org.owasp.dependencycheck.maven

Class BaseDependencyCheckMojo

java.lang.Object

org.apache.maven.plugin.AbstractMojo

org.owasp.dependencycheck.maven.BaseDependencyCheckMojo

All Implemented Interfaces:

org.apache.maven.plugin.ContextEnabled, org.apache.maven.plugin.Mojo, org.apache.maven.reporting.MavenReport

Direct Known Subclasses:

AggregateMojo, CheckMojo, PurgeMojo, UpdateMojo

public abstract class BaseDependencyCheckMojo
extends org.apache.maven.plugin.AbstractMojo
implements org.apache.maven.reporting.MavenReport

Author:

Jeremy Long

Field Summary

Fields inherited from interface org.apache.maven.reporting.MavenReport

CATEGORY_PROJECT_INFORMATION, CATEGORY_PROJECT_REPORTS, ROLE

Fields inherited from interface org.apache.maven.plugin.Mojo

ROLE

Constructor Summary

Constructors

Constructor and Description
BaseDependencyCheckMojo()

Method Summary

Modifier and Type	Method and Description
protected void	checkForFailure(List<Dependency> dependencies) Checks to see if a vulnerability has been identified with a CVSS score that is above the threshold set in the configuration.
protected boolean	excludeFromScan(String scope) Tests is the artifact should be included in the scan (i.e.
void	execute() Executes dependency-check.
void	generate(org.codehaus.doxia.sink.Sink sink, Locale locale) Deprecated. use generate(org.apache.maven.doxia.sink.Sink, java.util.Locale) instead.
void	generate(org.apache.maven.doxia.sink.Sink sink, Locale locale) Generates the Dependency-Check Site Report.
String	getCategoryName() Returns the category name.
protected String	getConnectionString() Returns the connection string.
protected File	getCorrectOutputDirectory() Returns the correct output directory depending on if a site is being executed or not.
protected File	getCorrectOutputDirectory(org.apache.maven.project.MavenProject current) Returns the correct output directory depending on if a site is being executed or not.
protected File	getDataFile(org.apache.maven.project.MavenProject current) Returns the correct output directory depending on if a site is being executed or not.
protected String	getDataFileContextKey() Returns the key used to store the path to the data file that is saved by writeDataFile().
protected String	getFormat() Returns the report format.
File	getOutputDirectory() Returns the output directory.
protected String	getOutputDirectoryContextKey() Returns the key used to store the path to the output directory.
String	getOutputName() Returns the output name.
protected org.apache.maven.project.MavenProject	getProject() Returns a reference to the current project.
protected List<org.apache.maven.project.MavenProject>	getReactorProjects() Returns the list of Maven Projects in this build.
File	getReportOutputDirectory() Returns the report output directory.
protected MavenEngine	initializeEngine() Initializes a new MavenEngine that can be used for scanning.
boolean	isExternalReport() Returns whether this is an external report.
protected boolean	isFailOnError() Returns if the mojo should fail the build if an exception occurs.
protected boolean	isGeneratingSite() Returns true if the Maven site is being generated.
protected void	populateSettings() Takes the properties supplied and updates the dependency-check settings.
protected List<Dependency>	readDataFile(org.apache.maven.project.MavenProject project) Reads the serialized scan data from disk.
abstract void	runCheck() Executes the dependency-check scan and generates the necassary report.
protected ExceptionCollection	scanArtifacts(org.apache.maven.project.MavenProject project, MavenEngine engine) Scans the project's artifacts and adds them to the engine's dependency list.
void	setReportOutputDirectory(File directory) Sets the Reporting output directory.
protected void	showSummary(org.apache.maven.project.MavenProject mp, List<Dependency> dependencies) Generates a warning message listing a summary of dependencies and their associated CPE and CVE entries.
protected void	writeDataFile(org.apache.maven.project.MavenProject mp, File writeTo, List<Dependency> dependencies) Writes the scan data to disk.
protected void	writeReports(MavenEngine engine, org.apache.maven.project.MavenProject p, File outputDir) Generates the reports for a given dependency-check engine.

