owasp-pipeline 0.8.5 → 0.8.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: bf5efee842fff5ee62a05d074fe47d057bc0dd1d
-  data.tar.gz: 417d5379d1b73b82a0a20561d5d78d50e907c020
+  metadata.gz: e0a8269dc146b2c043c1f82f86a181b69e1bf35e
+  data.tar.gz: e1f15cfe853e2d53b8e894033a9b665f4813ff26
 SHA512:
-  metadata.gz: 5c44a4dc6c22acacac6b6d3a4b6197da7427ed3373341b28f2c4b1d01064b9d7d3357ae59c9a4020bf7fc2bb462d913db3f353038bbed328d556f427c7d68c12
-  data.tar.gz: 4a8f15ac36f2533638c0d8fc2d695168bc6bfa3bac7e3d41429b712d6e2b2618cd8b7c068f5b9d5140eaaaab9b9694e3e7100aad1a522e5fb75eefb3780a1206
+  metadata.gz: c6ff7447583d96ca3b88da5d54f0c85663879017c3e6d4cc4119e5d1969bfd36e356ab5db1e5aaea5bda4df181a95f39f826acac174d72bd53226058b609c741
+  data.tar.gz: 7d811611176d44b8f9d7c3a7955c049430142907f1fb453771724c102617a6a2b49bb9589e6d40e5ba2b880abe08dca874f0039aaadb7ed169fd5e0032ea21a8

data/lib/pipeline/filters/zap_consdensing_filter.rb

@@ -0,0 +1,76 @@
+require 'pipeline/filters/base_filter'
+
+class Pipeline::ZAPCondensingFilter < Pipeline::BaseFilter
+  
+  Pipeline::Filters.add self
+  
+  def initialize
+    @name = "ZAP Condensing Filter"
+    @description = "Consolidate N ZAP warnings to one per issue type."
+  end
+
+  def filter tracker
+    Pipeline.debug "Have #{tracker.findings.count} items pre ZAP filter."
+    tracker.findings.each do |finding|
+      if zap? finding
+        if xframe? finding
+          record tracker,finding
+        elsif xcontenttypeoptions? finding
+          record tracker, finding
+        elsif dirbrowsing? finding
+          record tracker, finding
+        elsif xxssprotection? finding
+          record tracker, finding
+        end
+      end
+    end
+    Pipeline.debug "Have #{tracker.findings.count} items post ZAP filter."
+  end
+
+  def zap? finding
+    if finding.source =~ /\AZAP/
+      return true
+    end
+    return false
+  end
+
+  def xframe? finding
+    if finding.description == "X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks."
+      return true
+    end
+    return false
+  end
+
+  def xcontenttypeoptions? finding
+    if finding.description == "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing."
+      return true
+    end
+    return false
+  end
+
+  def dirbrowsing? finding
+    if finding.description == "It is possible to view the directory listing.  Directory listing may reveal hidden scripts, include files , backup source files etc which be accessed to read sensitive information."
+      return true
+    end
+    return false
+  end
+
+  def xxssprotection? finding
+    if finding.description == "Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server"
+      return true
+    end
+    return false
+  end
+
+  # Is it always true that the findings will be on the same site?
+  # For now, we can assume that.
+  # Note that this may not be an efficient way to to do this, but it seems to work as a first pass.
+  def record tracker, finding
+    tracker.findings.delete_if do |to_delete|
+      to_delete.description == finding.description
+    end
+    finding.detail << "\n\t** Consolidated ** - Potentially identified in > 1 spot."  # Make sure to note that there were 
+    tracker.findings.push finding 
+  end
+
+end

data/lib/pipeline/options.rb

@@ -99,6 +99,13 @@ module Pipeline::Options
           options[:npm_registry] = url
         end
 
