dependencycheck.properties
# dependencycheck.properties - built-in defaults for the dependency-check core engine.
# Front ends (CLI, Maven, Ant, Gradle) and user settings override these values; see
# the notes on data.version below for the sibling files that must stay in sync.
# ${pom.name}/${pom.version} are presumably substituted at build time - confirm
# against the build's resource filtering.
odc.application.name=${pom.name}
odc.application.version=${pom.version}
# refresh the local vulnerability data before analysis
odc.autoupdate=true
# the url to obtain the current engine version from
engine.version.url=https://jeremylong.github.io/DependencyCheck/current.txt
#temp.directory defaults to System.getProperty("java.io.tmpdir")
#temp.directory=[path to temp directory]
# the path to the data directory; the [JAR] signifies to use the relative path
# to the dependency-check-core JAR file. This path is only used to construct
# the connection string for the H2 driver (or other drivers that require a file path
# to be supplied). If you are using another database (MySQL, Oracle, etc.) this property
# will not be used. The data.directory will be resolved and if the connection string
# below contains a %s then the data.directory will replace the %s.
data.directory=[JAR]/data/9.0
#if the filename has a %s it will be replaced with the current expected version
data.file_name=odc.mv.db
### if you increment the DB version then you must increment the database file path
### in the mojo.properties, task.properties (maven and ant respectively), and
### the gradle PurgeDataExtension.
data.version=5.5
#The analysis timeout in minutes
odc.analysis.timeout=180
# define which settings are masked when logged: a comma-separated list of patterns
# matched against setting names (the .* syntax suggests regular expressions - confirm
# against the settings loader). Any new setting that carries a credential should be
# named so that one of these patterns matches it, otherwise its value may be logged.
odc.settings.mask=.*password.*,.*token.*,.*api.key.*
# H2 connection string; the %s is replaced with the resolved data.directory (see above)
data.connection_string=jdbc:h2:file:%s;AUTOCOMMIT=ON;CACHE_SIZE=65536;RETENTION_TIME=1000;MAX_COMPACT_TIME=10000;
#data.connection_string=jdbc:mysql://localhost:3306/dependencycheck
# user name and password for the database connection. The inherent case is to use H2.
# As such, this insecure username/password exist. They only guard the local
# file-backed H2 store; when data.connection_string points at a shared database
# server, override both values rather than reusing these defaults. data.password
# matches the .*password.* mask above, so it is not printed when settings are logged.
data.user=dcuser
data.password=DC-Pass1337!
# The following are only used if the DB Driver is not JDBC4 compliant and/or the driver
# is not in the current classpath. Setting these properties will add the given path(s) to
# the class loader and then register the driver with the DriverManager. If the class is
# not in the path you must specify both the driver name (aka the fully qualified driver name)
# and the driver path. The driver path can be a semi-colon separated list of files/directories
# to ensure any and all needed files can be added to the classpath to load the driver.
# For non-JDBC4 drivers in the classpath only the driver_name needs to be set.
# For MOST situations these properties likely do not need to be set.
# Anything on data.driver_path is loaded into the scanner's class loader and runs with
# its privileges, so it should only point at trusted, write-protected locations.
data.driver_name=org.h2.Driver
#data.driver_path=
# the class name of the write lock shutdown hook
data.writelock.shutdownhook=org.owasp.dependencycheck.utils.WriteLockCleanupHook
# NOTE(review): the meaning of proxy.disableSchemas is not documented here - confirm
# against the HTTP client / proxy setup before changing it.
proxy.disableSchemas=true
# NVD API client: how long a cached API check stays valid (hours), how old a data
# feed snapshot may be (days), and the retry count for failed requests
nvd.api.check.validforhours=4
nvd.api.datafeed.validfordays=7
nvd.api.max.retry.count=10
# delay between NVD API requests; unit is not documented here (0 = no delay)
nvd.api.delay=0
# optional mirror of the NVD data feed for restricted/air-gapped environments; if the
# mirror requires credentials, set the user/password pair (the password setting is
# covered by odc.settings.mask)
#nvd.api.datafeed.url=https://example.com/nvd-cache/
#nvd.api.datafeed.user=
#nvd.api.datafeed.password=
# prefix filter applied to CPE identifiers; cpe:2.3:a: presumably restricts the data
# to the "application" part of CPE 2.3 names - confirm against the CVE loader
cve.cpe.startswith.filter=cpe:2.3:a:
