From b8edcaeaf89c15c8e2c71f5bb54c8f2a1cd9c35c Mon Sep 17 00:00:00 2001 From: stevespringett Date: Sat, 22 Jul 2017 15:10:42 -0500 Subject: [PATCH] Adds Maven support for specifying multiple filesets in a 'scanSet'. #773 --- dependency-check-maven/pom.xml | 4 ++ .../maven/BaseDependencyCheckMojo.java | 42 +++++++++++++++++++ .../src/site/markdown/configuration.md | 1 + pom.xml | 5 +++ 4 files changed, 52 insertions(+) diff --git a/dependency-check-maven/pom.xml b/dependency-check-maven/pom.xml index 187081527..591467488 100644 --- a/dependency-check-maven/pom.xml +++ b/dependency-check-maven/pom.xml @@ -171,6 +171,10 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. maven-core provided + + org.apache.maven.shared + file-management + org.apache.maven.plugin-tools maven-plugin-annotations diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java index 6d26ef4ae..3e6cac416 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java @@ -47,6 +47,8 @@ import org.apache.maven.shared.artifact.resolve.ArtifactResolverException; import org.apache.maven.shared.dependency.graph.DependencyGraphBuilder; import org.apache.maven.shared.dependency.graph.DependencyGraphBuilderException; import org.apache.maven.shared.dependency.graph.DependencyNode; +import org.apache.maven.shared.model.fileset.FileSet; +import org.apache.maven.shared.model.fileset.util.FileSetManager; import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.data.nexus.MavenArtifact; import org.owasp.dependencycheck.data.nvdcve.DatabaseException; 
@@ -494,6 +496,16 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma */ private Filter artifactTypeExcluded; + /** + * An array of fileSets that specify additional files and/or directories + * (from the basedir) to analyze as part of the scan. If not specified, defaults to + * Maven conventions of: + * src/main/resources, src/main/filters, and src/main/webapp + */ + @Parameter(property = "scanSet", required = false) + private FileSet[] scanSet; + + // // /** @@ -748,6 +760,36 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma exCol.addException(ex); } } + + // Define the default FileSets + if (scanSet == null || scanSet.length == 0) { + FileSet resourcesSet = new FileSet(); + FileSet filtersSet = new FileSet(); + FileSet webappSet = new FileSet(); + try { + resourcesSet.setDirectory(new File(project.getBasedir(), "src/main/resources").getCanonicalPath()); + filtersSet.setDirectory(new File(project.getBasedir(), "src/main/filters").getCanonicalPath()); + webappSet.setDirectory(new File(project.getBasedir(), "src/main/webapp").getCanonicalPath()); + } catch (IOException ex) { + if (exCol == null) { + exCol = new ExceptionCollection(); + } + exCol.addException(ex); + } + scanSet = new FileSet[] {resourcesSet, filtersSet, webappSet}; + } + // Iterate through FileSets and scan included files + FileSetManager fileSetManager = new FileSetManager(); + for (FileSet fileSet: scanSet) { + String[] includedFiles = fileSetManager.getIncludedFiles(fileSet); + for (String include: includedFiles) { + File includeFile = new File(fileSet.getDirectory(), include).getAbsoluteFile(); + if (includeFile.exists()) { + engine.scan(includeFile, project.getName()); + } + } + } + return exCol; } diff --git a/dependency-check-maven/src/site/markdown/configuration.md b/dependency-check-maven/src/site/markdown/configuration.md index b2abb8686..6803b177e 100644 --- a/dependency-check-maven/src/site/markdown/configuration.md 
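Review bot: `@Parameter(property = "scanSet", required = false)` on a `FileSet[]` is, as far as I can tell, not something Maven can honour: a `-DscanSet=...` property arrives as a single String and there is no converter from that to an array of `FileSet` objects, so the attribute advertises a command-line option that cannot work; I would drop `property` and keep `@Parameter(required = false)`, or state in the Javadoc that the parameter is POM-only. The Javadoc also promises the directories are taken "(from the basedir)", which nothing in this hunk establishes for a user-supplied fileset; until such resolution exists I would reword it to `* Each fileset's <directory> is used as given; the defaults are resolved against the project basedir.` The field belongs to BaseDependencyCheckMojo, whose class body starts and ends outside the hunk.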
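Review bot: When `getCanonicalPath()` throws, the catch block records the `IOException` but execution falls straight through to `scanSet = new FileSet[] {resourcesSet, filtersSet, webappSet};` and into the scan loop, so `fileSetManager.getIncludedFiles(fileSet)` and `new File(fileSet.getDirectory(), include)` run on filesets whose directory is still null, and the resulting NullPointerException escapes the method instead of landing in `exCol`. Separately, a user-supplied relative `<directory>` is resolved by `new File(fileSet.getDirectory(), include)` against the JVM working directory rather than `project.getBasedir()`, which in a multi-module build is the reactor root and not the module the `scanSet` Javadoc describes; I cannot confirm from here how `FileSetManager` itself resolves a relative directory, but the new-side `File` construction certainly does so. Building the defaults with `getAbsolutePath()` removes the throwing call entirely, and resolving relative directories against the basedir before scanning addresses the second point; the rewritten lines are below. The enclosing method starts outside the hunk.
```java
        // … unchanged: artifact/dependency processing and exception collection …

        // Define the default FileSets. getAbsolutePath() cannot throw, so every
        // FileSet handed to the loop below carries a non-null directory.
        if (scanSet == null || scanSet.length == 0) {
            final String[] defaultDirs = {"src/main/resources", "src/main/filters", "src/main/webapp"};
            scanSet = new FileSet[defaultDirs.length];
            for (int i = 0; i < defaultDirs.length; i++) {
                scanSet[i] = new FileSet();
                scanSet[i].setDirectory(new File(project.getBasedir(), defaultDirs[i]).getAbsolutePath());
            }
        }
        // Iterate through FileSets and scan included files
        final FileSetManager fileSetManager = new FileSetManager();
        for (FileSet fileSet : scanSet) {
            if (fileSet.getDirectory() == null) {
                continue; // a <fileSet> without a <directory> has nothing to scan
            }
            // A relative <directory> is resolved against the module basedir, not the JVM working directory.
            File scanBase = new File(fileSet.getDirectory());
            if (!scanBase.isAbsolute()) {
                scanBase = new File(project.getBasedir(), fileSet.getDirectory());
                fileSet.setDirectory(scanBase.getAbsolutePath());
            }
            for (String include : fileSetManager.getIncludedFiles(fileSet)) {
                final File includeFile = new File(scanBase, include).getAbsoluteFile();
                if (includeFile.exists()) {
                    engine.scan(includeFile, project.getName());
                }
            }
        }

        // … unchanged: return exCol …
```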
+++ b/dependency-check-maven/src/site/markdown/configuration.md @@ -22,6 +22,7 @@ failOnError | Whether the build should fail if there is an error format | The report format to be generated (HTML, XML, CSV, JSON, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML name | The name of the report in the site. | dependency-check or dependency-check:aggregate outputDirectory | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build. | 'target' +scanSet | An optional collection of filesets that specify additional files and/or directories to analyze as part of the scan. If not specified, defaults to standard Maven conventions. | src/main/resources, src/main/filters, src/main/webapp skip | Skips the dependency-check analysis. | false skipProvidedScope | Skip analysis for artifacts with Provided Scope. | false skipRuntimeScope | Skip analysis for artifacts with Runtime Scope. | false diff --git a/pom.xml b/pom.xml index e40912d5b..047154aec 100644 --- a/pom.xml +++ b/pom.xml @@ -708,6 +708,11 @@ Copyright (c) 2012 - Jeremy Long maven-plugin-api ${maven.api.version} + + org.apache.maven.shared + file-management + 3.0.0 + org.apache.maven maven-settings