org.owasp.dependencycheck.maven

Class BaseDependencyCheckMojo

java.lang.Object

org.apache.maven.plugin.AbstractMojo

org.owasp.dependencycheck.maven.BaseDependencyCheckMojo

All Implemented Interfaces:

org.apache.maven.plugin.ContextEnabled, org.apache.maven.plugin.Mojo, org.apache.maven.reporting.MavenReport

Direct Known Subclasses:

AggregateMojo, CheckMojo, PurgeMojo, UpdateMojo

public abstract class BaseDependencyCheckMojo
extends org.apache.maven.plugin.AbstractMojo
implements org.apache.maven.reporting.MavenReport

Author:

Jeremy Long

Field Summary

Fields inherited from interface org.apache.maven.reporting.MavenReport

CATEGORY_PROJECT_INFORMATION, CATEGORY_PROJECT_REPORTS, ROLE

Fields inherited from interface org.apache.maven.plugin.Mojo

ROLE

Constructor Summary

Constructors

Constructor and Description
BaseDependencyCheckMojo()

Method Summary

Methods

Modifier and Type	Method and Description
protected void	checkForFailure(List<Dependency> dependencies) Checks to see if a vulnerability has been identified with a CVSS score that is above the threshold set in the configuration.
protected boolean	excludeFromScan(org.apache.maven.artifact.Artifact a) Tests is the artifact should be included in the scan (i.e.
void	execute() Executes dependency-check.
void	generate(org.codehaus.doxia.sink.Sink sink, Locale locale) Deprecated. use generate(org.apache.maven.doxia.sink.Sink, java.util.Locale) instead.
void	generate(org.apache.maven.doxia.sink.Sink sink, Locale locale) Generates the Dependency-Check Site Report.
String	getCategoryName() Returns the category name.
protected String	getConnectionString() Returns the connection string.
protected File	getCorrectOutputDirectory() Returns the correct output directory depending on if a site is being executed or not.
protected File	getCorrectOutputDirectory(org.apache.maven.project.MavenProject current) Returns the correct output directory depending on if a site is being executed or not.
protected File	getDataFile(org.apache.maven.project.MavenProject current) Returns the correct output directory depending on if a site is being executed or not.
protected String	getDataFileContextKey() Returns the key used to store the path to the data file that is saved by writeDataFile().
protected String	getFormat() Returns the report format.
File	getOutputDirectory() Returns the output directory.
protected String	getOutputDirectoryContextKey() Returns the key used to store the path to the output directory.
String	getOutputName() Returns the output name.
protected org.apache.maven.project.MavenProject	getProject() Returns a reference to the current project.
protected List<org.apache.maven.project.MavenProject>	getReactorProjects() Returns the list of Maven Projects in this build.
File	getReportOutputDirectory() Returns the report output directory.
protected Engine	initializeEngine() Initializes a new Engine that can be used for scanning.
boolean	isExternalReport() Returns whether this is an external report.
protected void	populateSettings() Takes the properties supplied and updates the dependency-check settings.
protected List<Dependency>	readDataFile(org.apache.maven.project.MavenProject project) Reads the serialized scan data from disk.
abstract void	runCheck() Executes the dependency-check scan and generates the necassary report.
protected void	scanArtifacts(org.apache.maven.project.MavenProject project, Engine engine) Scans the project's artifacts and adds them to the engine's dependency list.
void	setReportOutputDirectory(File directory) Sets the Reporting output directory.
protected void	showSummary(org.apache.maven.project.MavenProject mp, List<Dependency> dependencies) Generates a warning message listing a summary of dependencies and their associated CPE and CVE entries.
protected void	writeDataFile(org.apache.maven.project.MavenProject mp, File writeTo, List<Dependency> dependencies) Writes the scan data to disk.
protected void	writeReports(Engine engine, org.apache.maven.project.MavenProject p, File outputDir) Generates the reports for a given dependency-check engine.

