1   /*
2    * This file is part of dependency-check-ant.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.taskdefs;
19  
20  import java.io.File;
21  import java.util.ArrayList;
22  import java.util.List;
23  import java.util.stream.Collectors;
24  import java.util.stream.Stream;
25  import javax.annotation.concurrent.NotThreadSafe;
26  
27  import org.apache.tools.ant.BuildException;
28  import org.apache.tools.ant.Project;
29  import org.apache.tools.ant.types.EnumeratedAttribute;
30  import org.apache.tools.ant.types.Reference;
31  import org.apache.tools.ant.types.Resource;
32  import org.apache.tools.ant.types.ResourceCollection;
33  import org.apache.tools.ant.types.resources.FileProvider;
34  import org.apache.tools.ant.types.resources.Resources;
35  import org.owasp.dependencycheck.Engine;
36  import org.owasp.dependencycheck.agent.DependencyCheckScanAgent;
37  import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
38  import org.owasp.dependencycheck.dependency.Dependency;
39  import org.owasp.dependencycheck.dependency.Vulnerability;
40  import org.owasp.dependencycheck.dependency.naming.Identifier;
41  import org.owasp.dependencycheck.exception.ExceptionCollection;
42  import org.owasp.dependencycheck.exception.ReportException;
43  import org.owasp.dependencycheck.reporting.ReportGenerator.Format;
44  import org.owasp.dependencycheck.utils.Downloader;
45  import org.owasp.dependencycheck.utils.InvalidSettingException;
46  import org.owasp.dependencycheck.utils.Settings;
47  import org.owasp.dependencycheck.utils.SeverityUtil;
48  import org.slf4j.impl.StaticLoggerBinder;
49  
50  //CSOFF: MethodCount
51  /**
52   * An Ant task definition to execute dependency-check during an Ant build.
53   *
54   * @author Jeremy Long
55   */
56  @NotThreadSafe
57  public class Check extends Update {
58  
59      /**
60       * System specific new line character.
61       */
62      private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();
63  
64      /**
65       * Whether the ruby gemspec analyzer should be enabled.
66       */
67      private Boolean rubygemsAnalyzerEnabled;
68      /**
69       * Whether or not the Node.js Analyzer is enabled.
70       */
71      private Boolean nodeAnalyzerEnabled;
72      /**
73       * Whether or not the Node Audit Analyzer is enabled.
74       */
75      private Boolean nodeAuditAnalyzerEnabled;
76      /**
77       * Whether or not the Yarn Audit Analyzer is enabled.
78       */
79      private Boolean yarnAuditAnalyzerEnabled;
80      /**
81       * Whether or not the Pnpm Audit Analyzer is enabled.
82       */
83      private Boolean pnpmAuditAnalyzerEnabled;
84      /**
85       * Sets whether or not the Node Audit Analyzer should use a local cache.
86       */
87      private Boolean nodeAuditAnalyzerUseCache;
88      /**
89       * Sets whether or not the Node Package Analyzer should skip dev
90       * dependencies.
91       */
92      private Boolean nodePackageSkipDevDependencies;
93      /**
94       * Whether or not the Node Audit Analyzer should skip dev dependencies.
95       */
96      private Boolean nodeAuditSkipDevDependencies;
97      /**
98       * The list of filters (regular expressions) used by the RetireJS Analyzer
99       * to exclude files that contain matching content.
100      */
101     @SuppressWarnings("CanBeFinal")
102     private final List<String> retirejsFilters = new ArrayList<>();
103     /**
104      * Whether or not the RetireJS Analyzer filters non-vulnerable JS files from
105      * the report; default is false.
106      */
107     private Boolean retirejsFilterNonVulnerable;
108     /**
109      * Whether or not the Ruby Bundle Audit Analyzer is enabled.
110      */
111     private Boolean bundleAuditAnalyzerEnabled;
112     /**
113      * Whether the CMake analyzer should be enabled.
114      */
115     private Boolean cmakeAnalyzerEnabled;
116     /**
117      * Whether or not the Open SSL analyzer is enabled.
118      */
119     private Boolean opensslAnalyzerEnabled;
120     /**
121      * Whether the python package analyzer should be enabled.
122      */
123     private Boolean pyPackageAnalyzerEnabled;
124     /**
125      * Whether the python distribution analyzer should be enabled.
126      */
127     private Boolean pyDistributionAnalyzerEnabled;
128     /**
129      * Whether or not the mix audit analyzer is enabled.
130      */
131     private Boolean mixAuditAnalyzerEnabled;
132     /**
133      * Whether or not the central analyzer is enabled.
134      */
135     private Boolean centralAnalyzerEnabled;
136     /**
137      * Whether or not the Central Analyzer should use a local cache.
138      */
139     private Boolean centralAnalyzerUseCache;
140     /**
141      * Whether or not the nexus analyzer is enabled.
142      */
143     private Boolean nexusAnalyzerEnabled;
144     /**
145      * The URL of a Nexus server's REST API end point
146      * (http://domain/nexus/service/local).
147      */
148     private String nexusUrl;
149     /**
150      * The username to authenticate to the Nexus Server's REST API Endpoint.
151      */
152     private String nexusUser;
153     /**
154      * The password to authenticate to the Nexus Server's REST API Endpoint.
155      */
156     private String nexusPassword;
157     /**
158      * Whether or not the defined proxy should be used when connecting to Nexus.
159      */
160     private Boolean nexusUsesProxy;
161 
162     /**
163      * Sets whether the Golang Dependency analyzer is enabled. Default is true.
164      */
165     private Boolean golangDepEnabled;
166     /**
167      * Sets whether Golang Module Analyzer is enabled; this requires `go` to be
168      * installed. Default is true.
169      */
170     private Boolean golangModEnabled;
171     /**
172      * Sets the path to `go`.
173      */
174     private String pathToGo;
175     /**
176      * Sets whether the Dart analyzer is enabled. Default is true.
177      */
178     private Boolean dartAnalyzerEnabled;
179     /**
180      * The path to `yarn`.
181      */
182     private String pathToYarn;
183     /**
184      * The path to `pnpm`.
185      */
186     private String pathToPnpm;
187     /**
188      * Additional ZIP File extensions to add analyze. This should be a
189      * comma-separated list of file extensions to treat like ZIP files.
190      */
191     private String zipExtensions;
192     /**
193      * The path to dotnet core for .NET assembly analysis.
194      */
195     private String pathToCore;
196     /**
197      * The name of the project being analyzed.
198      */
199     private String projectName = "dependency-check";
200     /**
201      * Specifies the destination directory for the generated Dependency-Check
202      * report.
203      */
204     private String reportOutputDirectory = ".";
205     /**
206      * If using the JUNIT report format the junitFailOnCVSS sets the CVSS score
207      * threshold that is considered a failure. The default is 0.
208      */
209     private float junitFailOnCVSS = 0;
210     /**
211      * Specifies if the build should be failed if a CVSS score above a specified
212      * level is identified. The default is 11 which means since the CVSS scores
213      * are 0-10, by default the build will never fail and the CVSS score is set
214      * to 11. The valid range for the fail build on CVSS is 0 to 11, where
215      * anything above 10 will not cause the build to fail.
216      */
217     private float failBuildOnCVSS = 11;
218     /**
219      * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not
220      * recommended that this be turned to false. Default is true.
221      */
222     private Boolean autoUpdate;
223     /**
224      * The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF,
225      * JENKINS, GITLAB, ALL). Default is HTML.
226      */
227     private String reportFormat = "HTML";
228     /**
229      * The report formats to be generated; populated from nested report format
230      * elements and from the {@code reportFormat} attribute. Default is HTML.
231      */
232     private final List<String> reportFormats = new ArrayList<>();
233     /**
234      * Whether the JSON and XML reports should be pretty printed; the default is
235      * false.
236      */
237     private Boolean prettyPrint = null;
238 
239     /**
240      * Suppression file paths.
241      */
242     @SuppressWarnings("CanBeFinal")
243     private final List<String> suppressionFiles = new ArrayList<>();
244 
245     /**
246      * The path to the hints file.
247      */
248     private String hintsFile;
249     /**
250      * flag indicating whether or not to show a summary of findings.
251      */
252     private boolean showSummary = true;
253     /**
254      * Whether experimental analyzers are enabled.
255      */
256     private Boolean enableExperimental;
257     /**
258      * Whether retired analyzers are enabled.
259      */
260     private Boolean enableRetired;
261     /**
262      * Whether or not the Jar Analyzer is enabled.
263      */
264     private Boolean jarAnalyzerEnabled;
265     /**
266      * Whether or not the Archive Analyzer is enabled.
267      */
268     private Boolean archiveAnalyzerEnabled;
269     /**
270      * Whether or not the .NET Nuspec Analyzer is enabled.
271      */
272     private Boolean nuspecAnalyzerEnabled;
273     /**
274      * Whether or not the .NET Nuget packages.config file Analyzer is enabled.
275      */
276     private Boolean nugetconfAnalyzerEnabled;
277     /**
278      * Whether or not the Libman Analyzer is enabled.
279      */
280     private Boolean libmanAnalyzerEnabled;
281     /**
282      * Whether or not the PHP Composer Analyzer is enabled.
283      */
284     private Boolean composerAnalyzerEnabled;
285     /**
286      * Whether or not the PHP Composer Analyzer will skip "packages-dev".
287      */
288     private Boolean composerAnalyzerSkipDev;
289     /**
290      * Whether or not the Perl CPAN File Analyzer is enabled.
291      */
292     private Boolean cpanfileAnalyzerEnabled;
293 
294     /**
295      * Whether or not the .NET Assembly Analyzer is enabled.
296      */
297     private Boolean assemblyAnalyzerEnabled;
298     /**
299      * Whether or not the MS Build Assembly Analyzer is enabled.
300      */
301     private Boolean msbuildAnalyzerEnabled;
302     /**
303      * Whether the autoconf analyzer should be enabled.
304      */
305     private Boolean autoconfAnalyzerEnabled;
306     /**
307      * Whether the pip analyzer should be enabled.
308      */
309     private Boolean pipAnalyzerEnabled;
310     /**
311      * Whether the Maven install.json analyzer should be enabled.
312      */
313     private Boolean mavenInstallAnalyzerEnabled;
314     /**
315      * Whether the pipfile analyzer should be enabled.
316      */
317     private Boolean pipfileAnalyzerEnabled;
318     /**
319      * Whether the Poetry analyzer should be enabled.
320      */
321     private Boolean poetryAnalyzerEnabled;
322     /**
323      * Sets the path for the mix_audit binary.
324      */
325     private String mixAuditPath;
326     /**
327      * Sets the path for the bundle-audit binary.
328      */
329     private String bundleAuditPath;
330     /**
331      * Sets the path for the working directory that the bundle-audit binary
332      * should be executed from.
333      */
334     private String bundleAuditWorkingDirectory;
335     /**
336      * Whether or not the CocoaPods Analyzer is enabled.
337      */
338     private Boolean cocoapodsAnalyzerEnabled;
339     /**
340      * Whether or not the Carthage Analyzer is enabled.
341      */
342     private Boolean carthageAnalyzerEnabled;
343 
344     /**
345      * Whether or not the Swift package Analyzer is enabled.
346      */
347     private Boolean swiftPackageManagerAnalyzerEnabled;
348     /**
349      * Whether or not the Swift Package Resolved Analyzer is enabled.
350      */
351     private Boolean swiftPackageResolvedAnalyzerEnabled;
352 
353     /**
354      * Whether or not the Sonatype OSS Index analyzer is enabled.
355      */
356     private Boolean ossindexAnalyzerEnabled;
357     /**
358      * Whether or not the Sonatype OSS Index analyzer should cache results.
359      */
360     private Boolean ossindexAnalyzerUseCache;
361     /**
362      * URL of the Sonatype OSS Index service.
363      */
364     private String ossindexAnalyzerUrl;
365     /**
366      * The username to use for the Sonatype OSS Index service.
367      */
368     private String ossindexAnalyzerUsername;
369     /**
370      * The password to use for the Sonatype OSS Index service.
371      */
372     private String ossindexAnalyzerPassword;
373     /**
374      * Whether we should only warn about Sonatype OSS Index remote errors
375      * instead of failing completely.
376      */
377     private Boolean ossIndexAnalyzerWarnOnlyOnRemoteErrors;
378 
379     /**
380      * Whether or not the Artifactory Analyzer is enabled.
381      */
382     private Boolean artifactoryAnalyzerEnabled;
383     /**
384      * The URL to Artifactory.
385      */
386     private String artifactoryAnalyzerUrl;
387     /**
388      * Whether or not Artifactory analysis should use the proxy.
389      */
390     private Boolean artifactoryAnalyzerUseProxy;
391     /**
392      * Whether or not Artifactory analysis should be parallelized.
393      */
394     private Boolean artifactoryAnalyzerParallelAnalysis;
395     /**
396      * The Artifactory username needed to connect.
397      */
398     private String artifactoryAnalyzerUsername;
399     /**
400      * The Artifactory API token needed to connect.
401      */
402     private String artifactoryAnalyzerApiToken;
403     /**
404      * The Artifactory bearer token.
405      */
406     private String artifactoryAnalyzerBearerToken;
407     /**
408      * Whether the version check is enabled
409      */
410     private Boolean versionCheckEnabled;
411 
412     /**
413      * Whether an unused suppression rule should force the build to fail.
414      */
415     private boolean failBuildOnUnusedSuppressionRule = false;
416 
417     /**
418      * The username to download user-authored suppression files from an HTTP Basic auth protected location.
419      */
420     private String suppressionFileUser;
421     /**
422      * The password to download user-authored suppression files from an HTTP Basic auth protected location.
423      */
424     private String suppressionFilePassword;
425     /**
426      * The token to download user-authored suppression files from an HTTP Bearer auth protected location.
427      */
428     private String suppressionFileBearerToken;
429 
430     //region Code copied from org.apache.tools.ant.taskdefs.PathConvert
431     //The following code was copied Apache Ant PathConvert
432     /**
433      * Path to be converted
434      */
435     private Resources path = null;
436     /**
437      * Reference to path/file set to convert
438      */
439     private Reference refId = null;
440 
    /**
     * Adds a nested resource collection (path, fileset, dirset, ...) to the set
     * of resources this task will scan.
     *
     * @param rc the resource collection to add
     * @throws BuildException if the {@code refId} attribute has already been
     * set; nested elements and {@code refId} are mutually exclusive
     * @since Ant 1.7
     */
    public void add(ResourceCollection rc) {
        if (!isReference()) {
            getPath().add(rc);
            return;
        }
        throw new BuildException("Nested elements are not allowed when using the refId attribute.");
    }
453 
    /**
     * Returns the resources to scan, creating the backing {@link Resources}
     * on first use. The method is synchronized so that two first-time callers
     * cannot each create their own instance.
     *
     * @return the resource collection, never {@code null}
     */
    private synchronized Resources getPath() {
        Resources resources = path;
        if (resources == null) {
            resources = new Resources(getProject());
            resources.setCache(true);
            path = resources;
        }
        return resources;
    }
467 
    /**
     * Reports whether the {@code refId} attribute has been set on this task.
     *
     * @return {@code true} if a reference was supplied via
     * {@link #setRefId(Reference)}, {@code false} otherwise
     */
    public boolean isReference() {
        if (refId == null) {
            return false;
        }
        return true;
    }
476 
    /**
     * Sets a reference to a Path, FileSet, DirSet or FileList defined elsewhere
     * in the build file.
     *
     * @param r the reference that will be resolved when the task executes
     * @throws BuildException if nested resource collections were already added;
     * nested elements and {@code refId} are mutually exclusive
     */
    public synchronized void setRefId(Reference r) {
        final boolean hasNestedElements = path != null;
        if (hasNestedElements) {
            throw new BuildException("Nested elements are not allowed when using the refId attribute.");
        }
        this.refId = r;
    }
489 
    /**
     * Resolves the {@code refId} attribute, if one was set, and adds the
     * referenced resource collection to the resources to scan. Does nothing
     * when no reference was configured.
     *
     * @throws BuildException if the reference does not point at a
     * {@link ResourceCollection}
     */
    //declaring a throw that extends runtime exception may be a bad practice
    //but seems to be an ingrained practice within Ant as even the base `Task`
    //contains an `execute() throws BuildException`.
    @SuppressWarnings("squid:RedundantThrowsDeclarationCheck")
    private void dealWithReferences() throws BuildException {
        if (!isReference()) {
            return;
        }
        final Object referenced = refId.getReferencedObject(getProject());
        if (referenced instanceof ResourceCollection) {
            getPath().add((ResourceCollection) referenced);
        } else {
            throw new BuildException("refId '" + refId.getRefId()
                    + "' does not refer to a resource collection.");
        }
    }
510     //endregion COPIED from org.apache.tools.ant.taskdefs
511 
    /**
     * Creates the task and registers it with the SLF4J static logger binder so
     * that log messages from dependency-check core are routed through this
     * task's logger.
     */
    public Check() {
        // Must happen before dependency-check core logs anything; otherwise
        // those early messages would not reach this task's logger.
        final StaticLoggerBinder binder = StaticLoggerBinder.getSingleton();
        binder.setTask(this);
    }
521 
    /**
     * Receives a fully configured nested suppression file element from Ant and
     * records its path alongside any paths given via the attribute.
     *
     * @param suppressionFile the configured {@link SuppressionFile} element
     */
    public void addConfiguredSuppressionFile(final SuppressionFile suppressionFile) {
        final String location = suppressionFile.getPath();
        this.suppressionFiles.add(location);
    }
532 
    /**
     * Receives a fully configured nested report format element from Ant and
     * appends its format to the list of reports to generate.
     *
     * @param reportFormat the configured {@link ReportFormat} element
     */
    public void addConfiguredReportFormat(final ReportFormat reportFormat) {
        final String format = reportFormat.getFormat();
        this.reportFormats.add(format);
    }
543 
    /**
     * Sets whether the dependency-check version check is enabled.
     *
     * @param versionCheckEnabled {@code true} to enable the version check,
     * {@code false} to disable it
     */
    public void setVersionCheckEnabled(Boolean versionCheckEnabled) {
        this.versionCheckEnabled = versionCheckEnabled;
    }
553 
    /**
     * Returns the name of the project being analyzed. A {@code null} name is
     * normalised to the empty string, and that normalised value is stored.
     *
     * @return the project name, never {@code null}
     */
    public String getProjectName() {
        if (projectName != null) {
            return projectName;
        }
        projectName = "";
        return projectName;
    }
565 
    /**
     * Sets the name of the project being analyzed.
     *
     * @param projectName the project name; a {@code null} value is returned as
     * the empty string by {@link #getProjectName()}
     */
    public void setProjectName(String projectName) {
        this.projectName = projectName;
    }
574 
    /**
     * Sets the destination directory for the generated dependency-check report.
     *
     * @param reportOutputDirectory the output directory; defaults to {@code .}
     */
    public void setReportOutputDirectory(String reportOutputDirectory) {
        this.reportOutputDirectory = reportOutputDirectory;
    }
583 
    /**
     * Sets the CVSS score above which an identified vulnerability fails the
     * build.
     *
     * @param failBuildOnCVSS the threshold, valid range 0 to 11; the default of
     * 11 never fails the build because CVSS scores range from 0 to 10
     */
    public void setFailBuildOnCVSS(float failBuildOnCVSS) {
        this.failBuildOnCVSS = failBuildOnCVSS;
    }
592 
    /**
     * Sets the CVSS score threshold that the JUnit report format treats as a
     * failure.
     *
     * @param junitFailOnCVSS the threshold; the default is 0
     */
    public void setJunitFailOnCVSS(float junitFailOnCVSS) {
        this.junitFailOnCVSS = junitFailOnCVSS;
    }
601 
    /**
     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. Turning
     * this off is not recommended, as analysis then runs against stale data.
     *
     * @param autoUpdate {@code true} to auto-update (the default), {@code false}
     * to skip the update
     */
    public void setAutoUpdate(Boolean autoUpdate) {
        this.autoUpdate = autoUpdate;
    }
610 
    /**
     * Sets whether the JSON and XML reports are pretty printed.
     *
     * @param prettyPrint {@code true} to pretty print; the default is
     * {@code false}
     */
    public void setPrettyPrint(boolean prettyPrint) {
        this.prettyPrint = Boolean.valueOf(prettyPrint);
    }
619 
    /**
     * Sets the report format from the {@code reportFormat} attribute. The value
     * is stored as the current format and also appended to the list of formats
     * to generate.
     *
     * @param reportFormat the enumerated report format
     */
    public void setReportFormat(ReportFormats reportFormat) {
        final String format = reportFormat.getValue();
        this.reportFormat = format;
        this.reportFormats.add(format);
    }
629 
    /**
     * Returns the report formats to generate. If no format was configured, the
     * current default format (HTML unless changed via
     * {@link #setReportFormat(ReportFormats)}) is added first. Note that the
     * returned list is the task's internal, mutable list, not a copy.
     *
     * @return the list of report formats, never empty
     */
    public List<String> getReportFormats() {
        if (!reportFormats.isEmpty()) {
            return reportFormats;
        }
        reportFormats.add(reportFormat);
        return reportFormats;
    }
641 
    /**
     * Adds a suppression file path supplied via the {@code suppressionFile}
     * attribute. Paths added here share the same list as nested suppression
     * file elements, so both may be used together.
     *
     * @param suppressionFile the path to a suppression file
     */
    public void setSuppressionFile(String suppressionFile) {
        suppressionFiles.add(suppressionFile);
    }
650 
    /**
     * Sets the username used for HTTP Basic authentication when downloading
     * user-authored suppression files from a protected location.
     *
     * @param suppressionFileUser the username
     */
    public void setSuppressionFileUser(String suppressionFileUser) {
        this.suppressionFileUser = suppressionFileUser;
    }
659 
    /**
     * Sets the password (or token) used for HTTP Basic authentication when
     * downloading user-authored suppression files from a protected location.
     * This is a credential: prefer supplying it from a property or environment
     * rather than hard-coding it in the build file, and keep it out of build
     * output.
     *
     * @param suppressionFilePassword the password or token
     */
    public void setSuppressionFilePassword(String suppressionFilePassword) {
        this.suppressionFilePassword = suppressionFilePassword;
    }
668 
    /**
     * Sets the token used for HTTP Bearer authentication when downloading
     * user-authored suppression files from a protected location. This is a
     * credential: prefer supplying it from a property or environment rather
     * than hard-coding it in the build file, and keep it out of build output.
     *
     * @param suppressionFileBearerToken the bearer token
     */
    public void setSuppressionFileBearerToken(String suppressionFileBearerToken) {
        this.suppressionFileBearerToken = suppressionFileBearerToken;
    }
677 
    /**
     * Sets the path to the hints file.
     *
     * @param hintsFile the path to the hints file
     */
    public void setHintsFile(String hintsFile) {
        this.hintsFile = hintsFile;
    }
686 
    /**
     * Sets whether a summary of findings is shown.
     *
     * @param showSummary {@code true} to show the summary (the default)
     */
    public void setShowSummary(boolean showSummary) {
        this.showSummary = showSummary;
    }
695 
    /**
     * Sets whether experimental analyzers are enabled.
     *
     * @param enableExperimental {@code true} to enable experimental analyzers
     */
    public void setEnableExperimental(Boolean enableExperimental) {
        this.enableExperimental = enableExperimental;
    }
704 
    /**
     * Sets whether retired analyzers are enabled.
     *
     * @param enableRetired {@code true} to enable retired analyzers
     */
    public void setEnableRetired(Boolean enableRetired) {
        this.enableRetired = enableRetired;
    }
713 
    /**
     * Sets whether the Jar Analyzer is enabled.
     *
     * @param jarAnalyzerEnabled {@code true} to enable the analyzer,
     * {@code false} to disable it
     */
    public void setJarAnalyzerEnabled(Boolean jarAnalyzerEnabled) {
        this.jarAnalyzerEnabled = jarAnalyzerEnabled;
    }
722 
    /**
     * Sets whether the Archive Analyzer is enabled.
     *
     * @param archiveAnalyzerEnabled {@code true} to enable the analyzer,
     * {@code false} to disable it
     */
    public void setArchiveAnalyzerEnabled(Boolean archiveAnalyzerEnabled) {
        this.archiveAnalyzerEnabled = archiveAnalyzerEnabled;
    }
731 
    /**
     * Sets whether the .NET Assembly Analyzer is enabled.
     *
     * @param assemblyAnalyzerEnabled {@code true} to enable the analyzer,
     * {@code false} to disable it
     */
    public void setAssemblyAnalyzerEnabled(Boolean assemblyAnalyzerEnabled) {
        this.assemblyAnalyzerEnabled = assemblyAnalyzerEnabled;
    }
740 
    /**
     * Sets whether the MS Build Assembly Analyzer is enabled.
     *
     * @param msbuildAnalyzerEnabled {@code true} to enable the analyzer,
     * {@code false} to disable it
     */
    public void setMSBuildAnalyzerEnabled(Boolean msbuildAnalyzerEnabled) {
        this.msbuildAnalyzerEnabled = msbuildAnalyzerEnabled;
    }
749 
    /**
     * Sets whether the .NET Nuspec Analyzer is enabled.
     *
     * @param nuspecAnalyzerEnabled {@code true} to enable the analyzer,
     * {@code false} to disable it
     */
    public void setNuspecAnalyzerEnabled(Boolean nuspecAnalyzerEnabled) {
        this.nuspecAnalyzerEnabled = nuspecAnalyzerEnabled;
    }
758 
    /**
     * Sets whether the .NET Nuget packages.config file Analyzer is enabled.
     *
     * @param nugetconfAnalyzerEnabled {@code true} to enable the analyzer,
     * {@code false} to disable it
     */
    public void setNugetconfAnalyzerEnabled(Boolean nugetconfAnalyzerEnabled) {
        this.nugetconfAnalyzerEnabled = nugetconfAnalyzerEnabled;
    }
767 
    /**
     * Sets whether the Libman Analyzer is enabled.
     *
     * @param libmanAnalyzerEnabled {@code true} to enable the analyzer,
     * {@code false} to disable it
     */
    public void setLibmanAnalyzerEnabled(Boolean libmanAnalyzerEnabled) {
        this.libmanAnalyzerEnabled = libmanAnalyzerEnabled;
    }
776 
    /**
     * Sets whether the PHP Composer Analyzer is enabled.
     *
     * @param composerAnalyzerEnabled {@code true} to enable the analyzer,
     * {@code false} to disable it
     */
    public void setComposerAnalyzerEnabled(Boolean composerAnalyzerEnabled) {
        this.composerAnalyzerEnabled = composerAnalyzerEnabled;
    }
785 
    /**
     * Sets whether the PHP Composer Analyzer skips the "packages-dev" section.
     *
     * @param composerAnalyzerSkipDev {@code true} to skip dev packages
     */
    public void setComposerAnalyzerSkipDev(Boolean composerAnalyzerSkipDev) {
        this.composerAnalyzerSkipDev = composerAnalyzerSkipDev;
    }
794 
    /**
     * Sets whether the Perl CPAN File Analyzer is enabled.
     *
     * @param cpanfileAnalyzerEnabled {@code true} to enable the analyzer,
     * {@code false} to disable it
     */
    public void setCpanfileAnalyzerEnabled(Boolean cpanfileAnalyzerEnabled) {
        this.cpanfileAnalyzerEnabled = cpanfileAnalyzerEnabled;
    }
803 
    /**
     * Sets whether the autoconf analyzer is enabled.
     *
     * @param autoconfAnalyzerEnabled {@code true} to enable the analyzer,
     * {@code false} to disable it
     */
    public void setAutoconfAnalyzerEnabled(Boolean autoconfAnalyzerEnabled) {
        this.autoconfAnalyzerEnabled = autoconfAnalyzerEnabled;
    }
812 
    /**
     * Sets whether the pip analyzer is enabled.
     *
     * @param pipAnalyzerEnabled {@code true} to enable the analyzer,
     * {@code false} to disable it
     */
    public void setPipAnalyzerEnabled(Boolean pipAnalyzerEnabled) {
        this.pipAnalyzerEnabled = pipAnalyzerEnabled;
    }
821 
    /**
     * Sets whether the pipfile analyzer is enabled.
     *
     * @param pipfileAnalyzerEnabled {@code true} to enable the analyzer,
     * {@code false} to disable it
     */
    public void setPipfileAnalyzerEnabled(Boolean pipfileAnalyzerEnabled) {
        this.pipfileAnalyzerEnabled = pipfileAnalyzerEnabled;
    }
830 
    /**
     * Sets whether the Poetry analyzer is enabled.
     *
     * @param poetryAnalyzerEnabled {@code true} to enable the analyzer,
     * {@code false} to disable it
     */
    public void setPoetryAnalyzerEnabled(Boolean poetryAnalyzerEnabled) {
        this.poetryAnalyzerEnabled = poetryAnalyzerEnabled;
    }
839 
    /**
     * Sets whether the Ruby Bundle Audit Analyzer is enabled.
     *
     * @param bundleAuditAnalyzerEnabled {@code true} to enable the analyzer,
     * {@code false} to disable it
     */
    public void setBundleAuditAnalyzerEnabled(Boolean bundleAuditAnalyzerEnabled) {
        this.bundleAuditAnalyzerEnabled = bundleAuditAnalyzerEnabled;
    }
849 
    /**
     * Sets the path to the bundle-audit executable used by the Ruby Bundle
     * Audit Analyzer.
     *
     * @param bundleAuditPath the path to the bundle-audit executable
     */
    public void setBundleAuditPath(String bundleAuditPath) {
        this.bundleAuditPath = bundleAuditPath;
    }
858 
    /**
     * Sets the working directory from which the bundle-audit executable is
     * run.
     *
     * @param bundleAuditWorkingDirectory the path to the working directory for
     * the bundle-audit executable
     */
    public void setBundleAuditWorkingDirectory(String bundleAuditWorkingDirectory) {
        this.bundleAuditWorkingDirectory = bundleAuditWorkingDirectory;
    }
869 
    /**
     * Sets whether the CocoaPods Analyzer is enabled.
     *
     * @param cocoapodsAnalyzerEnabled {@code true} to enable the analyzer,
     * {@code false} to disable it
     */
    public void setCocoapodsAnalyzerEnabled(Boolean cocoapodsAnalyzerEnabled) {
        this.cocoapodsAnalyzerEnabled = cocoapodsAnalyzerEnabled;
    }
878 
    /**
     * Sets whether the Carthage Analyzer is enabled.
     *
     * @param carthageAnalyzerEnabled {@code true} to enable the analyzer,
     * {@code false} to disable it
     */
    public void setCarthageAnalyzerEnabled(Boolean carthageAnalyzerEnabled) {
        this.carthageAnalyzerEnabled = carthageAnalyzerEnabled;
    }
887 
    /**
     * Sets whether the Swift Package Manager Analyzer is enabled.
     *
     * @param swiftPackageManagerAnalyzerEnabled {@code true} to enable the
     * analyzer, {@code false} to disable it
     */
    public void setSwiftPackageManagerAnalyzerEnabled(Boolean swiftPackageManagerAnalyzerEnabled) {
        this.swiftPackageManagerAnalyzerEnabled = swiftPackageManagerAnalyzerEnabled;
    }
897 
    /**
     * Sets whether the Swift Package Resolved Analyzer is enabled.
     *
     * @param swiftPackageResolvedAnalyzerEnabled {@code true} to enable the
     * analyzer, {@code false} to disable it
     */
    public void setSwiftPackageResolvedAnalyzerEnabled(Boolean swiftPackageResolvedAnalyzerEnabled) {
        this.swiftPackageResolvedAnalyzerEnabled = swiftPackageResolvedAnalyzerEnabled;
    }
907 
908     /**
909      * Set the value of opensslAnalyzerEnabled.
910      *
911      * @param opensslAnalyzerEnabled new value of opensslAnalyzerEnabled
912      */
913     public void setOpensslAnalyzerEnabled(Boolean opensslAnalyzerEnabled) {
914         this.opensslAnalyzerEnabled = opensslAnalyzerEnabled;
915     }
916 
917     /**
918      * Set the value of nodeAnalyzerEnabled.
919      *
920      * @param nodeAnalyzerEnabled new value of nodeAnalyzerEnabled
921      */
922     public void setNodeAnalyzerEnabled(Boolean nodeAnalyzerEnabled) {
923         this.nodeAnalyzerEnabled = nodeAnalyzerEnabled;
924     }
925 
926     /**
927      * Set the value of nodeAuditAnalyzerEnabled.
928      *
929      * @param nodeAuditAnalyzerEnabled new value of nodeAuditAnalyzerEnabled
930      */
931     public void setNodeAuditAnalyzerEnabled(Boolean nodeAuditAnalyzerEnabled) {
932         this.nodeAuditAnalyzerEnabled = nodeAuditAnalyzerEnabled;
933     }
934 
935     /**
936      * Set the value of yarnAuditAnalyzerEnabled.
937      *
938      * @param yarnAuditAnalyzerEnabled new value of yarnAuditAnalyzerEnabled
939      */
940     public void setYarnAuditAnalyzerEnabled(Boolean yarnAuditAnalyzerEnabled) {
941         this.yarnAuditAnalyzerEnabled = yarnAuditAnalyzerEnabled;
942     }
943 
944     /**
945      * Set the value of pnpmAuditAnalyzerEnabled.
946      *
947      * @param pnpmAuditAnalyzerEnabled new value of pnpmAuditAnalyzerEnabled
948      */
949     public void setPnpmAuditAnalyzerEnabled(Boolean pnpmAuditAnalyzerEnabled) {
950         this.pnpmAuditAnalyzerEnabled = pnpmAuditAnalyzerEnabled;
951     }
952 
953     /**
954      * Set the value of nodeAuditAnalyzerUseCache.
955      *
956      * @param nodeAuditAnalyzerUseCache new value of nodeAuditAnalyzerUseCache
957      */
958     public void setNodeAuditAnalyzerUseCache(Boolean nodeAuditAnalyzerUseCache) {
959         this.nodeAuditAnalyzerUseCache = nodeAuditAnalyzerUseCache;
960     }
961 
962     /**
963      * Set the value of nodePackageSkipDevDependencies.
964      *
965      * @param nodePackageSkipDevDependencies new value of
966      * nodePackageSkipDevDependencies
967      */
968     public void setNodePackageSkipDevDependencies(Boolean nodePackageSkipDevDependencies) {
969         this.nodePackageSkipDevDependencies = nodePackageSkipDevDependencies;
970     }
971 
972     /**
973      * Set the value of nodeAuditSkipDevDependencies.
974      *
975      * @param nodeAuditSkipDevDependencies new value of
976      * nodeAuditSkipDevDependencies
977      */
978     public void setNodeAuditSkipDevDependencies(Boolean nodeAuditSkipDevDependencies) {
979         this.nodeAuditSkipDevDependencies = nodeAuditSkipDevDependencies;
980     }
981 
982     /**
983      * Set the value of retirejsFilterNonVulnerable.
984      *
985      * @param retirejsFilterNonVulnerable new value of
986      * retirejsFilterNonVulnerable
987      */
988     public void setRetirejsFilterNonVulnerable(Boolean retirejsFilterNonVulnerable) {
989         this.retirejsFilterNonVulnerable = retirejsFilterNonVulnerable;
990     }
991 
992     /**
993      * Add a regular expression to the set of retire JS content filters.
994      * <p>
995      * This is called by Ant.
996      *
997      * @param retirejsFilter the regular expression used to filter based on file
998      * content
999      */
1000     public void addConfiguredRetirejsFilter(final RetirejsFilter retirejsFilter) {
1001         retirejsFilters.add(retirejsFilter.getRegex());
1002     }
1003 
1004     /**
1005      * Set the value of rubygemsAnalyzerEnabled.
1006      *
1007      * @param rubygemsAnalyzerEnabled new value of rubygemsAnalyzerEnabled
1008      */
1009     public void setRubygemsAnalyzerEnabled(Boolean rubygemsAnalyzerEnabled) {
1010         this.rubygemsAnalyzerEnabled = rubygemsAnalyzerEnabled;
1011     }
1012 
1013     /**
1014      * Set the value of pyPackageAnalyzerEnabled.
1015      *
1016      * @param pyPackageAnalyzerEnabled new value of pyPackageAnalyzerEnabled
1017      */
1018     public void setPyPackageAnalyzerEnabled(Boolean pyPackageAnalyzerEnabled) {
1019         this.pyPackageAnalyzerEnabled = pyPackageAnalyzerEnabled;
1020     }
1021 
1022     /**
1023      * Set the value of pyDistributionAnalyzerEnabled.
1024      *
1025      * @param pyDistributionAnalyzerEnabled new value of
1026      * pyDistributionAnalyzerEnabled
1027      */
1028     public void setPyDistributionAnalyzerEnabled(Boolean pyDistributionAnalyzerEnabled) {
1029         this.pyDistributionAnalyzerEnabled = pyDistributionAnalyzerEnabled;
1030     }
1031 
1032     /**
1033      * Set the value of mixAuditAnalyzerEnabled.
1034      *
1035      * @param mixAuditAnalyzerEnabled new value of mixAuditAnalyzerEnabled
1036      */
1037     public void setMixAuditAnalyzerEnabled(Boolean mixAuditAnalyzerEnabled) {
1038         this.mixAuditAnalyzerEnabled = mixAuditAnalyzerEnabled;
1039     }
1040 
1041     /**
1042      * Sets the path to the mix audit executable.
1043      *
1044      * @param mixAuditPath the path to the bundle audit executable
1045      */
1046     public void setMixAuditPath(String mixAuditPath) {
1047         this.mixAuditPath = mixAuditPath;
1048     }
1049     /**
1050      * Set the value of centralAnalyzerEnabled.
1051      *
1052      * @param centralAnalyzerEnabled new value of centralAnalyzerEnabled
1053      */
1054     public void setCentralAnalyzerEnabled(Boolean centralAnalyzerEnabled) {
1055         this.centralAnalyzerEnabled = centralAnalyzerEnabled;
1056     }
1057 
1058     /**
1059      * Set the value of centralAnalyzerUseCache.
1060      *
1061      * @param centralAnalyzerUseCache new value of centralAnalyzerUseCache
1062      */
1063     public void setCentralAnalyzerUseCache(Boolean centralAnalyzerUseCache) {
1064         this.centralAnalyzerUseCache = centralAnalyzerUseCache;
1065     }
1066 
1067     /**
1068      * Set the value of nexusAnalyzerEnabled.
1069      *
1070      * @param nexusAnalyzerEnabled new value of nexusAnalyzerEnabled
1071      */
1072     public void setNexusAnalyzerEnabled(Boolean nexusAnalyzerEnabled) {
1073         this.nexusAnalyzerEnabled = nexusAnalyzerEnabled;
1074     }
1075 
1076     /**
1077      * Set the value of golangDepEnabled.
1078      *
1079      * @param golangDepEnabled new value of golangDepEnabled
1080      */
1081     public void setGolangDepEnabled(Boolean golangDepEnabled) {
1082         this.golangDepEnabled = golangDepEnabled;
1083     }
1084 
1085     /**
1086      * Set the value of golangModEnabled.
1087      *
1088      * @param golangModEnabled new value of golangModEnabled
1089      */
1090     public void setGolangModEnabled(Boolean golangModEnabled) {
1091         this.golangModEnabled = golangModEnabled;
1092     }
1093 
1094     /**
1095      * Set the value of dartAnalyzerEnabled.
1096      *
1097      * @param dartAnalyzerEnabled new value of dartAnalyzerEnabled
1098      */
1099     public void setDartAnalyzerEnabled(Boolean dartAnalyzerEnabled) {
1100         this.dartAnalyzerEnabled = dartAnalyzerEnabled;
1101     }
1102 
1103     /**
1104      * Set the value of pathToYarn.
1105      *
1106      * @param pathToYarn new value of pathToYarn
1107      */
1108     public void setPathToYarn(String pathToYarn) {
1109         this.pathToYarn = pathToYarn;
1110     }
1111 
1112     /**
1113      * Set the value of pathToPnpm.
1114      *
1115      * @param pathToPnpm new value of pathToPnpm
1116      */
1117     public void setPathToPnpm(String pathToPnpm) {
1118         this.pathToPnpm = pathToPnpm;
1119     }
1120 
1121     /**
1122      * Set the value of pathToGo.
1123      *
1124      * @param pathToGo new value of pathToGo
1125      */
1126     public void setPathToGo(String pathToGo) {
1127         this.pathToGo = pathToGo;
1128     }
1129 
1130     /**
1131      * Set the value of nexusUrl.
1132      *
1133      * @param nexusUrl new value of nexusUrl
1134      */
1135     public void setNexusUrl(String nexusUrl) {
1136         this.nexusUrl = nexusUrl;
1137     }
1138 
1139     /**
1140      * Set the value of nexusUser.
1141      *
1142      * @param nexusUser new value of nexusUser
1143      */
1144     public void setNexusUser(String nexusUser) {
1145         this.nexusUser = nexusUser;
1146     }
1147 
1148     /**
1149      * Set the value of nexusPassword.
1150      *
1151      * @param nexusPassword new value of nexusPassword
1152      */
1153     public void setNexusPassword(String nexusPassword) {
1154         this.nexusPassword = nexusPassword;
1155     }
1156 
1157     /**
1158      * Set the value of nexusUsesProxy.
1159      *
1160      * @param nexusUsesProxy new value of nexusUsesProxy
1161      */
1162     public void setNexusUsesProxy(Boolean nexusUsesProxy) {
1163         this.nexusUsesProxy = nexusUsesProxy;
1164     }
1165 
1166     /**
1167      * Set the value of zipExtensions.
1168      *
1169      * @param zipExtensions new value of zipExtensions
1170      */
1171     public void setZipExtensions(String zipExtensions) {
1172         this.zipExtensions = zipExtensions;
1173     }
1174 
1175     /**
1176      * Set the value of pathToCore.
1177      *
1178      * @param pathToCore new value of pathToCore
1179      */
1180     public void setPathToDotnetCore(String pathToCore) {
1181         this.pathToCore = pathToCore;
1182     }
1183 
1184     /**
1185      * Set value of {@link #ossindexAnalyzerEnabled}.
1186      *
1187      * @param ossindexAnalyzerEnabled new value of ossindexAnalyzerEnabled
1188      */
1189     public void setOssindexAnalyzerEnabled(Boolean ossindexAnalyzerEnabled) {
1190         this.ossindexAnalyzerEnabled = ossindexAnalyzerEnabled;
1191     }
1192 
1193     /**
1194      * Set value of {@link #ossindexAnalyzerUseCache}.
1195      *
1196      * @param ossindexAnalyzerUseCache new value of ossindexAnalyzerUseCache
1197      */
1198     public void setOssindexAnalyzerUseCache(Boolean ossindexAnalyzerUseCache) {
1199         this.ossindexAnalyzerUseCache = ossindexAnalyzerUseCache;
1200     }
1201 
1202     /**
1203      * Set value of {@link #ossindexAnalyzerUrl}.
1204      *
1205      * @param ossindexAnalyzerUrl new value of ossindexAnalyzerUrl
1206      */
1207     public void setOssindexAnalyzerUrl(String ossindexAnalyzerUrl) {
1208         this.ossindexAnalyzerUrl = ossindexAnalyzerUrl;
1209     }
1210 
1211     /**
1212      * Set value of {@link #ossindexAnalyzerUsername}.
1213      *
1214      * @param ossindexAnalyzerUsername new value of ossindexAnalyzerUsername
1215      */
1216     public void setOssindexAnalyzerUsername(String ossindexAnalyzerUsername) {
1217         this.ossindexAnalyzerUsername = ossindexAnalyzerUsername;
1218     }
1219 
1220     /**
1221      * Set value of {@link #ossindexAnalyzerPassword}.
1222      *
1223      * @param ossindexAnalyzerPassword new value of ossindexAnalyzerPassword
1224      */
1225     public void setOssindexAnalyzerPassword(String ossindexAnalyzerPassword) {
1226         this.ossindexAnalyzerPassword = ossindexAnalyzerPassword;
1227     }
1228 
1229     /**
1230      * Set value of {@link #ossIndexAnalyzerWarnOnlyOnRemoteErrors}.
1231      *
1232      * @param ossIndexWarnOnlyOnRemoteErrors the value of
1233      * ossIndexWarnOnlyOnRemoteErrors
1234      */
1235     public void setOssIndexWarnOnlyOnRemoteErrors(Boolean ossIndexWarnOnlyOnRemoteErrors) {
1236         this.ossIndexAnalyzerWarnOnlyOnRemoteErrors = ossIndexWarnOnlyOnRemoteErrors;
1237     }
1238 
1239     /**
1240      * Set the value of cmakeAnalyzerEnabled.
1241      *
1242      * @param cmakeAnalyzerEnabled new value of cmakeAnalyzerEnabled
1243      */
1244     public void setCmakeAnalyzerEnabled(Boolean cmakeAnalyzerEnabled) {
1245         this.cmakeAnalyzerEnabled = cmakeAnalyzerEnabled;
1246     }
1247 
1248     /**
1249      * Set the value of artifactoryAnalyzerEnabled.
1250      *
1251      * @param artifactoryAnalyzerEnabled new value of artifactoryAnalyzerEnabled
1252      */
1253     public void setArtifactoryAnalyzerEnabled(Boolean artifactoryAnalyzerEnabled) {
1254         this.artifactoryAnalyzerEnabled = artifactoryAnalyzerEnabled;
1255     }
1256 
1257     /**
1258      * Set the value of artifactoryAnalyzerUrl.
1259      *
1260      * @param artifactoryAnalyzerUrl new value of artifactoryAnalyzerUrl
1261      */
1262     public void setArtifactoryAnalyzerUrl(String artifactoryAnalyzerUrl) {
1263         this.artifactoryAnalyzerUrl = artifactoryAnalyzerUrl;
1264     }
1265 
1266     /**
1267      * Set the value of artifactoryAnalyzerUseProxy.
1268      *
1269      * @param artifactoryAnalyzerUseProxy new value of
1270      * artifactoryAnalyzerUseProxy
1271      */
1272     public void setArtifactoryAnalyzerUseProxy(Boolean artifactoryAnalyzerUseProxy) {
1273         this.artifactoryAnalyzerUseProxy = artifactoryAnalyzerUseProxy;
1274     }
1275 
1276     /**
1277      * Set the value of artifactoryAnalyzerParallelAnalysis.
1278      *
1279      * @param artifactoryAnalyzerParallelAnalysis new value of
1280      * artifactoryAnalyzerParallelAnalysis
1281      */
1282     public void setArtifactoryAnalyzerParallelAnalysis(Boolean artifactoryAnalyzerParallelAnalysis) {
1283         this.artifactoryAnalyzerParallelAnalysis = artifactoryAnalyzerParallelAnalysis;
1284     }
1285 
1286     /**
1287      * Set the value of artifactoryAnalyzerUsername.
1288      *
1289      * @param artifactoryAnalyzerUsername new value of
1290      * artifactoryAnalyzerUsername
1291      */
1292     public void setArtifactoryAnalyzerUsername(String artifactoryAnalyzerUsername) {
1293         this.artifactoryAnalyzerUsername = artifactoryAnalyzerUsername;
1294     }
1295 
1296     /**
1297      * Set the value of artifactoryAnalyzerApiToken.
1298      *
1299      * @param artifactoryAnalyzerApiToken new value of
1300      * artifactoryAnalyzerApiToken
1301      */
1302     public void setArtifactoryAnalyzerApiToken(String artifactoryAnalyzerApiToken) {
1303         this.artifactoryAnalyzerApiToken = artifactoryAnalyzerApiToken;
1304     }
1305 
1306     /**
1307      * Set the value of artifactoryAnalyzerBearerToken.
1308      *
1309      * @param artifactoryAnalyzerBearerToken new value of
1310      * artifactoryAnalyzerBearerToken
1311      */
1312     public void setArtifactoryAnalyzerBearerToken(String artifactoryAnalyzerBearerToken) {
1313         this.artifactoryAnalyzerBearerToken = artifactoryAnalyzerBearerToken;
1314     }
1315 
1316     /**
1317      * Set the value of failBuildOnUnusedSuppressionRule.
1318      *
1319      * @param failBuildOnUnusedSuppressionRule new value of
1320      * failBuildOnUnusedSuppressionRule
1321      */
1322     public void setFailBuildOnUnusedSuppressionRule(boolean failBuildOnUnusedSuppressionRule) {
1323         this.failBuildOnUnusedSuppressionRule = failBuildOnUnusedSuppressionRule;
1324     }
1325 
    /**
     * Runs the scan: validates the task configuration, pushes the configured
     * attributes into the dependency-check settings, scans every existing file
     * on the supplied path, analyzes the results, writes the requested reports
     * and finally applies the CVSS build gate.
     * <p>
     * Error handling follows {@code isFailOnError()}: when it is set, database
     * and report errors abort the build; otherwise they are logged at
     * {@link Project#MSG_ERR} and the task returns normally.
     *
     * @throws BuildException if the configuration is invalid, the downloader
     * cannot be configured, a failure occurs while {@code isFailOnError()} is
     * true, or a vulnerability meets the configured CVSS threshold
     */
    //see note on `dealWithReferences()` for information on this suppression
    @SuppressWarnings("squid:RedundantThrowsDeclarationCheck")
    @Override
    protected void executeWithContextClassloader() throws BuildException {
        dealWithReferences();
        validateConfiguration();
        populateSettings();
        try {
            // The downloader is configured from the populated settings before the
            // engine exists; an invalid setting is surfaced as a build failure.
            Downloader.getInstance().configure(getSettings());
        } catch (InvalidSettingException e) {
            throw new BuildException(e);
        }
        // try-with-resources: the engine is closed before the catch/finally blocks run.
        try (Engine engine = new Engine(Check.class.getClassLoader(), getSettings())) {
            for (Resource resource : getPath()) {
                // Only resources backed by an existing file are scanned; anything
                // else on the path is skipped without a log message.
                final FileProvider provider = resource.as(FileProvider.class);
                if (provider != null) {
                    final File file = provider.getFile();
                    if (file != null && file.exists()) {
                        engine.scan(file);
                    }
                }
            }
            // null when analysis raised nothing; otherwise the collection of analysis
            // exceptions (only reachable here when failOnError is disabled).
            final ExceptionCollection exceptions = callExecuteAnalysis(engine);
            if (exceptions == null || !exceptions.isFatal()) {
                for (String format : getReportFormats()) {
                    engine.writeReports(getProjectName(), new File(reportOutputDirectory), format, exceptions);
                }
                // validateConfiguration() allows up to 11; any value above 10 skips the gate.
                if (this.failBuildOnCVSS <= 10) {
                    checkForFailure(engine.getDependencies());
                }
                if (this.showSummary) {
                    DependencyCheckScanAgent.showSummary(engine.getDependencies());
                }
            }
            // NOTE(review): when the collection is fatal and failOnError is disabled,
            // no report is written and the CVSS gate is not evaluated, yet the task
            // still returns normally — confirm a silent pass is the intended outcome.
        } catch (DatabaseException ex) {
            final String msg = "Unable to connect to the dependency-check database; analysis has stopped";
            if (this.isFailOnError()) {
                throw new BuildException(msg, ex);
            }
            log(msg, ex, Project.MSG_ERR);
        } catch (ReportException ex) {
            final String msg = "Unable to generate the dependency-check report";
            if (this.isFailOnError()) {
                throw new BuildException(msg, ex);
            }
            log(msg, ex, Project.MSG_ERR);
        } finally {
            // Settings cleanup runs on every exit path, including a thrown BuildException.
            getSettings().cleanup();
        }
    }
1376 
1377     /**
1378      * Wraps the call to `engine.analyzeDependencies()` and correctly handles
1379      * any exceptions
1380      *
1381      * @param engine a reference to the engine
1382      * @return the collection of any exceptions that occurred; otherwise
1383      * <code>null</code>
1384      * @throws BuildException thrown if configured to fail the build on errors
1385      */
1386     //see note on `dealWithReferences()` for information on this suppression
1387     @SuppressWarnings("squid:RedundantThrowsDeclarationCheck")
1388     private ExceptionCollection callExecuteAnalysis(final Engine engine) throws BuildException {
1389         ExceptionCollection exceptions = null;
1390         try {
1391             engine.analyzeDependencies();
1392         } catch (ExceptionCollection ex) {
1393             if (this.isFailOnError()) {
1394                 throw new BuildException(ex);
1395             }
1396             exceptions = ex;
1397         }
1398         return exceptions;
1399     }
1400 
1401     /**
1402      * Validate the configuration to ensure the parameters have been properly
1403      * configured/initialized.
1404      *
1405      * @throws BuildException if the task was not configured correctly.
1406      */
1407     //see note on `dealWithReferences()` for information on this suppression
1408     @SuppressWarnings("squid:RedundantThrowsDeclarationCheck")
1409     private synchronized void validateConfiguration() throws BuildException {
1410         if (path == null) {
1411             throw new BuildException("No project dependencies have been defined to analyze.");
1412         }
1413         if (failBuildOnCVSS < 0 || failBuildOnCVSS > 11) {
1414             throw new BuildException("Invalid configuration, failBuildOnCVSS must be between 0 and 11.");
1415         }
1416     }
1417 
1418     /**
1419      * Takes the properties supplied and updates the dependency-check settings.
1420      * Additionally, this sets the system properties required to change the
1421      * proxy server, port, and connection timeout.
1422      *
1423      * @throws BuildException thrown when an invalid setting is configured.
1424      */
1425     //see note on `dealWithReferences()` for information on this suppression
1426     @SuppressWarnings("squid:RedundantThrowsDeclarationCheck")
1427     @Override
1428     protected void populateSettings() throws BuildException {
1429         super.populateSettings();
1430         getSettings().setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate);
1431         getSettings().setArrayIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFiles);
1432         getSettings().setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE_USER, suppressionFileUser);
1433         getSettings().setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE_PASSWORD, suppressionFilePassword);
1434         getSettings().setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE_BEARER_TOKEN, suppressionFileBearerToken);
1435         getSettings().setBooleanIfNotNull(Settings.KEYS.UPDATE_VERSION_CHECK_ENABLED, versionCheckEnabled);
1436         getSettings().setStringIfNotEmpty(Settings.KEYS.HINTS_FILE, hintsFile);
1437         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, enableExperimental);
1438         getSettings().setBooleanIfNotNull(Settings.KEYS.PRETTY_PRINT, prettyPrint);
1439         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIRED_ENABLED, enableRetired);
1440         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
1441         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, pyDistributionAnalyzerEnabled);
1442         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, pyPackageAnalyzerEnabled);
1443         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, rubygemsAnalyzerEnabled);
1444         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, opensslAnalyzerEnabled);
1445         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_CMAKE_ENABLED, cmakeAnalyzerEnabled);
1446 
1447         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_ENABLED, artifactoryAnalyzerEnabled);
1448         getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_ARTIFACTORY_URL, artifactoryAnalyzerUrl);
1449         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_USES_PROXY, artifactoryAnalyzerUseProxy);
1450         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_PARALLEL_ANALYSIS, artifactoryAnalyzerParallelAnalysis);
1451         getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_ARTIFACTORY_API_USERNAME, artifactoryAnalyzerUsername);
1452         getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_ARTIFACTORY_API_TOKEN, artifactoryAnalyzerApiToken);
1453         getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_ARTIFACTORY_BEARER_TOKEN, artifactoryAnalyzerBearerToken);
1454 
1455         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED, swiftPackageManagerAnalyzerEnabled);
1456         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_RESOLVED_ENABLED, swiftPackageResolvedAnalyzerEnabled);
1457         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_COCOAPODS_ENABLED, cocoapodsAnalyzerEnabled);
1458         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_CARTHAGE_ENABLED, carthageAnalyzerEnabled);
1459         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, bundleAuditAnalyzerEnabled);
1460         getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, bundleAuditPath);
1461         getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_WORKING_DIRECTORY, bundleAuditWorkingDirectory);
1462         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
1463         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_MAVEN_INSTALL_ENABLED, mavenInstallAnalyzerEnabled);
1464         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PIP_ENABLED, pipAnalyzerEnabled);
1465         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PIPFILE_ENABLED, pipfileAnalyzerEnabled);
1466         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_POETRY_ENABLED, poetryAnalyzerEnabled);
1467         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
1468         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_SKIP_DEV, composerAnalyzerSkipDev);
1469         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_CPANFILE_ENABLED, cpanfileAnalyzerEnabled);
1470         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);
1471         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_SKIPDEV, nodePackageSkipDevDependencies);
1472         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED, nodeAuditAnalyzerEnabled);
1473         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_YARN_AUDIT_ENABLED, yarnAuditAnalyzerEnabled);
1474         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PNPM_AUDIT_ENABLED, pnpmAuditAnalyzerEnabled);
1475         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_USE_CACHE, nodeAuditAnalyzerUseCache);
1476         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_SKIPDEV, nodeAuditSkipDevDependencies);
1477         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_FILTER_NON_VULNERABLE, retirejsFilterNonVulnerable);
1478         getSettings().setArrayIfNotEmpty(Settings.KEYS.ANALYZER_RETIREJS_FILTERS, retirejsFilters);
1479         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_GOLANG_DEP_ENABLED, golangDepEnabled);
1480         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_GOLANG_MOD_ENABLED, golangModEnabled);
1481         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_DART_ENABLED, dartAnalyzerEnabled);
1482         getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_GOLANG_PATH, pathToGo);
1483         getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_YARN_PATH, pathToYarn);
1484         getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_PNPM_PATH, pathToPnpm);
1485         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_MIX_AUDIT_ENABLED, mixAuditAnalyzerEnabled);
1486         getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_MIX_AUDIT_PATH, mixAuditPath);
1487         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
1488         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUGETCONF_ENABLED, nugetconfAnalyzerEnabled);
1489         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_LIBMAN_ENABLED, libmanAnalyzerEnabled);
1490         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
1491         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_USE_CACHE, centralAnalyzerUseCache);
1492         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
1493         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, archiveAnalyzerEnabled);
1494         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, assemblyAnalyzerEnabled);
1495         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_MSBUILD_PROJECT_ENABLED, msbuildAnalyzerEnabled);
1496         getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
1497         getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_USER, nexusUser);
1498         getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_PASSWORD, nexusPassword);
1499         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
1500         getSettings().setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
1501         getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_DOTNET_PATH, pathToCore);
1502         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_ENABLED, ossindexAnalyzerEnabled);
1503         getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_URL, ossindexAnalyzerUrl);
1504         getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_USER, ossindexAnalyzerUsername);
1505         getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_PASSWORD, ossindexAnalyzerPassword);
1506         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_USE_CACHE, ossindexAnalyzerUseCache);
1507         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, ossIndexAnalyzerWarnOnlyOnRemoteErrors);
1508         getSettings().setFloat(Settings.KEYS.JUNIT_FAIL_ON_CVSS, junitFailOnCVSS);
1509         getSettings().setBooleanIfNotNull(Settings.KEYS.FAIL_ON_UNUSED_SUPPRESSION_RULE, failBuildOnUnusedSuppressionRule);
1510     }
1511 
1512     /**
1513      * Checks to see if a vulnerability has been identified with a CVSS score
1514      * that is above the threshold set in the configuration.
1515      *
1516      * @param dependencies the list of dependency objects
1517      * @throws BuildException thrown if a CVSS score is found that is higher
1518      * than the threshold set
1519      */
1520     //see note on `dealWithReferences()` for information on this suppression
1521     @SuppressWarnings("squid:RedundantThrowsDeclarationCheck")
1522     private void checkForFailure(Dependency[] dependencies) throws BuildException {
1523         final StringBuilder ids = new StringBuilder();
1524         for (Dependency d : dependencies) {
1525             boolean addName = true;
1526             for (Vulnerability v : d.getVulnerabilities()) {
1527                 final double cvssV2 = v.getCvssV2() != null && v.getCvssV2().getCvssData() != null
1528                         && v.getCvssV2().getCvssData().getBaseScore() != null ? v.getCvssV2().getCvssData().getBaseScore() : -1;
1529                 final double cvssV3 = v.getCvssV3() != null && v.getCvssV3().getCvssData() != null
1530                         && v.getCvssV3().getCvssData().getBaseScore() != null ? v.getCvssV3().getCvssData().getBaseScore() : -1;
1531                 final double cvssV4 = v.getCvssV4() != null && v.getCvssV4().getCvssData() != null
1532                         && v.getCvssV4().getCvssData().getBaseScore() != null ? v.getCvssV4().getCvssData().getBaseScore() : -1;
1533                 final boolean useUnscored = cvssV2 == -1 && cvssV3 == -1 && cvssV4 == -1;
1534                 final double unscoredCvss =
1535                         useUnscored && v.getUnscoredSeverity() != null ? SeverityUtil.estimateCvssV2(v.getUnscoredSeverity()) : -1;
1536 
1537                 if (cvssV2 >= failBuildOnCVSS
1538                         || cvssV3 >= failBuildOnCVSS
1539                         || cvssV4 >= failBuildOnCVSS
1540                         || unscoredCvss >= failBuildOnCVSS
1541                         //safety net to fail on any if for some reason the above misses on 0
1542                         || failBuildOnCVSS <= 0.0f
1543                 ) {
1544                     if (addName) {
1545                         addName = false;
1546                         ids.append(NEW_LINE).append(d.getFileName()).append(" (")
1547                            .append(Stream.concat(d.getSoftwareIdentifiers().stream(), d.getVulnerableSoftwareIdentifiers().stream())
1548                                          .map(Identifier::getValue)
1549                                          .collect(Collectors.joining(", ")))
1550                            .append("): ")
1551                            .append(v.getName());
1552                     } else {
1553                         ids.append(", ").append(v.getName());
1554                     }
1555                 }
1556             }
1557         }
1558         if (ids.length() > 0) {
1559             final String msg;
1560             if (showSummary) {
1561                 msg = String.format("%n%nDependency-Check Failure:%n"
1562                         + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '%.1f': %s%n"
1563                         + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids);
1564             } else {
1565                 msg = String.format("%n%nDependency-Check Failure:%n"
1566                         + "One or more dependencies were identified with vulnerabilities.%n%n"
1567                         + "See the dependency-check report for more details.%n%n");
1568             }
1569             throw new BuildException(msg);
1570         }
1571     }
1572 
    /**
     * Ant {@link EnumeratedAttribute} that restricts the {@code format}
     * attribute to the names of the {@link Format} enum, for example "ALL",
     * "HTML", "XML", "CSV", "JSON", "JUNIT", "SARIF", "JENKINS".
     */
    public static class ReportFormats extends EnumeratedAttribute {

        /**
         * Lists the accepted values: the {@code name()} of every
         * {@link Format} constant, in declaration order.
         *
         * @return the report format names accepted by this attribute
         */
        @Override
        public String[] getValues() {
            // Format.values() already yields a fresh array in enum order;
            // mapping it to names keeps the same order Ant shows in its error text.
            return Stream.of(Format.values())
                    .map(Format::name)
                    .toArray(String[]::new);
        }
    }
1595 
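    /**
     * Ant representation of the nested
     * {@code <reportFormat format="<format>"/>} element, which lets a build
     * request several report formats for the ant-task at once.
     */
    public static class ReportFormat {

        /**
         * The validated format. Stays {@code null} until Ant calls
         * {@link #setFormat(String)}, i.e. when the {@code format} attribute
         * was omitted from the nested element.
         */
        private ReportFormats format;

        /**
         * Gets the format as a String.
         *
         * @return the String representing a report format
         * @throws BuildException if the {@code format} attribute was not set
         * on the nested {@code <reportFormat>} element
         */
        public String getFormat() {
            // Ant only invokes setFormat when the attribute is present; without
            // this guard a bare <reportFormat/> surfaces as a NullPointerException
            // with no hint of which element in the build file is wrong.
            if (this.format == null) {
                throw new BuildException("The 'format' attribute is required on the <reportFormat> nested element");
            }
            return this.format.getValue();
        }

        /**
         * Sets the format. Validation is delegated to Ant's
         * {@link EnumeratedAttribute#getInstance(Class, String)}, which only
         * accepts one of {@link ReportFormats#getValues()}.
         *
         * @param format the String value for one of the {@link ReportFormats}
         * @throws BuildException When the offered String is not one of the
         * valid values of the {@link ReportFormats} EnumeratedAttribute
         */
        public void setFormat(final String format) {
            this.format = (ReportFormats) EnumeratedAttribute.getInstance(ReportFormats.class, format);
        }
    }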
1628 }
1629 //CSON: MethodCount