org.owasp.dependencycheck.maven.BaseDependencyCheckMojo Maven / Gradle / Ivy

Go to download

dependency-check-maven is a Maven Plugin that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the project's dependencies. The plugin will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.

/*
 * This file is part of dependency-check-maven.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 */
package org.owasp.dependencycheck.maven;

import com.github.packageurl.MalformedPackageURLException;
import com.github.packageurl.PackageURL.StandardTypes;
import org.apache.maven.artifact.Artifact;
import org.apache.maven.artifact.DefaultArtifact;
import org.apache.maven.artifact.handler.DefaultArtifactHandler;
import org.apache.maven.artifact.versioning.ArtifactVersion;
import org.apache.maven.doxia.sink.Sink;
import org.apache.maven.execution.MavenSession;
import org.apache.maven.model.License;
import org.apache.maven.plugin.AbstractMojo;
import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugin.MojoFailureException;
import org.apache.maven.plugins.annotations.Component;
import org.apache.maven.plugins.annotations.Parameter;
import org.apache.maven.project.DefaultProjectBuildingRequest;
import org.apache.maven.project.MavenProject;
import org.apache.maven.project.ProjectBuildingRequest;
import org.apache.maven.reporting.MavenReport;
import org.apache.maven.reporting.MavenReportException;
import org.apache.maven.settings.Proxy;
import org.apache.maven.settings.Server;
import org.apache.maven.shared.transfer.artifact.DefaultArtifactCoordinate;
import org.apache.maven.shared.transfer.artifact.resolve.ArtifactResolver;
import org.apache.maven.shared.transfer.artifact.resolve.ArtifactResolverException;
import org.apache.maven.shared.transfer.artifact.resolve.ArtifactResult;
import org.apache.maven.shared.transfer.dependencies.resolve.DependencyResolver;
import org.apache.maven.shared.transfer.dependencies.resolve.DependencyResolverException;
import org.eclipse.aether.artifact.ArtifactType;
import org.apache.maven.shared.artifact.filter.PatternExcludesArtifactFilter;
import org.apache.maven.shared.dependency.graph.DependencyGraphBuilder;
import org.apache.maven.shared.dependency.graph.DependencyGraphBuilderException;
import org.apache.maven.shared.dependency.graph.DependencyNode;
import org.apache.maven.shared.dependency.graph.filter.ArtifactDependencyNodeFilter;
import org.apache.maven.shared.dependency.graph.internal.DefaultDependencyNode;
import org.apache.maven.shared.model.fileset.FileSet;
import org.apache.maven.shared.model.fileset.util.FileSetManager;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.JarAnalyzer;
import org.owasp.dependencycheck.data.nexus.MavenArtifact;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.EvidenceType;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.exception.DependencyNotFoundException;
import org.owasp.dependencycheck.exception.ExceptionCollection;
import org.owasp.dependencycheck.exception.ReportException;
import org.owasp.dependencycheck.utils.Checksum;
import org.owasp.dependencycheck.utils.CveUrlParser;
import org.owasp.dependencycheck.utils.Filter;
import org.owasp.dependencycheck.utils.Settings;
import org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher;
import org.sonatype.plexus.components.sec.dispatcher.SecDispatcher;
import org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException;

import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Field;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;

import org.apache.maven.artifact.resolver.filter.ExcludesArtifactFilter;
import org.apache.maven.artifact.versioning.InvalidVersionSpecificationException;
import org.apache.maven.artifact.versioning.Restriction;
import org.apache.maven.artifact.versioning.VersionRange;
import org.apache.maven.shared.dependency.graph.traversal.CollectingDependencyNodeVisitor;

import org.owasp.dependencycheck.agent.DependencyCheckScanAgent;
import org.owasp.dependencycheck.dependency.naming.GenericIdentifier;
import org.owasp.dependencycheck.dependency.naming.Identifier;
import org.owasp.dependencycheck.dependency.naming.PurlIdentifier;
import org.apache.maven.shared.dependency.graph.traversal.DependencyNodeVisitor;
import org.apache.maven.shared.dependency.graph.traversal.FilteringDependencyNodeVisitor;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.reporting.ReportGenerator;
import org.owasp.dependencycheck.utils.SeverityUtil;
import org.owasp.dependencycheck.xml.pom.Model;
import org.owasp.dependencycheck.xml.pom.PomUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.spi.LocationAwareLogger;

//CSOFF: FileLength
/**
 * @author Jeremy Long
 */
public abstract class BaseDependencyCheckMojo extends AbstractMojo implements MavenReport {

    //
    /**
     * Name of the properties resource that carries the mojo's build-time
     * metadata (presumably loaded from the class path; confirm against the
     * loader that reads it).
     */
    private static final String PROPERTIES_FILE = "mojo.properties";
    /**
     * Platform line separator, falling back to "\n" when the
     * {@code line.separator} system property is unset. Interned so repeated
     * concatenations share one instance.
     */
    private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();
    /**
     * Ant-style include pattern that selects every file beneath a
     * {@link FileSet} base directory.
     */
    private static final String INCLUDE_ALL = "**/*";
    /**
     * Whether this execution is part of Maven site generation (the
     * {@link MavenReport} entry point) rather than a plain goal execution.
     */
    private boolean generatingSite = false;
    /**
     * The dependency-check {@link Settings} assembled from the mojo parameters;
     * {@code null} until they have been populated.
     */
    private Settings settings = null;
    /**
     * Files that have been handed to the engine for scanning. The type
     * argument is not visible in this rendering of the source (the raw
     * {@code List} is likely a {@code List<File>} whose generic was stripped);
     * verify against the upstream file before relying on the element type.
     */
    private final List scannedFiles = new ArrayList<>();
    //
    // 
    /**
     * Sets whether or not the mojo should fail if an error occurs.
     *
     * NOTE(review): keep this {@code true} in CI gates. When it is
     * {@code false}, an error during the scan (for example a failed data
     * update) is presumably downgraded to a log message and the build
     * proceeds, so a scan that effectively did nothing can still be reported
     * green; confirm the exact handling in the execute path.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "failOnError", defaultValue = "true", required = true)
    private boolean failOnError;

    /**
     * The Maven Project Object for the module this mojo is executing in
     * (injected, read-only).
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "project", required = true, readonly = true)
    private MavenProject project;
    /**
     * The Maven projects that make up the current reactor build (injected,
     * read-only). The generic type is not visible in this rendering; it is
     * likely {@code List<MavenProject>}.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(readonly = true, required = true, property = "reactorProjects")
    private List reactorProjects;
    /**
     * The entry point towards a Maven version independent way of resolving
     * artifacts (handles both Maven 3.0 Sonatype and Maven 3.1+ eclipse Aether
     * implementations).
     */
    @SuppressWarnings("CanBeFinal")
    @Component
    private ArtifactResolver artifactResolver;
    /**
     * The entry point towards a Maven version independent way of resolving
     * dependencies (handles both Maven 3.0 Sonatype and Maven 3.1+ eclipse
     * Aether implementations). Contrary to the ArtifactResolver this resolver
     * also takes into account the additional repositories defined in the
     * dependency-path towards transitive dependencies.
     *
     * NOTE(review): because repositories declared by transitive dependencies
     * are honoured here, resolution may contact repositories that are not
     * listed in the project's own POM; a repository manager / mirror in
     * settings.xml is the usual control for that.
     */
    @SuppressWarnings("CanBeFinal")
    @Component
    private DependencyResolver dependencyResolver;

    /**
     * The current Maven session (injected, read-only); source of the
     * repository session and user properties used for artifact resolution.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(defaultValue = "${session}", readonly = true, required = true)
    private MavenSession session;

    /**
     * Component within Maven to build the dependency graph that the scan
     * walks.
     */
    @Component
    private DependencyGraphBuilder dependencyGraphBuilder;

    /**
     * The output directory. This generally maps to "target".
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(defaultValue = "${project.build.directory}", required = true, property = "odc.outputDirectory")
    private File outputDirectory;
    /**
     * This is a reference to the {@code <reporting>} section's
     * outputDirectory. This cannot be configured in the
     * dependency-check mojo directly. This generally maps to "target/site".
     */
    @Parameter(property = "project.reporting.outputDirectory", readonly = true)
    private File reportOutputDirectory;
    /**
     * Specifies if the build should be failed if a CVSS score above a specified
     * level is identified. The default is 11 which means since the CVSS scores
     * are 0-10, by default the build will never fail.
     *
     * NOTE(review): this is the primary enforcement knob. A pipeline that is
     * meant to block on vulnerable dependencies must set it explicitly (e.g.
     * 7 to fail on High/Critical, 0 to fail on anything); leaving the default
     * turns the plugin into a report-only step. The threshold is compared
     * against the score as reported, so suppressed findings never trigger it.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "failBuildOnCVSS", defaultValue = "11", required = true)
    private float failBuildOnCVSS = 11f;
    /**
     * Specifies the CVSS score that is considered a "test" failure when
     * generating a jUnit style report. The default value is 0 - all
     * vulnerabilities are considered a failure. Only affects the JUNIT
     * report format; it does not fail the Maven build by itself.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "junitFailOnCVSS", defaultValue = "0", required = true)
    private float junitFailOnCVSS = 0;
    /**
     * Fail the build if any dependency has a vulnerability listed.
     *
     * @deprecated use {@link BaseDependencyCheckMojo#failBuildOnCVSS} with a
     * value of 0 instead
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "failBuildOnAnyVulnerability", defaultValue = "false", required = true)
    @Deprecated
    private boolean failBuildOnAnyVulnerability = false;
    /**
     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not
     * recommended that this be turned to false. Default is true.
     *
     * NOTE(review): with updates disabled the scan runs against whatever data
     * was last downloaded into {@code dataDirectory}, so CVEs published since
     * then are not reported. Only disable this when the data directory is
     * refreshed by some other, trusted, process.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "autoUpdate")
    private Boolean autoUpdate;
    /**
     * Sets whether Experimental analyzers are enabled. Default is false.
     * Experimental analyzers are opt-in; treat their results as lower
     * confidence than the default set before gating a build on them.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "enableExperimental")
    private Boolean enableExperimental;
    /**
     * Sets whether retired analyzers are enabled. Default is false.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "enableRetired")
    private Boolean enableRetired;
    /**
     * Sets whether the Golang Dependency analyzer is enabled. Default is true.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "golangDepEnabled")
    private Boolean golangDepEnabled;
    /**
     * Sets whether Golang Module Analyzer is enabled; this requires `go` to be
     * installed. Default is true.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "golangModEnabled")
    private Boolean golangModEnabled;
    /**
     * Sets the path to `go`. The Golang Module Analyzer executes this binary,
     * so it should point at a trusted installation, not at a location that an
     * untrusted build input can write to.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "pathToGo")
    private String pathToGo;

    /**
     * Sets the path to `yarn`. NOTE(review): the yarn audit analyzer
     * presumably executes this binary (confirm in the analyzer); the same
     * trusted-installation caveat as {@code pathToGo} applies.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "pathToYarn")
    private String pathToYarn;
    /**
     * Sets the path to `pnpm`. NOTE(review): the pnpm audit analyzer
     * presumably executes this binary (confirm in the analyzer); the same
     * trusted-installation caveat as {@code pathToGo} applies.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "pathToPnpm")
    private String pathToPnpm;
    /**
     * Use pom dependency information for snapshot dependencies that are part of
     * the Maven reactor while aggregate scanning a multi-module project.
     * Default is true.
     */
    @Parameter(property = "dependency-check.virtualSnapshotsFromReactor", defaultValue = "true")
    private Boolean virtualSnapshotsFromReactor;
    /**
     * The report format to be generated (HTML, XML, JUNIT, CSV, JSON, SARIF, JENKINS,
     * ALL). Multiple formats can be selected using a comma delineated list.
     * Single-value form of {@code formats}; default is HTML.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "format", defaultValue = "HTML", required = true)
    private String format = "HTML";

    /**
     * Whether or not the XML and JSON report formats should be pretty printed.
     * The default is false.
     */
    @Parameter(property = "prettyPrint")
    private Boolean prettyPrint;
    /**
     * The report formats to be generated (HTML, XML, JUNIT, CSV, JSON, SARIF, JENKINS,
     * ALL). Array form of {@code format}; how the two are merged when both are
     * set is decided elsewhere in this class.
     */
    @Parameter(property = "formats", required = true)
    private String[] formats;
    /**
     * The Maven settings (settings.xml) in effect for this build; source of
     * proxy and server definitions referenced by the various {@code *ServerId}
     * parameters.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "mavenSettings", defaultValue = "${settings}")
    private org.apache.maven.settings.Settings mavenSettings;

    /**
     * The id of a {@code <proxy>} entry in settings.xml to use for outbound
     * connections. When unset, presumably the active proxy (if any) is used;
     * confirm in the proxy-population code.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "mavenSettingsProxyId")
    private String mavenSettingsProxyId;

    /**
     * The Connection Timeout for outbound HTTP connections (string form; the
     * unit is resolved by the core settings).
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "connectionTimeout")
    private String connectionTimeout;
    /**
     * The Read Timeout for outbound HTTP connections (string form; the unit is
     * resolved by the core settings).
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "readTimeout")
    private String readTimeout;
    /**
     * Sets whether dependency-check should check if there is a new version
     * available. Default is true. NOTE(review): this check presumably needs
     * outbound network access; disable it in air-gapped builds to avoid a
     * spurious warning or delay.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "versionCheckEnabled", defaultValue = "true")
    private boolean versionCheckEnabled;
    /**
     * The paths to the suppression files. The parameter value can be a local
     * file path, a URL to a suppression file, or even a reference to a file on
     * the class path (see
     * https://github.com/jeremylong/DependencyCheck/issues/1878#issuecomment-487533799)
     *
     * NOTE(review): suppressions silence findings. Keep them in version
     * control and review changes to them like code; a URL-sourced file should
     * be served over HTTPS from a host you control, since whoever controls
     * that file controls what this scan ignores.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "suppressionFiles")
    private String[] suppressionFiles;
    /**
     * The path to a single suppression file. The parameter value can be a local
     * file path, a URL to a suppression file, or even a reference to a file on
     * the class path (see
     * https://github.com/jeremylong/DependencyCheck/issues/1878#issuecomment-487533799).
     * Same review caveat as {@code suppressionFiles}.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "suppressionFile")
    private String suppressionFile;
    /**
     * The username used when connecting to the suppressionFiles.
     */
    @Parameter(property = "suppressionFileUser")
    private String suppressionFileUser;
    /**
     * The password used when connecting to the suppressionFiles.
     *
     * NOTE(review): a value set here lands in the POM or on the command line
     * ({@code -DsuppressionFilePassword=...}), where it is visible in SCM
     * history, process listings and CI logs. Prefer
     * {@code suppressionFileServerId} with an encrypted password in
     * settings.xml.
     */
    @Parameter(property = "suppressionFilePassword")
    private String suppressionFilePassword;
    /**
     * The server id in the settings.xml; used to retrieve encrypted passwords
     * from the settings.xml for suppressionFile(s). This is the preferred way
     * to supply credentials for URL-sourced suppression files.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "suppressionFileServerId")
    private String suppressionFileServerId;
    /**
     * The path to the hints file (evidence hints that steer CPE matching).
     * Like suppressions, hints change what the scan reports and should be
     * version-controlled and reviewed.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "hintsFile")
    private String hintsFile;

    /**
     * Flag indicating whether or not to show a summary in the output.
     * Default is true.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "showSummary", defaultValue = "true")
    private boolean showSummary = true;

    /**
     * Whether or not the Jar Analyzer is enabled. Unset means the core default
     * applies.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "jarAnalyzerEnabled")
    private Boolean jarAnalyzerEnabled;

    /**
     * Sets whether the Dart analyzer is enabled. Default is true.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "dartAnalyzerEnabled")
    private Boolean dartAnalyzerEnabled;

    /**
     * Whether or not the Archive Analyzer is enabled. Unset means the core
     * default applies.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "archiveAnalyzerEnabled")
    private Boolean archiveAnalyzerEnabled;

    /**
     * Sets whether the Python Distribution Analyzer will be used.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "pyDistributionAnalyzerEnabled")
    private Boolean pyDistributionAnalyzerEnabled;
    /**
     * Sets whether the Python Package Analyzer will be used.
     */
    @Parameter(property = "pyPackageAnalyzerEnabled")
    private Boolean pyPackageAnalyzerEnabled;
    /**
     * Sets whether the Ruby Gemspec Analyzer will be used.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "rubygemsAnalyzerEnabled")
    private Boolean rubygemsAnalyzerEnabled;
    /**
     * Sets whether or not the openssl Analyzer should be used.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "opensslAnalyzerEnabled")
    private Boolean opensslAnalyzerEnabled;
    /**
     * Sets whether or not the CMake Analyzer should be used.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "cmakeAnalyzerEnabled")
    private Boolean cmakeAnalyzerEnabled;
    /**
     * Sets whether or not the autoconf Analyzer should be used.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "autoconfAnalyzerEnabled")
    private Boolean autoconfAnalyzerEnabled;
    /**
     * Sets whether or not the Maven install Analyzer should be used.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "mavenInstallAnalyzerEnabled")
    private Boolean mavenInstallAnalyzerEnabled;
    /**
     * Sets whether or not the pip Analyzer should be used.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "pipAnalyzerEnabled")
    private Boolean pipAnalyzerEnabled;
    /**
     * Sets whether or not the pipfile Analyzer should be used.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "pipfileAnalyzerEnabled")
    private Boolean pipfileAnalyzerEnabled;
    /**
     * Sets whether or not the poetry Analyzer should be used.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "poetryAnalyzerEnabled")
    private Boolean poetryAnalyzerEnabled;
    /**
     * Sets whether or not the PHP Composer Lock File Analyzer should be used.
     */
    @Parameter(property = "composerAnalyzerEnabled")
    private Boolean composerAnalyzerEnabled;
    /**
     * Whether or not the Perl CPAN File Analyzer is enabled.
     */
    @Parameter(property = "cpanfileAnalyzerEnabled")
    private Boolean cpanfileAnalyzerEnabled;
    /**
     * Sets whether or not the Node.js Analyzer should be used.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "nodeAnalyzerEnabled")
    private Boolean nodeAnalyzerEnabled;
    /**
     * Sets whether or not the Node Audit Analyzer should be used.
     * NOTE(review): the existence of {@code nodeAuditAnalyzerUseCache}
     * suggests this analyzer queries a remote audit service; confirm which
     * endpoint and what package data is sent before enabling it on private
     * code.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "nodeAuditAnalyzerEnabled")
    private Boolean nodeAuditAnalyzerEnabled;

    /**
     * Sets whether or not the Yarn Audit Analyzer should be used (see
     * {@code pathToYarn}).
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "yarnAuditAnalyzerEnabled")
    private Boolean yarnAuditAnalyzerEnabled;

    /**
     * Sets whether or not the Pnpm Audit Analyzer should be used (see
     * {@code pathToPnpm}).
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "pnpmAuditAnalyzerEnabled")
    private Boolean pnpmAuditAnalyzerEnabled;

    /**
     * Sets whether or not the Node Audit Analyzer should use a local cache.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "nodeAuditAnalyzerUseCache")
    private Boolean nodeAuditAnalyzerUseCache;
    /**
     * Sets whether or not the Node Audit Analyzer should skip devDependencies.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "nodeAuditSkipDevDependencies")
    private Boolean nodeAuditSkipDevDependencies;
    /**
     * Sets whether or not the Node Package Analyzer should skip
     * devDependencies. (The original comment repeated the Node Audit text;
     * the field name indicates this is the package-analyzer counterpart —
     * verify against where it is applied.)
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "nodePackageSkipDevDependencies")
    private Boolean nodePackageSkipDevDependencies;
    /**
     * Sets whether or not the Retirejs Analyzer should be used.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "retireJsAnalyzerEnabled")
    private Boolean retireJsAnalyzerEnabled;
    /**
     * The Retire JS repository URL. NOTE(review): the content fetched from
     * here determines what the Retire JS analyzer flags, so an override
     * should point at an HTTPS mirror you trust.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "retireJsUrl")
    private String retireJsUrl;
    /**
     * Whether the Retire JS repository will be updated regardless of the
     * `autoupdate` settings.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "retireJsForceUpdate")
    private Boolean retireJsForceUpdate;
    /**
     * Whether or not the .NET Assembly Analyzer is enabled (see
     * {@code pathToCore} for the dotnet executable it relies on).
     */
    @Parameter(property = "assemblyAnalyzerEnabled")
    private Boolean assemblyAnalyzerEnabled;
    /**
     * Whether or not the MS Build Analyzer is enabled.
     */
    @Parameter(property = "msbuildAnalyzerEnabled")
    private Boolean msbuildAnalyzerEnabled;
    /**
     * Whether or not the .NET Nuspec Analyzer is enabled.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "nuspecAnalyzerEnabled")
    private Boolean nuspecAnalyzerEnabled;

    /**
     * Whether or not the .NET packages.config Analyzer is enabled.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "nugetconfAnalyzerEnabled")
    private Boolean nugetconfAnalyzerEnabled;

    /**
     * Whether or not the Central Analyzer is enabled. This analyzer looks up
     * artifacts against Maven Central, so it needs outbound network access
     * (see {@code centralAnalyzerUseCache}).
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "centralAnalyzerEnabled")
    private Boolean centralAnalyzerEnabled;

    /**
     * Whether or not the Central Analyzer should use a local cache.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "centralAnalyzerUseCache")
    private Boolean centralAnalyzerUseCache;

    /**
     * Whether or not the Artifactory Analyzer is enabled.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "artifactoryAnalyzerEnabled")
    private Boolean artifactoryAnalyzerEnabled;
    /**
     * The serverId inside the settings.xml containing the username and token to
     * access artifactory. This is the preferred way to supply Artifactory
     * credentials: settings.xml can hold them encrypted and stays out of the
     * project repository.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "artifactoryAnalyzerServerId")
    private String artifactoryAnalyzerServerId;
    /**
     * The username (only used with API token) to connect to Artifactory
     * instance
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "artifactoryAnalyzerUsername")
    private String artifactoryAnalyzerUsername;
    /**
     * The API token to connect to Artifactory instance.
     *
     * NOTE(review): a token set here lives in the POM or on the command line
     * and will show up in SCM history, process listings and CI logs; prefer
     * {@code artifactoryAnalyzerServerId}. Scope the token to read-only
     * access, since the analyzer only needs to look artifacts up.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "artifactoryAnalyzerApiToken")
    private String artifactoryAnalyzerApiToken;
    /**
     * The bearer token to connect to Artifactory instance. Same exposure
     * caveat as {@code artifactoryAnalyzerApiToken}; prefer
     * {@code artifactoryAnalyzerServerId}.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "artifactoryAnalyzerBearerToken")
    private String artifactoryAnalyzerBearerToken;
    /**
     * The Artifactory URL for the Artifactory analyzer. Use an https URL;
     * the credentials above are sent to whatever host this names.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "artifactoryAnalyzerUrl")
    private String artifactoryAnalyzerUrl;
    /**
     * Whether Artifactory should be accessed through a proxy or not
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "artifactoryAnalyzerUseProxy")
    private Boolean artifactoryAnalyzerUseProxy;
    /**
     * Whether the Artifactory analyzer should be run in parallel or not.
     * Default is true.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "artifactoryAnalyzerParallelAnalysis", defaultValue = "true")
    private Boolean artifactoryAnalyzerParallelAnalysis;
    /**
     * Whether or not the Nexus Analyzer is enabled (see {@code nexusUrl} and
     * {@code nexusServerId}).
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "nexusAnalyzerEnabled")
    private Boolean nexusAnalyzerEnabled;

    /**
     * Whether or not the Sonatype OSS Index analyzer is enabled. This analyzer
     * queries a remote service, so the coordinates of the project's
     * dependencies leave the build environment when it is on.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "ossindexAnalyzerEnabled")
    private Boolean ossindexAnalyzerEnabled;
    /**
     * Whether or not the Sonatype OSS Index analyzer should cache results.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "ossindexAnalyzerUseCache")
    private Boolean ossindexAnalyzerUseCache;
    /**
     * URL of the Sonatype OSS Index service. If overridden, use https: the
     * OSS Index credentials (when configured) are sent to this host.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "ossindexAnalyzerUrl")
    private String ossindexAnalyzerUrl;

    /**
     * The id of a server defined in the settings.xml that configures the
     * credentials (username and password) for a OSS Index service.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "ossIndexServerId")
    private String ossIndexServerId;

    /**
     * Whether we should only warn about Sonatype OSS Index remote errors
     * instead of failing the goal completely.
     *
     * NOTE(review): when true, an unreachable or failing OSS Index leaves the
     * build green with a warning and without OSS Index results. That is a
     * reasonable availability trade-off, but a gating pipeline should watch
     * for the warning rather than assume the lookup happened.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "ossIndexWarnOnlyOnRemoteErrors")
    private Boolean ossIndexWarnOnlyOnRemoteErrors;

    /**
     * Whether or not the Elixir Mix Audit Analyzer is enabled.
     */
    @Parameter(property = "mixAuditAnalyzerEnabled")
    private Boolean mixAuditAnalyzerEnabled;

    /**
     * Sets the path for the mix_audit binary. The analyzer executes it, so it
     * should point at a trusted installation.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "mixAuditPath")
    private String mixAuditPath;

    /**
     * Whether or not the Ruby Bundle Audit Analyzer is enabled.
     */
    @Parameter(property = "bundleAuditAnalyzerEnabled")
    private Boolean bundleAuditAnalyzerEnabled;

    /**
     * Sets the path for the bundle-audit binary. The analyzer executes it, so
     * it should point at a trusted installation.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "bundleAuditPath")
    private String bundleAuditPath;

    /**
     * Sets the path for the working directory that the bundle-audit binary
     * should be executed from.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "bundleAuditWorkingDirectory")
    private String bundleAuditWorkingDirectory;

    /**
     * Whether or not the CocoaPods Analyzer is enabled.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "cocoapodsAnalyzerEnabled")
    private Boolean cocoapodsAnalyzerEnabled;

    /**
     * Whether or not the Swift package Analyzer is enabled.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "swiftPackageManagerAnalyzerEnabled")
    private Boolean swiftPackageManagerAnalyzerEnabled;
    /**
     * Whether or not the Swift package resolved Analyzer is enabled.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "swiftPackageResolvedAnalyzerEnabled")
    private Boolean swiftPackageResolvedAnalyzerEnabled;
    /**
     * The URL of a Nexus server's REST API end point
     * (e.g. https://domain/nexus/service/local). Prefer https: when
     * {@code nexusServerId} is set, those credentials are sent to this host.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "nexusUrl")
    private String nexusUrl;
    /**
     * The id of a server defined in the settings.xml that configures the
     * credentials (username and password) for a Nexus server's REST API end
     * point. When not specified the communication with the Nexus server's REST
     * API will be unauthenticated.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "nexusServerId")
    private String nexusServerId;
    /**
     * Whether or not the configured proxy is used to connect to Nexus.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "nexusUsesProxy")
    private Boolean nexusUsesProxy;
    /**
     * The database connection string (JDBC URL) for the vulnerability
     * database. Leave unset to use the embedded database under
     * {@code dataDirectory}. Do not embed credentials in the URL; use
     * {@code serverId} instead.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "connectionString")
    private String connectionString;

    /**
     * The database driver name. An example would be org.h2.Driver.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "databaseDriverName")
    private String databaseDriverName;
    /**
     * The path to the database driver if it is not on the class path.
     *
     * NOTE(review): a driver loaded from this path presumably runs inside the
     * build JVM with the build's privileges, so the jar it names must come
     * from a trusted, integrity-checked location; never point it at a path
     * that untrusted build inputs can write to.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "databaseDriverPath")
    private String databaseDriverPath;
    /**
     * The server id in the settings.xml; used to retrieve encrypted passwords
     * from the settings.xml. This is the preferred way to supply the database
     * credentials (see {@code securityDispatcher}).
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "serverId")
    private String serverId;
    /**
     * A reference to the settings.xml settings (injected, read-only).
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(defaultValue = "${settings}", readonly = true, required = true)
    private org.apache.maven.settings.Settings settingsXml;
    /**
     * The security dispatcher that can decrypt passwords in the settings.xml
     * (the {@code default} Plexus implementation, which uses the master
     * password in settings-security.xml).
     */
    @Component(role = SecDispatcher.class, hint = "default")
    private SecDispatcher securityDispatcher;
    /**
     * The database user name. Prefer {@code serverId} over setting this
     * directly.
     */
    @Parameter(property = "databaseUser")
    private String databaseUser;
    /**
     * The password to use when connecting to the database.
     *
     * NOTE(review): a value set here lives in the POM or on the command line
     * ({@code -DdatabasePassword=...}) and will appear in SCM history,
     * process listings and CI logs. Prefer {@code serverId} with an encrypted
     * password in settings.xml.
     */
    @Parameter(property = "databasePassword")
    private String databasePassword;
    /**
     * A comma-separated list of file extensions to add to analysis next to jar,
     * zip, .... Extensions listed here are treated as archives and unpacked
     * for scanning.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "zipExtensions")
    private String zipExtensions;
    /**
     * Skip Dependency Check altogether. Default is false.
     *
     * NOTE(review): this is bound to the {@code dependency-check.skip}
     * property, so anyone able to alter the Maven command line
     * ({@code -Ddependency-check.skip=true}) can bypass the scan. A policy
     * that relies on this plugin as a control should run it from a pipeline
     * step whose arguments the project cannot override.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "dependency-check.skip", defaultValue = "false")
    private boolean skip = false;
    /**
     * Skip Analysis for Test Scope Dependencies. Default is true, so test
     * dependencies are not reported unless this is turned off.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "skipTestScope", defaultValue = "true")
    private boolean skipTestScope = true;
    /**
     * Skip Analysis for Runtime Scope Dependencies. Default is false.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "skipRuntimeScope", defaultValue = "false")
    private boolean skipRuntimeScope = false;
    /**
     * Skip Analysis for Provided Scope Dependencies. Default is false.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "skipProvidedScope", defaultValue = "false")
    private boolean skipProvidedScope = false;

    /**
     * Skip Analysis for System Scope Dependencies. Default is false.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "skipSystemScope", defaultValue = "false")
    private boolean skipSystemScope = false;

    /**
     * Skip Analysis for dependencyManagement section. Default is true.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "skipDependencyManagement", defaultValue = "true")
    private boolean skipDependencyManagement = true;

    /**
     * Skip analysis for dependencies which type matches this regular
     * expression. This filters on the `type` of dependency as defined in the
     * dependency section: jar, pom, test-jar, etc. Every skip* setting narrows
     * coverage; document why a scope or type is excluded.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "skipArtifactType")
    private String skipArtifactType;

    /**
     * The data directory that holds the dependency-check SQL database (the
     * downloaded vulnerability data). It should be writable only by the
     * build user; its contents decide what the scan reports.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "dataDirectory")
    private String dataDirectory;

    /**
     * The name of the DC DB.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "dbFilename")
    private String dbFilename;

    /**
     * Data Mirror URL for CVE 1.2. Presumably the URL of the "modified"
     * (recently changed) feed on a local NVD mirror - confirm against the core
     * settings. The feed contents decide which vulnerabilities are reported,
     * so a mirror must be a trusted, integrity-protected source.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "cveUrlModified")
    private String cveUrlModified;
    /**
     * Base Data Mirror URL for CVE 1.2. Presumably the base URL of the yearly
     * feeds on the mirror - confirm against the core settings. See
     * {@link #cveUrlModified} for the trust caveat.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "cveUrlBase")
    private String cveUrlBase;
    /**
     * The wait timeout between downloads from the NVD. Kept as a String as
     * supplied; the unit is interpreted by the core settings - confirm there
     * (it is not visible here).
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "cveWaitTime")
    private String cveWaitTime;
    /**
     * The username to use when connecting to the CVE-URL.
     */
    @Parameter(property = "cveUser")
    private String cveUser;
    /**
     * The password to authenticate to the CVE-URL. Setting this directly puts
     * the secret in the POM or on the command line (and hence in build logs
     * and shell history); prefer {@link #cveServerId}, which resolves the
     * password from a {@code settings.xml} server entry and supports Maven's
     * encrypted passwords.
     */
    @Parameter(property = "cvePassword")
    private String cvePassword;
    /**
     * The server id in the settings.xml; used to retrieve encrypted passwords
     * from the settings.xml for cve-URLs. This is the recommended way to
     * supply credentials instead of {@link #cveUser}/{@link #cvePassword}.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "cveServerId")
    private String cveServerId;
    /**
     * Optionally skip excessive CVE update checks for a designated duration in
     * hours. Null when not configured; presumably the core default then
     * applies (confirm). Larger values mean fewer downloads but staler
     * vulnerability data.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "cveValidForHours")
    private Integer cveValidForHours;

    /**
     * Specify the first year of NVD CVE data to download; default is 2002.
     * Raising this reduces the download, but CVEs published before the chosen
     * year are then absent from the data set and can never be matched.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "cveStartYear")
    private Integer cveStartYear;

    /**
     * The path to the dotnet core executable. Presumably consumed by the .NET
     * assembly analysis - confirm where it is read. Unset (null) leaves
     * resolution to the core defaults.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "pathToCore")
    private String pathToCore;

    /**
     * The RetireJS Analyzer configuration:
     *
     *   filters: an array of filter patterns that are used to exclude JS files that contain a match
     *   filterNonVulnerable: a boolean that when true will remove non-vulnerable JS from the report
     *
     * Note that every filter widens what is silently left out of the report,
     * so filters should be as specific as the example below.
     *
     * Example:
     * <pre>{@code
     *   <retirejs>
     *     <filters>
     *       <filter>copyright 2018\(c\) Jeremy Long</filter>
     *     </filters>
     *     <filterNonVulnerable>true</filterNonVulnerable>
     *   </retirejs>
     * }</pre>
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "retirejs")
    private Retirejs retirejs;
    /**
     * The list of artifacts (and their transitive dependencies) to exclude from
     * the check. An exclusion removes the artifact and everything it pulls in
     * from the scan, so entries should be narrow and reviewed.
     */
    // NOTE(review): raw type here; the element type argument appears to have
    // been lost in rendering - confirm against the original source.
    @Parameter(property = "odc.excludes")
    private List excludes;
    /**
     * The artifact scope filter. Not a user parameter; presumably derived from
     * the skip*Scope flags above - confirm where it is initialised.
     */
    private Filter artifactScopeExcluded;
    /**
     * Filter for artifact type. Not a user parameter; presumably built from
     * {@link #skipArtifactType} - confirm where it is initialised.
     */
    private Filter artifactTypeExcluded;
    /**
     * A collection of fileSets that specify additional files
     * and/or directories (from the basedir) to analyze as part of the scan. If
     * not specified, defaults to Maven conventions of: src/main/resources,
     * src/main/filters, and src/main/webapp. Note, this cannot be set via the
     * command line - use `scanDirectory` instead.
     */
    // NOTE(review): raw type here; the element type argument appears to have
    // been lost in rendering - confirm against the original source.
    @Parameter
    private List scanSet;
    /**
     * A list of directories to scan. Note, this should only be used via the
     * command line - if configuring the directories to scan consider using the
     * `scanSet` instead.
     */
    // NOTE(review): raw type here; the element type argument appears to have
    // been lost in rendering - confirm against the original source.
    @Parameter(property = "scanDirectory")
    private List scanDirectory;
    //
// /** * Determines if the groupId, artifactId, and version of the Maven * dependency and artifact match. * * @param d the Maven dependency * @param a the Maven artifact * @return true if the groupId, artifactId, and version match */ private static boolean artifactsMatch(org.apache.maven.model.Dependency d, Artifact a) { return isEqualOrNull(a.getArtifactId(), d.getArtifactId()) && isEqualOrNull(a.getGroupId(), d.getGroupId()) && isEqualOrNull(a.getVersion(), d.getVersion()); } /** * Compares two strings for equality; if both strings are null they are * considered equal. * * @param left the first string to compare * @param right the second string to compare * @return true if the strings are equal or if they are both null; otherwise * false. */ private static boolean isEqualOrNull(String left, String right) { return (left != null && left.equals(right)) || (left == null && right == null); } /** * Executes dependency-check. * * @throws MojoExecutionException thrown if there is an exception executing * the mojo * @throws MojoFailureException thrown if dependency-check failed the build */ @Override public void execute() throws MojoExecutionException, MojoFailureException { generatingSite = false; final boolean shouldSkip = Boolean.parseBoolean(System.getProperty("dependency-check.skip", Boolean.toString(skip))); if (shouldSkip) { getLog().info("Skipping " + getName(Locale.US)); } else { project.setContextValue("dependency-check-output-dir", this.outputDirectory); runCheck(); } } /** * Generates the Dependency-Check Site Report. * * @param sink the sink to write the report to * @param locale the locale to use when generating the report * @throws MavenReportException if a maven report exception occurs * @deprecated use * {@link #generate(org.apache.maven.doxia.sink.Sink, java.util.Locale)} * instead. 
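*/
    @Deprecated
    public final void generate(@SuppressWarnings("deprecation") org.codehaus.doxia.sink.Sink sink, Locale locale) throws MavenReportException {
        // The legacy Doxia sink is a subtype of the current Sink, so the call is delegated as-is.
        generate((Sink) sink, locale);
    }

    /**
     * Returns true if the Maven site is being generated.
     *
     * @return true if the Maven site is being generated
     */
    protected boolean isGeneratingSite() {
        return generatingSite;
    }

    /**
     * Returns the connection string.
     *
     * @return the connection string
     */
    protected String getConnectionString() {
        return connectionString;
    }

    /**
     * Returns if the mojo should fail the build if an exception occurs.
     *
     * @return whether or not the mojo should fail the build
     */
    protected boolean isFailOnError() {
        return failOnError;
    }

    /**
     * Generates the Dependency-Check Site Report.
     *
     * The JVM system property {@code dependency-check.skip} overrides the
     * configured {@code skip} flag. A {@link MojoFailureException} raised by the
     * CVSS threshold check is downgraded to a warning here so that site
     * generation completes; the findings are still written to the report, which
     * runCheck produces before the threshold check runs.
     *
     * @param sink the sink to write the report to
     * @param locale the locale to use when generating the report
     * @throws MavenReportException if a maven report exception occurs
     */
    public void generate(Sink sink, Locale locale) throws MavenReportException {
        final boolean shouldSkip = Boolean.parseBoolean(System.getProperty("dependency-check.skip", Boolean.toString(skip)));
        if (shouldSkip) {
            getLog().info("Skipping report generation " + getName(Locale.US));
            return;
        }
        generatingSite = true;
        project.setContextValue("dependency-check-output-dir", getReportOutputDirectory());
        try {
            runCheck();
        } catch (MojoExecutionException ex) {
            throw new MavenReportException(ex.getMessage(), ex);
        } catch (MojoFailureException ex) {
            // Deliberately not rethrown: a site build must not fail on the CVSS threshold.
            // Message typo fixed ("identifies" -> "identified").
            getLog().warn("Vulnerabilities were identified that exceed the CVSS threshold for failing the build");
        }
    }

    /**
     * Returns the correct output directory depending on if a site is being
     * executed or not.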
*
* @return the directory to write the report(s)
* @throws MojoExecutionException thrown if there is an error loading the
* file path
*/
    protected File getCorrectOutputDirectory() throws MojoExecutionException {
        return getCorrectOutputDirectory(this.project);
    }

    /**
     * Returns the correct output directory depending on if a site is being
     * executed or not. A directory previously stored in the project context
     * (see execute / generate) wins; otherwise the build directory is used,
     * stepping up one level when the build directory sits inside a directory
     * named "target".
     *
     * @param current the Maven project to get the output directory from
     * @return the directory to write the report(s)
     */
    protected File getCorrectOutputDirectory(MavenProject current) {
        final Object configured = current.getContextValue("dependency-check-output-dir");
        // instanceof is false for null, so a separate null check is not needed;
        // a context value of any other type is ignored rather than cast.
        if (configured instanceof File) {
            return (File) configured;
        }
        final File buildDir = new File(current.getBuild().getDirectory());
        final File parent = buildDir.getParentFile();
        final boolean insideTarget = parent != null && "target".equals(parent.getName());
        return insideTarget ? parent : buildDir;
    }

    /**
     * Scans the project's artifacts and adds them to the engine's dependency
     * list. Equivalent to a non-aggregate call of the three-argument overload.
     *
     * @param project the project to scan the dependencies of
     * @param engine the engine to use to scan the dependencies
     * @return a collection of exceptions that may have occurred while resolving
     * and scanning the dependencies
     */
    protected ExceptionCollection scanArtifacts(MavenProject project, Engine engine) {
        return scanArtifacts(project, engine, false);
    }

    /**
     * Scans the project's artifacts and adds them to the engine's dependency
     * list.
*
* @param project the project to scan the dependencies of
* @param engine the engine to use to scan the dependencies
* @param aggregate whether the scan is part of an aggregate build
* @return a collection of exceptions that may have occurred while resolving
* and scanning the dependencies
*/
    protected ExceptionCollection scanArtifacts(MavenProject project, Engine engine, boolean aggregate) {
        try {
            // The project under analysis is excluded by exact coordinate so it is not scanned as its own dependency.
            final List filterItems = Collections.singletonList(String.format("%s:%s", project.getGroupId(), project.getArtifactId()));
            final ProjectBuildingRequest buildingRequest = newResolveArtifactProjectBuildingRequest(project);
            //For some reason the filter does not filter out the project being analyzed
            //if we pass in the filter below instead of null to the dependencyGraphBuilder
            final DependencyNode dn = dependencyGraphBuilder.buildDependencyGraph(buildingRequest, null);
            final CollectingDependencyNodeVisitor collectorVisitor = new CollectingDependencyNodeVisitor();
            // exclude artifact by pattern and its dependencies
            final DependencyNodeVisitor transitiveFilterVisitor = new FilteringDependencyTransitiveNodeVisitor(collectorVisitor,
                    new ArtifactDependencyNodeFilter(new PatternExcludesArtifactFilter(getExcludes())));
            // exclude exact artifact but not its dependencies, this filter must be appied on the root for first otherwise
            // in case the exclude has the same groupId of the current bundle its direct dependencies are not visited
            final DependencyNodeVisitor artifactFilter = new FilteringDependencyNodeVisitor(transitiveFilterVisitor,
                    new ArtifactDependencyNodeFilter(new ExcludesArtifactFilter(filterItems)));
            dn.accept(artifactFilter);
            //collect dependencies with the filter - see comment above.
            final List nodes = new ArrayList<>(collectorVisitor.getNodes());
            return collectDependencies(engine, project, nodes, buildingRequest, aggregate);
        } catch (DependencyGraphBuilderException ex) {
            // A graph-building failure is returned to the caller rather than thrown; the
            // full stack trace is only visible at debug level.
            final String msg = String.format("Unable to build dependency graph on project %s", project.getName());
            getLog().debug(msg, ex);
            return new ExceptionCollection(ex);
        }
    }

    /**
     * Converts the dependency to a dependency node object.
     *
     * The version placed on the artifact coordinate is chosen in this order: the
     * version of an already-collected node with the same groupId/artifactId,
     * then the range's recommended version, then the last bound found among the
     * range's restrictions, then the raw version string from the dependency.
     *
     * @param nodes the list of dependency nodes
     * @param buildingRequest the Maven project building request
     * @param parent the parent node
     * @param dependency the dependency to convert
     * @return the resulting dependency node
     * @throws ArtifactResolverException thrown if the artifact could not be
     * retrieved
     */
    private DependencyNode toDependencyNode(List nodes, ProjectBuildingRequest buildingRequest, DependencyNode parent, org.apache.maven.model.Dependency dependency) throws ArtifactResolverException {
        final DefaultArtifactCoordinate coordinate = new DefaultArtifactCoordinate();
        coordinate.setGroupId(dependency.getGroupId());
        coordinate.setArtifactId(dependency.getArtifactId());
        String version = null;
        final VersionRange vr;
        try {
            vr = VersionRange.createFromVersionSpec(dependency.getVersion());
        } catch (InvalidVersionSpecificationException ex) {
            // Wrapped so callers only need to handle ArtifactResolverException; the cause is preserved.
            throw new ArtifactResolverException("Invalid version specification: " + dependency.getGroupId() + ":" + dependency.getArtifactId() + ":" + dependency.getVersion(), ex);
        }
        if (vr.hasRestrictions()) {
            version = findVersion(nodes, dependency.getGroupId(), dependency.getArtifactId());
            if (version == null) {
                //TODO - this still may fail if the restriction is not a valid version number (i.e. only 2.9 instead of 2.9.1)
                //need to get available versions and filter on the restrictions.
                if (vr.getRecommendedVersion() != null) {
                    version = vr.getRecommendedVersion().toString();
                } else if (vr.hasRestrictions()) {
                    // Each bound overwrites the previous value, so the last bound encountered wins
                    // (an upper bound takes precedence over a lower bound of the same restriction).
                    for (Restriction restriction : vr.getRestrictions()) {
                        if (restriction.getLowerBound() != null) {
                            version = restriction.getLowerBound().toString();
                        }
                        if (restriction.getUpperBound() != null) {
                            version = restriction.getUpperBound().toString();
                        }
                    }
                } else {
                    // Unreachable: the enclosing if already established vr.hasRestrictions().
                    version = vr.toString();
                }
            }
        }
        if (version == null) {
            version = dependency.getVersion();
        }
        coordinate.setVersion(version);
        // NOTE(review): assumes the registry knows dependency.getType(); a null entry would NPE on getExtension — confirm.
        final ArtifactType type = session.getRepositorySession().getArtifactTypeRegistry().get(dependency.getType());
        coordinate.setExtension(type.getExtension());
        // A missing or empty classifier falls back to the classifier implied by the artifact type.
        coordinate.setClassifier((null == dependency.getClassifier() || dependency.getClassifier().isEmpty()) ? type.getClassifier() : dependency.getClassifier());
        final Artifact artifact = artifactResolver.resolveArtifact(buildingRequest, coordinate).getArtifact();
        artifact.setScope(dependency.getScope());
        // The node carries the dependency's declared version string, not the resolved one chosen above.
        return new DefaultDependencyNode(parent, artifact, dependency.getVersion(), dependency.getScope(), null);
    }

    /**
     * Returns the version from the list of nodes that match the given groupId
     * and artifactID. When several nodes match, the first one in list order is used.
     *
     * @param nodes the nodes to search
     * @param groupId the group id to find
     * @param artifactId the artifact id to find
     * @return the version from the list of nodes that match the given groupId
     * and artifactID; otherwise null is returned
     */
    private String findVersion(List nodes, String groupId, String artifactId) {
        final Optional f = nodes.stream().filter(p -> groupId.equals(p.getArtifact().getGroupId()) && artifactId.equals(p.getArtifact().getArtifactId())).findFirst();
        if (f.isPresent()) {
            return f.get().getArtifact().getVersion();
        }
        return null;
    }

    /**
     * Collect dependencies from the dependency management section.
*
* @param engine reference to the ODC engine
* @param buildingRequest the Maven project building request
* @param project the project being analyzed
* @param nodes the list of dependency nodes
* @param aggregate whether or not this is an aggregate analysis
* @return a collection of exceptions if any occurred; otherwise
* null
*/
    private ExceptionCollection collectDependencyManagementDependencies(Engine engine, ProjectBuildingRequest buildingRequest, MavenProject project, List nodes, boolean aggregate) {
        if (skipDependencyManagement || project.getDependencyManagement() == null) {
            return null;
        }
        ExceptionCollection exCol = null;
        for (org.apache.maven.model.Dependency dependency : project.getDependencyManagement().getDependencies()) {
            try {
                // Managed dependencies become root-level nodes (no parent) in the same list.
                nodes.add(toDependencyNode(nodes, buildingRequest, null, dependency));
            } catch (ArtifactResolverException ex) {
                getLog().debug(String.format("Aggregate : %s", aggregate));
                // In an aggregate build an unresolvable managed dependency may be a reactor
                // module that has not been built yet; if a virtual dependency can be created
                // for it the resolver exception is not reported.
                final boolean resolvedFromReactor = aggregate && addReactorDependency(engine,
                        new DefaultArtifact(dependency.getGroupId(), dependency.getArtifactId(), dependency.getVersion(),
                                dependency.getScope(), dependency.getType(), dependency.getClassifier(), new DefaultArtifactHandler()),
                        project);
                if (resolvedFromReactor) {
                    continue;
                }
                if (exCol == null) {
                    exCol = new ExceptionCollection();
                }
                exCol.addException(ex);
            }
        }
        return exCol;
    }

    /**
     * Resolves the projects artifacts using Aether and scans the resulting
     * dependencies.
*
* @param engine the core dependency-check engine
* @param project the project being scanned
* @param nodes the list of dependency nodes, generally obtained via the
* DependencyGraphBuilder
* @param buildingRequest the Maven project building request
* @param aggregate whether the scan is part of an aggregate build
* @return a collection of exceptions that may have occurred while resolving
* and scanning the dependencies
*/
    //CSOFF: OperatorWrap
    private ExceptionCollection collectMavenDependencies(Engine engine, MavenProject project, List nodes, ProjectBuildingRequest buildingRequest, boolean aggregate) {
        ExceptionCollection exCol = collectDependencyManagementDependencies(engine, buildingRequest, project, nodes, aggregate);
        // Lazily filled on the first unresolved artifact; holds the results of a single
        // (possibly partial) resolution of the whole project so later nodes can reuse it.
        final List allResolvedDeps = new ArrayList<>();
        for (DependencyNode dependencyNode : nodes) {
            // Nodes matching the configured scope/type exclusion filters are not scanned at all.
            if (artifactScopeExcluded.passes(dependencyNode.getArtifact().getScope()) || artifactTypeExcluded.passes(dependencyNode.getArtifact().getType())) {
                continue;
            }
            boolean isResolved = false;
            File artifactFile = null;
            String artifactId = null;
            String groupId = null;
            String version = null;
            List availableVersions = null;
            if (org.apache.maven.artifact.Artifact.SCOPE_SYSTEM.equals(dependencyNode.getArtifact().getScope())) {
                // System-scoped artifacts are never resolved from a repository: use the file Maven
                // already attached, or fall back to the declared systemPath of the matching dependency.
                final Artifact a = dependencyNode.getArtifact();
                // NOTE(review): assumes a resolved artifact has a non-null file; a.getFile() is dereferenced unguarded — confirm.
                if (a.isResolved() && a.getFile().isFile()) {
                    artifactFile = a.getFile();
                    isResolved = artifactFile.isFile();
                    groupId = a.getGroupId();
                    artifactId = a.getArtifactId();
                    version = a.getVersion();
                    availableVersions = a.getAvailableVersions();
                } else {
                    for (org.apache.maven.model.Dependency d : project.getDependencies()) {
                        if (d.getSystemPath() != null && artifactsMatch(d, a)) {
                            artifactFile = new File(d.getSystemPath());
                            isResolved = artifactFile.isFile();
                            groupId = a.getGroupId();
                            artifactId = a.getArtifactId();
                            version = a.getVersion();
                            availableVersions = a.getAvailableVersions();
                            break;
                        }
                    }
                }
                if (!isResolved) {
                    getLog().error("Unable to resolve system scoped dependency: " + dependencyNode.toNodeString());
                    if (exCol == null) {
                        exCol = new ExceptionCollection();
                    }
                    exCol.addException(new DependencyNotFoundException("Unable to resolve system scoped dependency: " + dependencyNode.toNodeString()));
                }
            } else {
                final Artifact dependencyArtifact = dependencyNode.getArtifact();
                final Artifact result;
                if (dependencyArtifact.isResolved()) {
                    //All transitive dependencies, excluding reactor and dependencyManagement artifacts should
                    //have been resolved by Maven prior to invoking the plugin - resolving the dependencies
                    //manually is unnecessary, and does not work in some cases (issue-1751)
                    getLog().debug(String.format("Skipping artifact %s, already resolved", dependencyArtifact.getArtifactId()));
                    result = dependencyArtifact;
                } else {
                    try {
                        if (allResolvedDeps.isEmpty()) { // no (partially successful) resolution attempt done
                            try {
                                final List dependencies = project.getDependencies();
                                final List managedDependencies = project.getDependencyManagement() == null ? null : project.getDependencyManagement().getDependencies();
                                final Iterable allDeps = dependencyResolver.resolveDependencies(buildingRequest, dependencies, managedDependencies, null);
                                allDeps.forEach(allResolvedDeps::add);
                            } catch (DependencyResolverException dre) {
                                // MSHARED-998 work-around: keep whatever Aether did resolve before failing,
                                // instead of losing every result because one artifact was missing.
                                if (dre.getCause() instanceof org.eclipse.aether.resolution.DependencyResolutionException) {
                                    final List successResults = Mshared998Util.getResolutionResults((org.eclipse.aether.resolution.DependencyResolutionException) dre.getCause());
                                    allResolvedDeps.addAll(successResults);
                                } else {
                                    throw dre;
                                }
                            }
                        }
                        result = findInAllDeps(allResolvedDeps, dependencyNode.getArtifact(), project);
                    } catch (DependencyNotFoundException | DependencyResolverException ex) {
                        getLog().debug(String.format("Aggregate : %s", aggregate));
                        boolean addException = true;
                        //CSOFF: EmptyBlock
                        if (!aggregate) {
                            // do nothing - the exception is to be reported
                        } else if (addReactorDependency(engine, dependencyNode.getArtifact(), project)) {
                            // successfully resolved as a reactor dependency - swallow the exception
                            addException = false;
                        }
                        if (addException) {
                            if (exCol == null) {
                                exCol = new ExceptionCollection();
                            }
                            exCol.addException(ex);
                        }
                        continue;
                    }
                }
                // In an aggregate build a SNAPSHOT that is also a reactor module is represented by a
                // virtual dependency built from the reactor project instead of the repository copy.
                if (aggregate && virtualSnapshotsFromReactor && dependencyNode.getArtifact().isSnapshot() && addSnapshotReactorDependency(engine, dependencyNode.getArtifact(), project)) {
                    continue;
                }
                isResolved = result.isResolved();
                artifactFile = result.getFile();
                groupId = result.getGroupId();
                artifactId = result.getArtifactId();
                version = result.getVersion();
                availableVersions = result.getAvailableVersions();
            }
            if (isResolved && artifactFile != null) {
                final List deps = engine.scan(artifactFile.getAbsoluteFile(), createProjectReferenceName(project, dependencyNode));
                if (deps != null) {
                    scannedFiles.add(artifactFile);
                    Dependency d = null;
                    if (deps.size() == 1) {
                        d = deps.get(0);
                    } else {
                        // Several dependencies came back from one scan; pick the one whose actual file is this artifact.
                        for (Dependency possible : deps) {
                            if (artifactFile.getAbsoluteFile().equals(possible.getActualFile())) {
                                d = possible;
                                break;
                            }
                        }
                    }
                    if (d != null) {
                        // The Maven coordinates are attached as highest-confidence "pom" evidence.
                        final MavenArtifact ma = new MavenArtifact(groupId, artifactId, version);
                        d.addAsEvidence("pom", ma, Confidence.HIGHEST);
                        if (availableVersions != null) {
                            for (ArtifactVersion av : availableVersions) {
                                d.addAvailableVersion(av.toString());
                            }
                        }
                        getLog().debug(String.format("Adding project reference %s on dependency %s", project.getName(), d.getDisplayFileName()));
                    } else if (getLog().isDebugEnabled()) {
                        final String msg = String.format("More than 1 dependency was identified in first pass scan of '%s' in project %s", dependencyNode.getArtifact().getId(), project.getName());
                        getLog().debug(msg);
                    }
                } else if ("import".equals(dependencyNode.getArtifact().getScope())) {
                    final String msg = String.format("Skipping '%s:%s' in project %s as it uses an `import` scope", dependencyNode.getArtifact().getId(), dependencyNode.getArtifact().getScope(), project.getName());
                    getLog().debug(msg);
                } else if ("pom".equals(dependencyNode.getArtifact().getType())) {
                    // A pom-typed artifact has no archive to scan; it is added from its POM evidence instead.
                    try {
                        final Dependency d = new Dependency(artifactFile.getAbsoluteFile());
                        final Model pom = PomUtils.readPom(artifactFile.getAbsoluteFile());
                        JarAnalyzer.setPomEvidence(d, pom, null, true);
                        engine.addDependency(d);
                    } catch (AnalysisException ex) {
                        if (exCol == null) {
                            exCol = new ExceptionCollection();
                        }
                        exCol.addException(ex);
                        getLog().debug("Error reading pom " + artifactFile.getAbsoluteFile(), ex);
                    }
                } else {
                    if (!scannedFiles.contains(artifactFile)) {
                        final String msg = String.format("No analyzer could be found or the artifact has been scanned twice for '%s:%s' in project %s", dependencyNode.getArtifact().getId(), dependencyNode.getArtifact().getScope(), project.getName());
                        getLog().warn(msg);
                    }
                }
            } else {
                final String msg = String.format("Unable to resolve '%s' in project %s", dependencyNode.getArtifact().getId(), project.getName());
                getLog().debug(msg);
                // NOTE(review): an ExceptionCollection is created here but no exception is added to it,
                // so the caller sees a non-null (possibly empty) collection for an unresolved artifact
                // while the detail is only logged at debug level — confirm this is intended.
                if (exCol == null) {
                    exCol = new ExceptionCollection();
                }
            }
        }
        return exCol;
    }
    //CSON: OperatorWrap

    /**
     * Utility method for a work-around to MSHARED-998
     *
     * @param allDeps The List of ArtifactResults for all dependencies
     * @param unresolvedArtifact The ArtifactCoordinate of the artifact we're
     * looking for
     * @param project The project in whose context resolution was attempted
     * @return the resolved artifact matching with {@code unresolvedArtifact}
     * @throws DependencyNotFoundException If {@code unresolvedArtifact} could
     * not be found within {@code allDeps}
     */
    private Artifact findInAllDeps(final List allDeps, final Artifact unresolvedArtifact, final MavenProject project) throws DependencyNotFoundException {
        Artifact result = null;
        // First match in list order wins; matching is delegated to sameArtifact.
        for (final ArtifactResult res : allDeps) {
            if (sameArtifact(res, unresolvedArtifact)) {
                result = res.getArtifact();
                break;
            }
        }
        if (result == null) {
            throw new DependencyNotFoundException(String.format("Expected dependency not found in resolved artifacts for " + "dependency %s of project-artifact %s", unresolvedArtifact, project.getArtifactId()));
        }
        return result;
    }

    /**
     * Utility method for a work-around to
 * MSHARED-998
 *
 * @param res A single ArtifactResult obtained from the DependencyResolver
 * @param unresolvedArtifact The unresolved Artifact from the
 * dependencyGraph that we try to find
 * @return {@code true} when unresolvedArtifact is non-null and matches with
 * the artifact of res
 */
    private boolean sameArtifact(final ArtifactResult res, final Artifact unresolvedArtifact) {
        if (res == null || res.getArtifact() == null || unresolvedArtifact == null) {
            return false;
        }
        final Artifact candidate = res.getArtifact();
        // All five coordinate parts are compared before the verdict is combined;
        // null-safe equality is used for each so a missing classifier on both sides still matches.
        final boolean groupMatches = Objects.equals(candidate.getGroupId(), unresolvedArtifact.getGroupId());
        final boolean artifactMatches = Objects.equals(candidate.getArtifactId(), unresolvedArtifact.getArtifactId());
        final boolean baseVersionMatches = Objects.equals(candidate.getBaseVersion(), unresolvedArtifact.getBaseVersion());
        final boolean classifierMatches = Objects.equals(candidate.getClassifier(), unresolvedArtifact.getClassifier());
        final boolean typeMatches = Objects.equals(candidate.getType(), unresolvedArtifact.getType());
        return groupMatches && artifactMatches && baseVersionMatches && classifierMatches && typeMatches;
    }

    /**
     * Builds the name used when a {@link Dependency#getProjectReferences() project reference}
     * is created on a {@link Dependency}: the project name, a colon, and the scope of the
     * node's artifact.
     *
     * @param project the {@link MavenProject}
     * @param dependencyNode the {@link DependencyNode}
     * @return {@link MavenProject#getName() project.getName()} + ":" +
     * {@link DependencyNode#getArtifact() dependencyNode.getArtifact()}{@link Artifact#getScope() .getScope()}
     */
    protected String createProjectReferenceName(MavenProject project, DependencyNode dependencyNode) {
        final String scope = dependencyNode.getArtifact().getScope();
        return String.format("%s:%s", project.getName(), scope);
    }

    /**
     * Scans the projects dependencies including the default (or defined)
     * FileSets.
*
* @param engine the core dependency-check engine
* @param project the project being scanned
* @param nodes the list of dependency nodes, generally obtained via the
* DependencyGraphBuilder
* @param buildingRequest the Maven project building request
* @param aggregate whether the scan is part of an aggregate build
* @return a collection of exceptions that may have occurred while resolving
* and scanning the dependencies
*/
    private ExceptionCollection collectDependencies(Engine engine, MavenProject project, List nodes, ProjectBuildingRequest buildingRequest, boolean aggregate) {
        ExceptionCollection exCol;
        exCol = collectMavenDependencies(engine, project, nodes, buildingRequest, aggregate);
        final List projectScan;
        if (scanDirectory != null && !scanDirectory.isEmpty()) {
            if (scanSet == null) {
                scanSet = new ArrayList<>();
            }
            // Every scanDirectory entry becomes an include-everything FileSet appended to the
            // scanSet field itself.
            // NOTE(review): scanSet is a field, so each call of this method appends these
            // FileSets again — confirm callers invoke it only once per configured scanDirectory.
            scanDirectory.forEach(d -> {
                final FileSet fs = new FileSet();
                fs.setDirectory(d);
                fs.addInclude(INCLUDE_ALL);
                scanSet.add(fs);
            });
        }
        if (scanSet == null || scanSet.isEmpty()) {
            // Define the default FileSets
            final FileSet resourcesSet = new FileSet();
            final FileSet filtersSet = new FileSet();
            final FileSet webappSet = new FileSet();
            final FileSet mixedLangSet = new FileSet();
            try {
                // Directories are canonicalised relative to the project basedir; getCanonicalPath
                // is what can throw the IOException handled below.
                resourcesSet.setDirectory(new File(project.getBasedir(), "src/main/resources").getCanonicalPath());
                resourcesSet.addInclude(INCLUDE_ALL);
                filtersSet.setDirectory(new File(project.getBasedir(), "src/main/filters").getCanonicalPath());
                filtersSet.addInclude(INCLUDE_ALL);
                webappSet.setDirectory(new File(project.getBasedir(), "src/main/webapp").getCanonicalPath());
                webappSet.addInclude(INCLUDE_ALL);
                // Package-manager manifests and lock files at the project root are picked up so
                // non-Java ecosystems declared alongside the Maven build are analyzed too.
                mixedLangSet.setDirectory(project.getBasedir().getCanonicalPath());
                mixedLangSet.addInclude("package.json");
                mixedLangSet.addInclude("package-lock.json");
                mixedLangSet.addInclude("npm-shrinkwrap.json");
                mixedLangSet.addInclude("Gopkg.lock");
                mixedLangSet.addInclude("go.mod");
                mixedLangSet.addInclude("yarn.lock");
                mixedLangSet.addInclude("pnpm-lock.yaml");
                // NOTE(review): exclude pattern reproduced as it appears in this listing — confirm it is the intended ant-style pattern.
                mixedLangSet.addExclude("/node_modules/");
            } catch (IOException ex) {
                // The failure is recorded but the (partially configured) FileSets are still scanned.
                if (exCol == null) {
                    exCol = new ExceptionCollection();
                }
                exCol.addException(ex);
            }
            projectScan = new ArrayList<>();
            projectScan.add(resourcesSet);
            projectScan.add(filtersSet);
            projectScan.add(webappSet);
            projectScan.add(mixedLangSet);
        } else if (aggregate) {
            // In an aggregate run the configured FileSets are shared across projects, so each
            // project works on a copy whose relative directory is re-anchored at its own basedir.
            projectScan = new ArrayList<>();
            for (FileSet copyFrom : scanSet) {
                //deep copy of the FileSet - modifying the directory if it is not absolute.
                final FileSet fsCopy = new FileSet();
                final File f = new File(copyFrom.getDirectory());
                if (f.isAbsolute()) {
                    fsCopy.setDirectory(copyFrom.getDirectory());
                } else {
                    try {
                        fsCopy.setDirectory(new File(project.getBasedir(), copyFrom.getDirectory()).getCanonicalPath());
                    } catch (IOException ex) {
                        if (exCol == null) {
                            exCol = new ExceptionCollection();
                        }
                        exCol.addException(ex);
                        // Fall back to the relative directory as configured.
                        fsCopy.setDirectory(copyFrom.getDirectory());
                    }
                }
                fsCopy.setDirectoryMode(copyFrom.getDirectoryMode());
                fsCopy.setExcludes(copyFrom.getExcludes());
                fsCopy.setFileMode(copyFrom.getFileMode());
                // Symlink following is copied verbatim from the configured FileSet.
                fsCopy.setFollowSymlinks(copyFrom.isFollowSymlinks());
                fsCopy.setIncludes(copyFrom.getIncludes());
                fsCopy.setLineEnding(copyFrom.getLineEnding());
                fsCopy.setMapper(copyFrom.getMapper());
                fsCopy.setModelEncoding(copyFrom.getModelEncoding());
                fsCopy.setOutputDirectory(copyFrom.getOutputDirectory());
                fsCopy.setUseDefaultExcludes(copyFrom.isUseDefaultExcludes());
                projectScan.add(fsCopy);
            }
        } else {
            projectScan = scanSet;
        }
        // Iterate through FileSets and scan included files
        final FileSetManager fileSetManager = new FileSetManager();
        for (FileSet fileSet : projectScan) {
            getLog().debug("Scanning fileSet: " + fileSet.getDirectory());
            final String[] includedFiles = fileSetManager.getIncludedFiles(fileSet);
            for (String include : includedFiles) {
                final File includeFile = new File(fileSet.getDirectory(), include).getAbsoluteFile();
                // Only files that still exist at this point are handed to the engine.
                if (includeFile.exists()) {
                    engine.scan(includeFile, project.getName());
                }
            }
        }
        return exCol;
    }

    /**
     * Checks if the current
 * artifact is actually in the reactor projects that
 * have not yet been built. If true a virtual dependency is created based on
 * the evidence in the project.
 *
 * @param engine a reference to the engine being used to scan
 * @param artifact the artifact being analyzed in the mojo
 * @param depender The project that depends on this virtual dependency
 * @return true if the artifact is in the reactor; otherwise
 * false
 */
    private boolean addReactorDependency(Engine engine, Artifact artifact, final MavenProject depender) {
        // Info-level template used when the reactor module is substituted; "%s" receives the display name.
        final String notBuiltYetTemplate = "Unable to resolve %s as it has not been built yet - creating a virtual dependency instead.";
        return addVirtualDependencyFromReactor(engine, artifact, depender, notBuiltYetTemplate);
    }

    /**
     * Checks if the current artifact is actually in the reactor projects. If
     * true a virtual dependency is created based on the evidence in the
     * project.
     *
     * @param engine a reference to the engine being used to scan
     * @param artifact the artifact being analyzed in the mojo
     * @param depender The project that depends on this virtual dependency
     * @param infoLogTemplate the template for the infoLog entry written when a
     * virtual dependency is added.
 * Needs a single %s placeholder for the
 * location of the displayName in the message
 * @return true if the artifact is in the reactor; otherwise
 * false
 */
    private boolean addVirtualDependencyFromReactor(Engine engine, Artifact artifact, final MavenProject depender, String infoLogTemplate) {
        getLog().debug(String.format("Checking the reactor projects (%d) for %s:%s:%s", reactorProjects.size(), artifact.getGroupId(), artifact.getArtifactId(), artifact.getVersion()));
        for (MavenProject prj : reactorProjects) {
            getLog().debug(String.format("Comparing %s:%s:%s to %s:%s:%s", artifact.getGroupId(), artifact.getArtifactId(), artifact.getBaseVersion(), prj.getGroupId(), prj.getArtifactId(), prj.getVersion()));
            // The reactor project's version is matched against the artifact's base version
            // (so a timestamped SNAPSHOT still matches its reactor module).
            if (prj.getArtifactId().equals(artifact.getArtifactId()) && prj.getGroupId().equals(artifact.getGroupId()) && prj.getVersion().equals(artifact.getBaseVersion())) {
                final String displayName = String.format("%s:%s:%s", prj.getGroupId(), prj.getArtifactId(), prj.getVersion());
                getLog().info(String.format(infoLogTemplate, displayName));
                final Dependency d = newDependency(prj);
                // key has the same value as displayName; it seeds the virtual dependency's checksums.
                final String key = String.format("%s:%s:%s", prj.getGroupId(), prj.getArtifactId(), prj.getVersion());
                // These sums are computed over the coordinate string, not over any file content,
                // so they identify the reactor module rather than attest to a built artifact.
                d.setSha1sum(Checksum.getSHA1Checksum(key));
                d.setSha256sum(Checksum.getSHA256Checksum(key));
                d.setMd5sum(Checksum.getMD5Checksum(key));
                d.setEcosystem(JarAnalyzer.DEPENDENCY_ECOSYSTEM);
                d.setDisplayFileName(displayName);
                d.addProjectReference(depender.getName());
                // artifactId is strong product / weak vendor evidence; groupId the reverse.
                d.addEvidence(EvidenceType.PRODUCT, "project", "artifactid", prj.getArtifactId(), Confidence.HIGHEST);
                d.addEvidence(EvidenceType.VENDOR, "project", "artifactid", prj.getArtifactId(), Confidence.LOW);
                d.addEvidence(EvidenceType.VENDOR, "project", "groupid", prj.getGroupId(), Confidence.HIGHEST);
                d.addEvidence(EvidenceType.PRODUCT, "project", "groupid", prj.getGroupId(), Confidence.LOW);
                // Repeated call; the ecosystem was already set above.
                d.setEcosystem(JarAnalyzer.DEPENDENCY_ECOSYSTEM);
                Identifier id;
                try {
                    // The PURL is built from the requested artifact's coordinates (artifact.getVersion()),
                    // whereas name/version/package path below use the reactor project's values.
                    id = new PurlIdentifier(StandardTypes.MAVEN, artifact.getGroupId(), artifact.getArtifactId(), artifact.getVersion(), Confidence.HIGHEST);
                } catch (MalformedPackageURLException ex) {
                    getLog().debug("Unable to create PackageURL object:" + key);
                    id = new GenericIdentifier("maven:" + key, Confidence.HIGHEST);
                }
                d.addSoftwareIdentifier(id);
                //TODO unify the setName/version and package path - they are equivelent ideas submitted by two seperate committers
                d.setName(String.format("%s:%s", prj.getGroupId(), prj.getArtifactId()));
                d.setVersion(prj.getVersion());
                d.setPackagePath(displayName);
                if (prj.getDescription() != null) {
                    JarAnalyzer.addDescription(d, prj.getDescription(), "project", "description");
                }
                for (License l : prj.getLicenses()) {
                    final StringBuilder license = new StringBuilder();
                    if (l.getName() != null) {
                        license.append(l.getName());
                    }
                    if (l.getUrl() != null) {
                        license.append(" ").append(l.getUrl());
                    }
                    // Licenses are accumulated one per line, skipping text already present.
                    if (d.getLicense() == null) {
                        d.setLicense(license.toString());
                    } else if (!d.getLicense().contains(license)) {
                        d.setLicense(String.format("%s%n%s", d.getLicense(), license));
                    }
                }
                engine.addDependency(d);
                return true;
            }
        }
        return false;
    }

    /**
     * Creates the virtual dependency for a reactor project, backed by the
     * project's pom.xml when it exists on disk, else by the project file, else
     * by no file at all.
     *
     * @param prj the reactor project
     * @return a new virtual Dependency for the project
     */
    Dependency newDependency(MavenProject prj) {
        final File pom = new File(prj.getBasedir(), "pom.xml");
        if (pom.isFile()) {
            getLog().debug("Adding virtual dependency from pom.xml");
            return new Dependency(pom, true);
        } else if (prj.getFile().isFile()) {
            getLog().debug("Adding virtual dependency from file");
            return new Dependency(prj.getFile(), true);
        } else {
            return new Dependency(true);
        }
    }

    /**
     * Checks if the current artifact is actually in the reactor projects. If
     * true a virtual dependency is created based on the evidence in the
     * project.
*
* @param engine a reference to the engine being used to scan
* @param artifact the artifact being analyzed in the mojo
* @param depender The project that depends on this virtual dependency
* @return true if the artifact is a snapshot artifact in the
* reactor; otherwise false
*/
    private boolean addSnapshotReactorDependency(Engine engine, Artifact artifact, final MavenProject depender) {
        // Non-snapshots never qualify; the reactor lookup only runs for snapshot artifacts.
        final String snapshotTemplate = "Found snapshot reactor project in aggregate for %s - "
                + "creating a virtual dependency as the snapshot found in the repository may contain outdated dependencies.";
        return artifact.isSnapshot() && addVirtualDependencyFromReactor(engine, artifact, depender, snapshotTemplate);
    }

    /**
     * Creates a new ProjectBuildingRequest for the target project: a copy of the
     * session's request with the project's remote artifact repositories and the
     * project itself set on it, used to resolve artifacts.
     *
     * @param project The target project to create a building request for.
     * @return Returns a new ProjectBuildingRequest populated from the current
     * session and the target project remote repositories, used to resolve
     * artifacts.
     */
    public ProjectBuildingRequest newResolveArtifactProjectBuildingRequest(MavenProject project) {
        final ProjectBuildingRequest request = new DefaultProjectBuildingRequest(session.getProjectBuildingRequest());
        // Copy the repository list so the request does not alias the project's own list.
        final List remoteRepositories = new ArrayList<>(project.getRemoteArtifactRepositories());
        request.setRemoteRepositories(remoteRepositories);
        request.setProject(project);
        return request;
    }

    /**
     * Executes the dependency-check scan and generates the necessary report.
*
* @throws MojoExecutionException thrown if there is an exception running
* the scan
* @throws MojoFailureException thrown if dependency-check is configured to
* fail the build
*/
    protected void runCheck() throws MojoExecutionException, MojoFailureException {
        muteJCS();
        // The engine is AutoCloseable; try-with-resources guarantees it is closed.
        try (Engine engine = initializeEngine()) {
            ExceptionCollection exCol = scanDependencies(engine);
            try {
                engine.analyzeDependencies();
            } catch (ExceptionCollection ex) {
                exCol = handleAnalysisExceptions(exCol, ex);
            }
            // Reports, the summary and the CVSS-threshold check only run when the scan was not
            // fatal. With failOnError=false a fatal scan is logged by handleAnalysisExceptions and
            // this method returns without writing a report or calling checkForFailure.
            if (exCol == null || !exCol.isFatal()) {
                File outputDir = getCorrectOutputDirectory(this.getProject());
                if (outputDir == null) {
                    //in some regards we shouldn't be writing this, but we are anyway.
                    //we shouldn't write this because nothing is configured to generate this report.
                    outputDir = new File(this.getProject().getBuild().getDirectory());
                }
                try {
                    final MavenProject p = this.getProject();
                    for (String f : getFormats()) {
                        engine.writeReports(p.getName(), p.getGroupId(), p.getArtifactId(), p.getVersion(), outputDir, f, exCol);
                    }
                } catch (ReportException ex) {
                    if (exCol == null) {
                        exCol = new ExceptionCollection(ex);
                    } else {
                        exCol.addException(ex);
                    }
                    if (this.isFailOnError()) {
                        throw new MojoExecutionException("One or more exceptions occurred during dependency-check analysis", exCol);
                    } else {
                        getLog().debug("Error writing the report", ex);
                    }
                }
                showSummary(this.getProject(), engine.getDependencies());
                // Reports are written before this threshold check, so a failing build still has its report.
                checkForFailure(engine.getDependencies());
                // Any non-null collection counts as an error here, even one holding no exceptions
                // (collectMavenDependencies can return an empty one).
                if (exCol != null && this.isFailOnError()) {
                    throw new MojoExecutionException("One or more exceptions occurred during dependency-check analysis", exCol);
                }
            }
        } catch (DatabaseException ex) {
            if (getLog().isDebugEnabled()) {
                getLog().debug("Database connection error", ex);
            }
            final String msg = "An exception occurred connecting to the local database. Please see the log file for more details.";
            if (this.isFailOnError()) {
                throw new MojoExecutionException(msg, ex);
            }
            getLog().error(msg, ex);
        } finally {
            getSettings().cleanup();
        }
    }

    /**
     * Combines the two exception collections and if either are fatal, throw an
     * MojoExecutionException
     *
     * @param currentEx the primary exception collection
     * @param newEx the new exception collection to add
     * @return the combined exception collection
     * @throws MojoExecutionException thrown if dependency-check is configured
     * to fail on errors
     */
    private ExceptionCollection handleAnalysisExceptions(ExceptionCollection currentEx, ExceptionCollection newEx) throws MojoExecutionException {
        ExceptionCollection returnEx = currentEx;
        if (returnEx == null) {
            returnEx = newEx;
        } else {
            // Merges in place: currentEx is mutated and also returned.
            returnEx.getExceptions().addAll(newEx.getExceptions());
            if (newEx.isFatal()) {
                returnEx.setFatal(true);
            }
        }
        if (returnEx.isFatal()) {
            final String msg = String.format("Fatal exception(s) analyzing %s", getProject().getName());
            if (this.isFailOnError()) {
                throw new MojoExecutionException(msg, returnEx);
            }
            // failOnError=false: the fatal condition is only logged; the caller decides what to skip.
            getLog().error(msg);
            if (getLog().isDebugEnabled()) {
                getLog().debug(returnEx);
            }
        } else {
            final String msg = String.format("Exception(s) analyzing %s", getProject().getName());
            if (getLog().isDebugEnabled()) {
                getLog().debug(msg, returnEx);
            }
        }
        return returnEx;
    }

    /**
     * Scans the dependencies of the projects in aggregate.
     *
     * @param engine the engine used to perform the scanning
     * @return a collection of exceptions
     * @throws MojoExecutionException thrown if a fatal exception occurs
     */
    protected abstract ExceptionCollection scanDependencies(Engine engine) throws MojoExecutionException;

    /**
     * Returns the report output directory.
     *
     * @return the report output directory
     */
    @Override
    public File getReportOutputDirectory() {
        return reportOutputDirectory;
    }

    /**
     * Sets the Reporting output directory.
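*
 * @param directory the output directory
 */
@Override
public void setReportOutputDirectory(File directory) {
    reportOutputDirectory = directory;
}

/**
 * Returns the plugin's own output directory (the {@code outputDirectory}
 * parameter), distinct from the site report directory above.
 *
 * @return the output directory
 */
public File getOutputDirectory() {
    return outputDirectory;
}

/**
 * Returns whether this is an external report. This method always returns
 * true: the plugin writes its own report files.
 *
 * @return true
 */
@Override
public final boolean isExternalReport() {
    return true;
}

/**
 * Returns the output name used for the report link during site generation.
 *
 * <p>The name is derived from the configured formats: {@code HTML},
 * {@code ALL} or more than one format resolve to the extension-less
 * {@code dependency-check-report}; a single other format gets its own
 * extension. Format names are compared case-insensitively here, matching
 * {@code getFormats()}, which validates with {@code toUpperCase()} but keeps
 * the user's spelling — previously {@code <format>xml</format>} fell through
 * to the "unknown format" branch and produced the wrong link name.
 *
 * @return the output name
 */
@Override
public String getOutputName() {
    final Set<String> selectedFormats = new HashSet<>();
    for (String configured : getFormats()) {
        selectedFormats.add(configured.toUpperCase());
    }
    if (selectedFormats.contains("HTML") || selectedFormats.contains("ALL") || selectedFormats.size() > 1) {
        return "dependency-check-report";
    } else if (selectedFormats.contains("JENKINS")) {
        return "dependency-check-jenkins.html";
    } else if (selectedFormats.contains("XML")) {
        return "dependency-check-report.xml";
    } else if (selectedFormats.contains("JUNIT")) {
        return "dependency-check-junit.xml";
    } else if (selectedFormats.contains("JSON")) {
        return "dependency-check-report.json";
    } else if (selectedFormats.contains("SARIF")) {
        return "dependency-check-report.sarif";
    } else if (selectedFormats.contains("CSV")) {
        return "dependency-check-report.csv";
    } else {
        getLog().warn("Unknown report format used during site generation.");
        return "dependency-check-report";
    }
}

/**
 * Returns the category name.
 *
 * @return the category name
 */
@Override
public String getCategoryName() {
    return MavenReport.CATEGORY_PROJECT_REPORTS;
}

/**
 * Initializes a new Engine that can be used for scanning. This
 * method should only be called in a try-with-resources to ensure that the
 * engine is properly closed.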
*
 * @return a newly instantiated Engine
 * @throws DatabaseException thrown if there is a database exception
 */
protected Engine initializeEngine() throws DatabaseException {
    // Always rebuilds the Settings object from the mojo parameters first.
    populateSettings();
    return new Engine(settings);
}

/**
 * Takes the properties supplied and updates the dependency-check settings.
 * Additionally, this sets the system properties required to change the
 * proxy URL, port, and connection timeout.
 *
 * <p>Credential handling, in precedence order:
 * <ul>
 * <li>Proxy: the settings.xml proxy selected by {@code getMavenProxy()}; only
 * if none is found, the {@code http.proxy*} JVM system properties. A password
 * supplied via {@code -Dhttp.proxyPassword} is visible in the process
 * command line; prefer an (encrypted) settings.xml entry.</li>
 * <li>Nexus / OSS Index / Artifactory / database / CVE / suppression file:
 * a {@code *ServerId} referring to a settings.xml {@code <server>} is used
 * only when the corresponding explicit user/password parameters are
 * <em>both</em> null, so plaintext credentials in the POM win over the
 * server id.</li>
 * <li>A password that cannot be decrypted is passed on as-is (see
 * {@code handleSecDispatcherException}), so an undecryptable
 * {@code {...}} blob can be sent to the remote as the password.</li>
 * </ul>
 */
protected void populateSettings() {
    settings = new Settings();
    InputStream mojoProperties = null;
    try {
        // NOTE(review): getResourceAsStream returns null when the resource is
        // missing; that null reaches mergeProperties rather than this catch.
        mojoProperties = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
        settings.mergeProperties(mojoProperties);
    } catch (IOException ex) {
        getLog().warn("Unable to load the dependency-check maven mojo.properties file.");
        if (getLog().isDebugEnabled()) {
            getLog().debug("", ex);
        }
    } finally {
        if (mojoProperties != null) {
            try {
                mojoProperties.close();
            } catch (IOException ex) {
                if (getLog().isDebugEnabled()) {
                    getLog().debug("", ex);
                }
            }
        }
    }
    // mavenSettings is dereferenced unconditionally here (getMavenProxy() null-checks it).
    settings.setStringIfNotEmpty(Settings.KEYS.MAVEN_LOCAL_REPO, mavenSettings.getLocalRepository());
    settings.setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, enableExperimental);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIRED_ENABLED, enableRetired);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_GOLANG_DEP_ENABLED, golangDepEnabled);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_GOLANG_MOD_ENABLED, golangModEnabled);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_DART_ENABLED, dartAnalyzerEnabled);
    // Paths to external tools the analyzers execute (go, yarn, pnpm).
    settings.setStringIfNotNull(Settings.KEYS.ANALYZER_GOLANG_PATH, pathToGo);
    settings.setStringIfNotNull(Settings.KEYS.ANALYZER_YARN_PATH, pathToYarn);
    settings.setStringIfNotNull(Settings.KEYS.ANALYZER_PNPM_PATH, pathToPnpm);
    final Proxy proxy = getMavenProxy();
    boolean proxySet = false;
    if (proxy != null) {
        proxySet = true;
        settings.setString(Settings.KEYS.PROXY_SERVER, proxy.getHost());
        settings.setString(Settings.KEYS.PROXY_PORT, Integer.toString(proxy.getPort()));
        final String userName = proxy.getUsername();
        String password = proxy.getPassword();
        if (password != null && !password.isEmpty()) {
            if (settings.getBoolean(Settings.KEYS.PROXY_DISABLE_SCHEMAS, true)) {
                // SECURITY: clears the JDK's list of authentication schemes that are
                // disabled for HTTPS CONNECT tunnelling (by default it contains
                // "Basic", which the JDK disables because the credentials reach the
                // proxy base64-encoded). This is a process-wide System property: it
                // affects every HTTP client in the Maven JVM for the rest of the
                // build. Controlled by PROXY_DISABLE_SCHEMAS, which defaults to true.
                System.setProperty("jdk.http.auth.tunneling.disabledSchemes", "");
            }
            try {
                password = decryptPasswordFromSettings(password);
            } catch (SecDispatcherException ex) {
                password = handleSecDispatcherException("proxy", proxy.getId(), password, ex);
            }
        }
        settings.setStringIfNotNull(Settings.KEYS.PROXY_USERNAME, userName);
        settings.setStringIfNotNull(Settings.KEYS.PROXY_PASSWORD, password);
        settings.setStringIfNotNull(Settings.KEYS.PROXY_NON_PROXY_HOSTS, proxy.getNonProxyHosts());
    }
    // Fallback: JVM proxy system properties (no decryption is attempted here).
    if (!proxySet && System.getProperty("http.proxyHost") != null) {
        settings.setString(Settings.KEYS.PROXY_SERVER, System.getProperty("http.proxyHost", ""));
        if (System.getProperty("http.proxyPort") != null) {
            settings.setString(Settings.KEYS.PROXY_PORT, System.getProperty("http.proxyPort"));
        }
        if (System.getProperty("http.proxyUser") != null) {
            settings.setString(Settings.KEYS.PROXY_USERNAME, System.getProperty("http.proxyUser"));
        }
        if (System.getProperty("http.proxyPassword") != null) {
            settings.setString(Settings.KEYS.PROXY_PASSWORD, System.getProperty("http.proxyPassword"));
        }
        if (System.getProperty("http.nonProxyHosts") != null) {
            settings.setString(Settings.KEYS.PROXY_NON_PROXY_HOSTS, System.getProperty("http.nonProxyHosts"));
        }
    }
    final String[] suppressions = determineSuppressions();
    settings.setArrayIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressions);
    settings.setBooleanIfNotNull(Settings.KEYS.UPDATE_VERSION_CHECK_ENABLED, versionCheckEnabled);
    settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
    settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_READ_TIMEOUT, readTimeout);
    settings.setStringIfNotEmpty(Settings.KEYS.HINTS_FILE, hintsFile);
    settings.setFloat(Settings.KEYS.JUNIT_FAIL_ON_CVSS, junitFailOnCVSS);
    // Analyzer toggles: null leaves the value from mojo.properties untouched.
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUGETCONF_ENABLED, nugetconfAnalyzerEnabled);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_USE_CACHE, centralAnalyzerUseCache);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_ENABLED, artifactoryAnalyzerEnabled);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, assemblyAnalyzerEnabled);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_MSBUILD_PROJECT_ENABLED, msbuildAnalyzerEnabled);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, archiveAnalyzerEnabled);
    settings.setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
    settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_DOTNET_PATH, pathToCore);
    settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
    // Nexus credentials always come from settings.xml (no explicit user/password parameters).
    configureServerCredentials(nexusServerId, Settings.KEYS.ANALYZER_NEXUS_USER, Settings.KEYS.ANALYZER_NEXUS_PASSWORD);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
    settings.setStringIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_URL, artifactoryAnalyzerUrl);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_USES_PROXY, artifactoryAnalyzerUseProxy);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_PARALLEL_ANALYSIS, artifactoryAnalyzerParallelAnalysis);
    if (Boolean.TRUE.equals(artifactoryAnalyzerEnabled)) {
        // A server id takes precedence over the explicit username/API token parameters.
        if (artifactoryAnalyzerServerId != null) {
            configureServerCredentials(artifactoryAnalyzerServerId, Settings.KEYS.ANALYZER_ARTIFACTORY_API_USERNAME, Settings.KEYS.ANALYZER_ARTIFACTORY_API_TOKEN);
        } else {
            settings.setStringIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_API_USERNAME, artifactoryAnalyzerUsername);
            settings.setStringIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_API_TOKEN, artifactoryAnalyzerApiToken);
        }
        // The bearer token is set independently of the branch above.
        settings.setStringIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_BEARER_TOKEN, artifactoryAnalyzerBearerToken);
    }
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, pyDistributionAnalyzerEnabled);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, pyPackageAnalyzerEnabled);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, rubygemsAnalyzerEnabled);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, opensslAnalyzerEnabled);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CMAKE_ENABLED, cmakeAnalyzerEnabled);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_MAVEN_INSTALL_ENABLED, mavenInstallAnalyzerEnabled);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PIP_ENABLED, pipAnalyzerEnabled);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PIPFILE_ENABLED, pipfileAnalyzerEnabled);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_POETRY_ENABLED, poetryAnalyzerEnabled);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CPANFILE_ENABLED, cpanfileAnalyzerEnabled);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED, nodeAuditAnalyzerEnabled);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_USE_CACHE, nodeAuditAnalyzerUseCache);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_SKIPDEV, nodePackageSkipDevDependencies);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_SKIPDEV, nodeAuditSkipDevDependencies);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_YARN_AUDIT_ENABLED, yarnAuditAnalyzerEnabled);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PNPM_AUDIT_ENABLED, pnpmAuditAnalyzerEnabled);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_ENABLED, retireJsAnalyzerEnabled);
    settings.setStringIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_REPO_JS_URL, retireJsUrl);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_FORCEUPDATE, retireJsForceUpdate);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_MIX_AUDIT_ENABLED, mixAuditAnalyzerEnabled);
    settings.setStringIfNotNull(Settings.KEYS.ANALYZER_MIX_AUDIT_PATH, mixAuditPath);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, bundleAuditAnalyzerEnabled);
    settings.setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, bundleAuditPath);
    settings.setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_WORKING_DIRECTORY, bundleAuditWorkingDirectory);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COCOAPODS_ENABLED, cocoapodsAnalyzerEnabled);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED, swiftPackageManagerAnalyzerEnabled);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_RESOLVED_ENABLED, swiftPackageResolvedAnalyzerEnabled);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_ENABLED, ossindexAnalyzerEnabled);
    settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_URL, ossindexAnalyzerUrl);
    configureServerCredentials(ossIndexServerId, Settings.KEYS.ANALYZER_OSSINDEX_USER, Settings.KEYS.ANALYZER_OSSINDEX_PASSWORD);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_USE_CACHE, ossindexAnalyzerUseCache);
    settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, ossIndexWarnOnlyOnRemoteErrors);
    if (retirejs != null) {
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_FILTER_NON_VULNERABLE, retirejs.getFilterNonVulnerable());
        settings.setArrayIfNotEmpty(Settings.KEYS.ANALYZER_RETIREJS_FILTERS, retirejs.getFilters());
    }
    //Database configuration
    settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
    settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
    settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
    // serverId is consulted only when neither explicit credential parameter is set.
    if (databaseUser == null && databasePassword == null && serverId != null) {
        configureServerCredentials(serverId, Settings.KEYS.DB_USER, Settings.KEYS.DB_PASSWORD);
    } else {
        settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
        settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
    }
    settings.setStringIfNotEmpty(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
    settings.setStringIfNotEmpty(Settings.KEYS.DB_FILE_NAME, dbFilename);
    // An empty cveUrlModified is treated like an absent one and derived from cveUrlBase.
    final String cveModifiedJson = Optional.ofNullable(cveUrlModified)
            .filter(arg -> !arg.isEmpty())
            .orElseGet(this::getDefaultCveUrlModified);
    settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_JSON, cveModifiedJson);
    settings.setStringIfNotEmpty(Settings.KEYS.CVE_BASE_JSON, cveUrlBase);
    settings.setStringIfNotEmpty(Settings.KEYS.CVE_DOWNLOAD_WAIT_TIME, cveWaitTime);
    settings.setIntIfNotNull(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, cveValidForHours);
    // Clamps the mojo field itself, not just the setting.
    if (cveStartYear != null && cveStartYear < 2002) {
        getLog().warn("Invalid configuration: cveStartYear must be 2002 or greater");
        cveStartYear = 2002;
    }
    settings.setIntIfNotNull(Settings.KEYS.CVE_START_YEAR, cveStartYear);
    settings.setBooleanIfNotNull(Settings.KEYS.PRETTY_PRINT, prettyPrint);
    artifactScopeExcluded = new ArtifactScopeExcluded(skipTestScope, skipProvidedScope, skipSystemScope, skipRuntimeScope);
    artifactTypeExcluded = new ArtifactTypeExcluded(skipArtifactType);
    if (cveUser == null && cvePassword == null && cveServerId != null) {
        configureServerCredentials(cveServerId, Settings.KEYS.CVE_USER, Settings.KEYS.CVE_PASSWORD);
    } else {
        settings.setStringIfNotEmpty(Settings.KEYS.CVE_USER, cveUser);
        settings.setStringIfNotEmpty(Settings.KEYS.CVE_PASSWORD, cvePassword);
    }
    if (suppressionFileUser == null && suppressionFilePassword == null && suppressionFileServerId != null) {
        configureServerCredentials(suppressionFileServerId, Settings.KEYS.SUPPRESSION_FILE_USER, Settings.KEYS.SUPPRESSION_FILE_PASSWORD);
    } else {
        settings.setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE_USER, suppressionFileUser);
        settings.setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE_PASSWORD, suppressionFilePassword);
    }
}

/**
 * Retrieves the server credentials from the settings.xml, decrypts the
 * password, and places the values into the settings under the given key
 * names.
 *
 * <p>If the server id is not present in settings.xml an error is logged and
 * no credentials are stored; the scan continues, so the remote call will run
 * unauthenticated (or fail there). A decryption failure falls back to the
 * raw settings.xml value via {@code handleSecDispatcherException}.
 *
 * @param serverId the server id (a null id is silently ignored)
 * @param userSettingKey the property name for the username
 * @param passwordSettingKey the property name for the password
 */
private void configureServerCredentials(String serverId, String userSettingKey, String passwordSettingKey) {
    if (serverId != null) {
        final Server server = settingsXml.getServer(serverId);
        if (server != null) {
            final String username = server.getUsername();
            String password = null;
            try {
                password = decryptPasswordFromSettings(server.getPassword());
            } catch (SecDispatcherException ex) {
                password = handleSecDispatcherException("server", serverId, server.getPassword(), ex);
            }
            settings.setStringIfNotEmpty(userSettingKey, username);
            settings.setStringIfNotEmpty(passwordSettingKey, password);
        } else {
            getLog().error(String.format("Server '%s' not found in the settings.xml file", serverId));
        }
    }
}

/**
 * Decrypts a password from the Maven settings if it needs to be decrypted.
 * If it's not encrypted the input password will be returned unchanged.
*
 * @param password the original password value from the settings.xml
 * @return the decrypted password from the Maven configuration
 * @throws SecDispatcherException thrown if there is an error decrypting the
 * password
 */
private String decryptPasswordFromSettings(String password) throws SecDispatcherException {
    // Point the dispatcher at the conventional master-password file before
    // decrypting. Without this the default implementation looked for
    // ~/.settings-security.xml and failed with a FileNotFoundException.
    // Workaround copied from:
    // https://github.com/bsorrentino/maven-confluence-plugin/blob/master/maven-confluence-reporting-plugin/src/main/java/org/bsc/maven/confluence/plugin/AbstractBaseConfluenceMojo.java
    if (securityDispatcher instanceof DefaultSecDispatcher) {
        final DefaultSecDispatcher dispatcher = (DefaultSecDispatcher) securityDispatcher;
        dispatcher.setConfigurationFile("~/.m2/settings-security.xml");
    }
    return securityDispatcher.decrypt(password);
}

/**
 * Handles a SecDispatcherException that was thrown at an attempt to decrypt
 * an encrypted password from the Maven settings.
 *
 * <p>The value from settings.xml is always returned unchanged; the only
 * decision made here is whether to log an error. When the failure was a
 * missing security file and the value does not look encrypted (not wrapped
 * in braces) it is assumed to be a plaintext password and used silently.
 * In every other case an error is logged and the raw value — possibly an
 * encrypted {@code {...}} blob — is handed back and will be sent as the
 * password, which cannot succeed.
 *
 * @param settingsElementName "server" or "proxy"
 * @param settingsElementId value of the id attribute of the proxy resp.
 * server element to which the password belongs
 * @param passwordValueFromSettings original, undecrypted password value
 * from the settings
 * @param ex the exception to handle
 * @return the password fallback value to go on with, might be a not working one
 */
private String handleSecDispatcherException(String settingsElementName, String settingsElementId,
        String passwordValueFromSettings, SecDispatcherException ex) {
    final Throwable cause = ex.getCause();
    final boolean securityFileMissing = cause instanceof FileNotFoundException
            || (cause != null && cause.getCause() instanceof FileNotFoundException);
    // Short-circuit keeps the brace test (and its dereference) to the missing-file case only.
    final boolean reportFailure = !securityFileMissing
            || (passwordValueFromSettings.startsWith("{") && passwordValueFromSettings.endsWith("}"));
    if (reportFailure) {
        getLog().error(String.format(
                "Unable to decrypt the %s password for %s id '%s' in settings.xml%n\tCause: %s",
                settingsElementName, settingsElementName, settingsElementId, ex.getMessage()));
    }
    return passwordValueFromSettings;
}

/**
 * Combines the configured suppressionFile and suppressionFiles into a
 * single array.
 *
 * <p>When only {@code suppressionFiles} is set the configured array itself is
 * returned (no copy); {@code suppressionFile}, when set, is appended last.
 *
 * @return an array of suppression file paths, or {@code null} if neither is configured
 */
private String[] determineSuppressions() {
    if (suppressionFile == null) {
        return suppressionFiles;
    }
    if (suppressionFiles == null) {
        return new String[]{suppressionFile};
    }
    final String[] combined = Arrays.copyOf(suppressionFiles, suppressionFiles.length + 1);
    combined[combined.length - 1] = suppressionFile;
    return combined;
}

/**
 * Hacky method of muting the noisy logging from JCS.
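* Implemented using a solution from SO: https://stackoverflow.com/a/50723801
 *
 * <p>Best effort only: the level is forced through reflection on a private
 * field of the SLF4J simple logger, so every failure is logged at debug and
 * otherwise ignored. The original logger list named CompositeCache and
 * AbstractMemoryCache twice; the duplicates are dropped here.
 */
private void muteJCS() {
    final String[] noisyLoggers = {
        "org.apache.commons.jcs.auxiliary.disk.AbstractDiskCache",
        "org.apache.commons.jcs.engine.memory.AbstractMemoryCache",
        "org.apache.commons.jcs.engine.control.CompositeCache",
        "org.apache.commons.jcs.auxiliary.disk.indexed.IndexedDiskCache",
        "org.apache.commons.jcs.engine.control.event.ElementEventQueue",
        "org.apache.commons.jcs.engine.memory.AbstractDoubleLinkedListMemoryCache",
        "org.apache.commons.jcs.auxiliary.AuxiliaryCacheConfigurator",
        "org.apache.commons.jcs.engine.control.CompositeCacheManager",
        "org.apache.commons.jcs.utils.threadpool.ThreadPoolManager",
        "org.apache.commons.jcs.engine.control.CompositeCacheConfigurator"};
    for (String loggerName : noisyLoggers) {
        try {
            //This is actually a MavenSimpleLogger, but due to various classloader issues, can't work with the directly.
            final Logger l = LoggerFactory.getLogger(loggerName);
            final Field f = l.getClass().getSuperclass().getDeclaredField("currentLogLevel");
            f.setAccessible(true);
            f.set(l, LocationAwareLogger.ERROR_INT);
        } catch (IllegalAccessException | NoSuchFieldException | RuntimeException e) {
            // RuntimeException subsumes the IllegalArgumentException/SecurityException
            // previously listed and also covers unchecked failures such as a null
            // superclass or reflective-access denial on newer JDKs; muting logs must
            // never abort the scan.
            getLog().debug("Failed to reset the log level of " + loggerName + ", it will continue being noisy.", e);
        }
    }
}

/**
 * Returns the maven proxy.
 *
 * <p>When {@code mavenSettingsProxyId} is configured, the proxy with that id
 * is returned (compared case-insensitively) even if settings.xml marks it
 * inactive; otherwise the first active proxy is used. A configured id that
 * matches nothing now logs a warning instead of failing silently, since the
 * caller then falls back to the {@code http.proxy*} system properties or a
 * direct connection, which may bypass an intended egress proxy.
 *
 * @return the maven proxy, or {@code null} if none applies
 */
private Proxy getMavenProxy() {
    if (mavenSettings == null) {
        return null;
    }
    final List<Proxy> proxies = mavenSettings.getProxies();
    if (proxies == null || proxies.isEmpty()) {
        return null;
    }
    if (mavenSettingsProxyId != null) {
        for (Proxy candidate : proxies) {
            if (mavenSettingsProxyId.equalsIgnoreCase(candidate.getId())) {
                return candidate;
            }
        }
        getLog().warn("No proxy with id '" + mavenSettingsProxyId
                + "' was found in the Maven settings; no settings.xml proxy will be used.");
        return null;
    }
    for (Proxy candidate : proxies) {
        if (candidate.isActive()) {
            return candidate;
        }
    }
    return null;
}

/**
 * Returns a reference to the current project.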
* This method is used instead of auto-binding the project via a component
 * annotation in concrete implementations of this class. If the child declares
 * its own {@code @Component MavenProject project;} then this abstract class
 * would not see the current project (that is simply how Maven binding works).
 *
 * @return a reference to the current project
 */
protected MavenProject getProject() {
    return project;
}

/**
 * Returns the list of Maven projects that make up this build (the reactor).
 *
 * @return the list of Maven projects in this build
 */
protected List<MavenProject> getReactorProjects() {
    return reactorProjects;
}

/**
 * Combines the {@code format} and {@code formats} properties into a single set.
 *
 * <p>Entries of {@code formats} are validated against
 * {@code ReportGenerator.Format} case-insensitively, but an invalid entry is
 * only warned about — it stays in the returned set, in the casing the user
 * supplied. The single {@code format} value is used only when nothing else was
 * selected and is not validated here.
 *
 * @return the selected report formats
 */
private Set<String> getFormats() {
    final Set<String> selected = new HashSet<>();
    if (formats != null) {
        selected.addAll(Arrays.asList(formats));
    }
    for (String candidate : selected) {
        try {
            ReportGenerator.Format.valueOf(candidate.toUpperCase());
        } catch (IllegalArgumentException ex) {
            getLog().warn("Invalid report format specified: " + candidate);
        }
    }
    // The literal "true" is discarded — presumably the artefact of a
    // boolean-style -Dformats; TODO confirm against the parameter documentation.
    selected.remove("true");
    if (selected.isEmpty() && format != null) {
        selected.add(format);
    }
    return selected;
}

/**
 * Returns the list of excluded artifacts based on either artifact id or
 * group id and artifact id, lazily creating an empty mutable list so callers
 * never see {@code null}.
 *
 * @return a list of artifacts to exclude
 */
public List<String> getExcludes() {
    if (excludes == null) {
        excludes = new ArrayList<>();
    }
    return excludes;
}

/**
 * Returns the artifact scope excluded filter; it is built in
 * {@code populateSettings()} from the skip*Scope parameters.
 *
 * @return the artifact scope excluded filter
 */
protected Filter<String> getArtifactScopeExcluded() {
    return artifactScopeExcluded;
}

/**
 * Returns the configured settings.
*
 * @return the configured settings
 */
protected Settings getSettings() {
    return settings;
}

/**
 * Checks to see if a vulnerability has been identified with a CVSS score
 * that is above the threshold set in the configuration.
 *
 * <p>Each vulnerability is compared using its CVSS v2 score, its CVSS v3 base
 * score and, for unscored entries, a CVSS v2 estimate derived from the
 * severity; meeting the threshold on any one of them counts. A threshold of
 * 0 or below, or {@code failBuildOnAnyVulnerability}, fails on every
 * vulnerability. With {@code showSummary} disabled the failure message does
 * not list the offending dependencies.
 *
 * @param dependencies the list of dependency objects
 * @throws MojoFailureException thrown if a CVSS score is found that is
 * higher then the threshold set
 */
protected void checkForFailure(Dependency[] dependencies) throws MojoFailureException {
    final StringBuilder offenders = new StringBuilder();
    for (Dependency dependency : dependencies) {
        boolean fileNameWritten = false;
        for (Vulnerability vulnerability : dependency.getVulnerabilities()) {
            final float cvssV2 = vulnerability.getCvssV2() == null ? -1 : vulnerability.getCvssV2().getScore();
            final float cvssV3 = vulnerability.getCvssV3() == null ? -1 : vulnerability.getCvssV3().getBaseScore();
            final float unscoredCvss = vulnerability.getUnscoredSeverity() == null
                    ? -1 : SeverityUtil.estimateCvssV2(vulnerability.getUnscoredSeverity());
            if (!meetsFailureThreshold(cvssV2, cvssV3, unscoredCvss)) {
                continue;
            }
            final String label = vulnerability.getName() + scoreSuffix(cvssV2, cvssV3, unscoredCvss);
            if (fileNameWritten) {
                offenders.append(", ").append(label);
            } else {
                fileNameWritten = true;
                offenders.append(NEW_LINE).append(dependency.getFileName()).append(": ").append(label);
            }
        }
    }
    if (offenders.length() == 0) {
        return;
    }
    final String msg;
    if (!showSummary) {
        msg = String.format("%n%nOne or more dependencies were identified with vulnerabilities.%n%n"
                + "See the dependency-check report for more details.%n%n");
    } else if (failBuildOnAnyVulnerability) {
        msg = String.format("%n%nOne or more dependencies were identified with vulnerabilities: %n%s%n%n"
                + "See the dependency-check report for more details.%n%n", offenders);
    } else {
        msg = String.format("%n%nOne or more dependencies were identified with vulnerabilities that have a CVSS score greater than or "
                + "equal to '%.1f': %n%s%n%nSee the dependency-check report for more details.%n%n", failBuildOnCVSS, offenders);
    }
    throw new MojoFailureException(msg);
}

/**
 * Decides whether a vulnerability with the given scores must fail the build.
 * A missing score is passed as -1 and can therefore never reach a positive
 * threshold on its own.
 *
 * @param cvssV2 the CVSS v2 score, or -1 if absent
 * @param cvssV3 the CVSS v3 base score, or -1 if absent
 * @param unscoredCvss the estimated score for an unscored severity, or -1
 * @return true if the configured failure condition is met
 */
private boolean meetsFailureThreshold(float cvssV2, float cvssV3, float unscoredCvss) {
    // Safety net: a non-positive threshold fails on anything, even if the
    // comparisons above somehow missed a score of 0.
    if (failBuildOnAnyVulnerability || failBuildOnCVSS <= 0.0f) {
        return true;
    }
    return cvssV2 >= failBuildOnCVSS || cvssV3 >= failBuildOnCVSS || unscoredCvss >= failBuildOnCVSS;
}

/**
 * Formats the score shown next to a vulnerability name, preferring CVSS v3,
 * then v2, then the unscored estimate; empty when no score is available.
 *
 * @param cvssV2 the CVSS v2 score, or -1 if absent
 * @param cvssV3 the CVSS v3 base score, or -1 if absent
 * @param unscoredCvss the estimated score, or -1 if absent
 * @return the parenthesised score, or an empty string
 */
private static String scoreSuffix(float cvssV2, float cvssV3, float unscoredCvss) {
    if (cvssV3 >= 0.0f) {
        return "(" + cvssV3 + ")";
    }
    if (cvssV2 >= 0.0f) {
        return "(" + cvssV2 + ")";
    }
    if (unscoredCvss >= 0.0f) {
        return "(" + unscoredCvss + ")";
    }
    return "";
}

/**
 * Generates a warning message listing a summary of dependencies and their
 * associated CPE and CVE entries; a no-op unless {@code showSummary} is set.
 *
 * @param mp the Maven project for which the summary is shown
 * @param dependencies a list of dependency objects
 */
protected void showSummary(MavenProject mp, Dependency[] dependencies) {
    if (!showSummary) {
        return;
    }
    DependencyCheckScanAgent.showSummary(mp.getName(), dependencies);
}

/**
 * Derives the default "modified" CVE feed URL from the configured
 * {@code cveUrlBase} using {@code CveUrlParser}.
 *
 * @return the default modified-feed URL
 */
private String getDefaultCveUrlModified() {
    final CveUrlParser parser = CveUrlParser.newInstance(getSettings());
    return parser.getDefaultCveUrlModified(cveUrlBase);
}
}
//CSON: FileLength



