1   /*
2    * This file is part of dependency-check-maven.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.maven;
19  
20  import java.util.Locale;
21  import org.apache.maven.artifact.Artifact;
22  import org.apache.maven.plugin.MojoExecutionException;
23  import org.apache.maven.plugin.MojoFailureException;
24  import org.apache.maven.plugins.annotations.LifecyclePhase;
25  import org.apache.maven.plugins.annotations.Mojo;
26  import org.apache.maven.plugins.annotations.ResolutionScope;
27  import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
28  import org.owasp.dependencycheck.utils.Settings;
29  
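/**
 * Maven Plugin that checks the project dependencies to see if they have any known published vulnerabilities.
 *
 * <p>Bound to the {@code check} goal; the actual analysis is driven by {@link #runCheck()}, which is
 * invoked by the base class.</p>
 *
 * @author Jeremy Long
 */
@Mojo(
        name = "check",
        defaultPhase = LifecyclePhase.COMPILE,
        threadSafe = true,
        requiresDependencyResolution = ResolutionScope.COMPILE_PLUS_RUNTIME,
        requiresOnline = true
)
public class CheckMojo extends BaseDependencyCheckMojo {

    /**
     * Returns whether or not the report can be generated. A report is possible as soon as at least
     * one project artifact is not excluded from the scan.
     *
     * @return <code>true</code> if the report can be generated; otherwise <code>false</code>
     */
    @Override
    public boolean canGenerateReport() {
        for (Artifact a : getProject().getArtifacts()) {
            if (!excludeFromScan(a)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Executes the dependency-check engine on the project's dependencies and generates the report.
     *
     * <p>Once the engine has been initialized, its cleanup and {@link Settings#cleanup()} run in a
     * {@code finally} block. This matters because {@link #checkForFailure} is expected to throw a
     * {@link MojoFailureException} on the normal "fail the build" path, and without the
     * {@code finally} the engine resources would never be released in exactly that case (nor when
     * scanning, analysis or report writing fails with a runtime exception).</p>
     *
     * @throws MojoExecutionException thrown if there is an exception executing the goal
     * @throws MojoFailureException thrown if dependency-check is configured to fail the build
     */
    @Override
    public void runCheck() throws MojoExecutionException, MojoFailureException {
        final Engine engine;
        try {
            engine = initializeEngine();
        } catch (DatabaseException ex) {
            // the full stack trace is only useful at debug level; the MojoExecutionException
            // below still carries the cause so it is not lost
            if (getLog().isDebugEnabled()) {
                getLog().debug("Database connection error", ex);
            }
            throw new MojoExecutionException("An exception occured connecting to the local database. Please see the log file for more details.", ex);
        }
        try {
            scanArtifacts(getProject(), engine);
            if (engine.getDependencies().isEmpty()) {
                getLog().info("No dependencies were identified that could be analyzed by dependency-check");
            } else {
                engine.analyzeDependencies();
                writeReports(engine, getProject(), getCorrectOutputDirectory());
                writeDataFile(getProject(), null, engine.getDependencies());
                showSummary(getProject(), engine.getDependencies());
                // may throw MojoFailureException to fail the build; cleanup still runs below
                checkForFailure(engine.getDependencies());
            }
        } finally {
            engine.cleanup();
            Settings.cleanup();
        }
    }

    /**
     * Returns the report name.
     *
     * @param locale the locale to get the report name for (currently unused; the name is fixed)
     * @return the report name
     */
    public String getName(Locale locale) {
        return "dependency-check";
    }

    /**
     * Gets the description of the Dependency-Check report to be displayed in the Maven Generated Reports page.
     *
     * @param locale The Locale to get the description for (currently unused; the description is fixed)
     * @return the description
     */
    public String getDescription(Locale locale) {
        return "Generates a report providing details on any published vulnerabilities within project dependencies. "
                + "This report is a best effort and may contain false positives and false negatives.";
    }

}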