View Javadoc
1   /*
2    * This file is part of dependency-check-maven.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.maven;
19  
20  import java.io.File;
21  import java.io.IOException;
22  import java.io.InputStream;
23  import java.io.UnsupportedEncodingException;
24  import java.net.URLEncoder;
25  import java.text.DateFormat;
26  import java.util.Date;
27  import java.util.List;
28  import java.util.Locale;
29  import java.util.Set;
30  import java.util.logging.Level;
31  import java.util.logging.Logger;
32  import org.apache.maven.artifact.Artifact;
33  import org.apache.maven.doxia.sink.Sink;
34  import org.apache.maven.doxia.sink.SinkFactory;
35  import org.apache.maven.plugin.AbstractMojo;
36  import org.apache.maven.plugin.MojoExecutionException;
37  import org.apache.maven.plugin.MojoFailureException;
38  import org.apache.maven.plugins.annotations.Component;
39  import org.apache.maven.plugins.annotations.LifecyclePhase;
40  import org.apache.maven.plugins.annotations.Mojo;
41  import org.apache.maven.plugins.annotations.Parameter;
42  import org.apache.maven.plugins.annotations.ResolutionScope;
43  import org.apache.maven.project.MavenProject;
44  import org.apache.maven.reporting.MavenMultiPageReport;
45  import org.apache.maven.reporting.MavenReport;
46  import org.apache.maven.reporting.MavenReportException;
47  import org.apache.maven.settings.Proxy;
48  import org.owasp.dependencycheck.Engine;
49  import org.owasp.dependencycheck.data.nvdcve.CveDB;
50  import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
51  import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
52  import org.owasp.dependencycheck.dependency.Dependency;
53  import org.owasp.dependencycheck.dependency.Evidence;
54  import org.owasp.dependencycheck.dependency.Identifier;
55  import org.owasp.dependencycheck.dependency.Reference;
56  import org.owasp.dependencycheck.dependency.Vulnerability;
57  import org.owasp.dependencycheck.dependency.VulnerableSoftware;
58  import org.owasp.dependencycheck.reporting.ReportGenerator;
59  import org.owasp.dependencycheck.utils.LogUtils;
60  import org.owasp.dependencycheck.utils.Settings;
61  
62  /**
63   * Maven Plugin that checks project dependencies to see if they have any known published vulnerabilities.
64   *
65   * @author Jeremy Long <jeremy.long@owasp.org>
66   */
67  @Mojo(name = "check", defaultPhase = LifecyclePhase.COMPILE, threadSafe = true,
68          requiresDependencyResolution = ResolutionScope.RUNTIME_PLUS_SYSTEM,
69          requiresOnline = true)
70  public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageReport {
71  
72      /**
73       * Logger field reference.
74       */
75      private final Logger logger = Logger.getLogger(DependencyCheckMojo.class.getName());
76  
77      /**
78       * The properties file location.
79       */
80      private static final String PROPERTIES_FILE = "mojo.properties";
81      /**
82       * Name of the logging properties file.
83       */
84      private static final String LOG_PROPERTIES_FILE = "log.properties";
85      /**
86       * System specific new line character.
87       */
88      private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();
89      // <editor-fold defaultstate="collapsed" desc="Maven bound parameters and components">
90      /**
91       * The Maven Project Object.
92       */
93      @Component
94      private MavenProject project;
95      /**
96       * The path to the verbose log.
97       */
98      @Parameter(property = "logfile", defaultValue = "")
99      private String logFile;
100     /**
101      * The name of the report to be displayed in the Maven Generated Reports page.
102      */
103     @Parameter(property = "name", defaultValue = "Dependency-Check")
104     private String name;
105     /**
106      * The description of the Dependency-Check report to be displayed in the Maven Generated Reports page.
107      */
108     @Parameter(property = "description", defaultValue = "A report providing details on any published "
109             + "vulnerabilities within project dependencies. This report is a best effort but may contain "
110             + "false positives and false negatives.")
111     private String description;
112     /**
113      * Specifies the destination directory for the generated Dependency-Check report. This generally maps to
114      * "target/site".
115      */
116     @Parameter(property = "reportOutputDirectory", defaultValue = "${project.reporting.outputDirectory}", required = true)
117     private File reportOutputDirectory;
118     /**
119      * The output directory. This generally maps to "target".
120      */
121     @Parameter(defaultValue = "${project.build.directory}", required = true)
122     private File outputDirectory;
123     /**
124      * Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11
125      * which means since the CVSS scores are 0-10, by default the build will never fail.
126      */
127     @SuppressWarnings("CanBeFinal")
128     @Parameter(property = "failBuildOnCVSS", defaultValue = "11", required = true)
129     private float failBuildOnCVSS = 11;
130     /**
131      * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to
132      * false. Default is true.
133      */
134     @SuppressWarnings("CanBeFinal")
135     @Parameter(property = "autoupdate", defaultValue = "true", required = true)
136     private boolean autoUpdate = true;
137     /**
138      * The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this
139      * within the Site plugin unless the externalReport is set to true. Default is HTML.
