View Javadoc
1   /*
2    * This file is part of dependency-check-maven.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.maven;
19  
20  import java.io.File;
21  import java.io.IOException;
22  import java.io.InputStream;
23  import java.io.UnsupportedEncodingException;
24  import java.net.URLEncoder;
25  import java.text.DateFormat;
26  import java.util.Date;
27  import java.util.List;
28  import java.util.Locale;
29  import java.util.Set;
30  import java.util.logging.Level;
31  import java.util.logging.Logger;
32  import org.apache.maven.artifact.Artifact;
33  import org.apache.maven.doxia.sink.Sink;
34  import org.apache.maven.doxia.sink.SinkFactory;
35  import org.apache.maven.plugin.AbstractMojo;
36  import org.apache.maven.plugin.MojoExecutionException;
37  import org.apache.maven.plugin.MojoFailureException;
38  import org.apache.maven.plugins.annotations.Component;
39  import org.apache.maven.plugins.annotations.LifecyclePhase;
40  import org.apache.maven.plugins.annotations.Mojo;
41  import org.apache.maven.plugins.annotations.Parameter;
42  import org.apache.maven.plugins.annotations.ResolutionScope;
43  import org.apache.maven.project.MavenProject;
44  import org.apache.maven.reporting.MavenMultiPageReport;
45  import org.apache.maven.reporting.MavenReport;
46  import org.apache.maven.reporting.MavenReportException;
47  import org.owasp.dependencycheck.Engine;
48  import org.owasp.dependencycheck.data.nvdcve.CveDB;
49  import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
50  import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
51  import org.owasp.dependencycheck.dependency.Dependency;
52  import org.owasp.dependencycheck.dependency.Evidence;
53  import org.owasp.dependencycheck.dependency.Identifier;
54  import org.owasp.dependencycheck.dependency.Reference;
55  import org.owasp.dependencycheck.dependency.Vulnerability;
56  import org.owasp.dependencycheck.dependency.VulnerableSoftware;
57  import org.owasp.dependencycheck.reporting.ReportGenerator;
58  import org.owasp.dependencycheck.utils.LogUtils;
59  import org.owasp.dependencycheck.utils.Settings;
60  
61  /**
62   * Maven Plugin that checks project dependencies to see if they have any known published vulnerabilities.
63   *
64   * @author Jeremy Long <jeremy.long@owasp.org>
65   */
66  @Mojo(name = "check", defaultPhase = LifecyclePhase.COMPILE, threadSafe = true,
67          requiresDependencyResolution = ResolutionScope.RUNTIME_PLUS_SYSTEM,
68          requiresOnline = true)
69  public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageReport {
70  
71      /**
72       * The properties file location.
73       */
74      private static final String PROPERTIES_FILE = "mojo.properties";
75      /**
76       * Name of the logging properties file.
77       */
78      private static final String LOG_PROPERTIES_FILE = "log.properties";
79      /**
80       * The name of the test scope.
81       */
82      public static final String TEST_SCOPE = "test";
83      /**
84       * System specific new line character.
85       */
86      private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();
87      // <editor-fold defaultstate="collapsed" desc="Maven bound parameters and components">
88      /**
89       * The Maven Project Object.
90       */
91      @Component
92      private MavenProject project;
93      /**
94       * The name of the site report destination.
95       */
96      @Parameter(property = "report-name", defaultValue = "dependency-check-report")
97      private String reportName;
98      /**
99       * The path to the verbose log
100      */
101     @Parameter(property = "logfile", defaultValue = "")
102     private String logFile;
103     /**
104      * The name of the report to be displayed in the Maven Generated Reports page
105      */
106     @Parameter(property = "name", defaultValue = "Dependency-Check")
107     private String name;
108     /**
109      * The description of the Dependency-Check report to be displayed in the Maven Generated Reports page
110      */
111     @Parameter(property = "description", defaultValue = "A report providing details on any published "
112             + "vulnerabilities within project dependencies. This report is a best effort but may contain "
113             + "false positives and false negatives.")
