Coverage Report - org.owasp.dependencycheck.taskdefs.Check
 
Classes in this File Line Coverage Branch Coverage Complexity
Check
50%
123/242
48%
35/72
1.75
Check$ReportFormats
100%
7/7
100%
2/2
1.75
 
 1   
 /*
 2   
  * This file is part of dependency-check-ant.
 3   
  *
 4   
  * Licensed under the Apache License, Version 2.0 (the "License");
 5   
  * you may not use this file except in compliance with the License.
 6   
  * You may obtain a copy of the License at
 7   
  *
 8   
  *     http://www.apache.org/licenses/LICENSE-2.0
 9   
  *
 10   
  * Unless required by applicable law or agreed to in writing, software
 11   
  * distributed under the License is distributed on an "AS IS" BASIS,
 12   
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 13   
  * See the License for the specific language governing permissions and
 14   
  * limitations under the License.
 15   
  *
 16   
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
 17   
  */
 18   
 package org.owasp.dependencycheck.taskdefs;
 19   
 
 20   
 import java.io.File;
 21   
 import java.util.List;
 22   
 import org.apache.tools.ant.BuildException;
 23   
 import org.apache.tools.ant.Project;
 24   
 import org.apache.tools.ant.types.EnumeratedAttribute;
 25   
 import org.apache.tools.ant.types.Reference;
 26   
 import org.apache.tools.ant.types.Resource;
 27   
 import org.apache.tools.ant.types.ResourceCollection;
 28   
 import org.apache.tools.ant.types.resources.FileProvider;
 29   
 import org.apache.tools.ant.types.resources.Resources;
 30   
 import org.owasp.dependencycheck.Engine;
 31   
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 32   
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 33   
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 34   
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
 35   
 import org.owasp.dependencycheck.dependency.Dependency;
 36   
 import org.owasp.dependencycheck.dependency.Identifier;
 37   
 import org.owasp.dependencycheck.dependency.Vulnerability;
 38   
 import org.owasp.dependencycheck.exception.ExceptionCollection;
 39   
 import org.owasp.dependencycheck.exception.ReportException;
 40   
 import org.owasp.dependencycheck.reporting.ReportGenerator;
 41   
 import org.owasp.dependencycheck.reporting.ReportGenerator.Format;
 42   
 import org.owasp.dependencycheck.utils.Settings;
 43   
 import org.slf4j.impl.StaticLoggerBinder;
 44   
 
 45   
 /**
 46   
  * An Ant task definition to execute dependency-check during an Ant build.
 47   
  *
 48   
  * @author Jeremy Long
 49   
  */
 50   
 public class Check extends Update {
 51   
 
 52   
     /**
 53   
      * System specific new line character.
 54   
      */
 55  1 
     private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();
 56   
 
 57   
     /**
 58   
      * Construct a new DependencyCheckTask.
 59   
      */
 60   
     public Check() {
 61  4 
         super();
 62   
         // Call this before Dependency Check Core starts logging anything - this way, all SLF4J messages from
 63   
         // core end up coming through this tasks logger
 64  4 
         StaticLoggerBinder.getSingleton().setTask(this);
 65  4 
     }
 66   
     //The following code was copied Apache Ant PathConvert
 67   
     //BEGIN COPY from org.apache.tools.ant.taskdefs.PathConvert
 68   
     /**
 69   
      * Path to be converted
 70   
      */
 71  4 
     private Resources path = null;
 72   
     /**
 73   
      * Reference to path/fileset to convert
 74   
      */
 75  4 
     private Reference refid = null;
 76   
 
 77   
     /**
 78   
      * Add an arbitrary ResourceCollection.
 79   
      *
 80   
      * @param rc the ResourceCollection to add.
 81   
      * @since Ant 1.7
 82   
      */
 83   
     public void add(ResourceCollection rc) {
 84  4 
         if (isReference()) {
 85  0 
             throw new BuildException("Nested elements are not allowed when using the refid attribute.");
 86   
         }
 87  4 
         getPath().add(rc);
 88  4 
     }
 89   
 
 90   
     /**
 91   
      * Returns the path. If the path has not been initialized yet, this class is
 92   
      * synchronized, and will instantiate the path object.
 93   
      *
 94   
      * @return the path
 95   
      */
 96   
     private synchronized Resources getPath() {
 97  4 
         if (path == null) {
 98  3 
             path = new Resources(getProject());
 99  3 
             path.setCache(true);
 100   
         }
 101  4 
         return path;
 102   
     }
 103   
 
 104   
     /**
 105   
      * Learn whether the refid attribute of this element been set.
 106   
      *
 107   
      * @return true if refid is valid.
 108   
      */
 109   
     public boolean isReference() {
 110  8 
         return refid != null;
 111   
     }
 112   
 
 113   
     /**
 114   
      * Add a reference to a Path, FileSet, DirSet, or FileList defined
 115   
      * elsewhere.
 116   
      *
 117   
      * @param r the reference to a path, fileset, dirset or filelist.
 118   
      */
 119   
     public void setRefid(Reference r) {
 120  0 
         if (path != null) {
 121  0 
             throw new BuildException("Nested elements are not allowed when using the refid attribute.");
 122   
         }
 123  0 
         refid = r;
 124  0 
     }
 125   
 
