Coverage Report

Coverage Report - org.owasp.dependencycheck.agent.DependencyCheckScanAgent

Classes in this File
Line Coverage
Branch Coverage
Complexity
DependencyCheckScanAgent
0/240
0/110
1.857
 /*
  * This file is part of dependency-check-core.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *
  * Copyright (c) 2014 Steve Springett. All Rights Reserved.
  */
 package org.owasp.dependencycheck.agent;
 
 import java.io.File;
 import java.io.IOException;
 import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.exception.ScanAgentException;
 import org.owasp.dependencycheck.reporting.ReportGenerator;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
  * This class provides a way to easily conduct a scan solely based on existing evidence metadata rather than collecting
  * evidence from the files themselves. This class is based on the Ant task and Maven plugin with the exception that it
  * takes a list of dependencies that can be programmatically added from data in a spreadsheet, database or some other
  * datasource and conduct a scan based on this pre-defined evidence.
  *
  * <h2>Example:</h2>
  * <pre>
  * List<Dependency> dependencies = new ArrayList<Dependency>();
  * Dependency dependency = new Dependency(new File(FileUtils.getBitBucket()));
  * dependency.getProductEvidence().addEvidence("my-datasource", "name", "Jetty", Confidence.HIGH);
  * dependency.getVersionEvidence().addEvidence("my-datasource", "version", "5.1.10", Confidence.HIGH);
  * dependency.getVendorEvidence().addEvidence("my-datasource", "vendor", "mortbay", Confidence.HIGH);
  * dependencies.add(dependency);
  *
  * DependencyCheckScanAgent scan = new DependencyCheckScanAgent();
  * scan.setDependencies(dependencies);
  * scan.setReportFormat(ReportGenerator.Format.ALL);
  * scan.setReportOutputDirectory(System.getProperty("user.home"));
  * scan.execute();
  * </pre>
  *
  * @author Steve Springett <steve.springett@owasp.org>
  */
 @SuppressWarnings("unused")
 public class DependencyCheckScanAgent {
 
     /**
      * System specific new line character.
      */
     private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();
     /**
      * Logger for use throughout the class.
      */
     private static final Logger LOGGER = Logger.getLogger(DependencyCheckScanAgent.class.getName());
     /**
      * The application name for the report.
      */
     private String applicationName = "Dependency-Check";
 
     /**
      * Get the value of applicationName.
      *
      * @return the value of applicationName
      */
     public String getApplicationName() {
         return applicationName;
     }
 
     /**
      * Set the value of applicationName.
      *
      * @param applicationName new value of applicationName
      */
     public void setApplicationName(String applicationName) {
         this.applicationName = applicationName;
     }
 
     /**
      * The pre-determined dependencies to scan
      */
     private List<Dependency> dependencies;
 
     /**
      * Returns a list of pre-determined dependencies.
      *
      * @return returns a list of dependencies
      */
     public List<Dependency> getDependencies() {
         return dependencies;
     }
 
     /**
      * Sets the list of dependencies to scan.
      *
      * @param dependencies new value of dependencies
      */
     public void setDependencies(List<Dependency> dependencies) {
         this.dependencies = dependencies;
     }
 
     /**
      * The location of the data directory that contains
      */
     private String dataDirectory = null;
 
     /**
      * Get the value of dataDirectory.
      *
      * @return the value of dataDirectory
      */
     public String getDataDirectory() {
         return dataDirectory;
     }
 
     /**
      * Set the value of dataDirectory.
      *
      * @param dataDirectory new value of dataDirectory
      */
     public void setDataDirectory(String dataDirectory) {
         this.dataDirectory = dataDirectory;
     }
 
     /**
      * Specifies the destination directory for the generated Dependency-Check report.
      */
     private String reportOutputDirectory;
 
     /**
      * Get the value of reportOutputDirectory.
      *
      * @return the value of reportOutputDirectory
      */
     public String getReportOutputDirectory() {
         return reportOutputDirectory;
     }
 
     /**
      * Set the value of reportOutputDirectory.
      *
      * @param reportOutputDirectory new value of reportOutputDirectory
      */
     public void setReportOutputDirectory(String reportOutputDirectory) {
         this.reportOutputDirectory = reportOutputDirectory;
     }
 
     /**
      * Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11
      * which means since the CVSS scores are 0-10, by default the build will never fail and the CVSS score is set to 11.
      * The valid range for the fail build on CVSS is 0 to 11, where anything above 10 will not cause the build to fail.
      */
     private float failBuildOnCVSS = 11;
 