114     private String description;
115     /**
116      * Specifies the destination directory for the generated Dependency-Check report.
117      */
118     @Parameter(property = "reportOutputDirectory", defaultValue = "${project.reporting.outputDirectory}", required = true)
119     private File reportOutputDirectory;
120     /**
121      * Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11
122      * which means since the CVSS scores are 0-10, by default the build will never fail.
123      */
124     @Parameter(property = "failBuildOnCVSS", defaultValue = "11", required = true)
125     private float failBuildOnCVSS = 11;
126     /**
127      * The output directory.
128      */
129     @Parameter(defaultValue = "${project.build.directory}", required = true)
130     private File outputDirectory;
131     /**
132      * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to
133      * false. Default is true.
134      */
135     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
136     @Parameter(property = "autoupdate", defaultValue = "true", required = true)
137     private boolean autoUpdate = true;
138     /**
139      * The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this
140      * within the Site plugin unless the externalReport is set to true. Default is HTML.
141      */
142     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
143     @Parameter(property = "format", defaultValue = "HTML", required = true)
144     private String format = "HTML";
145     /**
146      * Sets whether or not the external report format should be used.
147      */
148     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
149     @Parameter(property = "externalReport", defaultValue = "false", required = true)
150     private boolean externalReport = false;
151     /**
152      * The Proxy URL.
153      */
154     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
155     @Parameter(property = "proxyUrl", defaultValue = "", required = false)
156     private String proxyUrl = null;
157     /**
158      * The Proxy Port.
159      */
160     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
161     @Parameter(property = "proxyPort", defaultValue = "", required = false)
162     private String proxyPort = null;
163     /**
164      * The Proxy username.
165      */
166     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
167     @Parameter(property = "proxyUsername", defaultValue = "", required = false)
168     private String proxyUsername = null;
169     /**
170      * The Proxy password.
171      */
172     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
173     @Parameter(property = "proxyPassword", defaultValue = "", required = false)
174     private String proxyPassword = null;
175     /**
176      * The Connection Timeout.
177      */
178     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
179     @Parameter(property = "connectionTimeout", defaultValue = "", required = false)
180     private String connectionTimeout = null;
181     /**
182      * The Connection Timeout.
183      */
184     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
185     @Parameter(property = "suppressionFile", defaultValue = "", required = false)
186     private String suppressionFile = null;
187     /**
188      * Flag indicating whether or not to show a summary in the output.
189      */
190     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
191     @Parameter(property = "showSummary", defaultValue = "true", required = false)
192     private boolean showSummary = true;
193     /**
194      * Whether or not the Nexus Analyzer is enabled.
195      */
196     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
197     @Parameter(property = "nexusAnalyzerEnabled", defaultValue = "true", required = false)
198     private boolean nexusAnalyzerEnabled = true;
199     /**
200      * Whether or not the Nexus Analyzer is enabled.
201      */
202     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
203     @Parameter(property = "nexusUrl", defaultValue = "", required = false)
204     private String nexusUrl;
205     /**
206      * The database connection string.
207      */
208     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
209     @Parameter(property = "connectionString", defaultValue = "", required = false)
210     private String connectionString;
211     /**
212      * The database driver name. An example would be org.h2.Driver.
213      */
214     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
215     @Parameter(property = "databaseDriverName", defaultValue = "", required = false)
216     private String databaseDriverName;
217     /**
218      * The path to the database driver if it is not on the class path.
219      */
220     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
221     @Parameter(property = "databaseDriverPath", defaultValue = "", required = false)
222     private String databaseDriverPath;
223     /**
224      * The database user name.
225      */
226     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
227     @Parameter(property = "databaseUser", defaultValue = "", required = false)
228     private String databaseUser;
229     /**
230      * The password to use when connecting to the database.
231      */
232     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
233     @Parameter(property = "databasePassword", defaultValue = "", required = false)
234     private String databasePassword;
235     // </editor-fold>
236 
237     /**
238      * Executes the Dependency-Check on the dependent libraries.