140      */
141     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
142     @Parameter(property = "format", defaultValue = "HTML", required = true)
143     private String format = "HTML";
144     /**
145      * Sets whether or not the external report format should be used.
146      */
147     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
148     @Parameter(property = "externalReport", defaultValue = "false", required = true)
149     private boolean externalReport = false;
150 
151     /**
152      * The maven settings.
153      */
154     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
155     @Parameter(property = "mavenSettings", defaultValue = "${settings}", required = false)
156     private org.apache.maven.settings.Settings mavenSettings;
157 
158     /**
159      * The maven settings proxy id.
160      */
161     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
162     @Parameter(property = "mavenSettingsProxyId", required = false)
163     private String mavenSettingsProxyId;
164 
165     /**
166      * The Connection Timeout.
167      */
168     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
169     @Parameter(property = "connectionTimeout", defaultValue = "", required = false)
170     private String connectionTimeout = null;
171     /**
172      * The path to the suppression file.
173      */
174     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
175     @Parameter(property = "suppressionFile", defaultValue = "", required = false)
176     private String suppressionFile = null;
177     /**
178      * Flag indicating whether or not to show a summary in the output.
179      */
180     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
181     @Parameter(property = "showSummary", defaultValue = "true", required = false)
182     private boolean showSummary = true;
183 
184     /**
185      * Whether or not the Jar Analyzer is enabled.
186      */
187     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
188     @Parameter(property = "jarAnalyzerEnabled", defaultValue = "true", required = false)
189     private boolean jarAnalyzerEnabled = true;
190 
191     /**
192      * Whether or not the Archive Analyzer is enabled.
193      */
194     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
195     @Parameter(property = "archiveAnalyzerEnabled", defaultValue = "true", required = false)
196     private boolean archiveAnalyzerEnabled = true;
197 
198     /**
199      * Whether or not the .NET Assembly Analyzer is enabled.
200      */
201     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
202     @Parameter(property = "assemblyAnalyzerEnabled", defaultValue = "true", required = false)
203     private boolean assemblyAnalyzerEnabled = true;
204 
205     /**
206      * Whether or not the .NET Nuspec Analyzer is enabled.
207      */
208     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
209     @Parameter(property = "nuspecAnalyzerEnabled", defaultValue = "true", required = false)
210     private boolean nuspecAnalyzerEnabled = true;
211 
212     /**
213      * Whether or not the Nexus Analyzer is enabled.
214      */
215     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
216     @Parameter(property = "nexusAnalyzerEnabled", defaultValue = "true", required = false)
217     private boolean nexusAnalyzerEnabled = true;
218     /**
219      * Whether or not the Nexus Analyzer is enabled.
220      */
221     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
222     @Parameter(property = "nexusUrl", defaultValue = "", required = false)
223     private String nexusUrl;
224     /**
225      * Whether or not the configured proxy is used to connect to Nexus.
226      */
227     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
228     @Parameter(property = "nexusUsesProxy", defaultValue = "true", required = false)
229     private boolean nexusUsesProxy = true;
230     /**
231      * The database connection string.
232      */
233     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
234     @Parameter(property = "connectionString", defaultValue = "", required = false)
235     private String connectionString;
236     /**
237      * The database driver name. An example would be org.h2.Driver.
238      */
239     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
240     @Parameter(property = "databaseDriverName", defaultValue = "", required = false)
241     private String databaseDriverName;
242     /**
243      * The path to the database driver if it is not on the class path.
244      */
245     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
246     @Parameter(property = "databaseDriverPath", defaultValue = "", required = false)
247     private String databaseDriverPath;
248     /**
249      * The database user name.
250      */
251     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
252     @Parameter(property = "databaseUser", defaultValue = "", required = false)
253     private String databaseUser;
254     /**
255      * The password to use when connecting to the database.
256      */
257     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
258     @Parameter(property = "databasePassword", defaultValue = "", required = false)
259     private String databasePassword;
260     /**
261      * A comma-separated list of file extensions to add to analysis next to jar, zip, ....
262      */
263     @Parameter(property = "zipExtensions", required = false)
264     private String zipExtensions;
265     /**
266      * Skip Analysis for Test Scope Dependencies.
267      */
268     @SuppressWarnings("CanBeFinal")
269     @Parameter(property = "skipTestScope", defaultValue = "true", required = false)
270     private boolean skipTestScope = true;
271     /**
272      * Skip Analysis for Runtime Scope Dependencies.
273      */
274     @SuppressWarnings("CanBeFinal")
275     @Parameter(property = "skipRuntimeScope", defaultValue = "false", required = false)
276     private boolean skipRuntimeScope = false;
277     /**
278      * Skip Analysis for Provided Scope Dependencies.
279      */
280     @SuppressWarnings("CanBeFinal")
281     @Parameter(property = "skipProvidedScope", defaultValue = "false", required = false)
282     private boolean skipProvidedScope = false;
283     /**
284      * The data directory, hold DC SQL DB.