+        opts.on "--exclude path1,path2,path3,etc", Array, "A list of paths to ignore when running recursive tasks (npm, retirejs, snyk, etc)" do |paths|
+          paths.each do |path|
+            options[:exclude_dirs] ||= Set.new
+            options[:exclude_dirs] << path
+          end
+        end
+
         opts.separator ""
         opts.separator "Output options:"
 

data/lib/pipeline/tasks/base_task.rb

@@ -43,6 +43,22 @@ class Pipeline::BaseTask
     @stage
   end
 
+  def directories_with? file, exclude_dirs = []
+    exclude_dirs = @tracker.options[:exclude_dirs] if exclude_dirs == [] and @tracker.options[:exclude_dirs]
+    results = []
+
+    Find.find(@trigger.path) do |path|
+      if FileTest.directory? path
+        Find.prune if exclude_dirs.include? File.basename(path) or exclude_dirs.include? File.basename(path) + '/'
+        next
+      end
+
+      Find.prune unless File.basename(path) == file
+
+      results << File.dirname(path)
+    end
+    return results
+  end
 
   def run
   end

data/lib/pipeline/tasks/brakeman.rb

@@ -17,7 +17,6 @@ class Pipeline::Brakeman < Pipeline::BaseTask
   end
 
   def run
-    # Pipeline.notify "#{@name}"
     rootpath = @trigger.path
     @result=runsystem(true, "brakeman", "-A", "-q", "-f", "json", "#{rootpath}")
   end
@@ -57,4 +56,3 @@ class Pipeline::Brakeman < Pipeline::BaseTask
   end
 
 end
-

data/lib/pipeline/tasks/bundle-audit.rb

@@ -13,14 +13,15 @@ class Pipeline::BundleAudit < Pipeline::BaseTask
     @description = "Dependency Checker analysis for Ruby"
     @stage = :code
     @labels << "code" << "ruby"
+    @results = {}
   end
 
   def run
-    # Pipeline.notify "#{@name}"
-    rootpath = @trigger.path
-    Pipeline.debug "Rootpath: #{rootpath}"
-    Dir.chdir("#{rootpath}") do
-      @result= runsystem(true, "bundle-audit", "check")
+    directories_with?('Gemfile.lock').each do |dir|
+      Pipeline.notify "#{@name} scanning: #{dir}"
+      Dir.chdir(dir) do
+        @results[dir] = runsystem(true, "bundle-audit", "check")
+      end
     end
   end
 
@@ -46,43 +47,45 @@ class Pipeline::BundleAudit < Pipeline::BaseTask
 
   private
   def get_warnings
-    detail, jem, source, sev, hash = '','',{},'',''
-    @result.each_line do | line |
+    @results.each do |dir, result|
+      detail, jem, source, sev, hash = '','',{},'',''
+      result.each_line do | line |
 
-      if /\S/ !~ line
-        # Signal section is over.  Reset variables and report.
-        if detail != ''
-          report "Gem #{jem} has known security issues.", detail, source, sev, fingerprint(hash)
-        end
+        if /\S/ !~ line
+          # Signal section is over.  Reset variables and report.
+          if detail != ''
+            report "Gem #{jem} has known security issues.", detail, source, sev, fingerprint(hash)
+          end
 
-        detail, jem, source, sev, hash = '','', {},'',''
-      end
+          detail, jem, source, sev, hash = '','', {},'',''
+        end
 