239      *
240      * @return the Engine used to scan the dependencies.
241      */
242     private Engine executeDependencyCheck() {
243 
244         final InputStream in = DependencyCheckMojo.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
245         LogUtils.prepareLogger(in, logFile);
246 
247         populateSettings();
248         final Engine engine = new Engine();
249         final Set<Artifact> artifacts = project.getArtifacts();
250         for (Artifact a : artifacts) {
251             if (!TEST_SCOPE.equals(a.getScope())) {
252                 engine.scan(a.getFile().getAbsolutePath());
253             }
254         }
255         engine.analyzeDependencies();
256         return engine;
257     }
258 
259     /**
260      * Generates the reports for a given dependency-check engine.
261      *
262      * @param engine a dependency-check engine
263      */
264     private void generateExternalReports(Engine engine) {
265         DatabaseProperties prop = null;
266         CveDB cve = null;
267         try {
268             cve = new CveDB();
269             cve.open();
270             prop = cve.getDatabaseProperties();
271         } catch (DatabaseException ex) {
272             Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.FINE, "Unable to retrieve DB Properties", ex);
273         } finally {
274             if (cve != null) {
275                 cve.close();
276             }
277         }
278         final ReportGenerator r = new ReportGenerator(project.getName(), engine.getDependencies(), engine.getAnalyzers(), prop);
279         try {
280             r.generateReports(outputDirectory.getCanonicalPath(), format);
281         } catch (IOException ex) {
282             Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.SEVERE,
283                     "Unexpected exception occurred during analysis; please see the verbose error log for more details.");
284             Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.FINE, null, ex);
285         } catch (Exception ex) {
286             Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.SEVERE,
287                     "Unexpected exception occurred during analysis; please see the verbose error log for more details.");
288             Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.FINE, null, ex);
289         }
290     }
291 
292     /**
293      * Generates a dependency-check report using the Maven Site format.
294      *
295      * @param engine the engine used to scan the dependencies
296      * @param sink the sink to write the data to
297      */
298     private void generateMavenSiteReport(final Engine engine, Sink sink) {
299         final List<Dependency> dependencies = engine.getDependencies();
300 
301         writeSiteReportHeader(sink, project.getName());
302         writeSiteReportTOC(sink, dependencies);
303 
304         int cnt = 0;
305         for (Dependency d : dependencies) {
306             writeSiteReportDependencyHeader(sink, d);
307             cnt = writeSiteReportDependencyAnalysisExceptions(d, cnt, sink);
308             cnt = writeSiteReportDependencyEvidenceUsed(d, cnt, sink);
309             cnt = writeSiteReportDependencyRelatedDependencies(d, cnt, sink);
310             writeSiteReportDependencyIdentifiers(d, sink);
311             writeSiteReportDependencyVulnerabilities(d, sink, cnt);
312         }
313         sink.body_();
314     }
315 
316     // <editor-fold defaultstate="collapsed" desc="various writeXXXXX methods to generate the Site Report">
317     /**
318      * Writes the vulnerabilities to the site report.
