Added new ODC scans for Java libraries. Those can scan even transitive dependencies and can be run before adding a new library to a project.

app/views/libraryAdvisor/notEnabled.scala.html

@@ -0,0 +1,7 @@
+@()(implicit header: DefaultRequest, mainTemplateData: MainTemplateData)
+
+@main(
+    title = s"OWASP Dependency Check not configured"
+){
+    <div class="alert alert-danger">OWASP Dependency Check is not configured, so you cannot run it right now. Contact your administrator, please.</div>
+}

app/views/libraryAdvisor/notFound.scala.html

@@ -0,0 +1,2 @@
+@(dependency: String)
+<div class="alert alert-danger">Dependency @dependency was not found.</div>

app/views/libraryAdvisor/scanInputError.scala.html

@@ -0,0 +1,3 @@
+@(message: String)(implicit header: DefaultRequest, mainTemplateData: MainTemplateData)
+
+<div class="alert alert-danger">I did not scan the library, because I was unable to understand what library you mean. @message</div>

app/views/libraryAdvisor/scanLibrary.scala.html

@@ -0,0 +1,82 @@
+@(identifier: Option[String], inputHints: Seq[Html])(implicit header: DefaultRequest, mainTemplateData: MainTemplateData)
+
+@main(
+  title = s"Library check"
+){
+
+    <script type="text/javascript">
+        var LibraryAdvisorUI = {
+            scan: function(){
+                var submitButton = $("#submit-button");
+                var resultsArea = $("#scan-results");
+                var identifierArea = $("#library-identifier");
+                var identifier = identifierArea.val();
+                function disableSubmit(){
+                    submitButton.attr({disabled: true});
+                    identifierArea.attr({disabled: true});
+                }
+                function enableSubmit(){
+                    submitButton.attr({disabled: false});
+                    identifierArea.attr({disabled: false});
+                }
+                disableSubmit();
+                resultsArea.html($('<div class="progress">')
+                    .append(
+                        $('<div class="progress-bar progress-bar-striped active" role="progressbar" style="width: 100%;">Scanning, please wait a minute…</div>')
+                    )
+                );
+                $.ajax({
+                    url: Routes.controllers.LibraryAdvisor.scan().url,
+                    data: JSON.stringify(identifier),
+                    method: 'POST',
+                    dataType: "text",
+                    contentType : 'application/json',
+                    success: function(res){
+                        resultsArea.html(res);
+                        enableSubmit();
+                    },
+                    error: function(x, e){
+                        if(x.status === 404){
+                            resultsArea.html(x.responseText);
+                        }else{
+                            resultsArea.html($('<div class="alert alert-danger">An error has happened during scan. Check logs for more information.</div>'))
+                            console.log("error", e)
+                        }
+                        enableSubmit();
+                    }
+                });
+            }
+        };
+
+        $(function(){
+            $('#library-identifier').keydown(function (e) {
+                var isEnter = (e.keyCode === 13 || e.keyCode === 10);
+                if (isEnter && !e.shiftKey) { // capture enter, pass shift+enter
+                    LibraryAdvisorUI.scan();
+                };
+            }).on("input", function(){
+                var $this = $(this);
+                $this.scrollTop($this.height());
+            });
+            $('[data-toggle="tooltip"]').tooltip();
+        });
+    </script>
+    <div class="alert alert-info">This tool helps you with selecting a new libraries (or with choosing the right library version for update) by automating a boring part of the process: It can look for known vulnerabilities.</div>
+    <div class="input-group">
+        <div id="library-identifier-wrapper">
+            <textarea
+                class="form-control" id="library-identifier"
+                placeholder="Specification of one library"
+                data-toggle="tooltip" data-placement="bottom"
+                title="Supported formats:<ul>@for(hint <- inputHints){<li>@hint.toString()</li>}</ul>"
+                data-html="true"
+                style="height: 46px;"
+            >@identifier</textarea>
+        </div>
+        <span class="input-group-btn">
+            <button id="submit-button" class="btn btn-primary btn-lg" onclick="LibraryAdvisorUI.scan()">Scan</button>
+        </span>
+    </div>
+
+    <div id="scan-results"></div>
+}

app/views/libraryAdvisor/scanResults.scala.html

@@ -0,0 +1,35 @@
+@import services.SingleLibraryScanResult
+@(isDbOld: Boolean, singleLibraryScanResult: SingleLibraryScanResult)(implicit header: DefaultRequest, mainTemplateData: MainTemplateData)
+@import singleLibraryScanResult.{transitiveDependencies, includesTransitive, mainDependency}
+<h2>Overall result</h2>
+@vulnerableTransitive = @{transitiveDependencies.exists(_.isVulnerable)}
+@vulnerableMain = @{mainDependency.isVulnerable}
+@if(isDbOld){
+    <div class="alert alert-warning">The vulnerability database seems to be outdated. Result might be thus inaccurate. Contact the administrator, please.</div>
+}
+@(vulnerableMain, vulnerableTransitive) match {
+    case (false, false) => {
+        <div class="alert alert-success">No vulnerability has been found in the library@if(includesTransitive){ or in its transitive dependencies}.</div>
+    }
+    case (false, true) => {<div class="alert alert-warning">While there is no vulnerability found in the library itself, but scan has identified some issues in its transitive dependencies. Maybe you should evict some dependency with a fixed version. @vulnerabilityAdvice()</div>}
+    case (true, false) => {<div class="alert alert-danger">There is a vulnerability found in the main dependency. Transitive dependencies are OK. Please consider using a patched version or consider impact of the vulnerabilities. @vulnerabilityAdvice()</div>}
+    case (true, true) => {<div class="alert alert-danger">There is a vulnerability found in both the main dependency and transitive dependencies. Please consider using a patched version or consider impact of the vulnerabilities. @vulnerabilityAdvice()</div>}
+}
+@if(!includesTransitive){
+    <div class="alert alert-warning">This type of scan does not scan transitive dependencies.</div>
+}
+<h2>The library itself</h2>
+@dependencyList("id", Seq(mainDependency), None, expand = _.isVulnerable, addButtons = false, lazyLoad = false, showAffectedProjects = false, expandVulnerabilities = true, vulnerabilitySearch = false)
+@if(includesTransitive) {
+    <h2>Transitive dependencies</h2>
+    @if(transitiveDependencies.nonEmpty) {
+        @if(vulnerableTransitive){
+            <div class="alert alert-info">Those vulnerabilities are primarily sorted by highest-rated known vulnerability. Transitive dependencies without a known vulnerability are at the end of the list.</div>
+        }else{
+            <div class="alert alert-info">There is no known vulnerability in transitive dependencies. They are listed just for your information.</div>
+        }
+        @dependencyList("id", transitiveDependencies.sorted(severityOrdering), None, expand = _.isVulnerable, addButtons = false, lazyLoad = false, showAffectedProjects = false, expandVulnerabilities = true, vulnerabilitySearch = true)
+    }else{
+        This library has no transitive dependencies.
+    }
+}

app/views/libraryAdvisor/vulnerabilityAdvice.scala.html

@@ -0,0 +1,4 @@
+@()(implicit mainTemplateData: MainTemplateData)
+@for(msg <- mainTemplateData.templateCustomization.vulnerableLibraryAdvice){
+    @msg
+}