View Javadoc

1   /*
2    * This file is part of dependency-check-maven.
3    *
4    * Dependency-check-maven is free software: you can redistribute it and/or modify it
5    * under the terms of the GNU General Public License as published by the Free
6    * Software Foundation, either version 3 of the License, or (at your option) any
7    * later version.
8    *
9    * Dependency-check-maven is distributed in the hope that it will be useful, but
10   * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11   * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
12   * details.
13   *
14   * You should have received a copy of the GNU General Public License along with
15   * dependency-check-maven. If not, see http://www.gnu.org/licenses/.
16   *
17   * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
18   */
19  package org.owasp.dependencycheck.maven;
20  
21  import java.io.File;
22  import java.io.IOException;
23  import java.io.InputStream;
24  import java.io.UnsupportedEncodingException;
25  import java.net.URLEncoder;
26  import java.text.DateFormat;
27  import java.util.Date;
28  import java.util.List;
29  import java.util.Locale;
30  import java.util.logging.Level;
31  import java.util.logging.Logger;
32  import org.apache.maven.doxia.sink.SinkFactory;
33  import org.apache.maven.plugin.AbstractMojo;
34  import org.apache.maven.plugin.MojoExecutionException;
35  import org.apache.maven.project.MavenProject;
36  import java.util.Set;
37  import org.apache.maven.artifact.Artifact;
38  import org.apache.maven.plugins.annotations.Component;
39  import org.apache.maven.plugins.annotations.LifecyclePhase;
40  import org.apache.maven.plugins.annotations.Mojo;
41  import org.apache.maven.plugins.annotations.Parameter;
42  import org.apache.maven.plugins.annotations.ResolutionScope;
43  import org.apache.maven.reporting.MavenMultiPageReport;
44  import org.apache.maven.reporting.MavenReport;
45  import org.apache.maven.reporting.MavenReportException;
46  import org.apache.maven.doxia.sink.Sink;
47  import org.apache.maven.plugin.MojoFailureException;
48  import org.owasp.dependencycheck.Engine;
49  import org.owasp.dependencycheck.dependency.Dependency;
50  import org.owasp.dependencycheck.dependency.Evidence;
51  import org.owasp.dependencycheck.dependency.Identifier;
52  import org.owasp.dependencycheck.dependency.Reference;
53  import org.owasp.dependencycheck.dependency.Vulnerability;
54  import org.owasp.dependencycheck.dependency.VulnerableSoftware;
55  import org.owasp.dependencycheck.reporting.ReportGenerator;
56  import org.owasp.dependencycheck.utils.LogUtils;
57  import org.owasp.dependencycheck.utils.Settings;
58  
59  /**
60   * Maven Plugin that checks project dependencies to see if they have any known
61   * published vulnerabilities.
62   *
63   * @author Jeremy Long (jeremy.long@owasp.org)
64   */
65  @Mojo(name = "check", defaultPhase = LifecyclePhase.COMPILE, threadSafe = true,
66          requiresDependencyResolution = ResolutionScope.RUNTIME_PLUS_SYSTEM,
67          requiresOnline = true)
68  public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageReport {
69  
70      /**
71       * The properties file location.
72       */
73      private static final String PROPERTIES_FILE = "mojo.properties";
74      /**
75       * Name of the logging properties file.
76       */
77      private static final String LOG_PROPERTIES_FILE = "log.properties";
78      /**
79       * The name of the test scope.
80       */
81      public static final String TEST_SCOPE = "test";
82      // <editor-fold defaultstate="collapsed" desc="Maven bound parameters and components">
83      /**
84       * The Maven Project Object.
85       */
86      @Component
87      private MavenProject project;
88      /**
89       * The name of the site report destination.