319      *
320      * @param d the dependency
321      * @param sink the sink to write the data to
322      * @param collapsibleHeaderCount the collapsible header count
323      */
324     private void writeSiteReportDependencyVulnerabilities(Dependency d, Sink sink, int collapsibleHeaderCount) {
325         int cnt = collapsibleHeaderCount;
326         if (d.getVulnerabilities() != null && !d.getVulnerabilities().isEmpty()) {
327             for (Vulnerability v : d.getVulnerabilities()) {
328 
329                 sink.paragraph();
330                 sink.bold();
331                 try {
332                     sink.link("http://web.nvd.nist.gov/view/vuln/detail?vulnId=" + URLEncoder.encode(v.getName(), "US-ASCII"));
333                     sink.text(v.getName());
334                     sink.link_();
335                     sink.bold_();
336                 } catch (UnsupportedEncodingException ex) {
337                     sink.text(v.getName());
338                     sink.bold_();
339                     sink.lineBreak();
340                     sink.text("http://web.nvd.nist.gov/view/vuln/detail?vulnId=" + v.getName());
341                 }
342                 sink.paragraph_();
343                 sink.paragraph();
344                 sink.text("Severity: ");
345                 if (v.getCvssScore() < 4.0) {
346                     sink.text("Low");
347                 } else {
348                     if (v.getCvssScore() >= 7.0) {
349                         sink.text("High");
350                     } else {
351                         sink.text("Medium");
352                     }
353                 }
354                 sink.lineBreak();
355                 sink.text("CVSS Score: " + v.getCvssScore());
356                 if (v.getCwe() != null && !v.getCwe().isEmpty()) {
357                     sink.lineBreak();
358                     sink.text("CWE: ");
359                     sink.text(v.getCwe());
360                 }
361                 sink.paragraph_();
362                 sink.paragraph();
363                 sink.text(v.getDescription());
364                 if (v.getReferences() != null && !v.getReferences().isEmpty()) {
365                     sink.list();
366                     for (Reference ref : v.getReferences()) {
367                         sink.listItem();
368                         sink.text(ref.getSource());
369                         sink.text(" - ");
370                         sink.link(ref.getUrl());
371                         sink.text(ref.getName());
372                         sink.link_();
373                         sink.listItem_();
374                     }
375                     sink.list_();
376                 }
377                 sink.paragraph_();
378                 if (v.getVulnerableSoftware() != null && !v.getVulnerableSoftware().isEmpty()) {
379                     sink.paragraph();
380 
381                     cnt += 1;
382                     sink.rawText("Vulnerable Software <a href=\"javascript:toggleElement(this, 'vulnSoft" + cnt + "')\">[-]</a>");
383                     sink.rawText("<div id=\"vulnSoft" + cnt + "\" style=\"display:block\">");
384                     sink.list();
385                     for (VulnerableSoftware vs : v.getVulnerableSoftware()) {
386                         sink.listItem();
387                         try {
388                             sink.link("http://web.nvd.nist.gov/view/vuln/search-results?cpe=" + URLEncoder.encode(vs.getName(), "US-ASCII"));
389                             sink.text(vs.getName());
390                             sink.link_();
391                             if (vs.hasPreviousVersion()) {
392                                 sink.text(" and all previous versions.");
393                             }
394                         } catch (UnsupportedEncodingException ex) {
395                             sink.text(vs.getName());
396                             if (vs.hasPreviousVersion()) {
397                                 sink.text(" and all previous versions.");
398                             }
399                             sink.text(" (http://web.nvd.nist.gov/view/vuln/search-results?cpe=" + vs.getName() + ")");
400                         }
401 
402                         sink.listItem_();
403                     }
404                     sink.list_();
405                     sink.rawText("</div>");
406                     sink.paragraph_();
407                 }
408             }
409         }
410     }
411 
412     /**
413      * Writes the identifiers to the site report.
414      *
415      * @param d the dependency
416      * @param sink the sink to write the data to
417      */
418     private void writeSiteReportDependencyIdentifiers(Dependency d, Sink sink) {
419         if (d.getIdentifiers() != null && !d.getIdentifiers().isEmpty()) {
420             sink.sectionTitle4();
421             sink.text("Identifiers");
422             sink.sectionTitle4_();
423             sink.list();
424             for (Identifier i : d.getIdentifiers()) {
425                 sink.listItem();
426                 sink.text(i.getType());
427                 sink.text(": ");
428                 if (i.getUrl() != null && i.getUrl().length() > 0) {
429                     sink.link(i.getUrl());
430                     sink.text(i.getValue());
431                     sink.link_();
432                 } else {
433                     sink.text(i.getValue());
434                 }
435                 if (i.getDescription() != null && i.getDescription().length() > 0) {
436                     sink.lineBreak();
437                     sink.text(i.getDescription());
438                 }
439                 sink.listItem_();
440             }
441             sink.list_();
442         }
443     }
444 
445     /**
446      * Writes the related dependencies to the site report.
