View Javadoc

1   /*
2    * This file is part of dependency-check-maven.
3    *
4    * Dependency-check-maven is free software: you can redistribute it and/or modify it
5    * under the terms of the GNU General Public License as published by the Free
6    * Software Foundation, either version 3 of the License, or (at your option) any
7    * later version.
8    *
9    * Dependency-check-maven is distributed in the hope that it will be useful, but
10   * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11   * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
12   * details.
13   *
14   * You should have received a copy of the GNU General Public License along with
15   * dependency-check-maven. If not, see http://www.gnu.org/licenses/.
16   *
17   * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
18   */
19  package org.owasp.dependencycheck.maven;
20  
21  import java.io.File;
22  import java.io.IOException;
23  import java.io.InputStream;
24  import java.io.UnsupportedEncodingException;
25  import java.net.URLEncoder;
26  import java.text.DateFormat;
27  import java.util.Date;
28  import java.util.List;
29  import java.util.Locale;
30  import java.util.logging.Level;
31  import java.util.logging.Logger;
32  import org.apache.maven.doxia.sink.SinkFactory;
33  import org.apache.maven.plugin.AbstractMojo;
34  import org.apache.maven.plugin.MojoExecutionException;
35  import org.apache.maven.project.MavenProject;
36  import java.util.Set;
37  import org.apache.maven.artifact.Artifact;
38  import org.apache.maven.plugins.annotations.Component;
39  import org.apache.maven.plugins.annotations.LifecyclePhase;
40  import org.apache.maven.plugins.annotations.Mojo;
41  import org.apache.maven.plugins.annotations.Parameter;
42  import org.apache.maven.plugins.annotations.ResolutionScope;
43  import org.apache.maven.reporting.MavenMultiPageReport;
44  import org.apache.maven.reporting.MavenReport;
45  import org.apache.maven.reporting.MavenReportException;
46  import org.apache.maven.doxia.sink.Sink;
47  import org.apache.maven.plugin.MojoFailureException;
48  import org.owasp.dependencycheck.Engine;
49  import org.owasp.dependencycheck.dependency.Dependency;
50  import org.owasp.dependencycheck.dependency.Evidence;
51  import org.owasp.dependencycheck.dependency.Identifier;
52  import org.owasp.dependencycheck.dependency.Reference;
53  import org.owasp.dependencycheck.dependency.Vulnerability;
54  import org.owasp.dependencycheck.dependency.VulnerableSoftware;
55  import org.owasp.dependencycheck.reporting.ReportGenerator;
56  import org.owasp.dependencycheck.utils.LogUtils;
57  import org.owasp.dependencycheck.utils.Settings;
58  
59  /**
60   * Maven Plugin that checks project dependencies to see if they have any known
61   * published vulnerabilities.
62   *
63   * @author Jeremy Long (jeremy.long@owasp.org)
64   */
65  @Mojo(name = "check", defaultPhase = LifecyclePhase.COMPILE, threadSafe = true,
66          requiresDependencyResolution = ResolutionScope.RUNTIME_PLUS_SYSTEM,
67          requiresOnline = true)
68  public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageReport {
69  
70      /**
71       * The properties file location.
72       */
73      private static final String PROPERTIES_FILE = "mojo.properties";
74      /**
75       * Name of the logging properties file.
76       */
77      private static final String LOG_PROPERTIES_FILE = "log.properties";
78      /**
79       * The name of the test scope.
80       */
81      public static final String TEST_SCOPE = "test";
82      // <editor-fold defaultstate="collapsed" desc="Maven bound parameters and components">
83      /**
84       * The Maven Project Object.
85       */
86      @Component
87      private MavenProject project;
88      /**
89       * The name of the site report destination.
90       */
91      @Parameter(property = "report-name", defaultValue = "dependency-check-report")
92      private String reportName;
93      /**
94       * The path to the verbose log
95       */
96      @Parameter(property = "logfile", defaultValue = "")
97      private String logFile;
98      /**
99       * The name of the report to be displayed in the Maven Generated Reports
100      * page
101      */
102     @Parameter(property = "name", defaultValue = "Dependency-Check")
103     private String name;
104     /**
105      * The description of the Dependency-Check report to be displayed in the
106      * Maven Generated Reports page
107      */
108     @Parameter(property = "description", defaultValue = "A report providing details on any published "
109             + "vulnerabilities within project dependencies. This report is a best effort but may contain "
110             + "false positives and false negatives.")