90       */
91      @Parameter(property = "report-name", defaultValue = "dependency-check-report")
92      private String reportName;
93      /**
94       * The path to the verbose log
95       */
96      @Parameter(property = "logfile", defaultValue = "")
97      private String logFile;
98      /**
99       * The name of the report to be displayed in the Maven Generated Reports
100      * page
101      */
102     @Parameter(property = "name", defaultValue = "Dependency-Check")
103     private String name;
104     /**
105      * The description of the Dependency-Check report to be displayed in the
106      * Maven Generated Reports page
107      */
108     @Parameter(property = "description", defaultValue = "A report providing details on any published "
109             + "vulnerabilities within project dependencies. This report is a best effort but may contain "
110             + "false positives and false negatives.")
111     private String description;
112     /**
113      * Specifies the destination directory for the generated Dependency-Check
114      * report.
115      */
116     @Parameter(property = "reportOutputDirectory", defaultValue = "${project.reporting.outputDirectory}", required = true)
117     private File reportOutputDirectory;
118     /**
119      * Specifies if the build should be failed if a CVSS score above a specified
120      * level is identified. The default is 11 which means since the CVSS scores
121      * are 0-10, by default the build will never fail.
122      */
123     @Parameter(property = "failBuildOnCVSS", defaultValue = "11", required = true)
124     private float failBuildOnCVSS = 11;
125     /**
126      * The output directory.
127      */
128     @Parameter(defaultValue = "${project.build.directory}", required = true)
129     private File outputDirectory;
130     /**
131      * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not
132      * recommended that this be turned to false. Default is true.
133      */
134     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
135     @Parameter(property = "autoupdate", defaultValue = "true", required = true)
136     private boolean autoUpdate = true;
137     /**
138      * The report format to be generated (HTML, XML, VULN, ALL). This
139      * configuration option has no affect if using this within the Site plugin
140      * unless the externalReport is set to true. Default is HTML.
141      */
142     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
143     @Parameter(property = "format", defaultValue = "HTML", required = true)
144     private String format = "HTML";
145     /**
146      * Sets whether or not the external report format should be used.
147      */
148     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
149     @Parameter(property = "externalReport", defaultValue = "false", required = true)
150     private boolean externalReport = false;
151     /**
152      * The Proxy URL.
153      */
154     @SuppressWarnings("CanBeFinal")
155     @Parameter(property = "proxyUrl", defaultValue = "", required = false)
156     private String proxyUrl = null;
157     /**
158      * The Proxy Port.
159      */
160     @SuppressWarnings("CanBeFinal")
161     @Parameter(property = "proxyPort", defaultValue = "", required = false)
162     private String proxyPort = null;
163     /**
164      * The Connection Timeout.
165      */
166     @SuppressWarnings("CanBeFinal")
167     @Parameter(property = "connectionTimeout", defaultValue = "", required = false)
168     private String connectionTimeout = null;
169 
170     // </editor-fold>
171     /**
172      * Executes the Dependency-Check on the dependent libraries.
173      *
174      * @return the Engine used to scan the dependencies.
175      */
176     private Engine executeDependencyCheck() {
177 
178         final InputStream in = DependencyCheckMojo.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
179         LogUtils.prepareLogger(in, logFile);
180 
181         populateSettings();
182         final Engine engine = new Engine();
183         final Set<Artifact> artifacts = project.getArtifacts();
184         for (Artifact a : artifacts) {
185             if (!TEST_SCOPE.equals(a.getScope())) {
186                 engine.scan(a.getFile().getAbsolutePath());
187             }
188         }
189         engine.analyzeDependencies();
190         return engine;
191     }
192 
193     /**
194      * Generates the reports for a given dependency-check engine.
195      *
196      * @param engine a dependency-check engine
197      */
198     private void generateExternalReports(Engine engine) {
199         final ReportGenerator r = new ReportGenerator(project.getName(), engine.getDependencies(), engine.getAnalyzers());
200         try {
201             r.generateReports(outputDirectory.getCanonicalPath(), format);
202         } catch (IOException ex) {
203             Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.SEVERE, null, ex);
204         } catch (Exception ex) {
205             Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.SEVERE, null, ex);
206         }
207     }
208 
209     /**
210      * Generates a dependency-check report using the Maven Site format.
