Coverage Report - org.owasp.dependencycheck.taskdefs.Check
 
Classes in this File Line Coverage Branch Coverage Complexity
Check
0%
0/246
0%
0/80
1.788
Check$ReportFormats
0%
0/7
0%
0/2
1.788
 
 1   
 /*
 2   
  * This file is part of dependency-check-ant.
 3   
  *
 4   
  * Licensed under the Apache License, Version 2.0 (the "License");
 5   
  * you may not use this file except in compliance with the License.
 6   
  * You may obtain a copy of the License at
 7   
  *
 8   
  *     http://www.apache.org/licenses/LICENSE-2.0
 9   
  *
 10   
  * Unless required by applicable law or agreed to in writing, software
 11   
  * distributed under the License is distributed on an "AS IS" BASIS,
 12   
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 13   
  * See the License for the specific language governing permissions and
 14   
  * limitations under the License.
 15   
  *
 16   
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
 17   
  */
 18   
 package org.owasp.dependencycheck.taskdefs;
 19   
 
 20   
 import java.io.File;
 21   
 import java.io.IOException;
 22   
 import java.util.List;
 23   
 import org.apache.tools.ant.BuildException;
 24   
 import org.apache.tools.ant.Project;
 25   
 import org.apache.tools.ant.types.EnumeratedAttribute;
 26   
 import org.apache.tools.ant.types.Reference;
 27   
 import org.apache.tools.ant.types.Resource;
 28   
 import org.apache.tools.ant.types.ResourceCollection;
 29   
 import org.apache.tools.ant.types.resources.FileProvider;
 30   
 import org.apache.tools.ant.types.resources.Resources;
 31   
 import org.owasp.dependencycheck.Engine;
 32   
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 33   
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 34   
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 35   
 import org.owasp.dependencycheck.dependency.Dependency;
 36   
 import org.owasp.dependencycheck.dependency.Identifier;
 37   
 import org.owasp.dependencycheck.dependency.Vulnerability;
 38   
 import org.owasp.dependencycheck.reporting.ReportGenerator;
 39   
 import org.owasp.dependencycheck.reporting.ReportGenerator.Format;
 40   
 import org.owasp.dependencycheck.utils.Settings;
 41   
 import org.slf4j.impl.StaticLoggerBinder;
 42   
 
 43   
 /**
 44   
  * An Ant task definition to execute dependency-check during an Ant build.
 45   
  *
 46   
  * @author Jeremy Long
 47   
  */
 48   
 public class Check extends Update {
 49   
 
 50   
     /**
 51   
      * System specific new line character.
 52   
      */
 53  0 
     private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();
 54   
 
 55   
     /**
 56   
      * Construct a new DependencyCheckTask.
 57   
      */
 58   
     public Check() {
 59  0 
         super();
 60   
         // Call this before Dependency Check Core starts logging anything - this way, all SLF4J messages from
 61   
         // core end up coming through this tasks logger
 62  0 
         StaticLoggerBinder.getSingleton().setTask(this);
 63  0 
     }
 64   
     //The following code was copied Apache Ant PathConvert
 65   
     //BEGIN COPY from org.apache.tools.ant.taskdefs.PathConvert
 66   
     /**
 67   
      * Path to be converted
 68   
      */
 69  0 
     private Resources path = null;
 70   
     /**
 71   
      * Reference to path/fileset to convert
 72   
      */
 73  0 
     private Reference refid = null;
 74   
 
 75   
     /**
 76   
      * Add an arbitrary ResourceCollection.
 77   
      *
 78   
      * @param rc the ResourceCollection to add.
 79   
      * @since Ant 1.7
 80   
      */
 81   
     public void add(ResourceCollection rc) {
 82  0 
         if (isReference()) {
 83  0 
             throw new BuildException("Nested elements are not allowed when using the refid attribute.");
 84   
         }
 85  0 
         getPath().add(rc);
 86  0 
     }
 87   
 
 88   
     /**
 89   
      * Returns the path. If the path has not been initialized yet, this class is synchronized, and will instantiate the path
 90   
      * object.
 91   
      *
 92   
      * @return the path
 93   
      */
 94   
     private synchronized Resources getPath() {
 95  0 
         if (path == null) {
 96  0 
             path = new Resources(getProject());
 97  0 
             path.setCache(true);
 98   
         }
 99  0 
         return path;
 100   
     }
 101   
 
 102   
     /**
 103   
      * Learn whether the refid attribute of this element been set.
 104   
      *
 105   
      * @return true if refid is valid.
 106   
      */
 107   
     public boolean isReference() {
 108  0 
         return refid != null;
 109   
     }
 110   
 
 111   
     /**
 112   
      * Add a reference to a Path, FileSet, DirSet, or FileList defined elsewhere.
 113   
      *
 114   
      * @param r the reference to a path, fileset, dirset or filelist.
 115   
      */
 116   
     public void setRefid(Reference r) {
 117  0 
         if (path != null) {
 118  0 
             throw new BuildException("Nested elements are not allowed when using the refid attribute.");
 119   
         }
 120  0 
         refid = r;
 121  0 
     }
 122   
 