Methods inherited from class org.apache.maven.plugin.AbstractMojo

getLog, getPluginContext, setLog, setPluginContext

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.maven.reporting.MavenReport

canGenerateReport, getDescription, getName

Constructor Detail

BaseDependencyCheckMojo

public BaseDependencyCheckMojo()

Method Detail

isFailOnError

protected boolean isFailOnError()

Returns if the mojo should fail the build if an exception occurs.

Returns:

whether or not the mojo should fail the build

getConnectionString

protected String getConnectionString()

Returns the connection string.

Returns:

the connection string

execute

public void execute()
             throws org.apache.maven.plugin.MojoExecutionException,
                    org.apache.maven.plugin.MojoFailureException

Executes dependency-check.

Specified by:

execute in interface org.apache.maven.plugin.Mojo

Throws:

org.apache.maven.plugin.MojoExecutionException - thrown if there is an exception executing the mojo

org.apache.maven.plugin.MojoFailureException - thrown if dependency-check failed the build

generate

@Deprecated
public final void generate(org.codehaus.doxia.sink.Sink sink,
                                        Locale locale)
                                 throws org.apache.maven.reporting.MavenReportException

Deprecated. use generate(org.apache.maven.doxia.sink.Sink, java.util.Locale) instead.

Generates the Dependency-Check Site Report.

Specified by:

generate in interface org.apache.maven.reporting.MavenReport

Parameters:

sink - the sink to write the report to

locale - the locale to use when generating the report

Throws:

org.apache.maven.reporting.MavenReportException - if a maven report exception occurs

isGeneratingSite

protected boolean isGeneratingSite()

Returns true if the Maven site is being generated.

Returns:

true if the Maven site is being generated

generate

public void generate(org.apache.maven.doxia.sink.Sink sink,
                     Locale locale)
              throws org.apache.maven.reporting.MavenReportException

Generates the Dependency-Check Site Report.

Parameters:

sink - the sink to write the report to

locale - the locale to use when generating the report

Throws:

org.apache.maven.reporting.MavenReportException - if a maven report exception occurs

getCorrectOutputDirectory

protected File getCorrectOutputDirectory()
                                  throws org.apache.maven.plugin.MojoExecutionException

Returns the correct output directory depending on if a site is being executed or not.

Returns:

the directory to write the report(s)

Throws:

org.apache.maven.plugin.MojoExecutionException - thrown if there is an error loading the file path

getCorrectOutputDirectory

protected File getCorrectOutputDirectory(org.apache.maven.project.MavenProject current)

Returns the correct output directory depending on if a site is being executed or not.

Parameters:

current - the Maven project to get the output directory from

Returns:

the directory to write the report(s)

getDataFile

protected File getDataFile(org.apache.maven.project.MavenProject current)

Returns the correct output directory depending on if a site is being executed or not.

Parameters:

current - the Maven project to get the output directory from

Returns:

the directory to write the report(s)

scanArtifacts

protected ExceptionCollection scanArtifacts(org.apache.maven.project.MavenProject project,
                                            MavenEngine engine)

Scans the project's artifacts and adds them to the engine's dependency list.

Parameters:

project - the project to scan the dependencies of

engine - the engine to use to scan the dependencies

Returns:

a collection of exceptions that may have occurred while resolving and scanning the dependencies

runCheck

public abstract void runCheck()
                       throws org.apache.maven.plugin.MojoExecutionException,
                              org.apache.maven.plugin.MojoFailureException

Executes the dependency-check scan and generates the necassary report.

Throws:

org.apache.maven.plugin.MojoExecutionException - thrown if there is an exception running the scan

org.apache.maven.plugin.MojoFailureException - thrown if dependency-check is configured to fail the build

setReportOutputDirectory

public void setReportOutputDirectory(File directory)

Sets the Reporting output directory.

Specified by:

setReportOutputDirectory in interface org.apache.maven.reporting.MavenReport

Parameters:

directory - the output directory

getReportOutputDirectory

public File getReportOutputDirectory()

Returns the report output directory.

Specified by:

getReportOutputDirectory in interface org.apache.maven.reporting.MavenReport

Returns:

the report output directory

getOutputDirectory

public File getOutputDirectory()

Returns the output directory.