285      */
286     @Parameter(property = "dataDirectory", defaultValue = "", required = false)
287     private String dataDirectory;
288     /**
289      * Data Mirror URL for CVE 1.2.
290      */
291     @Parameter(property = "cveUrl12Modified", defaultValue = "", required = false)
292     private String cveUrl12Modified;
293     /**
294      * Data Mirror URL for CVE 2.0.
295      */
296     @Parameter(property = "cveUrl20Modified", defaultValue = "", required = false)
297     private String cveUrl20Modified;
298     /**
299      * Base Data Mirror URL for CVE 1.2.
300      */
301     @Parameter(property = "cveUrl12Base", defaultValue = "", required = false)
302     private String cveUrl12Base;
303     /**
304      * Data Mirror URL for CVE 2.0.
305      */
306     @Parameter(property = "cveUrl20Base", defaultValue = "", required = false)
307     private String cveUrl20Base;
308 
309     /**
310      * The path to mono for .NET Assembly analysis on non-windows systems.
311      */
312     @Parameter(property = "pathToMono", defaultValue = "", required = false)
313     private String pathToMono;
314 
315     /**
316      * The Proxy URL.
317      *
318      * @deprecated Please use mavenSettings instead
319      */
320     @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
321     @Parameter(property = "proxyUrl", defaultValue = "", required = false)
322     @Deprecated
323     private String proxyUrl = null;
324 
325     // </editor-fold>
326     /**
327      * Executes the Dependency-Check on the dependent libraries.
328      *
329      * @return the Engine used to scan the dependencies.
330      * @throws DatabaseException thrown if there is an exception connecting to the database
331      */
332     private Engine executeDependencyCheck() throws DatabaseException {
333 
334         final InputStream in = DependencyCheckMojo.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
335         LogUtils.prepareLogger(in, logFile);
336 
337         populateSettings();
338         final Engine engine = new Engine();
339 
340         final Set<Artifact> artifacts = project.getArtifacts();
341         for (Artifact a : artifacts) {
342             if (skipTestScope && Artifact.SCOPE_TEST.equals(a.getScope())) {
343                 continue;
344             }
345 
346             if (skipProvidedScope && Artifact.SCOPE_PROVIDED.equals(a.getScope())) {
347                 continue;
348             }
349 
350             if (skipRuntimeScope && !Artifact.SCOPE_RUNTIME.equals(a.getScope())) {
351                 continue;
352             }
353 
354             engine.scan(a.getFile().getAbsolutePath());
355         }
356         engine.analyzeDependencies();
357 
358         return engine;
359     }
360 
361     /**
362      * Generates the reports for a given dependency-check engine.
363      *
364      * @param engine a dependency-check engine
365      * @param outDirectory the directory to write the reports to
366      */
367     private void generateExternalReports(Engine engine, File outDirectory) {
368         DatabaseProperties prop = null;
369         CveDB cve = null;
370         try {
371             cve = new CveDB();
372             cve.open();
373             prop = cve.getDatabaseProperties();
374         } catch (DatabaseException ex) {
375             logger.log(Level.FINE, "Unable to retrieve DB Properties", ex);
376         } finally {
377             if (cve != null) {
378                 cve.close();
379             }
380         }
381         final ReportGenerator r = new ReportGenerator(project.getName(), engine.getDependencies(), engine.getAnalyzers(), prop);
382         try {
383             r.generateReports(outDirectory.getCanonicalPath(), format);
384         } catch (IOException ex) {
385             logger.log(Level.SEVERE,
386                     "Unexpected exception occurred during analysis; please see the verbose error log for more details.");
387             logger.log(Level.FINE, null, ex);
388         } catch (Throwable ex) {
389             logger.log(Level.SEVERE,
390                     "Unexpected exception occurred during analysis; please see the verbose error log for more details.");
391             logger.log(Level.FINE, null, ex);
392         }
393     }
394 
395     /**
396      * Generates a dependency-check report using the Maven Site format.
397      *
398      * @param engine the engine used to scan the dependencies
399      * @param sink the sink to write the data to
400      */
401     private void generateMavenSiteReport(final Engine engine, Sink sink) {
402         final List<Dependency> dependencies = engine.getDependencies();
403 
404         writeSiteReportHeader(sink, project.getName());
405         writeSiteReportTOC(sink, dependencies);
406 
407         int cnt = 0;
408         for (Dependency d : dependencies) {
409             writeSiteReportDependencyHeader(sink, d);
410             cnt = writeSiteReportDependencyEvidenceUsed(d, cnt, sink);
411             cnt = writeSiteReportDependencyRelatedDependencies(d, cnt, sink);
412             writeSiteReportDependencyIdentifiers(d, sink);
413             writeSiteReportDependencyVulnerabilities(d, sink, cnt);
414         }
415         sink.body_();
416     }
417 
418     // <editor-fold defaultstate="collapsed" desc="various writeXXXXX methods to generate the Site Report">
419     /**
420      * Writes the vulnerabilities to the site report.