-      name, value = line.chomp.split(':')
-      case name
-      when 'Name'
-        jem << value
-        hash << value
-      when 'Version'
-        jem << value
-        hash << value
-      when 'Advisory'
-        source = { :scanner => @name, :file => 'Gemfile.lock', :line => nil, :code => nil }
-        hash << value
-      when 'Criticality'
-        sev = severity(value)
-        hash << sev
-      when 'URL'
-        detail += line.chomp.split('URL:').last
-      when 'Title'
-        detail += ",#{value}"
-      when 'Solution'
-        detail += ": #{value}"
-      when 'Insecure Source URI found'
-        report "Insecure GEM Source", "#{line.chomp} - use git or https", {:scanner => @name, :file => 'Gemfile.lock', :line => nil, :code =>  nil}, severity('high'), fingerprint("bundlerauditgemsource#{line.chomp}")
-      else
-        if line =~ /\S/ and line !~ /Unpatched versions found/
-          Pipeline.debug "Not sure how to handle line: #{line}"
+        name, value = line.chomp.split(':')
+        case name
+        when 'Name'
+          jem << value
+          hash << value
+        when 'Version'
+          jem << value
+          hash << value
+        when 'Advisory'
+          source = { :scanner => @name, :file => "#{relative_path(dir, @trigger.path)}/Gemfile.lock", :line => nil, :code => nil }
+          hash << value
+        when 'Criticality'
+          sev = severity(value)
+          hash << sev
+        when 'URL'
+          detail += line.chomp.split('URL:').last
+        when 'Title'
+          detail += ",#{value}"
+        when 'Solution'
+          detail += ": #{value}"
+        when 'Insecure Source URI found'
+          report "Insecure GEM Source", "#{line.chomp} - use git or https", {:scanner => @name, :file => 'Gemfile.lock', :line => nil, :code =>  nil}, severity('high'), fingerprint("bundlerauditgemsource#{line.chomp}")
+        else
+          if line =~ /\S/ and line !~ /Unpatched versions found/
+            Pipeline.debug "Not sure how to handle line: #{line}"
+          end
         end
       end
     end
@@ -90,4 +93,3 @@ class Pipeline::BundleAudit < Pipeline::BaseTask
 
 
 end
-

data/lib/pipeline/tasks/checkmarx.rb

@@ -16,7 +16,6 @@ class Pipeline::Checkmarx < Pipeline::BaseTask
   end
 
   def run
-    Pipeline.notify "#{@name}"
     rootpath = @trigger.path
     runsystem(true, "runCxConsole.sh", "scan", "-v",
       "-CxUser", "#{@tracker.options[:checkmarx_user]}",

data/lib/pipeline/tasks/dawnscanner.rb

@@ -16,7 +16,6 @@ class Pipeline::DawnScanner < Pipeline::BaseTask
   end
 
   def run
-    Pipeline.notify "#{@name}"
     Dir.chdir("#{@trigger.path}") do
       @results_file = Tempfile.new(['dawnresults', 'xml'])
       runsystem(true, "dawn", "-F", "#{@results_file.path}", "-j", ".")

data/lib/pipeline/tasks/eslint.rb

@@ -16,7 +16,6 @@ class Pipeline::ESLint < Pipeline::BaseTask
   end
 
   def run
-    Pipeline.notify "#{@name}"
     rootpath = @trigger.path
     currentpath = File.expand_path File.dirname(__FILE__)
     Pipeline.debug "ESLint Config Path: #{currentpath}"
@@ -68,4 +67,3 @@ class Pipeline::ESLint < Pipeline::BaseTask
   end
 
 end
-

data/lib/pipeline/tasks/fim.rb

@@ -17,7 +17,6 @@ class Pipeline::FIM < Pipeline::BaseTask
   end
 
   def run
-    Pipeline.notify "#{@name}"
     rootpath = @trigger.path
     if File.exists?("/area81/tmp/#{rootpath}/filehash")
       Pipeline.notify "File Hashes found, comparing to file system"

data/lib/pipeline/tasks/findsecbugs.rb

@@ -20,14 +20,23 @@ class Pipeline::FindSecurityBugs < Pipeline::BaseTask
   end
 
   def run
-    Pipeline.notify "#{@name}"
     @results_file = Tempfile.new(['findsecbugs','xml'])
 
-    Dir.chdir("#{@trigger.path}") do
-      runsystem(true, "mvn", "compile", "-fn")
+    unless File.exist?("#{@trigger.path}/.git/config")
+      Dir.chdir(@trigger.path) do
+        system("git", "init")
+        system("git", "add", "*")
+        system("git", "commit", "-am", "fake commit for mvn compile")
+      end
+    end
+
+    directories_with?('pom.xml').each do |dir|
+      Dir.chdir(dir) do
+        runsystem(true, "mvn", "compile", "-fn")
+      end
     end
 
