Add missing arguments to CLI

RELEASE_NOTES.md

@@ -2,6 +2,15 @@
 
 Please see the [dependency-check google group](https://groups.google.com/forum/#!forum/dependency-check) for the release notes on versions not listed below.
 
+## Pending Release
+
+### Changes
+
+- Added missing command line arguments per #3028 and #3035.
+- Added warning to the CLI if passwords are used via the command line - a properties file should be used instead (see PR #3048).
+- See the full listing of 
+  [changes](https://github.com/jeremylong/DependencyCheck/milestone/19?closed=1).
+
 ## [Version 6.0.4](https://github.com/jeremylong/DependencyCheck/releases/tag/v6.0.4) (2020-12-31)
 
 ### Changes

cli/src/main/java/org/owasp/dependencycheck/App.java

@@ -430,7 +430,7 @@ protected void populateSettings(CliParser cli) throws InvalidSettingException {
         settings.setStringIfNotEmpty(Settings.KEYS.PROXY_USERNAME,
                 cli.getStringArgument(CliParser.ARGUMENT.PROXY_USERNAME));
         settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PASSWORD,
-                cli.getStringArgument(CliParser.ARGUMENT.PROXY_PASSWORD));
+                cli.getStringArgument(CliParser.ARGUMENT.PROXY_PASSWORD, Settings.KEYS.PROXY_PASSWORD));
         settings.setStringIfNotEmpty(Settings.KEYS.PROXY_NON_PROXY_HOSTS,
                 cli.getStringArgument(CliParser.ARGUMENT.NON_PROXY_HOSTS));
         settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT,
@@ -456,6 +456,8 @@ protected void populateSettings(CliParser cli) throws InvalidSettingException {
                 cli.hasOption(CliParser.ARGUMENT.RETIRE_JS_FORCEUPDATE));
         settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED,
                 !cli.hasDisableOption(CliParser.ARGUMENT.DISABLE_JAR, Settings.KEYS.ANALYZER_JAR_ENABLED));
+        settings.setBoolean(Settings.KEYS.ANALYZER_MSBUILD_PROJECT_ENABLED,
+                !cli.hasDisableOption(CliParser.ARGUMENT.DISABLE_MSBUILD, Settings.KEYS.ANALYZER_MSBUILD_PROJECT_ENABLED));
         settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED,
                 !cli.hasDisableOption(CliParser.ARGUMENT.DISABLE_ARCHIVE, Settings.KEYS.ANALYZER_ARCHIVE_ENABLED));
         settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED,
@@ -519,7 +521,7 @@ protected void populateSettings(CliParser cli) throws InvalidSettingException {
         settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_USER,
                 cli.getStringArgument(CliParser.ARGUMENT.OSSINDEX_USERNAME));
         settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_PASSWORD,
-                cli.getStringArgument(CliParser.ARGUMENT.OSSINDEX_PASSWORD));
+                cli.getStringArgument(CliParser.ARGUMENT.OSSINDEX_PASSWORD, Settings.KEYS.ANALYZER_OSSINDEX_PASSWORD));
         settings.setFloat(Settings.KEYS.JUNIT_FAIL_ON_CVSS,
                 cli.getFloatArgument(CliParser.ARGUMENT.FAIL_JUNIT_ON_CVSS, 0));
         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_ENABLED,
@@ -547,7 +549,7 @@ protected void populateSettings(CliParser cli) throws InvalidSettingException {
         settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_USER,
                 cli.getStringArgument(CliParser.ARGUMENT.NEXUS_USERNAME));
         settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_PASSWORD,
-                cli.getStringArgument(CliParser.ARGUMENT.NEXUS_PASSWORD));
+                cli.getStringArgument(CliParser.ARGUMENT.NEXUS_PASSWORD, Settings.KEYS.ANALYZER_NEXUS_PASSWORD));
         //TODO deprecate this in favor of non-proxy host
         final boolean nexusUsesProxy = cli.isNexusUsesProxy();
         settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
@@ -560,7 +562,7 @@ protected void populateSettings(CliParser cli) throws InvalidSettingException {
         settings.setStringIfNotEmpty(Settings.KEYS.DB_USER,
                 cli.getStringArgument(CliParser.ARGUMENT.DB_NAME));
         settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD,
-                cli.getStringArgument(CliParser.ARGUMENT.DB_PASSWORD));
+                cli.getStringArgument(CliParser.ARGUMENT.DB_PASSWORD, Settings.KEYS.DB_PASSWORD));
         settings.setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS,
                 cli.getStringArgument(CliParser.ARGUMENT.ADDITIONAL_ZIP_EXTENSIONS));
         settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_DOTNET_PATH,
@@ -569,6 +571,10 @@ protected void populateSettings(CliParser cli) throws InvalidSettingException {
                 cli.getStringArgument(CliParser.ARGUMENT.CVE_BASE_URL));
         settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_JSON,
                 cli.getStringArgument(CliParser.ARGUMENT.CVE_MODIFIED_URL));
+        settings.setStringIfNotEmpty(Settings.KEYS.CVE_USER,
+                cli.getStringArgument(CliParser.ARGUMENT.CVE_USER));
+        settings.setStringIfNotEmpty(Settings.KEYS.CVE_PASSWORD,
+                cli.getStringArgument(CliParser.ARGUMENT.CVE_PASSWORD, Settings.KEYS.CVE_PASSWORD));
     }
 