 123   
     /**
 124   
      * If this is a reference, this method will add the referenced resource collection to the collection of paths.
 125   
      *
 126   
      * @throws BuildException if the reference is not to a resource collection
 127   
      */
 128   
     private void dealWithReferences() throws BuildException {
 129  0 
         if (isReference()) {
 130  0 
             final Object o = refid.getReferencedObject(getProject());
 131  0 
             if (!(o instanceof ResourceCollection)) {
 132  0 
                 throw new BuildException("refid '" + refid.getRefId()
 133   
                         + "' does not refer to a resource collection.");
 134   
             }
 135  0 
             getPath().add((ResourceCollection) o);
 136   
         }
 137  0 
     }
 138   
     // END COPY from org.apache.tools.ant.taskdefs
 139   
     /**
 140   
      * The application name for the report.
 141   
      *
 142   
      * @deprecated use projectName instead.
 143   
      */
 144  0 
     @Deprecated
 145   
     private String applicationName = null;
 146   
 
 147   
     /**
 148   
      * Get the value of applicationName.
 149   
      *
 150   
      * @return the value of applicationName
 151   
      *
 152   
      * @deprecated use projectName instead.
 153   
      */
 154   
     @Deprecated
 155   
     public String getApplicationName() {
 156  0 
         return applicationName;
 157   
     }
 158   
 
 159   
     /**
 160   
      * Set the value of applicationName.
 161   
      *
 162   
      * @param applicationName new value of applicationName
 163   
      * @deprecated use projectName instead.
 164   
      */
 165   
     @Deprecated
 166   
     public void setApplicationName(String applicationName) {
 167  0 
         this.applicationName = applicationName;
 168  0 
     }
 169   
     /**
 170   
      * The name of the project being analyzed.
 171   
      */
 172  0 
     private String projectName = "dependency-check";
 173   
 
 174   
     /**
 175   
      * Get the value of projectName.
 176   
      *
 177   
      * @return the value of projectName
 178   
      */
 179   
     public String getProjectName() {
 180  0 
         if (applicationName != null) {
 181  0 
             log("Configuration 'applicationName' has been deprecated, please use 'projectName' instead", Project.MSG_WARN);
 182  0 
             if ("dependency-check".equals(projectName)) {
 183  0 
                 projectName = applicationName;
 184   
             }
 185   
         }
 186  0 
         return projectName;
 187   
     }
 188   
 
 189   
     /**
 190   
      * Set the value of projectName.
 191   
      *
 192   
      * @param projectName new value of projectName
 193   
      */
 194   
     public void setProjectName(String projectName) {
 195  0 
         this.projectName = projectName;
 196  0 
     }
 197   
 
 198   
     /**
 199   
      * Specifies the destination directory for the generated Dependency-Check report.
 200   
      */
 201  0 
     private String reportOutputDirectory = ".";
 202   
 
 203   
     /**
 204   
      * Get the value of reportOutputDirectory.
 205   
      *
 206   
      * @return the value of reportOutputDirectory
 207   
      */
 208   
     public String getReportOutputDirectory() {
 209  0 
         return reportOutputDirectory;
 210   
     }
 211   
 
 212   
     /**
 213   
      * Set the value of reportOutputDirectory.
 214   
      *
 215   
      * @param reportOutputDirectory new value of reportOutputDirectory
 216   
      */
 217   
     public void setReportOutputDirectory(String reportOutputDirectory) {
 218  0 
         this.reportOutputDirectory = reportOutputDirectory;
 219  0 
     }
 220   
     /**
 221   
      * Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which
 222   
      * means since the CVSS scores are 0-10, by default the build will never fail and the CVSS score is set to 11. The valid range
 223   
      * for the fail build on CVSS is 0 to 11, where anything above 10 will not cause the build to fail.
 224   
      */
 225  0 
     private float failBuildOnCVSS = 11;
 226   
 
 227   
     /**
 228   
      * Get the value of failBuildOnCVSS.
 229   
      *
 230   
      * @return the value of failBuildOnCVSS
 231   
      */
 232   
     public float getFailBuildOnCVSS() {
 233  0 
         return failBuildOnCVSS;
 234   
     }
 235   
 
 236   
     /**
 237   
      * Set the value of failBuildOnCVSS.
 238   
      *
 239   
      * @param failBuildOnCVSS new value of failBuildOnCVSS
 240   
      */
 241   
     public void setFailBuildOnCVSS(float failBuildOnCVSS) {
 242  0 
         this.failBuildOnCVSS = failBuildOnCVSS;
 243  0 
     }
 244   
     /**
 245   
      * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. Default
 246   
      * is true.
 247   
      */
 248  0 
     private boolean autoUpdate = true;
 249   
 