-    Dir.chdir("#{@tracker.options[:findsecbugs_path]}") do
+    Dir.chdir(@tracker.options[:findsecbugs_path]) do
       runsystem(true, "/bin/sh", "#{@tracker.options[:findsecbugs_path]}/findsecbugs.sh", "-effort:max", "-quiet", "-xml:withMessages", "-output", "#{@results_file.path}", "#{@trigger.path}")
       @results = Nokogiri::XML(File.read(@results_file)).xpath '//BugInstance'
     end

data/lib/pipeline/tasks/npm.rb

@@ -0,0 +1,58 @@
+require 'pipeline/tasks/base_task'
+require 'pipeline/util'
+require 'find'
+require 'pry'
+
+class Pipeline::Npm < Pipeline::BaseTask
+
+  Pipeline::Tasks.add self
+  include Pipeline::Util
+
+  def initialize(trigger, tracker)
+    super(trigger, tracker)
+    @name = "NPM"
+    @description = "Node Package Manager"
+    @stage = :file
+    @labels << "file" << "javascript"
+    @results = []
+  end
+
+  def run
+    exclude_dirs = ['node_modules','bower_components']
+    exclude_dirs = exclude_dirs.concat(@tracker.options[:exclude_dirs]).uniq if @tracker.options[:exclude_dirs]
+    directories_with?('package.json', exclude_dirs).each do |dir|
+      Pipeline.notify "#{@name} scanning: #{dir}"
+      Dir.chdir(dir) do
+        if @tracker.options.has_key?(:npm_registry)
+          registry = "--registry #{@tracker.options[:npm_registry]}"
+        else
+          registry = nil
+        end
+        @command = "npm install --ignore-scripts #{registry}"
+        @results << system(@command)
+      end
+    end
+  end
+
+  def analyze
+    begin
+      if @results.include? false
+        Pipeline.warn 'Error installing javascript dependencies with #{@command}'
+      end
+    rescue Exception => e
+      Pipeline.warn e.message
+      Pipeline.warn e.backtrace
+    end
+  end
+
+  def supported?
+    supported = find_executable0('npm')
+    unless supported
+      Pipeline.notify "Install npm: https://nodejs.org/en/download/"
+      return false
+    else
+      return true
+    end
+  end
+
+end

data/lib/pipeline/tasks/nsp.rb

@@ -12,31 +12,37 @@ class Pipeline::NodeSecurityProject < Pipeline::BaseTask
     @description = "Node Security Project"
     @stage = :code
     @labels << "code"
+    @results = []
   end
 
   def run
-    Pipeline.notify "#{@name}"
-    rootpath = @trigger.path
-    Dir.chdir("#{rootpath}") do
-      @results = JSON.parse `nsp check --output json 2>&1`
+    exclude_dirs = ['node_modules','bower_components']
+    exclude_dirs = exclude_dirs.concat(@tracker.options[:exclude_dirs]).uniq if @tracker.options[:exclude_dirs]
+    directories_with?('package.json', exclude_dirs).each do |dir|
+      Pipeline.notify "#{@name} scanning: #{dir}"
+      Dir.chdir(dir) do
+        @results << JSON.parse(`nsp check --output json 2>&1`)
+      end
     end
   end
 
   def analyze
     begin
-      # This block iterates through each package name found and selects the unique nsp advisories
-      # regardless of version, and builds a pipeline finding hash for each unique package/advisory combo.
-      @results.uniq {|finding| finding['module']}.each do |package|
-        @results.select {|f| f['module'] == package['module']}.uniq {|m| m['advisory']}.each do |unique_finding|
-          description = "#{unique_finding['module']} - #{unique_finding['title']}"
-          detail = "Upgrade to versions: #{unique_finding['patched_versions']}\n#{unique_finding['advisory']}"
-          source = {
-            :scanner => 'NodeSecurityProject',
-            :file => "#{unique_finding['module']} - #{unique_finding['vulnerable_versions']}",
-            :line => nil,
-            :code => nil
-          }
-          report description, detail, source, 'medium', fingerprint("#{description}#{detail}#{source}")
+      @results.each do |dir_result|
+        # This block iterates through each package name found and selects the unique nsp advisories
+        # regardless of version, and builds a pipeline finding hash for each unique package/advisory combo.
+        dir_result.uniq {|finding| finding['module']}.each do |package|
+          dir_result.select {|f| f['module'] == package['module']}.uniq {|m| m['advisory']}.each do |unique_finding|
+            description = "#{unique_finding['module']} - #{unique_finding['title']}"
+            detail = "Upgrade to versions: #{unique_finding['patched_versions']}\n#{unique_finding['advisory']}"
+            source = {
+              :scanner => 'NodeSecurityProject',
+              :file => "#{unique_finding['module']} - #{unique_finding['vulnerable_versions']}",
+              :line => nil,
+              :code => nil
+            }
+            report description, detail, source, 'medium', fingerprint("#{description}#{detail}#{source}")
+          end
         end
       end
     rescue Exception => e
@@ -56,4 +62,3 @@ class Pipeline::NodeSecurityProject < Pipeline::BaseTask
   end
 