111     private String description;
112     /**
113      * Specifies the destination directory for the generated Dependency-Check
114      * report.
115      */
116     @Parameter(property = "reportOutputDirectory", defaultValue = "${project.reporting.outputDirectory}", required = true)
117     private File reportOutputDirectory;
118     /**
119      * Specifies if the build should be failed if a CVSS score above a specified
120      * level is identified. The default is 11 which means since the CVSS scores
121      * are 0-10, by default the build will never fail.
122      */
123     @Parameter(property = "failBuildOnCVSS", defaultValue = "11", required = true)
124     private float failBuildOnCVSS = 11;
125     /**
126      * The output directory.
127      */
128     @Parameter(defaultValue = "${project.build.directory}", required = true)
129     private File outputDirectory;
130     /**
131      * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not
132      * recommended that this be turned to false. Default is true.
133      */
134     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
135     @Parameter(property = "autoupdate", defaultValue = "true", required = true)
136     private boolean autoUpdate = true;
137     /**
138      * The report format to be generated (HTML, XML, VULN, ALL). This
139      * configuration option has no affect if using this within the Site plugin
140      * unless the externalReport is set to true. Default is HTML.
141      */
142     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
143     @Parameter(property = "format", defaultValue = "HTML", required = true)
144     private String format = "HTML";
145     /**
146      * Sets whether or not the external report format should be used.
147      */
148     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
149     @Parameter(property = "externalReport", defaultValue = "false", required = true)
150     private boolean externalReport = false;
151     /**
152      * The Proxy URL.
153      */
154     @SuppressWarnings("CanBeFinal")
155     @Parameter(property = "proxyUrl", defaultValue = "", required = false)
156     private String proxyUrl = null;
157     /**
158      * The Proxy Port.
159      */
160     @SuppressWarnings("CanBeFinal")
161     @Parameter(property = "proxyPort", defaultValue = "", required = false)
162     private String proxyPort = null;
163     /**
164      * The Proxy username.
165      */
166     @SuppressWarnings("CanBeFinal")
167     @Parameter(property = "proxyUsername", defaultValue = "", required = false)
168     private String proxyUsername = null;
169     /**
170      * The Proxy password.
171      */
172     @SuppressWarnings("CanBeFinal")
173     @Parameter(property = "proxyPassword", defaultValue = "", required = false)
174     private String proxyPassword = null;
175     /**
176      * The Connection Timeout.
177      */
178     @SuppressWarnings("CanBeFinal")
179     @Parameter(property = "connectionTimeout", defaultValue = "", required = false)
180     private String connectionTimeout = null;
181     /**
182      * The Connection Timeout.
183      */
184     @SuppressWarnings("CanBeFinal")
185     @Parameter(property = "suppressionFile", defaultValue = "", required = false)
186     private String suppressionFile = null;
187     // </editor-fold>
188 
189     /**
190      * Executes the Dependency-Check on the dependent libraries.
191      *
192      * @return the Engine used to scan the dependencies.
193      */
194     private Engine executeDependencyCheck() {
195 
196         final InputStream in = DependencyCheckMojo.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
197         LogUtils.prepareLogger(in, logFile);
198 
199         populateSettings();
200         final Engine engine = new Engine();
201         final Set<Artifact> artifacts = project.getArtifacts();
202         for (Artifact a : artifacts) {
203             if (!TEST_SCOPE.equals(a.getScope())) {
204                 engine.scan(a.getFile().getAbsolutePath());
205             }
206         }
207         engine.analyzeDependencies();
208         return engine;
209     }
210 
211     /**
212      * Generates the reports for a given dependency-check engine.