 126   
     /**
 127   
      * If this is a reference, this method will add the referenced resource
 128   
      * collection to the collection of paths.
 129   
      *
 130   
      * @throws BuildException if the reference is not to a resource collection
 131   
      */
 132   
     private void dealWithReferences() throws BuildException {
 133  4 
         if (isReference()) {
 134  0 
             final Object o = refid.getReferencedObject(getProject());
 135  0 
             if (!(o instanceof ResourceCollection)) {
 136  0 
                 throw new BuildException("refid '" + refid.getRefId()
 137   
                         + "' does not refer to a resource collection.");
 138   
             }
 139  0 
             getPath().add((ResourceCollection) o);
 140   
         }
 141  4 
     }
 142   
     // END COPY from org.apache.tools.ant.taskdefs
 143   
     /**
 144   
      * The application name for the report.
 145   
      *
 146   
      * @deprecated use projectName instead.
 147   
      */
 148  4 
     @Deprecated
 149   
     private String applicationName = null;
 150   
 
 151   
     /**
 152   
      * Get the value of applicationName.
 153   
      *
 154   
      * @return the value of applicationName
 155   
      *
 156   
      * @deprecated use projectName instead.
 157   
      */
 158   
     @Deprecated
 159   
     public String getApplicationName() {
 160  0 
         return applicationName;
 161   
     }
 162   
 
 163   
     /**
 164   
      * Set the value of applicationName.
 165   
      *
 166   
      * @param applicationName new value of applicationName
 167   
      * @deprecated use projectName instead.
 168   
      */
 169   
     @Deprecated
 170   
     public void setApplicationName(String applicationName) {
 171  4 
         this.applicationName = applicationName;
 172  4 
     }
 173   
     /**
 174   
      * The name of the project being analyzed.
 175   
      */
 176  4 
     private String projectName = "dependency-check";
 177   
 
 178   
     /**
 179   
      * Get the value of projectName.
 180   
      *
 181   
      * @return the value of projectName
 182   
      */
 183   
     public String getProjectName() {
 184  3 
         if (applicationName != null) {
 185  3 
             log("Configuration 'applicationName' has been deprecated, please use 'projectName' instead", Project.MSG_WARN);
 186  3 
             if ("dependency-check".equals(projectName)) {
 187  3 
                 projectName = applicationName;
 188   
             }
 189   
         }
 190  3 
         return projectName;
 191   
     }
 192   
 
 193   
     /**
 194   
      * Set the value of projectName.
 195   
      *
 196   
      * @param projectName new value of projectName
 197   
      */
 198   
     public void setProjectName(String projectName) {
 199  0 
         this.projectName = projectName;
 200  0 
     }
 201   
 
 202   
     /**
 203   
      * Specifies the destination directory for the generated Dependency-Check
 204   
      * report.
 205   
      */
 206  4 
     private String reportOutputDirectory = ".";
 207   
 
 208   
     /**
 209   
      * Get the value of reportOutputDirectory.
 210   
      *
 211   
      * @return the value of reportOutputDirectory
 212   
      */
 213   
     public String getReportOutputDirectory() {
 214  0 
         return reportOutputDirectory;
 215   
     }
 216   
 
 217   
     /**
 218   
      * Set the value of reportOutputDirectory.
 219   
      *
 220   
      * @param reportOutputDirectory new value of reportOutputDirectory
 221   
      */
 222   
     public void setReportOutputDirectory(String reportOutputDirectory) {
 223  4 
         this.reportOutputDirectory = reportOutputDirectory;
 224  4 
     }
 225   
     /**
 226   
      * Specifies if the build should be failed if a CVSS score above a specified
 227   
      * level is identified. The default is 11 which means since the CVSS scores
 228   
      * are 0-10, by default the build will never fail and the CVSS score is set
 229   
      * to 11. The valid range for the fail build on CVSS is 0 to 11, where
 230   
      * anything above 10 will not cause the build to fail.
 231   
      */
 232  4 
     private float failBuildOnCVSS = 11;
 233   
 
 234   
     /**
 235   
      * Get the value of failBuildOnCVSS.
 236   
      *
 237   
      * @return the value of failBuildOnCVSS
 238   
      */
 239   
     public float getFailBuildOnCVSS() {
 240  0 
         return failBuildOnCVSS;
 241   
     }
 242   
 
 243   
     /**
 244   
      * Set the value of failBuildOnCVSS.
 245   
      *
 246   
      * @param failBuildOnCVSS new value of failBuildOnCVSS
 247   
      */
 248   
     public void setFailBuildOnCVSS(float failBuildOnCVSS) {
 249  1 
         this.failBuildOnCVSS = failBuildOnCVSS;
 250  1 
     }
 251   
     /**
 252   
      * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not
 253   
      * recommended that this be turned to false. Default is true.
 254   
      */
 255   
     private Boolean autoUpdate;
 256   
 
 257   
     /**
 258   
      * Get the value of autoUpdate.
 259   
      *
 260   
      * @return the value of autoUpdate
 261   
      */
 262   
     public Boolean isAutoUpdate() {
 263  0 
         return autoUpdate;
 264   
     }
 265   
 