 end
-

data/lib/pipeline/tasks/pmd.rb

@@ -17,7 +17,6 @@ class Pipeline::PMD < Pipeline::BaseTask
   end
 
   def run
-    Pipeline.notify "#{@name}"
     @tracker.options[:pmd_checks] ||= "java-basic,java-sunsecure"
     Dir.chdir @tracker.options[:pmd_path] do
       @results = Nokogiri::XML(`bin/run.sh pmd -d #{@trigger.path} -f xml -R #{@tracker.options[:pmd_checks]}`).xpath('//file')

data/lib/pipeline/tasks/retirejs.rb

@@ -3,6 +3,7 @@ require 'json'
 require 'pipeline/util'
 require 'jsonpath'
 require 'pathname'
+require 'pry'
 
 class Pipeline::RetireJS < Pipeline::BaseTask
 
@@ -15,28 +16,26 @@ class Pipeline::RetireJS < Pipeline::BaseTask
     @description = "Dependency analysis for JavaScript"
     @stage = :code
     @labels << "code" << "javascript"
+    @results = []
   end
 
   def run
-    rootpath = @trigger.path
-    Pipeline.debug "Retire rootpath: #{rootpath}"
-    Dir.chdir("#{rootpath}") do
-      if @tracker.options.has_key?(:npm_registry)
-        registry = "--registry #{@tracker.options[:npm_registry]}"
-      else
-        registry = nil
-      end
-      @result = `npm install --ignore-scripts #{registry}`  # Need this even though it is slow to get full dependency analysis.
+    exclude_dirs = ['node_modules','bower_components']
+    exclude_dirs = exclude_dirs.concat(@tracker.options[:exclude_dirs]).uniq if @tracker.options[:exclude_dirs]
+    directories_with?('package.json', exclude_dirs).each do |dir|
+      Pipeline.notify "#{@name} scanning: #{dir}"
+      @results << `retire -c --outputformat json --path #{dir} 2>&1`
     end
-    @result = `retire -c --outputformat json --path #{rootpath} 2>&1`
   end
 
   def analyze
     begin
-      vulnerabilities = parse_retire_json(JSON.parse(@result))
+      @results.each do |result|
+        vulnerabilities = parse_retire_json(JSON.parse(result))
 
-      vulnerabilities.each do |vuln|
-        report "Package #{vuln[:package]} has known security issues", vuln[:detail], vuln[:source], vuln[:severity], fingerprint("#{vuln[:package]}#{vuln[:source]}#{vuln[:severity]}")
+        vulnerabilities.each do |vuln|
+          report "Package #{vuln[:package]} has known security issues", vuln[:detail], vuln[:source], vuln[:severity], fingerprint("#{vuln[:package]}#{vuln[:source]}#{vuln[:severity]}")
+        end
       end
     rescue Exception => e
       Pipeline.warn e.message
@@ -84,7 +83,7 @@ class Pipeline::RetireJS < Pipeline::BaseTask
     result.select { |r| !r['file'].nil? }.each do |file_result|
       JsonPath.on(file_result, '$..component').uniq.each do |comp|
         JsonPath.on(file_result, "$..results[?(@.component == \'#{comp}\')].version").uniq.each do |version|
-          source_path = Pathname.new(file_result['file']).relative_path_from Pathname.new(@trigger.path)
+          source_path = relative_path(file_result['file'], @trigger.path)
           vulnerabilities.select { |v| v[:package] == "#{comp}-#{version}" }.first[:source] = { :scanner => @name, :file => source_path.to_s, :line => nil, :code => nil }
         end
       end
@@ -103,4 +102,3 @@ class Pipeline::RetireJS < Pipeline::BaseTask
   end
 