 250   
     /**
 251   
      * Get the value of autoUpdate.
 252   
      *
 253   
      * @return the value of autoUpdate
 254   
      */
 255   
     public boolean isAutoUpdate() {
 256  0 
         return autoUpdate;
 257   
     }
 258   
 
 259   
     /**
 260   
      * Set the value of autoUpdate.
 261   
      *
 262   
      * @param autoUpdate new value of autoUpdate
 263   
      */
 264   
     public void setAutoUpdate(boolean autoUpdate) {
 265  0 
         this.autoUpdate = autoUpdate;
 266  0 
     }
 267   
     /**
 268   
      * Whether only the update phase should be executed.
 269   
      */
 270  0 
     private boolean updateOnly = false;
 271   
 
 272   
     /**
 273   
      * Get the value of updateOnly.
 274   
      *
 275   
      * @return the value of updateOnly
 276   
      */
 277   
     public boolean isUpdateOnly() {
 278  0 
         return updateOnly;
 279   
     }
 280   
 
 281   
     /**
 282   
      * Set the value of updateOnly.
 283   
      *
 284   
      * @param updateOnly new value of updateOnly
 285   
      */
 286   
     public void setUpdateOnly(boolean updateOnly) {
 287  0 
         this.updateOnly = updateOnly;
 288  0 
     }
 289   
 
 290   
     /**
 291   
      * The report format to be generated (HTML, XML, VULN, ALL). Default is HTML.
 292   
      */
 293  0 
     private String reportFormat = "HTML";
 294   
 
 295   
     /**
 296   
      * Get the value of reportFormat.
 297   
      *
 298   
      * @return the value of reportFormat
 299   
      */
 300   
     public String getReportFormat() {
 301  0 
         return reportFormat;
 302   
     }
 303   
 
 304   
     /**
 305   
      * Set the value of reportFormat.
 306   
      *
 307   
      * @param reportFormat new value of reportFormat
 308   
      */
 309   
     public void setReportFormat(ReportFormats reportFormat) {
 310  0 
         this.reportFormat = reportFormat.getValue();
 311  0 
     }
 312   
     /**
 313   
      * The path to the suppression file.
 314   
      */
 315   
     private String suppressionFile;
 316   
 
 317   
     /**
 318   
      * Get the value of suppressionFile.
 319   
      *
 320   
      * @return the value of suppressionFile
 321   
      */
 322   
     public String getSuppressionFile() {
 323  0 
         return suppressionFile;
 324   
     }
 325   
 
 326   
     /**
 327   
      * Set the value of suppressionFile.
 328   
      *
 329   
      * @param suppressionFile new value of suppressionFile
 330   
      */
 331   
     public void setSuppressionFile(String suppressionFile) {
 332  0 
         this.suppressionFile = suppressionFile;
 333  0 
     }
 334   
     /**
 335   
      * flag indicating whether or not to show a summary of findings.
 336   
      */
 337  0 
     private boolean showSummary = true;
 338   
 
 339   
     /**
 340   
      * Get the value of showSummary.
 341   
      *
 342   
      * @return the value of showSummary
 343   
      */
 344   
     public boolean isShowSummary() {
 345  0 
         return showSummary;
 346   
     }
 347   
 
 348   
     /**
 349   
      * Set the value of showSummary.
 350   
      *
 351   
      * @param showSummary new value of showSummary
 352   
      */
 353   
     public void setShowSummary(boolean showSummary) {
 354  0 
         this.showSummary = showSummary;
 355  0 
     }
 356   
 
 357   
     /**
 358   
      * Whether or not the Jar Analyzer is enabled.
 359   
      */
 360  0 
     private boolean jarAnalyzerEnabled = true;
 361   
 
 362   
     /**
 363   
      * Returns whether or not the analyzer is enabled.
 364   
      *
 365   
      * @return true if the analyzer is enabled
 366   
      */
 367   
     public boolean isJarAnalyzerEnabled() {
 368  0 
         return jarAnalyzerEnabled;
 369   
     }
 370   
 
 371   
     /**
 372   
      * Sets whether or not the analyzer is enabled.
 373   
      *
 374   
      * @param jarAnalyzerEnabled the value of the new setting
 375   
      */
 376   
     public void setJarAnalyzerEnabled(boolean jarAnalyzerEnabled) {
 377  0 
         this.jarAnalyzerEnabled = jarAnalyzerEnabled;
 378  0 
     }
 379   
     /**
 380   
      * Whether or not the Archive Analyzer is enabled.
 381   
      */
 382  0 
     private boolean archiveAnalyzerEnabled = true;
 383   
 
 384   
     /**
 385   
      * Returns whether or not the analyzer is enabled.
 386   
      *
 387   
      * @return true if the analyzer is enabled
 388   
      */
 389   
     public boolean isArchiveAnalyzerEnabled() {
 390  0 
         return archiveAnalyzerEnabled;
 391   
     }
 392   
     /**
 393   
      * Whether or not the .NET Assembly Analyzer is enabled.
 394   
      */
 395  0 
     private boolean assemblyAnalyzerEnabled = true;
 396   
 
