Coverage Report

Coverage Report - org.owasp.dependencycheck.taskdefs.DependencyCheckTask

Classes in this File

Line Coverage

Branch Coverage

Complexity

DependencyCheckTask

58%

103/177

46%

38/82

2.325

DependencyCheckTask$ReportFormats

100%

7/7

100%

2/2

2.325

 /*
  * This file is part of dependency-check-ant.
  *
  * Dependency-check-ant is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
  * Dependency-check-ant is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
  * dependency-check-ant. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.taskdefs;
 
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.apache.tools.ant.BuildException;
 import org.apache.tools.ant.Task;
 import org.apache.tools.ant.types.EnumeratedAttribute;
 import org.apache.tools.ant.types.Reference;
 import org.apache.tools.ant.types.Resource;
 import org.apache.tools.ant.types.ResourceCollection;
 import org.apache.tools.ant.types.resources.FileProvider;
 import org.apache.tools.ant.types.resources.Resources;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.reporting.ReportGenerator;
 import org.owasp.dependencycheck.reporting.ReportGenerator.Format;
 import org.owasp.dependencycheck.utils.LogUtils;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
  * An Ant task definition to execute dependency-check during an Ant build.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public class DependencyCheckTask extends Task {
 
     /**
      * The properties file location.
      */
     private static final String PROPERTIES_FILE = "task.properties";
     /**
      * Name of the logging properties file.
      */
     private static final String LOG_PROPERTIES_FILE = "log.properties";
     /**
      * System specific new line character.
      */
     private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();
 
     /**
      * Construct a new DependencyCheckTask.
      */
     public DependencyCheckTask() {
         super();
     }
     //The following code was copied Apache Ant PathConvert
     //BEGIN COPY from org.apache.tools.ant.taskdefs.PathConvert
     /**
      * Path to be converted
      */
     private Resources path = null;
     /**
      * Reference to path/fileset to convert
      */
     private Reference refid = null;
 
     /**
      * Add an arbitrary ResourceCollection.
      *
      * @param rc the ResourceCollection to add.
      * @since Ant 1.7
      */
     public void add(ResourceCollection rc) {
         if (isReference()) {
             throw new BuildException("Nested elements are not allowed when using the refid attribute.");
         }
         getPath().add(rc);
     }
 
     /**
      * Returns the path. If the path has not been initialized yet, this class is
      * synchronized, and will instantiate the path object.
      *
      * @return the path
      */
     private synchronized Resources getPath() {
         if (path == null) {
             path = new Resources(getProject());
             path.setCache(true);
         }
         return path;
     }
 
     /**
      * Learn whether the refid attribute of this element been set.
      *
      * @return true if refid is valid.
      */
     public boolean isReference() {
         return refid != null;
     }
 
     /**
      * Add a reference to a Path, FileSet, DirSet, or FileList defined
      * elsewhere.
      *
      * @param r the reference to a path, fileset, dirset or filelist.
      */
     public void setRefid(Reference r) {
         if (path != null) {
             throw new BuildException("Nested elements are not allowed when using the refid attribute.");
         }
         refid = r;
     }
 
     /**
      * If this is a reference, this method will add the referenced resource
      * collection to the collection of paths.
      *
      * @throws BuildException if the reference is not to a resource collection
      */
     private void dealWithReferences() throws BuildException {
         if (isReference()) {
             final Object o = refid.getReferencedObject(getProject());
             if (!(o instanceof ResourceCollection)) {
                 throw new BuildException("refid '" + refid.getRefId()
                         + "' does not refer to a resource collection.");
             }
             getPath().add((ResourceCollection) o);
         }
     }
     // END COPY from org.apache.tools.ant.taskdefs
     /**
      * The application name for the report.
      */
     private String applicationName = "Dependency-Check";
 
     /**
      * Get the value of applicationName.
      *
      * @return the value of applicationName
      */
     public String getApplicationName() {
         return applicationName;
     }
 
     /**
      * Set the value of applicationName.
      *
      * @param applicationName new value of applicationName
      */
     public void setApplicationName(String applicationName) {
         this.applicationName = applicationName;
     }
     /**
      * The location of the data directory that contains
      */
     private String dataDirectory = null;
 
     /**
      * Get the value of dataDirectory.
      *
      * @return the value of dataDirectory
      */
     public String getDataDirectory() {
         return dataDirectory;
     }
 
     /**
      * Set the value of dataDirectory.
      *
      * @param dataDirectory new value of dataDirectory
      */
     public void setDataDirectory(String dataDirectory) {
         this.dataDirectory = dataDirectory;
     }
     /**
      * Specifies the destination directory for the generated Dependency-Check
      * report.
      */
     private String reportOutputDirectory = ".";
 