421      *
422      * @param d the dependency
423      * @param sink the sink to write the data to
424      * @param collapsibleHeaderCount the collapsible header count
425      */
426     private void writeSiteReportDependencyVulnerabilities(Dependency d, Sink sink, int collapsibleHeaderCount) {
427         int cnt = collapsibleHeaderCount;
428         if (d.getVulnerabilities() != null && !d.getVulnerabilities().isEmpty()) {
429             for (Vulnerability v : d.getVulnerabilities()) {
430 
431                 sink.paragraph();
432                 sink.bold();
433                 try {
434                     sink.link("http://web.nvd.nist.gov/view/vuln/detail?vulnId=" + URLEncoder.encode(v.getName(), "US-ASCII"));
435                     sink.text(v.getName());
436                     sink.link_();
437                     sink.bold_();
438                 } catch (UnsupportedEncodingException ex) {
439                     sink.text(v.getName());
440                     sink.bold_();
441                     sink.lineBreak();
442                     sink.text("http://web.nvd.nist.gov/view/vuln/detail?vulnId=" + v.getName());
443                 }
444                 sink.paragraph_();
445                 sink.paragraph();
446                 sink.text("Severity: ");
447                 if (v.getCvssScore() < 4.0) {
448                     sink.text("Low");
449                 } else {
450                     if (v.getCvssScore() >= 7.0) {
451                         sink.text("High");
452                     } else {
453                         sink.text("Medium");
454                     }
455                 }
456                 sink.lineBreak();
457                 sink.text("CVSS Score: " + v.getCvssScore());
458                 if (v.getCwe() != null && !v.getCwe().isEmpty()) {
459                     sink.lineBreak();
460                     sink.text("CWE: ");
461                     sink.text(v.getCwe());
462                 }
463                 sink.paragraph_();
464                 sink.paragraph();
465                 sink.text(v.getDescription());
466                 if (v.getReferences() != null && !v.getReferences().isEmpty()) {
467                     sink.list();
468                     for (Reference ref : v.getReferences()) {
469                         sink.listItem();
470                         sink.text(ref.getSource());
471                         sink.text(" - ");
472                         sink.link(ref.getUrl());
473                         sink.text(ref.getName());
474                         sink.link_();
475                         sink.listItem_();
476                     }
477                     sink.list_();
478                 }
479                 sink.paragraph_();
480                 if (v.getVulnerableSoftware() != null && !v.getVulnerableSoftware().isEmpty()) {
481                     sink.paragraph();
482 
483                     cnt += 1;
484                     sink.rawText("Vulnerable Software <a href=\"javascript:toggleElement(this, 'vulnSoft" + cnt + "')\">[-]</a>");
485                     sink.rawText("<div id=\"vulnSoft" + cnt + "\" style=\"display:block\">");
486                     sink.list();
487                     for (VulnerableSoftware vs : v.getVulnerableSoftware()) {
488                         sink.listItem();
489                         try {
490                             sink.link("http://web.nvd.nist.gov/view/vuln/search-results?cpe=" + URLEncoder.encode(vs.getName(), "US-ASCII"));
491                             sink.text(vs.getName());
492                             sink.link_();
493                             if (vs.hasPreviousVersion()) {
494                                 sink.text(" and all previous versions.");
495                             }
496                         } catch (UnsupportedEncodingException ex) {
497                             sink.text(vs.getName());
498                             if (vs.hasPreviousVersion()) {
499                                 sink.text(" and all previous versions.");
500                             }
501                             sink.text(" (http://web.nvd.nist.gov/view/vuln/search-results?cpe=" + vs.getName() + ")");
502                         }
503 
504                         sink.listItem_();
505                     }
506                     sink.list_();
507                     sink.rawText("</div>");
508                     sink.paragraph_();
509                 }
510             }
511         }
512     }
513 
514     /**
515      * Writes the identifiers to the site report.
516      *
517      * @param d the dependency
518      * @param sink the sink to write the data to
519      */
520     private void writeSiteReportDependencyIdentifiers(Dependency d, Sink sink) {
521         if (d.getIdentifiers() != null && !d.getIdentifiers().isEmpty()) {
522             sink.sectionTitle4();
523             sink.text("Identifiers");
524             sink.sectionTitle4_();
525             sink.list();
526             for (Identifier i : d.getIdentifiers()) {
527                 sink.listItem();
528                 sink.text(i.getType());
529                 sink.text(": ");
530                 if (i.getUrl() != null && i.getUrl().length() > 0) {
531                     sink.link(i.getUrl());
532                     sink.text(i.getValue());
533                     sink.link_();
534                 } else {
535                     sink.text(i.getValue());
536                 }
537                 if (i.getDescription() != null && i.getDescription().length() > 0) {
538                     sink.lineBreak();
539                     sink.text(i.getDescription());
540                 }
541                 sink.listItem_();
542             }
543             sink.list_();
544         }
545     }
546 
547     /**
548      * Writes the related dependencies to the site report.