211      *
212      * @param engine the engine used to scan the dependencies
213      * @param sink the sink to write the data to
214      */
215     private void generateMavenSiteReport(final Engine engine, Sink sink) {
216         final List<Dependency> dependencies = engine.getDependencies();
217 
218         writeSiteReportHeader(sink, project.getName());
219         writeSiteReportTOC(sink, dependencies);
220 
221         int cnt = 0;
222         for (Dependency d : dependencies) {
223             writeSiteReportDependencyHeader(sink, d);
224             cnt = writeSiteReportDependencyAnalysisExceptions(d, cnt, sink);
225             cnt = writeSiteReportDependencyEvidenceUsed(d, cnt, sink);
226             cnt = writeSiteReportDependencyRelatedDependencies(d, cnt, sink);
227             writeSiteReportDependencyIdentifiers(d, sink);
228             writeSiteReportDependencyVulnerabilities(d, sink, cnt);
229         }
230         sink.body_();
231     }
232 
233     // <editor-fold defaultstate="collapsed" desc="various writeXXXXX methods to generate the Site Report">
234     /**
235      * Writes the vulnerabilities to the site report.
236      *
237      * @param d the dependency
238      * @param sink the sink to write the data to
239      * @param collapsibleHeaderCount the collapsible header count
240      */
241     private void writeSiteReportDependencyVulnerabilities(Dependency d, Sink sink, int collapsibleHeaderCount) {
242         int cnt = collapsibleHeaderCount;
243         if (d.getVulnerabilities() != null && !d.getVulnerabilities().isEmpty()) {
244             for (Vulnerability v : d.getVulnerabilities()) {
245 
246                 sink.paragraph();
247                 sink.bold();
248                 try {
249                     sink.link("http://web.nvd.nist.gov/view/vuln/detail?vulnId=" + URLEncoder.encode(v.getName(), "US-ASCII"));
250                     sink.text(v.getName());
251                     sink.link_();
252                     sink.bold_();
253                 } catch (UnsupportedEncodingException ex) {
254                     sink.text(v.getName());
255                     sink.bold_();
256                     sink.lineBreak();
257                     sink.text("http://web.nvd.nist.gov/view/vuln/detail?vulnId=" + v.getName());
258                 }
259                 sink.paragraph_();
260                 sink.paragraph();
261                 sink.text("Severity: ");
262                 if (v.getCvssScore() < 4.0) {
263                     sink.text("Low");
264                 } else {
265                     if (v.getCvssScore() >= 7.0) {
266                         sink.text("High");
267                     } else {
268                         sink.text("Medium");
269                     }
270                 }
271                 sink.lineBreak();
272                 sink.text("CVSS Score: " + v.getCvssScore());
273                 if (v.getCwe() != null && !v.getCwe().isEmpty()) {
274                     sink.lineBreak();
275                     sink.text("CWE: ");
276                     sink.text(v.getCwe());
277                 }
278                 sink.paragraph_();
279                 sink.paragraph();
280                 sink.text(v.getDescription());
281                 if (v.getReferences() != null && !v.getReferences().isEmpty()) {
282                     sink.list();
283                     for (Reference ref : v.getReferences()) {
284                         sink.listItem();
285                         sink.text(ref.getSource());
286                         sink.text(" - ");
287                         sink.link(ref.getUrl());
288                         sink.text(ref.getName());
289                         sink.link_();
290                         sink.listItem_();
291                     }
292                     sink.list_();
293                 }
294                 sink.paragraph_();
295                 if (v.getVulnerableSoftware() != null && !v.getVulnerableSoftware().isEmpty()) {
296                     sink.paragraph();
297 
298                     cnt += 1;
299                     sink.rawText("Vulnerable Software <a href=\"javascript:toggleElement(this, 'vulnSoft" + cnt + "')\">[-]</a>");
300                     sink.rawText("<div id=\"vulnSoft" + cnt + "\" style=\"display:block\">");
301                     sink.list();
302                     for (VulnerableSoftware vs : v.getVulnerableSoftware()) {
303                         sink.listItem();
304                         try {
305                             sink.link("http://web.nvd.nist.gov/view/vuln/search-results?cpe=" + URLEncoder.encode(vs.getName(), "US-ASCII"));
306                             sink.text(vs.getName());
307                             sink.link_();
308                             if (vs.hasPreviousVersion()) {
309                                 sink.text(" and all previous versions.");
310                             }
311                         } catch (UnsupportedEncodingException ex) {
312                             sink.text(vs.getName());
313                             if (vs.hasPreviousVersion()) {
314                                 sink.text(" and all previous versions.");
315                             }
316                             sink.text(" (http://web.nvd.nist.gov/view/vuln/search-results?cpe=" + vs.getName() + ")");
317                         }
318 
319                         sink.listItem_();
320                     }
321                     sink.list_();
322                     sink.rawText("</div>");
323                     sink.paragraph_();
324                 }
325             }
326         }
327     }
328 
329     /**
330      * Writes the identifiers to the site report.