447      *
448      * @param d the dependency
449      * @param sink the sink to write the data to
450      * @param collapsibleHeaderCount the collapsible header count
451      * @return the collapsible header count
452      */
453     private int writeSiteReportDependencyRelatedDependencies(Dependency d, int collapsibleHeaderCount, Sink sink) {
454         int cnt = collapsibleHeaderCount;
455         if (d.getRelatedDependencies() != null && !d.getRelatedDependencies().isEmpty()) {
456             cnt += 1;
457             sink.sectionTitle4();
458             sink.rawText("Related Dependencies <a href=\"javascript:toggleElement(this, 'related" + cnt + "')\">[+]</a>");
459             sink.sectionTitle4_();
460             sink.rawText("<div id=\"related" + cnt + "\" style=\"display:none\">");
461             sink.list();
462             for (Dependency r : d.getRelatedDependencies()) {
463                 sink.listItem();
464                 sink.text(r.getFileName());
465                 sink.list();
466                 writeListItem(sink, "File Path: " + r.getFilePath());
467                 writeListItem(sink, "SHA1: " + r.getSha1sum());
468                 writeListItem(sink, "MD5: " + r.getMd5sum());
469                 sink.list_();
470                 sink.listItem_();
471             }
472             sink.list_();
473             sink.rawText("</div>");
474         }
475         return cnt;
476     }
477 
478     /**
479      * Writes the evidence used to the site report.
480      *
481      * @param d the dependency
482      * @param sink the sink to write the data to
483      * @param collapsibleHeaderCount the collapsible header count
484      * @return the collapsible header count
485      */
486     private int writeSiteReportDependencyEvidenceUsed(Dependency d, int collapsibleHeaderCount, Sink sink) {
487         int cnt = collapsibleHeaderCount;
488         if (d.getEvidenceUsed() != null && d.getEvidenceUsed().size() > 0) {
489             cnt += 1;
490             sink.sectionTitle4();
491             sink.rawText("Evidence Collected <a href=\"javascript:toggleElement(this, 'evidence" + cnt + "')\">[+]</a>");
492             sink.sectionTitle4_();
493             sink.rawText("<div id=\"evidence" + cnt + "\" style=\"display:none\">");
494             sink.table();
495             sink.tableRow();
496             writeTableHeaderCell(sink, "Source");
497             writeTableHeaderCell(sink, "Name");
498             writeTableHeaderCell(sink, "Value");
499             sink.tableRow_();
500             for (Evidence e : d.getEvidenceUsed()) {
501                 sink.tableRow();
502                 writeTableCell(sink, e.getSource());
503                 writeTableCell(sink, e.getName());
504                 writeTableCell(sink, e.getValue());
505                 sink.tableRow_();
506             }
507             sink.table_();
508             sink.rawText("</div>");
509         }
510         return cnt;
511     }
512 
513     /**
514      * Writes the analysis exceptions generated during analysis to the site report.
515      *
516      * @param d the dependency
517      * @param sink the sink to write the data to
518      * @param collapsibleHeaderCount the collapsible header count
519      * @return the collapsible header count
520      */
521     private int writeSiteReportDependencyAnalysisExceptions(Dependency d, int collapsibleHeaderCount, Sink sink) {
522         int cnt = collapsibleHeaderCount;
523         if (d.getAnalysisExceptions() != null && !d.getAnalysisExceptions().isEmpty()) {
524             cnt += 1;
525             sink.sectionTitle4();
526             sink.rawText("<font style=\"color:red\">Errors occurred during analysis:</font> <a href=\"javascript:toggleElement(this, 'errors"
527                     + cnt + "')\">[+]</a>");
528             sink.sectionTitle4_();
529             sink.rawText("<div id=\"errors" + cnt + "\">");
530             sink.list();
531             for (Exception e : d.getAnalysisExceptions()) {
532                 sink.listItem();
533                 sink.text(e.getMessage());
534                 sink.listItem_();
535             }
536             sink.list_();
537             sink.rawText("</div>");
538         }
539         return cnt;
540     }
541 
542     /**
543      * Writes the dependency header to the site report.
