adds a new flag 'failBuildOnAnyVulnerability'

In our build system, we enable checkers based on boolean values. Currently, the only way to enable failing the build on vulnerabilities is by providing a numeric value (0-10) for another property. This change adds a boolean switch that will fail the build if any vulnerability is present (we have a strict "no vulnerabilities in our builds" policy).
2026-03-21 00:29:21 +01:00 · 2016-12-28 17:24:26 -08:00
parent 63ad13ff7a
commit 20b1ff38f9
1 changed files with 27 additions and 17 deletions
--- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -158,6 +158,12 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "failBuildOnCVSS", defaultValue = "11", required = true)
    private float failBuildOnCVSS = 11;
    /**
     * Fail the build if any dependency has a vulnerability listed.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property="failBuildOnAnyVulnerability", defaultValue="false", required=true)
    private boolean failBuildOnAnyVulnerability = false;
    /**
     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not
     * recommended that this be turned to false. Default is true.
@@ -1060,28 +1066,32 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
     * higher then the threshold set
     */
    protected void checkForFailure(List<Dependency> dependencies) throws MojoFailureException {
-        if (failBuildOnCVSS <= 10) {
+        final StringBuilder ids = new StringBuilder();
-            final StringBuilder ids = new StringBuilder();
+        for (Dependency d : dependencies) {
-            for (Dependency d : dependencies) {
+            boolean addName = true;
-                boolean addName = true;
+            for (Vulnerability v : d.getVulnerabilities()) {
-                for (Vulnerability v : d.getVulnerabilities()) {
+                if (failBuildOnAnyVulnerability || v.getCvssScore() >= failBuildOnCVSS) {
-                    if (v.getCvssScore() >= failBuildOnCVSS) {
+                    if (addName) {
-                        if (addName) {
+                        addName = false;
-                            addName = false;
+                        ids.append(NEW_LINE).append(d.getFileName()).append(": ");
-                            ids.append(NEW_LINE).append(d.getFileName()).append(": ");
+                        ids.append(v.getName());
-                            ids.append(v.getName());
+                    } else {
-                        } else {
+                        ids.append(", ").append(v.getName());
                            ids.append(", ").append(v.getName());
                        }
                    }
                }
            }
-            if (ids.length() > 0) {
+        }
-                final String msg = String.format("%n%nDependency-Check Failure:%n"
+        if (ids.length() > 0) {
-                        + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater then '%.1f': %s%n"
+            final String msg;
            if (failBuildOnAnyVulnerability) {
                msg = String.format("%n%nOne or more dependencies were identified with vulnerabilities: %n%s%n%n"
                        + "See the dependency-check report for more details.%n%n", ids.toString());
            } else {
                msg = String.format("%n%nOne or more dependencies were identified with vulnerabilities that have a CVSS score greater then '%.1f': %n%s%n%n"
                        + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids.toString());
                throw new MojoFailureException(msg);
            }
            throw new MojoFailureException(msg);
        }
    }