331      *
332      * @param d the dependency
333      * @param sink the sink to write the data to
334      */
335     private void writeSiteReportDependencyIdentifiers(Dependency d, Sink sink) {
336         if (d.getIdentifiers() != null && !d.getIdentifiers().isEmpty()) {
337             sink.sectionTitle4();
338             sink.text("Identifiers");
339             sink.sectionTitle4_();
340             sink.list();
341             for (Identifier i : d.getIdentifiers()) {
342                 sink.listItem();
343                 sink.text(i.getType());
344                 sink.text(": ");
345                 if (i.getUrl() != null && i.getUrl().length() > 0) {
346                     sink.link(i.getUrl());
347                     sink.text(i.getValue());
348                     sink.link_();
349                 } else {
350                     sink.text(i.getValue());
351                 }
352                 if (i.getDescription() != null && i.getDescription().length() > 0) {
353                     sink.lineBreak();
354                     sink.text(i.getDescription());
355                 }
356                 sink.listItem_();
357             }
358             sink.list_();
359         }
360     }
361 
362     /**
363      * Writes the related dependencies to the site report.
364      *
365      * @param d the dependency
366      * @param sink the sink to write the data to
367      * @param collapsibleHeaderCount the collapsible header count
368      * @return the collapsible header count
369      */
370     private int writeSiteReportDependencyRelatedDependencies(Dependency d, int collapsibleHeaderCount, Sink sink) {
371         int cnt = collapsibleHeaderCount;
372         if (d.getRelatedDependencies() != null && !d.getRelatedDependencies().isEmpty()) {
373             cnt += 1;
374             sink.sectionTitle4();
375             sink.rawText("Related Dependencies <a href=\"javascript:toggleElement(this, 'related" + cnt + "')\">[+]</a>");
376             sink.sectionTitle4_();
377             sink.rawText("<div id=\"related" + cnt + "\" style=\"display:none\">");
378             sink.list();
379             for (Dependency r : d.getRelatedDependencies()) {
380                 sink.listItem();
381                 sink.text(r.getFileName());
382                 sink.list();
383                 writeListItem(sink, "File Path: " + r.getFilePath());
384                 writeListItem(sink, "SHA1: " + r.getSha1sum());
385                 writeListItem(sink, "MD5: " + r.getMd5sum());
386                 sink.list_();
387                 sink.listItem_();
388             }
389             sink.list_();
390             sink.rawText("</div>");
391         }
392         return cnt;
393     }
394 
395     /**
396      * Writes the evidence used to the site report.