     /**
      * Get the value of failBuildOnCVSS.
      *
      * @return the value of failBuildOnCVSS
      */
     public float getFailBuildOnCVSS() {
         return failBuildOnCVSS;
     }
 
     /**
      * Set the value of failBuildOnCVSS.
      *
      * @param failBuildOnCVSS new value of failBuildOnCVSS
      */
     public void setFailBuildOnCVSS(float failBuildOnCVSS) {
         this.failBuildOnCVSS = failBuildOnCVSS;
     }
 
     /**
      * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to
      * false. Default is true.
      */
     private boolean autoUpdate = true;
 
     /**
      * Get the value of autoUpdate.
      *
      * @return the value of autoUpdate
      */
     public boolean isAutoUpdate() {
         return autoUpdate;
     }
 
     /**
      * Set the value of autoUpdate.
      *
      * @param autoUpdate new value of autoUpdate
      */
     public void setAutoUpdate(boolean autoUpdate) {
         this.autoUpdate = autoUpdate;
     }
 
     /**
      * The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this
      * within the Site plugin unless the externalReport is set to true. Default is HTML.
      */
     private ReportGenerator.Format reportFormat = ReportGenerator.Format.HTML;
 
     /**
      * Get the value of reportFormat.
      *
      * @return the value of reportFormat
      */
     public ReportGenerator.Format getReportFormat() {
         return reportFormat;
     }
 
     /**
      * Set the value of reportFormat.
      *
      * @param reportFormat new value of reportFormat
      */
     public void setReportFormat(ReportGenerator.Format reportFormat) {
         this.reportFormat = reportFormat;
     }
 
     /**
      * The Proxy Server.
      */
     private String proxyServer;
 
     /**
      * Get the value of proxyServer.
      *
      * @return the value of proxyServer
      */
     public String getProxyServer() {
         return proxyServer;
     }
 
     /**
      * Set the value of proxyServer.
      *
      * @param proxyServer new value of proxyServer
      */
     public void setProxyServer(String proxyServer) {
         this.proxyServer = proxyServer;
     }
 
     /**
      * Get the value of proxyServer.
      *
      * @return the value of proxyServer
      * @deprecated use {@link org.owasp.dependencycheck.agent.DependencyCheckScanAgent#getProxyServer()} instead
      */
     @Deprecated
     public String getProxyUrl() {
         return proxyServer;
     }
 
     /**
      * Set the value of proxyServer.
      *
      * @param proxyUrl new value of proxyServer
      * @deprecated use {@link org.owasp.dependencycheck.agent.DependencyCheckScanAgent#setProxyServer(java.lang.String)
      * } instead
      */
     @Deprecated
     public void setProxyUrl(String proxyUrl) {
         this.proxyServer = proxyUrl;
     }
 
     /**
      * The Proxy Port.
      */
     private String proxyPort;
 
     /**
      * Get the value of proxyPort.
      *
      * @return the value of proxyPort
      */
     public String getProxyPort() {
         return proxyPort;
     }
 
     /**
      * Set the value of proxyPort.
      *
      * @param proxyPort new value of proxyPort
      */
     public void setProxyPort(String proxyPort) {
         this.proxyPort = proxyPort;
     }
 
     /**
      * The Proxy username.
      */
     private String proxyUsername;
 
     /**
      * Get the value of proxyUsername.
      *
      * @return the value of proxyUsername
      */
     public String getProxyUsername() {
         return proxyUsername;
     }
 
     /**
      * Set the value of proxyUsername.
      *
      * @param proxyUsername new value of proxyUsername
      */
     public void setProxyUsername(String proxyUsername) {
         this.proxyUsername = proxyUsername;
     }
 
     /**
      * The Proxy password.
      */
     private String proxyPassword;
 
     /**
      * Get the value of proxyPassword.
      *
      * @return the value of proxyPassword
      */
     public String getProxyPassword() {
         return proxyPassword;
     }
 
     /**
      * Set the value of proxyPassword.
      *
      * @param proxyPassword new value of proxyPassword
      */
     public void setProxyPassword(String proxyPassword) {
         this.proxyPassword = proxyPassword;
     }
 
     /**
      * The Connection Timeout.
      */
     private String connectionTimeout;
 
     /**
      * Get the value of connectionTimeout.
      *
      * @return the value of connectionTimeout
      */
     public String getConnectionTimeout() {
         return connectionTimeout;
     }
 
