From 35c2f4873cac24130055f3d74e882d1adb8ce322 Mon Sep 17 00:00:00 2001 From: Erik Hooijmeijer Date: Tue, 21 Oct 2014 20:09:54 +0200 Subject: [PATCH 1/3] values from the project pom.xml are now taken into account as well Former-commit-id: ca6c5b40f09959f162b337f2cb4268a57ce46d3d --- .gitignore | 3 ++ .../org/owasp/dependencycheck/Engine.java | 37 +++++++++++------ .../analyzer/NexusAnalyzer.java | 26 +----------- .../dependency/Dependency.java | 39 ++++++++++++++++++ .../dependency/DependencyTest.java | 40 +++++++++++++++++-- .../maven/DependencyCheckMojo.java | 38 ++++++++---------- 6 files changed, 122 insertions(+), 61 deletions(-) diff --git a/.gitignore b/.gitignore index 5fff7a394..b79573ae8 100644 --- a/.gitignore +++ b/.gitignore @@ -7,6 +7,9 @@ # Eclipse project files .classpath .project +.settings +maven-eclipse.xml +.externalToolBuilders # Netbeans configuration nb-configuration.xml /target/ diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java index 3dfb16489..2794cc4eb 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java @@ -27,6 +27,7 @@ import java.util.List; import java.util.Set; import java.util.logging.Level; import java.util.logging.Logger; + import org.owasp.dependencycheck.analyzer.AnalysisPhase; import org.owasp.dependencycheck.analyzer.Analyzer; import org.owasp.dependencycheck.analyzer.AnalyzerService; 
@@ -34,12 +35,14 @@ import org.owasp.dependencycheck.analyzer.FileTypeAnalyzer; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.data.cpe.CpeMemoryIndex; import org.owasp.dependencycheck.data.cpe.IndexException; +import org.owasp.dependencycheck.data.nexus.MavenArtifact; import org.owasp.dependencycheck.data.nvdcve.ConnectionFactory; import org.owasp.dependencycheck.data.nvdcve.CveDB; import org.owasp.dependencycheck.data.nvdcve.DatabaseException; import org.owasp.dependencycheck.data.update.CachedWebDataSource; import org.owasp.dependencycheck.data.update.UpdateService; import org.owasp.dependencycheck.data.update.exception.UpdateException; +import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.exception.NoDataException; import org.owasp.dependencycheck.utils.FileUtils; @@ -188,7 +191,7 @@ public class Engine implements Serializable { public void scan(String path) { if (path.matches("^.*[\\/]\\*\\.[^\\/:*|?<>\"]+$")) { final String[] parts = path.split("\\*\\."); - final String[] ext = new String[]{parts[parts.length - 1]}; + final String[] ext = new String[] { parts[parts.length - 1] }; final File dir = new File(path.substring(0, path.length() - ext[0].length() - 2)); if (dir.isDirectory()) { final List files = (List) org.apache.commons.io.FileUtils.listFiles(dir, ext, true); 
@@ -287,6 +290,17 @@ public class Engine implements Serializable { * @param file The file to scan. */ protected void scanFile(File file) { + scan(file, null); + } + + /** + * Scans a specified file. If a dependency is identified it is added to the dependency collection. + * If there is an mavenArtifact present, it will be added to + * + * @param file The file to scan. + * @param mavenArtifact The (optional) Maven artifact. + */ + public void scan(File file, MavenArtifact mavenArtifact) { if (!file.isFile()) { final String msg = String.format("Path passed to scanFile(File) is not a file: %s. Skipping the file.", file.toString()); LOGGER.log(Level.FINE, msg); @@ -297,11 +311,13 @@ public class Engine implements Serializable { if (extension != null) { if (supportsExtension(extension)) { final Dependency dependency = new Dependency(file); + if (mavenArtifact != null) { + dependency.addAsEvidence("project-pom", mavenArtifact, Confidence.HIGH); + } dependencies.add(dependency); } } else { - final String msg = String.format("No file extension found on file '%s'. The file was not analyzed.", - file.toString()); + final String msg = String.format("No file extension found on file '%s'. The file was not analyzed.", file.toString()); LOGGER.log(Level.FINEST, msg); } } @@ -326,9 +342,7 @@ public class Engine implements Serializable { } - final String logHeader = String.format("%n" - + "----------------------------------------------------%n" - + "BEGIN ANALYSIS%n" + final String logHeader = String.format("%n" + "----------------------------------------------------%n" + "BEGIN ANALYSIS%n" + "----------------------------------------------------"); LOGGER.log(Level.FINE, logHeader); LOGGER.log(Level.INFO, "Analysis Starting"); 
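Review bot: The Javadoc on the new `scan(File, MavenArtifact)` stops mid-sentence ("it will be added to"), and the skip message in its body still says `Path passed to scanFile(File)` although the method is now a public entry point of its own. I would finish the sentence, for example `If a mavenArtifact is present, its groupId, artifactId and version are added to the dependency as evidence.`, and name the new method in the message. A path that is not a regular file is dropped with only a `Level.FINE` log line; for a vulnerability scanner a skipped input is worth reporting at a level that is visible by default. The method body continues outside this hunk.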
@@ -381,9 +395,7 @@ public class Engine implements Serializable { } } - final String logFooter = String.format("%n" - + "----------------------------------------------------%n" - + "END ANALYSIS%n" + final String logFooter = String.format("%n" + "----------------------------------------------------%n" + "END ANALYSIS%n" + "----------------------------------------------------"); LOGGER.log(Level.FINE, logFooter); LOGGER.log(Level.INFO, "Analysis Complete"); @@ -437,10 +449,8 @@ public class Engine implements Serializable { try { source.update(); } catch (UpdateException ex) { - LOGGER.log(Level.WARNING, - "Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities."); - LOGGER.log(Level.FINE, - String.format("Unable to update details for %s", source.getClass().getName()), ex); + LOGGER.log(Level.WARNING, "Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities."); + LOGGER.log(Level.FINE, String.format("Unable to update details for %s", source.getClass().getName()), ex); } } } @@ -503,4 +513,5 @@ public class Engine implements Serializable { throw new NoDataException("No documents exist"); } } + } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java index dbee6a5d7..1a21ba2b0 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java 
@@ -24,13 +24,13 @@ import java.net.URL; import java.util.Set; import java.util.logging.Level; import java.util.logging.Logger; + import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.data.nexus.MavenArtifact; import org.owasp.dependencycheck.data.nexus.NexusSearch; import org.owasp.dependencycheck.dependency.Confidence; import org.owasp.dependencycheck.dependency.Dependency; -import org.owasp.dependencycheck.dependency.Identifier; import org.owasp.dependencycheck.utils.Settings; /** 
@@ -152,29 +152,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer { public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException { try { final MavenArtifact ma = searcher.searchSha1(dependency.getSha1sum()); - if (ma.getGroupId() != null && !"".equals(ma.getGroupId())) { - dependency.getVendorEvidence().addEvidence("nexus", "groupid", ma.getGroupId(), Confidence.HIGH); - } - if (ma.getArtifactId() != null && !"".equals(ma.getArtifactId())) { - dependency.getProductEvidence().addEvidence("nexus", "artifactid", ma.getArtifactId(), Confidence.HIGH); - } - if (ma.getVersion() != null && !"".equals(ma.getVersion())) { - dependency.getVersionEvidence().addEvidence("nexus", "version", ma.getVersion(), Confidence.HIGH); - } - if (ma.getArtifactUrl() != null && !"".equals(ma.getArtifactUrl())) { - boolean found = false; - for (Identifier i : dependency.getIdentifiers()) { - if ("maven".equals(i.getType()) && i.getValue().equals(ma.toString())) { - found = true; - i.setConfidence(Confidence.HIGHEST); - i.setUrl(ma.getArtifactUrl()); - break; - } - } - if (!found) { - dependency.addIdentifier("maven", ma.toString(), ma.getArtifactUrl(), Confidence.HIGHEST); - } - } + dependency.addAsEvidence("nexus", ma, Confidence.HIGH); } catch (IllegalArgumentException iae) { //dependency.addAnalysisException(new AnalysisException("Invalid SHA-1")); LOGGER.info(String.format("invalid sha-1 hash on %s", dependency.getFileName())); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java index 9ce32d38d..bd32c7f4b 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java 
@@ -26,6 +26,8 @@ import java.util.SortedSet; import java.util.TreeSet; import java.util.logging.Level; import java.util.logging.Logger; + +import org.owasp.dependencycheck.data.nexus.MavenArtifact; import org.owasp.dependencycheck.utils.Checksum; import org.owasp.dependencycheck.utils.FileUtils; @@ -316,6 +318,38 @@ public class Dependency implements Serializable, Comparable { this.identifiers.add(i); } + /** + * Adds the maven artifact as evidence. + * @param source The source of the evidence. + * @param mavenArtifact The maven artifact. + * @param confidence The confidence level of this evidence. + */ + public void addAsEvidence(String source, MavenArtifact mavenArtifact, Confidence confidence) { + if (mavenArtifact.getGroupId() != null && !"".equals(mavenArtifact.getGroupId())) { + this.getVendorEvidence().addEvidence(source, "groupid", mavenArtifact.getGroupId(), confidence); + } + if (mavenArtifact.getArtifactId() != null && !"".equals(mavenArtifact.getArtifactId())) { + this.getProductEvidence().addEvidence(source, "artifactid", mavenArtifact.getArtifactId(), confidence); + } + if (mavenArtifact.getVersion() != null && !"".equals(mavenArtifact.getVersion())) { + this.getVersionEvidence().addEvidence(source, "version", mavenArtifact.getVersion(), confidence); + } + if (mavenArtifact.getArtifactUrl() != null && !"".equals(mavenArtifact.getArtifactUrl())) { + boolean found = false; + for (Identifier i : this.getIdentifiers()) { + if ("maven".equals(i.getType()) && i.getValue().equals(mavenArtifact.toString())) { + found = true; + i.setConfidence(Confidence.HIGHEST); + i.setUrl(mavenArtifact.getArtifactUrl()); + break; + } + } + if (!found) { + this.addIdentifier("maven", mavenArtifact.toString(), mavenArtifact.getArtifactUrl(), Confidence.HIGHEST); + } + } + } + /** * Adds an entry to the list of detected Identifiers for the dependency file. * 
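Review bot: The `confidence` argument of `addAsEvidence` is not applied to the maven identifier: both `i.setConfidence(Confidence.HIGHEST)` and the `addIdentifier(...)` call hard-code `Confidence.HIGHEST`. A caller that passes a lower confidence for a less reliable source therefore still raises an existing identifier to HIGHEST and overwrites its URL. If that is intended, the `@param confidence` text should say so, e.g. `applies to the vendor, product and version evidence only; the maven identifier is always recorded at HIGHEST`. The method is public and dereferences `mavenArtifact` immediately, so a guard such as `if (mavenArtifact == null) { return; }` would keep future callers from hitting a NullPointerException; `Engine` checks for null before calling, other callers may not.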
@@ -324,6 +358,7 @@ public class Dependency implements Serializable, Comparable { public void addIdentifier(Identifier identifier) { this.identifiers.add(identifier); } + /** * A set of identifiers that have been suppressed. */ @@ -441,6 +476,7 @@ public class Dependency implements Serializable, Comparable { public EvidenceCollection getVersionEvidence() { return this.versionEvidence; } + /** * The description of the JAR file. */ @@ -463,6 +499,7 @@ public class Dependency implements Serializable, Comparable { public void setDescription(String description) { this.description = description; } + /** * The license that this dependency uses. */ @@ -485,6 +522,7 @@ public class Dependency implements Serializable, Comparable { public void setLicense(String license) { this.license = license; } + /** * A list of vulnerabilities for this dependency. */ @@ -540,6 +578,7 @@ public class Dependency implements Serializable, Comparable { public void addVulnerability(Vulnerability vulnerability) { this.vulnerabilities.add(vulnerability); } + /** * A collection of related dependencies. */ diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java index 8062ddb11..1e8936a5d 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java 
@@ -17,16 +17,20 @@ */ package org.owasp.dependencycheck.dependency; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; + import java.io.File; import java.util.List; import java.util.Set; + import org.junit.After; import org.junit.AfterClass; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertTrue; import org.junit.Before; import org.junit.BeforeClass; import org.junit.Test; +import org.owasp.dependencycheck.data.nexus.MavenArtifact; /** * @@ -152,7 +156,7 @@ public class DependencyTest { public void testGetMd5sum() { File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath()); Dependency instance = new Dependency(file); -// assertEquals("89CE9E36AA9A9E03F1450936D2F4F8DD0F961F8B", result.getSha1sum()); + // assertEquals("89CE9E36AA9A9E03F1450936D2F4F8DD0F961F8B", result.getSha1sum()); String expResult = "C30B57142E1CCBC1EFD5CD15F307358F"; String result = instance.getMd5sum(); assertEquals(expResult, result); 
@@ -294,4 +298,34 @@ public class DependencyTest { EvidenceCollection result = instance.getVersionEvidence(); assertTrue(true); //this is just a getter setter pair. } + + /** + * Test of addAsEvidence method, of class Dependency. + */ + @Test + public void testAddAsEvidence() { + Dependency instance = new Dependency(); + MavenArtifact mavenArtifact = new MavenArtifact("group", "artifact", "version", "url"); + instance.addAsEvidence("pom", mavenArtifact, Confidence.HIGH); + assertTrue(instance.getEvidence().contains(Confidence.HIGH)); + assertFalse(instance.getEvidence().getEvidence("pom", "groupid").isEmpty()); + assertFalse(instance.getEvidence().getEvidence("pom", "artifactid").isEmpty()); + assertFalse(instance.getEvidence().getEvidence("pom", "version").isEmpty()); + assertFalse(instance.getIdentifiers().isEmpty()); + } + + /** + * Test of addAsEvidence method, of class Dependency. + */ + @Test + public void testAddAsEvidenceWithEmptyArtefact() { + Dependency instance = new Dependency(); + MavenArtifact mavenArtifact = new MavenArtifact(null, null, null, null); + instance.addAsEvidence("pom", mavenArtifact, Confidence.HIGH); + assertFalse(instance.getEvidence().contains(Confidence.HIGH)); + assertTrue(instance.getEvidence().getEvidence("pom", "groupid").isEmpty()); + assertTrue(instance.getEvidence().getEvidence("pom", "artifactid").isEmpty()); + assertTrue(instance.getEvidence().getEvidence("pom", "version").isEmpty()); + assertTrue(instance.getIdentifiers().isEmpty()); + } } diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java index 26b9ef4c5..cde37376b 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java 
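Review bot: The two new tests cover only an artifact with every field set and one with every field null, so the `found` branch of `addAsEvidence`, which updates an existing "maven" identifier, is never exercised. The `!"".equals(...)` checks are not exercised either, because no field is passed as an empty string. I would add a case that registers a "maven" identifier with the artifact's `toString()` value first, calls `addAsEvidence`, and asserts that `getIdentifiers()` still holds one entry; and a case built with `new MavenArtifact("", "", "", "")` that asserts no evidence is recorded. `testAddAsEvidenceWithEmptyArtefact` would also read better spelled `Artifact`, matching the class name.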
@@ -32,6 +32,7 @@ import java.util.Locale; import java.util.Set; import java.util.logging.Level; import java.util.logging.Logger; + import org.apache.maven.artifact.Artifact; import org.apache.maven.plugin.MojoExecutionException; import org.apache.maven.plugin.MojoFailureException; @@ -46,6 +47,7 @@ import org.apache.maven.settings.Proxy; import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.DependencyBundlingAnalyzer; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; +import org.owasp.dependencycheck.data.nexus.MavenArtifact; import org.owasp.dependencycheck.data.nvdcve.DatabaseException; import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.dependency.Identifier; @@ -58,9 +60,7 @@ import org.owasp.dependencycheck.utils.Settings; * * @author Jeremy Long */ -@Mojo(name = "check", defaultPhase = LifecyclePhase.COMPILE, threadSafe = true, - requiresDependencyResolution = ResolutionScope.RUNTIME_PLUS_SYSTEM, - requiresOnline = true) +@Mojo(name = "check", defaultPhase = LifecyclePhase.COMPILE, threadSafe = true, requiresDependencyResolution = ResolutionScope.RUNTIME_PLUS_SYSTEM, requiresOnline = true) public class DependencyCheckMojo extends ReportAggregationMojo { // @@ -292,6 +292,7 @@ public class DependencyCheckMojo extends ReportAggregationMojo { @Parameter(property = "externalReport") @Deprecated private String externalReport = null; + // /** * Constructs a new dependency-check-mojo. @@ -326,8 +327,7 @@ public class DependencyCheckMojo extends ReportAggregationMojo { if (excludeFromScan(a)) { continue; } - - localEngine.scan(a.getFile().getAbsolutePath()); + localEngine.scan(a.getFile().getAbsoluteFile(), new MavenArtifact(a.getGroupId(), a.getArtifactId(), a.getVersion())); } localEngine.analyzeDependencies(); 
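Review bot: The replaced call in the `@@ -326,8 +327,7 @@` hunk goes to `scan(File, MavenArtifact)`, which skips anything where `file.isFile()` is false and logs that only at FINE. If `scan(String)` previously handled directories (its full body is outside this diff), an artifact that resolves to a directory, such as a reactor module's class output, is now left out of the analysis without a visible message. That would be a silent false negative in the report. I would keep the old path for that case, calling `localEngine.scan(a.getFile().getAbsolutePath())` when `a.getFile().isDirectory()`, and use the new overload only for regular files. The enclosing loop starts and ends outside the hunk.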
@@ -396,8 +396,7 @@ public class DependencyCheckMojo extends ReportAggregationMojo { } if (proxyUrl != null && !proxyUrl.isEmpty()) { - LOGGER.warning("Deprecated configuration detected, proxyUrl will be ignored; use the maven settings " - + "to configure the proxy instead"); + LOGGER.warning("Deprecated configuration detected, proxyUrl will be ignored; use the maven settings " + "to configure the proxy instead"); } final Proxy proxy = getMavenProxy(); if (proxy != null) { @@ -510,6 +509,7 @@ public class DependencyCheckMojo extends ReportAggregationMojo { } return null; } + // /** @@ -530,8 +530,7 @@ public class DependencyCheckMojo extends ReportAggregationMojo { checkForFailure(engine.getDependencies()); } } catch (DatabaseException ex) { - LOGGER.log(Level.SEVERE, - "Unable to connect to the dependency-check database; analysis has stopped"); + LOGGER.log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped"); LOGGER.log(Level.FINE, "", ex); } } @@ -580,16 +579,15 @@ public class DependencyCheckMojo extends ReportAggregationMojo { engine = initializeEngine(); engine.getDependencies().addAll(deps); } catch (DatabaseException ex) { - final String msg = String.format("An unrecoverable exception with the dependency-check initialization occured while scanning %s", - getProject().getName()); + final String msg = String.format("An unrecoverable exception with the dependency-check initialization occured while scanning %s", getProject() + .getName()); throw new MavenReportException(msg, ex); } } else { try { engine = executeDependencyCheck(); } catch (DatabaseException ex) { - final String msg = String.format("An unrecoverable exception with the dependency-check scan occured while scanning %s", - getProject().getName()); + final String msg = String.format("An unrecoverable exception with the dependency-check scan occured while scanning %s", getProject().getName()); throw new MavenReportException(msg, ex); } } 
@@ -612,8 +610,7 @@ public class DependencyCheckMojo extends ReportAggregationMojo { try { engine = executeDependencyCheck(project); } catch (DatabaseException ex) { - final String msg = String.format("An unrecoverable exception with the dependency-check scan occured while scanning %s", - project.getName()); + final String msg = String.format("An unrecoverable exception with the dependency-check scan occured while scanning %s", project.getName()); throw new MavenReportException(msg, ex); } } @@ -646,8 +643,7 @@ public class DependencyCheckMojo extends ReportAggregationMojo { * @return the output name */ public String getOutputName() { - if ("HTML".equalsIgnoreCase(this.format) - || "ALL".equalsIgnoreCase(this.format)) { + if ("HTML".equalsIgnoreCase(this.format) || "ALL".equalsIgnoreCase(this.format)) { return "dependency-check-report"; } else if ("XML".equalsIgnoreCase(this.format)) { return "dependency-check-report.xml#"; @@ -685,8 +681,7 @@ public class DependencyCheckMojo extends ReportAggregationMojo { * @return the description */ public String getDescription(Locale locale) { - return "A report providing details on any published " - + "vulnerabilities within project dependencies. This report is a best effort but may contain " + return "A report providing details on any published " + "vulnerabilities within project dependencies. This report is a best effort but may contain " + "false positives and false negatives."; } @@ -740,6 +735,7 @@ public class DependencyCheckMojo extends ReportAggregationMojo { protected boolean canGenerateAggregateReport() { return isAggregate() && isLastProject(); } + // // 
@@ -807,12 +803,12 @@ public class DependencyCheckMojo extends ReportAggregationMojo { } } if (summary.length() > 0) { - final String msg = String.format("%n%n" - + "One or more dependencies were identified with known vulnerabilities:%n%n%s" + final String msg = String.format("%n%n" + "One or more dependencies were identified with known vulnerabilities:%n%n%s" + "%n%nSee the dependency-check report for more details.%n%n", summary.toString()); LOGGER.log(Level.WARNING, msg); } } + // // From 5caf023677d8b1974e55c5de2129e7966c009b0e Mon Sep 17 00:00:00 2001 From: Erik Hooijmeijer Date: Wed, 22 Oct 2014 19:08:33 +0200 Subject: [PATCH 2/3] added excludeInternalGroupIds configuration parameter that allows the exclusion of groupIds of internal projects. This is to speed up analysis as internal projects have no public vulnerabilites nor a sonatype listing but do frequently have names that collide with other libraries. The parameter can have multiple values, e.g. nl.someinteral.projectorg.another.one Former-commit-id: ffa0716366c6c7b65d1181f2bd945472b75b5483 --- .../dependencycheck/maven/DependencyCheckMojo.java | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java index cde37376b..bb2fc9561 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java @@ -33,6 +33,7 @@ import java.util.Set; import java.util.logging.Level; import java.util.logging.Logger; +import org.apache.commons.lang.StringUtils; import org.apache.maven.artifact.Artifact; import org.apache.maven.plugin.MojoExecutionException; import org.apache.maven.plugin.MojoFailureException; 
@@ -242,6 +243,13 @@ public class DependencyCheckMojo extends ReportAggregationMojo { @SuppressWarnings("CanBeFinal") @Parameter(property = "skipProvidedScope", defaultValue = "false", required = false) private boolean skipProvidedScope = false; + /** + * Skip Analysis of Dependencies that have a groupId that starts with this string. + * Multiple excludes are allowed by repeating the element. + */ + @SuppressWarnings("CanBeFinal") + @Parameter(property = "excludeInternalGroupIds", required = false) + private String[] excludeInternalGroupIds = new String[0]; /** * The data directory, hold DC SQL DB. */ @@ -362,6 +370,12 @@ public class DependencyCheckMojo extends ReportAggregationMojo { if (skipRuntimeScope && !Artifact.SCOPE_RUNTIME.equals(a.getScope())) { return true; } + for (String groupId : excludeInternalGroupIds) { + if (!StringUtils.isEmpty(groupId) && (a.getGroupId().startsWith(groupId))) { + LOGGER.log(Level.INFO, "Excluding " + a.getGroupId() + ":" + a.getArtifactId()); + return true; + } + } return false; } From f9e4ca0cc2eac7db0e36d729cf34731d32ad13a4 Mon Sep 17 00:00:00 2001 From: Erik Hooijmeijer Date: Wed, 22 Oct 2014 19:10:54 +0200 Subject: [PATCH 3/3] corrected javadoc Former-commit-id: 3e0533a8a36afcacb647610f352bfd854e505272 --- .../owasp/dependencycheck/maven/DependencyCheckMojo.java | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java index bb2fc9561..281dd3b6b 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java 
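Review bot: The exclusion in `excludeFromScan` is a plain prefix test, `a.getGroupId().startsWith(groupId)`, so a configured value of `nl.some` also removes `nl.something` and any other third-party groupId that merely begins with the same characters. Excluded artifacts are never scanned and the only trace is one INFO line, so an over-broad match hides real dependencies from the vulnerability report. Matching on a whole groupId or a dot boundary keeps the feature and removes the accidental matches: `if (!StringUtils.isEmpty(groupId) && (a.getGroupId().equals(groupId) || a.getGroupId().startsWith(groupId + "."))) {`. The parameter Javadoc should then describe that rule and state that matching artifacts are omitted from the analysis. `excludeFromScan` starts outside this hunk.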
@@ -245,7 +245,11 @@ public class DependencyCheckMojo extends ReportAggregationMojo { private boolean skipProvidedScope = false; /** * Skip Analysis of Dependencies that have a groupId that starts with this string. - * Multiple excludes are allowed by repeating the element. + *
+     * <excludeInternalGroupIds>
+     *  <groupId>some.group.id</groupId>
+     * </excludeInternalGroupIds>
+     * 
*/ @SuppressWarnings("CanBeFinal") @Parameter(property = "excludeInternalGroupIds", required = false)