     /**
      * Get the value of reportOutputDirectory.
      *
      * @return the value of reportOutputDirectory
      */
     public String getReportOutputDirectory() {
         return reportOutputDirectory;
     }
 
     /**
      * Set the value of reportOutputDirectory.
      *
      * @param reportOutputDirectory new value of reportOutputDirectory
      */
     public void setReportOutputDirectory(String reportOutputDirectory) {
         this.reportOutputDirectory = reportOutputDirectory;
     }
     /**
      * Specifies if the build should be failed if a CVSS score above a specified
      * level is identified. The default is 11 which means since the CVSS scores
      * are 0-10, by default the build will never fail and the CVSS score is set
      * to 11. The valid range for the fail build on CVSS is 0 to 11, where
      * anything above 10 will not cause the build to fail.
      */
     private float failBuildOnCVSS = 11;
 
     /**
      * Get the value of failBuildOnCVSS.
      *
      * @return the value of failBuildOnCVSS
      */
     public float getFailBuildOnCVSS() {
         return failBuildOnCVSS;
     }
 
     /**
      * Set the value of failBuildOnCVSS.
      *
      * @param failBuildOnCVSS new value of failBuildOnCVSS
      */
     public void setFailBuildOnCVSS(float failBuildOnCVSS) {
         this.failBuildOnCVSS = failBuildOnCVSS;
     }
     /**
      * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not
      * recommended that this be turned to false. Default is true.
      */
     private boolean autoUpdate = true;
 
     /**
      * Get the value of autoUpdate.
      *
      * @return the value of autoUpdate
      */
     public boolean isAutoUpdate() {
         return autoUpdate;
     }
 
     /**
      * Set the value of autoUpdate.
      *
      * @param autoUpdate new value of autoUpdate
      */
     public void setAutoUpdate(boolean autoUpdate) {
         this.autoUpdate = autoUpdate;
     }
     /**
      * The report format to be generated (HTML, XML, VULN, ALL). This
      * configuration option has no affect if using this within the Site plugin
      * unless the externalReport is set to true. Default is HTML.
      */
     private String reportFormat = "HTML";
 
     /**
      * Get the value of reportFormat.
      *
      * @return the value of reportFormat
      */
     public String getReportFormat() {
         return reportFormat;
     }
 
     /**
      * Set the value of reportFormat.
      *
      * @param reportFormat new value of reportFormat
      */
     public void setReportFormat(ReportFormats reportFormat) {
         this.reportFormat = reportFormat.getValue();
     }
     /**
      * The Proxy URL.
      */
     private String proxyUrl;
 
     /**
      * Get the value of proxyUrl.
      *
      * @return the value of proxyUrl
      */
     public String getProxyUrl() {
         return proxyUrl;
     }
 
     /**
      * Set the value of proxyUrl.
      *
      * @param proxyUrl new value of proxyUrl
      */
     public void setProxyUrl(String proxyUrl) {
         this.proxyUrl = proxyUrl;
     }
     /**
      * The Proxy Port.
      */
     private String proxyPort;
 
     /**
      * Get the value of proxyPort.
      *
      * @return the value of proxyPort
      */
     public String getProxyPort() {
         return proxyPort;
     }
 
     /**
      * Set the value of proxyPort.
      *
      * @param proxyPort new value of proxyPort
      */
     public void setProxyPort(String proxyPort) {
         this.proxyPort = proxyPort;
     }
     /**
      * The Proxy username.
      */
     private String proxyUsername;
 
     /**
      * Get the value of proxyUsername.
      *
      * @return the value of proxyUsername
      */
     public String getProxyUsername() {
         return proxyUsername;
     }
 
     /**
      * Set the value of proxyUsername.
      *
      * @param proxyUsername new value of proxyUsername
      */
     public void setProxyUsername(String proxyUsername) {
         this.proxyUsername = proxyUsername;
     }
     /**
      * The Proxy password.
      */
     private String proxyPassword;
 
     /**
      * Get the value of proxyPassword.
      *
      * @return the value of proxyPassword
      */
     public String getProxyPassword() {
         return proxyPassword;
     }
 
     /**
      * Set the value of proxyPassword.
      *
      * @param proxyPassword new value of proxyPassword
      */
     public void setProxyPassword(String proxyPassword) {
         this.proxyPassword = proxyPassword;
     }
     /**
      * The Connection Timeout.
      */
     private String connectionTimeout;
 
     /**
      * Get the value of connectionTimeout.
      *
      * @return the value of connectionTimeout
      */
     public String getConnectionTimeout() {
         return connectionTimeout;
     }
 