 397   
     /**
 398   
      * Sets whether or not the analyzer is enabled.
 399   
      *
 400   
      * @param archiveAnalyzerEnabled the value of the new setting
 401   
      */
 402   
     public void setArchiveAnalyzerEnabled(boolean archiveAnalyzerEnabled) {
 403  0 
         this.archiveAnalyzerEnabled = archiveAnalyzerEnabled;
 404  0 
     }
 405   
 
 406   
     /**
 407   
      * Returns whether or not the analyzer is enabled.
 408   
      *
 409   
      * @return true if the analyzer is enabled
 410   
      */
 411   
     public boolean isAssemblyAnalyzerEnabled() {
 412  0 
         return assemblyAnalyzerEnabled;
 413   
     }
 414   
 
 415   
     /**
 416   
      * Sets whether or not the analyzer is enabled.
 417   
      *
 418   
      * @param assemblyAnalyzerEnabled the value of the new setting
 419   
      */
 420   
     public void setAssemblyAnalyzerEnabled(boolean assemblyAnalyzerEnabled) {
 421  0 
         this.assemblyAnalyzerEnabled = assemblyAnalyzerEnabled;
 422  0 
     }
 423   
     /**
 424   
      * Whether or not the .NET Nuspec Analyzer is enabled.
 425   
      */
 426  0 
     private boolean nuspecAnalyzerEnabled = true;
 427   
 
 428   
     /**
 429   
      * Returns whether or not the analyzer is enabled.
 430   
      *
 431   
      * @return true if the analyzer is enabled
 432   
      */
 433   
     public boolean isNuspecAnalyzerEnabled() {
 434  0 
         return nuspecAnalyzerEnabled;
 435   
     }
 436   
 
 437   
     /**
 438   
      * Sets whether or not the analyzer is enabled.
 439   
      *
 440   
      * @param nuspecAnalyzerEnabled the value of the new setting
 441   
      */
 442   
     public void setNuspecAnalyzerEnabled(boolean nuspecAnalyzerEnabled) {
 443  0 
         this.nuspecAnalyzerEnabled = nuspecAnalyzerEnabled;
 444  0 
     }
 445   
     /**
 446   
      * Whether or not the PHP Composer Analyzer is enabled.
 447   
      */
 448  0 
     private boolean composerAnalyzerEnabled = true;
 449   
 
 450   
     /**
 451   
      * Get the value of composerAnalyzerEnabled.
 452   
      *
 453   
      * @return the value of composerAnalyzerEnabled
 454   
      */
 455   
     public boolean isComposerAnalyzerEnabled() {
 456  0 
         return composerAnalyzerEnabled;
 457   
     }
 458   
 
 459   
     /**
 460   
      * Set the value of composerAnalyzerEnabled.
 461   
      *
 462   
      * @param composerAnalyzerEnabled new value of composerAnalyzerEnabled
 463   
      */
 464   
     public void setComposerAnalyzerEnabled(boolean composerAnalyzerEnabled) {
 465  0 
         this.composerAnalyzerEnabled = composerAnalyzerEnabled;
 466  0 
     }
 467   
     /**
 468   
      * Whether the autoconf analyzer should be enabled.
 469   
      */
 470  0 
     private boolean autoconfAnalyzerEnabled = true;
 471   
 
 472   
     /**
 473   
      * Get the value of autoconfAnalyzerEnabled.
 474   
      *
 475   
      * @return the value of autoconfAnalyzerEnabled
 476   
      */
 477   
     public boolean isAutoconfAnalyzerEnabled() {
 478  0 
         return autoconfAnalyzerEnabled;
 479   
     }
 480   
 
 481   
     /**
 482   
      * Set the value of autoconfAnalyzerEnabled.
 483   
      *
 484   
      * @param autoconfAnalyzerEnabled new value of autoconfAnalyzerEnabled
 485   
      */
 486   
     public void setAutoconfAnalyzerEnabled(boolean autoconfAnalyzerEnabled) {
 487  0 
         this.autoconfAnalyzerEnabled = autoconfAnalyzerEnabled;
 488  0 
     }
 489   
     /**
 490   
      * Whether the CMake analyzer should be enabled.
 491   
      */
 492  0 
     private boolean cmakeAnalyzerEnabled = true;
 493   
 
 494   
     /**
 495   
      * Get the value of cmakeAnalyzerEnabled.
 496   
      *
 497   
      * @return the value of cmakeAnalyzerEnabled
 498   
      */
 499   
     public boolean isCMakeAnalyzerEnabled() {
 500  0 
         return cmakeAnalyzerEnabled;
 501   
     }
 502   
 