397      *
398      * @param d the dependency
399      * @param sink the sink to write the data to
400      * @param collapsibleHeaderCount the collapsible header count
401      * @return the collapsible header count
402      */
403     private int writeSiteReportDependencyEvidenceUsed(Dependency d, int collapsibleHeaderCount, Sink sink) {
404         int cnt = collapsibleHeaderCount;
405         if (d.getEvidenceUsed() != null && d.getEvidenceUsed().size() > 0) {
406             cnt += 1;
407             sink.sectionTitle4();
408             sink.rawText("Evidence Collected <a href=\"javascript:toggleElement(this, 'evidence" + cnt + "')\">[+]</a>");
409             sink.sectionTitle4_();
410             sink.rawText("<div id=\"evidence" + cnt + "\" style=\"display:none\">");
411             sink.table();
412             sink.tableRow();
413             writeTableHeaderCell(sink, "Source");
414             writeTableHeaderCell(sink, "Name");
415             writeTableHeaderCell(sink, "Value");
416             sink.tableRow_();
417             for (Evidence e : d.getEvidenceUsed()) {
418                 sink.tableRow();
419                 writeTableCell(sink, e.getSource());
420                 writeTableCell(sink, e.getName());
421                 writeTableCell(sink, e.getValue());
422                 sink.tableRow_();
423             }
424             sink.table_();
425             sink.rawText("</div>");
426         }
427         return cnt;
428     }
429 
430     /**
431      * Writes the analysis exceptions generated during analysis to the site
432      * report.
433      *
434      * @param d the dependency
435      * @param sink the sink to write the data to
436      * @param collapsibleHeaderCount the collapsible header count
437      * @return the collapsible header count
438      */
439     private int writeSiteReportDependencyAnalysisExceptions(Dependency d, int collapsibleHeaderCount, Sink sink) {
440         int cnt = collapsibleHeaderCount;
441         if (d.getAnalysisExceptions() != null && !d.getAnalysisExceptions().isEmpty()) {
442             cnt += 1;
443             sink.sectionTitle4();
444             sink.rawText("<font style=\"color:red\">Errors occurred during analysis:</font> <a href=\"javascript:toggleElement(this, 'errors"
445                     + cnt + "')\">[+]</a>");
446             sink.sectionTitle4_();
447             sink.rawText("<div id=\"errors" + cnt + "\">");
448             sink.list();
449             for (Exception e : d.getAnalysisExceptions()) {
450                 sink.listItem();
451                 sink.text(e.getMessage());
452                 sink.listItem_();
453             }
454             sink.list_();
455             sink.rawText("</div>");
456         }
457         return cnt;
458     }
459 
460     /**
461      * Writes the dependency header to the site report.
462      *
463      * @param d the dependency
464      * @param sink the sink to write the data to
465      */
466     private void writeSiteReportDependencyHeader(Sink sink, Dependency d) {
467         sink.sectionTitle2();
468         sink.anchor("sha1" + d.getSha1sum());
469         sink.text(d.getFileName());
470         sink.anchor_();
471         sink.sectionTitle2_();
472         if (d.getDescription() != null && d.getDescription().length() > 0) {
473             sink.paragraph();
474             sink.bold();
475             sink.text("Description: ");
476             sink.bold_();
477             sink.text(d.getDescription());
478             sink.paragraph_();
479         }
480         if (d.getLicense() != null && d.getLicense().length() > 0) {
481             sink.paragraph();
482             sink.bold();
483             sink.text("License: ");
484             sink.bold_();
485             if (d.getLicense().startsWith("http://") && !d.getLicense().contains(" ")) {
486                 sink.link(d.getLicense());
487                 sink.text(d.getLicense());
488                 sink.link_();
489             } else {
490                 sink.text(d.getLicense());
491             }
492             sink.paragraph_();
493         }
494     }
495 
496     /**
497      * Adds a list item to the site report.
498      *
499      * @param sink the sink to write the data to
500      * @param text the text to write
501      */
502     private void writeListItem(Sink sink, String text) {
503         sink.listItem();
504         sink.text(text);
505         sink.listItem_();
506     }
507 
508     /**
509      * Adds a table cell to the site report.
