mirror of
https://github.com/ysoftdevs/DependencyCheck.git
synced 2026-03-19 07:44:23 +01:00
Jeremy Long
@@ -55,6 +55,7 @@ import org.owasp.dependencycheck.dependency.Confidence;
|
||||
import org.owasp.dependencycheck.dependency.Dependency;
|
||||
import org.owasp.dependencycheck.dependency.Identifier;
|
||||
import org.owasp.dependencycheck.dependency.Vulnerability;
|
||||
import org.owasp.dependencycheck.exception.DependencyNotFoundException;
|
||||
import org.owasp.dependencycheck.exception.ExceptionCollection;
|
||||
import org.owasp.dependencycheck.exception.ReportException;
|
||||
import org.owasp.dependencycheck.reporting.ReportGenerator;
|
||||
@@ -403,6 +404,13 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
|
||||
@SuppressWarnings("CanBeFinal")
|
||||
@Parameter(property = "skipProvidedScope", defaultValue = "false", required = false)
|
||||
private boolean skipProvidedScope = false;
|
||||
|
||||
/**
|
||||
* Skip Analysis for Provided Scope Dependencies.
|
||||
*/
|
||||
@SuppressWarnings("CanBeFinal")
|
||||
@Parameter(property = "skipSystemScope", defaultValue = "false", required = false)
|
||||
private boolean skipSystemScope = false;
|
||||
/**
|
||||
* The data directory, hold DC SQL DB.
|
||||
*/
|
||||
@@ -631,21 +639,50 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
|
||||
List<DependencyNode> nodes, ProjectBuildingRequest buildingRequest) {
|
||||
ExceptionCollection exCol = null;
|
||||
for (DependencyNode dependencyNode : nodes) {
|
||||
exCol = collectDependencies(engine, project, dependencyNode.getChildren(), buildingRequest);
|
||||
if (excludeFromScan(dependencyNode.getArtifact().getScope())) {
|
||||
continue;
|
||||
}
|
||||
exCol = collectDependencies(engine, project, dependencyNode.getChildren(), buildingRequest);
|
||||
try {
|
||||
final ArtifactCoordinate coordinate = TransferUtils.toArtifactCoordinate(dependencyNode.getArtifact());
|
||||
final Artifact result = artifactResolver.resolveArtifact(buildingRequest, coordinate).getArtifact();
|
||||
if (result.isResolved() && result.getFile() != null) {
|
||||
final List<Dependency> deps = engine.scan(result.getFile().getAbsoluteFile(),
|
||||
boolean isResolved = false;
|
||||
File artifactFile = null;
|
||||
String artifactId = null;
|
||||
String groupId = null;
|
||||
String version = null;
|
||||
if (org.apache.maven.artifact.Artifact.SCOPE_SYSTEM.equals(dependencyNode.getArtifact().getScope())) {
|
||||
for (org.apache.maven.model.Dependency d : project.getDependencies()) {
|
||||
Artifact a = dependencyNode.getArtifact();
|
||||
if (d.getSystemPath() != null && artifactsMatch(d, a)) {
|
||||
|
||||
artifactFile = new File(d.getSystemPath());
|
||||
isResolved = artifactFile.isFile();
|
||||
groupId = a.getGroupId();
|
||||
artifactId = a.getArtifactId();
|
||||
version = a.getVersion();
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (!isResolved) {
|
||||
getLog().error("Unable to resolve system scoped dependency: " + dependencyNode.toNodeString());
|
||||
exCol.addException(new DependencyNotFoundException("Unable to resolve system scoped dependency: " + dependencyNode.toNodeString()));
|
||||
}
|
||||
} else {
|
||||
final ArtifactCoordinate coordinate = TransferUtils.toArtifactCoordinate(dependencyNode.getArtifact());
|
||||
final Artifact result = artifactResolver.resolveArtifact(buildingRequest, coordinate).getArtifact();
|
||||
isResolved = result.isResolved();
|
||||
artifactFile = result.getFile();
|
||||
groupId = result.getGroupId();
|
||||
artifactId = result.getArtifactId();
|
||||
version = result.getVersion();
|
||||
}
|
||||
if (isResolved && artifactFile != null) {
|
||||
final List<Dependency> deps = engine.scan(artifactFile.getAbsoluteFile(),
|
||||
project.getName() + ":" + dependencyNode.getArtifact().getScope());
|
||||
if (deps != null) {
|
||||
if (deps.size() == 1) {
|
||||
final Dependency d = deps.get(0);
|
||||
if (d != null) {
|
||||
final MavenArtifact ma = new MavenArtifact(result.getGroupId(), result.getArtifactId(), result.getVersion());
|
||||
final MavenArtifact ma = new MavenArtifact(groupId, artifactId, version);
|
||||
d.addAsEvidence("pom", ma, Confidence.HIGHEST);
|
||||
if (getLog().isDebugEnabled()) {
|
||||
getLog().debug(String.format("Adding project reference %s on dependency %s",
|
||||
@@ -683,6 +720,33 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
|
||||
return exCol;
|
||||
}
|
||||
|
||||
/**
|
||||
* Determines if the groupId, artifactId, and version of the Maven
|
||||
* dependency and artifact match.