 503   
     /**
 504   
      * Set the value of cmakeAnalyzerEnabled.
 505   
      *
 506   
      * @param cmakeAnalyzerEnabled new value of cmakeAnalyzerEnabled
 507   
      */
 508   
     public void setCMakeAnalyzerEnabled(boolean cmakeAnalyzerEnabled) {
 509  0 
         this.cmakeAnalyzerEnabled = cmakeAnalyzerEnabled;
 510  0 
     }
 511   
     /**
 512   
      * Whether or not the openssl analyzer is enabled.
 513   
      */
 514  0 
     private boolean opensslAnalyzerEnabled = true;
 515   
 
 516   
     /**
 517   
      * Get the value of opensslAnalyzerEnabled.
 518   
      *
 519   
      * @return the value of opensslAnalyzerEnabled
 520   
      */
 521   
     public boolean isOpensslAnalyzerEnabled() {
 522  0 
         return opensslAnalyzerEnabled;
 523   
     }
 524   
 
 525   
     /**
 526   
      * Set the value of opensslAnalyzerEnabled.
 527   
      *
 528   
      * @param opensslAnalyzerEnabled new value of opensslAnalyzerEnabled
 529   
      */
 530   
     public void setOpensslAnalyzerEnabled(boolean opensslAnalyzerEnabled) {
 531  0 
         this.opensslAnalyzerEnabled = opensslAnalyzerEnabled;
 532  0 
     }
 533   
     /**
 534   
      * Whether or not the Node.js Analyzer is enabled.
 535   
      */
 536  0 
     private boolean nodeAnalyzerEnabled = true;
 537   
 
 538   
     /**
 539   
      * Get the value of nodeAnalyzerEnabled.
 540   
      *
 541   
      * @return the value of nodeAnalyzerEnabled
 542   
      */
 543   
     public boolean isNodeAnalyzerEnabled() {
 544  0 
         return nodeAnalyzerEnabled;
 545   
     }
 546   
 
 547   
     /**
 548   
      * Set the value of nodeAnalyzerEnabled.
 549   
      *
 550   
      * @param nodeAnalyzerEnabled new value of nodeAnalyzerEnabled
 551   
      */
 552   
     public void setNodeAnalyzerEnabled(boolean nodeAnalyzerEnabled) {
 553  0 
         this.nodeAnalyzerEnabled = nodeAnalyzerEnabled;
 554  0 
     }
 555   
     /**
 556   
      * Whether the ruby gemspec analyzer should be enabled.
 557   
      */
 558  0 
     private boolean rubygemsAnalyzerEnabled = true;
 559   
 
 560   
     /**
 561   
      * Get the value of rubygemsAnalyzerEnabled.
 562   
      *
 563   
      * @return the value of rubygemsAnalyzerEnabled
 564   
      */
 565   
     public boolean isRubygemsAnalyzerEnabled() {
 566  0 
         return rubygemsAnalyzerEnabled;
 567   
     }
 568   
 
 569   
     /**
 570   
      * Set the value of rubygemsAnalyzerEnabled.
 571   
      *
 572   
      * @param rubygemsAnalyzerEnabled new value of rubygemsAnalyzerEnabled
 573   
      */
 574   
     public void setRubygemsAnalyzerEnabled(boolean rubygemsAnalyzerEnabled) {
 575  0 
         this.rubygemsAnalyzerEnabled = rubygemsAnalyzerEnabled;
 576  0 
     }
 577   
     /**
 578   
      * Whether the python package analyzer should be enabled.
 579   
      */
 580  0 
     private boolean pyPackageAnalyzerEnabled = true;
 581   
 
 582   
     /**
 583   
      * Get the value of pyPackageAnalyzerEnabled.
 584   
      *
 585   
      * @return the value of pyPackageAnalyzerEnabled
 586   
      */
 587   
     public boolean isPyPackageAnalyzerEnabled() {
 588  0 
         return pyPackageAnalyzerEnabled;
 589   
     }
 590   
 
 591   
     /**
 592   
      * Set the value of pyPackageAnalyzerEnabled.
 593   
      *
 594   
      * @param pyPackageAnalyzerEnabled new value of pyPackageAnalyzerEnabled
 595   
      */
 596   
     public void setPyPackageAnalyzerEnabled(boolean pyPackageAnalyzerEnabled) {
 597  0 
         this.pyPackageAnalyzerEnabled = pyPackageAnalyzerEnabled;
 598  0 
     }
 599   
 
 600   
     /**
 601   
      * Whether the python distribution analyzer should be enabled.
 602   
      */
 603  0 
     private boolean pyDistributionAnalyzerEnabled = true;
 604   
 
 605   
     /**
 606   
      * Get the value of pyDistributionAnalyzerEnabled.
 607   
      *
 608   
      * @return the value of pyDistributionAnalyzerEnabled
 609   
      */
 610   
     public boolean isPyDistributionAnalyzerEnabled() {
 611  0 
         return pyDistributionAnalyzerEnabled;
 612   
     }
 613   
 
