From af9bc9ec3e4dd0518ff2a186d46f3dd62f2ec12b Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Fri, 21 Jul 2017 06:53:54 -0400
Subject: [PATCH 1/4] updated exception handling

---
 .../org/owasp/dependencycheck/maven/AggregateMojo.java | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java
index 7a0c0b6d5..baac31aed 100644
--- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java
+++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java
@@ -86,6 +86,14 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
                 exCol.getExceptions().addAll(ex.getExceptions());
                 if (ex.isFatal()) {
                     exCol.setFatal(true);
+                    final String msg = String.format("Fatal exception(s) analyzing %s", childProject.getName());
+                    if (this.isFailOnError()) {
+                        throw new MojoExecutionException(msg, exCol);
+                    }
+                    getLog().error(msg);
+                    if (getLog().isDebugEnabled()) {
+                        getLog().debug(exCol);
+                    }
                 }
             }
         }

From 37b9f49467e2172a5a1e5eb7d9b77d77a9548b0a Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Sat, 22 Jul 2017 07:22:37 -0400
Subject: [PATCH 2/4] resolve issue #815

---
 .../broken-suppression.xml | 27 ++++++++++
 .../invoker.properties | 19 +++++++
 .../815-broken-suppression-aggregate/pom.xml | 53 +++++++++++++++++++
 .../dependencycheck/maven/AggregateMojo.java | 3 ++
 4 files changed, 102 insertions(+)
 create mode 100644 dependency-check-maven/src/it/815-broken-suppression-aggregate/broken-suppression.xml
 create mode 100644 dependency-check-maven/src/it/815-broken-suppression-aggregate/invoker.properties
 create mode 100644 dependency-check-maven/src/it/815-broken-suppression-aggregate/pom.xml
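Review bot: The message built on the first added line names only `childProject`, but the cause handed to `MojoExecutionException` is `exCol`, which the context line just above has been accumulating across every child analyzed so far, so the project named in the message and the exception set attached to it can disagree. Passing the child's own collection, `throw new MojoExecutionException(msg, ex);`, or wording the message as an aggregate ("Fatal exception(s) analyzing child projects, last: %s") keeps the two consistent. Separately, when failOnError is false the only error-level output is that one summary line; the individual exception messages surface only under `isDebugEnabled()`, so a user running without `-X` learns that analysis failed but not why — consider logging each entry of `ex.getExceptions()` at error level (its element type is not visible in this hunk). The enclosing method begins and ends outside this hunk.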
diff --git a/dependency-check-maven/src/it/815-broken-suppression-aggregate/broken-suppression.xml b/dependency-check-maven/src/it/815-broken-suppression-aggregate/broken-suppression.xml new file mode 100644 index 000000000..598a56cae --- /dev/null +++ b/dependency-check-maven/src/it/815-broken-suppression-aggregate/broken-suppression.xml @@ -0,0 +1,27 @@ + + + + + + ^com\.vaadin\.external\.google:android-json:.*$ + cpe:/a:google:android + + diff --git a/dependency-check-maven/src/it/815-broken-suppression-aggregate/invoker.properties b/dependency-check-maven/src/it/815-broken-suppression-aggregate/invoker.properties new file mode 100644 index 000000000..8d65ccd95 --- /dev/null +++ b/dependency-check-maven/src/it/815-broken-suppression-aggregate/invoker.properties @@ -0,0 +1,19 @@ +# +# This file is part of dependency-check-core. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# Copyright (c) 2017 The OWASP Foundation. All Rights Reserved. +# +invoker.buildResult = failure +invoker.goals = install ${project.groupId}:${project.artifactId}:${project.version}:aggregate diff --git a/dependency-check-maven/src/it/815-broken-suppression-aggregate/pom.xml b/dependency-check-maven/src/it/815-broken-suppression-aggregate/pom.xml new file mode 100644 index 000000000..e37076fd1 --- /dev/null +++ b/dependency-check-maven/src/it/815-broken-suppression-aggregate/pom.xml 
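Review bot: `invoker.buildResult = failure` is the only assertion this integration test makes, so it passes on any failure of the `aggregate` goal — a failed NVD data download or an unrelated plugin error in CI satisfies it just as well as the broken suppression file it is meant to exercise. Adding a `verify.groovy` that asserts `build.log` mentions the suppression file (or the specific parse error) would pin the failure to the intended cause and keep the test from silently going green for the wrong reason. The contents of broken-suppression.xml are not legible in this patch view, so the exact error text to check is left for the author.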
@@ -0,0 +1,53 @@ + + + + 4.0.0 + org.owasp.test + test-broken-suppression-files + 1.0.0-SNAPSHOT + jar + + + + + com.vaadin.external.google + android-json + 0.0.20131108.vaadin1 + + + com.fasterxml.jackson.dataformat + jackson-dataformat-xml + 2.4.5 + + + + + + + org.owasp + dependency-check-maven + + + ${project.basedir}/broken-suppression.xml + + + + + + diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java index baac31aed..b64e0b489 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java @@ -147,6 +147,9 @@ public class AggregateMojo extends BaseDependencyCheckMojo { } showSummary(this.getProject(), engine.getDependencies()); checkForFailure(engine.getDependencies()); + if (exCol != null && this.isFailOnError()) { + throw new MojoExecutionException("One or more exceptions occurred during dependency-check analysis", exCol); + } engine.cleanup(); Settings.cleanup(); } From 43d71e7665234d0eea9eeba0fb94a7bc0991a323 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 22 Jul 2017 07:23:49 -0400 Subject: [PATCH 3/4] upgraded invoker version so that the threadcount can be increased to reduce build time --- dependency-check-maven/pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dependency-check-maven/pom.xml b/dependency-check-maven/pom.xml index 42233ed3d..187081527 100644 --- a/dependency-check-maven/pom.xml +++ b/dependency-check-maven/pom.xml @@ -217,7 +217,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. org.apache.maven.plugins maven-invoker-plugin - 2.0.0 + 3.0.1 org.codehaus.groovy @@ -228,7 +228,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. - 2 + 4 690-threadsafety/pom.xml 618-aggregator-purge/pom.xml 
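Review bot: The added throw sits directly before `engine.cleanup()` and `Settings.cleanup()`, so when failOnError is set and `exCol` is non-null the method exits without releasing the engine or the settings; the `checkForFailure` call just above presumably already has the same problem, but this hunk adds a second such exit path. Moving the two cleanup calls into a `finally` around the analysis, or invoking them before the throw, avoids leaking those resources on the failure path. Note also that this condition fires for non-fatal exceptions as well (the hunk at line 86 in the first patch already throws for fatal collections when failOnError is set), which appears to be the intent for #815 but is worth stating: `// non-fatal analysis exceptions (e.g. an unreadable suppression file) still fail the build when failOnError is set`. The enclosing method begins outside this hunk.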
From cc2051b308e65f3d162e90eaafe6532ba6dfba32 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 22 Jul 2017 07:24:50 -0400 Subject: [PATCH 4/4] removed un-needed prebuild scripts --- .../prebuild.groovy | 17 ----------- .../prebuild.groovy | 18 ------------ .../it/629-jackson-dataformat/prebuild.groovy | 17 ----------- .../src/it/690-threadsafety/prebuild.groovy | 17 ----------- .../it/710-pom-parse-error/prebuild.groovy | 17 ----------- .../729-system-scope-resolved/prebuild.groovy | 17 ----------- .../729-system-scope-skipped/prebuild.groovy | 17 ----------- .../src/it/false-positives/prebuild.groovy | 28 ------------------- 8 files changed, 148 deletions(-) delete mode 100644 dependency-check-maven/src/it/617-hierarchical-cross-deps/prebuild.groovy delete mode 100644 dependency-check-maven/src/it/618-aggregator-update-only/prebuild.groovy delete mode 100644 dependency-check-maven/src/it/629-jackson-dataformat/prebuild.groovy delete mode 100644 dependency-check-maven/src/it/690-threadsafety/prebuild.groovy delete mode 100644 dependency-check-maven/src/it/710-pom-parse-error/prebuild.groovy delete mode 100644 dependency-check-maven/src/it/729-system-scope-resolved/prebuild.groovy delete mode 100644 dependency-check-maven/src/it/729-system-scope-skipped/prebuild.groovy delete mode 100644 dependency-check-maven/src/it/false-positives/prebuild.groovy diff --git a/dependency-check-maven/src/it/617-hierarchical-cross-deps/prebuild.groovy b/dependency-check-maven/src/it/617-hierarchical-cross-deps/prebuild.groovy deleted file mode 100644 index 9eff4bb5c..000000000 --- a/dependency-check-maven/src/it/617-hierarchical-cross-deps/prebuild.groovy +++ /dev/null 
@@ -1,17 +0,0 @@ -/* - * This file is part of dependency-check-maven. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * Copyright (c) 2014 Jeremy Long. All Rights Reserved. - */ diff --git a/dependency-check-maven/src/it/618-aggregator-update-only/prebuild.groovy b/dependency-check-maven/src/it/618-aggregator-update-only/prebuild.groovy deleted file mode 100644 index 3071d8668..000000000 --- a/dependency-check-maven/src/it/618-aggregator-update-only/prebuild.groovy +++ /dev/null @@ -1,18 +0,0 @@ -/* - * This file is part of dependency-check-maven. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * Copyright (c) 2014 Jeremy Long. All Rights Reserved. - */ - diff --git a/dependency-check-maven/src/it/629-jackson-dataformat/prebuild.groovy b/dependency-check-maven/src/it/629-jackson-dataformat/prebuild.groovy deleted file mode 100644 index 9eff4bb5c..000000000 
--- a/dependency-check-maven/src/it/629-jackson-dataformat/prebuild.groovy +++ /dev/null @@ -1,17 +0,0 @@ -/* - * This file is part of dependency-check-maven. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * Copyright (c) 2014 Jeremy Long. All Rights Reserved. - */ diff --git a/dependency-check-maven/src/it/690-threadsafety/prebuild.groovy b/dependency-check-maven/src/it/690-threadsafety/prebuild.groovy deleted file mode 100644 index 9eff4bb5c..000000000 --- a/dependency-check-maven/src/it/690-threadsafety/prebuild.groovy +++ /dev/null @@ -1,17 +0,0 @@ -/* - * This file is part of dependency-check-maven. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * Copyright (c) 2014 Jeremy Long. All Rights Reserved. - */ diff --git a/dependency-check-maven/src/it/710-pom-parse-error/prebuild.groovy b/dependency-check-maven/src/it/710-pom-parse-error/prebuild.groovy deleted file mode 100644 index 9eff4bb5c..000000000 
--- a/dependency-check-maven/src/it/710-pom-parse-error/prebuild.groovy +++ /dev/null @@ -1,17 +0,0 @@ -/* - * This file is part of dependency-check-maven. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * Copyright (c) 2014 Jeremy Long. All Rights Reserved. - */ diff --git a/dependency-check-maven/src/it/729-system-scope-resolved/prebuild.groovy b/dependency-check-maven/src/it/729-system-scope-resolved/prebuild.groovy deleted file mode 100644 index 9ec3a0a91..000000000 --- a/dependency-check-maven/src/it/729-system-scope-resolved/prebuild.groovy +++ /dev/null @@ -1,17 +0,0 @@ -/* - * This file is part of dependency-check-maven. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * Copyright (c) 2017 Jeremy Long. All Rights Reserved. - */ 
diff --git a/dependency-check-maven/src/it/729-system-scope-skipped/prebuild.groovy b/dependency-check-maven/src/it/729-system-scope-skipped/prebuild.groovy deleted file mode 100644 index 9eff4bb5c..000000000 --- a/dependency-check-maven/src/it/729-system-scope-skipped/prebuild.groovy +++ /dev/null @@ -1,17 +0,0 @@ -/* - * This file is part of dependency-check-maven. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * Copyright (c) 2014 Jeremy Long. All Rights Reserved. - */ diff --git a/dependency-check-maven/src/it/false-positives/prebuild.groovy b/dependency-check-maven/src/it/false-positives/prebuild.groovy deleted file mode 100644 index c1e9eda11..000000000 --- a/dependency-check-maven/src/it/false-positives/prebuild.groovy +++ /dev/null 
@@ -1,28 +0,0 @@ -/* - * This file is part of dependency-check-maven. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * Copyright (c) 2014 Jeremy Long. All Rights Reserved. - */ - -import org.apache.commons.io.FileUtils; - -// Load NVD-CVE if not exist and had been saved in a previous IT -File datasDwl = new File("target/local-repo/org/owasp/dependency-check-data/3.0", "dc.h2.db"); -File datasSave = new File("target/nvd-cve-backup", "dc.h2.db"); - -if (!datasDwl.exists() && datasSave.exists()){ - System.out.println("Load NVD-CVE from backup"); - FileUtils.copyFile(datasSave, datasDwl); -}