github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-18 15:24:13 +01:00
Code Issues Packages Projects Releases Wiki Activity

added a warning to the build output if CVEs are identified

Browse Source 
Former-commit-id: e45640edbdb30efaa9b15374a2d89850a61a01d3
This commit is contained in:
Jeremy Long
2013-12-07 10:09:07 -05:00
parent b9436c0cab
commit 6640df18ac
2 changed files with 131 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

71
dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java
View File

@@ -34,6 +34,7 @@ import org.apache.tools.ant.types.resources.FileProvider;
import org.apache.tools.ant.types.resources.Resources; import org.apache.tools.ant.types.resources.Resources;
import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Identifier;
import org.owasp.dependencycheck.dependency.Vulnerability; import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.reporting.ReportGenerator; import org.owasp.dependencycheck.reporting.ReportGenerator;
import org.owasp.dependencycheck.reporting.ReportGenerator.Format; import org.owasp.dependencycheck.reporting.ReportGenerator.Format;
@@ -55,6 +56,10 @@ public class DependencyCheckTask extends Task {
* Name of the logging properties file. * Name of the logging properties file.
*/ */
private static final String LOG_PROPERTIES_FILE = "log.properties"; private static final String LOG_PROPERTIES_FILE = "log.properties";
/**
* System specific new line character.
*/
private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();
/** /**
* Construct a new DependencyCheckTask. * Construct a new DependencyCheckTask.
@@ -433,6 +438,28 @@ public class DependencyCheckTask extends Task {
public void setSuppressionFile(String suppressionFile) { public void setSuppressionFile(String suppressionFile) {
this.suppressionFile = suppressionFile; this.suppressionFile = suppressionFile;
} }
/**
* flag indicating whether or not to show a summary of findings.
*/
private boolean showSummary = true;
/**
* Get the value of showSummary.
*
* @return the value of showSummary
*/
public boolean isShowSummary() {
return showSummary;
}
/**
* Set the value of showSummary.
*
* @param showSummary new value of showSummary
*/
public void setShowSummary(boolean showSummary) {
this.showSummary = showSummary;
}
@Override @Override
public void execute() throws BuildException { public void execute() throws BuildException {
@@ -461,6 +488,9 @@ public class DependencyCheckTask extends Task {
if (this.failBuildOnCVSS <= 10) { if (this.failBuildOnCVSS <= 10) {
checkForFailure(engine.getDependencies()); checkForFailure(engine.getDependencies());
} }
if (this.showSummary) {
showSummary(engine.getDependencies());
}
} catch (IOException ex) { } catch (IOException ex) {
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, null, ex); Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, null, ex);
throw new BuildException("Unable to generate dependency-check report", ex); throw new BuildException("Unable to generate dependency-check report", ex);
@@ -568,6 +598,47 @@ public class DependencyCheckTask extends Task {
} }
} }
/**
* Generates a warning message listing a summary of dependencies and their
* associated CPE and CVE entries.
*
* @param dependencies a list of dependency objects
*/
private void showSummary(List<Dependency> dependencies) {
final StringBuilder summary = new StringBuilder();
for (Dependency d : dependencies) {
boolean firstEntry = true;
final StringBuilder ids = new StringBuilder();
for (Vulnerability v : d.getVulnerabilities()) {
if (firstEntry) {
firstEntry = false;
} else {
ids.append(", ");
}
ids.append(v.getName());
}
if (ids.length() > 0) {
summary.append(d.getFileName()).append(" (");
firstEntry = true;
for (Identifier id : d.getIdentifiers()) {
if (firstEntry) {
firstEntry = false;
} else {
summary.append(", ");
}
summary.append(id.getValue());
}
summary.append(") : ").append(ids).append(NEW_LINE);
}
}
if (summary.length() > 0) {
final String msg = String.format("%n%n"
+ "One or more dependencies were identified with known vulnerabilities:%n%n%s"
+ "%n%nSee the dependency-check report for more details.%n%n", summary.toString());
Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.WARNING, msg);
}
}
/** /**
* An enumeration of supported report formats: "ALL", "HTML", "XML", "VULN", * An enumeration of supported report formats: "ALL", "HTML", "XML", "VULN",
* etc.. * etc..