 614   
     /**
 615   
      * Set the value of pyDistributionAnalyzerEnabled.
 616   
      *
 617   
      * @param pyDistributionAnalyzerEnabled new value of pyDistributionAnalyzerEnabled
 618   
      */
 619   
     public void setPyDistributionAnalyzerEnabled(boolean pyDistributionAnalyzerEnabled) {
 620  0 
         this.pyDistributionAnalyzerEnabled = pyDistributionAnalyzerEnabled;
 621  0 
     }
 622   
 
 623   
     /**
 624   
      * Whether or not the central analyzer is enabled.
 625   
      */
 626  0 
     private boolean centralAnalyzerEnabled = false;
 627   
 
 628   
     /**
 629   
      * Get the value of centralAnalyzerEnabled.
 630   
      *
 631   
      * @return the value of centralAnalyzerEnabled
 632   
      */
 633   
     public boolean isCentralAnalyzerEnabled() {
 634  0 
         return centralAnalyzerEnabled;
 635   
     }
 636   
 
 637   
     /**
 638   
      * Set the value of centralAnalyzerEnabled.
 639   
      *
 640   
      * @param centralAnalyzerEnabled new value of centralAnalyzerEnabled
 641   
      */
 642   
     public void setCentralAnalyzerEnabled(boolean centralAnalyzerEnabled) {
 643  0 
         this.centralAnalyzerEnabled = centralAnalyzerEnabled;
 644  0 
     }
 645   
 
 646   
     /**
 647   
      * Whether or not the nexus analyzer is enabled.
 648   
      */
 649  0 
     private boolean nexusAnalyzerEnabled = true;
 650   
 
 651   
     /**
 652   
      * Get the value of nexusAnalyzerEnabled.
 653   
      *
 654   
      * @return the value of nexusAnalyzerEnabled
 655   
      */
 656   
     public boolean isNexusAnalyzerEnabled() {
 657  0 
         return nexusAnalyzerEnabled;
 658   
     }
 659   
 
 660   
     /**
 661   
      * Set the value of nexusAnalyzerEnabled.
 662   
      *
 663   
      * @param nexusAnalyzerEnabled new value of nexusAnalyzerEnabled
 664   
      */
 665   
     public void setNexusAnalyzerEnabled(boolean nexusAnalyzerEnabled) {
 666  0 
         this.nexusAnalyzerEnabled = nexusAnalyzerEnabled;
 667  0 
     }
 668   
 
 669   
     /**
 670   
      * The URL of a Nexus server's REST API end point (http://domain/nexus/service/local).
 671   
      */
 672   
     private String nexusUrl;
 673   
 
 674   
     /**
 675   
      * Get the value of nexusUrl.
 676   
      *
 677   
      * @return the value of nexusUrl
 678   
      */
 679   
     public String getNexusUrl() {
 680  0 
         return nexusUrl;
 681   
     }
 682   
 
 683   
     /**
 684   
      * Set the value of nexusUrl.
 685   
      *
 686   
      * @param nexusUrl new value of nexusUrl
 687   
      */
 688   
     public void setNexusUrl(String nexusUrl) {
 689  0 
         this.nexusUrl = nexusUrl;
 690  0 
     }
 691   
     /**
 692   
      * Whether or not the defined proxy should be used when connecting to Nexus.
 693   
      */
 694  0 
     private boolean nexusUsesProxy = true;
 695   
 
 696   
     /**
 697   
      * Get the value of nexusUsesProxy.
 698   
      *
 699   
      * @return the value of nexusUsesProxy
 700   
      */
 701   
     public boolean isNexusUsesProxy() {
 702  0 
         return nexusUsesProxy;
 703   
     }
 704   
 
 705   
     /**
 706   
      * Set the value of nexusUsesProxy.
 707   
      *
 708   
      * @param nexusUsesProxy new value of nexusUsesProxy
 709   
      */
 710   
     public void setNexusUsesProxy(boolean nexusUsesProxy) {
 711  0 
         this.nexusUsesProxy = nexusUsesProxy;
 712  0 
     }
 713   
 
 714   
     /**
 715   
      * Additional ZIP File extensions to add analyze. This should be a comma-separated list of file extensions to treat like ZIP
 716   
      * files.
 717   
      */
 718   
     private String zipExtensions;
 719   
 
 720   
     /**
 721   
      * Get the value of zipExtensions.
 722   
      *
 723   
      * @return the value of zipExtensions
 724   
      */
 725   
     public String getZipExtensions() {
 726  0 
         return zipExtensions;
 727   
     }
 728   
 
 729   
     /**
 730   
      * Set the value of zipExtensions.
 731   
      *
 732   
      * @param zipExtensions new value of zipExtensions
 733   
      */
 734   
     public void setZipExtensions(String zipExtensions) {
 735  0 
         this.zipExtensions = zipExtensions;
 736  0 
     }
 737   
 
 738   
     /**
 739   
      * The path to Mono for .NET assembly analysis on non-windows systems.
 740   
      */
 741   
     private String pathToMono;
 742   
 