510      *
511      * @param sink the sink to write the data to
512      * @param text the text to write
513      */
514     private void writeTableCell(Sink sink, String text) {
515         sink.tableCell();
516         sink.text(text);
517         sink.tableCell_();
518     }
519 
520     /**
521      * Adds a table header cell to the site report.
522      *
523      * @param sink the sink to write the data to
524      * @param text the text to write
525      */
526     private void writeTableHeaderCell(Sink sink, String text) {
527         sink.tableHeaderCell();
528         sink.text(text);
529         sink.tableHeaderCell_();
530     }
531 
532     /**
533      * Writes the TOC for the site report.
534      *
535      * @param sink the sink to write the data to
536      * @param dependencies the dependencies that are being reported on
537      */
538     private void writeSiteReportTOC(Sink sink, final List<Dependency> dependencies) {
539         sink.list();
540         for (Dependency d : dependencies) {
541             sink.listItem();
542             sink.link("#sha1" + d.getSha1sum());
543             sink.text(d.getFileName());
544             sink.link_();
545             if (!d.getVulnerabilities().isEmpty()) {
546                 sink.rawText(" <font style=\"color:red\">•</font>");
547             }
548             if (!d.getRelatedDependencies().isEmpty()) {
549                 sink.list();
550                 for (Dependency r : d.getRelatedDependencies()) {
551                     writeListItem(sink, r.getFileName());
552                 }
553                 sink.list_();
554             }
555             sink.listItem_();
556         }
557         sink.list_();
558     }
559 
560     /**
561      * Writes the site report header.
562      *
563      * @param sink the sink to write the data to
564      * @param projectName the name of the project
565      */
566     private void writeSiteReportHeader(Sink sink, String projectName) {
567         sink.head();
568         sink.title();
569         sink.text("Dependency-Check Report: " + projectName);
570         sink.title_();
571         sink.head_();
572         sink.body();
573         sink.rawText("<script type=\"text/javascript\">");
574         sink.rawText("function toggleElement(el, targetId) {");
575         sink.rawText("if (el.innerText == '[+]') {");
576         sink.rawText("    el.innerText = '[-]';");
577         sink.rawText("    document.getElementById(targetId).style.display='block';");
578         sink.rawText("} else {");
579         sink.rawText("    el.innerText = '[+]';");
580         sink.rawText("    document.getElementById(targetId).style.display='none';");
581         sink.rawText("}");
582 
583         sink.rawText("}");
584         sink.rawText("</script>");
585         sink.section1();
586         sink.sectionTitle1();
587         sink.text("Project: " + projectName);
588         sink.sectionTitle1_();
589         sink.date();
590         final Date now = new Date();
591         sink.text(DateFormat.getDateTimeInstance().format(now));
592         sink.date_();
593         sink.section1_();
594     }
595     // </editor-fold>
596 
597     /**
598      * Takes the properties supplied and updates the dependency-check settings.
599      * Additionally, this sets the system properties required to change the
600      * proxy url, port, and connection timeout.
601      */
602     private void populateSettings() {
603         InputStream mojoProperties = null;
604         try {
605             mojoProperties = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
606             Settings.mergeProperties(mojoProperties);
607         } catch (IOException ex) {
608             Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.WARNING, "Unable to load the dependency-check ant task.properties file.");
609             Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.FINE, null, ex);
610         } finally {
611             if (mojoProperties != null) {
612                 try {
613                     mojoProperties.close();
614                 } catch (IOException ex) {
615                     Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.FINEST, null, ex);
616                 }
617             }
618         }
619 
620         Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
621 
622         if (proxyUrl != null && !proxyUrl.isEmpty()) {
623             Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);
624         }
625         if (proxyPort != null && !proxyPort.isEmpty()) {
626             Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
627         }
628         if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
629             Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
630         }
631     }
632 
633     /**
634      * Executes the dependency-check and generates the report.