 266   
     /**
 267   
      * Set the value of autoUpdate.
 268   
      *
 269   
      * @param autoUpdate new value of autoUpdate
 270   
      */
 271   
     public void setAutoUpdate(Boolean autoUpdate) {
 272  4 
         this.autoUpdate = autoUpdate;
 273  4 
     }
 274   
     /**
 275   
      * Whether only the update phase should be executed.
 276   
      *
 277   
      * @deprecated Use the update task instead
 278   
      */
 279  4 
     @Deprecated
 280   
     private boolean updateOnly = false;
 281   
 
 282   
     /**
 283   
      * Get the value of updateOnly.
 284   
      *
 285   
      * @return the value of updateOnly
 286   
      * @deprecated Use the update task instead
 287   
      */
 288   
     @Deprecated
 289   
     public boolean isUpdateOnly() {
 290  3 
         return updateOnly;
 291   
     }
 292   
 
 293   
     /**
 294   
      * Set the value of updateOnly.
 295   
      *
 296   
      * @param updateOnly new value of updateOnly
 297   
      * @deprecated Use the update task instead
 298   
      */
 299   
     @Deprecated
 300   
     public void setUpdateOnly(boolean updateOnly) {
 301  0 
         this.updateOnly = updateOnly;
 302  0 
     }
 303   
 
 304   
     /**
 305   
      * The report format to be generated (HTML, XML, VULN, ALL). Default is
 306   
      * HTML.
 307   
      */
 308  4 
     private String reportFormat = "HTML";
 309   
 
 310   
     /**
 311   
      * Get the value of reportFormat.
 312   
      *
 313   
      * @return the value of reportFormat
 314   
      */
 315   
     public String getReportFormat() {
 316  0 
         return reportFormat;
 317   
     }
 318   
 
 319   
     /**
 320   
      * Set the value of reportFormat.
 321   
      *
 322   
      * @param reportFormat new value of reportFormat
 323   
      */
 324   
     public void setReportFormat(ReportFormats reportFormat) {
 325  4 
         this.reportFormat = reportFormat.getValue();
 326  4 
     }
 327   
     /**
 328   
      * The path to the suppression file.
 329   
      */
 330   
     private String suppressionFile;
 331   
 
 332   
     /**
 333   
      * Get the value of suppressionFile.
 334   
      *
 335   
      * @return the value of suppressionFile
 336   
      */
 337   
     public String getSuppressionFile() {
 338  0 
         return suppressionFile;
 339   
     }
 340   
 
 341   
     /**
 342   
      * Set the value of suppressionFile.
 343   
      *
 344   
      * @param suppressionFile new value of suppressionFile
 345   
      */
 346   
     public void setSuppressionFile(String suppressionFile) {
 347  0 
         this.suppressionFile = suppressionFile;
 348  0 
     }
 349   
     /**
 350   
      * flag indicating whether or not to show a summary of findings.
 351   
      */
 352  4 
     private boolean showSummary = true;
 353   
 
 354   
     /**
 355   
      * Get the value of showSummary.
 356   
      *
 357   
      * @return the value of showSummary
 358   
      */
 359   
     public boolean isShowSummary() {
 360  0 
         return showSummary;
 361   
     }
 362   
 
 363   
     /**
 364   
      * Set the value of showSummary.
 365   
      *
 366   
      * @param showSummary new value of showSummary
 367   
      */
 368   
     public void setShowSummary(boolean showSummary) {
 369  0 
         this.showSummary = showSummary;
 370  0 
     }
 371   
 
 372   
     /**
 373   
      * Whether experimental analyzers are enabled.
 374   
      */
 375   
     private Boolean enableExperimental;
 376   
 
 377   
     /**
 378   
      * Get the value of enableExperimental.
 379   
      *
 380   
      * @return the value of enableExperimental
 381   
      */
 382   
     public Boolean isEnableExperimental() {
 383  0 
         return enableExperimental;
 384   
     }
 385   
 
 386   
     /**
 387   
      * Set the value of enableExperimental.
 388   
      *
 389   
      * @param enableExperimental new value of enableExperimental
 390   
      */
 391   
     public void setEnableExperimental(Boolean enableExperimental) {
 392  0 
         this.enableExperimental = enableExperimental;
 393  0 
     }
 394   
 
 395   
     /**
 396   
      * Whether or not the Jar Analyzer is enabled.
 397   
      */
 398   
     private Boolean jarAnalyzerEnabled;
 399   
 
 400   
     /**
 401   
      * Returns whether or not the analyzer is enabled.
 402   
      *
 403   
      * @return true if the analyzer is enabled
 404   
      */
 405   
     public Boolean isJarAnalyzerEnabled() {
 406  0 
         return jarAnalyzerEnabled;
 407   
     }
 408   
 
