From dfaa5df9658d78b31d3a4d9aa9d9215e593ec070 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Wed, 24 Dec 2014 08:34:05 -0500
Subject: [PATCH] re-enabled summary and fail build on CVSS scores

Former-commit-id: f4568c46bfd2933aebf3e8bfe270749846fc4c01
---
 .../dependencycheck/maven/AggregateMojo.java | 29 ++++-
 .../maven/BaseDependencyCheckMojo.java | 103 ++++++++++--------
 .../dependencycheck/maven/CheckMojo.java | 12 +-
 3 files changed, 93 insertions(+), 51 deletions(-)

diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java
index 25a6d520b..5a6c77112 100644
--- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java
+++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java
@@ -30,6 +30,7 @@ import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.apache.maven.artifact.Artifact;
 import org.apache.maven.plugin.MojoExecutionException;
+import org.apache.maven.plugin.MojoFailureException;
 import org.apache.maven.plugins.annotations.LifecyclePhase;
 import org.apache.maven.plugins.annotations.Mojo;
 import org.apache.maven.plugins.annotations.ResolutionScope;
@@ -63,8 +64,14 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
      */
     private static final Logger LOGGER = Logger.getLogger(AggregateMojo.class.getName());
 
+    /**
+     * Executes the aggregate dependency-check goal. This runs dependency-check and generates the subsequent reports.
+     *
+     * @throws MojoExecutionException thrown if there is ane exception running the mojo
+     * @throws MojoFailureException thrown if dependency-check is configured to fail the build
+     */
     @Override
-    public void runCheck() throws MojoExecutionException {
+    public void runCheck() throws MojoExecutionException, MojoFailureException {
         final Engine engine = generateDataFile();
         if (getProject() == getReactorProjects().get(getReactorProjects().size() - 1)) {
             final Map> children = buildAggregateInfo();
@@ -82,7 +89,7 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
                 }
                 for (MavenProject reportOn : childProjects) {
-                    List childDeps = readDataFile(reportOn);
+                    final List childDeps = readDataFile(reportOn);
                     if (childDeps != null && !childDeps.isEmpty()) {
                         dependencies.addAll(childDeps);
                     }
@@ -98,7 +105,7 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
                     LOGGER.log(Level.FINE, "Bundling Exception", ex);
                 }
-                File outputDir = getCorrectOutputDirectory(current);
+                final File outputDir = getCorrectOutputDirectory(current);
                 writeReports(engine, current, outputDir);
             }
@@ -142,9 +149,11 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
     /**
      * Builds the parent-child map.
+     *
+     * @return a map of the parent/child relationships
      */
     private Map> buildAggregateInfo() {
-        Map> parentChildMap = new HashMap>();
+        final Map> parentChildMap = new HashMap>();
         for (MavenProject proj : getReactorProjects()) {
             Set depList = parentChildMap.get(proj.getParent());
             if (depList == null) {
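Review bot: The new Javadoc on AggregateMojo.runCheck has a typo in its first @throws line (`ane exception`); it should read `@throws MojoExecutionException thrown if there is an exception running the mojo`. The remaining hunks on this line are `final` qualifiers and a @return tag and need nothing further; runCheck's body continues past the first hunk.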
@@ -156,7 +165,15 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
         return parentChildMap;
     }
 
-    protected Engine generateDataFile() throws MojoExecutionException {
+    /**
+     * Runs dependency-check's Engine and writes the serialized dependencies to disk.
+     *
+     * @return the Engine used to execute dependency-check
+     * @throws MojoExecutionException thrown if there is an exception running the mojo
+     * @throws MojoFailureException thrown if dependency-check is configured to fail the build if severe CVEs are
+     * identified.
+     */
+    protected Engine generateDataFile() throws MojoExecutionException, MojoFailureException {
         final Engine engine;
         try {
             engine = initializeEngine();
@@ -186,6 +203,8 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
         }
         engine.analyzeDependencies();
         writeDataFile(engine.getDependencies());
+        showSummary(engine.getDependencies());
+        checkForFailure(engine.getDependencies());
         return engine;
     }
 
diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index 4b38c9eb3..6e7625d3a 100644
--- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
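Review bot: In generateDataFile the new `checkForFailure(engine.getDependencies())` call throws MojoFailureException before control returns to runCheck, and runCheck only reaches `writeReports(engine, current, outputDir)` after generateDataFile returns, so a module that exceeds the CVSS threshold aborts the aggregate goal before any report is written even though the failure text tells the user to consult the report. Consider leaving generateDataFile to write the data file and show the summary, and moving the checkForFailure call into runCheck after the reports for the last reactor project have been written, or catching the failure there, writing the reports, and rethrowing. Whether engine.cleanup() still runs on the failure path cannot be seen from this hunk; generateDataFile's body between the two hunks is outside view.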
@@ -330,9 +330,15 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
         runCheck();
     }
 
+    /**
+     * Checks if the aggregate configuration parameter has been set to true. If it has a MojoExecutionException is
+     * thrown because the aggregate configuration parameter is no longer supported.
+     *
+     * @throws MojoExecutionException thrown if aggregate is set to true
+     */
     private void validateAggregate() throws MojoExecutionException {
-        if (aggregate == true) {
-            String msg = "Aggregate configuration detected - as of dependency-check 1.2.8 this no longer supported. "
+        if (aggregate) {
+            final String msg = "Aggregate configuration detected - as of dependency-check 1.2.8 this no longer supported. "
                     + "Please use the aggregate goal instead.";
             throw new MojoExecutionException(msg);
         }
@@ -369,6 +375,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
             runCheck();
         } catch (MojoExecutionException ex) {
             throw new MavenReportException(ex.getMessage(), ex);
+        } catch (MojoFailureException ex) {
+            LOGGER.warning("Vulnerabilities were identifies that exceed the CVSS threshold for failing the build");
         }
     }
 
@@ -390,7 +398,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
      * @throws MojoExecutionException thrown if there is an error loading the file path
      */
     protected File getCorrectOutputDirectory(MavenProject current) throws MojoExecutionException {
-        Object obj = current.getContextValue(getOutputDirectoryContextKey());
+        final Object obj = current.getContextValue(getOutputDirectoryContextKey());
         if (obj != null && obj instanceof File) {
             return (File) obj;
         } else {
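Review bot: The new `catch (MojoFailureException ex)` in the report path discards the exception entirely, and its message is the only place the offending dependencies and their vulnerability names are listed (see the checkForFailure hunk further down), so the site build logs a one-line warning with no detail; the log text also has a typo (`identifies`). Since this path intentionally does not fail the build, the warning should at least carry the detail: `LOGGER.log(Level.WARNING, "Vulnerabilities were identified that exceed the CVSS threshold for failing the build: {0}", ex.getMessage());`. The enclosing method starts outside this hunk.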
@@ -402,8 +410,9 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
      * Executes the dependency-check scan and generates the necassary report.
      *
      * @throws MojoExecutionException thrown if there is an exception running the scan
+     * @throws MojoFailureException thrown if dependency-check is configured to fail the build
      */
-    public abstract void runCheck() throws MojoExecutionException;
+    public abstract void runCheck() throws MojoExecutionException, MojoFailureException;
 
     /**
      * Sets the Reporting output directory.
@@ -722,26 +731,28 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
      * @throws MojoFailureException thrown if a CVSS score is found that is higher then the threshold set
      */
     protected void checkForFailure(List dependencies) throws MojoFailureException {
-        final StringBuilder ids = new StringBuilder();
-        for (Dependency d : dependencies) {
-            boolean addName = true;
-            for (Vulnerability v : d.getVulnerabilities()) {
-                if (v.getCvssScore() >= failBuildOnCVSS) {
-                    if (addName) {
-                        addName = false;
-                        ids.append(NEW_LINE).append(d.getFileName()).append(": ");
-                        ids.append(v.getName());
-                    } else {
-                        ids.append(", ").append(v.getName());
+        if (failBuildOnCVSS <= 10) {
+            final StringBuilder ids = new StringBuilder();
+            for (Dependency d : dependencies) {
+                boolean addName = true;
+                for (Vulnerability v : d.getVulnerabilities()) {
+                    if (v.getCvssScore() >= failBuildOnCVSS) {
+                        if (addName) {
+                            addName = false;
+                            ids.append(NEW_LINE).append(d.getFileName()).append(": ");
+                            ids.append(v.getName());
+                        } else {
+                            ids.append(", ").append(v.getName());
+                        }
                     }
                 }
             }
-        }
-        if (ids.length() > 0) {
-            final String msg = String.format("%n%nDependency-Check Failure:%n"
-                    + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater then '%.1f': %s%n"
-                    + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids.toString());
-            throw new MojoFailureException(msg);
+            if (ids.length() > 0) {
+                final String msg = String.format("%n%nDependency-Check Failure:%n"
+                        + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater then '%.1f': %s%n"
+                        + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids.toString());
+                throw new MojoFailureException(msg);
+            }
         }
     }
 
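Review bot: The failure message still says a CVSS score `greater then '%.1f'` while the comparison on the new `if (v.getCvssScore() >= failBuildOnCVSS)` line is inclusive, so a vulnerability scoring exactly the configured threshold fails the build but is reported as exceeding it; change the format string to `"One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '%.1f': %s%n"` and fix the method Javadoc (`higher then`) to match. The new `if (failBuildOnCVSS <= 10)` guard hard-codes the maximum CVSS score as a bare literal; a named constant typed to match failBuildOnCVSS (its declaration is outside this hunk) would document that any threshold above 10 deliberately disables the check.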
@@ -751,36 +762,38 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
      * @param dependencies a list of dependency objects
      */
     protected void showSummary(List dependencies) {
-        final StringBuilder summary = new StringBuilder();
-        for (Dependency d : dependencies) {
-            boolean firstEntry = true;
-            final StringBuilder ids = new StringBuilder();
-            for (Vulnerability v : d.getVulnerabilities()) {
-                if (firstEntry) {
-                    firstEntry = false;
-                } else {
-                    ids.append(", ");
-                }
-                ids.append(v.getName());
-            }
-            if (ids.length() > 0) {
-                summary.append(d.getFileName()).append(" (");
-                firstEntry = true;
-                for (Identifier id : d.getIdentifiers()) {
+        if (showSummary) {
+            final StringBuilder summary = new StringBuilder();
+            for (Dependency d : dependencies) {
+                boolean firstEntry = true;
+                final StringBuilder ids = new StringBuilder();
+                for (Vulnerability v : d.getVulnerabilities()) {
                     if (firstEntry) {
                         firstEntry = false;
                     } else {
-                        summary.append(", ");
+                        ids.append(", ");
                     }
-                    summary.append(id.getValue());
+                    ids.append(v.getName());
+                }
+                if (ids.length() > 0) {
+                    summary.append(d.getFileName()).append(" (");
+                    firstEntry = true;
+                    for (Identifier id : d.getIdentifiers()) {
+                        if (firstEntry) {
+                            firstEntry = false;
+                        } else {
+                            summary.append(", ");
+                        }
+                        summary.append(id.getValue());
+                    }
+                    summary.append(") : ").append(ids).append(NEW_LINE);
                 }
-                summary.append(") : ").append(ids).append(NEW_LINE);
             }
-        }
-        if (summary.length() > 0) {
-            final String msg = String.format("%n%n" + "One or more dependencies were identified with known vulnerabilities:%n%n%s"
-                    + "%n%nSee the dependency-check report for more details.%n%n", summary.toString());
-            LOGGER.log(Level.WARNING, msg);
+            if (summary.length() > 0) {
+                final String msg = String.format("%n%n" + "One or more dependencies were identified with known vulnerabilities:%n%n%s"
+                        + "%n%nSee the dependency-check report for more details.%n%n", summary.toString());
+                LOGGER.log(Level.WARNING, msg);
+            }
         }
     }
 
diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java
index c1fb6d145..5ec35870e 100644
--- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java
+++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java
@@ -24,6 +24,7 @@ import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.apache.maven.artifact.Artifact;
 import org.apache.maven.plugin.MojoExecutionException;
+import org.apache.maven.plugin.MojoFailureException;
 import org.apache.maven.plugins.annotations.LifecyclePhase;
 import org.apache.maven.plugins.annotations.Mojo;
 import org.apache.maven.plugins.annotations.ResolutionScope;
@@ -69,7 +70,13 @@ public class CheckMojo extends BaseDependencyCheckMojo {
         return isCapable;
     }
 
-    public void runCheck() throws MojoExecutionException {
+    /**
+     * Executes the dependency-check engine on the project's dependencies and generates the report.
+     *
+     * @throws MojoExecutionException thrown if there is an exception executing the goal
+     * @throws MojoFailureException thrown if dependency-check is configured to fail the build
+     */
+    public void runCheck() throws MojoExecutionException, MojoFailureException {
         final Engine engine;
         try {
             engine = initializeEngine();
@@ -104,7 +111,10 @@ public class CheckMojo extends BaseDependencyCheckMojo {
             engine.analyzeDependencies();
             writeReports(engine, getProject(), getCorrectOutputDirectory());
             writeDataFile(engine.getDependencies());
+            showSummary(engine.getDependencies());
+            checkForFailure(engine.getDependencies());
         }
+        engine.cleanup();
         Settings.cleanup();
     }
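Review bot: The added `engine.cleanup()` and the existing `Settings.cleanup()` sit after the new `checkForFailure(engine.getDependencies())` call, which throws MojoFailureException whenever the threshold is exceeded, so on exactly the path this commit introduces both cleanups are skipped. Move the analysis, report writing and the two new calls into a `try` block whose `finally` runs `engine.cleanup(); Settings.cleanup();` so whatever Engine.cleanup() releases is released whether or not the build fails; AggregateMojo.generateDataFile in this commit has the same ordering and should get the same treatment. runCheck's body starts outside this hunk, so the block that the `}` before engine.cleanup() closes is not visible here.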