 end
-

data/lib/pipeline/tasks/snyk.rb

@@ -0,0 +1,81 @@
+require 'pipeline/tasks/base_task'
+require 'pipeline/util'
+require 'redcarpet'
+
+class Pipeline::Snyk < Pipeline::BaseTask
+
+  Pipeline::Tasks.add self
+  include Pipeline::Util
+
+  def initialize(trigger, tracker)
+    super(trigger, tracker)
+    @name = "Snyk"
+    @description = "Snyk.io JS dependency checker"
+    @stage = :code
+    @labels << "code" << "javascript"
+    @results = []
+  end
+
+  def run
+    exclude_dirs = ['node_modules','bower_components']
+    exclude_dirs = exclude_dirs.concat(@tracker.options[:exclude_dirs]).uniq if @tracker.options[:exclude_dirs]
+    directories_with?('package.json', exclude_dirs).each do |dir|
+      Pipeline.notify "#{@name} scanning: #{dir}"
+      Dir.chdir(dir) do
+        @results << JSON.parse(runsystem(true, "snyk", "test", "--json"))["vulnerabilities"]
+      end
+    end
+  end
+
+  def analyze
+    begin
+      markdown = Redcarpet::Markdown.new Redcarpet::Render::HTML.new(link_attributes: {target: "_blank"}), autolink: true, tables: true
+
+      @results.each do |dir_result|
+        # We build a single finding for each uniq result ID, adding the unique info (upgrade path and files) as a list
+        dir_result.uniq {|r| r['id']}.each do |result|
+          description = "#{result['name']}@#{result['version']} - #{result['title']}"
+
+          # Use Redcarpet to render the Markdown details to something pretty for web display
+          detail = markdown.render(result['description']).gsub('h2>','strong>').gsub('h3>', 'strong>')
+          upgrade_paths = [ "Upgrade Path:\n" ]
+          files = []
+
+          # Pull the list of files and upgrade paths from all results matching this ID
+          # This uses the same form as the retirejs task so it all looks nice together
+          dir_result.select{|r| r['id'] == result['id']}.each do |res|
+            res['upgradePath'].each_with_index do |upgrade, i|
+              upgrade_paths << "#{res['from'][i]} -> #{upgrade}"
+            end
+            files << res['from'].join('->')
+          end
+
+          source = {
+            :scanner => @name,
+            :file => files.join('<br>'),
+            :line => nil,
+            :code => upgrade_paths.uniq.join("\n"),
+          }
+          sev = severity(result['severity'])
+          fprint = fingerprint("#{description}#{detail}#{source}#{sev}")
+
+          report description, detail, source, sev, fprint
+        end
+      end
+    rescue Exception => e
+      Pipeline.warn e.message
+      Pipeline.warn e.backtrace
+    end
+  end
+
+  def supported?
+    supported = find_executable0('snyk')
+    unless supported
+      Pipeline.notify "Install Snyk: 'npm install -g snyk'"
+      return false
+    else
+      return true
+    end
+  end
+
+end

data/lib/pipeline/tasks/zap.rb

@@ -24,7 +24,10 @@ class Pipeline::Zap < Pipeline::BaseTask
     context = SecureRandom.uuid
 