 409   
     /**
 410   
      * Sets whether or not the analyzer is enabled.
 411   
      *
 412   
      * @param jarAnalyzerEnabled the value of the new setting
 413   
      */
 414   
     public void setJarAnalyzerEnabled(Boolean jarAnalyzerEnabled) {
 415  0 
         this.jarAnalyzerEnabled = jarAnalyzerEnabled;
 416  0 
     }
 417   
     /**
 418   
      * Whether or not the Archive Analyzer is enabled.
 419   
      */
 420   
     private Boolean archiveAnalyzerEnabled;
 421   
 
 422   
     /**
 423   
      * Returns whether or not the analyzer is enabled.
 424   
      *
 425   
      * @return true if the analyzer is enabled
 426   
      */
 427   
     public Boolean isArchiveAnalyzerEnabled() {
 428  0 
         return archiveAnalyzerEnabled;
 429   
     }
 430   
     /**
 431   
      * Whether or not the .NET Assembly Analyzer is enabled.
 432   
      */
 433   
     private Boolean assemblyAnalyzerEnabled;
 434   
 
 435   
     /**
 436   
      * Sets whether or not the analyzer is enabled.
 437   
      *
 438   
      * @param archiveAnalyzerEnabled the value of the new setting
 439   
      */
 440   
     public void setArchiveAnalyzerEnabled(Boolean archiveAnalyzerEnabled) {
 441  0 
         this.archiveAnalyzerEnabled = archiveAnalyzerEnabled;
 442  0 
     }
 443   
 
 444   
     /**
 445   
      * Returns whether or not the analyzer is enabled.
 446   
      *
 447   
      * @return true if the analyzer is enabled
 448   
      */
 449   
     public Boolean isAssemblyAnalyzerEnabled() {
 450  0 
         return assemblyAnalyzerEnabled;
 451   
     }
 452   
 
 453   
     /**
 454   
      * Sets whether or not the analyzer is enabled.
 455   
      *
 456   
      * @param assemblyAnalyzerEnabled the value of the new setting
 457   
      */
 458   
     public void setAssemblyAnalyzerEnabled(Boolean assemblyAnalyzerEnabled) {
 459  0 
         this.assemblyAnalyzerEnabled = assemblyAnalyzerEnabled;
 460  0 
     }
 461   
     /**
 462   
      * Whether or not the .NET Nuspec Analyzer is enabled.
 463   
      */
 464   
     private Boolean nuspecAnalyzerEnabled;
 465   
 
 466   
     /**
 467   
      * Returns whether or not the analyzer is enabled.
 468   
      *
 469   
      * @return true if the analyzer is enabled
 470   
      */
 471   
     public Boolean isNuspecAnalyzerEnabled() {
 472  0 
         return nuspecAnalyzerEnabled;
 473   
     }
 474   
 
 475   
     /**
 476   
      * Sets whether or not the analyzer is enabled.
 477   
      *
 478   
      * @param nuspecAnalyzerEnabled the value of the new setting
 479   
      */
 480   
     public void setNuspecAnalyzerEnabled(Boolean nuspecAnalyzerEnabled) {
 481  0 
         this.nuspecAnalyzerEnabled = nuspecAnalyzerEnabled;
 482  0 
     }
 483   
     /**
 484   
      * Whether or not the PHP Composer Analyzer is enabled.
 485   
      */
 486   
     private Boolean composerAnalyzerEnabled;
 487   
 
 488   
     /**
 489   
      * Get the value of composerAnalyzerEnabled.
 490   
      *
 491   
      * @return the value of composerAnalyzerEnabled
 492   
      */
 493   
     public Boolean isComposerAnalyzerEnabled() {
 494  0 
         return composerAnalyzerEnabled;
 495   
     }
 496   
 
 497   
     /**
 498   
      * Set the value of composerAnalyzerEnabled.
 499   
      *
 500   
      * @param composerAnalyzerEnabled new value of composerAnalyzerEnabled
 501   
      */
 502   
     public void setComposerAnalyzerEnabled(Boolean composerAnalyzerEnabled) {
 503  0 
         this.composerAnalyzerEnabled = composerAnalyzerEnabled;
 504  0 
     }
 505   
     /**
 506   
      * Whether the autoconf analyzer should be enabled.
 507   
      */
 508   
     private Boolean autoconfAnalyzerEnabled;
 509   
 
 510   
     /**
 511   
      * Get the value of autoconfAnalyzerEnabled.
 512   
      *
 513   
      * @return the value of autoconfAnalyzerEnabled
 514   
      */
 515   
     public Boolean isAutoconfAnalyzerEnabled() {
 516  0 
         return autoconfAnalyzerEnabled;
 517   
     }
 518   
 
 519   
     /**
 520   
      * Set the value of autoconfAnalyzerEnabled.
 521   
      *
 522   
      * @param autoconfAnalyzerEnabled new value of autoconfAnalyzerEnabled
 523   
      */
 524   
     public void setAutoconfAnalyzerEnabled(Boolean autoconfAnalyzerEnabled) {
 525  0 
         this.autoconfAnalyzerEnabled = autoconfAnalyzerEnabled;
 526  0 
     }
 527   
     /**
 528   
      * Whether the CMake analyzer should be enabled.
 529   
      */
 530   
     private Boolean cmakeAnalyzerEnabled;
 531   
 
