From f1a187126192e795e08cfd59cee9296ac125f05f Mon Sep 17 00:00:00 2001
From: Bob
Date: Tue, 9 Apr 2019 15:57:27 +0000
Subject: [PATCH] Enabled external database support in OWASP Dependency Check. Updated OWASP Dependency Check task to parse options for external CVE database. Added PostgreSQL plugin to docker image to allow use of external Postgres databases if glue is spun up in a CI pipeline.
---
 docker/glue/Dockerfile | 4 ++++
 lib/glue/options.rb | 19 +++++++++++++++++++
 lib/glue/tasks/owasp-dep-check.rb | 16 ++++++++++++++++
 3 files changed, 39 insertions(+)
diff --git a/docker/glue/Dockerfile b/docker/glue/Dockerfile
index 027393f..db6917b 100644
--- a/docker/glue/Dockerfile
+++ b/docker/glue/Dockerfile
@@ -71,6 +71,10 @@ WORKDIR /home/glue/tools/
 RUN curl -L http://dl.bintray.com/jeremy-long/owasp/dependency-check-1.4.3-release.zip --output owasp-dep-check.zip
 RUN unzip owasp-dep-check.zip
+# PostgreSQL JDBC Plugin (for external database)
+#
+RUN curl -L https://jdbc.postgresql.org/download/postgresql-42.2.5.jar --output /home/glue/tools/dependency-check/plugins/postgresql.jar
+
 # Maven
 RUN sudo apt-get install -y maven
diff --git a/lib/glue/options.rb b/lib/glue/options.rb
index eae0338..fd9f605 100644
--- a/lib/glue/options.rb
+++ b/lib/glue/options.rb
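Review bot: The added `RUN curl -L https://jdbc.postgresql.org/download/postgresql-42.2.5.jar ...` step drops a JAR into dependency-check's plugins directory without any integrity check, and without `--fail` an HTTP error body would be saved as postgresql.jar while the build still succeeds. The scanner presumably loads whatever sits in that directory, so the artifact should be pinned by digest as well as by version: use `curl -fsSL` for the download and follow it with `&& echo "<EXPECTED_SHA256>  /home/glue/tools/dependency-check/plugins/postgresql.jar" | sha256sum -c -`. The digest placeholder should be filled from a trusted copy of the 42.2.5 release. A short comment naming where the digest came from would help whoever bumps the driver version later.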
@@ -258,6 +258,25 @@ def get_options args, destructive = false
 options[:owasp_dep_check_suppression] = path
 end
+ opts.on "--owasp-db-driver-name NAME", "The Java class name for the OWASP Dependency Check external database driver" do |driver_name|
+ Glue.debug "Setting OWASP DB Driver name to #{driver_name}"
+ options[:owasp_dep_check_db_driver_name] = driver_name
+ end
+
+ opts.on "--owasp-db-connection-string URL", "The connection string for the OWASP Dependency Check external database" do |db_conn_string|
+ Glue.debug "Setting OWASP DB connection string to #{db_conn_string}"
+ options[:owasp_dep_check_db_conn_string] = db_conn_string
+ end
+
+ opts.on "--owasp-db-user USER", "The user for the OWASP Dependency Check external database" do |db_user|
+ Glue.debug "Setting OWASP DB user to #{db_user}"
+ options[:owasp_dep_check_db_user] = db_user
+ end
+
+ opts.on "--owasp-db-password PASSWORD", "The password for the OWASP Dependency Check external database" do |db_password|
+ options[:owasp_dep_check_db_pass] = db_password
+ end
+
 opts.on "--sbt-path PATH", "The full path to sbt (optional)" do |path|
 options[:sbt_path] = path
 end
diff --git a/lib/glue/tasks/owasp-dep-check.rb b/lib/glue/tasks/owasp-dep-check.rb
index 5960b8e..68646eb 100644
--- a/lib/glue/tasks/owasp-dep-check.rb
+++ b/lib/glue/tasks/owasp-dep-check.rb
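Review bot: The `Glue.debug "Setting OWASP DB connection string to #{db_conn_string}"` line writes the full JDBC URL to the debug log, and JDBC URLs commonly carry credentials as query parameters. That undoes the care taken to keep `--owasp-db-password` out of the log for anyone who puts the password in the URL. Log only that the option was set, e.g. `Glue.debug "Setting OWASP DB connection string"`, or strip the query string before interpolating. A password given as `--owasp-db-password` also ends up in shell history and CI job definitions, so a fallback to an environment variable when the flag is absent would be worth adding, with a comment on the option saying which source wins. get_options starts and ends outside this hunk.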
@@ -128,6 +128,22 @@ def run
 run_args << [ "--suppression", "#{@tracker.options[:owasp_dep_check_suppression]}" ]
 end
+ if @tracker.options[:owasp_dep_check_db_driver_name]
+ run_args << [ "--dbDriverName", "#{@tracker.options[:owasp_dep_check_db_driver_name]}" ]
+ end
+
+ if @tracker.options[:owasp_dep_check_db_conn_string]
+ run_args << [ "--connectionString", "#{@tracker.options[:owasp_dep_check_db_conn_string]}" ]
+ end
+
+ if @tracker.options[:owasp_dep_check_db_user]
+ run_args << [ "--dbUser", "#{@tracker.options[:owasp_dep_check_db_user]}" ]
+ end
+
+ if @tracker.options[:owasp_dep_check_db_pass]
+ run_args << [ "--dbPassword", "#{@tracker.options[:owasp_dep_check_db_pass]}" ]
+ end
+
 run_args << [ "-out", "#{rootpath}", "-s", "#{rootpath}" ] unless @scala_project || @gradle_project || @maven_project
 initial_dir = Dir.pwd
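Review bot: Appending `"--dbPassword"` and the secret to `run_args` puts the database password in the child process's argument list, where it is readable from the process table for the whole scan and would be copied into any log line that prints the assembled command. The rest of `run` is outside this hunk, so whether `run_args` is logged or passed through a shell cannot be checked from here. If the bundled dependency-check release supports a properties file, handing the password over in one readable only by the glue user would keep it off the command line. Until then the branch deserves a comment such as `# --dbPassword is visible in the process list; use a least-privilege DB account`.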