66
dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java
View File

@@ -79,6 +79,10 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
* The name of the test scope. * The name of the test scope.
*/ */
public static final String TEST_SCOPE = "test"; public static final String TEST_SCOPE = "test";
/**
* System specific new line character.
*/
private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();
// <editor-fold defaultstate="collapsed" desc="Maven bound parameters and components"> // <editor-fold defaultstate="collapsed" desc="Maven bound parameters and components">
/** /**
* The Maven Project Object. * The Maven Project Object.
@@ -151,39 +155,45 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
/** /**
* The Proxy URL. * The Proxy URL.
*/ */
@SuppressWarnings("CanBeFinal") @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
@Parameter(property = "proxyUrl", defaultValue = "", required = false) @Parameter(property = "proxyUrl", defaultValue = "", required = false)
private String proxyUrl = null; private String proxyUrl = null;
/** /**
* The Proxy Port. * The Proxy Port.
*/ */
@SuppressWarnings("CanBeFinal") @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
@Parameter(property = "proxyPort", defaultValue = "", required = false) @Parameter(property = "proxyPort", defaultValue = "", required = false)
private String proxyPort = null; private String proxyPort = null;
/** /**
* The Proxy username. * The Proxy username.
*/ */
@SuppressWarnings("CanBeFinal") @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
@Parameter(property = "proxyUsername", defaultValue = "", required = false) @Parameter(property = "proxyUsername", defaultValue = "", required = false)
private String proxyUsername = null; private String proxyUsername = null;
/** /**
* The Proxy password. * The Proxy password.
*/ */
@SuppressWarnings("CanBeFinal") @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
@Parameter(property = "proxyPassword", defaultValue = "", required = false) @Parameter(property = "proxyPassword", defaultValue = "", required = false)
private String proxyPassword = null; private String proxyPassword = null;
/** /**
* The Connection Timeout. * The Connection Timeout.
*/ */
@SuppressWarnings("CanBeFinal") @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
@Parameter(property = "connectionTimeout", defaultValue = "", required = false) @Parameter(property = "connectionTimeout", defaultValue = "", required = false)
private String connectionTimeout = null; private String connectionTimeout = null;
/** /**
* The Connection Timeout. * The Connection Timeout.
*/ */
@SuppressWarnings("CanBeFinal") @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
@Parameter(property = "suppressionFile", defaultValue = "", required = false) @Parameter(property = "suppressionFile", defaultValue = "", required = false)
private String suppressionFile = null; private String suppressionFile = null;
/**
* Flag indicating whether or not to show a summary in the output.
*/
@SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
@Parameter(property = "showSummary", defaultValue = "true", required = false)
private boolean showSummary = true;
// </editor-fold> // </editor-fold>
/** /**
@@ -670,6 +680,9 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
if (this.failBuildOnCVSS <= 10) { if (this.failBuildOnCVSS <= 10) {
checkForFailure(engine.getDependencies()); checkForFailure(engine.getDependencies());
} }
if (this.showSummary) {
showSummary(engine.getDependencies());
}
} }
/** /**
@@ -802,4 +815,45 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
throw new MojoFailureException(msg); throw new MojoFailureException(msg);
} }
} }
/**
* Generates a warning message listing a summary of dependencies and their
* associated CPE and CVE entries.
*
* @param dependencies a list of dependency objects
*/
private void showSummary(List<Dependency> dependencies) {
final StringBuilder summary = new StringBuilder();
for (Dependency d : dependencies) {
boolean firstEntry = true;
final StringBuilder ids = new StringBuilder();
for (Vulnerability v : d.getVulnerabilities()) {
if (firstEntry) {
firstEntry = false;
} else {
ids.append(", ");
}
ids.append(v.getName());
}
if (ids.length() > 0) {
summary.append(d.getFileName()).append(" (");
firstEntry = true;
for (Identifier id : d.getIdentifiers()) {
if (firstEntry) {
firstEntry = false;
} else {
summary.append(", ");
}
summary.append(id.getValue());
}
summary.append(") : ").append(ids).append(NEW_LINE);
}
}
if (summary.length() > 0) {
final String msg = String.format("%n%n"
+ "One or more dependencies were identified with known vulnerabilities:%n%n%s"
+ "%n%nSee the dependency-check report for more details.%n%n", summary.toString());
Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.WARNING, msg);
}
}
} }