 532   
     /**
 533   
      * Get the value of cmakeAnalyzerEnabled.
 534   
      *
 535   
      * @return the value of cmakeAnalyzerEnabled
 536   
      */
 537   
     public Boolean isCMakeAnalyzerEnabled() {
 538  0 
         return cmakeAnalyzerEnabled;
 539   
     }
 540   
 
 541   
     /**
 542   
      * Set the value of cmakeAnalyzerEnabled.
 543   
      *
 544   
      * @param cmakeAnalyzerEnabled new value of cmakeAnalyzerEnabled
 545   
      */
 546   
     public void setCMakeAnalyzerEnabled(Boolean cmakeAnalyzerEnabled) {
 547  0 
         this.cmakeAnalyzerEnabled = cmakeAnalyzerEnabled;
 548  0 
     }
 549   
     /**
 550   
      * Whether or not the openssl analyzer is enabled.
 551   
      */
 552   
     private Boolean opensslAnalyzerEnabled;
 553   
 
 554   
     /**
 555   
      * Get the value of opensslAnalyzerEnabled.
 556   
      *
 557   
      * @return the value of opensslAnalyzerEnabled
 558   
      */
 559   
     public Boolean isOpensslAnalyzerEnabled() {
 560  0 
         return opensslAnalyzerEnabled;
 561   
     }
 562   
 
 563   
     /**
 564   
      * Set the value of opensslAnalyzerEnabled.
 565   
      *
 566   
      * @param opensslAnalyzerEnabled new value of opensslAnalyzerEnabled
 567   
      */
 568   
     public void setOpensslAnalyzerEnabled(Boolean opensslAnalyzerEnabled) {
 569  0 
         this.opensslAnalyzerEnabled = opensslAnalyzerEnabled;
 570  0 
     }
 571   
     /**
 572   
      * Whether or not the Node.js Analyzer is enabled.
 573   
      */
 574   
     private Boolean nodeAnalyzerEnabled;
 575   
 
 576   
     /**
 577   
      * Get the value of nodeAnalyzerEnabled.
 578   
      *
 579   
      * @return the value of nodeAnalyzerEnabled
 580   
      */
 581   
     public Boolean isNodeAnalyzerEnabled() {
 582  0 
         return nodeAnalyzerEnabled;
 583   
     }
 584   
 
 585   
     /**
 586   
      * Set the value of nodeAnalyzerEnabled.
 587   
      *
 588   
      * @param nodeAnalyzerEnabled new value of nodeAnalyzerEnabled
 589   
      */
 590   
     public void setNodeAnalyzerEnabled(Boolean nodeAnalyzerEnabled) {
 591  0 
         this.nodeAnalyzerEnabled = nodeAnalyzerEnabled;
 592  0 
     }
 593   
     /**
 594   
      * Whether the ruby gemspec analyzer should be enabled.
 595   
      */
 596   
     private Boolean rubygemsAnalyzerEnabled;
 597   
 
 598   
     /**
 599   
      * Get the value of rubygemsAnalyzerEnabled.
 600   
      *
 601   
      * @return the value of rubygemsAnalyzerEnabled
 602   
      */
 603   
     public Boolean isRubygemsAnalyzerEnabled() {
 604  0 
         return rubygemsAnalyzerEnabled;
 605   
     }
 606   
 
 607   
     /**
 608   
      * Set the value of rubygemsAnalyzerEnabled.
 609   
      *
 610   
      * @param rubygemsAnalyzerEnabled new value of rubygemsAnalyzerEnabled
 611   
      */
 612   
     public void setRubygemsAnalyzerEnabled(Boolean rubygemsAnalyzerEnabled) {
 613  0 
         this.rubygemsAnalyzerEnabled = rubygemsAnalyzerEnabled;
 614  0 
     }
 615   
     /**
 616   
      * Whether the python package analyzer should be enabled.
 617   
      */
 618   
     private Boolean pyPackageAnalyzerEnabled;
 619   
 
 620   
     /**
 621   
      * Get the value of pyPackageAnalyzerEnabled.
 622   
      *
 623   
      * @return the value of pyPackageAnalyzerEnabled
 624   
      */
 625   
     public Boolean isPyPackageAnalyzerEnabled() {
 626  0 
         return pyPackageAnalyzerEnabled;
 627   
     }
 628   
 
 629   
     /**
 630   
      * Set the value of pyPackageAnalyzerEnabled.
 631   
      *
 632   
      * @param pyPackageAnalyzerEnabled new value of pyPackageAnalyzerEnabled
 633   
      */
 634   
     public void setPyPackageAnalyzerEnabled(Boolean pyPackageAnalyzerEnabled) {
 635  0 
         this.pyPackageAnalyzerEnabled = pyPackageAnalyzerEnabled;
 636  0 
     }
 637   
 
 638   
     /**
 639   
      * Whether the python distribution analyzer should be enabled.
 640   
      */
 641   
     private Boolean pyDistributionAnalyzerEnabled;
 642   
 
 643   
     /**
 644   
      * Get the value of pyDistributionAnalyzerEnabled.
 645   
      *
 646   
      * @return the value of pyDistributionAnalyzerEnabled
 647   
      */
 648   
     public Boolean isPyDistributionAnalyzerEnabled() {
 649  0 
         return pyDistributionAnalyzerEnabled;
 650   
     }
 651   
 