549      *
550      * @param d the dependency
551      * @param sink the sink to write the data to
552      * @param collapsibleHeaderCount the collapsible header count
553      * @return the collapsible header count
554      */
555     private int writeSiteReportDependencyRelatedDependencies(Dependency d, int collapsibleHeaderCount, Sink sink) {
556         int cnt = collapsibleHeaderCount;
557         if (d.getRelatedDependencies() != null && !d.getRelatedDependencies().isEmpty()) {
558             cnt += 1;
559             sink.sectionTitle4();
560             sink.rawText("Related Dependencies <a href=\"javascript:toggleElement(this, 'related" + cnt + "')\">[+]</a>");
561             sink.sectionTitle4_();
562             sink.rawText("<div id=\"related" + cnt + "\" style=\"display:none\">");
563             sink.list();
564             for (Dependency r : d.getRelatedDependencies()) {
565                 sink.listItem();
566                 sink.text(r.getFileName());
567                 sink.list();
568                 writeListItem(sink, "File Path: " + r.getFilePath());
569                 writeListItem(sink, "SHA1: " + r.getSha1sum());
570                 writeListItem(sink, "MD5: " + r.getMd5sum());
571                 sink.list_();
572                 sink.listItem_();
573             }
574             sink.list_();
575             sink.rawText("</div>");
576         }
577         return cnt;
578     }
579 
580     /**
581      * Writes the evidence used to the site report.
582      *
583      * @param d the dependency
584      * @param sink the sink to write the data to
585      * @param collapsibleHeaderCount the collapsible header count
586      * @return the collapsible header count
587      */
588     private int writeSiteReportDependencyEvidenceUsed(Dependency d, int collapsibleHeaderCount, Sink sink) {
589         int cnt = collapsibleHeaderCount;
590         final Set<Evidence> evidence = d.getEvidenceForDisplay();
591         if (evidence != null && evidence.size() > 0) {
592             cnt += 1;
593             sink.sectionTitle4();
594             sink.rawText("Evidence Collected <a href=\"javascript:toggleElement(this, 'evidence" + cnt + "')\">[+]</a>");
595             sink.sectionTitle4_();
596             sink.rawText("<div id=\"evidence" + cnt + "\" style=\"display:none\">");
597             sink.table();
598             sink.tableRow();
599             writeTableHeaderCell(sink, "Source");
600             writeTableHeaderCell(sink, "Name");
601             writeTableHeaderCell(sink, "Value");
602             sink.tableRow_();
603             for (Evidence e : evidence) {
604                 sink.tableRow();
605                 writeTableCell(sink, e.getSource());
606                 writeTableCell(sink, e.getName());
607                 writeTableCell(sink, e.getValue());
608                 sink.tableRow_();
609             }
610             sink.table_();
611             sink.rawText("</div>");
612         }
613         return cnt;
614     }
615 
616     /**
617      * Writes the dependency header to the site report.
618      *
619      * @param d the dependency
620      * @param sink the sink to write the data to
621      */
622     private void writeSiteReportDependencyHeader(Sink sink, Dependency d) {
623         sink.sectionTitle2();
624         sink.anchor("sha1" + d.getSha1sum());
625         sink.text(d.getFileName());
626         sink.anchor_();
627         sink.sectionTitle2_();
628         if (d.getDescription() != null && d.getDescription().length() > 0) {
629             sink.paragraph();
630             sink.bold();
631             sink.text("Description: ");
632             sink.bold_();
633             sink.text(d.getDescription());
634             sink.paragraph_();
635         }
636         if (d.getLicense() != null && d.getLicense().length() > 0) {
637             sink.paragraph();
638             sink.bold();
639             sink.text("License: ");
640             sink.bold_();
641             if (d.getLicense().startsWith("http://") && !d.getLicense().contains(" ")) {
642                 sink.link(d.getLicense());
643                 sink.text(d.getLicense());
644                 sink.link_();
645             } else {
646                 sink.text(d.getLicense());
647             }
648             sink.paragraph_();
649         }
650     }
651 
652     /**
653      * Adds a list item to the site report.
654      *
655      * @param sink the sink to write the data to
656      * @param text the text to write
657      */
658     private void writeListItem(Sink sink, String text) {
659         sink.listItem();
660         sink.text(text);
661         sink.listItem_();
662     }
663 
664     /**
665      * Adds a table cell to the site report.
666      *
667      * @param sink the sink to write the data to
668      * @param text the text to write
669      */
670     private void writeTableCell(Sink sink, String text) {
671         sink.tableCell();
672         sink.text(text);
673         sink.tableCell_();
674     }
675 
676     /**
677      * Adds a table header cell to the site report.
