</sha1>
- <cpe>cpe:/a:apache:tomcat:3.1</cpe>
- </suppress>
-
- <!-- These CVEs don't concern current Tomcat versions -->
- <suppress>
- <notes><![CDATA[
- This suppresses specific Tomcat CVEs
- ]]></notes>
- <filePath regex="true">.*\\catalina\\lib\\.*\.jar</filePath>
- <cve>CVE-2013-2185</cve>
- <cve>CVE-2009-2696</cve>
- <cve>CVE-2007-5461</cve>
- <cve>CVE-2002-0493</cve>
- </suppress>
-
- <suppress><!-- This concerns Wordpress only-->
- <notes><![CDATA[
- This suppresses a specific fontbox cve
- ]]></notes>
- <filePath regex="true">.*\bfontbox-1.8.11\.jar</filePath>
- <cve>CVE-2015-7683</cve>
- </suppress>
-
- <suppress><!-- The classes OFBiz uses are not concerned (no UI) -->
- <notes><![CDATA[
- file name: geronimo-j2ee-connector_1.5_spec-2.0.0.jar
- ]]></notes>
- <sha1>1da837af8f5bf839ab48352f3dbfd6c4ecedc232</sha1>
- <cpe>cpe:/a:apache:geronimo:2.0</cpe>
- </suppress>
-
- <suppress><!-- OFBiz only uses com.sun.mail.smtp.SMTPAddressFailedException: not concerned -->
- <notes><![CDATA[
- file name: mail-1.5.1.jar
- ]]></notes>
- <sha1>9724dd44f1abbba99c9858aa05fc91d53f59e7a5</sha1>
- <cpe>cpe:/a:sun:javamail:1.5.1</cpe>
- </suppress>
-
- <suppress><!-- This concerns the UI/XSS and init script in whole Geronimo, OFBiz only uses this class => not concerned. Moreover IBM no longer supports Geronimo so I don't see the point of upgrading as long as it works-->
- <notes><![CDATA[
- file name: geronimo-jaxr_1.0_spec-1.0.jar
- ]]></notes>
- <sha1>f6a3b80feb6badbe12c21c8a51ede7fcd6e91e5f</sha1>
- <cpe>cpe:/a:apache:geronimo:1.0</cpe>
- </suppress>
- <suppress>
- <notes><![CDATA[
- file name: geronimo-jms_1.1_spec-1.1.1.jar
- ]]></notes>
- <sha1>c872b46c601d8dc03633288b81269f9e42762cea</sha1>
- <cpe>cpe:/a:apache:geronimo:1.1.1</cpe>
- </suppress>
- <suppress>
- <notes><![CDATA[
- file name: geronimo-saaj_1.3_spec-1.1.jar
- ]]></notes>
- <sha1>be6e6fc49ca84631f7c47a04d5438e193db54d7c</sha1>
- <cpe>cpe:/a:apache:geronimo:1.1</cpe>
- </suppress>
-
- <suppress><!-- This concerns the init script in whole Geronimo, OFBiz only uses this class => not concerned. Moreover IBM no longer supports Geronimo so I don't see the point of upgrading as long as it works-->
- <notes><![CDATA[
- file name: geronimo-transaction-3.1.1.jar
- ]]></notes>
- <sha1>1cfdfcff3cd6a805be401946ab14213b0bad9cb4</sha1>
- <cpe>cpe:/a:apache:geronimo:3.1.1</cpe>
- </suppress>
- <suppress>
- <notes><![CDATA[
- file name: geronimo-jaxrpc_1.1_spec-1.0.jar
- ]]></notes>
- <sha1>c581838de2339f61f1965db0ff912ff2ac1c4b30</sha1>
- <cpe>cpe:/a:apache:geronimo:1.0</cpe>
-</suppress>
- <suppress>
- <notes><![CDATA[
- file name: geronimo-jta_1.1_spec-1.1.1.jar
- ]]></notes>
- <sha1>aabab3165b8ea936b9360abbf448459c0d04a5a4</sha1>
- <cpe>cpe:/a:apache:geronimo:1.1.1</cpe>
- </suppress>
- <suppress>
- <notes><![CDATA[
- file name: geronimo-activation_1.0.2_spec-1.0.jar
- ]]></notes>
- <sha1>6dc4b0c7d3358ae4752cf9cc0f97f98358ea7656</sha1>
- <cpe>cpe:/a:apache:geronimo:1.0</cpe>
- </suppress>
-
- <!-- About Axis 1.6.3 (start with axis2-kernel-1.6.3.jar):1.6.3 is the higher version anyway, so we can't do more here -->
-
- <suppress><!-- This has been handled with r1557462 for OFBIZ-5409 . Anyway nowaydays modern browsers protect from that-->
- <notes><![CDATA[
- file name: package.json
- ]]></notes>
- <sha1>cfe99f497ed35573d7dfc291068d742399a0eee0</sha1>
- <cpe>cpe:/a:jquery:jquery:1.10.0</cpe>
- </suppress>
-
- <!-- all cpe:/a:apache:axis:1.4 can be neglected because they are related to Birt which with latest version (4.5.0) still uses Axis 1.4. So are neglected all cpe:/a:eclipse:birt: -->
-
- <suppress><!-- Not an issue for OFBiz. See http://seclists.org/oss-sec/2014/q2/508: "This flaw only affects Apache Zookeeper used in conjunction with [redhat] Fuse Fabric". -->
- <notes><![CDATA[
- file name: zookeeper-3.4.6.jar
- ]]></notes>
- <sha1>01b2502e29da1ebaade2357cd1de35a855fa3755</sha1>
- <cpe>cpe:/a:apache:zookeeper:3.4.6</cpe>
- </suppress>
- <suppress>
- <notes><![CDATA[
- file name: zookeeper-3.4.6.jar
- ]]></notes>
- <sha1>01b2502e29da1ebaade2357cd1de35a855fa3755</sha1>
- <cve>CVE-2014-0085</cve>
- </suppress>
-
-</suppressions>
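Review bot: this file is the only record of why each flagged dependency was judged a false positive (the sha1 plus CPE or CVE, with notes such as the jquery entry citing r1557462 / OFBIZ-5409 and the Zookeeper entry citing the oss-sec thread), and the commit message calls the change non-functional; if the Gradle plugin configuration does not reference a ported copy of these entries, the suppressions are silently lost, and if they are ported as-is, the `filePath` regexes such as `.*\\catalina\\lib\\.*\.jar` only match Windows backslash paths and will not fire on *nix builds or CI. Two entries are also broader than their justification: the `.*\\catalina\\lib\\.*\.jar` block suppresses four CVEs for every jar under that directory rather than the specific Tomcat jars, and the jquery suppression's reasoning `modern browsers protect from that` is not a fix for an XSS issue in the library itself. These caveats belong in the replacement configuration, not only in the deleted file. Minor: the `</suppress>` after the geronimo-jaxrpc entry is unindented.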