Methods inherited from class org.apache.maven.plugin.AbstractMojo

getLog, getPluginContext, setLog, setPluginContext

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.maven.reporting.MavenReport

canGenerateReport, getDescription, getName

Constructor Detail

BaseDependencyCheckMojo

public BaseDependencyCheckMojo()

Method Detail

getConnectionString

protected String getConnectionString()

Returns the connection string.

Returns:

the connection string

execute

public void execute()
             throws org.apache.maven.plugin.MojoExecutionException,
                    org.apache.maven.plugin.MojoFailureException

Executes dependency-check.

Specified by:

execute in interface org.apache.maven.plugin.Mojo

Throws:

org.apache.maven.plugin.MojoExecutionException - thrown if there is an exception executing the mojo

org.apache.maven.plugin.MojoFailureException - thrown if dependency-check failed the build

generate

@Deprecated
public final void generate(org.codehaus.doxia.sink.Sink sink,
                       Locale locale)
                    throws org.apache.maven.reporting.MavenReportException

Deprecated. use generate(org.apache.maven.doxia.sink.Sink, java.util.Locale) instead.

Generates the Dependency-Check Site Report.

Specified by:

generate in interface org.apache.maven.reporting.MavenReport

Parameters:

sink - the sink to write the report to

locale - the locale to use when generating the report

Throws:

org.apache.maven.reporting.MavenReportException - if a maven report exception occurs

generate

public void generate(org.apache.maven.doxia.sink.Sink sink,
            Locale locale)
              throws org.apache.maven.reporting.MavenReportException

Generates the Dependency-Check Site Report.

Parameters:

sink - the sink to write the report to

locale - the locale to use when generating the report

Throws:

org.apache.maven.reporting.MavenReportException - if a maven report exception occurs

getCorrectOutputDirectory

protected File getCorrectOutputDirectory()
                                  throws org.apache.maven.plugin.MojoExecutionException

Returns the correct output directory depending on if a site is being executed or not.

Returns:

the directory to write the report(s)

Throws:

org.apache.maven.plugin.MojoExecutionException - thrown if there is an error loading the file path

getCorrectOutputDirectory

protected File getCorrectOutputDirectory(org.apache.maven.project.MavenProject current)

Returns the correct output directory depending on if a site is being executed or not.

Parameters:

current - the Maven project to get the output directory from

Returns:

the directory to write the report(s)

getDataFile

protected File getDataFile(org.apache.maven.project.MavenProject current)

Returns the correct output directory depending on if a site is being executed or not.

Parameters:

current - the Maven project to get the output directory from

Returns:

the directory to write the report(s)

scanArtifacts

protected void scanArtifacts(org.apache.maven.project.MavenProject project,
                 Engine engine)

Scans the project's artifacts and adds them to the engine's dependency list.

Parameters:

project - the project to scan the dependencies of

engine - the engine to use to scan the dependencies

runCheck

public abstract void runCheck()
                       throws org.apache.maven.plugin.MojoExecutionException,
                              org.apache.maven.plugin.MojoFailureException

Executes the dependency-check scan and generates the necassary report.

Throws:

org.apache.maven.plugin.MojoExecutionException - thrown if there is an exception running the scan

org.apache.maven.plugin.MojoFailureException - thrown if dependency-check is configured to fail the build

setReportOutputDirectory

public void setReportOutputDirectory(File directory)

Sets the Reporting output directory.

Specified by:

setReportOutputDirectory in interface org.apache.maven.reporting.MavenReport

Parameters:

directory - the output directory

getReportOutputDirectory

public File getReportOutputDirectory()

Returns the report output directory.

Specified by:

getReportOutputDirectory in interface org.apache.maven.reporting.MavenReport

Returns:

the report output directory

getOutputDirectory

public File getOutputDirectory()

Returns the output directory.

