Add an update only option

Former-commit-id: 67253232762acb61e1400dc60443e556f71db874

dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java

@@ -261,6 +261,27 @@ public class DependencyCheckTask extends Task {
     public void setAutoUpdate(boolean autoUpdate) {
         this.autoUpdate = autoUpdate;
     }
+
+    private boolean updateOnly = false;
+
+    /**
+     * Get the value of updateOnly
+     *
+     * @return the value of updateOnly
+     */
+    public boolean isUpdateOnly() {
+        return updateOnly;
+    }
+
+    /**
+     * Set the value of updateOnly
+     *
+     * @param updateOnly new value of updateOnly
+     */
+    public void setUpdateOnly(boolean updateOnly) {
+        this.updateOnly = updateOnly;
+    }
+
     /**
      * The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the
      * Site plugin unless the externalReport is set to true. Default is HTML.
@@ -912,46 +933,51 @@ public class DependencyCheckTask extends Task {
         Engine engine = null;
         try {
             engine = new Engine(DependencyCheckTask.class.getClassLoader());
-
-            for (Resource resource : path) {
-                final FileProvider provider = resource.as(FileProvider.class);
-                if (provider != null) {
-                    final File file = provider.getFile();
-                    if (file != null && file.exists()) {
-                        engine.scan(file);
-                    }
-                }
-            }
-            try {
-                engine.analyzeDependencies();
-                DatabaseProperties prop = null;
-                CveDB cve = null;
+            //todo - should this be its own task?
+            if (updateOnly) {
+                engine.doUpdates();
+            } else {
                 try {
-                    cve = new CveDB();
-                    cve.open();
-                    prop = cve.getDatabaseProperties();
-                } catch (DatabaseException ex) {
-                    LOGGER.log(Level.FINE, "Unable to retrieve DB Properties", ex);
-                } finally {
-                    if (cve != null) {
-                        cve.close();
+                    for (Resource resource : path) {
+                        final FileProvider provider = resource.as(FileProvider.class);
+                        if (provider != null) {
+                            final File file = provider.getFile();
+                            if (file != null && file.exists()) {
+                                engine.scan(file);
+                            }
+                        }
                     }
-                }
-                final ReportGenerator reporter = new ReportGenerator(applicationName, engine.getDependencies(), engine.getAnalyzers(), prop);
-                reporter.generateReports(reportOutputDirectory, reportFormat);
 
-                if (this.failBuildOnCVSS <= 10) {
-                    checkForFailure(engine.getDependencies());
+                    engine.analyzeDependencies();
+                    DatabaseProperties prop = null;
+                    CveDB cve = null;
+                    try {
+                        cve = new CveDB();
+                        cve.open();
+                        prop = cve.getDatabaseProperties();
+                    } catch (DatabaseException ex) {
+                        LOGGER.log(Level.FINE, "Unable to retrieve DB Properties", ex);
+                    } finally {
+                        if (cve != null) {
+                            cve.close();
+                        }
+                    }
+                    final ReportGenerator reporter = new ReportGenerator(applicationName, engine.getDependencies(), engine.getAnalyzers(), prop);
+                    reporter.generateReports(reportOutputDirectory, reportFormat);
+
+                    if (this.failBuildOnCVSS <= 10) {
+                        checkForFailure(engine.getDependencies());
+                    }
+                    if (this.showSummary) {
+                        showSummary(engine.getDependencies());
+                    }
+                } catch (IOException ex) {
+                    LOGGER.log(Level.FINE, "Unable to generate dependency-check report", ex);
+                    throw new BuildException("Unable to generate dependency-check report", ex);
+                } catch (Exception ex) {
+                    LOGGER.log(Level.FINE, "An exception occurred; unable to continue task", ex);
+                    throw new BuildException("An exception occurred; unable to continue task", ex);
                 }
-                if (this.showSummary) {
-                    showSummary(engine.getDependencies());
-                }
-            } catch (IOException ex) {
-                LOGGER.log(Level.FINE, "Unable to generate dependency-check report", ex);
-                throw new BuildException("Unable to generate dependency-check report", ex);
-            } catch (Exception ex) {
-                LOGGER.log(Level.FINE, "An exception occurred; unable to continue task", ex);
-                throw new BuildException("An exception occurred; unable to continue task", ex);
             }
         } catch (DatabaseException ex) {
             LOGGER.log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped");

dependency-check-ant/src/site/markdown/configuration.md

@@ -26,6 +26,7 @@ The following properties can be set on the dependency-check-maven plugin.
 Property             | Description                        | Default Value
 ---------------------|------------------------------------|------------------
 autoUpdate           | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true
+updateOnly           | If set to true only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated. | false
 externalReport       | When using as a Site plugin this parameter sets whether or not the external report format should be used. | false
 outputDirectory      | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build | 'target'
 failBuildOnCVSS      | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail.         | 11
@@ -53,7 +54,7 @@ zipExtensions           | A comma-separated list of additional file extensions t
 jarAnalyzer             | Sets whether the Jar Analyzer will be used.                                   | true
 centralAnalyzerEnabled  | Sets whether the Central Analyzer will be used. **Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).** If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer (see below).                                  | true
 nexusAnalyzerEnabled    | Sets whether Nexus Analyzer will be used. This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. | true
-nexusUrl                | Defines the Nexus Pro URL. If not set the Nexus Analyzer will be disabled. |  
+nexusUrl                | Defines the Nexus web service endpoint (example http://domain.enterprise/nexus/service/local/). If not set the Nexus Analyzer will be disabled. |  
 nexusUsesProxy          | Whether or not the defined proxy should be used when connecting to Nexus. | true
 nuspecAnalyzerEnabled   | Sets whether or not the .NET Nuget Nuspec Analyzer will be used.          | true
 assemblyAnalyzerEnabled | Sets whether or not the .NET Assembly Analyzer should be used.            | true