 743   
     /**
 744   
      * Get the value of pathToMono.
 745   
      *
 746   
      * @return the value of pathToMono
 747   
      */
 748   
     public String getPathToMono() {
 749  0 
         return pathToMono;
 750   
     }
 751   
 
 752   
     /**
 753   
      * Set the value of pathToMono.
 754   
      *
 755   
      * @param pathToMono new value of pathToMono
 756   
      */
 757   
     public void setPathToMono(String pathToMono) {
 758  0 
         this.pathToMono = pathToMono;
 759  0 
     }
 760   
 
 761   
     @Override
 762   
     public void execute() throws BuildException {
 763  0 
         dealWithReferences();
 764  0 
         validateConfiguration();
 765  0 
         populateSettings();
 766  0 
         Engine engine = null;
 767   
         try {
 768  0 
             engine = new Engine(Check.class.getClassLoader());
 769  0 
             if (isUpdateOnly()) {
 770  0 
                 log("Deprecated 'UpdateOnly' property set; please use the UpdateTask instead", Project.MSG_WARN);
 771  0 
                 engine.doUpdates();
 772   
             } else {
 773   
                 try {
 774  0 
                     for (Resource resource : path) {
 775  0 
                         final FileProvider provider = resource.as(FileProvider.class);
 776  0 
                         if (provider != null) {
 777  0 
                             final File file = provider.getFile();
 778  0 
                             if (file != null && file.exists()) {
 779  0 
                                 engine.scan(file);
 780   
                             }
 781   
                         }
 782  0 
                     }
 783   
 
 784  0 
                     engine.analyzeDependencies();
 785  0 
                     DatabaseProperties prop = null;
 786  0 
                     CveDB cve = null;
 787   
                     try {
 788  0 
                         cve = new CveDB();
 789  0 
                         cve.open();
 790  0 
                         prop = cve.getDatabaseProperties();
 791  0 
                     } catch (DatabaseException ex) {
 792  0 
                         log("Unable to retrieve DB Properties", ex, Project.MSG_DEBUG);
 793   
                     } finally {
 794  0 
                         if (cve != null) {
 795  0 
                             cve.close();
 796   
                         }
 797   
                     }
 798  0 
                     final ReportGenerator reporter = new ReportGenerator(getProjectName(), engine.getDependencies(), engine.getAnalyzers(), prop);
 799  0 
                     reporter.generateReports(reportOutputDirectory, reportFormat);
 800   
 
 801  0 
                     if (this.failBuildOnCVSS <= 10) {
 802  0 
                         checkForFailure(engine.getDependencies());
 803   
                     }
 804  0 
                     if (this.showSummary) {
 805  0 
                         showSummary(engine.getDependencies());
 806   
                     }
 807  0 
                 } catch (IOException ex) {
 808  0 
                     log("Unable to generate dependency-check report", ex, Project.MSG_DEBUG);
 809  0 
                     throw new BuildException("Unable to generate dependency-check report", ex);
 810  0 
                 } catch (Exception ex) {
 811  0 
                     log("An exception occurred; unable to continue task", ex, Project.MSG_DEBUG);
 812  0 
                     throw new BuildException("An exception occurred; unable to continue task", ex);
 813  0 
                 }
 814   
             }
 815  0 
         } catch (DatabaseException ex) {
 816  0 
             log("Unable to connect to the dependency-check database; analysis has stopped", ex, Project.MSG_ERR);
 817   
         } finally {
 818  0 
             Settings.cleanup(true);
 819  0 
             if (engine != null) {
 820  0 
                 engine.cleanup();
 821   
             }
 822   
         }
 823  0 
     }
 824   
 
 825   
     /**
 826   
      * Validate the configuration to ensure the parameters have been properly configured/initialized.
 827   
      *
 828   
      * @throws BuildException if the task was not configured correctly.
 829   
      */
 830   
     private void validateConfiguration() throws BuildException {
 831  0 
         if (path == null) {
 832  0 
             throw new BuildException("No project dependencies have been defined to analyze.");
 833   
         }
 834  0 
         if (failBuildOnCVSS < 0 || failBuildOnCVSS > 11) {
 835  0 
             throw new BuildException("Invalid configuration, failBuildOnCVSS must be between 0 and 11.");
 836   
         }
 837  0 
     }
 838   
 
 839   
     /**
 840   
      * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
 841   
      * required to change the proxy server, port, and connection timeout.
 842   
      */
 843   
     @Override
 844   
     protected void populateSettings() {
 845  0 
         super.populateSettings();
 846  0 
         Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
 847   
 
 848  0 
         if (suppressionFile != null && !suppressionFile.isEmpty()) {
 849  0 
             Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
 850   
         }
 851   
 
 852  0 
         Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
 853   
 
 854  0 
         Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, pyDistributionAnalyzerEnabled);
 855  0 
         Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, pyPackageAnalyzerEnabled);
 856  0 
         Settings.setBoolean(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, rubygemsAnalyzerEnabled);
 857  0 
         Settings.setBoolean(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, opensslAnalyzerEnabled);
 858  0 
         Settings.setBoolean(Settings.KEYS.ANALYZER_CMAKE_ENABLED, cmakeAnalyzerEnabled);
 859  0 
         Settings.setBoolean(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
 860  0 
         Settings.setBoolean(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
 861  0 
         Settings.setBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);
 862   
 