 652   
     /**
 653   
      * Set the value of pyDistributionAnalyzerEnabled.
 654   
      *
 655   
      * @param pyDistributionAnalyzerEnabled new value of
 656   
      * pyDistributionAnalyzerEnabled
 657   
      */
 658   
     public void setPyDistributionAnalyzerEnabled(Boolean pyDistributionAnalyzerEnabled) {
 659  0 
         this.pyDistributionAnalyzerEnabled = pyDistributionAnalyzerEnabled;
 660  0 
     }
 661   
 
 662   
     /**
 663   
      * Whether or not the central analyzer is enabled.
 664   
      */
 665   
     private Boolean centralAnalyzerEnabled;
 666   
 
 667   
     /**
 668   
      * Get the value of centralAnalyzerEnabled.
 669   
      *
 670   
      * @return the value of centralAnalyzerEnabled
 671   
      */
 672   
     public Boolean isCentralAnalyzerEnabled() {
 673  0 
         return centralAnalyzerEnabled;
 674   
     }
 675   
 
 676   
     /**
 677   
      * Set the value of centralAnalyzerEnabled.
 678   
      *
 679   
      * @param centralAnalyzerEnabled new value of centralAnalyzerEnabled
 680   
      */
 681   
     public void setCentralAnalyzerEnabled(Boolean centralAnalyzerEnabled) {
 682  0 
         this.centralAnalyzerEnabled = centralAnalyzerEnabled;
 683  0 
     }
 684   
 
 685   
     /**
 686   
      * Whether or not the nexus analyzer is enabled.
 687   
      */
 688   
     private Boolean nexusAnalyzerEnabled;
 689   
 
 690   
     /**
 691   
      * Get the value of nexusAnalyzerEnabled.
 692   
      *
 693   
      * @return the value of nexusAnalyzerEnabled
 694   
      */
 695   
     public Boolean isNexusAnalyzerEnabled() {
 696  0 
         return nexusAnalyzerEnabled;
 697   
     }
 698   
 
 699   
     /**
 700   
      * Set the value of nexusAnalyzerEnabled.
 701   
      *
 702   
      * @param nexusAnalyzerEnabled new value of nexusAnalyzerEnabled
 703   
      */
 704   
     public void setNexusAnalyzerEnabled(Boolean nexusAnalyzerEnabled) {
 705  0 
         this.nexusAnalyzerEnabled = nexusAnalyzerEnabled;
 706  0 
     }
 707   
 
 708   
     /**
 709   
      * The URL of a Nexus server's REST API end point
 710   
      * (http://domain/nexus/service/local).
 711   
      */
 712   
     private String nexusUrl;
 713   
 
 714   
     /**
 715   
      * Get the value of nexusUrl.
 716   
      *
 717   
      * @return the value of nexusUrl
 718   
      */
 719   
     public String getNexusUrl() {
 720  0 
         return nexusUrl;
 721   
     }
 722   
 
 723   
     /**
 724   
      * Set the value of nexusUrl.
 725   
      *
 726   
      * @param nexusUrl new value of nexusUrl
 727   
      */
 728   
     public void setNexusUrl(String nexusUrl) {
 729  0 
         this.nexusUrl = nexusUrl;
 730  0 
     }
 731   
     /**
 732   
      * Whether or not the defined proxy should be used when connecting to Nexus.
 733   
      */
 734   
     private Boolean nexusUsesProxy;
 735   
 
 736   
     /**
 737   
      * Get the value of nexusUsesProxy.
 738   
      *
 739   
      * @return the value of nexusUsesProxy
 740   
      */
 741   
     public Boolean isNexusUsesProxy() {
 742  0 
         return nexusUsesProxy;
 743   
     }
 744   
 
 745   
     /**
 746   
      * Set the value of nexusUsesProxy.
 747   
      *
 748   
      * @param nexusUsesProxy new value of nexusUsesProxy
 749   
      */
 750   
     public void setNexusUsesProxy(Boolean nexusUsesProxy) {
 751  0 
         this.nexusUsesProxy = nexusUsesProxy;
 752  0 
     }
 753   
 
 754   
     /**
 755   
      * Additional ZIP File extensions to add analyze. This should be a
 756   
      * comma-separated list of file extensions to treat like ZIP files.
 757   
      */
 758   
     private String zipExtensions;
 759   
 
 760   
     /**
 761   
      * Get the value of zipExtensions.
 762   
      *
 763   
      * @return the value of zipExtensions
 764   
      */
 765   
     public String getZipExtensions() {
 766  0 
         return zipExtensions;
 767   
     }
 768   
 
 769   
     /**
 770   
      * Set the value of zipExtensions.
 771   
      *
 772   
      * @param zipExtensions new value of zipExtensions
 773   
      */
 774   
     public void setZipExtensions(String zipExtensions) {
 775  0 
         this.zipExtensions = zipExtensions;
 776  0 
     }
 777   
 