     /**
      * Set the value of connectionTimeout.
      *
      * @param connectionTimeout new value of connectionTimeout
      */
     public void setConnectionTimeout(String connectionTimeout) {
         this.connectionTimeout = connectionTimeout;
     }
     /**
      * The file path used for verbose logging.
      */
     private String logFile = null;
 
     /**
      * Get the value of logFile.
      *
      * @return the value of logFile
      */
     public String getLogFile() {
         return logFile;
     }
 
     /**
      * Set the value of logFile.
      *
      * @param logFile new value of logFile
      */
     public void setLogFile(String logFile) {
         this.logFile = logFile;
     }
     /**
      * The path to the suppression file.
      */
     private String suppressionFile;
 
     /**
      * Get the value of suppressionFile.
      *
      * @return the value of suppressionFile
      */
     public String getSuppressionFile() {
         return suppressionFile;
     }
 
     /**
      * Set the value of suppressionFile.
      *
      * @param suppressionFile new value of suppressionFile
      */
     public void setSuppressionFile(String suppressionFile) {
         this.suppressionFile = suppressionFile;
     }
     /**
      * flag indicating whether or not to show a summary of findings.
      */
     private boolean showSummary = true;
 
     /**
      * Get the value of showSummary.
      *
      * @return the value of showSummary
      */
     public boolean isShowSummary() {
         return showSummary;
     }
 
     /**
      * Set the value of showSummary.
      *
      * @param showSummary new value of showSummary
      */
     public void setShowSummary(boolean showSummary) {
         this.showSummary = showSummary;
     }
 
     @Override
     public void execute() throws BuildException {
         final InputStream in = DependencyCheckTask.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
         LogUtils.prepareLogger(in, logFile);
 
         dealWithReferences();
         validateConfiguration();
         populateSettings();
 
         final Engine engine = new Engine();
         for (Resource resource : path) {
             final FileProvider provider = resource.as(FileProvider.class);
             if (provider != null) {
                 final File file = provider.getFile();
                 if (file != null && file.exists()) {
                     engine.scan(file);
                 }
             }
         }
         try {
             engine.analyzeDependencies();
             final ReportGenerator reporter = new ReportGenerator(applicationName, engine.getDependencies(), engine.getAnalyzers());
             reporter.generateReports(reportOutputDirectory, reportFormat);
 
             if (this.failBuildOnCVSS <= 10) {
                 checkForFailure(engine.getDependencies());
             }
             if (this.showSummary) {
                 showSummary(engine.getDependencies());
             }
         } catch (IOException ex) {
             Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "Unable to generate dependency-check report", ex);
             throw new BuildException("Unable to generate dependency-check report", ex);
         } catch (Exception ex) {
             Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "An exception occurred; unable to continue task", ex);
             throw new BuildException("An exception occurred; unable to continue task", ex);
         }
     }
 
     /**
      * Validate the configuration to ensure the parameters have been properly
      * configured/initialized.
      *
      * @throws BuildException if the task was not configured correctly.
      */
     private void validateConfiguration() throws BuildException {
         if (path == null) {
             throw new BuildException("No project dependencies have been defined to analyze.");
         }
         if (failBuildOnCVSS < 0 || failBuildOnCVSS > 11) {
             throw new BuildException("Invalid configuration, failBuildOnCVSS must be between 0 and 11.");
         }
     }
 
     /**
      * Takes the properties supplied and updates the dependency-check settings.
      * Additionally, this sets the system properties required to change the
      * proxy url, port, and connection timeout.
      */
     private void populateSettings() {
         InputStream taskProperties = null;
         try {
             taskProperties = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
             Settings.mergeProperties(taskProperties);
         } catch (IOException ex) {
             Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.WARNING, "Unable to load the dependency-check ant task.properties file.");
             Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, null, ex);
         } finally {
             if (taskProperties != null) {
                 try {
                     taskProperties.close();
                 } catch (IOException ex) {
                     Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINEST, null, ex);
                 }
             }
         }
         if (dataDirectory != null) {
             Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
         } else {
             final File jarPath = new File(DependencyCheckTask.class.getProtectionDomain().getCodeSource().getLocation().getPath());
             final File base = jarPath.getParentFile();
             final String sub = Settings.getString(Settings.KEYS.DATA_DIRECTORY);
             final File dataDir = new File(base, sub);
             Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
         }
 
         Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
 
         if (proxyUrl != null && !proxyUrl.isEmpty()) {
             Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);
         }
         if (proxyPort != null && !proxyPort.isEmpty()) {
             Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
         }
         if (proxyUsername != null && !proxyUsername.isEmpty()) {
             Settings.setString(Settings.KEYS.PROXY_USERNAME, proxyUsername);
         }
         if (proxyPassword != null && !proxyPassword.isEmpty()) {
             Settings.setString(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
         }
         if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
             Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
         }
         if (suppressionFile != null && !suppressionFile.isEmpty()) {
             Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
         }
     }
 
