1   /*
2    * This file is part of dependency-check-maven.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.maven;
19  
20  import java.util.Locale;
21  import org.apache.maven.artifact.Artifact;
22  import org.apache.maven.plugin.MojoExecutionException;
23  import org.apache.maven.plugin.MojoFailureException;
24  import org.apache.maven.plugins.annotations.LifecyclePhase;
25  import org.apache.maven.plugins.annotations.Mojo;
26  import org.apache.maven.plugins.annotations.Parameter;
27  import org.apache.maven.plugins.annotations.ResolutionScope;
28  import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
29  import org.owasp.dependencycheck.utils.Settings;
30  
31  /**
32   * Maven Plugin that checks the project dependencies to see if they have any known published vulnerabilities.
33   *
34   * @author Jeremy Long
35   */
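@Mojo(
        name = "check",
        defaultPhase = LifecyclePhase.VERIFY,
        // Declared non-thread-safe: runCheck() ends with the static Settings.cleanup(),
        // which suggests process-global state shared between executions.
        threadSafe = false,
        requiresDependencyResolution = ResolutionScope.COMPILE_PLUS_RUNTIME,
        // NOTE(review): the goal declares that it needs network access; presumably for
        // the data update done inside initializeEngine() - confirm, as offline builds
        // must disable that update elsewhere.
        requiresOnline = true
)
public class CheckMojo extends BaseDependencyCheckMojo {

    /**
     * Returns whether or not a the report can be generated.
     * <p>
     * The report is only worth producing when at least one resolved project
     * artifact survives {@link #excludeFromScan(Artifact)}.
     *
     * @return <code>true</code> if the report can be generated; otherwise <code>false</code>
     */
    @Override
    public boolean canGenerateReport() {
        for (Artifact artifact : getProject().getArtifacts()) {
            if (!excludeFromScan(artifact)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Executes the dependency-check engine on the project's dependencies and generates the report.
     * <p>
     * The engine and the shared {@link Settings} are always released, even when
     * {@link #checkForFailure} fails the build or an analyzer throws; the original
     * code only cleaned up on the success path, leaking the engine (and whatever it
     * holds open, e.g. its database connection) whenever the build was configured to
     * fail on findings.
     *
     * @throws MojoExecutionException thrown if there is an exception executing the goal
     * @throws MojoFailureException thrown if dependency-check is configured to fail the build
     */
    @Override
    public void runCheck() throws MojoExecutionException, MojoFailureException {
        final Engine engine;
        try {
            engine = initializeEngine();
        } catch (DatabaseException ex) {
            // Full stack trace only at debug level; the cause is still attached to the
            // MojoExecutionException so Maven's -e output shows it.
            if (getLog().isDebugEnabled()) {
                getLog().debug("Database connection error", ex);
            }
            throw new MojoExecutionException("An exception occured connecting to the local database. Please see the log file for more details.", ex);
        }
        try {
            scanArtifacts(getProject(), engine);
            if (engine.getDependencies().isEmpty()) {
                // NOTE(review): an empty dependency set only logs at info level and lets
                // the build pass; exclusions or scopes that drop every artifact therefore
                // go unnoticed unless someone reads the log.
                getLog().info("No dependencies were identified that could be analyzed by dependency-check");
            } else {
                engine.analyzeDependencies();
                writeReports(engine, getProject(), getCorrectOutputDirectory());
                writeDataFile(getProject(), null, engine.getDependencies());
                showSummary(getProject(), engine.getDependencies());
                // May throw MojoFailureException when the build is configured to fail on
                // findings - cleanup below must still run on that path.
                checkForFailure(engine.getDependencies());
            }
        } finally {
            // Nested so that Settings.cleanup() still runs if engine.cleanup() throws.
            try {
                engine.cleanup();
            } finally {
                Settings.cleanup();
            }
        }
    }

    /**
     * The name of the report in the site.
     * <p>
     * NOTE(review): the user property is the bare <code>name</code>, which is easy to
     * collide with in other <code>-Dname=...</code> uses; a namespaced property would be
     * safer, but changing it would break existing invocations, so it is left as is.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "name", defaultValue = "dependency-check", required = true)
    private String name = "dependency-check";

    /**
     * Returns the report name.
     *
     * @param locale the locale; ignored, the configured name is not localized
     * @return the report name
     */
    @Override
    public String getName(Locale locale) {
        return name;
    }

    /**
     * Gets the description of the Dependency-Check report to be displayed in the Maven Generated Reports page.
     *
     * @param locale The Locale to get the description for; ignored, the description is not localized
     * @return the description
     */
    @Override
    public String getDescription(Locale locale) {
        return "Generates a report providing details on any published vulnerabilities within project dependencies. "
                + "This report is a best effort and may contain false positives and false negatives.";
    }

}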