Class BaseDependencyCheckMojo

java.lang.Object
org.apache.maven.plugin.AbstractMojo
org.owasp.dependencycheck.maven.BaseDependencyCheckMojo
All Implemented Interfaces:
org.apache.maven.plugin.ContextEnabled, org.apache.maven.plugin.Mojo, org.apache.maven.reporting.MavenReport
Direct Known Subclasses:
AggregateMojo, CheckMojo, PurgeMojo, UpdateMojo

public abstract class BaseDependencyCheckMojo extends org.apache.maven.plugin.AbstractMojo implements org.apache.maven.reporting.MavenReport
Author:
Jeremy Long
  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    static final String
    Constant for the HTTP protocol string.
    static final String
    Constant for the HTTPS protocol string.

    Fields inherited from interface org.apache.maven.reporting.MavenReport

    CATEGORY_PROJECT_INFORMATION, CATEGORY_PROJECT_REPORTS, ROLE

    Fields inherited from interface org.apache.maven.plugin.Mojo

    ROLE
  • Constructor Summary

    Constructors
    Constructor
    Description
    BaseDependencyCheckMojo()
  • Method Summary

    Modifier and Type    Method    Description

    protected void    checkForFailure(Dependency[] dependencies)
        Checks to see if a vulnerability has been identified with a CVSS score that is above the threshold set in the configuration.
    protected String    createProjectReferenceName(org.apache.maven.project.MavenProject project, org.apache.maven.shared.dependency.graph.DependencyNode dependencyNode)
    void    execute()
        Executes dependency-check.
    void    generate(org.apache.maven.doxia.sink.Sink sink, Locale locale)
        Generates the Dependency-Check Site Report.
    protected Filter<String>    getArtifactScopeExcluded()
        Returns the artifact scope excluded filter.
    String    getCategoryName()
        Returns the category name.
    protected String    getConnectionString()
        Returns the connection string.
    protected File    getCorrectOutputDirectory()
        Returns the correct output directory depending on if a site is being executed or not.
    protected File    getCorrectOutputDirectory(org.apache.maven.project.MavenProject current)
        Returns the correct output directory depending on if a site is being executed or not.
    List<String>    getExcludes()
        Returns the list of excluded artifacts based on either artifact id or group id and artifact id.
    File    getOutputDirectory()
        Returns the output directory.
    String    getOutputName()
        Returns the output name.
    protected org.apache.maven.project.MavenProject    getProject()
        Returns a reference to the current project.
    protected List<org.apache.maven.project.MavenProject>    getReactorProjects()
        Returns the list of Maven Projects in this build.
    File    getReportOutputDirectory()
        Returns the report output directory.
    protected Settings    getSettings()
        Returns the configured settings.
    protected Engine    initializeEngine()
        Initializes a new Engine that can be used for scanning.
    final boolean    isExternalReport()
        Returns whether this is an external report.
    protected boolean    isFailOnError()
        Returns if the mojo should fail the build if an exception occurs.
    protected boolean    isGeneratingSite()
        Returns true if the Maven site is being generated.
    org.apache.maven.project.ProjectBuildingRequest    newResolveArtifactProjectBuildingRequest(org.apache.maven.project.MavenProject project, List<org.apache.maven.artifact.repository.ArtifactRepository> repos)
    protected void    populateSettings()
        Takes the properties supplied and updates the dependency-check settings.
    protected Set<org.apache.maven.artifact.Artifact>    resolveArtifactDependencies(org.apache.maven.shared.transfer.dependencies.DependableCoordinate artifact, org.apache.maven.project.MavenProject project)
    protected void    runCheck()
        Executes the dependency-check scan and generates the necessary report.
    protected ExceptionCollection    scanArtifacts(org.apache.maven.project.MavenProject project, Engine engine)
        Scans the project's artifacts and adds them to the engine's dependency list.
    protected ExceptionCollection    scanArtifacts(org.apache.maven.project.MavenProject project, Engine engine, boolean aggregate)
        Scans the project's artifacts and adds them to the engine's dependency list.
    protected abstract ExceptionCollection    scanDependencies(Engine engine)
        Scans the dependencies of the projects.
    protected ExceptionCollection    scanPlugins(org.apache.maven.project.MavenProject project, Engine engine, ExceptionCollection exCollection)
        Scans the project's artifacts for plugin-dependencies and adds them to the engine's dependency list.
    protected abstract ExceptionCollection    scanPlugins(Engine engine, ExceptionCollection exCol)
        Scans the plugins of the projects.
    void    setReportOutputDirectory(File directory)
        Sets the Reporting output directory.
    protected void    showSummary(org.apache.maven.project.MavenProject mp, Dependency[] dependencies)
        Generates a warning message listing a summary of dependencies and their associated CPE and CVE entries.