213      *
214      * @param engine a dependency-check engine
215      */
216     private void generateExternalReports(Engine engine) {
217         final ReportGenerator r = new ReportGenerator(project.getName(), engine.getDependencies(), engine.getAnalyzers());
218         try {
219             r.generateReports(outputDirectory.getCanonicalPath(), format);
220         } catch (IOException ex) {
221             Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.SEVERE, null, ex);
222         } catch (Exception ex) {
223             Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.SEVERE, null, ex);
224         }
225     }
226 
227     /**
228      * Generates a dependency-check report using the Maven Site format.
229      *
230      * @param engine the engine used to scan the dependencies
231      * @param sink the sink to write the data to
232      */
233     private void generateMavenSiteReport(final Engine engine, Sink sink) {
234         final List<Dependency> dependencies = engine.getDependencies();
235 
236         writeSiteReportHeader(sink, project.getName());
237         writeSiteReportTOC(sink, dependencies);
238 
239         int cnt = 0;
240         for (Dependency d : dependencies) {
241             writeSiteReportDependencyHeader(sink, d);
242             cnt = writeSiteReportDependencyAnalysisExceptions(d, cnt, sink);
243             cnt = writeSiteReportDependencyEvidenceUsed(d, cnt, sink);
244             cnt = writeSiteReportDependencyRelatedDependencies(d, cnt, sink);
245             writeSiteReportDependencyIdentifiers(d, sink);
246             writeSiteReportDependencyVulnerabilities(d, sink, cnt);
247         }
248         sink.body_();
249     }
250 
251     // <editor-fold defaultstate="collapsed" desc="various writeXXXXX methods to generate the Site Report">
252     /**
253      * Writes the vulnerabilities to the site report.
254      *
255      * @param d the dependency
256      * @param sink the sink to write the data to
257      * @param collapsibleHeaderCount the collapsible header count
258      */
259     private void writeSiteReportDependencyVulnerabilities(Dependency d, Sink sink, int collapsibleHeaderCount) {
260         int cnt = collapsibleHeaderCount;
261         if (d.getVulnerabilities() != null && !d.getVulnerabilities().isEmpty()) {
262             for (Vulnerability v : d.getVulnerabilities()) {
263 
264                 sink.paragraph();
265                 sink.bold();
266                 try {
267                     sink.link("http://web.nvd.nist.gov/view/vuln/detail?vulnId=" + URLEncoder.encode(v.getName(), "US-ASCII"));
268                     sink.text(v.getName());
269                     sink.link_();
270                     sink.bold_();
271                 } catch (UnsupportedEncodingException ex) {
272                     sink.text(v.getName());
273                     sink.bold_();
274                     sink.lineBreak();
275                     sink.text("http://web.nvd.nist.gov/view/vuln/detail?vulnId=" + v.getName());
276                 }
277                 sink.paragraph_();
278                 sink.paragraph();
279                 sink.text("Severity: ");
280                 if (v.getCvssScore() < 4.0) {
281                     sink.text("Low");
282                 } else {
283                     if (v.getCvssScore() >= 7.0) {
284                         sink.text("High");
285                     } else {
286                         sink.text("Medium");
287                     }
288                 }
289                 sink.lineBreak();
290                 sink.text("CVSS Score: " + v.getCvssScore());
291                 if (v.getCwe() != null && !v.getCwe().isEmpty()) {
292                     sink.lineBreak();
293                     sink.text("CWE: ");
294                     sink.text(v.getCwe());
295                 }
296                 sink.paragraph_();
297                 sink.paragraph();
298                 sink.text(v.getDescription());
299                 if (v.getReferences() != null && !v.getReferences().isEmpty()) {
300                     sink.list();
301                     for (Reference ref : v.getReferences()) {
302                         sink.listItem();
303                         sink.text(ref.getSource());
304                         sink.text(" - ");
305                         sink.link(ref.getUrl());
306                         sink.text(ref.getName());
307                         sink.link_();
308                         sink.listItem_();
309                     }
310                     sink.list_();
311                 }
312                 sink.paragraph_();