|
||||
*
|
||||
* @param d the Maven dependency
|
||||
* @param a the Maven artifact
|
||||
* @return true if the groupId, artifactId, and version match
|
||||
*/
|
||||
private static boolean artifactsMatch(org.apache.maven.model.Dependency d, Artifact a) {
|
||||
return (isEqualOrNull(a.getArtifactId(), d.getArtifactId()))
|
||||
&& (isEqualOrNull(a.getGroupId(), d.getGroupId()))
|
||||
&& (isEqualOrNull(a.getVersion(), d.getVersion()));
|
||||
}
|
||||
|
||||
/**
|
||||
* Compares two strings for equality; if both strings are null they are
|
||||
* considered equal.
|
||||
*
|
||||
* @param left the first string to compare
|
||||
* @param right the second string to compare
|
||||
* @return true if the strings are equal or if they are both null; otherwise
|
||||
* false.
|
||||
*/
|
||||
private static boolean isEqualOrNull(String left, String right) {
|
||||
return (left != null && left.equals(right)) || (left == null && right == null);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return Returns a new ProjectBuildingRequest populated from the current
|
||||
* session and the current project remote repositories, used to resolve
|
||||
@@ -967,6 +1031,9 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
|
||||
if (skipProvidedScope && org.apache.maven.artifact.Artifact.SCOPE_PROVIDED.equals(scope)) {
|
||||
return true;
|
||||
}
|
||||
if (skipSystemScope && org.apache.maven.artifact.Artifact.SCOPE_SYSTEM.equals(scope)) {
|
||||
return true;
|
||||
}
|
||||
return skipRuntimeScope && !org.apache.maven.artifact.Artifact.SCOPE_RUNTIME.equals(scope);
|
||||
}
|
||||
|
||||
|
||||
@@ -108,24 +108,23 @@ public class CheckMojo extends BaseDependencyCheckMojo {
|
||||
}
|
||||
exCol = ex;
|
||||
}
|
||||
if (exCol == null || !exCol.isFatal()) {
|
||||
try {
|
||||
writeReports(engine, getProject(), getCorrectOutputDirectory());
|
||||
} catch (ReportException ex) {
|
||||
if (this.isFailOnError()) {
|
||||
if (exCol != null) {
|
||||
exCol.addException(ex);
|
||||
} else {
|
||||
exCol = new ExceptionCollection("Unable to write the dependency-check report", ex);
|
||||
}
|
||||
}
|
||||
if (exCol == null || !exCol.isFatal()) {
|
||||
try {
|
||||
writeReports(engine, getProject(), getCorrectOutputDirectory());
|
||||
} catch (ReportException ex) {
|
||||
if (this.isFailOnError()) {
|
||||
if (exCol != null) {
|
||||
exCol.addException(ex);
|
||||
} else {
|
||||
exCol = new ExceptionCollection("Unable to write the dependency-check report", ex);
|
||||
}
|
||||
}
|
||||
//writeDataFile(getProject(), null, engine.getDependencies());
|
||||
showSummary(getProject(), engine.getDependencies());
|
||||
checkForFailure(engine.getDependencies());
|
||||
if (exCol != null && this.isFailOnError()) {
|
||||
throw new MojoExecutionException("One or more exceptions occurred during dependency-check analysis", exCol);
|
||||
}
|
||||
}
|
||||
showSummary(getProject(), engine.getDependencies());
|
||||
checkForFailure(engine.getDependencies());
|
||||
if (exCol != null && this.isFailOnError()) {
|
||||
throw new MojoExecutionException("One or more exceptions occurred during dependency-check analysis", exCol);
|
||||
}
|
||||
}
|
||||
engine.cleanup();
|
||||
|
||||
Reference in New Issue
Block a user