     /**
      * Checks to see if a vulnerability has been identified with a CVSS score
      * that is above the threshold set in the configuration.
      *
      * @param dependencies the list of dependency objects
      * @throws BuildException thrown if a CVSS score is found that is higher
      * then the threshold set
      */
     private void checkForFailure(List<Dependency> dependencies) throws BuildException {
         final StringBuilder ids = new StringBuilder();
         for (Dependency d : dependencies) {
             for (Vulnerability v : d.getVulnerabilities()) {
                 if (v.getCvssScore() >= failBuildOnCVSS) {
                     if (ids.length() == 0) {
                         ids.append(v.getName());
                     } else {
                         ids.append(", ").append(v.getName());
                     }
                 }
             }
         }
         if (ids.length() > 0) {
             final String msg = String.format("%n%nDependency-Check Failure:%n"
                     + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater then '%.1f': %s%n"
                     + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids.toString());
             throw new BuildException(msg);
         }
     }
 
     /**
      * Generates a warning message listing a summary of dependencies and their
      * associated CPE and CVE entries.
      *
      * @param dependencies a list of dependency objects
      */
     private void showSummary(List<Dependency> dependencies) {
         final StringBuilder summary = new StringBuilder();
         for (Dependency d : dependencies) {
             boolean firstEntry = true;
             final StringBuilder ids = new StringBuilder();
             for (Vulnerability v : d.getVulnerabilities()) {
                 if (firstEntry) {
                     firstEntry = false;
                 } else {
                     ids.append(", ");
                 }
                 ids.append(v.getName());
             }
             if (ids.length() > 0) {
                 summary.append(d.getFileName()).append(" (");
                 firstEntry = true;
                 for (Identifier id : d.getIdentifiers()) {
                     if (firstEntry) {
                         firstEntry = false;
                     } else {
                         summary.append(", ");
                     }
                     summary.append(id.getValue());
                 }
                 summary.append(") : ").append(ids).append(NEW_LINE);
             }
         }
         if (summary.length() > 0) {
             final String msg = String.format("%n%n"
                     + "One or more dependencies were identified with known vulnerabilities:%n%n%s"
                     + "%n%nSee the dependency-check report for more details.%n%n", summary.toString());
             Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.WARNING, msg);
         }
     }
 
     /**
      * An enumeration of supported report formats: "ALL", "HTML", "XML", "VULN",
      * etc..
      */
     public static class ReportFormats extends EnumeratedAttribute {
 
         /**
          * Returns the list of values for the report format.
          *
          * @return the list of values for the report format
          */
         @Override
         public String[] getValues() {
             int i = 0;
             final Format[] formats = Format.values();
             final String[] values = new String[formats.length];
             for (Format format : formats) {
                 values[i++] = format.name();
             }
             return values;
         }
     }
 }