max.download.threads=1
#Known Exploited Vulnerabilities
kev.url=https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
kev.check.validforhours=24
# official CPE dictionary and how many days a downloaded copy stays valid
cpe.validfordays=30
cpe.url=https://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
# the URL for searching Nexus for SHA-1 hashes
analyzer.nexus.url=https://repository.sonatype.org/service/local/
# the URL for searching search.maven.org for SHA-1
analyzer.central.url=https://search.maven.org/solrsearch/select
# Note - the central query is used in a String.format(query, url, sha1).
# As such, it must have two %s and any other % must be escaped by doubling it
analyzer.central.query=%s?q=1:%s&wt=xml
analyzer.central.retry.count=7
analyzer.central.parallel.analysis=false
analyzer.central.use.cache=true
central.content.url=https://search.maven.org/remotecontent?filepath=
# Sonatype OSS Index lookup. Like the central and node-audit analyzers this contacts
# an external service during a scan; disable it or point it at an internal mirror
# where outbound traffic is restricted.
analyzer.ossindex.enabled=true
analyzer.ossindex.url=https://ossindex.sonatype.org
analyzer.ossindex.use.cache=true
# the URL for searching NPM Audit API
analyzer.node.audit.url=https://registry.npmjs.org/-/npm/v1/security/audits
analyzer.node.audit.use.cache=true
# the number of nested archives that will be searched.
archive.scan.depth=3
# use HEAD (default) or GET as HTTP request method for query timestamp
downloader.quick.query.timestamp=true
# TLS protocol versions the downloader presumably offers when fetching feeds and
# query results. TLSv1.1 is deprecated (RFC 8996); deployments whose endpoints all
# support TLSv1.2+ may want to override this with TLSv1.2,TLSv1.3.
downloader.tls.protocols=TLSv1.1,TLSv1.2,TLSv1.3
junit.fail.on.cvss=0
# defines if the experimental and retired analyzers can be enabled
analyzer.experimental.enabled=false
analyzer.retired.enabled=false
# per-analyzer enable flags (true/false); most file-type analyzers default to on
analyzer.jar.enabled=true
analyzer.knownexploited.enabled=true
analyzer.archive.enabled=true
analyzer.cpanfile.enabled=true
analyzer.node.package.enabled=true
analyzer.node.audit.enabled=true
analyzer.yarn.audit.enabled=true
analyzer.pnpm.audit.enabled=true
analyzer.golang.dep.enabled=true
# retire.js: JavaScript library vulnerability data fetched from the retire.js repository
analyzer.retirejs.enabled=true
analyzer.retirejs.repo.validforhours=24
analyzer.retirejs.repo.js.url=https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json
analyzer.retirejs.filternonvulnerable=false
analyzer.golang.mod.enabled=true
analyzer.mix.audit.enabled=true
analyzer.composer.lock.enabled=true
analyzer.python.distribution.enabled=true
analyzer.python.package.enabled=true
analyzer.ruby.gemspec.enabled=true
analyzer.bundle.audit.enabled=true
analyzer.autoconf.enabled=true
analyzer.maveninstall.enabled=true
analyzer.pip.enabled=true
analyzer.pipfile.enabled=true
analyzer.poetry.enabled=true
analyzer.cmake.enabled=true
analyzer.assembly.enabled=true
analyzer.nuspec.enabled=true
analyzer.nugetconf.enabled=true
analyzer.msbuildproject.enabled=true
analyzer.openssl.enabled=true
analyzer.central.enabled=true
# nexus lookup is off by default; enabling it adds another remote query per artifact
analyzer.nexus.enabled=false
analyzer.cocoapods.enabled=true
analyzer.carthage.enabled=true
analyzer.swift.package.manager.enabled=true
analyzer.swift.package.resolved.enabled=true
#whether the nexus analyzer uses the proxy
analyzer.nexus.proxy=true
analyzer.cpe.enabled=true
analyzer.npm.cpe.enabled=true
# post-processing analyzers: suppression, bundling/merging of duplicates, false-positive
# pruning, hints and the NVD CVE lookup itself. Disabling the suppression analyzers
# re-surfaces findings that suppression files would otherwise hide.
analyzer.cpesuppression.enabled=true
analyzer.dependencybundling.enabled=true
analyzer.dependencymerging.enabled=true
analyzer.falsepositive.enabled=true
analyzer.filename.enabled=true
analyzer.pe.enabled=true
analyzer.hint.enabled=true
analyzer.nvdcve.enabled=true
analyzer.vulnerabilitysuppression.enabled=true
analyzer.dart.enabled=true
updater.nvdcve.enabled=true
updater.versioncheck.enabled=true
analyzer.versionfilter.enabled=true
# ecosystem(s) for which the generic CPE analyzer is skipped; npm is presumably
# covered by analyzer.npm.cpe.enabled above instead - confirm against the analyzer
ecosystem.skip.cpeanalyzer=npm
database.batchinsert.enabled=true
database.batchinsert.maxsize=1000
analyzer.artifactory.enabled=false
analyzer.libman.enabled=true
odc.reports.pretty.print=false
# published suppression rules downloaded from the project site. Rules from this URL
# hide findings, so restricted environments should mirror it internally or disable it
# and rely on local suppression files.
hosted.suppressions.enabled=true
hosted.suppressions.url=https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
hosted.suppressions.validforhours=2
## The following controls the max query limit used in the CPE searches for each ecosystem
odc.ecosystem.maxquerylimit.native=1000
odc.ecosystem.maxquerylimit.default=100