678      *
679      * @param sink the sink to write the data to
680      * @param text the text to write
681      */
682     private void writeTableHeaderCell(Sink sink, String text) {
683         sink.tableHeaderCell();
684         sink.text(text);
685         sink.tableHeaderCell_();
686     }
687 
688     /**
689      * Writes the TOC for the site report.
690      *
691      * @param sink the sink to write the data to
692      * @param dependencies the dependencies that are being reported on
693      */
694     private void writeSiteReportTOC(Sink sink, final List<Dependency> dependencies) {
695         sink.list();
696         for (Dependency d : dependencies) {
697             sink.listItem();
698             sink.link("#sha1" + d.getSha1sum());
699             sink.text(d.getFileName());
700             sink.link_();
701             if (!d.getVulnerabilities().isEmpty()) {
702                 sink.rawText(" <font style=\"color:red\">•</font>");
703             }
704             if (!d.getRelatedDependencies().isEmpty()) {
705                 sink.list();
706                 for (Dependency r : d.getRelatedDependencies()) {
707                     writeListItem(sink, r.getFileName());
708                 }
709                 sink.list_();
710             }
711             sink.listItem_();
712         }
713         sink.list_();
714     }
715 
716     /**
717      * Writes the site report header.
718      *
719      * @param sink the sink to write the data to
720      * @param projectName the name of the project
721      */
722     private void writeSiteReportHeader(Sink sink, String projectName) {
723         sink.head();
724         sink.title();
725         sink.text("Dependency-Check Report: " + projectName);
726         sink.title_();
727         sink.head_();
728         sink.body();
729         sink.rawText("<script type=\"text/javascript\">");
730         sink.rawText("function toggleElement(el, targetId) {");
731         sink.rawText("if (el.innerText == '[+]') {");
732         sink.rawText("    el.innerText = '[-]';");
733         sink.rawText("    document.getElementById(targetId).style.display='block';");
734         sink.rawText("} else {");
735         sink.rawText("    el.innerText = '[+]';");
736         sink.rawText("    document.getElementById(targetId).style.display='none';");
737         sink.rawText("}");
738 
739         sink.rawText("}");
740         sink.rawText("</script>");
741         sink.section1();
742         sink.sectionTitle1();
743         sink.text("Project: " + projectName);
744         sink.sectionTitle1_();
745         sink.date();
746         final Date now = new Date();
747         sink.text(DateFormat.getDateTimeInstance().format(now));
748         sink.date_();
749         sink.section1_();
750     }
751     // </editor-fold>
752 
753     /**
754      * Returns the maven settings proxy server.
755      *
756      * @param proxy the maven proxy
757      * @return the proxy url
758      */
759     private String getMavenSettingsProxyServer(Proxy proxy) {
760         return new StringBuilder(proxy.getProtocol()).append("://").append(proxy.getHost()).toString();
761     }
762 
763     /**
764      * Returns the maven proxy.
765      *
766      * @return the maven proxy
767      */
768     private Proxy getMavenProxy() {
769         if (mavenSettings != null) {
770             final List<Proxy> proxies = mavenSettings.getProxies();
771             if (proxies != null && proxies.size() > 0) {
772                 if (mavenSettingsProxyId != null) {
773                     for (Proxy proxy : proxies) {
774                         if (mavenSettingsProxyId.equalsIgnoreCase(proxy.getId())) {
775                             return proxy;
776                         }
777                     }
778                 } else if (proxies.size() == 1) {
779                     return proxies.get(0);
780                 } else {
781                     throw new IllegalStateException("Ambiguous proxy definition");
782                 }
783             }
784         }
785         return null;
786     }
787 
788     /**
789      * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system
790      * properties required to change the proxy url, port, and connection timeout.