1		/*
2		* This file is part of dependency-check-ant.
3		*
4		* Dependency-check-ant is free software: you can redistribute it and/or modify it
5		* under the terms of the GNU General Public License as published by the Free
6		* Software Foundation, either version 3 of the License, or (at your option) any
7		* later version.
8		*
9		* Dependency-check-ant is distributed in the hope that it will be useful, but
10		* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11		* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
12		* details.
13		*
14		* You should have received a copy of the GNU General Public License along with
15		* dependency-check-ant. If not, see http://www.gnu.org/licenses/.
16		*
17		* Copyright (c) 2013 Jeremy Long. All Rights Reserved.
18		*/
19		package org.owasp.dependencycheck.taskdefs;
20
21		import java.io.File;
22		import java.io.IOException;
23		import java.io.InputStream;
24		import java.util.List;
25		import java.util.logging.Level;
26		import java.util.logging.Logger;
27		import org.apache.tools.ant.BuildException;
28		import org.apache.tools.ant.Task;
29		import org.apache.tools.ant.types.EnumeratedAttribute;
30		import org.apache.tools.ant.types.Reference;
31		import org.apache.tools.ant.types.Resource;
32		import org.apache.tools.ant.types.ResourceCollection;
33		import org.apache.tools.ant.types.resources.FileProvider;
34		import org.apache.tools.ant.types.resources.Resources;
35		import org.owasp.dependencycheck.Engine;
36		import org.owasp.dependencycheck.dependency.Dependency;
37		import org.owasp.dependencycheck.dependency.Identifier;
38		import org.owasp.dependencycheck.dependency.Vulnerability;
39		import org.owasp.dependencycheck.reporting.ReportGenerator;
40		import org.owasp.dependencycheck.reporting.ReportGenerator.Format;
41		import org.owasp.dependencycheck.utils.LogUtils;
42		import org.owasp.dependencycheck.utils.Settings;
43
44		/**
45		* An Ant task definition to execute dependency-check during an Ant build.
46		*
47		* @author Jeremy Long <jeremy.long@owasp.org>
48		*/
49		public class DependencyCheckTask extends Task {
50
51		/**
52		* The properties file location.
53		*/
54		private static final String PROPERTIES_FILE = "task.properties";
55		/**
56		* Name of the logging properties file.
57		*/
58		private static final String LOG_PROPERTIES_FILE = "log.properties";
59		/**
60		* System specific new line character.
61		*/
62	1	private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();
63
64		/**
65		* Construct a new DependencyCheckTask.
66		*/
67		public DependencyCheckTask() {
68	4	super();
69	4	}
70		//The following code was copied Apache Ant PathConvert
71		//BEGIN COPY from org.apache.tools.ant.taskdefs.PathConvert
72		/**
73		* Path to be converted
74		*/
75	4	private Resources path = null;
76		/**
77		* Reference to path/fileset to convert
78		*/
79	4	private Reference refid = null;
80
81		/**
82		* Add an arbitrary ResourceCollection.
83		*
84		* @param rc the ResourceCollection to add.
85		* @since Ant 1.7
86		*/
87		public void add(ResourceCollection rc) {
88	4	if (isReference()) {
89	0	throw new BuildException("Nested elements are not allowed when using the refid attribute.");
90		}
91	4	getPath().add(rc);
92	4	}
93
94		/**
95		* Returns the path. If the path has not been initialized yet, this class is
96		* synchronized, and will instantiate the path object.
97		*
98		* @return the path
99		*/
100		private synchronized Resources getPath() {
101	4	if (path == null) {
102	3	path = new Resources(getProject());
103	3	path.setCache(true);
104		}
105	4	return path;
106		}
107
108		/**
109		* Learn whether the refid attribute of this element been set.
110		*
111		* @return true if refid is valid.
112		*/
113		public boolean isReference() {
114	8	return refid != null;
115		}
116
117		/**
118		* Add a reference to a Path, FileSet, DirSet, or FileList defined
119		* elsewhere.
120		*
121		* @param r the reference to a path, fileset, dirset or filelist.
122		*/
123		public void setRefid(Reference r) {
124	0	if (path != null) {
125	0	throw new BuildException("Nested elements are not allowed when using the refid attribute.");
126		}
127	0	refid = r;
128	0	}
129
130		/**
131		* If this is a reference, this method will add the referenced resource
132		* collection to the collection of paths.
133		*
134		* @throws BuildException if the reference is not to a resource collection
135		*/
136		private void dealWithReferences() throws BuildException {
137	4	if (isReference()) {
138	0	final Object o = refid.getReferencedObject(getProject());
139	0	if (!(o instanceof ResourceCollection)) {
140	0	throw new BuildException("refid '" + refid.getRefId()
141		+ "' does not refer to a resource collection.");
142		}
143	0	getPath().add((ResourceCollection) o);
144		}
145	4	}
146		// END COPY from org.apache.tools.ant.taskdefs
147		/**
148		* The application name for the report.
149		*/
150	4	private String applicationName = "Dependency-Check";
151
152		/**
153		* Get the value of applicationName.