    Methods inherited from class org.apache.maven.plugin.AbstractMojo

    getLog, getPluginContext, setLog, setPluginContext

    Methods inherited from class Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    Methods inherited from interface org.apache.maven.reporting.MavenReport

    canGenerateReport, getDescription, getName, getOutputPath
  • Field Details

  • Constructor Details

    • BaseDependencyCheckMojo

      public BaseDependencyCheckMojo()
  • Method Details

    • execute

      public void execute() throws org.apache.maven.plugin.MojoExecutionException, org.apache.maven.plugin.MojoFailureException
      Executes dependency-check.
      Specified by:
      execute in interface org.apache.maven.plugin.Mojo
      Throws:
      org.apache.maven.plugin.MojoExecutionException - thrown if there is an exception executing the mojo
      org.apache.maven.plugin.MojoFailureException - thrown if dependency-check failed the build
    • isGeneratingSite

      protected boolean isGeneratingSite()
      Returns true if the Maven site is being generated.
      Returns:
      true if the Maven site is being generated
    • getConnectionString

      protected String getConnectionString()
      Returns the connection string.
      Returns:
      the connection string
    • isFailOnError

      protected boolean isFailOnError()
      Returns if the mojo should fail the build if an exception occurs.
      Returns:
      whether or not the mojo should fail the build
    • generate

      public void generate(org.apache.maven.doxia.sink.Sink sink, Locale locale) throws org.apache.maven.reporting.MavenReportException
      Generates the Dependency-Check Site Report.
      Specified by:
      generate in interface org.apache.maven.reporting.MavenReport
      Parameters:
      sink - the sink to write the report to
      locale - the locale to use when generating the report
      Throws:
      org.apache.maven.reporting.MavenReportException - if a maven report exception occurs
    • getCorrectOutputDirectory

      protected File getCorrectOutputDirectory() throws org.apache.maven.plugin.MojoExecutionException
      Returns the correct output directory depending on if a site is being executed or not.
      Returns:
      the directory to write the report(s)
      Throws:
      org.apache.maven.plugin.MojoExecutionException - thrown if there is an error loading the file path
    • getCorrectOutputDirectory

      protected File getCorrectOutputDirectory(org.apache.maven.project.MavenProject current)
      Returns the correct output directory depending on if a site is being executed or not.
      Parameters:
      current - the Maven project to get the output directory from
      Returns:
      the directory to write the report(s)
    • scanArtifacts

      protected ExceptionCollection scanArtifacts(org.apache.maven.project.MavenProject project, Engine engine)
      Scans the project's artifacts and adds them to the engine's dependency list.
      Parameters:
      project - the project to scan the dependencies of
      engine - the engine to use to scan the dependencies
      Returns:
      a collection of exceptions that may have occurred while resolving and scanning the dependencies
    • scanArtifacts

