Merge branch 'stevespringett-master'

dependency-check-maven/pom.xml

@@ -171,6 +171,10 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
             <artifactId>maven-core</artifactId>
             <scope>provided</scope>
         </dependency>
+        <dependency>
+            <groupId>org.apache.maven.shared</groupId>
+            <artifactId>file-management</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.apache.maven.plugin-tools</groupId>
             <artifactId>maven-plugin-annotations</artifactId>

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java

@@ -47,6 +47,8 @@ import org.apache.maven.shared.artifact.resolve.ArtifactResolverException;
 import org.apache.maven.shared.dependency.graph.DependencyGraphBuilder;
 import org.apache.maven.shared.dependency.graph.DependencyGraphBuilderException;
 import org.apache.maven.shared.dependency.graph.DependencyNode;
+import org.apache.maven.shared.model.fileset.FileSet;
+import org.apache.maven.shared.model.fileset.util.FileSetManager;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
@@ -494,6 +496,16 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
      */
     private Filter<String> artifactTypeExcluded;
 
+    /**
+     * An array of <code>fileSet</code>s that specify additional files and/or directories
+     * (from the basedir) to analyze as part of the scan. If not specified, defaults to
+     * Maven conventions of:
+     * src/main/resources, src/main/filters, and src/main/webapp
+     */
+    @Parameter(property = "scanSet", required = false)
+    private FileSet[] scanSet;
+
+
     // </editor-fold>
     //<editor-fold defaultstate="collapsed" desc="Base Maven implementation">
     /**
@@ -748,6 +760,36 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
                 exCol.addException(ex);
             }
         }
+
+        // Define the default FileSets
+        if (scanSet == null || scanSet.length == 0) {
+            FileSet resourcesSet = new FileSet();
+            FileSet filtersSet = new FileSet();
+            FileSet webappSet = new FileSet();
+            try {
+                resourcesSet.setDirectory(new File(project.getBasedir(), "src/main/resources").getCanonicalPath());
+                filtersSet.setDirectory(new File(project.getBasedir(), "src/main/filters").getCanonicalPath());
+                webappSet.setDirectory(new File(project.getBasedir(), "src/main/webapp").getCanonicalPath());
+            } catch (IOException ex) {
+                if (exCol == null) {
+                    exCol = new ExceptionCollection();
+                }
+                exCol.addException(ex);
+            }
+            scanSet = new FileSet[] {resourcesSet, filtersSet, webappSet};
+        }
+        // Iterate through FileSets and scan included files
+        FileSetManager fileSetManager = new FileSetManager();
+        for (FileSet fileSet: scanSet) {
+            String[] includedFiles = fileSetManager.getIncludedFiles(fileSet);
+            for (String include: includedFiles) {
+                File includeFile = new File(fileSet.getDirectory(), include).getAbsoluteFile();
+                if (includeFile.exists()) {
+                    engine.scan(includeFile, project.getName());
+                }
+            }
+        }
+
         return exCol;
     }
 

dependency-check-maven/src/site/markdown/configuration.md

@@ -22,6 +22,7 @@ failOnError                 | Whether the build should fail if there is an error
 format                      | The report format to be generated (HTML, XML, CSV, JSON, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
 name                        | The name of the report in the site. | dependency-check or dependency-check:aggregate
 outputDirectory             | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build. | 'target'
+scanSet                     | An optional collection of filesets that specify additional files and/or directories to analyze as part of the scan. If not specified, defaults to standard Maven conventions. | src/main/resources, src/main/filters, src/main/webapp
 skip                        | Skips the dependency-check analysis.                       | false
 skipProvidedScope           | Skip analysis for artifacts with Provided Scope.           | false
 skipRuntimeScope            | Skip analysis for artifacts with Runtime Scope.            | false

pom.xml

@@ -708,6 +708,11 @@ Copyright (c) 2012 - Jeremy Long
                 <artifactId>maven-plugin-api</artifactId>
                 <version>${maven.api.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.apache.maven.shared</groupId>
+                <artifactId>file-management</artifactId>
+                <version>3.0.0</version>
+            </dependency>
             <dependency>
                 <groupId>org.apache.maven</groupId>
                 <artifactId>maven-settings</artifactId>