154		*
155		* @return the value of applicationName
156		*/
157		public String getApplicationName() {
158	0	return applicationName;
159		}
160
161		/**
162		* Set the value of applicationName.
163		*
164		* @param applicationName new value of applicationName
165		*/
166		public void setApplicationName(String applicationName) {
167	4	this.applicationName = applicationName;
168	4	}
169		/**
170		* The location of the data directory that contains
171		*/
172	4	private String dataDirectory = null;
173
174		/**
175		* Get the value of dataDirectory.
176		*
177		* @return the value of dataDirectory
178		*/
179		public String getDataDirectory() {
180	0	return dataDirectory;
181		}
182
183		/**
184		* Set the value of dataDirectory.
185		*
186		* @param dataDirectory new value of dataDirectory
187		*/
188		public void setDataDirectory(String dataDirectory) {
189	0	this.dataDirectory = dataDirectory;
190	0	}
191		/**
192		* Specifies the destination directory for the generated Dependency-Check
193		* report.
194		*/
195	4	private String reportOutputDirectory = ".";
196
197		/**
198		* Get the value of reportOutputDirectory.
199		*
200		* @return the value of reportOutputDirectory
201		*/
202		public String getReportOutputDirectory() {
203	0	return reportOutputDirectory;
204		}
205
206		/**
207		* Set the value of reportOutputDirectory.
208		*
209		* @param reportOutputDirectory new value of reportOutputDirectory
210		*/
211		public void setReportOutputDirectory(String reportOutputDirectory) {
212	4	this.reportOutputDirectory = reportOutputDirectory;
213	4	}
214		/**
215		* Specifies if the build should be failed if a CVSS score above a specified
216		* level is identified. The default is 11 which means since the CVSS scores
217		* are 0-10, by default the build will never fail and the CVSS score is set
218		* to 11. The valid range for the fail build on CVSS is 0 to 11, where
219		* anything above 10 will not cause the build to fail.
220		*/
221	4	private float failBuildOnCVSS = 11;
222
223		/**
224		* Get the value of failBuildOnCVSS.
225		*
226		* @return the value of failBuildOnCVSS
227		*/
228		public float getFailBuildOnCVSS() {
229	0	return failBuildOnCVSS;
230		}
231
232		/**
233		* Set the value of failBuildOnCVSS.
234		*
235		* @param failBuildOnCVSS new value of failBuildOnCVSS
236		*/
237		public void setFailBuildOnCVSS(float failBuildOnCVSS) {
238	1	this.failBuildOnCVSS = failBuildOnCVSS;
239	1	}
240		/**
241		* Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not
242		* recommended that this be turned to false. Default is true.
243		*/
244	4	private boolean autoUpdate = true;
245
246		/**
247		* Get the value of autoUpdate.
248		*
249		* @return the value of autoUpdate
250		*/
251		public boolean isAutoUpdate() {
252	0	return autoUpdate;
253		}
254
255		/**
256		* Set the value of autoUpdate.
257		*
258		* @param autoUpdate new value of autoUpdate
259		*/
260		public void setAutoUpdate(boolean autoUpdate) {
261	4	this.autoUpdate = autoUpdate;
262	4	}
263		/**
264		* The report format to be generated (HTML, XML, VULN, ALL). This
265		* configuration option has no affect if using this within the Site plugin
266		* unless the externalReport is set to true. Default is HTML.
267		*/
268	4	private String reportFormat = "HTML";
269
270		/**
271		* Get the value of reportFormat.
272		*
273		* @return the value of reportFormat
274		*/
275		public String getReportFormat() {
276	0	return reportFormat;
277		}
278
279		/**
280		* Set the value of reportFormat.
281		*
282		* @param reportFormat new value of reportFormat
283		*/
284		public void setReportFormat(ReportFormats reportFormat) {
285	4	this.reportFormat = reportFormat.getValue();
286	4	}
287		/**
288		* The Proxy URL.
289		*/
290		private String proxyUrl;
291
292		/**
293		* Get the value of proxyUrl.
294		*
295		* @return the value of proxyUrl
296		*/
297		public String getProxyUrl() {
298	0	return proxyUrl;
299		}
300
301		/**
302		* Set the value of proxyUrl.
303		*
304		* @param proxyUrl new value of proxyUrl
305		*/
306		public void setProxyUrl(String proxyUrl) {
307	0	this.proxyUrl = proxyUrl;
308	0	}
309		/**
310		* The Proxy Port.
311		*/
312		private String proxyPort;
313
314		/**
315		* Get the value of proxyPort.
316		*
317		* @return the value of proxyPort
318		*/
319		public String getProxyPort() {
320	0	return proxyPort;
321		}
322
323		/**
324		* Set the value of proxyPort.
325		*
326		* @param proxyPort new value of proxyPort
327		*/
328		public void setProxyPort(String proxyPort) {
329	0	this.proxyPort = proxyPort;
330	0	}
331		/**
332		* The Proxy username.
333		*/
334		private String proxyUsername;
335
336		/**
337		* Get the value of proxyUsername.
338		*
339		* @return the value of proxyUsername
340		*/
341		public String getProxyUsername() {
342	0	return proxyUsername;
343		}
344
345		/**
346		* Set the value of proxyUsername.
347		*
348		* @param proxyUsername new value of proxyUsername
349		*/
350		public void setProxyUsername(String proxyUsername) {