     /**
      * Set the value of connectionTimeout.
      *
      * @param connectionTimeout new value of connectionTimeout
      */
     public void setConnectionTimeout(String connectionTimeout) {
         this.connectionTimeout = connectionTimeout;
     }
 
     /**
      * The file path used for verbose logging.
      */
     private String logFile = null;
 
     /**
      * Get the value of logFile.
      *
      * @return the value of logFile
      */
     public String getLogFile() {
         return logFile;
     }
 
     /**
      * Set the value of logFile.
      *
      * @param logFile new value of logFile
      */
     public void setLogFile(String logFile) {
         this.logFile = logFile;
     }
 
     /**
      * The path to the suppression file.
      */
     private String suppressionFile;
 
     /**
      * Get the value of suppressionFile.
      *
      * @return the value of suppressionFile
      */
     public String getSuppressionFile() {
         return suppressionFile;
     }
 
     /**
      * Set the value of suppressionFile.
      *
      * @param suppressionFile new value of suppressionFile
      */
     public void setSuppressionFile(String suppressionFile) {
         this.suppressionFile = suppressionFile;
     }
 
     /**
      * flag indicating whether or not to show a summary of findings.
      */
     private boolean showSummary = true;
 
     /**
      * Get the value of showSummary.
      *
      * @return the value of showSummary
      */
     public boolean isShowSummary() {
         return showSummary;
     }
 
     /**
      * Set the value of showSummary.
      *
      * @param showSummary new value of showSummary
      */
     public void setShowSummary(boolean showSummary) {
         this.showSummary = showSummary;
     }
 
     /**
      * Whether or not the Maven Central analyzer is enabled.
      */
     private boolean centralAnalyzerEnabled = true;
 
     /**
      * Get the value of centralAnalyzerEnabled.
      *
      * @return the value of centralAnalyzerEnabled
      */
     public boolean isCentralAnalyzerEnabled() {
         return centralAnalyzerEnabled;
     }
 
     /**
      * Set the value of centralAnalyzerEnabled.
      *
      * @param centralAnalyzerEnabled new value of centralAnalyzerEnabled
      */
     public void setCentralAnalyzerEnabled(boolean centralAnalyzerEnabled) {
         this.centralAnalyzerEnabled = centralAnalyzerEnabled;
     }
 
     /**
      * The URL of Maven Central.
      */
     private String centralUrl;
 
     /**
      * Get the value of centralUrl.
      *
      * @return the value of centralUrl
      */
     public String getCentralUrl() {
         return centralUrl;
     }
 
     /**
      * Set the value of centralUrl.
      *
      * @param centralUrl new value of centralUrl
      */
     public void setCentralUrl(String centralUrl) {
         this.centralUrl = centralUrl;
     }
 
     /**
      * Whether or not the nexus analyzer is enabled.
      */
     private boolean nexusAnalyzerEnabled = true;
 
     /**
      * Get the value of nexusAnalyzerEnabled.
      *
      * @return the value of nexusAnalyzerEnabled
      */
     public boolean isNexusAnalyzerEnabled() {
         return nexusAnalyzerEnabled;
     }
 
     /**
      * Set the value of nexusAnalyzerEnabled.
      *
      * @param nexusAnalyzerEnabled new value of nexusAnalyzerEnabled
      */
     public void setNexusAnalyzerEnabled(boolean nexusAnalyzerEnabled) {
         this.nexusAnalyzerEnabled = nexusAnalyzerEnabled;
     }
 
     /**
      * The URL of the Nexus server.
      */
     private String nexusUrl;
 
     /**
      * Get the value of nexusUrl.
      *
      * @return the value of nexusUrl
      */
     public String getNexusUrl() {
         return nexusUrl;
     }
 
     /**
      * Set the value of nexusUrl.
      *
      * @param nexusUrl new value of nexusUrl
      */
     public void setNexusUrl(String nexusUrl) {
         this.nexusUrl = nexusUrl;
     }
 
     /**
      * Whether or not the defined proxy should be used when connecting to Nexus.
      */
     private boolean nexusUsesProxy = true;
 
     /**
      * Get the value of nexusUsesProxy.
      *
      * @return the value of nexusUsesProxy
      */
     public boolean isNexusUsesProxy() {
         return nexusUsesProxy;
     }
 
     /**
      * Set the value of nexusUsesProxy.
      *
      * @param nexusUsesProxy new value of nexusUsesProxy
      */
     public void setNexusUsesProxy(boolean nexusUsesProxy) {
         this.nexusUsesProxy = nexusUsesProxy;
     }
 
