re-enabled summary and fail build on CVSS scores

Former-commit-id: f4568c46bfd2933aebf3e8bfe270749846fc4c01

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java

@@ -30,6 +30,7 @@ import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.apache.maven.artifact.Artifact;
 import org.apache.maven.plugin.MojoExecutionException;
+import org.apache.maven.plugin.MojoFailureException;
 import org.apache.maven.plugins.annotations.LifecyclePhase;
 import org.apache.maven.plugins.annotations.Mojo;
 import org.apache.maven.plugins.annotations.ResolutionScope;
@@ -63,8 +64,14 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
      */
     private static final Logger LOGGER = Logger.getLogger(AggregateMojo.class.getName());
 
+    /**
+     * Executes the aggregate dependency-check goal. This runs dependency-check and generates the subsequent reports.
+     *
+     * @throws MojoExecutionException thrown if there is ane exception running the mojo
+     * @throws MojoFailureException thrown if dependency-check is configured to fail the build
+     */
     @Override
-    public void runCheck() throws MojoExecutionException {
+    public void runCheck() throws MojoExecutionException, MojoFailureException {
         final Engine engine = generateDataFile();
         if (getProject() == getReactorProjects().get(getReactorProjects().size() - 1)) {
             final Map<MavenProject, Set<MavenProject>> children = buildAggregateInfo();
@@ -82,7 +89,7 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
                 }
 
                 for (MavenProject reportOn : childProjects) {
-                    List<Dependency> childDeps = readDataFile(reportOn);
+                    final List<Dependency> childDeps = readDataFile(reportOn);
                     if (childDeps != null && !childDeps.isEmpty()) {
                         dependencies.addAll(childDeps);
                     }
@@ -98,7 +105,7 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
                     LOGGER.log(Level.FINE, "Bundling Exception", ex);
                 }
 
-                File outputDir = getCorrectOutputDirectory(current);
+                final File outputDir = getCorrectOutputDirectory(current);
 
                 writeReports(engine, current, outputDir);
             }
@@ -142,9 +149,11 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
 
     /**
      * Builds the parent-child map.
+     *
+     * @return a map of the parent/child relationships
      */
     private Map<MavenProject, Set<MavenProject>> buildAggregateInfo() {
-        Map<MavenProject, Set<MavenProject>> parentChildMap = new HashMap<MavenProject, Set<MavenProject>>();
+        final Map<MavenProject, Set<MavenProject>> parentChildMap = new HashMap<MavenProject, Set<MavenProject>>();
         for (MavenProject proj : getReactorProjects()) {
             Set<MavenProject> depList = parentChildMap.get(proj.getParent());
             if (depList == null) {
@@ -156,7 +165,15 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
         return parentChildMap;
     }
 
-    protected Engine generateDataFile() throws MojoExecutionException {
+    /**
+     * Runs dependency-check's Engine and writes the serialized dependencies to disk.
+     *
+     * @return the Engine used to execute dependency-check
+     * @throws MojoExecutionException thrown if there is an exception running the mojo
+     * @throws MojoFailureException thrown if dependency-check is configured to fail the build if severe CVEs are
+     * identified.
+     */
+    protected Engine generateDataFile() throws MojoExecutionException, MojoFailureException {
         final Engine engine;
         try {
             engine = initializeEngine();
@@ -186,6 +203,8 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
         }
         engine.analyzeDependencies();
         writeDataFile(engine.getDependencies());
+        showSummary(engine.getDependencies());
+        checkForFailure(engine.getDependencies());
         return engine;
     }
 

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java

@@ -330,9 +330,15 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
         runCheck();
     }
 