     /**

cli/src/main/java/org/owasp/dependencycheck/CliParser.java

@@ -307,6 +307,10 @@ private void addAdvancedOptions(final Options options) {
                         "Base URL for each year’s CVE files (json.gz), the %d will be replaced with the year."))
                 .addOption(newOptionWithArg(ARGUMENT.CVE_MODIFIED_URL, "url",
                         "URL for the modified CVE (json.gz)."))
+                .addOption(newOptionWithArg(ARGUMENT.CVE_USER, "user",
+                        "Credentials for basic authentication to the CVE data."))
+                .addOption(newOptionWithArg(ARGUMENT.CVE_PASSWORD, "password",
+                        "Credentials for basic authentication to the CVE data."))
                 .addOption(newOptionWithArg(ARGUMENT.PROXY_PORT, "port",
                         "The proxy port to use when downloading resources."))
                 .addOption(newOptionWithArg(ARGUMENT.PROXY_SERVER, "server",
@@ -391,6 +395,7 @@ private void addAdvancedOptions(final Options options) {
                 .addOption(newOptionWithArg(ARGUMENT.PATH_TO_CORE, "path", "The path to dotnet core."))
                 .addOption(newOptionWithArg(ARGUMENT.HINTS_FILE, "file", "The file path to the hints XML file."))
                 .addOption(newOption(ARGUMENT.RETIRED, "Enables the retired analyzers."))
+                .addOption(newOption(ARGUMENT.DISABLE_MSBUILD, "Disable the MS Build Analyzer."))
                 .addOption(newOption(ARGUMENT.DISABLE_JAR, "Disable the Jar Analyzer."))
                 .addOption(newOption(ARGUMENT.DISABLE_ARCHIVE, "Disable the Archive Analyzer."))
                 .addOption(newOption(ARGUMENT.DISABLE_ASSEMBLY, "Disable the .NET Assembly Analyzer."))
@@ -572,7 +577,24 @@ public Boolean getBooleanArgument(String argument) {
      * @return the value of the argument
      */
     public String getStringArgument(String option) {
+        return getStringArgument(option, null);
+    }
+
+    /**
+     * Returns the argument value for the given option.
+     *
+     * @param option the option
+     * @param key the dependency-check settings key for the option.
+     * @return the value of the argument
+     */
+    public String getStringArgument(String option, String key) {
         if (line != null && line.hasOption(option)) {
+            if (key != null && (option.toLowerCase().endsWith("password")
+                    || option.toLowerCase().endsWith("pass"))) {
+                LOGGER.warn("{} used on the command line, consider moving the password "
+                        + "to a properties file using the key `{}` and using the "
+                        + "--propertyfile argument instead", option, key);
+            }
             return line.getOptionValue(option);
         }
         return null;
@@ -1040,10 +1062,22 @@ public static class ARGUMENT {
          * checking for new updates from the NVD.
          */
         public static final String CVE_VALID_FOR_HOURS = "cveValidForHours";
+        /**
+         * The username for basic auth to the CVE data.
+         */
+        public static final String CVE_USER = "cveUser";
+        /**
+         * The password for basic auth to the CVE data.
+         */
+        public static final String CVE_PASSWORD = "cvePassword";
         /**
          * Disables the Jar Analyzer.
          */
         public static final String DISABLE_JAR = "disableJar";
+        /**
+         * Disable the MS Build Analyzer.
+         */
+        public static final String DISABLE_MSBUILD = "disableMSBuild";
         /**
          * Disables the Archive Analyzer.
          */

cli/src/main/resources/completion-for-dependency-check.sh

@@ -27,6 +27,8 @@ _odc_completions()
             --cveUrlBase
             --cveUrlModified
             --cveValidForHours
+            --cveUser <user>
+            --cvePassword <password>
         -d --data
             --dbDriverName
             --dbDriverPath
@@ -45,6 +47,7 @@ _odc_completions()
             --disableGolangMod
             --disableJar
             --disableMixAudit
+            --disableMSBuild
             --disableNodeAudit
             --disableNodeAuditCache
             --disableNodeJS