351	0	this.proxyUsername = proxyUsername;
352	0	}
353		/**
354		* The Proxy password.
355		*/
356		private String proxyPassword;
357
358		/**
359		* Get the value of proxyPassword.
360		*
361		* @return the value of proxyPassword
362		*/
363		public String getProxyPassword() {
364	0	return proxyPassword;
365		}
366
367		/**
368		* Set the value of proxyPassword.
369		*
370		* @param proxyPassword new value of proxyPassword
371		*/
372		public void setProxyPassword(String proxyPassword) {
373	0	this.proxyPassword = proxyPassword;
374	0	}
375		/**
376		* The Connection Timeout.
377		*/
378		private String connectionTimeout;
379
380		/**
381		* Get the value of connectionTimeout.
382		*
383		* @return the value of connectionTimeout
384		*/
385		public String getConnectionTimeout() {
386	0	return connectionTimeout;
387		}
388
389		/**
390		* Set the value of connectionTimeout.
391		*
392		* @param connectionTimeout new value of connectionTimeout
393		*/
394		public void setConnectionTimeout(String connectionTimeout) {
395	0	this.connectionTimeout = connectionTimeout;
396	0	}
397		/**
398		* The file path used for verbose logging.
399		*/
400	4	private String logFile = null;
401
402		/**
403		* Get the value of logFile.
404		*
405		* @return the value of logFile
406		*/
407		public String getLogFile() {
408	0	return logFile;
409		}
410
411		/**
412		* Set the value of logFile.
413		*
414		* @param logFile new value of logFile
415		*/
416		public void setLogFile(String logFile) {
417	0	this.logFile = logFile;
418	0	}
419		/**
420		* The path to the suppression file.
421		*/
422		private String suppressionFile;
423
424		/**
425		* Get the value of suppressionFile.
426		*
427		* @return the value of suppressionFile
428		*/
429		public String getSuppressionFile() {
430	0	return suppressionFile;
431		}
432
433		/**
434		* Set the value of suppressionFile.
435		*
436		* @param suppressionFile new value of suppressionFile
437		*/
438		public void setSuppressionFile(String suppressionFile) {
439	0	this.suppressionFile = suppressionFile;
440	0	}
441		/**
442		* flag indicating whether or not to show a summary of findings.
443		*/
444	4	private boolean showSummary = true;
445
446		/**
447		* Get the value of showSummary.
448		*
449		* @return the value of showSummary
450		*/
451		public boolean isShowSummary() {
452	0	return showSummary;
453		}
454
455		/**
456		* Set the value of showSummary.
457		*
458		* @param showSummary new value of showSummary
459		*/
460		public void setShowSummary(boolean showSummary) {
461	0	this.showSummary = showSummary;
462	0	}
463
464		@Override
465		public void execute() throws BuildException {
466	4	final InputStream in = DependencyCheckTask.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
467	4	LogUtils.prepareLogger(in, logFile);
468
469	4	dealWithReferences();
470	4	validateConfiguration();
471	3	populateSettings();
472
473	3	final Engine engine = new Engine();
474	3	for (Resource resource : path) {
475	5	final FileProvider provider = resource.as(FileProvider.class);
476	5	if (provider != null) {
477	5	final File file = provider.getFile();
478	5	if (file != null && file.exists()) {
479	4	engine.scan(file);
480		}
481		}
482	5	}
483		try {
484	3	engine.analyzeDependencies();
485	3	final ReportGenerator reporter = new ReportGenerator(applicationName, engine.getDependencies(), engine.getAnalyzers());
486	3	reporter.generateReports(reportOutputDirectory, reportFormat);
487
488	3	if (this.failBuildOnCVSS <= 10) {
489	0	checkForFailure(engine.getDependencies());
490		}
491	3	if (this.showSummary) {
492	3	showSummary(engine.getDependencies());
493		}
494	0	} catch (IOException ex) {
495	0	Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "Unable to generate dependency-check report", ex);
496	0	throw new BuildException("Unable to generate dependency-check report", ex);
497	0	} catch (Exception ex) {
498	0	Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "An exception occurred; unable to continue task", ex);
499	0	throw new BuildException("An exception occurred; unable to continue task", ex);
500	3	}
501	3	}
502
503		/**
504		* Validate the configuration to ensure the parameters have been properly
505		* configured/initialized.
506		*
507		* @throws BuildException if the task was not configured correctly.
508		*/
509		private void validateConfiguration() throws BuildException {
510	4	if (path == null) {
511	1	throw new BuildException("No project dependencies have been defined to analyze.");
512		}
513	3	if (failBuildOnCVSS < 0 \|\| failBuildOnCVSS > 11) {
514	0	throw new BuildException("Invalid configuration, failBuildOnCVSS must be between 0 and 11.");
515		}
516	3	}
517
518		/**
519		* Takes the properties supplied and updates the dependency-check settings.
520		* Additionally, this sets the system properties required to change the
521		* proxy url, port, and connection timeout.
522		*/
523		private void populateSettings() {
524	3	InputStream taskProperties = null;
525		try {