313                 if (v.getVulnerableSoftware() != null && !v.getVulnerableSoftware().isEmpty()) {
314                     sink.paragraph();
315 
316                     cnt += 1;
317                     sink.rawText("Vulnerable Software <a href=\"javascript:toggleElement(this, 'vulnSoft" + cnt + "')\">[-]</a>");
318                     sink.rawText("<div id=\"vulnSoft" + cnt + "\" style=\"display:block\">");
319                     sink.list();
320                     for (VulnerableSoftware vs : v.getVulnerableSoftware()) {
321                         sink.listItem();
322                         try {
323                             sink.link("http://web.nvd.nist.gov/view/vuln/search-results?cpe=" + URLEncoder.encode(vs.getName(), "US-ASCII"));
324                             sink.text(vs.getName());
325                             sink.link_();
326                             if (vs.hasPreviousVersion()) {
327                                 sink.text(" and all previous versions.");
328                             }
329                         } catch (UnsupportedEncodingException ex) {
330                             sink.text(vs.getName());
331                             if (vs.hasPreviousVersion()) {
332                                 sink.text(" and all previous versions.");
333                             }
334                             sink.text(" (http://web.nvd.nist.gov/view/vuln/search-results?cpe=" + vs.getName() + ")");
335                         }
336 
337                         sink.listItem_();
338                     }
339                     sink.list_();
340                     sink.rawText("</div>");
341                     sink.paragraph_();
342                 }
343             }
344         }
345     }
346 
347     /**
348      * Writes the identifiers to the site report.
349      *
350      * @param d the dependency
351      * @param sink the sink to write the data to
352      */
353     private void writeSiteReportDependencyIdentifiers(Dependency d, Sink sink) {
354         if (d.getIdentifiers() != null && !d.getIdentifiers().isEmpty()) {
355             sink.sectionTitle4();
356             sink.text("Identifiers");
357             sink.sectionTitle4_();
358             sink.list();
359             for (Identifier i : d.getIdentifiers()) {
360                 sink.listItem();
361                 sink.text(i.getType());
362                 sink.text(": ");
363                 if (i.getUrl() != null && i.getUrl().length() > 0) {
364                     sink.link(i.getUrl());
365                     sink.text(i.getValue());
366                     sink.link_();
367                 } else {
368                     sink.text(i.getValue());
369                 }
370                 if (i.getDescription() != null && i.getDescription().length() > 0) {
371                     sink.lineBreak();
372                     sink.text(i.getDescription());
373                 }
374                 sink.listItem_();
375             }
376             sink.list_();
377         }
378     }
379 
380     /**
381      * Writes the related dependencies to the site report.
382      *
383      * @param d the dependency
384      * @param sink the sink to write the data to
385      * @param collapsibleHeaderCount the collapsible header count
386      * @return the collapsible header count
387      */
388     private int writeSiteReportDependencyRelatedDependencies(Dependency d, int collapsibleHeaderCount, Sink sink) {
389         int cnt = collapsibleHeaderCount;
390         if (d.getRelatedDependencies() != null && !d.getRelatedDependencies().isEmpty()) {
391             cnt += 1;
392             sink.sectionTitle4();
393             sink.rawText("Related Dependencies <a href=\"javascript:toggleElement(this, 'related" + cnt + "')\">[+]</a>");
394             sink.sectionTitle4_();
395             sink.rawText("<div id=\"related" + cnt + "\" style=\"display:none\">");
396             sink.list();
397             for (Dependency r : d.getRelatedDependencies()) {
398                 sink.listItem();
399                 sink.text(r.getFileName());
400                 sink.list();
401                 writeListItem(sink, "File Path: " + r.getFilePath());
402                 writeListItem(sink, "SHA1: " + r.getSha1sum());
403                 writeListItem(sink, "MD5: " + r.getMd5sum());
404                 sink.list_();
405                 sink.listItem_();
406             }
407             sink.list_();
408             sink.rawText("</div>");
409         }
410         return cnt;
411     }
412 
413     /**
414      * Writes the evidence used to the site report.