791      */
792     private void populateSettings() {
793         Settings.initialize();
794         InputStream mojoProperties = null;
795         try {
796             mojoProperties = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
797             Settings.mergeProperties(mojoProperties);
798         } catch (IOException ex) {
799             logger.log(Level.WARNING, "Unable to load the dependency-check ant task.properties file.");
800             logger.log(Level.FINE, null, ex);
801         } finally {
802             if (mojoProperties != null) {
803                 try {
804                     mojoProperties.close();
805                 } catch (IOException ex) {
806                     logger.log(Level.FINEST, null, ex);
807                 }
808             }
809         }
810 
811         Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
812 
813         if (proxyUrl != null && !proxyUrl.isEmpty()) {
814             logger.warning("Deprecated configuration detected, proxyUrl will be ignored; use the maven settings to configure the proxy instead");
815         }
816 
817         final Proxy proxy = getMavenProxy();
818         if (proxy != null) {
819             Settings.setString(Settings.KEYS.PROXY_SERVER, getMavenSettingsProxyServer(proxy));
820             Settings.setString(Settings.KEYS.PROXY_PORT, Integer.toString(proxy.getPort()));
821             final String userName = proxy.getUsername();
822             final String password = proxy.getPassword();
823             if (userName != null && password != null) {
824                 Settings.setString(Settings.KEYS.PROXY_USERNAME, userName);
825                 Settings.setString(Settings.KEYS.PROXY_PASSWORD, password);
826             }
827         }
828 
829         if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
830             Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
831         }
832         if (suppressionFile != null && !suppressionFile.isEmpty()) {
833             Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
834         }
835 
836         //File Type Analyzer Settings
837         //JAR ANALYZER
838         Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
839         //NUSPEC ANALYZER
840         Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
841         //NEXUS ANALYZER
842         Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
843         if (nexusUrl != null && !nexusUrl.isEmpty()) {
844             Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
845         }
846         Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy);
847         //ARCHIVE ANALYZER
848         Settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, archiveAnalyzerEnabled);
849         if (zipExtensions != null && !zipExtensions.isEmpty()) {
850             Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
851         }
852         //ASSEMBLY ANALYZER
853         Settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, assemblyAnalyzerEnabled);
854         if (pathToMono != null && !pathToMono.isEmpty()) {
855             Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
856         }
857 
858         //Database configuration
859         if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
860             Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
861         }
862         if (databaseDriverPath != null && !databaseDriverPath.isEmpty()) {
863             Settings.setString(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
864         }
865         if (connectionString != null && !connectionString.isEmpty()) {
866             Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
867         }
868         if (databaseUser != null && !databaseUser.isEmpty()) {
869             Settings.setString(Settings.KEYS.DB_USER, databaseUser);
870         }
871         if (databasePassword != null && !databasePassword.isEmpty()) {
872             Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
873         }
874         // Data Directory
875         if (dataDirectory != null && !dataDirectory.isEmpty()) {
876             Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
877         }
878 
879         // Scope Exclusion
880         Settings.setBoolean(Settings.KEYS.SKIP_TEST_SCOPE, skipTestScope);
881         Settings.setBoolean(Settings.KEYS.SKIP_RUNTIME_SCOPE, skipRuntimeScope);
882         Settings.setBoolean(Settings.KEYS.SKIP_PROVIDED_SCOPE, skipProvidedScope);
883 
884         // CVE Data Mirroring
885         if (cveUrl12Modified != null && !cveUrl12Modified.isEmpty()) {
886             Settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
887         }
888         if (cveUrl20Modified != null && !cveUrl20Modified.isEmpty()) {
889             Settings.setString(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
890         }
891         if (cveUrl12Base != null && !cveUrl12Base.isEmpty()) {
892             Settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
893         }
894         if (cveUrl20Base != null && !cveUrl20Base.isEmpty()) {
895             Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
896         }
897 
898     }
899 
900     /**
901      * Executes the dependency-check and generates the report.
902      *
903      * @throws MojoExecutionException if a maven exception occurs
904      * @throws MojoFailureException thrown if a CVSS score is found that is higher then the configured level
905      */
906     public void execute() throws MojoExecutionException, MojoFailureException {
907         Engine engine = null;
908         try {
909             engine = executeDependencyCheck();
910             generateExternalReports(engine, outputDirectory);
911             if (this.showSummary) {
912                 showSummary(engine.getDependencies());
913             }
914             if (this.failBuildOnCVSS <= 10) {
915                 checkForFailure(engine.getDependencies());
916             }
917         } catch (DatabaseException ex) {
918             logger.log(Level.SEVERE,
919                     "Unable to connect to the dependency-check database; analysis has stopped");
920             logger.log(Level.FINE, "", ex);
921         } finally {
922             Settings.cleanup(true);
923             if (engine != null) {
924                 engine.cleanup();
925             }
926         }
927     }
928 
929     /**
930      * Generates the Dependency-Check Site Report.
931      *
932      * @param sink the sink to write the report to
933      * @param locale the locale to use when generating the report
934      * @throws MavenReportException if a Maven report exception occurs
935      */
936     public void generate(@SuppressWarnings("deprecation") org.codehaus.doxia.sink.Sink sink,
937             Locale locale) throws MavenReportException {
938         generate((Sink) sink, null, locale);
939     }
940 
941     /**
942      * Generates the Dependency-Check Site Report.
943      *
944      * @param sink the sink to write the report to
945      * @param sinkFactory the sink factory
946      * @param locale the locale to use when generating the report
947      * @throws MavenReportException if a maven report exception occurs
948      */
949     public void generate(Sink sink, SinkFactory sinkFactory, Locale locale) throws MavenReportException {
950         Engine engine = null;
951         try {
952             engine = executeDependencyCheck();
953             if (this.externalReport) {
954                 generateExternalReports(engine, reportOutputDirectory);
955             } else {
956                 generateMavenSiteReport(engine, sink);
957             }
958         } catch (DatabaseException ex) {
959             logger.log(Level.SEVERE,
960                     "Unable to connect to the dependency-check database; analysis has stopped");
961             logger.log(Level.FINE, "", ex);
962         } finally {
963             Settings.cleanup(true);
964             if (engine != null) {
965                 engine.cleanup();
966             }
967         }
968     }
969 
970     // <editor-fold defaultstate="collapsed" desc="required setter/getter methods">
971     /**
972      * Returns the output name.