526	3	taskProperties = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
527	3	Settings.mergeProperties(taskProperties);
528	0	} catch (IOException ex) {
529	0	Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.WARNING, "Unable to load the dependency-check ant task.properties file.");
530	0	Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, null, ex);
531		} finally {
532	3	if (taskProperties != null) {
533		try {
534	3	taskProperties.close();
535	0	} catch (IOException ex) {
536	0	Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINEST, null, ex);
537	3	}
538		}
539		}
540	3	if (dataDirectory != null) {
541	0	Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
542		} else {
543	3	final File jarPath = new File(DependencyCheckTask.class.getProtectionDomain().getCodeSource().getLocation().getPath());
544	3	final File base = jarPath.getParentFile();
545	3	final String sub = Settings.getString(Settings.KEYS.DATA_DIRECTORY);
546	3	final File dataDir = new File(base, sub);
547	3	Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
548		}
549
550	3	Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
551
552	3	if (proxyUrl != null && !proxyUrl.isEmpty()) {
553	0	Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);
554		}
555	3	if (proxyPort != null && !proxyPort.isEmpty()) {
556	0	Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
557		}
558	3	if (proxyUsername != null && !proxyUsername.isEmpty()) {
559	0	Settings.setString(Settings.KEYS.PROXY_USERNAME, proxyUsername);
560		}
561	3	if (proxyPassword != null && !proxyPassword.isEmpty()) {
562	0	Settings.setString(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
563		}
564	3	if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
565	0	Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
566		}
567	3	if (suppressionFile != null && !suppressionFile.isEmpty()) {
568	0	Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
569		}
570	3	}
571
572		/**
573		* Checks to see if a vulnerability has been identified with a CVSS score
574		* that is above the threshold set in the configuration.
575		*
576		* @param dependencies the list of dependency objects
577		* @throws BuildException thrown if a CVSS score is found that is higher
578		* then the threshold set
579		*/
580		private void checkForFailure(List<Dependency> dependencies) throws BuildException {
581	0	final StringBuilder ids = new StringBuilder();
582	0	for (Dependency d : dependencies) {
583	0	for (Vulnerability v : d.getVulnerabilities()) {
584	0	if (v.getCvssScore() >= failBuildOnCVSS) {
585	0	if (ids.length() == 0) {
586	0	ids.append(v.getName());
587		} else {
588	0	ids.append(", ").append(v.getName());
589		}
590		}
591	0	}
592	0	}
593	0	if (ids.length() > 0) {
594	0	final String msg = String.format("%n%nDependency-Check Failure:%n"
595		+ "One or more dependencies were identified with vulnerabilities that have a CVSS score greater then '%.1f': %s%n"
596		+ "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids.toString());
597	0	throw new BuildException(msg);
598		}
599	0	}
600
601		/**
602		* Generates a warning message listing a summary of dependencies and their
603		* associated CPE and CVE entries.
604		*
605		* @param dependencies a list of dependency objects
606		*/
607		private void showSummary(List<Dependency> dependencies) {
608	3	final StringBuilder summary = new StringBuilder();
609	3	for (Dependency d : dependencies) {
610	5	boolean firstEntry = true;
611	5	final StringBuilder ids = new StringBuilder();
612	5	for (Vulnerability v : d.getVulnerabilities()) {
613	20	if (firstEntry) {
614	4	firstEntry = false;
615		} else {
616	16	ids.append(", ");
617		}
618	20	ids.append(v.getName());
619	20	}
620	5	if (ids.length() > 0) {
621	4	summary.append(d.getFileName()).append(" (");
622	4	firstEntry = true;
623	4	for (Identifier id : d.getIdentifiers()) {
624	12	if (firstEntry) {
625	4	firstEntry = false;
626		} else {
627	8	summary.append(", ");
628		}
629	12	summary.append(id.getValue());
630	12	}
631	4	summary.append(") : ").append(ids).append(NEW_LINE);
632		}
633	5	}
634	3	if (summary.length() > 0) {
635	3	final String msg = String.format("%n%n"
636		+ "One or more dependencies were identified with known vulnerabilities:%n%n%s"
637		+ "%n%nSee the dependency-check report for more details.%n%n", summary.toString());
638	3	Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.WARNING, msg);
639		}
640	3	}
641
642		/**
643		* An enumeration of supported report formats: "ALL", "HTML", "XML", "VULN",
644		* etc..
645		*/
646	4	public static class ReportFormats extends EnumeratedAttribute {
647
648		/**
649		* Returns the list of values for the report format.
650		*
651		* @return the list of values for the report format
652		*/
653		@Override
654		public String[] getValues() {
655	4	int i = 0;
656	4	final Format[] formats = Format.values();
657	4	final String[] values = new String[formats.length];
658	20	for (Format format : formats) {
659	16	values[i++] = format.name();
660		}
661	4	return values;
662		}
663		}
664		}