+    /**
+     * Checks if the aggregate configuration parameter has been set to true. If it has a MojoExecutionException is
+     * thrown because the aggregate configuration parameter is no longer supported.
+     *
+     * @throws MojoExecutionException thrown if aggregate is set to true
+     */
     private void validateAggregate() throws MojoExecutionException {
-        if (aggregate == true) {
+        if (aggregate) {
-            String msg = "Aggregate configuration detected - as of dependency-check 1.2.8 this no longer supported. "
+            final String msg = "Aggregate configuration detected - as of dependency-check 1.2.8 this no longer supported. "
                     + "Please use the aggregate goal instead.";
             throw new MojoExecutionException(msg);
         }
@@ -369,6 +375,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
             runCheck();
         } catch (MojoExecutionException ex) {
             throw new MavenReportException(ex.getMessage(), ex);
+        } catch (MojoFailureException ex) {
+            LOGGER.warning("Vulnerabilities were identifies that exceed the CVSS threshold for failing the build");
         }
     }
 
@@ -390,7 +398,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
      * @throws MojoExecutionException thrown if there is an error loading the file path
      */
     protected File getCorrectOutputDirectory(MavenProject current) throws MojoExecutionException {
-        Object obj = current.getContextValue(getOutputDirectoryContextKey());
+        final Object obj = current.getContextValue(getOutputDirectoryContextKey());
         if (obj != null && obj instanceof File) {
             return (File) obj;
         } else {
@@ -402,8 +410,9 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
      * Executes the dependency-check scan and generates the necassary report.
      *
      * @throws MojoExecutionException thrown if there is an exception running the scan
+     * @throws MojoFailureException thrown if dependency-check is configured to fail the build
      */
-    public abstract void runCheck() throws MojoExecutionException;
+    public abstract void runCheck() throws MojoExecutionException, MojoFailureException;
 
     /**
      * Sets the Reporting output directory.
@@ -722,6 +731,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
      * @throws MojoFailureException thrown if a CVSS score is found that is higher then the threshold set
      */
     protected void checkForFailure(List<Dependency> dependencies) throws MojoFailureException {
+        if (failBuildOnCVSS <= 10) {
             final StringBuilder ids = new StringBuilder();
             for (Dependency d : dependencies) {
                 boolean addName = true;
@@ -744,6 +754,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
                 throw new MojoFailureException(msg);
             }
         }
+    }
 
     /**
      * Generates a warning message listing a summary of dependencies and their associated CPE and CVE entries.
@@ -751,6 +762,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
      * @param dependencies a list of dependency objects
      */
     protected void showSummary(List<Dependency> dependencies) {
+        if (showSummary) {
             final StringBuilder summary = new StringBuilder();
             for (Dependency d : dependencies) {
                 boolean firstEntry = true;
@@ -783,6 +795,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
                 LOGGER.log(Level.WARNING, msg);
             }
         }
+    }
 
     //</editor-fold>
     //<editor-fold defaultstate="collapsed" desc="Methods to read/write the serialized data file">

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java

@@ -24,6 +24,7 @@ import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.apache.maven.artifact.Artifact;
 import org.apache.maven.plugin.MojoExecutionException;
+import org.apache.maven.plugin.MojoFailureException;
 import org.apache.maven.plugins.annotations.LifecyclePhase;
 import org.apache.maven.plugins.annotations.Mojo;
 import org.apache.maven.plugins.annotations.ResolutionScope;
@@ -69,7 +70,13 @@ public class CheckMojo extends BaseDependencyCheckMojo {
         return isCapable;
     }
 
-    public void runCheck() throws MojoExecutionException {
+    /**
+     * Executes the dependency-check engine on the project's dependencies and generates the report.
+     *
+     * @throws MojoExecutionException thrown if there is an exception executing the goal
+     * @throws MojoFailureException thrown if dependency-check is configured to fail the build
+     */
+    public void runCheck() throws MojoExecutionException, MojoFailureException {
         final Engine engine;
         try {
             engine = initializeEngine();
@@ -104,7 +111,10 @@ public class CheckMojo extends BaseDependencyCheckMojo {
             engine.analyzeDependencies();
             writeReports(engine, getProject(), getCorrectOutputDirectory());
             writeDataFile(engine.getDependencies());
+            showSummary(engine.getDependencies());
+            checkForFailure(engine.getDependencies());
         }
+
         engine.cleanup();
         Settings.cleanup();
     }