973      *
974      * @return the output name
975      */
976     public String getOutputName() {
977         if ("HTML".equalsIgnoreCase(this.format)
978                 || "ALL".equalsIgnoreCase(this.format)) {
979             return "dependency-check-report";
980         } else if ("XML".equalsIgnoreCase(this.format)) {
981             return "dependency-check-report.xml#";
982         } else if ("VULN".equalsIgnoreCase(this.format)) {
983             return "dependency-check-vulnerability";
984         } else {
985             logger.log(Level.WARNING, "Unknown report format used during site generation.");
986             return "dependency-check-report";
987         }
988     }
989 
990     /**
991      * Returns the category name.
992      *
993      * @return the category name
994      */
995     public String getCategoryName() {
996         return MavenReport.CATEGORY_PROJECT_REPORTS;
997     }
998 
999     /**
1000      * Returns the report name.
1001      *
1002      * @param locale the location
1003      * @return the report name
1004      */
1005     public String getName(Locale locale) {
1006         return name;
1007     }
1008 
1009     /**
1010      * Sets the Reporting output directory.
1011      *
1012      * @param directory the output directory
1013      */
1014     public void setReportOutputDirectory(File directory) {
1015         reportOutputDirectory = directory;
1016     }
1017 
1018     /**
1019      * Returns the output directory.
1020      *
1021      * @return the output directory
1022      */
1023     public File getReportOutputDirectory() {
1024         return reportOutputDirectory;
1025     }
1026 
1027     /**
1028      * Gets the description of the Dependency-Check report to be displayed in the Maven Generated Reports page.
1029      *
1030      * @param locale The Locale to get the description for
1031      * @return the description
1032      */
1033     public String getDescription(Locale locale) {
1034         return description;
1035     }
1036 
1037     /**
1038      * Returns whether this is an external report.
1039      *
1040      * @return true or false;
1041      */
1042     public boolean isExternalReport() {
1043         return externalReport;
1044     }
1045 
1046     /**
1047      * Returns whether or not the plugin can generate a report.
1048      *
1049      * @return true
1050      */
1051     public boolean canGenerateReport() {
1052         return true;
1053     }
1054     // </editor-fold>
1055 
1056     /**
1057      * Checks to see if a vulnerability has been identified with a CVSS score that is above the threshold set in the
1058      * configuration.
1059      *
1060      * @param dependencies the list of dependency objects
1061      * @throws MojoFailureException thrown if a CVSS score is found that is higher then the threshold set
1062      */
1063     private void checkForFailure(List<Dependency> dependencies) throws MojoFailureException {
1064         final StringBuilder ids = new StringBuilder();
1065         for (Dependency d : dependencies) {
1066             boolean addName = true;
1067             for (Vulnerability v : d.getVulnerabilities()) {
1068                 if (v.getCvssScore() >= failBuildOnCVSS) {
1069                     if (addName) {
1070                         addName = false;
1071                         ids.append(NEW_LINE).append(d.getFileName()).append(": ");
1072                         ids.append(v.getName());
1073                     } else {
1074                         ids.append(", ").append(v.getName());
1075                     }
1076                 }
1077             }
1078         }
1079         if (ids.length() > 0) {
1080             final String msg = String.format("%n%nDependency-Check Failure:%n"
1081                     + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater then '%.1f': %s%n"
1082                     + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids.toString());
1083             throw new MojoFailureException(msg);
1084         }
1085     }
1086 
1087     /**
1088      * Generates a warning message listing a summary of dependencies and their associated CPE and CVE entries.
1089      *
1090      * @param dependencies a list of dependency objects
1091      */
1092     private void showSummary(List<Dependency> dependencies) {
1093         final StringBuilder summary = new StringBuilder();
1094         for (Dependency d : dependencies) {
1095             boolean firstEntry = true;
1096             final StringBuilder ids = new StringBuilder();
1097             for (Vulnerability v : d.getVulnerabilities()) {
1098                 if (firstEntry) {
1099                     firstEntry = false;
1100                 } else {
1101                     ids.append(", ");
1102                 }
1103                 ids.append(v.getName());
1104             }
1105             if (ids.length() > 0) {
1106                 summary.append(d.getFileName()).append(" (");
1107                 firstEntry = true;
1108                 for (Identifier id : d.getIdentifiers()) {
1109                     if (firstEntry) {
1110                         firstEntry = false;
1111                     } else {
1112                         summary.append(", ");
1113                     }
1114                     summary.append(id.getValue());
1115                 }
1116                 summary.append(") : ").append(ids).append(NEW_LINE);
1117             }
1118         }
1119         if (summary.length() > 0) {
1120             final String msg = String.format("%n%n"
1121                     + "One or more dependencies were identified with known vulnerabilities:%n%n%s"
1122                     + "%n%nSee the dependency-check report for more details.%n%n", summary.toString());
1123             logger.log(Level.WARNING, msg);
1124         }
1125     }
1126 }