     Pipeline.debug "Running ZAP on: #{rootpath} from #{base} with #{context}"
-    
+
+    # Create a new session so that the findings will be new.
+    Curl.get("#{base}/JSON/core/action/newSession/?zapapiformat=JSON&apikey=#{apikey}&name=&overwrite=")
+
     # Set up Context
     Curl.get("#{base}/JSON/context/action/newContext/?&apikey=#{apikey}&contextName=#{context}")
     Curl.get("#{base}/JSON/context/action/includeInContext/?apikey=#{apikey}&contextName=#{context}&regex=#{rootpath}.*")
@@ -85,10 +88,10 @@ class Pipeline::Zap < Pipeline::BaseTask
   def supported?
     base = "#{@tracker.options[:zap_host]}:#{@tracker.options[:zap_port]}"
     supported=JSON.parse(Curl.get("#{base}/JSON/core/view/version/").body_str)
-    if supported["version"] == "2.4.3"
+    if supported["version"] =~ /2.(4|5).\d+/
       return true
     else
-      Pipeline.notify "Install ZAP from owasp.org and ensure that the configuration to connect is correct."
+      Pipeline.notify "Install ZAP from owasp.org and ensure that the configuration to connect is correct.  Supported versions = 2.4.0 and up - got #{supported['version']}"
       return false
     end
   end

data/lib/pipeline/tasks.rb

@@ -60,8 +60,8 @@ class Pipeline::Tasks
 
       #Run or don't run task based on options
       #Now case-insensitive specifiers:  nodesecurityproject = Pipeline::NodeSecurityProject
-      
-      if tracker.options[:skip_tasks] 
+
+      if tracker.options[:skip_tasks]
         skip_tasks = tracker.options[:skip_tasks].map {|task| task.downcase}
       end
       if (tracker.options[:run_tasks])
@@ -73,9 +73,9 @@ class Pipeline::Tasks
 
         task = c.new(trigger, tracker)
         begin
-          if task.supported? and task.stage == stage  
-            if task.labels.intersect? tracker.options[:labels] or          # Only run tasks with labels 
-                 ( run_tasks and run_tasks.include? task_name.downcase )   # or that are explicitly requested. 
+          if task.supported? and task.stage == stage
+            if task.labels.intersect? tracker.options[:labels] or          # Only run tasks with labels
+                 ( run_tasks and run_tasks.include? task_name.downcase )   # or that are explicitly requested.
               Pipeline.notify "#{stage} - #{task_name} - #{task.labels}"
               task.run
               task.analyze

data/lib/pipeline/version.rb

@@ -1,3 +1,3 @@
 module Pipeline
-  Version = "0.8.5"
+  Version = "0.8.6"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: owasp-pipeline
 version: !ruby/object:Gem::Version
-  version: 0.8.5
+  version: 0.8.6
 platform: ruby
 authors:
 - Matt Konda
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-03-07 00:00:00.000000000 Z
+date: 2016-04-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: terminal-table
@@ -166,6 +166,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.6.0
+- !ruby/object:Gem::Dependency
+  name: redcarpet
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: pry
   requirement: !ruby/object:Gem::Requirement
@@ -211,6 +225,7 @@ files:
 - lib/pipeline/filters/base_filter.rb
 - lib/pipeline/filters/jira_one_time_filter.rb
 - lib/pipeline/filters/remove_all_filter.rb
+- lib/pipeline/filters/zap_consdensing_filter.rb
 - lib/pipeline/finding.rb
 - lib/pipeline/mounters.rb
 - lib/pipeline/mounters/base_mounter.rb
@@ -237,6 +252,7 @@ files:
 - lib/pipeline/tasks/eslint.rb
 - lib/pipeline/tasks/fim.rb
 - lib/pipeline/tasks/findsecbugs.rb
+- lib/pipeline/tasks/npm.rb
 - lib/pipeline/tasks/nsp.rb
 - lib/pipeline/tasks/owasp-dep-check.rb
 - lib/pipeline/tasks/patterns.json
@@ -245,6 +261,7 @@ files:
 - lib/pipeline/tasks/scanjs-eslintrc
 - lib/pipeline/tasks/scanjs.rb
 - lib/pipeline/tasks/sfl.rb
+- lib/pipeline/tasks/snyk.rb
 - lib/pipeline/tasks/test.rb
 - lib/pipeline/tasks/zap.rb
 - lib/pipeline/tracker.rb