544      *
545      * @param d the dependency
546      * @param sink the sink to write the data to
547      */
548     private void writeSiteReportDependencyHeader(Sink sink, Dependency d) {
549         sink.sectionTitle2();
550         sink.anchor("sha1" + d.getSha1sum());
551         sink.text(d.getFileName());
552         sink.anchor_();
553         sink.sectionTitle2_();
554         if (d.getDescription() != null && d.getDescription().length() > 0) {
555             sink.paragraph();
556             sink.bold();
557             sink.text("Description: ");
558             sink.bold_();
559             sink.text(d.getDescription());
560             sink.paragraph_();
561         }
562         if (d.getLicense() != null && d.getLicense().length() > 0) {
563             sink.paragraph();
564             sink.bold();
565             sink.text("License: ");
566             sink.bold_();
567             if (d.getLicense().startsWith("http://") && !d.getLicense().contains(" ")) {
568                 sink.link(d.getLicense());
569                 sink.text(d.getLicense());
570                 sink.link_();
571             } else {
572                 sink.text(d.getLicense());
573             }
574             sink.paragraph_();
575         }
576     }
577 
578     /**
579      * Adds a list item to the site report.
580      *
581      * @param sink the sink to write the data to
582      * @param text the text to write
583      */
584     private void writeListItem(Sink sink, String text) {
585         sink.listItem();
586         sink.text(text);
587         sink.listItem_();
588     }
589 
590     /**
591      * Adds a table cell to the site report.
592      *
593      * @param sink the sink to write the data to
594      * @param text the text to write
595      */
596     private void writeTableCell(Sink sink, String text) {
597         sink.tableCell();
598         sink.text(text);
599         sink.tableCell_();
600     }
601 
602     /**
603      * Adds a table header cell to the site report.
604      *
605      * @param sink the sink to write the data to
606      * @param text the text to write
607      */
608     private void writeTableHeaderCell(Sink sink, String text) {
609         sink.tableHeaderCell();
610         sink.text(text);
611         sink.tableHeaderCell_();
612     }
613 
614     /**
615      * Writes the TOC for the site report.
616      *
617      * @param sink the sink to write the data to
618      * @param dependencies the dependencies that are being reported on
619      */
620     private void writeSiteReportTOC(Sink sink, final List<Dependency> dependencies) {
621         sink.list();
622         for (Dependency d : dependencies) {
623             sink.listItem();
624             sink.link("#sha1" + d.getSha1sum());
625             sink.text(d.getFileName());
626             sink.link_();
627             if (!d.getVulnerabilities().isEmpty()) {
628                 sink.rawText(" <font style=\"color:red\">•</font>");
629             }
630             if (!d.getRelatedDependencies().isEmpty()) {
631                 sink.list();
632                 for (Dependency r : d.getRelatedDependencies()) {
633                     writeListItem(sink, r.getFileName());
634                 }
635                 sink.list_();
636             }
637             sink.listItem_();
638         }
639         sink.list_();
640     }
641 
642     /**
643      * Writes the site report header.
644      *
645      * @param sink the sink to write the data to
646      * @param projectName the name of the project
647      */
648     private void writeSiteReportHeader(Sink sink, String projectName) {
649         sink.head();
650         sink.title();
651         sink.text("Dependency-Check Report: " + projectName);
652         sink.title_();
653         sink.head_();
654         sink.body();
655         sink.rawText("<script type=\"text/javascript\">");
656         sink.rawText("function toggleElement(el, targetId) {");
657         sink.rawText("if (el.innerText == '[+]') {");
658         sink.rawText("    el.innerText = '[-]';");
659         sink.rawText("    document.getElementById(targetId).style.display='block';");
660         sink.rawText("} else {");
661         sink.rawText("    el.innerText = '[+]';");
662         sink.rawText("    document.getElementById(targetId).style.display='none';");
663         sink.rawText("}");
664 
665         sink.rawText("}");
666         sink.rawText("</script>");
667         sink.section1();
668         sink.sectionTitle1();
669         sink.text("Project: " + projectName);
670         sink.sectionTitle1_();
671         sink.date();
672         final Date now = new Date();
673         sink.text(DateFormat.getDateTimeInstance().format(now));
674         sink.date_();
675         sink.section1_();
676     }
677     // </editor-fold>
678 
679     /**
680      * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system
681      * properties required to change the proxy url, port, and connection timeout.
