1   /*
2    * This file is part of dependency-check-ant.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.taskdefs;
19  
20  import java.io.File;
21  import java.util.ArrayList;
22  import java.util.List;
23  import java.util.stream.Collectors;
24  import java.util.stream.Stream;
25  import javax.annotation.concurrent.NotThreadSafe;
26  
27  import org.apache.tools.ant.BuildException;
28  import org.apache.tools.ant.Project;
29  import org.apache.tools.ant.types.EnumeratedAttribute;
30  import org.apache.tools.ant.types.Reference;
31  import org.apache.tools.ant.types.Resource;
32  import org.apache.tools.ant.types.ResourceCollection;
33  import org.apache.tools.ant.types.resources.FileProvider;
34  import org.apache.tools.ant.types.resources.Resources;
35  import org.owasp.dependencycheck.Engine;
36  import org.owasp.dependencycheck.agent.DependencyCheckScanAgent;
37  import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
38  import org.owasp.dependencycheck.dependency.Dependency;
39  import org.owasp.dependencycheck.dependency.Vulnerability;
40  import org.owasp.dependencycheck.dependency.naming.Identifier;
41  import org.owasp.dependencycheck.exception.ExceptionCollection;
42  import org.owasp.dependencycheck.exception.ReportException;
43  import org.owasp.dependencycheck.reporting.ReportGenerator.Format;
44  import org.owasp.dependencycheck.utils.Downloader;
45  import org.owasp.dependencycheck.utils.InvalidSettingException;
46  import org.owasp.dependencycheck.utils.Settings;
47  import org.owasp.dependencycheck.utils.SeverityUtil;
48  import org.owasp.dependencycheck.utils.scarf.TelemetryCollector;
49  import org.owasp.dependencycheck.ant.logging.AntTaskHolder;
50  
51  //CSOFF: MethodCount
52  /**
53   * An Ant task definition to execute dependency-check during an Ant build.
54   *
55   * @author Jeremy Long
56   */
57  @NotThreadSafe
58  public class Check extends Update {
59  
60      /**
61       * System specific new line character.
62       */
63      private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();
64  
65      /**
66       * Whether the ruby gemspec analyzer should be enabled.
67       */
68      private Boolean rubygemsAnalyzerEnabled;
69      /**
70       * Whether or not the Node.js Analyzer is enabled.
71       */
72      private Boolean nodeAnalyzerEnabled;
73      /**
74       * Whether or not the Node Audit Analyzer is enabled.
75       */
76      private Boolean nodeAuditAnalyzerEnabled;
77      /**
78       * Whether or not the Yarn Audit Analyzer is enabled.
79       */
80      private Boolean yarnAuditAnalyzerEnabled;
81      /**
82       * Whether or not the Pnpm Audit Analyzer is enabled.
83       */
84      private Boolean pnpmAuditAnalyzerEnabled;
85      /**
86       * Sets whether or not the Node Audit Analyzer should use a local cache.
87       */
88      private Boolean nodeAuditAnalyzerUseCache;
89      /**
90       * Sets whether or not the Node Package Analyzer should skip dev
91       * dependencies.
92       */
93      private Boolean nodePackageSkipDevDependencies;
94      /**
     * Sets whether or not the Node Audit Analyzer should skip dev dependencies.
96       */
97      private Boolean nodeAuditSkipDevDependencies;
98      /**
     * The list of filters (regular expressions) used by the RetireJS Analyzer
     * to exclude files that contain matching content.
101      */
102     @SuppressWarnings("CanBeFinal")
103     private final List<String> retireJsFilters = new ArrayList<>();
104     /**
105      * Whether or not the RetireJS Analyzer filters non-vulnerable JS files from
106      * the report; default is false.
107      */
108     private Boolean retireJsFilterNonVulnerable;
109     /**
110      * Whether or not the Ruby Bundle Audit Analyzer is enabled.
111      */
112     private Boolean bundleAuditAnalyzerEnabled;
113     /**
114      * Whether the CMake analyzer should be enabled.
115      */
116     private Boolean cmakeAnalyzerEnabled;
117     /**
118      * Whether or not the Open SSL analyzer is enabled.
119      */
120     private Boolean opensslAnalyzerEnabled;
121     /**
122      * Whether the python package analyzer should be enabled.
123      */
124     private Boolean pyPackageAnalyzerEnabled;
125     /**
126      * Whether the python distribution analyzer should be enabled.
127      */
128     private Boolean pyDistributionAnalyzerEnabled;
129     /**
130      * Whether or not the mix audit analyzer is enabled.
131      */
132     private Boolean mixAuditAnalyzerEnabled;
133     /**
134      * Whether or not the central analyzer is enabled.
135      */
136     private Boolean centralAnalyzerEnabled;
137     /**
138      * Whether or not the Central Analyzer should use a local cache.
139      */
140     private Boolean centralAnalyzerUseCache;
141     /**
142      * Whether or not the nexus analyzer is enabled.
143      */
144     private Boolean nexusAnalyzerEnabled;
145     /**
146      * The URL of a Nexus server's REST API end point
147      * (http://domain/nexus/service/local).
148      */
149     private String nexusUrl;
150     /**
151      * The username to authenticate to the Nexus Server's REST API Endpoint.
152      */
153     private String nexusUser;
154     /**
155      * The password to authenticate to the Nexus Server's REST API Endpoint.
156      */
157     private String nexusPassword;
158     /**
159      * Whether or not the defined proxy should be used when connecting to Nexus.
160      */
161     private Boolean nexusUsesProxy;
162 
163     /**
164      * Sets whether the Golang Dependency analyzer is enabled. Default is true.
165      */
166     private Boolean golangDepEnabled;
167     /**
168      * Sets whether Golang Module Analyzer is enabled; this requires `go` to be
169      * installed. Default is true.
170      */
171     private Boolean golangModEnabled;
172     /**
173      * Sets the path to `go`.
174      */
175     private String pathToGo;
176     /**
177      * Sets whether the Dart analyzer is enabled. Default is true.
178      */
179     private Boolean dartAnalyzerEnabled;
180     /**
181      * The path to `yarn`.
182      */
183     private String pathToYarn;
184     /**
185      * The path to `pnpm`.
186      */
187     private String pathToPnpm;
188     /**
     * Additional ZIP file extensions to analyze. This should be a
     * comma-separated list of file extensions to treat like ZIP files.
191      */
192     private String zipExtensions;
193     /**
194      * The path to dotnet core for .NET assembly analysis.
195      */
196     private String pathToCore;
197     /**
198      * The name of the project being analyzed.
199      */
200     private String projectName = "dependency-check";
201     /**
202      * Specifies the destination directory for the generated Dependency-Check
203      * report.
204      */
205     private String reportOutputDirectory;
206     /**
207      * If using the JUNIT report format the junitFailOnCVSS sets the CVSS score
208      * threshold that is considered a failure. The default is 0.
209      */
210     private float junitFailOnCVSS = 0;
211     /**
     * Specifies if the build should be failed if a CVSS score above a specified
     * level is identified. The default is 11; because CVSS scores range from 0
     * to 10, the build never fails by default. The valid range for the fail
     * build on CVSS is 0 to 11, where anything above 10 will not cause the
     * build to fail.
217      */
218     private float failBuildOnCVSS = 11;
219     /**
220      * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not
221      * recommended that this be turned to false. Default is true.
222      */
223     private Boolean autoUpdate;
224     /**
225      * The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF,
226      * JENKINS, GITLAB, ALL). Default is HTML.
227      */
228     private String reportFormat = "HTML";
229     /**
230      * The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF,
231      * JENKINS, GITLAB, ALL). Default is HTML.
232      */
233     private final List<String> reportFormats = new ArrayList<>();
234     /**
235      * Whether the JSON and XML reports should be pretty printed; the default is
236      * false.
237      */
238     private Boolean prettyPrint = null;
239 
240     /**
241      * Suppression file paths.
242      */
243     @SuppressWarnings("CanBeFinal")
244     private final List<String> suppressionFiles = new ArrayList<>();
245 
246     /**
     * The path to the hints file.
248      */
249     private String hintsFile;
250     /**
251      * flag indicating whether or not to show a summary of findings.
252      */
253     private boolean showSummary = true;
254     /**
255      * Whether experimental analyzers are enabled.
256      */
257     private Boolean enableExperimental;
258     /**
259      * Whether retired analyzers are enabled.
260      */
261     private Boolean enableRetired;
262     /**
263      * Whether or not the Jar Analyzer is enabled.
264      */
265     private Boolean jarAnalyzerEnabled;
266     /**
267      * Whether or not the Archive Analyzer is enabled.
268      */
269     private Boolean archiveAnalyzerEnabled;
270     /**
271      * Whether or not the .NET Nuspec Analyzer is enabled.
272      */
273     private Boolean nuspecAnalyzerEnabled;
274     /**
275      * Whether or not the .NET Nuget packages.config file Analyzer is enabled.
276      */
277     private Boolean nugetconfAnalyzerEnabled;
278     /**
279      * Whether or not the Libman Analyzer is enabled.
280      */
281     private Boolean libmanAnalyzerEnabled;
282     /**
283      * Whether or not the PHP Composer Analyzer is enabled.
284      */
285     private Boolean composerAnalyzerEnabled;
286     /**
287      * Whether or not the PHP Composer Analyzer will skip "packages-dev".
288      */
289     private Boolean composerAnalyzerSkipDev;
290     /**
291      * Whether or not the Perl CPAN File Analyzer is enabled.
292      */
293     private Boolean cpanfileAnalyzerEnabled;
294 
295     /**
296      * Whether or not the .NET Assembly Analyzer is enabled.
297      */
298     private Boolean assemblyAnalyzerEnabled;
299     /**
300      * Whether or not the MS Build Assembly Analyzer is enabled.
301      */
302     private Boolean msbuildAnalyzerEnabled;
303     /**
304      * Whether the autoconf analyzer should be enabled.
305      */
306     private Boolean autoconfAnalyzerEnabled;
307     /**
308      * Whether the pip analyzer should be enabled.
309      */
310     private Boolean pipAnalyzerEnabled;
311     /**
312      * Whether the Maven install.json analyzer should be enabled.
313      */
314     private Boolean mavenInstallAnalyzerEnabled;
315     /**
316      * Whether the pipfile analyzer should be enabled.
317      */
318     private Boolean pipfileAnalyzerEnabled;
319     /**
320      * Whether the Poetry analyzer should be enabled.
321      */
322     private Boolean poetryAnalyzerEnabled;
323     /**
324      * Sets the path for the mix_audit binary.
325      */
326     private String mixAuditPath;
327     /**
328      * Sets the path for the bundle-audit binary.
329      */
330     private String bundleAuditPath;
331     /**
332      * Sets the path for the working directory that the bundle-audit binary
333      * should be executed from.
334      */
335     private String bundleAuditWorkingDirectory;
336     /**
337      * Whether or not the CocoaPods Analyzer is enabled.
338      */
339     private Boolean cocoapodsAnalyzerEnabled;
340     /**
341      * Whether or not the Carthage Analyzer is enabled.
342      */
343     private Boolean carthageAnalyzerEnabled;
344 
345     /**
346      * Whether or not the Swift package Analyzer is enabled.
347      */
348     private Boolean swiftPackageManagerAnalyzerEnabled;
349     /**
     * Whether or not the Swift Package Resolved Analyzer is enabled.
351      */
352     private Boolean swiftPackageResolvedAnalyzerEnabled;
353 
354     /**
355      * Whether or not the Sonatype OSS Index analyzer is enabled.
356      */
357     private Boolean ossindexAnalyzerEnabled;
358     /**
359      * Whether or not the Sonatype OSS Index analyzer should cache results.
360      */
361     private Boolean ossindexAnalyzerUseCache;
362     /**
363      * URL of the Sonatype OSS Index service.
364      */
365     private String ossindexAnalyzerUrl;
366     /**
367      * The username to use for the Sonatype OSS Index service.
368      */
369     private String ossindexAnalyzerUsername;
370     /**
371      * The password to use for the Sonatype OSS Index service.
372      */
373     private String ossindexAnalyzerPassword;
374     /**
375      * Whether we should only warn about Sonatype OSS Index remote errors
376      * instead of failing completely.
377      */
378     private Boolean ossIndexAnalyzerWarnOnlyOnRemoteErrors;
379 
380     /**
381      * Whether or not the Artifactory Analyzer is enabled.
382      */
383     private Boolean artifactoryAnalyzerEnabled;
384     /**
385      * The URL to Artifactory.
386      */
387     private String artifactoryAnalyzerUrl;
388     /**
     * Whether or not Artifactory analysis should use the proxy.
390      */
391     private Boolean artifactoryAnalyzerUseProxy;
392     /**
393      * Whether or not Artifactory analysis should be parallelized.
394      */
395     private Boolean artifactoryAnalyzerParallelAnalysis;
396     /**
397      * The Artifactory username needed to connect.
398      */
399     private String artifactoryAnalyzerUsername;
400     /**
401      * The Artifactory API token needed to connect.
402      */
403     private String artifactoryAnalyzerApiToken;
404     /**
405      * The Artifactory bearer token.
406      */
407     private String artifactoryAnalyzerBearerToken;
408     /**
409      * Whether the version check is enabled
410      */
411     private Boolean versionCheckEnabled;
412 
413     /**
     * Whether an unused suppression rule should force the build to fail.
415      */
416     private boolean failBuildOnUnusedSuppressionRule = false;
417 
418     /**
419      * The username to download user-authored suppression files from an HTTP Basic auth protected location.
420      */
421     private String suppressionFileUser;
422     /**
423      * The password to download user-authored suppression files from an HTTP Basic auth protected location.
424      */
425     private String suppressionFilePassword;
426     /**
427      * The token to download user-authored suppression files from an HTTP Bearer auth protected location.
428      */
429     private String suppressionFileBearerToken;
430 
431     //region Code copied from org.apache.tools.ant.taskdefs.PathConvert
    //The following code was copied from Apache Ant's PathConvert
433     /**
434      * Path to be converted
435      */
436     private Resources path = null;
437     /**
438      * Reference to path/file set to convert
439      */
440     private Reference refId = null;
441 
442     /**
443      * Add an arbitrary ResourceCollection.
444      *
445      * @param rc the ResourceCollection to add.
446      * @since Ant 1.7
447      */
    public void add(ResourceCollection rc) {
        // A refId and nested resource collections are mutually exclusive ways
        // of supplying the path, so reject nested elements once a refId is set.
        final boolean configuredByReference = isReference();
        if (configuredByReference) {
            throw new BuildException("Nested elements are not allowed when using the refId attribute.");
        }
        final Resources target = getPath();
        target.add(rc);
    }
454 
455     /**
     * Returns the path. This method is synchronized; if the path has not been
     * initialized yet, it instantiates the path object.
458      *
459      * @return the path
460      */
    private synchronized Resources getPath() {
        // Already created: hand back the existing collection.
        if (path != null) {
            return path;
        }
        // First use: create the collection bound to this task's project and
        // turn on its caching flag.
        path = new Resources(getProject());
        path.setCache(true);
        return path;
    }
468 
469     /**
     * Learn whether the refId attribute of this element has been set.
471      *
472      * @return true if refId is valid.
473      */
474     public boolean isReference() {
475         return refId != null;
476     }
477 
478     /**
479      * Add a reference to a Path, FileSet, DirSet, or FileList defined
480      * elsewhere.
481      *
482      * @param r the reference to a path, fileset, dirset or filelist.
483      */
    public synchronized void setRefId(Reference r) {
        // path only becomes non-null after getPath() has run, which add() and
        // dealWithReferences() trigger; from then on a refId is rejected.
        final boolean pathAlreadyCreated = path != null;
        if (pathAlreadyCreated) {
            throw new BuildException("Nested elements are not allowed when using the refId attribute.");
        }
        this.refId = r;
    }
490 
491     /**
492      * If this is a reference, this method will add the referenced resource
493      * collection to the collection of paths.
494      *
495      * @throws BuildException if the reference is not to a resource collection
496      */
497     //declaring a throw that extends runtime exception may be a bad practice
498     //but seems to be an ingrained practice within Ant as even the base `Task`
    //contains an `execute() throws BuildException`.
    @SuppressWarnings("squid:RedundantThrowsDeclarationCheck")
    private void dealWithReferences() throws BuildException {
        if (!isReference()) {
            // No refId was configured, so there is nothing to resolve.
            return;
        }
        final Object referenced = refId.getReferencedObject(getProject());
        if (referenced instanceof ResourceCollection) {
            getPath().add((ResourceCollection) referenced);
            return;
        }
        // The id resolved to something that cannot be used as a path.
        throw new BuildException("refId '" + refId.getRefId()
                + "' does not refer to a resource collection.");
    }
511     //endregion COPIED from org.apache.tools.ant.taskdefs
512 
513     /**
514      * Construct a new DependencyCheckTask.
515      */
    public Check() {
        // The superclass constructor runs implicitly first. The task is then
        // registered before Dependency-Check core logs anything, so that all
        // SLF4J messages from core come through this task's logger.
        AntTaskHolder.setTask(this);
    }
522 
523     /**
524      * Add a suppression file.
525      * <p>
526      * This is called by Ant with the configured {@link SuppressionFile}.
527      *
528      * @param suppressionFile the suppression file to add.
529      */
    public void addConfiguredSuppressionFile(final SuppressionFile suppressionFile) {
        // The configured location goes through resolveRelative before it is
        // appended to the list of suppression files.
        final String configuredPath = suppressionFile.getPath();
        final String resolvedPath = resolveRelative(configuredPath);
        suppressionFiles.add(resolvedPath);
    }
533 
534     /**
535      * Add a report format.
536      * <p>
537      * This is called by Ant with the configured {@link ReportFormat}.
538      *
539      * @param reportFormat the reportFormat to add.
540      */
    public void addConfiguredReportFormat(final ReportFormat reportFormat) {
        // Each nested element contributes one more entry to the format list.
        final String requestedFormat = reportFormat.getFormat();
        reportFormats.add(requestedFormat);
    }
544 
545     /**
546      * Sets whether the version check is enabled.
547      *
548      * @param versionCheckEnabled a Boolean indicating if the version check is
549      * enabled.
550      */
551     public void setVersionCheckEnabled(Boolean versionCheckEnabled) {
552         this.versionCheckEnabled = versionCheckEnabled;
553     }
554 
555     /**
556      * Get the value of projectName.
557      *
558      * @return the value of projectName
559      */
    public String getProjectName() {
        // A null name is replaced by the empty string, and the replacement is
        // stored back so later calls see the same value.
        projectName = (projectName == null) ? "" : projectName;
        return projectName;
    }
566 
567     /**
568      * Set the value of projectName.
569      *
570      * @param projectName new value of projectName
571      */
572     public void setProjectName(String projectName) {
573         this.projectName = projectName;
574     }
575 
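    /**
     * Resolves a configured location against the Ant project's base directory.
     * <p>
     * Absolute file paths are returned unchanged, and so are values that start
     * with an {@code http://}, {@code https://} or {@code file:} scheme. Any
     * other value is treated as a path relative to the project base directory.
     *
     * @param path the configured location; may be {@code null}
     * @return {@code null} when {@code path} is {@code null}, the unchanged
     * value for absolute paths and URLs, otherwise the path under the project
     * base directory
     */
    private String resolveRelative(String path) {
        if (path == null) {
            return null;
        }

        // This class carries credentials for downloading suppression files from
        // HTTP-protected locations, so a suppression file may be given as a URL.
        // A URL is not an absolute java.io.File path; without this guard it
        // would be rewritten into a non-existent path under the base directory.
        // NOTE(review): the set of schemes the core engine accepts is not
        // visible in this file - confirm against the suppression loader.
        if (hasUrlScheme(path)) {
            return path;
        }

        if (new File(path).isAbsolute()) {
            return path;
        }

        return new File(getProject().getBaseDir(), path).getPath();
    }

    /**
     * Tests whether a configured location starts with a URL scheme that must
     * not be treated as a file system path.
     *
     * @param value the non-null configured location
     * @return {@code true} if the value starts with http://, https:// or file:
     * (case-insensitive)
     */
    private static boolean hasUrlScheme(String value) {
        return value.regionMatches(true, 0, "http://", 0, 7)
                || value.regionMatches(true, 0, "https://", 0, 8)
                || value.regionMatches(true, 0, "file:", 0, 5);
    }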
588 
589     /**
590      * Set the value of reportOutputDirectory.
591      *
592      * @param reportOutputDirectory new value of reportOutputDirectory
593      */
    public void setReportOutputDirectory(String reportOutputDirectory) {
        // The stored value is whatever resolveRelative returns for the input.
        final String resolvedDirectory = resolveRelative(reportOutputDirectory);
        this.reportOutputDirectory = resolvedDirectory;
    }
597 
598     /**
     * Set the value of failBuildOnCVSS. The value is stored as given; this
     * setter does not check it against the documented 0 to 11 range.
600      *
601      * @param failBuildOnCVSS new value of failBuildOnCVSS
602      */
603     public void setFailBuildOnCVSS(float failBuildOnCVSS) {
604         this.failBuildOnCVSS = failBuildOnCVSS;
605     }
606 
607     /**
608      * Set the value of junitFailOnCVSS.
609      *
610      * @param junitFailOnCVSS new value of junitFailOnCVSS
611      */
612     public void setJunitFailOnCVSS(float junitFailOnCVSS) {
613         this.junitFailOnCVSS = junitFailOnCVSS;
614     }
615 
616     /**
617      * Set the value of autoUpdate.
618      *
619      * @param autoUpdate new value of autoUpdate
620      */
621     public void setAutoUpdate(Boolean autoUpdate) {
622         this.autoUpdate = autoUpdate;
623     }
624 
625     /**
626      * Set the value of prettyPrint.
627      *
628      * @param prettyPrint new value of prettyPrint
629      */
    public void setPrettyPrint(boolean prettyPrint) {
        // The field is a nullable Boolean initialised to null; box the
        // primitive explicitly when storing it.
        this.prettyPrint = Boolean.valueOf(prettyPrint);
    }
633 
634     /**
635      * Set the value of reportFormat.
636      *
637      * @param reportFormat new value of reportFormat
638      */
    public void setReportFormat(ReportFormats reportFormat) {
        // The attribute value becomes the single default format and is also
        // appended to the list of formats.
        final String selected = reportFormat.getValue();
        this.reportFormat = selected;
        this.reportFormats.add(selected);
    }
643 
644     /**
645      * Get the value of reportFormats.
646      *
647      * @return the value of reportFormats
648      */
    public List<String> getReportFormats() {
        // When nothing has been added, seed the list with the single-format
        // value. The internal list itself is returned, not a copy.
        final boolean noneConfigured = reportFormats.isEmpty();
        if (noneConfigured) {
            reportFormats.add(reportFormat);
        }
        return reportFormats;
    }
655 
656     /**
657      * Set the value of suppressionFile.
658      *
659      * @param suppressionFile new value of suppressionFile
660      */
    public void setSuppressionFile(String suppressionFile) {
        // Each call appends another entry; earlier entries are kept.
        final String resolvedPath = resolveRelative(suppressionFile);
        suppressionFiles.add(resolvedPath);
    }
664 
665     /**
666      * Sets the username to download user-authored suppression files from an HTTP Basic auth protected location.
667      *
668      * @param suppressionFileUser The username
669      */
670     public void setSuppressionFileUser(String suppressionFileUser) {
671         this.suppressionFileUser = suppressionFileUser;
672     }
673 
674     /**
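     * Sets the password/token to download user-authored suppression files from an HTTP Basic auth protected location.
     * The value is held in a plain {@code String} field; supply it through an Ant property defined outside the
     * build file rather than as a literal attribute, so the secret is not committed with the build script.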
676      *
677      * @param suppressionFilePassword The password/token
678      */
679     public void setSuppressionFilePassword(String suppressionFilePassword) {
680         this.suppressionFilePassword = suppressionFilePassword;
681     }
682 
683     /**
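     * Sets the token to download user-authored suppression files from an HTTP Bearer auth protected location.
     * The value is held in a plain {@code String} field; supply it through an Ant property defined outside the
     * build file rather than as a literal attribute, so the secret is not committed with the build script.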
685      *
686      * @param suppressionFileBearerToken The token
687      */
688     public void setSuppressionFileBearerToken(String suppressionFileBearerToken) {
689         this.suppressionFileBearerToken = suppressionFileBearerToken;
690     }
691 
692     /**
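     * Set the value of hintsFile. Unlike {@link #setSuppressionFile(String)} and
     * {@link #setReportOutputDirectory(String)}, the value is stored as given and is
     * not resolved against the project base directory.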
694      *
695      * @param hintsFile new value of hintsFile
696      */
697     public void setHintsFile(String hintsFile) {
698         this.hintsFile = hintsFile;
699     }
700 
701     /**
702      * Set the value of showSummary.
703      *
704      * @param showSummary new value of showSummary
705      */
706     public void setShowSummary(boolean showSummary) {
707         this.showSummary = showSummary;
708     }
709 
710     /**
711      * Set the value of enableExperimental.
712      *
713      * @param enableExperimental new value of enableExperimental
714      */
715     public void setEnableExperimental(Boolean enableExperimental) {
716         this.enableExperimental = enableExperimental;
717     }
718 
719     /**
720      * Set the value of enableRetired.
721      *
722      * @param enableRetired new value of enableRetired
723      */
724     public void setEnableRetired(Boolean enableRetired) {
725         this.enableRetired = enableRetired;
726     }
727 
728     /**
729      * Sets whether or not the analyzer is enabled.
730      *
731      * @param jarAnalyzerEnabled the value of the new setting
732      */
733     public void setJarAnalyzerEnabled(Boolean jarAnalyzerEnabled) {
734         this.jarAnalyzerEnabled = jarAnalyzerEnabled;
735     }
736 
737     /**
738      * Sets whether the analyzer is enabled.
739      *
740      * @param archiveAnalyzerEnabled the value of the new setting
741      */
742     public void setArchiveAnalyzerEnabled(Boolean archiveAnalyzerEnabled) {
743         this.archiveAnalyzerEnabled = archiveAnalyzerEnabled;
744     }
745 
746     /**
747      * Sets whether or not the analyzer is enabled.
748      *
749      * @param assemblyAnalyzerEnabled the value of the new setting
750      */
751     public void setAssemblyAnalyzerEnabled(Boolean assemblyAnalyzerEnabled) {
752         this.assemblyAnalyzerEnabled = assemblyAnalyzerEnabled;
753     }
754 
755     /**
756      * Sets whether or not the analyzer is enabled.
757      *
758      * @param msbuildAnalyzerEnabled the value of the new setting
759      */
760     public void setMSBuildAnalyzerEnabled(Boolean msbuildAnalyzerEnabled) {
761         this.msbuildAnalyzerEnabled = msbuildAnalyzerEnabled;
762     }
763 
764     /**
765      * Sets whether or not the analyzer is enabled.
766      *
767      * @param nuspecAnalyzerEnabled the value of the new setting
768      */
769     public void setNuspecAnalyzerEnabled(Boolean nuspecAnalyzerEnabled) {
770         this.nuspecAnalyzerEnabled = nuspecAnalyzerEnabled;
771     }
772 
773     /**
774      * Sets whether or not the analyzer is enabled.
775      *
776      * @param nugetconfAnalyzerEnabled the value of the new setting
777      */
778     public void setNugetconfAnalyzerEnabled(Boolean nugetconfAnalyzerEnabled) {
779         this.nugetconfAnalyzerEnabled = nugetconfAnalyzerEnabled;
780     }
781 
782     /**
783      * Sets whether or not the analyzer is enabled.
784      *
785      * @param libmanAnalyzerEnabled the value of the new setting
786      */
787     public void setLibmanAnalyzerEnabled(Boolean libmanAnalyzerEnabled) {
788         this.libmanAnalyzerEnabled = libmanAnalyzerEnabled;
789     }
790 
791     /**
792      * Set the value of composerAnalyzerEnabled.
793      *
794      * @param composerAnalyzerEnabled new value of composerAnalyzerEnabled
795      */
796     public void setComposerAnalyzerEnabled(Boolean composerAnalyzerEnabled) {
797         this.composerAnalyzerEnabled = composerAnalyzerEnabled;
798     }
799 
800     /**
801      * Set the value of composerAnalyzerSkipDev.
802      *
803      * @param composerAnalyzerSkipDev new value of composerAnalyzerSkipDev
804      */
805     public void setComposerAnalyzerSkipDev(Boolean composerAnalyzerSkipDev) {
806         this.composerAnalyzerSkipDev = composerAnalyzerSkipDev;
807     }
808 
809     /**
810      * Set the value of cpanfileAnalyzerEnabled.
811      *
812      * @param cpanfileAnalyzerEnabled new value of cpanfileAnalyzerEnabled
813      */
814     public void setCpanfileAnalyzerEnabled(Boolean cpanfileAnalyzerEnabled) {
815         this.cpanfileAnalyzerEnabled = cpanfileAnalyzerEnabled;
816     }
817 
818     /**
819      * Set the value of autoconfAnalyzerEnabled.
820      *
821      * @param autoconfAnalyzerEnabled new value of autoconfAnalyzerEnabled
822      */
823     public void setAutoconfAnalyzerEnabled(Boolean autoconfAnalyzerEnabled) {
824         this.autoconfAnalyzerEnabled = autoconfAnalyzerEnabled;
825     }
826 
827     /**
828      * Set the value of pipAnalyzerEnabled.
829      *
830      * @param pipAnalyzerEnabled new value of pipAnalyzerEnabled
831      */
832     public void setPipAnalyzerEnabled(Boolean pipAnalyzerEnabled) {
833         this.pipAnalyzerEnabled = pipAnalyzerEnabled;
834     }
835 
836     /**
837      * Set the value of pipfileAnalyzerEnabled.
838      *
839      * @param pipfileAnalyzerEnabled new value of pipfileAnalyzerEnabled
840      */
841     public void setPipfileAnalyzerEnabled(Boolean pipfileAnalyzerEnabled) {
842         this.pipfileAnalyzerEnabled = pipfileAnalyzerEnabled;
843     }
844 
845     /**
846      * Set the value of poetryAnalyzerEnabled.
847      *
848      * @param poetryAnalyzerEnabled new value of poetryAnalyzerEnabled
849      */
850     public void setPoetryAnalyzerEnabled(Boolean poetryAnalyzerEnabled) {
851         this.poetryAnalyzerEnabled = poetryAnalyzerEnabled;
852     }
853 
854     /**
855      * Sets if the Bundle Audit Analyzer is enabled.
856      *
857      * @param bundleAuditAnalyzerEnabled whether or not the analyzer should be
858      * enabled
859      */
860     public void setBundleAuditAnalyzerEnabled(Boolean bundleAuditAnalyzerEnabled) {
861         this.bundleAuditAnalyzerEnabled = bundleAuditAnalyzerEnabled;
862     }
863 
864     /**
865      * Sets the path to the bundle audit executable.
866      *
867      * @param bundleAuditPath the path to the bundle audit executable
868      */
869     public void setBundleAuditPath(String bundleAuditPath) {
870         this.bundleAuditPath = bundleAuditPath;
871     }
872 
873     /**
874      * Sets the path to the working directory that the bundle audit executable
875      * should be executed from.
876      *
877      * @param bundleAuditWorkingDirectory the path to the working directory that
878      * the bundle audit executable should be executed from.
879      */
880     public void setBundleAuditWorkingDirectory(String bundleAuditWorkingDirectory) {
881         this.bundleAuditWorkingDirectory = bundleAuditWorkingDirectory;
882     }
883 
884     /**
885      * Sets whether or not the cocoapods analyzer is enabled.
886      *
887      * @param cocoapodsAnalyzerEnabled the state of the cocoapods analyzer
888      */
889     public void setCocoapodsAnalyzerEnabled(Boolean cocoapodsAnalyzerEnabled) {
890         this.cocoapodsAnalyzerEnabled = cocoapodsAnalyzerEnabled;
891     }
892 
893     /**
894      * Sets whether or not the Carthage analyzer is enabled.
895      *
896      * @param carthageAnalyzerEnabled the state of the Carthage analyzer
897      */
898     public void setCarthageAnalyzerEnabled(Boolean carthageAnalyzerEnabled) {
899         this.carthageAnalyzerEnabled = carthageAnalyzerEnabled;
900     }
901 
902     /**
903      * Sets the enabled state of the swift package manager analyzer.
904      *
905      * @param swiftPackageManagerAnalyzerEnabled the enabled state of the swift
906      * package manager
907      */
    public void setSwiftPackageManagerAnalyzerEnabled(Boolean swiftPackageManagerAnalyzerEnabled) {
        // Forwarded to Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED by populateSettings()
        // via setBooleanIfNotNull.
        this.swiftPackageManagerAnalyzerEnabled = swiftPackageManagerAnalyzerEnabled;
    }
911 
912     /**
913      * Sets the enabled state of the swift package resolved analyzer.
914      *
915      * @param swiftPackageResolvedAnalyzerEnabled the enabled state of the swift
916      * package resolved analyzer
917      */
    public void setSwiftPackageResolvedAnalyzerEnabled(Boolean swiftPackageResolvedAnalyzerEnabled) {
        // Forwarded to Settings.KEYS.ANALYZER_SWIFT_PACKAGE_RESOLVED_ENABLED by populateSettings()
        // via setBooleanIfNotNull; a separate switch from the swift package manager analyzer.
        this.swiftPackageResolvedAnalyzerEnabled = swiftPackageResolvedAnalyzerEnabled;
    }
921 
922     /**
923      * Set the value of opensslAnalyzerEnabled.
924      *
925      * @param opensslAnalyzerEnabled new value of opensslAnalyzerEnabled
926      */
    public void setOpensslAnalyzerEnabled(Boolean opensslAnalyzerEnabled) {
        // Forwarded to Settings.KEYS.ANALYZER_OPENSSL_ENABLED by populateSettings() via setBooleanIfNotNull.
        this.opensslAnalyzerEnabled = opensslAnalyzerEnabled;
    }
930 
931     /**
932      * Set the value of nodeAnalyzerEnabled.
933      *
934      * @param nodeAnalyzerEnabled new value of nodeAnalyzerEnabled
935      */
    public void setNodeAnalyzerEnabled(Boolean nodeAnalyzerEnabled) {
        // Forwarded to Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED (note the key name differs from the
        // attribute name) by populateSettings() via setBooleanIfNotNull.
        this.nodeAnalyzerEnabled = nodeAnalyzerEnabled;
    }
939 
940     /**
941      * Set the value of nodeAuditAnalyzerEnabled.
942      *
943      * @param nodeAuditAnalyzerEnabled new value of nodeAuditAnalyzerEnabled
944      */
    public void setNodeAuditAnalyzerEnabled(Boolean nodeAuditAnalyzerEnabled) {
        // Forwarded to Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED by populateSettings() via setBooleanIfNotNull.
        this.nodeAuditAnalyzerEnabled = nodeAuditAnalyzerEnabled;
    }
948 
949     /**
950      * Set the value of yarnAuditAnalyzerEnabled.
951      *
952      * @param yarnAuditAnalyzerEnabled new value of yarnAuditAnalyzerEnabled
953      */
    public void setYarnAuditAnalyzerEnabled(Boolean yarnAuditAnalyzerEnabled) {
        // Forwarded to Settings.KEYS.ANALYZER_YARN_AUDIT_ENABLED by populateSettings() via setBooleanIfNotNull.
        this.yarnAuditAnalyzerEnabled = yarnAuditAnalyzerEnabled;
    }
957 
958     /**
959      * Set the value of pnpmAuditAnalyzerEnabled.
960      *
961      * @param pnpmAuditAnalyzerEnabled new value of pnpmAuditAnalyzerEnabled
962      */
    public void setPnpmAuditAnalyzerEnabled(Boolean pnpmAuditAnalyzerEnabled) {
        // Forwarded to Settings.KEYS.ANALYZER_PNPM_AUDIT_ENABLED by populateSettings() via setBooleanIfNotNull.
        this.pnpmAuditAnalyzerEnabled = pnpmAuditAnalyzerEnabled;
    }
966 
967     /**
968      * Set the value of nodeAuditAnalyzerUseCache.
969      *
970      * @param nodeAuditAnalyzerUseCache new value of nodeAuditAnalyzerUseCache
971      */
    public void setNodeAuditAnalyzerUseCache(Boolean nodeAuditAnalyzerUseCache) {
        // Forwarded to Settings.KEYS.ANALYZER_NODE_AUDIT_USE_CACHE by populateSettings() via setBooleanIfNotNull.
        this.nodeAuditAnalyzerUseCache = nodeAuditAnalyzerUseCache;
    }
975 
976     /**
977      * Set the value of nodePackageSkipDevDependencies.
978      *
979      * @param nodePackageSkipDevDependencies new value of
980      * nodePackageSkipDevDependencies
981      */
    public void setNodePackageSkipDevDependencies(Boolean nodePackageSkipDevDependencies) {
        // Forwarded to Settings.KEYS.ANALYZER_NODE_PACKAGE_SKIPDEV by populateSettings() via setBooleanIfNotNull.
        // NOTE(review): presumably removes devDependencies from the node package results; those
        // packages still execute on build machines, so enable this deliberately — confirm the
        // analyzer's exact behaviour.
        this.nodePackageSkipDevDependencies = nodePackageSkipDevDependencies;
    }
985 
986     /**
987      * Set the value of nodeAuditSkipDevDependencies.
988      *
989      * @param nodeAuditSkipDevDependencies new value of
990      * nodeAuditSkipDevDependencies
991      */
    public void setNodeAuditSkipDevDependencies(Boolean nodeAuditSkipDevDependencies) {
        // Forwarded to Settings.KEYS.ANALYZER_NODE_AUDIT_SKIPDEV by populateSettings() via setBooleanIfNotNull.
        // NOTE(review): presumably narrows the audit to non-dev dependencies, which reduces
        // coverage — confirm the analyzer's exact behaviour before relying on it.
        this.nodeAuditSkipDevDependencies = nodeAuditSkipDevDependencies;
    }
995 
996     /**
997      * Set the value of retirejsFilterNonVulnerable.
998      *
999      * @param retireJsFilterNonVulnerable new value of
1000      * retirejsFilterNonVulnerable
1001      * @deprecated Use {@link #setRetireJsFilterNonVulnerable(Boolean)} instead.
1002      */
    @Deprecated
    public void setRetirejsFilterNonVulnerable(Boolean retireJsFilterNonVulnerable) {
        // Legacy spelling of the attribute: warn, then store into the same field the
        // camel-cased setter uses.
        final String migrationNotice =
                "'retirejsFilterNonVulnerable' is deprecated and may be removed in the next major release, please migrate to 'retireJsFilterNonVulnerable'";
        log(migrationNotice, Project.MSG_WARN);
        this.retireJsFilterNonVulnerable = retireJsFilterNonVulnerable;
    }
1009 
1010     /**
1011      * Set the value of retireJsFilterNonVulnerable.
1012      *
1013      * @param retireJsFilterNonVulnerable new value of
1014      * retireJsFilterNonVulnerable
1015      */
    public void setRetireJsFilterNonVulnerable(Boolean retireJsFilterNonVulnerable) {
        // Forwarded to Settings.KEYS.ANALYZER_RETIREJS_FILTER_NON_VULNERABLE by populateSettings()
        // via setBooleanIfNotNull. The deprecated setRetirejsFilterNonVulnerable writes this same field.
        this.retireJsFilterNonVulnerable = retireJsFilterNonVulnerable;
    }
1019 
1020     /**
1021      * Add a regular expression to the set of retire JS content filters.
1022      * <p>
1023      * This is called by Ant.
1024      *
1025      * @param retireJsFilter the regular expression used to filter based on file
1026      * content
1027      * @deprecated Use {@link #addConfiguredRetireJsFilter(RetirejsFilter)} instead.
1028      */
    @Deprecated
    public void addConfiguredRetirejsFilter(final RetirejsFilter retireJsFilter) {
        // Legacy element name: warn, then append the pattern text to the shared filter list.
        final String migrationNotice =
                "'retirejsFilter' is deprecated and may be removed in the next major release, please migrate to 'retireJsFilter'";
        log(migrationNotice, Project.MSG_WARN);
        final String pattern = retireJsFilter.getRegex();
        retireJsFilters.add(pattern);
    }
1035 
1036     /**
1037      * Add a regular expression to the set of retire JS content filters.
1038      * <p>
1039      * This is called by Ant.
1040      *
1041      * @param retireJsFilter the regular expression used to filter based on file
1042      * content
1043      */
    public void addConfiguredRetireJsFilter(final RetirejsFilter retireJsFilter) {
        // The pattern is kept as text and is neither compiled nor checked here; the list is later
        // forwarded as Settings.KEYS.ANALYZER_RETIREJS_FILTERS by populateSettings().
        // NOTE(review): a null getRegex() result would be added as-is, and each filter presumably
        // excludes matching files from analysis — keep the patterns narrow; confirm in the analyzer.
        retireJsFilters.add(retireJsFilter.getRegex());
    }
1047 
1048     /**
1049      * Set the value of rubygemsAnalyzerEnabled.
1050      *
1051      * @param rubygemsAnalyzerEnabled new value of rubygemsAnalyzerEnabled
1052      */
    public void setRubygemsAnalyzerEnabled(Boolean rubygemsAnalyzerEnabled) {
        // Forwarded to Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED by populateSettings() via setBooleanIfNotNull.
        this.rubygemsAnalyzerEnabled = rubygemsAnalyzerEnabled;
    }
1056 
1057     /**
1058      * Set the value of pyPackageAnalyzerEnabled.
1059      *
1060      * @param pyPackageAnalyzerEnabled new value of pyPackageAnalyzerEnabled
1061      */
    public void setPyPackageAnalyzerEnabled(Boolean pyPackageAnalyzerEnabled) {
        // Forwarded to Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED by populateSettings() via setBooleanIfNotNull.
        this.pyPackageAnalyzerEnabled = pyPackageAnalyzerEnabled;
    }
1065 
1066     /**
1067      * Set the value of pyDistributionAnalyzerEnabled.
1068      *
1069      * @param pyDistributionAnalyzerEnabled new value of
1070      * pyDistributionAnalyzerEnabled
1071      */
    public void setPyDistributionAnalyzerEnabled(Boolean pyDistributionAnalyzerEnabled) {
        // Forwarded to Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED by populateSettings()
        // via setBooleanIfNotNull.
        this.pyDistributionAnalyzerEnabled = pyDistributionAnalyzerEnabled;
    }
1075 
1076     /**
1077      * Set the value of mixAuditAnalyzerEnabled.
1078      *
1079      * @param mixAuditAnalyzerEnabled new value of mixAuditAnalyzerEnabled
1080      */
    public void setMixAuditAnalyzerEnabled(Boolean mixAuditAnalyzerEnabled) {
        // Forwarded to Settings.KEYS.ANALYZER_MIX_AUDIT_ENABLED by populateSettings() via setBooleanIfNotNull.
        this.mixAuditAnalyzerEnabled = mixAuditAnalyzerEnabled;
    }
1084 
1085     /**
1086      * Sets the path to the mix audit executable.
1087      *
1088      * @param mixAuditPath the path to the mix audit executable
1089      */
    public void setMixAuditPath(String mixAuditPath) {
        // Stored unvalidated; populateSettings() forwards it as Settings.KEYS.ANALYZER_MIX_AUDIT_PATH
        // via setStringIfNotNull.
        // NOTE(review): this names a program the analyzer will presumably launch, so the build file
        // that sets it has to be trusted input — confirm how the path is resolved.
        this.mixAuditPath = mixAuditPath;
    }
1093     /**
1094      * Set the value of centralAnalyzerEnabled.
1095      *
1096      * @param centralAnalyzerEnabled new value of centralAnalyzerEnabled
1097      */
    public void setCentralAnalyzerEnabled(Boolean centralAnalyzerEnabled) {
        // Forwarded to Settings.KEYS.ANALYZER_CENTRAL_ENABLED by populateSettings() via setBooleanIfNotNull.
        this.centralAnalyzerEnabled = centralAnalyzerEnabled;
    }
1101 
1102     /**
1103      * Set the value of centralAnalyzerUseCache.
1104      *
1105      * @param centralAnalyzerUseCache new value of centralAnalyzerUseCache
1106      */
    public void setCentralAnalyzerUseCache(Boolean centralAnalyzerUseCache) {
        // Forwarded to Settings.KEYS.ANALYZER_CENTRAL_USE_CACHE by populateSettings() via setBooleanIfNotNull.
        this.centralAnalyzerUseCache = centralAnalyzerUseCache;
    }
1110 
1111     /**
1112      * Set the value of nexusAnalyzerEnabled.
1113      *
1114      * @param nexusAnalyzerEnabled new value of nexusAnalyzerEnabled
1115      */
    public void setNexusAnalyzerEnabled(Boolean nexusAnalyzerEnabled) {
        // Forwarded to Settings.KEYS.ANALYZER_NEXUS_ENABLED by populateSettings() via setBooleanIfNotNull.
        this.nexusAnalyzerEnabled = nexusAnalyzerEnabled;
    }
1119 
1120     /**
1121      * Set the value of golangDepEnabled.
1122      *
1123      * @param golangDepEnabled new value of golangDepEnabled
1124      */
    public void setGolangDepEnabled(Boolean golangDepEnabled) {
        // Forwarded to Settings.KEYS.ANALYZER_GOLANG_DEP_ENABLED by populateSettings() via setBooleanIfNotNull.
        this.golangDepEnabled = golangDepEnabled;
    }
1128 
1129     /**
1130      * Set the value of golangModEnabled.
1131      *
1132      * @param golangModEnabled new value of golangModEnabled
1133      */
    public void setGolangModEnabled(Boolean golangModEnabled) {
        // Forwarded to Settings.KEYS.ANALYZER_GOLANG_MOD_ENABLED by populateSettings() via setBooleanIfNotNull.
        this.golangModEnabled = golangModEnabled;
    }
1137 
1138     /**
1139      * Set the value of dartAnalyzerEnabled.
1140      *
1141      * @param dartAnalyzerEnabled new value of dartAnalyzerEnabled
1142      */
    public void setDartAnalyzerEnabled(Boolean dartAnalyzerEnabled) {
        // Forwarded to Settings.KEYS.ANALYZER_DART_ENABLED by populateSettings() via setBooleanIfNotNull.
        this.dartAnalyzerEnabled = dartAnalyzerEnabled;
    }
1146 
1147     /**
1148      * Set the value of pathToYarn.
1149      *
1150      * @param pathToYarn new value of pathToYarn
1151      */
    public void setPathToYarn(String pathToYarn) {
        // Stored unvalidated; populateSettings() forwards it as Settings.KEYS.ANALYZER_YARN_PATH
        // via setStringIfNotNull.
        // NOTE(review): presumably the yarn binary the yarn audit analyzer launches; treat the
        // build file that sets it as trusted input — confirm how the path is resolved.
        this.pathToYarn = pathToYarn;
    }
1155 
1156     /**
1157      * Set the value of pathToPnpm.
1158      *
1159      * @param pathToPnpm new value of pathToPnpm
1160      */
    public void setPathToPnpm(String pathToPnpm) {
        // Stored unvalidated; populateSettings() forwards it as Settings.KEYS.ANALYZER_PNPM_PATH
        // via setStringIfNotNull.
        // NOTE(review): presumably the pnpm binary the pnpm audit analyzer launches; treat the
        // build file that sets it as trusted input — confirm how the path is resolved.
        this.pathToPnpm = pathToPnpm;
    }
1164 
1165     /**
1166      * Set the value of pathToGo.
1167      *
1168      * @param pathToGo new value of pathToGo
1169      */
    public void setPathToGo(String pathToGo) {
        // Stored unvalidated; populateSettings() forwards it as Settings.KEYS.ANALYZER_GOLANG_PATH
        // via setStringIfNotNull.
        // NOTE(review): presumably the go binary the golang analyzers launch; treat the build
        // file that sets it as trusted input — confirm how the path is resolved.
        this.pathToGo = pathToGo;
    }
1173 
1174     /**
1175      * Set the value of nexusUrl.
1176      *
1177      * @param nexusUrl new value of nexusUrl
1178      */
    public void setNexusUrl(String nexusUrl) {
        // No scheme or host validation happens here; forwarded as Settings.KEYS.ANALYZER_NEXUS_URL
        // by populateSettings() via setStringIfNotEmpty.
        // NOTE(review): the nexusUser/nexusPassword configured alongside are presumably presented
        // to this endpoint, so it should be an https URL of a server you trust — confirm.
        this.nexusUrl = nexusUrl;
    }
1182 
1183     /**
1184      * Set the value of nexusUser.
1185      *
1186      * @param nexusUser new value of nexusUser
1187      */
    public void setNexusUser(String nexusUser) {
        // Forwarded as Settings.KEYS.ANALYZER_NEXUS_USER by populateSettings() via setStringIfNotEmpty.
        this.nexusUser = nexusUser;
    }
1191 
1192     /**
1193      * Set the value of nexusPassword.
1194      *
1195      * @param nexusPassword new value of nexusPassword
1196      */
    public void setNexusPassword(String nexusPassword) {
        // Credential held as a plain String; forwarded as Settings.KEYS.ANALYZER_NEXUS_PASSWORD
        // by populateSettings() via setStringIfNotEmpty.
        // NOTE(review): supply the value through an Ant property sourced outside version control
        // rather than a literal in the build file, and keep it out of verbose build logs.
        this.nexusPassword = nexusPassword;
    }
1200 
1201     /**
1202      * Set the value of nexusUsesProxy.
1203      *
1204      * @param nexusUsesProxy new value of nexusUsesProxy
1205      */
    public void setNexusUsesProxy(Boolean nexusUsesProxy) {
        // Forwarded to Settings.KEYS.ANALYZER_NEXUS_USES_PROXY by populateSettings() via setBooleanIfNotNull.
        this.nexusUsesProxy = nexusUsesProxy;
    }
1209 
1210     /**
1211      * Set the value of zipExtensions.
1212      *
1213      * @param zipExtensions new value of zipExtensions
1214      */
    public void setZipExtensions(String zipExtensions) {
        // Forwarded as Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS by populateSettings() via
        // setStringIfNotEmpty; the expected list format is not visible in this file.
        this.zipExtensions = zipExtensions;
    }
1218 
1219     /**
1220      * Set the value of pathToCore.
1221      *
1222      * @param pathToCore new value of pathToCore
1223      */
    public void setPathToDotnetCore(String pathToCore) {
        // The Ant attribute is 'pathToDotnetCore' while the field is 'pathToCore'; populateSettings()
        // forwards it as Settings.KEYS.ANALYZER_ASSEMBLY_DOTNET_PATH via setStringIfNotEmpty.
        // NOTE(review): presumably the dotnet executable the assembly analyzer launches; treat the
        // build file that sets it as trusted input — confirm how the path is resolved.
        this.pathToCore = pathToCore;
    }
1227 
1228     /**
1229      * Set value of {@link #ossindexAnalyzerEnabled}.
1230      *
1231      * @param ossindexAnalyzerEnabled new value of ossindexAnalyzerEnabled
1232      * @deprecated Use {@link #setOssIndexAnalyzerEnabled(Boolean)} instead.
1233      */
    @Deprecated
    public void setOssindexAnalyzerEnabled(Boolean ossindexAnalyzerEnabled) {
        // Legacy spelling of the attribute: warn, then store into the field shared with
        // setOssIndexAnalyzerEnabled.
        final String migrationNotice =
                "'ossindexAnalyzerEnabled' is deprecated and may be removed in the next major release, please migrate to 'ossIndexAnalyzerEnabled'";
        log(migrationNotice, Project.MSG_WARN);
        this.ossindexAnalyzerEnabled = ossindexAnalyzerEnabled;
    }
1240 
1241     /**
1242      * Set value of ossIndexAnalyzerEnabled.
1243      *
1244      * @param ossIndexAnalyzerEnabled new value of ossIndexAnalyzerEnabled
1245      */
    public void setOssIndexAnalyzerEnabled(Boolean ossIndexAnalyzerEnabled) {
        // Writes the lower-cased field that the deprecated setOssindexAnalyzerEnabled also writes,
        // so if both attributes are given the one applied last wins. Forwarded to
        // Settings.KEYS.ANALYZER_OSSINDEX_ENABLED by populateSettings().
        this.ossindexAnalyzerEnabled = ossIndexAnalyzerEnabled;
    }
1249 
1250     /**
1251      * Set value of {@link #ossindexAnalyzerUseCache}.
1252      *
1253      * @param ossindexAnalyzerUseCache new value of ossindexAnalyzerUseCache
1254      * @deprecated Use {@link #setOssIndexAnalyzerUseCache(Boolean)} instead.
1255      */
    @Deprecated
    public void setOssindexAnalyzerUseCache(Boolean ossindexAnalyzerUseCache) {
        // Legacy spelling of the attribute: warn, then store into the field shared with
        // setOssIndexAnalyzerUseCache.
        final String migrationNotice =
                "'ossindexAnalyzerUseCache' is deprecated and may be removed in the next major release, please migrate to 'ossIndexAnalyzerUseCache'";
        log(migrationNotice, Project.MSG_WARN);
        this.ossindexAnalyzerUseCache = ossindexAnalyzerUseCache;
    }
1262 
1263     /**
1264      * Set value of ossIndexAnalyzerUseCache.
1265      *
1266      * @param ossIndexAnalyzerUseCache new value of ossIndexAnalyzerUseCache
1267      */
    public void setOssIndexAnalyzerUseCache(Boolean ossIndexAnalyzerUseCache) {
        // Writes the lower-cased field that the deprecated setOssindexAnalyzerUseCache also writes.
        // Forwarded to Settings.KEYS.ANALYZER_OSSINDEX_USE_CACHE by populateSettings().
        this.ossindexAnalyzerUseCache = ossIndexAnalyzerUseCache;
    }
1271 
1272     /**
1273      * Set value of {@link #ossindexAnalyzerUrl}.
1274      *
1275      * @param ossindexAnalyzerUrl new value of ossindexAnalyzerUrl
1276      * @deprecated Use {@link #setOssIndexAnalyzerUrl(String)} instead.
1277      */
    @Deprecated
    public void setOssindexAnalyzerUrl(String ossindexAnalyzerUrl) {
        // Legacy spelling of the attribute: warn, then store into the field shared with
        // setOssIndexAnalyzerUrl. The URL is not validated here.
        final String migrationNotice =
                "'ossindexAnalyzerUrl' is deprecated and may be removed in the next major release, please migrate to 'ossIndexAnalyzerUrl'";
        log(migrationNotice, Project.MSG_WARN);
        this.ossindexAnalyzerUrl = ossindexAnalyzerUrl;
    }
1284 
1285     /**
1286      * Set value of ossIndexAnalyzerUrl.
1287      *
1288      * @param ossIndexAnalyzerUrl new value of ossIndexAnalyzerUrl
1289      */
    public void setOssIndexAnalyzerUrl(String ossIndexAnalyzerUrl) {
        // No scheme or host validation happens here; forwarded as Settings.KEYS.ANALYZER_OSSINDEX_URL
        // by populateSettings() via setStringIfNotEmpty.
        // NOTE(review): the OSS Index username/password configured alongside are presumably
        // presented to this endpoint, so an override should be an https URL you trust — confirm.
        this.ossindexAnalyzerUrl = ossIndexAnalyzerUrl;
    }
1293 
1294     /**
1295      * Set value of {@link #ossindexAnalyzerUsername}.
1296      *
1297      * @param ossindexAnalyzerUsername new value of ossindexAnalyzerUsername
1298      * @deprecated Use {@link #setOssIndexAnalyzerUsername(String)} instead.
1299      */
    @Deprecated
    public void setOssindexAnalyzerUsername(String ossindexAnalyzerUsername) {
        // Legacy spelling of the attribute: warn, then store into the field shared with
        // setOssIndexAnalyzerUsername.
        final String migrationNotice =
                "'ossindexAnalyzerUsername' is deprecated and may be removed in the next major release, please migrate to 'ossIndexAnalyzerUsername'";
        log(migrationNotice, Project.MSG_WARN);
        this.ossindexAnalyzerUsername = ossindexAnalyzerUsername;
    }
1306 
1307     /**
1308      * Set value of ossIndexAnalyzerUsername.
1309      *
1310      * @param ossIndexAnalyzerUsername new value of ossIndexAnalyzerUsername
1311      */
    public void setOssIndexAnalyzerUsername(String ossIndexAnalyzerUsername) {
        // Writes the lower-cased field that the deprecated setOssindexAnalyzerUsername also writes.
        // Forwarded as Settings.KEYS.ANALYZER_OSSINDEX_USER by populateSettings().
        this.ossindexAnalyzerUsername = ossIndexAnalyzerUsername;
    }
1315 
1316     /**
1317      * Set value of {@link #ossindexAnalyzerPassword}.
1318      *
1319      * @param ossindexAnalyzerPassword new value of ossindexAnalyzerPassword
1320      * @deprecated Use {@link #setOssIndexAnalyzerPassword(String)} instead.
1321      */
    @Deprecated
    public void setOssindexAnalyzerPassword(String ossindexAnalyzerPassword) {
        // Legacy spelling of the attribute: warn, then store into the field shared with
        // setOssIndexAnalyzerPassword. Only the attribute name is logged, never the value.
        final String migrationNotice =
                "'ossindexAnalyzerPassword' is deprecated and may be removed in the next major release, please migrate to 'ossIndexAnalyzerPassword'";
        log(migrationNotice, Project.MSG_WARN);
        this.ossindexAnalyzerPassword = ossindexAnalyzerPassword;
    }
1328 
1329     /**
1330      * Set value of ossIndexAnalyzerPassword.
1331      *
1332      * @param ossIndexAnalyzerPassword new value of ossIndexAnalyzerPassword
1333      */
    public void setOssIndexAnalyzerPassword(String ossIndexAnalyzerPassword) {
        // Credential held as a plain String in the field shared with the deprecated setter;
        // forwarded as Settings.KEYS.ANALYZER_OSSINDEX_PASSWORD by populateSettings().
        // NOTE(review): supply the value through an Ant property sourced outside version control
        // rather than a literal in the build file, and keep it out of verbose build logs.
        this.ossindexAnalyzerPassword = ossIndexAnalyzerPassword;
    }
1337 
1338     /**
1339      * Set value of {@link #ossIndexAnalyzerWarnOnlyOnRemoteErrors}.
1340      *
1341      * @param ossIndexWarnOnlyOnRemoteErrors the value of
1342      * ossIndexWarnOnlyOnRemoteErrors
1343      */
    public void setOssIndexWarnOnlyOnRemoteErrors(Boolean ossIndexWarnOnlyOnRemoteErrors) {
        // Forwarded to Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS by populateSettings().
        // NOTE(review): presumably downgrades OSS Index remote failures to warnings, in which case
        // a scan can finish without OSS Index data; when enabled, watch the build log for that
        // warning instead of treating a green build as full coverage — confirm in the analyzer.
        this.ossIndexAnalyzerWarnOnlyOnRemoteErrors = ossIndexWarnOnlyOnRemoteErrors;
    }
1347 
1348     /**
1349      * Set the value of cmakeAnalyzerEnabled.
1350      *
1351      * @param cmakeAnalyzerEnabled new value of cmakeAnalyzerEnabled
1352      */
    public void setCmakeAnalyzerEnabled(Boolean cmakeAnalyzerEnabled) {
        // Forwarded to Settings.KEYS.ANALYZER_CMAKE_ENABLED by populateSettings() via setBooleanIfNotNull.
        this.cmakeAnalyzerEnabled = cmakeAnalyzerEnabled;
    }
1356 
1357     /**
1358      * Set the value of artifactoryAnalyzerEnabled.
1359      *
1360      * @param artifactoryAnalyzerEnabled new value of artifactoryAnalyzerEnabled
1361      */
    public void setArtifactoryAnalyzerEnabled(Boolean artifactoryAnalyzerEnabled) {
        // Forwarded to Settings.KEYS.ANALYZER_ARTIFACTORY_ENABLED by populateSettings() via setBooleanIfNotNull.
        this.artifactoryAnalyzerEnabled = artifactoryAnalyzerEnabled;
    }
1365 
1366     /**
1367      * Set the value of artifactoryAnalyzerUrl.
1368      *
1369      * @param artifactoryAnalyzerUrl new value of artifactoryAnalyzerUrl
1370      */
    public void setArtifactoryAnalyzerUrl(String artifactoryAnalyzerUrl) {
        // No scheme or host validation happens here; forwarded as
        // Settings.KEYS.ANALYZER_ARTIFACTORY_URL by populateSettings() via setStringIfNotEmpty.
        // NOTE(review): the Artifactory username and tokens configured alongside are presumably
        // presented to this endpoint, so it should be an https URL of a server you trust — confirm.
        this.artifactoryAnalyzerUrl = artifactoryAnalyzerUrl;
    }
1374 
1375     /**
1376      * Set the value of artifactoryAnalyzerUseProxy.
1377      *
1378      * @param artifactoryAnalyzerUseProxy new value of
1379      * artifactoryAnalyzerUseProxy
1380      */
    public void setArtifactoryAnalyzerUseProxy(Boolean artifactoryAnalyzerUseProxy) {
        // Forwarded to Settings.KEYS.ANALYZER_ARTIFACTORY_USES_PROXY by populateSettings()
        // via setBooleanIfNotNull.
        this.artifactoryAnalyzerUseProxy = artifactoryAnalyzerUseProxy;
    }
1384 
1385     /**
1386      * Set the value of artifactoryAnalyzerParallelAnalysis.
1387      *
1388      * @param artifactoryAnalyzerParallelAnalysis new value of
1389      * artifactoryAnalyzerParallelAnalysis
1390      */
    public void setArtifactoryAnalyzerParallelAnalysis(Boolean artifactoryAnalyzerParallelAnalysis) {
        // Forwarded to Settings.KEYS.ANALYZER_ARTIFACTORY_PARALLEL_ANALYSIS by populateSettings()
        // via setBooleanIfNotNull.
        this.artifactoryAnalyzerParallelAnalysis = artifactoryAnalyzerParallelAnalysis;
    }
1394 
1395     /**
1396      * Set the value of artifactoryAnalyzerUsername.
1397      *
1398      * @param artifactoryAnalyzerUsername new value of
1399      * artifactoryAnalyzerUsername
1400      */
    public void setArtifactoryAnalyzerUsername(String artifactoryAnalyzerUsername) {
        // Forwarded as Settings.KEYS.ANALYZER_ARTIFACTORY_API_USERNAME by populateSettings()
        // via setStringIfNotEmpty.
        this.artifactoryAnalyzerUsername = artifactoryAnalyzerUsername;
    }
1404 
1405     /**
1406      * Set the value of artifactoryAnalyzerApiToken.
1407      *
1408      * @param artifactoryAnalyzerApiToken new value of
1409      * artifactoryAnalyzerApiToken
1410      */
    public void setArtifactoryAnalyzerApiToken(String artifactoryAnalyzerApiToken) {
        // Credential held as a plain String; forwarded as Settings.KEYS.ANALYZER_ARTIFACTORY_API_TOKEN
        // by populateSettings() via setStringIfNotEmpty.
        // NOTE(review): supply the token through an Ant property sourced outside version control
        // rather than a literal in the build file, and scope it to read-only access where possible.
        this.artifactoryAnalyzerApiToken = artifactoryAnalyzerApiToken;
    }
1414 
1415     /**
1416      * Set the value of artifactoryAnalyzerBearerToken.
1417      *
1418      * @param artifactoryAnalyzerBearerToken new value of
1419      * artifactoryAnalyzerBearerToken
1420      */
    public void setArtifactoryAnalyzerBearerToken(String artifactoryAnalyzerBearerToken) {
        // Credential held as a plain String; forwarded as
        // Settings.KEYS.ANALYZER_ARTIFACTORY_BEARER_TOKEN by populateSettings() via setStringIfNotEmpty.
        // NOTE(review): supply the token through an Ant property sourced outside version control
        // rather than a literal in the build file, and scope it to read-only access where possible.
        this.artifactoryAnalyzerBearerToken = artifactoryAnalyzerBearerToken;
    }
1424 
1425     /**
1426      * Set the value of failBuildOnUnusedSuppressionRule.
1427      *
1428      * @param failBuildOnUnusedSuppressionRule new value of
1429      * failBuildOnUnusedSuppressionRule
1430      */
    public void setFailBuildOnUnusedSuppressionRule(boolean failBuildOnUnusedSuppressionRule) {
        // Takes a primitive boolean, unlike the nullable Boolean setters around it; forwarded as
        // Settings.KEYS.FAIL_ON_UNUSED_SUPPRESSION_RULE by populateSettings().
        this.failBuildOnUnusedSuppressionRule = failBuildOnUnusedSuppressionRule;
    }
1434 
1435     //see note on `dealWithReferences()` for information on this suppression
    /**
     * Runs the dependency-check scan for this task: resolves references,
     * validates and populates the settings, configures the downloader, scans
     * every file-backed resource on the configured path, runs the analysis,
     * writes the requested reports and finally applies the CVSS failure
     * threshold.
     *
     * @throws BuildException if the configuration is invalid, if the downloader
     * rejects the settings, or - when failOnError is set - if the database or
     * report generation fails
     */
    @SuppressWarnings("squid:RedundantThrowsDeclarationCheck")
    @Override
    protected void executeWithContextClassloader() throws BuildException {
        dealWithReferences();
        validateConfiguration();
        populateSettings();
        // NOTE(review): this try has no finally, so when configure() throws, the
        // getSettings().cleanup() in the finally block further down is never reached.
        try {
            Downloader.getInstance().configure(getSettings());
        } catch (InvalidSettingException e) {
            throw new BuildException(e);
        }
        // NOTE(review): the Settings object handed over here also carries the credentials copied
        // in by populateSettings(); what TelemetryCollector reads or transmits is not visible in
        // this file — confirm.
        TelemetryCollector.send(getSettings());
        try (Engine engine = new Engine(Check.class.getClassLoader(), getSettings())) {
            for (Resource resource : getPath()) {
                final FileProvider provider = resource.as(FileProvider.class);
                if (provider != null) {
                    final File file = provider.getFile();
                    // Resources that are not file-backed, or whose file does not exist, are skipped
                    // without any log message, so a mistyped path yields an empty scan, not an error.
                    if (file != null && file.exists()) {
                        engine.scan(file);
                    }
                }
            }
            final ExceptionCollection exceptions = callExecuteAnalysis(engine);
            // When the analysis reported a fatal exception (only reachable with failOnError off,
            // see callExecuteAnalysis) no report is written and the CVSS check below is skipped;
            // the method then returns normally, so the build is not failed by this task.
            if (exceptions == null || !exceptions.isFatal()) {
                for (String format : getReportFormats()) {
                    engine.writeReports(getProjectName(), new File(reportOutputDirectory), format, exceptions);
                }
                // validateConfiguration() accepts values up to 11, so a threshold above 10
                // switches the failure check off.
                if (this.failBuildOnCVSS <= 10) {
                    checkForFailure(engine.getDependencies());
                }
                if (this.showSummary) {
                    DependencyCheckScanAgent.showSummary(engine.getDependencies());
                }
            }
        } catch (DatabaseException ex) {
            final String msg = "Unable to connect to the dependency-check database; analysis has stopped";
            if (this.isFailOnError()) {
                throw new BuildException(msg, ex);
            }
            // With failOnError off the problem is only logged and the build continues unscanned.
            log(msg, ex, Project.MSG_ERR);
        } catch (ReportException ex) {
            final String msg = "Unable to generate the dependency-check report";
            if (this.isFailOnError()) {
                throw new BuildException(msg, ex);
            }
            // With failOnError off the problem is only logged; the threshold check did not run.
            log(msg, ex, Project.MSG_ERR);
        } finally {
            getSettings().cleanup();
        }
    }
1486 
1487     /**
1488      * Wraps the call to `engine.analyzeDependencies()` and correctly handles
1489      * any exceptions
1490      *
1491      * @param engine a reference to the engine
1492      * @return the collection of any exceptions that occurred; otherwise
1493      * <code>null</code>
1494      * @throws BuildException thrown if configured to fail the build on errors
1495      */
1496     //see note on `dealWithReferences()` for information on this suppression
    @SuppressWarnings("squid:RedundantThrowsDeclarationCheck")
    private ExceptionCollection callExecuteAnalysis(final Engine engine) throws BuildException {
        try {
            engine.analyzeDependencies();
            // Clean run: nothing to hand back to the caller.
            return null;
        } catch (ExceptionCollection collected) {
            if (!this.isFailOnError()) {
                // Tolerant mode: let the caller decide based on isFatal().
                return collected;
            }
            throw new BuildException(collected);
        }
    }
1510 
1511     /**
1512      * Validate the configuration to ensure the parameters have been properly
1513      * configured/initialized.
1514      *
1515      * @throws BuildException if the task was not configured correctly.
1516      */
1517     //see note on `dealWithReferences()` for information on this suppression
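    @SuppressWarnings("squid:RedundantThrowsDeclarationCheck")
    private synchronized void validateConfiguration() throws BuildException {
        if (path == null) {
            throw new BuildException("No project dependencies have been defined to analyze.");
        }
        // Written as "not inside [0, 11]" instead of "below 0 or above 11" so that a value that
        // compares false both ways is rejected as well. Assuming failBuildOnCVSS is a floating
        // point field (TODO confirm), NaN used to pass this check and then fail the "<= 10" test
        // in executeWithContextClassloader(), silently switching the failure threshold off.
        // For every ordinary number the accepted range is unchanged.
        if (!(failBuildOnCVSS >= 0 && failBuildOnCVSS <= 11)) {
            throw new BuildException("Invalid configuration, failBuildOnCVSS must be between 0 and 11.");
        }
    }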
1527 
1528     /**
1529      * Takes the properties supplied and updates the dependency-check settings.
1530      * Additionally, this sets the system properties required to change the
1531      * proxy server, port, and connection timeout.
1532      *
1533      * @throws BuildException thrown when an invalid setting is configured.
1534      */
1535     //see note on `dealWithReferences()` for information on this suppression
    @SuppressWarnings("squid:RedundantThrowsDeclarationCheck")
    @Override
    protected void populateSettings() throws BuildException {
        // The parent task applies its own attributes before this task adds the ones below.
        super.populateSettings();
        getSettings().setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate);
        getSettings().setArrayIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFiles);
        // Suppression-file credentials are copied into Settings as plain strings.
        getSettings().setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE_USER, suppressionFileUser);
        getSettings().setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE_PASSWORD, suppressionFilePassword);
        getSettings().setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE_BEARER_TOKEN, suppressionFileBearerToken);
        getSettings().setBooleanIfNotNull(Settings.KEYS.UPDATE_VERSION_CHECK_ENABLED, versionCheckEnabled);
        getSettings().setStringIfNotEmpty(Settings.KEYS.HINTS_FILE, hintsFile);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, enableExperimental);
        getSettings().setBooleanIfNotNull(Settings.KEYS.PRETTY_PRINT, prettyPrint);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIRED_ENABLED, enableRetired);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, pyDistributionAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, pyPackageAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, rubygemsAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, opensslAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_CMAKE_ENABLED, cmakeAnalyzerEnabled);

        // Artifactory lookup: endpoint, proxy use and the credentials presented to it.
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_ENABLED, artifactoryAnalyzerEnabled);
        getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_ARTIFACTORY_URL, artifactoryAnalyzerUrl);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_USES_PROXY, artifactoryAnalyzerUseProxy);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_PARALLEL_ANALYSIS, artifactoryAnalyzerParallelAnalysis);
        getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_ARTIFACTORY_API_USERNAME, artifactoryAnalyzerUsername);
        getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_ARTIFACTORY_API_TOKEN, artifactoryAnalyzerApiToken);
        getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_ARTIFACTORY_BEARER_TOKEN, artifactoryAnalyzerBearerToken);

        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED, swiftPackageManagerAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_RESOLVED_ENABLED, swiftPackageResolvedAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_COCOAPODS_ENABLED, cocoapodsAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_CARTHAGE_ENABLED, carthageAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, bundleAuditAnalyzerEnabled);
        // NOTE(review): the external-tool paths (bundle audit, go, yarn, pnpm, mix audit) go through
        // setStringIfNotNull while the dotnet path below uses setStringIfNotEmpty, so an empty
        // attribute value is presumably still forwarded for these — confirm against Settings.
        getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, bundleAuditPath);
        getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_WORKING_DIRECTORY, bundleAuditWorkingDirectory);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_MAVEN_INSTALL_ENABLED, mavenInstallAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PIP_ENABLED, pipAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PIPFILE_ENABLED, pipfileAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_POETRY_ENABLED, poetryAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_SKIP_DEV, composerAnalyzerSkipDev);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_CPANFILE_ENABLED, cpanfileAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_SKIPDEV, nodePackageSkipDevDependencies);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED, nodeAuditAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_YARN_AUDIT_ENABLED, yarnAuditAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PNPM_AUDIT_ENABLED, pnpmAuditAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_USE_CACHE, nodeAuditAnalyzerUseCache);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_SKIPDEV, nodeAuditSkipDevDependencies);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_FILTER_NON_VULNERABLE, retireJsFilterNonVulnerable);
        getSettings().setArrayIfNotEmpty(Settings.KEYS.ANALYZER_RETIREJS_FILTERS, retireJsFilters);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_GOLANG_DEP_ENABLED, golangDepEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_GOLANG_MOD_ENABLED, golangModEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_DART_ENABLED, dartAnalyzerEnabled);
        getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_GOLANG_PATH, pathToGo);
        getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_YARN_PATH, pathToYarn);
        getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_PNPM_PATH, pathToPnpm);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_MIX_AUDIT_ENABLED, mixAuditAnalyzerEnabled);
        getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_MIX_AUDIT_PATH, mixAuditPath);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUGETCONF_ENABLED, nugetconfAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_LIBMAN_ENABLED, libmanAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_USE_CACHE, centralAnalyzerUseCache);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, archiveAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, assemblyAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_MSBUILD_PROJECT_ENABLED, msbuildAnalyzerEnabled);
        // Nexus lookup: endpoint and the credentials presented to it.
        getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
        getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_USER, nexusUser);
        getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_PASSWORD, nexusPassword);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
        getSettings().setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
        getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_DOTNET_PATH, pathToCore);
        // OSS Index: the fields keep the legacy lower-cased names; both the deprecated and the
        // current setters write them.
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_ENABLED, ossindexAnalyzerEnabled);
        getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_URL, ossindexAnalyzerUrl);
        getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_USER, ossindexAnalyzerUsername);
        getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_PASSWORD, ossindexAnalyzerPassword);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_USE_CACHE, ossindexAnalyzerUseCache);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, ossIndexAnalyzerWarnOnlyOnRemoteErrors);
        // Written unconditionally, unlike the ...IfNotNull / ...IfNotEmpty calls above.
        getSettings().setFloat(Settings.KEYS.JUNIT_FAIL_ON_CVSS, junitFailOnCVSS);
        getSettings().setBooleanIfNotNull(Settings.KEYS.FAIL_ON_UNUSED_SUPPRESSION_RULE, failBuildOnUnusedSuppressionRule);
    }
1621 
1622     /**
1623      * Checks to see if a vulnerability has been identified with a CVSS score
1624      * that is greater than or equal to the threshold set in the configuration.
1625      *
1626      * @param dependencies the list of dependency objects
1627      * @throws BuildException thrown if a CVSS score is found that is greater
1628      * than or equal to the threshold set
1629      */
1630     //see note on `dealWithReferences()` for information on this suppression
    @SuppressWarnings("squid:RedundantThrowsDeclarationCheck")
    private void checkForFailure(Dependency[] dependencies) throws BuildException {
        // One entry per offending dependency: "<file> (<identifiers>): <vuln>, <vuln>, ..."
        final StringBuilder failures = new StringBuilder();
        for (Dependency dependency : dependencies) {
            // true until the "<file> (<identifiers>): " prefix has been written for this dependency
            boolean headerPending = true;
            for (Vulnerability vuln : dependency.getVulnerabilities()) {
                // -1 is the sentinel for "this CVSS version carries no base score".
                final double scoreV2;
                if (vuln.getCvssV2() != null && vuln.getCvssV2().getCvssData() != null
                        && vuln.getCvssV2().getCvssData().getBaseScore() != null) {
                    scoreV2 = vuln.getCvssV2().getCvssData().getBaseScore();
                } else {
                    scoreV2 = -1;
                }
                final double scoreV3;
                if (vuln.getCvssV3() != null && vuln.getCvssV3().getCvssData() != null
                        && vuln.getCvssV3().getCvssData().getBaseScore() != null) {
                    scoreV3 = vuln.getCvssV3().getCvssData().getBaseScore();
                } else {
                    scoreV3 = -1;
                }
                final double scoreV4;
                if (vuln.getCvssV4() != null && vuln.getCvssV4().getCvssData() != null
                        && vuln.getCvssV4().getCvssData().getBaseScore() != null) {
                    scoreV4 = vuln.getCvssV4().getCvssData().getBaseScore();
                } else {
                    scoreV4 = -1;
                }

                // The textual severity is only consulted when none of the three
                // CVSS versions supplied a score; it is then converted to a
                // number by SeverityUtil.estimateCvssV2.
                final boolean noNumericScore = scoreV2 == -1 && scoreV3 == -1 && scoreV4 == -1;
                final double estimatedScore;
                if (noNumericScore && vuln.getUnscoredSeverity() != null) {
                    estimatedScore = SeverityUtil.estimateCvssV2(vuln.getUnscoredSeverity());
                } else {
                    estimatedScore = -1;
                }

                // A vulnerability with neither a score nor an unscored severity
                // leaves all four values at -1, so it only trips the gate
                // through the last clause (threshold of zero or below).
                final boolean meetsThreshold = scoreV2 >= failBuildOnCVSS
                        || scoreV3 >= failBuildOnCVSS
                        || scoreV4 >= failBuildOnCVSS
                        || estimatedScore >= failBuildOnCVSS
                        //safety net to fail on any if for some reason the above misses on 0
                        || failBuildOnCVSS <= 0.0f;
                if (!meetsThreshold) {
                    continue;
                }

                if (headerPending) {
                    headerPending = false;
                    failures.append(NEW_LINE).append(dependency.getFileName()).append(" (");
                    final String identifiers = Stream.concat(
                            dependency.getSoftwareIdentifiers().stream(),
                            dependency.getVulnerableSoftwareIdentifiers().stream())
                            .map(Identifier::getValue)
                            .collect(Collectors.joining(", "));
                    failures.append(identifiers).append("): ").append(vuln.getName());
                } else {
                    failures.append(", ").append(vuln.getName());
                }
            }
        }

        if (failures.length() == 0) {
            // nothing reached the threshold; the build is allowed to continue
            return;
        }

        // With showSummary off, the message names neither the threshold nor the
        // affected dependencies; the reader is pointed at the report instead.
        final String msg = showSummary
                ? String.format("%n%nDependency-Check Failure:%n"
                        + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '%.1f': %s%n"
                        + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, failures)
                : String.format("%n%nDependency-Check Failure:%n"
                        + "One or more dependencies were identified with vulnerabilities.%n%n"
                        + "See the dependency-check report for more details.%n%n");
        throw new BuildException(msg);
    }
1682 
1683     /**
1684      * An enumeration of supported report formats: "ALL", "HTML", "XML", "CSV",
1685      * "JSON", "JUNIT", "SARIF", "JENKINS", etc.
1686      */
    public static class ReportFormats extends EnumeratedAttribute {

        /**
         * Supplies the permitted attribute values: the name of every
         * {@link Format} constant, in declaration order.
         *
         * @return the names of all {@link Format} constants
         */
        @Override
        public String[] getValues() {
            return Stream.of(Format.values())
                    .map(Format::name)
                    .toArray(String[]::new);
        }
    }
1705 
1706     /**
1707      * A class for Ant to represent the
1708      * {@code <reportFormat format="<format>"/>} nested element to define
1709      * multiple report formats for the ant-task.
1710      */
    public static class ReportFormat {

        /**
         * The selected report format; stays {@code null} until
         * {@link #setFormat(String)} has been called.
         */
        private ReportFormats format;

        /**
         * Returns the selected format in its String form.
         * <p>
         * The field is dereferenced without a null check, so calling this
         * before {@link #setFormat(String)} results in a
         * {@link NullPointerException}.
         *
         * @return the String value held by the underlying {@link ReportFormats}
         */
        public String getFormat() {
            final ReportFormats selected = this.format;
            return selected.getValue();
        }

        /**
         * Stores the requested format after resolving it through
         * {@link EnumeratedAttribute#getInstance(Class, String)}.
         *
         * @param format the String value for one of the {@link ReportFormats}
         * @throws BuildException when the supplied String is not one of the
         * values accepted by the {@link ReportFormats} EnumeratedAttribute
         */
        public void setFormat(final String format) {
            final EnumeratedAttribute resolved = EnumeratedAttribute.getInstance(ReportFormats.class, format);
            this.format = (ReportFormats) resolved;
        }
    }
1738 }
1739 //CSON: MethodCount