635      *
636      * @throws MojoExecutionException if a maven exception occurs
637      * @throws MojoFailureException thrown if a CVSS score is found that is
638      * higher then the configured level
639      */
640     public void execute() throws MojoExecutionException, MojoFailureException {
641         final Engine engine = executeDependencyCheck();
642         generateExternalReports(engine);
643         if (this.failBuildOnCVSS <= 10) {
644             checkForFailure(engine.getDependencies());
645         }
646     }
647 
648     /**
649      * Generates the Dependency-Check Site Report.
650      *
651      * @param sink the sink to write the report to
652      * @param locale the locale to use when generating the report
653      * @throws MavenReportException if a Maven report exception occurs
654      */
655     public void generate(@SuppressWarnings("deprecation") org.codehaus.doxia.sink.Sink sink,
656             Locale locale) throws MavenReportException {
657         generate((Sink) sink, null, locale);
658     }
659 
660     /**
661      * Generates the Dependency-Check Site Report.
662      *
663      * @param sink the sink to write the report to
664      * @param sinkFactory the sink factory
665      * @param locale the locale to use when generating the report
666      * @throws MavenReportException if a maven report exception occurs
667      */
668     public void generate(Sink sink, SinkFactory sinkFactory, Locale locale) throws MavenReportException {
669         final Engine engine = executeDependencyCheck();
670         generateMavenSiteReport(engine, sink);
671     }
672 
673     // <editor-fold defaultstate="collapsed" desc="required setter/getter methods">
674     /**
675      * Returns the output name.
676      *
677      * @return the output name
678      */
679     public String getOutputName() {
680         return reportName;
681     }
682 
683     /**
684      * Returns the category name.
685      *
686      * @return the category name
687      */
688     public String getCategoryName() {
689         return MavenReport.CATEGORY_PROJECT_REPORTS;
690     }
691 
692     /**
693      * Returns the report name.
694      *
695      * @param locale the location
696      * @return the report name
697      */
698     public String getName(Locale locale) {
699         return name;
700     }
701 
702     /**
703      * Sets the Reporting output directory.
704      *
705      * @param directory the output directory
706      */
707     public void setReportOutputDirectory(File directory) {
708         reportOutputDirectory = directory;
709     }
710 
711     /**
712      * Returns the output directory.
713      *
714      * @return the output directory
715      */
716     public File getReportOutputDirectory() {
717         return reportOutputDirectory;
718     }
719 
720     /**
721      * Gets the description of the Dependency-Check report to be displayed in
722      * the Maven Generated Reports page.
723      *
724      * @param locale The Locale to get the description for
725      * @return the description
726      */
727     public String getDescription(Locale locale) {
728         return description;
729     }
730 
731     /**
732      * Returns whether this is an external report.
733      *
734      * @return true or false;
735      */
736     public boolean isExternalReport() {
737         return externalReport;
738     }
739 
740     /**
741      * Returns whether or not the plugin can generate a report.
742      *
743      * @return true
744      */
745     public boolean canGenerateReport() {
746         return true;
747     }
748     // </editor-fold>
749 
750     /**
751      * Checks to see if a vulnerability has been identified with a CVSS score
752      * that is above the threshold set in the configuration.
753      *
754      * @param dependencies the list of dependency objects
755      * @throws MojoFailureException thrown if a CVSS score is found that is
756      * higher then the threshold set
757      */
758     private void checkForFailure(List<Dependency> dependencies) throws MojoFailureException {
759         final StringBuilder ids = new StringBuilder();
760         for (Dependency d : dependencies) {
761             for (Vulnerability v : d.getVulnerabilities()) {
762                 if (v.getCvssScore() >= failBuildOnCVSS) {
763                     if (ids.length() == 0) {
764                         ids.append(v.getName());
765                     } else {
766                         ids.append(", ").append(v.getName());
767                     }
768                 }
769             }
770         }
771         if (ids.length() > 0) {
772             final String msg = String.format("%n%nDependency-Check Failure:%n"
773                     + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater then '%.1f': %s%n"
774                     + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids.toString());
775             throw new MojoFailureException(msg);
776         }
777     }
778 }