 863  0 
         Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
 864  0 
         Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
 865  0 
         Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
 866  0 
         if (nexusUrl != null && !nexusUrl.isEmpty()) {
 867  0 
             Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
 868   
         }
 869  0 
         Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy);
 870  0 
         Settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, archiveAnalyzerEnabled);
 871  0 
         if (zipExtensions != null && !zipExtensions.isEmpty()) {
 872  0 
             Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
 873   
         }
 874  0 
         Settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, assemblyAnalyzerEnabled);
 875  0 
         if (pathToMono != null && !pathToMono.isEmpty()) {
 876  0 
             Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
 877   
         }
 878  0 
     }
 879   
 
 880   
     /**
 881   
      * Checks to see if a vulnerability has been identified with a CVSS score that is above the threshold set in the
 882   
      * configuration.
 883   
      *
 884   
      * @param dependencies the list of dependency objects
 885   
      * @throws BuildException thrown if a CVSS score is found that is higher then the threshold set
 886   
      */
 887   
     private void checkForFailure(List<Dependency> dependencies) throws BuildException {
 888  0 
         final StringBuilder ids = new StringBuilder();
 889  0 
         for (Dependency d : dependencies) {
 890  0 
             for (Vulnerability v : d.getVulnerabilities()) {
 891  0 
                 if (v.getCvssScore() >= failBuildOnCVSS) {
 892  0 
                     if (ids.length() == 0) {
 893  0 
                         ids.append(v.getName());
 894   
                     } else {
 895  0 
                         ids.append(", ").append(v.getName());
 896   
                     }
 897   
                 }
 898  0 
             }
 899  0 
         }
 900  0 
         if (ids.length() > 0) {
 901  0 
             final String msg = String.format("%n%nDependency-Check Failure:%n"
 902   
                     + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater then '%.1f': %s%n"
 903   
                     + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids.toString());
 904  0 
             throw new BuildException(msg);
 905   
         }
 906  0 
     }
 907   
 
 908   
     /**
 909   
      * Generates a warning message listing a summary of dependencies and their associated CPE and CVE entries.
 910   
      *
 911   
      * @param dependencies a list of dependency objects
 912   
      */
 913   
     private void showSummary(List<Dependency> dependencies) {
 914  0 
         final StringBuilder summary = new StringBuilder();
 915  0 
         for (Dependency d : dependencies) {
 916  0 
             boolean firstEntry = true;
 917  0 
             final StringBuilder ids = new StringBuilder();
 918  0 
             for (Vulnerability v : d.getVulnerabilities()) {
 919  0 
                 if (firstEntry) {
 920  0 
                     firstEntry = false;
 921   
                 } else {
 922  0 
                     ids.append(", ");
 923   
                 }
 924  0 
                 ids.append(v.getName());
 925  0 
             }
 926  0 
             if (ids.length() > 0) {
 927  0 
                 summary.append(d.getFileName()).append(" (");
 928  0 
                 firstEntry = true;
 929  0 
                 for (Identifier id : d.getIdentifiers()) {
 930  0 
                     if (firstEntry) {
 931  0 
                         firstEntry = false;
 932   
                     } else {
 933  0 
                         summary.append(", ");
 934   
                     }
 935  0 
                     summary.append(id.getValue());
 936  0 
                 }
 937  0 
                 summary.append(") : ").append(ids).append(NEW_LINE);
 938   
             }
 939  0 
         }
 940  0 
         if (summary.length() > 0) {
 941  0 
             final String msg = String.format("%n%n"
 942   
                     + "One or more dependencies were identified with known vulnerabilities:%n%n%s"
 943   
                     + "%n%nSee the dependency-check report for more details.%n%n", summary.toString());
 944  0 
             log(msg, Project.MSG_WARN);
 945   
         }
 946  0 
     }
 947   
 
 948   
     /**
 949   
      * An enumeration of supported report formats: "ALL", "HTML", "XML", "VULN", etc..
 950   
      */
 951  0 
     public static class ReportFormats extends EnumeratedAttribute {
 952   
 
 953   
         /**
 954   
          * Returns the list of values for the report format.
 955   
          *
 956   
          * @return the list of values for the report format
 957   
          */
 958   
         @Override
 959   
         public String[] getValues() {
 960  0 
             int i = 0;
 961  0 
             final Format[] formats = Format.values();
 962  0 
             final String[] values = new String[formats.length];
 963  0 
             for (Format format : formats) {
 964  0 
                 values[i++] = format.name();
 965   
             }
 966  0 
             return values;
 967   
         }
 968   
     }
 969   
 }
Report generated by Cobertura 2.1.1 on 9/20/15 6:49 AM.