re-enabled summary and fail build on CVSS scores

Former-commit-id: f4568c46bfd2933aebf3e8bfe270749846fc4c01

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java

@@ -30,6 +30,7 @@ import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.apache.maven.artifact.Artifact;
 import org.apache.maven.plugin.MojoExecutionException;
+import org.apache.maven.plugin.MojoFailureException;
 import org.apache.maven.plugins.annotations.LifecyclePhase;
 import org.apache.maven.plugins.annotations.Mojo;
 import org.apache.maven.plugins.annotations.ResolutionScope;
@@ -63,8 +64,14 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
      */
     private static final Logger LOGGER = Logger.getLogger(AggregateMojo.class.getName());
 
+    /**
+     * Executes the aggregate dependency-check goal. This runs dependency-check and generates the subsequent reports.
+     *
+     * @throws MojoExecutionException thrown if there is ane exception running the mojo
+     * @throws MojoFailureException thrown if dependency-check is configured to fail the build
+     */
     @Override
-    public void runCheck() throws MojoExecutionException {
+    public void runCheck() throws MojoExecutionException, MojoFailureException {
         final Engine engine = generateDataFile();
         if (getProject() == getReactorProjects().get(getReactorProjects().size() - 1)) {
             final Map<MavenProject, Set<MavenProject>> children = buildAggregateInfo();
@@ -82,7 +89,7 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
                 }
 
                 for (MavenProject reportOn : childProjects) {
-                    List<Dependency> childDeps = readDataFile(reportOn);
+                    final List<Dependency> childDeps = readDataFile(reportOn);
                     if (childDeps != null && !childDeps.isEmpty()) {
                         dependencies.addAll(childDeps);
                     }
@@ -98,7 +105,7 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
                     LOGGER.log(Level.FINE, "Bundling Exception", ex);
                 }
 
-                File outputDir = getCorrectOutputDirectory(current);
+                final File outputDir = getCorrectOutputDirectory(current);
 
                 writeReports(engine, current, outputDir);
             }
@@ -142,9 +149,11 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
 
     /**
      * Builds the parent-child map.
+     *
+     * @return a map of the parent/child relationships
      */
     private Map<MavenProject, Set<MavenProject>> buildAggregateInfo() {
-        Map<MavenProject, Set<MavenProject>> parentChildMap = new HashMap<MavenProject, Set<MavenProject>>();
+        final Map<MavenProject, Set<MavenProject>> parentChildMap = new HashMap<MavenProject, Set<MavenProject>>();
         for (MavenProject proj : getReactorProjects()) {
             Set<MavenProject> depList = parentChildMap.get(proj.getParent());
             if (depList == null) {
@@ -156,7 +165,15 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
         return parentChildMap;
     }
 
-    protected Engine generateDataFile() throws MojoExecutionException {
+    /**
+     * Runs dependency-check's Engine and writes the serialized dependencies to disk.
+     *
+     * @return the Engine used to execute dependency-check
+     * @throws MojoExecutionException thrown if there is an exception running the mojo
+     * @throws MojoFailureException thrown if dependency-check is configured to fail the build if severe CVEs are
+     * identified.
+     */
+    protected Engine generateDataFile() throws MojoExecutionException, MojoFailureException {
         final Engine engine;
         try {
             engine = initializeEngine();
@@ -186,6 +203,8 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
         }
         engine.analyzeDependencies();
         writeDataFile(engine.getDependencies());
+        showSummary(engine.getDependencies());
+        checkForFailure(engine.getDependencies());
         return engine;
     }
 

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java

@@ -330,9 +330,15 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
         runCheck();
     }
 
+    /**
+     * Checks if the aggregate configuration parameter has been set to true. If it has a MojoExecutionException is
+     * thrown because the aggregate configuration parameter is no longer supported.
+     *
+     * @throws MojoExecutionException thrown if aggregate is set to true
+     */
     private void validateAggregate() throws MojoExecutionException {
-        if (aggregate == true) {
+        if (aggregate) {
-            String msg = "Aggregate configuration detected - as of dependency-check 1.2.8 this no longer supported. "
+            final String msg = "Aggregate configuration detected - as of dependency-check 1.2.8 this no longer supported. "
                     + "Please use the aggregate goal instead.";
             throw new MojoExecutionException(msg);
         }
@@ -369,6 +375,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
             runCheck();
         } catch (MojoExecutionException ex) {
             throw new MavenReportException(ex.getMessage(), ex);
+        } catch (MojoFailureException ex) {
+            LOGGER.warning("Vulnerabilities were identifies that exceed the CVSS threshold for failing the build");
         }
     }
 
@@ -390,7 +398,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
      * @throws MojoExecutionException thrown if there is an error loading the file path
      */
     protected File getCorrectOutputDirectory(MavenProject current) throws MojoExecutionException {
-        Object obj = current.getContextValue(getOutputDirectoryContextKey());
+        final Object obj = current.getContextValue(getOutputDirectoryContextKey());
         if (obj != null && obj instanceof File) {
             return (File) obj;
         } else {
@@ -402,8 +410,9 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
      * Executes the dependency-check scan and generates the necassary report.
      *
      * @throws MojoExecutionException thrown if there is an exception running the scan
+     * @throws MojoFailureException thrown if dependency-check is configured to fail the build
      */
-    public abstract void runCheck() throws MojoExecutionException;
+    public abstract void runCheck() throws MojoExecutionException, MojoFailureException;
 
