View Javadoc
1   /*
2    * This file is part of dependency-check-maven.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.maven;
19  
20  import java.util.Locale;
21  import java.util.logging.Level;
22  import java.util.logging.Logger;
23  import org.apache.maven.artifact.Artifact;
24  import org.apache.maven.plugin.MojoExecutionException;
25  import org.apache.maven.plugin.MojoFailureException;
26  import org.apache.maven.plugins.annotations.LifecyclePhase;
27  import org.apache.maven.plugins.annotations.Mojo;
28  import org.apache.maven.plugins.annotations.ResolutionScope;
29  import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
30  import org.owasp.dependencycheck.utils.Settings;
31  
32  /**
33   * Maven Plugin that checks the project dependencies to see if they have any known published vulnerabilities.
34   *
35   * @author Jeremy Long
36   */
37  @Mojo(
38          name = "check",
39          defaultPhase = LifecyclePhase.COMPILE,
40          threadSafe = true,
41          requiresDependencyResolution = ResolutionScope.COMPILE_PLUS_RUNTIME,
42          requiresOnline = true
43  )
44  public class CheckMojo extends BaseDependencyCheckMojo {
45  
46      /**
47       * Logger field reference.
48       */
49      private static final Logger LOGGER = Logger.getLogger(CheckMojo.class.getName());
50  
51      /**
52       * Returns whether or not a the report can be generated.
53       *
54       * @return <code>true</code> if the report can be generated; otherwise <code>false</code>
55       */
56      @Override
57      public boolean canGenerateReport() {
58          boolean isCapable = false;
59          for (Artifact a : getProject().getArtifacts()) {
60              if (!excludeFromScan(a)) {
61                  isCapable = true;
62                  break;
63              }
64          }
65          return isCapable;
66      }
67  
68      /**
69       * Executes the dependency-check engine on the project's dependencies and generates the report.
70       *
71       * @throws MojoExecutionException thrown if there is an exception executing the goal
72       * @throws MojoFailureException thrown if dependency-check is configured to fail the build
73       */
74      @Override
75      public void runCheck() throws MojoExecutionException, MojoFailureException {
76          final Engine engine;
77          try {
78              engine = initializeEngine();
79          } catch (DatabaseException ex) {
80              LOGGER.log(Level.FINE, "Database connection error", ex);
81              throw new MojoExecutionException("An exception occured connecting to the local database. Please see the log file for more details.", ex);
82          }
83          scanArtifacts(getProject(), engine);
84          if (engine.getDependencies().isEmpty()) {
85              LOGGER.info("No dependencies were identified that could be analyzed by dependency-check");
86          } else {
87              engine.analyzeDependencies();
88              writeReports(engine, getProject(), getCorrectOutputDirectory());
89              writeDataFile(getProject(), null, engine.getDependencies());
90              showSummary(getProject(), engine.getDependencies());
91              checkForFailure(engine.getDependencies());
92          }
93          engine.cleanup();
94          Settings.cleanup();
95      }
96  
97      /**
98       * Returns the report name.
99       *
100      * @param locale the location
101      * @return the report name
102      */
103     public String getName(Locale locale) {
104         return "dependency-check";
105     }
106 
107     /**
108      * Gets the description of the Dependency-Check report to be displayed in the Maven Generated Reports page.
109      *
110      * @param locale The Locale to get the description for
111      * @return the description
112      */
113     public String getDescription(Locale locale) {
114         return "Generates a report providing details on any published vulnerabilities within project dependencies. "
115                 + "This report is a best effort and may contain false positives and false negatives.";
116     }
117 
118 }