 778   
     /**
 779   
      * The path to Mono for .NET assembly analysis on non-windows systems.
 780   
      */
 781   
     private String pathToMono;
 782   
 
 783   
     /**
 784   
      * Get the value of pathToMono.
 785   
      *
 786   
      * @return the value of pathToMono
 787   
      */
 788   
     public String getPathToMono() {
 789  0 
         return pathToMono;
 790   
     }
 791   
 
 792   
     /**
 793   
      * Set the value of pathToMono.
 794   
      *
 795   
      * @param pathToMono new value of pathToMono
 796   
      */
 797   
     public void setPathToMono(String pathToMono) {
 798  0 
         this.pathToMono = pathToMono;
 799  0 
     }
 800   
 
 801   
     @Override
 802   
     public void execute() throws BuildException {
 803  4 
         dealWithReferences();
 804  4 
         validateConfiguration();
 805  3 
         populateSettings();
 806  3 
         Engine engine = null;
 807   
         try {
 808  3 
             engine = new Engine(Check.class.getClassLoader());
 809  3 
             if (isUpdateOnly()) {
 810  0 
                 log("Deprecated 'UpdateOnly' property set; please use the UpdateTask instead", Project.MSG_WARN);
 811   
                 try {
 812  0 
                     engine.doUpdates();
 813  0 
                 } catch (UpdateException ex) {
 814  0 
                     if (this.isFailOnError()) {
 815  0 
                         throw new BuildException(ex);
 816   
                     }
 817  0 
                     log(ex.getMessage(), Project.MSG_ERR);
 818  0 
                 }
 819   
             } else {
 820  3 
                 for (Resource resource : path) {
 821  5 
                     final FileProvider provider = resource.as(FileProvider.class);
 822  5 
                     if (provider != null) {
 823  5 
                         final File file = provider.getFile();
 824  5 
                         if (file != null && file.exists()) {
 825  4 
                             engine.scan(file);
 826   
                         }
 827   
                     }
 828  5 
                 }
 829   
 
 830   
                 try {
 831  3 
                     engine.analyzeDependencies();
 832  0 
                 } catch (ExceptionCollection ex) {
 833  0 
                     if (this.isFailOnError()) {
 834  0 
                         throw new BuildException(ex);
 835   
                     }
 836  3 
                 }
 837  3 
                 DatabaseProperties prop = null;
 838  3 
                 CveDB cve = null;
 839   
                 try {
 840  3 
                     cve = new CveDB();
 841  3 
                     cve.open();
 842  3 
                     prop = cve.getDatabaseProperties();
 843  0 
                 } catch (DatabaseException ex) {
 844  0 
                     log("Unable to retrieve DB Properties", ex, Project.MSG_DEBUG);
 845   
                 } finally {
 846  3 
                     if (cve != null) {
 847  3 
                         cve.close();
 848   
                     }
 849   
                 }
 850  3 
                 final ReportGenerator reporter = new ReportGenerator(getProjectName(), engine.getDependencies(), engine.getAnalyzers(), prop);
 851  3 
                 reporter.generateReports(reportOutputDirectory, reportFormat);
 852   
 
 853  3 
                 if (this.failBuildOnCVSS <= 10) {
 854  0 
                     checkForFailure(engine.getDependencies());
 855   
                 }
 856  3 
                 if (this.showSummary) {
 857  3 
                     showSummary(engine.getDependencies());
 858   
                 }
 859   
             }
 860  0 
         } catch (DatabaseException ex) {
 861  0 
             final String msg = "Unable to connect to the dependency-check database; analysis has stopped";
 862  0 
             if (this.isFailOnError()) {
 863  0 
                 throw new BuildException(msg, ex);
 864   
             }
 865  0 
             log(msg, ex, Project.MSG_ERR);
 866  0 
         } catch (ReportException ex) {
 867  0 
             final String msg = "Unable to generate the dependency-check report";
 868  0 
             if (this.isFailOnError()) {
 869  0 
                 throw new BuildException(msg, ex);
 870   
             }
 871  0 
             log(msg, ex, Project.MSG_ERR);
 872   
         } finally {
 873  3 
             Settings.cleanup(true);
 874  3 
             if (engine != null) {
 875  3 
                 engine.cleanup();
 876   
             }
 877   
         }
 878  3 
     }
 879   
 
 880   
     /**
 881   
      * Validate the configuration to ensure the parameters have been properly
 882   
      * configured/initialized.
 883   
      *
 884   
      * @throws BuildException if the task was not configured correctly.
 885   
      */
 886   
     private void validateConfiguration() throws BuildException {
 887  4 
         if (path == null) {
 888  1 
             throw new BuildException("No project dependencies have been defined to analyze.");
 889   
         }
 890  3 
         if (failBuildOnCVSS < 0 || failBuildOnCVSS > 11) {
 891  0 
             throw new BuildException("Invalid configuration, failBuildOnCVSS must be between 0 and 11.");
 892   
         }
 893  3 
     }
 894   
 