     /**
      * The database driver name; such as org.h2.Driver.
      */
     private String databaseDriverName;
 
     /**
      * Get the value of databaseDriverName.
      *
      * @return the value of databaseDriverName
      */
     public String getDatabaseDriverName() {
         return databaseDriverName;
     }
 
     /**
      * Set the value of databaseDriverName.
      *
      * @param databaseDriverName new value of databaseDriverName
      */
     public void setDatabaseDriverName(String databaseDriverName) {
         this.databaseDriverName = databaseDriverName;
     }
 
     /**
      * The path to the database driver JAR file if it is not on the class path.
      */
     private String databaseDriverPath;
 
     /**
      * Get the value of databaseDriverPath.
      *
      * @return the value of databaseDriverPath
      */
     public String getDatabaseDriverPath() {
         return databaseDriverPath;
     }
 
     /**
      * Set the value of databaseDriverPath.
      *
      * @param databaseDriverPath new value of databaseDriverPath
      */
     public void setDatabaseDriverPath(String databaseDriverPath) {
         this.databaseDriverPath = databaseDriverPath;
     }
 
     /**
      * The database connection string.
      */
     private String connectionString;
 
     /**
      * Get the value of connectionString.
      *
      * @return the value of connectionString
      */
     public String getConnectionString() {
         return connectionString;
     }
 
     /**
      * Set the value of connectionString.
      *
      * @param connectionString new value of connectionString
      */
     public void setConnectionString(String connectionString) {
         this.connectionString = connectionString;
     }
 
     /**
      * The user name for connecting to the database.
      */
     private String databaseUser;
 
     /**
      * Get the value of databaseUser.
      *
      * @return the value of databaseUser
      */
     public String getDatabaseUser() {
         return databaseUser;
     }
 
     /**
      * Set the value of databaseUser.
      *
      * @param databaseUser new value of databaseUser
      */
     public void setDatabaseUser(String databaseUser) {
         this.databaseUser = databaseUser;
     }
 
     /**
      * The password to use when connecting to the database.
      */
     private String databasePassword;
 
     /**
      * Get the value of databasePassword.
      *
      * @return the value of databasePassword
      */
     public String getDatabasePassword() {
         return databasePassword;
     }
 
     /**
      * Set the value of databasePassword.
      *
      * @param databasePassword new value of databasePassword
      */
     public void setDatabasePassword(String databasePassword) {
         this.databasePassword = databasePassword;
     }
 
     /**
      * Additional ZIP File extensions to add analyze. This should be a comma-separated list of file extensions to treat
      * like ZIP files.
      */
     private String zipExtensions;
 
     /**
      * Get the value of zipExtensions.
      *
      * @return the value of zipExtensions
      */
     public String getZipExtensions() {
         return zipExtensions;
     }
 
     /**
      * Set the value of zipExtensions.
      *
      * @param zipExtensions new value of zipExtensions
      */
     public void setZipExtensions(String zipExtensions) {
         this.zipExtensions = zipExtensions;
     }
 
     /**
      * The url for the modified NVD CVE (1.2 schema).
      */
     private String cveUrl12Modified;
 
     /**
      * Get the value of cveUrl12Modified.
      *
      * @return the value of cveUrl12Modified
      */
     public String getCveUrl12Modified() {
         return cveUrl12Modified;
     }
 
     /**
      * Set the value of cveUrl12Modified.
      *
      * @param cveUrl12Modified new value of cveUrl12Modified
      */
     public void setCveUrl12Modified(String cveUrl12Modified) {
         this.cveUrl12Modified = cveUrl12Modified;
     }
 
     /**
      * The url for the modified NVD CVE (2.0 schema).
      */
     private String cveUrl20Modified;
 
     /**
      * Get the value of cveUrl20Modified.
      *
      * @return the value of cveUrl20Modified
      */
     public String getCveUrl20Modified() {
         return cveUrl20Modified;
     }
 
     /**
      * Set the value of cveUrl20Modified.
      *
      * @param cveUrl20Modified new value of cveUrl20Modified
      */
     public void setCveUrl20Modified(String cveUrl20Modified) {
         this.cveUrl20Modified = cveUrl20Modified;
     }
 
     /**
      * Base Data Mirror URL for CVE 1.2.
      */
     private String cveUrl12Base;
 
     /**
      * Get the value of cveUrl12Base.
      *
      * @return the value of cveUrl12Base
      */
     public String getCveUrl12Base() {
         return cveUrl12Base;
     }
 