682      */
683     private void populateSettings() {
684         InputStream mojoProperties = null;
685         try {
686             mojoProperties = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
687             Settings.mergeProperties(mojoProperties);
688         } catch (IOException ex) {
689             Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.WARNING, "Unable to load the dependency-check ant task.properties file.");
690             Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.FINE, null, ex);
691         } finally {
692             if (mojoProperties != null) {
693                 try {
694                     mojoProperties.close();
695                 } catch (IOException ex) {
696                     Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.FINEST, null, ex);
697                 }
698             }
699         }
700 
701         Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
702 
703         if (proxyUrl != null && !proxyUrl.isEmpty()) {
704             Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);
705         }
706         if (proxyPort != null && !proxyPort.isEmpty()) {
707             Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
708         }
709         if (proxyUsername != null && !proxyUsername.isEmpty()) {
710             Settings.setString(Settings.KEYS.PROXY_USERNAME, proxyUsername);
711         }
712         if (proxyPassword != null && !proxyPassword.isEmpty()) {
713             Settings.setString(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
714         }
715         if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
716             Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
717         }
718         if (suppressionFile != null && !suppressionFile.isEmpty()) {
719             Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
720         }
721         Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
722         if (nexusUrl != null && !nexusUrl.isEmpty()) {
723             Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
724         }
725         if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
726             Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
727         }
728         if (databaseDriverPath != null && !databaseDriverPath.isEmpty()) {
729             Settings.setString(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
730         }
731         if (connectionString != null && !connectionString.isEmpty()) {
732             Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
733         }
734         if (databaseUser != null && !databaseUser.isEmpty()) {
735             Settings.setString(Settings.KEYS.DB_USER, databaseUser);
736         }
737         if (databasePassword != null && !databasePassword.isEmpty()) {
738             Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
739         }
740     }
741 
742     /**
743      * Executes the dependency-check and generates the report.
744      *
745      * @throws MojoExecutionException if a maven exception occurs
746      * @throws MojoFailureException thrown if a CVSS score is found that is higher then the configured level
747      */
748     public void execute() throws MojoExecutionException, MojoFailureException {
749         final Engine engine = executeDependencyCheck();
750         generateExternalReports(engine);
751         if (this.failBuildOnCVSS <= 10) {
752             checkForFailure(engine.getDependencies());
753         }
754         if (this.showSummary) {
755             showSummary(engine.getDependencies());
756         }
757     }
758 
759     /**
760      * Generates the Dependency-Check Site Report.
761      *
762      * @param sink the sink to write the report to
763      * @param locale the locale to use when generating the report
764      * @throws MavenReportException if a Maven report exception occurs
765      */
766     public void generate(@SuppressWarnings("deprecation") org.codehaus.doxia.sink.Sink sink,
767             Locale locale) throws MavenReportException {
768         generate((Sink) sink, null, locale);
769     }
770 
771     /**
772      * Generates the Dependency-Check Site Report.
773      *
774      * @param sink the sink to write the report to
775      * @param sinkFactory the sink factory
776      * @param locale the locale to use when generating the report
777      * @throws MavenReportException if a maven report exception occurs
778      */
779     public void generate(Sink sink, SinkFactory sinkFactory, Locale locale) throws MavenReportException {
780         final Engine engine = executeDependencyCheck();
781         generateMavenSiteReport(engine, sink);
782     }
783 
784     // <editor-fold defaultstate="collapsed" desc="required setter/getter methods">
785     /**
786      * Returns the output name.