 895   
     /**
 896   
      * Takes the properties supplied and updates the dependency-check settings.
 897   
      * Additionally, this sets the system properties required to change the
 898   
      * proxy server, port, and connection timeout.
 899   
      *
 900   
      * @throws BuildException thrown when an invalid setting is configured.
 901   
      */
 902   
     @Override
 903   
     protected void populateSettings() throws BuildException {
 904  3 
         super.populateSettings();
 905  3 
         Settings.setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate);
 906  3 
         Settings.setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
 907  3 
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, enableExperimental);
 908  3 
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
 909  3 
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, pyDistributionAnalyzerEnabled);
 910  3 
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, pyPackageAnalyzerEnabled);
 911  3 
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, rubygemsAnalyzerEnabled);
 912  3 
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, opensslAnalyzerEnabled);
 913  3 
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CMAKE_ENABLED, cmakeAnalyzerEnabled);
 914  3 
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
 915  3 
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
 916  3 
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);
 917  3 
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
 918  3 
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
 919  3 
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
 920  3 
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, archiveAnalyzerEnabled);
 921  3 
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, assemblyAnalyzerEnabled);
 922  3 
         Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
 923  3 
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
 924  3 
         Settings.setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
 925  3 
         Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
 926  3 
     }
 927   
 
 928   
     /**
 929   
      * Checks to see if a vulnerability has been identified with a CVSS score
 930   
      * that is above the threshold set in the configuration.
 931   
      *
 932   
      * @param dependencies the list of dependency objects
 933   
      * @throws BuildException thrown if a CVSS score is found that is higher
 934   
      * then the threshold set
 935   
      */
 936   
     private void checkForFailure(List<Dependency> dependencies) throws BuildException {
 937  0 
         final StringBuilder ids = new StringBuilder();
 938  0 
         for (Dependency d : dependencies) {
 939  0 
             for (Vulnerability v : d.getVulnerabilities()) {
 940  0 
                 if (v.getCvssScore() >= failBuildOnCVSS) {
 941  0 
                     if (ids.length() == 0) {
 942  0 
                         ids.append(v.getName());
 943   
                     } else {
 944  0 
                         ids.append(", ").append(v.getName());
 945   
                     }
 946   
                 }
 947  0 
             }
 948  0 
         }
 949  0 
         if (ids.length() > 0) {
 950  0 
             final String msg = String.format("%n%nDependency-Check Failure:%n"
 951   
                     + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater then '%.1f': %s%n"
 952  0 
                     + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids.toString());
 953  0 
             throw new BuildException(msg);
 954   
         }
 955  0 
     }
 956   
 
 957   
     /**
 958   
      * Generates a warning message listing a summary of dependencies and their
 959   
      * associated CPE and CVE entries.
 960   
      *
 961   
      * @param dependencies a list of dependency objects
 962   
      */
 963   
     private void showSummary(List<Dependency> dependencies) {
 964  3 
         final StringBuilder summary = new StringBuilder();
 965  3 
         for (Dependency d : dependencies) {
 966  5 
             boolean firstEntry = true;
 967  5 
             final StringBuilder ids = new StringBuilder();
 968  5 
             for (Vulnerability v : d.getVulnerabilities()) {
 969  18 
                 if (firstEntry) {
 970  4 
                     firstEntry = false;
 971   
                 } else {
 972  14 
                     ids.append(", ");
 973   
                 }
 974  18 
                 ids.append(v.getName());
 975  18 
             }
 976  5 
             if (ids.length() > 0) {
 977  4 
                 summary.append(d.getFileName()).append(" (");
 978  4 
                 firstEntry = true;
 979  4 
                 for (Identifier id : d.getIdentifiers()) {
 980  15 
                     if (firstEntry) {
 981  4 
                         firstEntry = false;
 982   
                     } else {
 983  11 
                         summary.append(", ");
 984   
                     }
 985  15 
                     summary.append(id.getValue());
 986  15 
                 }
 987  4 
                 summary.append(") : ").append(ids).append(NEW_LINE);
 988   
             }
 989  5 
         }
 990  3 
         if (summary.length() > 0) {
 991  6 
             final String msg = String.format("%n%n"
 992   
                     + "One or more dependencies were identified with known vulnerabilities:%n%n%s"
 993  3 
                     + "%n%nSee the dependency-check report for more details.%n%n", summary.toString());
 994  3 
             log(msg, Project.MSG_WARN);
 995   
         }
 996  3 
     }
 997   
 
 998   
     /**
 999   
      * An enumeration of supported report formats: "ALL", "HTML", "XML", "VULN",
 1000   
      * etc..
 1001   
      */
 1002  4 
     public static class ReportFormats extends EnumeratedAttribute {
 1003   
 
 1004   
         /**
 1005   
          * Returns the list of values for the report format.
 1006   
          *
 1007   
          * @return the list of values for the report format
 1008   
          */
 1009   
         @Override
 1010   
         public String[] getValues() {
 1011  4 
             int i = 0;
 1012  4 
             final Format[] formats = Format.values();
 1013  4 
             final String[] values = new String[formats.length];
 1014  20 
             for (Format format : formats) {
 1015  16 
                 values[i++] = format.name();
 1016   
             }
 1017  4 
             return values;
 1018   
         }
 1019   
     }
 1020   
 }
Report generated by Cobertura 2.1.1 on 9/6/16 6:50 AM.