     /**
      * Set the value of cveUrl12Base.
      *
      * @param cveUrl12Base new value of cveUrl12Base
      */
     public void setCveUrl12Base(String cveUrl12Base) {
         this.cveUrl12Base = cveUrl12Base;
     }
 
     /**
      * Data Mirror URL for CVE 2.0.
      */
     private String cveUrl20Base;
 
     /**
      * Get the value of cveUrl20Base.
      *
      * @return the value of cveUrl20Base
      */
     public String getCveUrl20Base() {
         return cveUrl20Base;
     }
 
     /**
      * Set the value of cveUrl20Base.
      *
      * @param cveUrl20Base new value of cveUrl20Base
      */
     public void setCveUrl20Base(String cveUrl20Base) {
         this.cveUrl20Base = cveUrl20Base;
     }
 
     /**
      * The path to Mono for .NET assembly analysis on non-windows systems.
      */
     private String pathToMono;
 
     /**
      * Get the value of pathToMono.
      *
      * @return the value of pathToMono
      */
     public String getPathToMono() {
         return pathToMono;
     }
 
     /**
      * Set the value of pathToMono.
      *
      * @param pathToMono new value of pathToMono
      */
     public void setPathToMono(String pathToMono) {
         this.pathToMono = pathToMono;
     }
 
     /**
      * Executes the Dependency-Check on the dependent libraries.
      *
      * @return the Engine used to scan the dependencies.
      * @throws org.owasp.dependencycheck.data.nvdcve.DatabaseException thrown if there is an exception connecting to the
      * database
      */
     private Engine executeDependencyCheck() throws DatabaseException {
         populateSettings();
         Engine engine = null;
         engine = new Engine();
         engine.setDependencies(this.dependencies);
         engine.analyzeDependencies();
         return engine;
     }
 
     /**
      * Generates the reports for a given dependency-check engine.
      *
      * @param engine a dependency-check engine
      * @param outDirectory the directory to write the reports to
      */
     private void generateExternalReports(Engine engine, File outDirectory) {
         DatabaseProperties prop = null;
         CveDB cve = null;
         try {
             cve = new CveDB();
             cve.open();
             prop = cve.getDatabaseProperties();
         } catch (DatabaseException ex) {
             LOGGER.log(Level.FINE, "Unable to retrieve DB Properties", ex);
         } finally {
             if (cve != null) {
                 cve.close();
             }
         }
         final ReportGenerator r = new ReportGenerator(this.applicationName, engine.getDependencies(), engine.getAnalyzers(), prop);
         try {
             r.generateReports(outDirectory.getCanonicalPath(), this.reportFormat.name());
         } catch (IOException ex) {
             LOGGER.log(Level.SEVERE,
                     "Unexpected exception occurred during analysis; please see the verbose error log for more details.");
             LOGGER.log(Level.FINE, null, ex);
         } catch (Throwable ex) {
             LOGGER.log(Level.SEVERE,
                     "Unexpected exception occurred during analysis; please see the verbose error log for more details.");
             LOGGER.log(Level.FINE, null, ex);
         }
     }
 
     /**
      * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system
      * properties required to change the proxy server, port, and connection timeout.
      */
     private void populateSettings() {
         Settings.initialize();
         if (dataDirectory != null) {
             Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
         } else {
             final File jarPath = new File(DependencyCheckScanAgent.class.getProtectionDomain().getCodeSource().getLocation().getPath());
             final File base = jarPath.getParentFile();
             final String sub = Settings.getString(Settings.KEYS.DATA_DIRECTORY);
             final File dataDir = new File(base, sub);
             Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
         }
 
         Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
 
         if (proxyServer != null && !proxyServer.isEmpty()) {
             Settings.setString(Settings.KEYS.PROXY_SERVER, proxyServer);
         }
         if (proxyPort != null && !proxyPort.isEmpty()) {
             Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
         }
         if (proxyUsername != null && !proxyUsername.isEmpty()) {
             Settings.setString(Settings.KEYS.PROXY_USERNAME, proxyUsername);
         }
         if (proxyPassword != null && !proxyPassword.isEmpty()) {
             Settings.setString(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
         }
         if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
             Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
         }
         if (suppressionFile != null && !suppressionFile.isEmpty()) {
             Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
         }
         Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
         if (centralUrl != null && !centralUrl.isEmpty()) {
             Settings.setString(Settings.KEYS.ANALYZER_CENTRAL_URL, centralUrl);
         }
         Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
         if (nexusUrl != null && !nexusUrl.isEmpty()) {
             Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
         }
         Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy);
         if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
             Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
         }
         if (databaseDriverPath != null && !databaseDriverPath.isEmpty()) {
             Settings.setString(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
         }
         if (connectionString != null && !connectionString.isEmpty()) {
             Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
         }
         if (databaseUser != null && !databaseUser.isEmpty()) {
             Settings.setString(Settings.KEYS.DB_USER, databaseUser);
         }
         if (databasePassword != null && !databasePassword.isEmpty()) {
             Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
         }
         if (zipExtensions != null && !zipExtensions.isEmpty()) {
             Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
         }
         if (cveUrl12Modified != null && !cveUrl12Modified.isEmpty()) {
             Settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
         }
         if (cveUrl20Modified != null && !cveUrl20Modified.isEmpty()) {
             Settings.setString(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
         }
         if (cveUrl12Base != null && !cveUrl12Base.isEmpty()) {
             Settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
         }
         if (cveUrl20Base != null && !cveUrl20Base.isEmpty()) {
             Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
         }
         if (pathToMono != null && !pathToMono.isEmpty()) {
             Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
         }
     }
 
     /**
      * Executes the dependency-check and generates the report.
      *
      * @throws org.owasp.dependencycheck.exception.ScanAgentException thrown if there is an exception executing the
      * scan.
      */
     public void execute() throws ScanAgentException {
         Engine engine = null;
         try {
             engine = executeDependencyCheck();
             generateExternalReports(engine, new File(this.reportOutputDirectory));
             if (this.showSummary) {
                 showSummary(engine.getDependencies());
             }
             if (this.failBuildOnCVSS <= 10) {
                 checkForFailure(engine.getDependencies());
             }
         } catch (DatabaseException ex) {
             LOGGER.log(Level.SEVERE,
                     "Unable to connect to the dependency-check database; analysis has stopped");
             LOGGER.log(Level.FINE, "", ex);
         } finally {
             Settings.cleanup(true);
             if (engine != null) {
                 engine.cleanup();
             }
         }
     }
 
     /**
      * Checks to see if a vulnerability has been identified with a CVSS score that is above the threshold set in the
      * configuration.
      *
      * @param dependencies the list of dependency objects
      * @throws org.owasp.dependencycheck.exception.ScanAgentException thrown if there is an exception executing the
      * scan.
      */
     private void checkForFailure(List<Dependency> dependencies) throws ScanAgentException {
         final StringBuilder ids = new StringBuilder();
         for (Dependency d : dependencies) {
             boolean addName = true;
             for (Vulnerability v : d.getVulnerabilities()) {
                 if (v.getCvssScore() >= failBuildOnCVSS) {
                     if (addName) {
                         addName = false;
                         ids.append(NEW_LINE).append(d.getFileName()).append(": ");
                         ids.append(v.getName());
                     } else {
                         ids.append(", ").append(v.getName());
                     }
                 }
             }
         }
         if (ids.length() > 0) {
             final String msg = String.format("%n%nDependency-Check Failure:%n"
                     + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater then '%.1f': %s%n"
                     + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids.toString());
 
             throw new ScanAgentException(msg);
         }
     }
 
     /**
      * Generates a warning message listing a summary of dependencies and their associated CPE and CVE entries.
      *
      * @param dependencies a list of dependency objects
      */
     private void showSummary(List<Dependency> dependencies) {
         final StringBuilder summary = new StringBuilder();
         for (Dependency d : dependencies) {
             boolean firstEntry = true;
             final StringBuilder ids = new StringBuilder();
             for (Vulnerability v : d.getVulnerabilities()) {
                 if (firstEntry) {
                     firstEntry = false;
                 } else {
                     ids.append(", ");
                 }
                 ids.append(v.getName());
             }
             if (ids.length() > 0) {
                 summary.append(d.getFileName()).append(" (");
                 firstEntry = true;
                 for (Identifier id : d.getIdentifiers()) {
                     if (firstEntry) {
                         firstEntry = false;
                     } else {
                         summary.append(", ");
                     }
                     summary.append(id.getValue());
                 }
                 summary.append(") : ").append(ids).append(NEW_LINE);
             }
         }
         if (summary.length() > 0) {
             final String msg = String.format("%n%n"
                     + "One or more dependencies were identified with known vulnerabilities:%n%n%s"
                     + "%n%nSee the dependency-check report for more details.%n%n", summary.toString());
             LOGGER.log(Level.WARNING, msg);
         }
     }
 
 }