415      *
416      * @param d the dependency
417      * @param sink the sink to write the data to
418      * @param collapsibleHeaderCount the collapsible header count
419      * @return the collapsible header count
420      */
421     private int writeSiteReportDependencyEvidenceUsed(Dependency d, int collapsibleHeaderCount, Sink sink) {
422         int cnt = collapsibleHeaderCount;
423         if (d.getEvidenceUsed() != null && d.getEvidenceUsed().size() > 0) {
424             cnt += 1;
425             sink.sectionTitle4();
426             sink.rawText("Evidence Collected <a href=\"javascript:toggleElement(this, 'evidence" + cnt + "')\">[+]</a>");
427             sink.sectionTitle4_();
428             sink.rawText("<div id=\"evidence" + cnt + "\" style=\"display:none\">");
429             sink.table();
430             sink.tableRow();
431             writeTableHeaderCell(sink, "Source");
432             writeTableHeaderCell(sink, "Name");
433             writeTableHeaderCell(sink, "Value");
434             sink.tableRow_();
435             for (Evidence e : d.getEvidenceUsed()) {
436                 sink.tableRow();
437                 writeTableCell(sink, e.getSource());
438                 writeTableCell(sink, e.getName());
439                 writeTableCell(sink, e.getValue());
440                 sink.tableRow_();
441             }
442             sink.table_();
443             sink.rawText("</div>");
444         }
445         return cnt;
446     }
447 
448     /**
449      * Writes the analysis exceptions generated during analysis to the site
450      * report.
451      *
452      * @param d the dependency
453      * @param sink the sink to write the data to
454      * @param collapsibleHeaderCount the collapsible header count
455      * @return the collapsible header count
456      */
457     private int writeSiteReportDependencyAnalysisExceptions(Dependency d, int collapsibleHeaderCount, Sink sink) {
458         int cnt = collapsibleHeaderCount;
459         if (d.getAnalysisExceptions() != null && !d.getAnalysisExceptions().isEmpty()) {
460             cnt += 1;
461             sink.sectionTitle4();
462             sink.rawText("<font style=\"color:red\">Errors occurred during analysis:</font> <a href=\"javascript:toggleElement(this, 'errors"
463                     + cnt + "')\">[+]</a>");
464             sink.sectionTitle4_();
465             sink.rawText("<div id=\"errors" + cnt + "\">");
466             sink.list();
467             for (Exception e : d.getAnalysisExceptions()) {
468                 sink.listItem();
469                 sink.text(e.getMessage());
470                 sink.listItem_();
471             }
472             sink.list_();
473             sink.rawText("</div>");
474         }
475         return cnt;
476     }
477 
478     /**
479      * Writes the dependency header to the site report.
480      *
481      * @param d the dependency
482      * @param sink the sink to write the data to
483      */
484     private void writeSiteReportDependencyHeader(Sink sink, Dependency d) {
485         sink.sectionTitle2();
486         sink.anchor("sha1" + d.getSha1sum());
487         sink.text(d.getFileName());
488         sink.anchor_();
489         sink.sectionTitle2_();
490         if (d.getDescription() != null && d.getDescription().length() > 0) {
491             sink.paragraph();
492             sink.bold();
493             sink.text("Description: ");
494             sink.bold_();
495             sink.text(d.getDescription());
496             sink.paragraph_();
497         }
498         if (d.getLicense() != null && d.getLicense().length() > 0) {
499             sink.paragraph();
500             sink.bold();
501             sink.text("License: ");
502             sink.bold_();
503             if (d.getLicense().startsWith("http://") && !d.getLicense().contains(" ")) {
504                 sink.link(d.getLicense());
505                 sink.text(d.getLicense());
506                 sink.link_();
507             } else {
508                 sink.text(d.getLicense());
509             }
510             sink.paragraph_();
511         }
512     }
513 
514     /**
515      * Adds a list item to the site report.
516      *
517      * @param sink the sink to write the data to
518      * @param text the text to write
519      */
520     private void writeListItem(Sink sink, String text) {
521         sink.listItem();
522         sink.text(text);
523         sink.listItem_();
524     }
525 
526     /**
527      * Adds a table cell to the site report.
528      *
529      * @param sink the sink to write the data to
530      * @param text the text to write
531      */
532     private void writeTableCell(Sink sink, String text) {
533         sink.tableCell();
534         sink.text(text);
535         sink.tableCell_();
536     }
537 
538     /**
539      * Adds a table header cell to the site report.