Returns:

the output directory

isExternalReport

public final boolean isExternalReport()

Returns whether this is an external report. This method always returns true.

Specified by:

isExternalReport in interface org.apache.maven.reporting.MavenReport

Returns:

true

getOutputName

public String getOutputName()

Returns the output name.

Specified by:

getOutputName in interface org.apache.maven.reporting.MavenReport

Returns:

the output name

getCategoryName

public String getCategoryName()

Returns the category name.

Specified by:

getCategoryName in interface org.apache.maven.reporting.MavenReport

Returns:

the category name

initializeEngine

protected MavenEngine initializeEngine()
                                throws DatabaseException

Initializes a new MavenEngine that can be used for scanning.

Returns:

a newly instantiated MavenEngine

Throws:

DatabaseException - thrown if there is a database exception

populateSettings

protected void populateSettings()

Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties required to change the proxy url, port, and connection timeout.

excludeFromScan

protected boolean excludeFromScan(String scope)

Tests is the artifact should be included in the scan (i.e. is the dependency in a scope that is being scanned).

Parameters:

scope - the scope of the artifact to test

Returns:

true if the artifact is in an excluded scope; otherwise false

getProject

protected org.apache.maven.project.MavenProject getProject()

Returns a reference to the current project. This method is used instead of auto-binding the project via component annotation in concrete implementations of this. If the child has a @Component MavenProject project; defined then the abstract class (i.e. this class) will not have access to the current project (just the way Maven works with the binding).

Returns:

returns a reference to the current project

getReactorProjects

protected List<org.apache.maven.project.MavenProject> getReactorProjects()

Returns the list of Maven Projects in this build.

Returns:

the list of Maven Projects in this build

getFormat

protected String getFormat()

Returns the report format.

Returns:

the report format

writeReports

protected void writeReports(MavenEngine engine,
                            org.apache.maven.project.MavenProject p,
                            File outputDir)
                     throws ReportException

Generates the reports for a given dependency-check engine.

Parameters:

engine - a dependency-check engine

p - the Maven project

outputDir - the directory path to write the report(s)

Throws:

ReportException - thrown if there is an error writing the report

checkForFailure

protected void checkForFailure(List<Dependency> dependencies)
                        throws org.apache.maven.plugin.MojoFailureException

Checks to see if a vulnerability has been identified with a CVSS score that is above the threshold set in the configuration.

Parameters:

dependencies - the list of dependency objects

Throws:

org.apache.maven.plugin.MojoFailureException - thrown if a CVSS score is found that is higher then the threshold set

showSummary

protected void showSummary(org.apache.maven.project.MavenProject mp,
                           List<Dependency> dependencies)

Generates a warning message listing a summary of dependencies and their associated CPE and CVE entries.

Parameters:

mp - the Maven project for which the summary is shown

dependencies - a list of dependency objects

getDataFileContextKey

protected String getDataFileContextKey()

Returns the key used to store the path to the data file that is saved by writeDataFile(). This key is used in the MavenProject.(set|get)ContextValue.

Returns:

the key used to store the path to the data file

getOutputDirectoryContextKey

protected String getOutputDirectoryContextKey()

Returns the key used to store the path to the output directory. When generating the report in the executeAggregateReport() the output directory should be obtained by using this key.

Returns:

the key used to store the path to the output directory

writeDataFile

protected void writeDataFile(org.apache.maven.project.MavenProject mp,
                             File writeTo,
                             List<Dependency> dependencies)

Writes the scan data to disk. This is used to serialize the scan data between the "check" and "aggregate" phase.

Parameters:

mp - the mMven project for which the data file was created

writeTo - the directory to write the data file

dependencies - the list of dependencies to serialize

readDataFile

protected List<Dependency> readDataFile(org.apache.maven.project.MavenProject project)

Reads the serialized scan data from disk. This is used to serialize the scan data between the "check" and "aggregate" phase.

Parameters:

project - the Maven project to read the data file from

Returns:

a MavenEngine object populated with dependencies if the serialized data file exists; otherwise null is returned