787      *
788      * @return the output name
789      */
790     public String getOutputName() {
791         return reportName;
792     }
793 
794     /**
795      * Returns the category name.
796      *
797      * @return the category name
798      */
799     public String getCategoryName() {
800         return MavenReport.CATEGORY_PROJECT_REPORTS;
801     }
802 
803     /**
804      * Returns the report name.
805      *
806      * @param locale the location
807      * @return the report name
808      */
809     public String getName(Locale locale) {
810         return name;
811     }
812 
813     /**
814      * Sets the Reporting output directory.
815      *
816      * @param directory the output directory
817      */
818     public void setReportOutputDirectory(File directory) {
819         reportOutputDirectory = directory;
820     }
821 
822     /**
823      * Returns the output directory.
824      *
825      * @return the output directory
826      */
827     public File getReportOutputDirectory() {
828         return reportOutputDirectory;
829     }
830 
831     /**
832      * Gets the description of the Dependency-Check report to be displayed in the Maven Generated Reports page.
833      *
834      * @param locale The Locale to get the description for
835      * @return the description
836      */
837     public String getDescription(Locale locale) {
838         return description;
839     }
840 
841     /**
842      * Returns whether this is an external report.
843      *
844      * @return true or false;
845      */
846     public boolean isExternalReport() {
847         return externalReport;
848     }
849 
850     /**
851      * Returns whether or not the plugin can generate a report.
852      *
853      * @return true
854      */
855     public boolean canGenerateReport() {
856         return true;
857     }
858     // </editor-fold>
859 
860     /**
861      * Checks to see if a vulnerability has been identified with a CVSS score that is above the threshold set in the
862      * configuration.
863      *
864      * @param dependencies the list of dependency objects
865      * @throws MojoFailureException thrown if a CVSS score is found that is higher then the threshold set
866      */
867     private void checkForFailure(List<Dependency> dependencies) throws MojoFailureException {
868         final StringBuilder ids = new StringBuilder();
869         for (Dependency d : dependencies) {
870             for (Vulnerability v : d.getVulnerabilities()) {
871                 if (v.getCvssScore() >= failBuildOnCVSS) {
872                     if (ids.length() == 0) {
873                         ids.append(v.getName());
874                     } else {
875                         ids.append(", ").append(v.getName());
876                     }
877                 }
878             }
879         }
880         if (ids.length() > 0) {
881             final String msg = String.format("%n%nDependency-Check Failure:%n"
882                     + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater then '%.1f': %s%n"
883                     + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids.toString());
884             throw new MojoFailureException(msg);
885         }
886     }
887 
888     /**
889      * Generates a warning message listing a summary of dependencies and their associated CPE and CVE entries.
890      *
891      * @param dependencies a list of dependency objects
892      */
893     private void showSummary(List<Dependency> dependencies) {
894         final StringBuilder summary = new StringBuilder();
895         for (Dependency d : dependencies) {
896             boolean firstEntry = true;
897             final StringBuilder ids = new StringBuilder();
898             for (Vulnerability v : d.getVulnerabilities()) {
899                 if (firstEntry) {
900                     firstEntry = false;
901                 } else {
902                     ids.append(", ");
903                 }
904                 ids.append(v.getName());
905             }
906             if (ids.length() > 0) {
907                 summary.append(d.getFileName()).append(" (");
908                 firstEntry = true;
909                 for (Identifier id : d.getIdentifiers()) {
910                     if (firstEntry) {
911                         firstEntry = false;
912                     } else {
913                         summary.append(", ");
914                     }
915                     summary.append(id.getValue());
916                 }
917                 summary.append(") : ").append(ids).append(NEW_LINE);
918             }
919         }
920         if (summary.length() > 0) {
921             final String msg = String.format("%n%n"
922                     + "One or more dependencies were identified with known vulnerabilities:%n%n%s"
923                     + "%n%nSee the dependency-check report for more details.%n%n", summary.toString());
924             Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.WARNING, msg);
925         }
926     }
927 }