540      *
541      * @param sink the sink to write the data to
542      * @param text the text to write
543      */
544     private void writeTableHeaderCell(Sink sink, String text) {
545         sink.tableHeaderCell();
546         sink.text(text);
547         sink.tableHeaderCell_();
548     }
549 
550     /**
551      * Writes the TOC for the site report.
552      *
553      * @param sink the sink to write the data to
554      * @param dependencies the dependencies that are being reported on
555      */
556     private void writeSiteReportTOC(Sink sink, final List<Dependency> dependencies) {
557         sink.list();
558         for (Dependency d : dependencies) {
559             sink.listItem();
560             sink.link("#sha1" + d.getSha1sum());
561             sink.text(d.getFileName());
562             sink.link_();
563             if (!d.getVulnerabilities().isEmpty()) {
564                 sink.rawText(" <font style=\"color:red\">•</font>");
565             }
566             if (!d.getRelatedDependencies().isEmpty()) {
567                 sink.list();
568                 for (Dependency r : d.getRelatedDependencies()) {
569                     writeListItem(sink, r.getFileName());
570                 }
571                 sink.list_();
572             }
573             sink.listItem_();
574         }
575         sink.list_();
576     }
577 
578     /**
579      * Writes the site report header.
580      *
581      * @param sink the sink to write the data to
582      * @param projectName the name of the project
583      */
584     private void writeSiteReportHeader(Sink sink, String projectName) {
585         sink.head();
586         sink.title();
587         sink.text("Dependency-Check Report: " + projectName);
588         sink.title_();
589         sink.head_();
590         sink.body();
591         sink.rawText("<script type=\"text/javascript\">");
592         sink.rawText("function toggleElement(el, targetId) {");
593         sink.rawText("if (el.innerText == '[+]') {");
594         sink.rawText("    el.innerText = '[-]';");
595         sink.rawText("    document.getElementById(targetId).style.display='block';");
596         sink.rawText("} else {");
597         sink.rawText("    el.innerText = '[+]';");
598         sink.rawText("    document.getElementById(targetId).style.display='none';");
599         sink.rawText("}");
600 
601         sink.rawText("}");
602         sink.rawText("</script>");
603         sink.section1();
604         sink.sectionTitle1();
605         sink.text("Project: " + projectName);
606         sink.sectionTitle1_();
607         sink.date();
608         final Date now = new Date();
609         sink.text(DateFormat.getDateTimeInstance().format(now));
610         sink.date_();
611         sink.section1_();
612     }
613     // </editor-fold>
614 
615     /**
616      * Takes the properties supplied and updates the dependency-check settings.
617      * Additionally, this sets the system properties required to change the
618      * proxy url, port, and connection timeout.
619      */
620     private void populateSettings() {
621         InputStream mojoProperties = null;
622         try {
623             mojoProperties = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
624             Settings.mergeProperties(mojoProperties);
625         } catch (IOException ex) {
626             Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.WARNING, "Unable to load the dependency-check ant task.properties file.");
627             Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.FINE, null, ex);
628         } finally {
629             if (mojoProperties != null) {
630                 try {
631                     mojoProperties.close();
632                 } catch (IOException ex) {
633                     Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.FINEST, null, ex);
634                 }
635             }
636         }
637 
638         Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
639 
640         if (proxyUrl != null && !proxyUrl.isEmpty()) {
641             Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);
642         }
643         if (proxyPort != null && !proxyPort.isEmpty()) {
644             Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
645         }
646         if (proxyUsername != null && !proxyUsername.isEmpty()) {
647             Settings.setString(Settings.KEYS.PROXY_USERNAME, proxyUsername);
648         }
649         if (proxyPassword != null && !proxyPassword.isEmpty()) {
650             Settings.setString(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
651         }
652         if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
653             Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
654         }
655         if (suppressionFile != null && !suppressionFile.isEmpty()) {
656             Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
657         }
658     }
659 
660     /**
661      * Executes the dependency-check and generates the report.