     /**
      * Sets the Reporting output directory.
@@ -722,26 +731,28 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
      * @throws MojoFailureException thrown if a CVSS score is found that is higher then the threshold set
      */
     protected void checkForFailure(List<Dependency> dependencies) throws MojoFailureException {
-        final StringBuilder ids = new StringBuilder();
+        if (failBuildOnCVSS <= 10) {
-        for (Dependency d : dependencies) {
+            final StringBuilder ids = new StringBuilder();
-            boolean addName = true;
+            for (Dependency d : dependencies) {
-            for (Vulnerability v : d.getVulnerabilities()) {
+                boolean addName = true;
-                if (v.getCvssScore() >= failBuildOnCVSS) {
+                for (Vulnerability v : d.getVulnerabilities()) {
-                    if (addName) {
+                    if (v.getCvssScore() >= failBuildOnCVSS) {
-                        addName = false;
+                        if (addName) {
-                        ids.append(NEW_LINE).append(d.getFileName()).append(": ");
+                            addName = false;
-                        ids.append(v.getName());
+                            ids.append(NEW_LINE).append(d.getFileName()).append(": ");
-                    } else {
+                            ids.append(v.getName());
-                        ids.append(", ").append(v.getName());
+                        } else {
+                            ids.append(", ").append(v.getName());
+                        }
                     }
                 }
             }
-        }
+            if (ids.length() > 0) {
-        if (ids.length() > 0) {
+                final String msg = String.format("%n%nDependency-Check Failure:%n"
-            final String msg = String.format("%n%nDependency-Check Failure:%n"
+                        + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater then '%.1f': %s%n"
-                    + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater then '%.1f': %s%n"
+                        + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids.toString());
-                    + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids.toString());
+                throw new MojoFailureException(msg);
-            throw new MojoFailureException(msg);
+            }
         }
     }
 
@@ -751,36 +762,38 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
      * @param dependencies a list of dependency objects
      */
     protected void showSummary(List<Dependency> dependencies) {
-        final StringBuilder summary = new StringBuilder();
+        if (showSummary) {
-        for (Dependency d : dependencies) {
+            final StringBuilder summary = new StringBuilder();
-            boolean firstEntry = true;
+            for (Dependency d : dependencies) {
-            final StringBuilder ids = new StringBuilder();
+                boolean firstEntry = true;
-            for (Vulnerability v : d.getVulnerabilities()) {
+                final StringBuilder ids = new StringBuilder();
-                if (firstEntry) {
+                for (Vulnerability v : d.getVulnerabilities()) {
-                    firstEntry = false;
-                } else {
-                    ids.append(", ");
-                }
-                ids.append(v.getName());
-            }
-            if (ids.length() > 0) {
-                summary.append(d.getFileName()).append(" (");
-                firstEntry = true;
-                for (Identifier id : d.getIdentifiers()) {
                     if (firstEntry) {
                         firstEntry = false;
                     } else {
-                        summary.append(", ");
+                        ids.append(", ");
                     }
-                    summary.append(id.getValue());
+                    ids.append(v.getName());
+                }
+                if (ids.length() > 0) {
+                    summary.append(d.getFileName()).append(" (");
+                    firstEntry = true;
+                    for (Identifier id : d.getIdentifiers()) {
+                        if (firstEntry) {
+                            firstEntry = false;
+                        } else {
+                            summary.append(", ");
+                        }
+                        summary.append(id.getValue());
+                    }
+                    summary.append(") : ").append(ids).append(NEW_LINE);
                 }
-                summary.append(") : ").append(ids).append(NEW_LINE);
             }
-        }
+            if (summary.length() > 0) {
-        if (summary.length() > 0) {
+                final String msg = String.format("%n%n" + "One or more dependencies were identified with known vulnerabilities:%n%n%s"
-            final String msg = String.format("%n%n" + "One or more dependencies were identified with known vulnerabilities:%n%n%s"
+                        + "%n%nSee the dependency-check report for more details.%n%n", summary.toString());
-                    + "%n%nSee the dependency-check report for more details.%n%n", summary.toString());
+                LOGGER.log(Level.WARNING, msg);
-            LOGGER.log(Level.WARNING, msg);
+            }
         }
     }
 

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java

@@ -24,6 +24,7 @@ import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.apache.maven.artifact.Artifact;
 import org.apache.maven.plugin.MojoExecutionException;
+import org.apache.maven.plugin.MojoFailureException;
 import org.apache.maven.plugins.annotations.LifecyclePhase;
 import org.apache.maven.plugins.annotations.Mojo;
 import org.apache.maven.plugins.annotations.ResolutionScope;
@@ -69,7 +70,13 @@ public class CheckMojo extends BaseDependencyCheckMojo {
         return isCapable;
     }
 
-    public void runCheck() throws MojoExecutionException {
+    /**
+     * Executes the dependency-check engine on the project's dependencies and generates the report.
+     *
+     * @throws MojoExecutionException thrown if there is an exception executing the goal
+     * @throws MojoFailureException thrown if dependency-check is configured to fail the build
+     */
+    public void runCheck() throws MojoExecutionException, MojoFailureException {
         final Engine engine;
         try {
             engine = initializeEngine();
@@ -104,7 +111,10 @@ public class CheckMojo extends BaseDependencyCheckMojo {
             engine.analyzeDependencies();
             writeReports(engine, getProject(), getCorrectOutputDirectory());
             writeDataFile(engine.getDependencies());
+            showSummary(engine.getDependencies());
+            checkForFailure(engine.getDependencies());
         }
+
         engine.cleanup();
         Settings.cleanup();
     }