Returns:

the output directory

isExternalReport

public final boolean isExternalReport()

Returns whether this is an external report. This method always returns true.

Specified by:

isExternalReport in interface org.apache.maven.reporting.MavenReport

Returns:

true

getOutputName

public String getOutputName()

Returns the output name.

Specified by:

getOutputName in interface org.apache.maven.reporting.MavenReport

Returns:

the output name

getCategoryName

public String getCategoryName()

Returns the category name.

Specified by:

getCategoryName in interface org.apache.maven.reporting.MavenReport

Returns:

the category name

initializeEngine

protected Engine initializeEngine()
                           throws DatabaseException

Initializes a new Engine that can be used for scanning.

Returns:

a newly instantiated Engine

Throws:

DatabaseException - thrown if there is a database exception

populateSettings

protected void populateSettings()

Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties required to change the proxy url, port, and connection timeout.

excludeFromScan

protected boolean excludeFromScan(org.apache.maven.artifact.Artifact a)

Tests is the artifact should be included in the scan (i.e. is the dependency in a scope that is being scanned).

Parameters:

a - the Artifact to test

Returns:

true if the artifact is in an excluded scope; otherwise false

getProject

protected org.apache.maven.project.MavenProject getProject()

Returns a reference to the current project. This method is used instead of auto-binding the project via component annotation in concrete implementations of this. If the child has a @Component MavenProject project; defined then the abstract class (i.e. this class) will not have access to the current project (just the way Maven works with the binding).

Returns:

returns a reference to the current project

getReactorProjects

protected List<org.apache.maven.project.MavenProject> getReactorProjects()

Returns the list of Maven Projects in this build.

Returns:

the list of Maven Projects in this build

getFormat

protected String getFormat()

Returns the report format.

Returns:

the report format

writeReports

protected void writeReports(Engine engine,
                org.apache.maven.project.MavenProject p,
                File outputDir)

Generates the reports for a given dependency-check engine.

Parameters:

engine - a dependency-check engine

p - the maven project

outputDir - the directory path to write the report(s).

checkForFailure

protected void checkForFailure(List<Dependency> dependencies)
                        throws org.apache.maven.plugin.MojoFailureException

Checks to see if a vulnerability has been identified with a CVSS score that is above the threshold set in the configuration.

Parameters:

dependencies - the list of dependency objects

Throws:

org.apache.maven.plugin.MojoFailureException - thrown if a CVSS score is found that is higher then the threshold set

showSummary

protected void showSummary(org.apache.maven.project.MavenProject mp,
               List<Dependency> dependencies)

Generates a warning message listing a summary of dependencies and their associated CPE and CVE entries.

Parameters:

mp - the Maven project for which the summary is shown

dependencies - a list of dependency objects

getDataFileContextKey

protected String getDataFileContextKey()

Returns the key used to store the path to the data file that is saved by writeDataFile(). This key is used in the MavenProject.(set|get)ContextValue.

Returns:

the key used to store the path to the data file

getOutputDirectoryContextKey

protected String getOutputDirectoryContextKey()

Returns the key used to store the path to the output directory. When generating the report in the executeAggregateReport() the output directory should be obtained by using this key.

Returns:

the key used to store the path to the output directory

writeDataFile

protected void writeDataFile(org.apache.maven.project.MavenProject mp,
                 File writeTo,
                 List<Dependency> dependencies)

Writes the scan data to disk. This is used to serialize the scan data between the "check" and "aggregate" phase.

Parameters:

mp - the mMven project for which the data file was created

writeTo - the directory to write the data file

dependencies - the list of dependencies to serialize

readDataFile

protected List<Dependency> readDataFile(org.apache.maven.project.MavenProject project)

Reads the serialized scan data from disk. This is used to serialize the scan data between the "check" and "aggregate" phase.

Parameters:

project - the Maven project to read the data file from

Returns:

a Engine object populated with dependencies if the serialized data file exists; otherwise null is returned