662      *
663      * @throws MojoExecutionException if a maven exception occurs
664      * @throws MojoFailureException thrown if a CVSS score is found that is
665      * higher then the configured level
666      */
667     public void execute() throws MojoExecutionException, MojoFailureException {
668         final Engine engine = executeDependencyCheck();
669         generateExternalReports(engine);
670         if (this.failBuildOnCVSS <= 10) {
671             checkForFailure(engine.getDependencies());
672         }
673     }
674 
675     /**
676      * Generates the Dependency-Check Site Report.
677      *
678      * @param sink the sink to write the report to
679      * @param locale the locale to use when generating the report
680      * @throws MavenReportException if a Maven report exception occurs
681      */
682     public void generate(@SuppressWarnings("deprecation") org.codehaus.doxia.sink.Sink sink,
683             Locale locale) throws MavenReportException {
684         generate((Sink) sink, null, locale);
685     }
686 
687     /**
688      * Generates the Dependency-Check Site Report.
689      *
690      * @param sink the sink to write the report to
691      * @param sinkFactory the sink factory
692      * @param locale the locale to use when generating the report
693      * @throws MavenReportException if a maven report exception occurs
694      */
695     public void generate(Sink sink, SinkFactory sinkFactory, Locale locale) throws MavenReportException {
696         final Engine engine = executeDependencyCheck();
697         generateMavenSiteReport(engine, sink);
698     }
699 
700     // <editor-fold defaultstate="collapsed" desc="required setter/getter methods">
701     /**
702      * Returns the output name.
703      *
704      * @return the output name
705      */
706     public String getOutputName() {
707         return reportName;
708     }
709 
710     /**
711      * Returns the category name.
712      *
713      * @return the category name
714      */
715     public String getCategoryName() {
716         return MavenReport.CATEGORY_PROJECT_REPORTS;
717     }
718 
719     /**
720      * Returns the report name.
721      *
722      * @param locale the location
723      * @return the report name
724      */
725     public String getName(Locale locale) {
726         return name;
727     }
728 
729     /**
730      * Sets the Reporting output directory.
731      *
732      * @param directory the output directory
733      */
734     public void setReportOutputDirectory(File directory) {
735         reportOutputDirectory = directory;
736     }
737 
738     /**
739      * Returns the output directory.
740      *
741      * @return the output directory
742      */
743     public File getReportOutputDirectory() {
744         return reportOutputDirectory;
745     }
746 
747     /**
748      * Gets the description of the Dependency-Check report to be displayed in
749      * the Maven Generated Reports page.
750      *
751      * @param locale The Locale to get the description for
752      * @return the description
753      */
754     public String getDescription(Locale locale) {
755         return description;
756     }
757 
758     /**
759      * Returns whether this is an external report.
760      *
761      * @return true or false;
762      */
763     public boolean isExternalReport() {
764         return externalReport;
765     }
766 
767     /**
768      * Returns whether or not the plugin can generate a report.
769      *
770      * @return true
771      */
772     public boolean canGenerateReport() {
773         return true;
774     }
775     // </editor-fold>
776 
777     /**
778      * Checks to see if a vulnerability has been identified with a CVSS score
779      * that is above the threshold set in the configuration.
780      *
781      * @param dependencies the list of dependency objects
782      * @throws MojoFailureException thrown if a CVSS score is found that is
783      * higher then the threshold set
784      */
785     private void checkForFailure(List<Dependency> dependencies) throws MojoFailureException {
786         final StringBuilder ids = new StringBuilder();
787         for (Dependency d : dependencies) {
788             for (Vulnerability v : d.getVulnerabilities()) {
789                 if (v.getCvssScore() >= failBuildOnCVSS) {
790                     if (ids.length() == 0) {
791                         ids.append(v.getName());
792                     } else {
793                         ids.append(", ").append(v.getName());
794                     }
795                 }
796             }
797         }
798         if (ids.length() > 0) {
799             final String msg = String.format("%n%nDependency-Check Failure:%n"
800                     + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater then '%.1f': %s%n"
801                     + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids.toString());
802             throw new MojoFailureException(msg);
803         }
804     }
805 }