      protected ExceptionCollection scanArtifacts(org.apache.maven.project.MavenProject project, Engine engine, boolean aggregate)
      Scans the project's artifacts and adds them to the engine's dependency list.
      Parameters:
      project - the project to scan the dependencies of
      engine - the engine to use to scan the dependencies
      aggregate - whether the scan is part of an aggregate build
      Returns:
      a collection of exceptions that may have occurred while resolving and scanning the dependencies
    • scanPlugins

      protected ExceptionCollection scanPlugins(org.apache.maven.project.MavenProject project, Engine engine, ExceptionCollection exCollection)
      Scans the project's artifacts for plugin-dependencies and adds them to the engine's dependency list.
      Parameters:
      project - the project to scan the plugin-dependencies of
      engine - the engine to use to scan the plugin-dependencies
      exCollection - the collection of exceptions that have previously occurred
      Returns:
      a collection of exceptions that may have occurred while resolving and scanning the plugins and their dependencies
    • resolveArtifactDependencies

      protected Set<org.apache.maven.artifact.Artifact> resolveArtifactDependencies(org.apache.maven.shared.transfer.dependencies.DependableCoordinate artifact, org.apache.maven.project.MavenProject project) throws org.apache.maven.shared.transfer.dependencies.resolve.DependencyResolverException
      Throws:
      org.apache.maven.shared.transfer.dependencies.resolve.DependencyResolverException
    • createProjectReferenceName

      protected String createProjectReferenceName(org.apache.maven.project.MavenProject project, org.apache.maven.shared.dependency.graph.DependencyNode dependencyNode)
      Parameters:
      project - the MavenProject
      dependencyNode - the DependencyNode
      Returns:
      the name to be used when creating a project reference in a Dependency; this method returns project.getName() + ":" + dependencyNode.getArtifact().getScope().
    • newResolveArtifactProjectBuildingRequest

      public org.apache.maven.project.ProjectBuildingRequest newResolveArtifactProjectBuildingRequest(org.apache.maven.project.MavenProject project, List<org.apache.maven.artifact.repository.ArtifactRepository> repos)
      Parameters:
      project - The target project to create a building request for.
      repos - the artifact repositories to use.
      Returns:
      a new ProjectBuildingRequest populated from the current session and the target project's remote repositories, used to resolve artifacts
    • runCheck

      protected void runCheck() throws org.apache.maven.plugin.MojoExecutionException, org.apache.maven.plugin.MojoFailureException
      Executes the dependency-check scan and generates the necessary report.
      Throws:
      org.apache.maven.plugin.MojoExecutionException - thrown if there is an exception running the scan
      org.apache.maven.plugin.MojoFailureException - thrown if dependency-check is configured to fail the build
    • scanDependencies

      protected abstract ExceptionCollection scanDependencies(Engine engine) throws org.apache.maven.plugin.MojoExecutionException
      Scans the dependencies of the projects.
      Parameters:
      engine - the engine used to perform the scanning
      Returns:
      a collection of exceptions
      Throws:
      org.apache.maven.plugin.MojoExecutionException - thrown if a fatal exception occurs
    • scanPlugins

      protected abstract ExceptionCollection scanPlugins(Engine engine, ExceptionCollection exCol) throws org.apache.maven.plugin.MojoExecutionException
      Scans the plugins of the projects.
      Parameters:
      engine - the engine used to perform the scanning
      exCol - the collection of any exceptions that have previously been captured.
      Returns:
      a collection of exceptions
      Throws:
      org.apache.maven.plugin.MojoExecutionException - thrown if a fatal exception occurs
    • getReportOutputDirectory

      public File getReportOutputDirectory()
      Returns the report output directory.
      Specified by:
      getReportOutputDirectory in interface org.apache.maven.reporting.MavenReport
      Returns:
      the report output directory
    • setReportOutputDirectory

      public void setReportOutputDirectory(File directory)
      Sets the Reporting output directory.
      Specified by:
      setReportOutputDirectory in interface org.apache.maven.reporting.MavenReport
      Parameters:
      directory - the output directory
    • getOutputDirectory

      public File getOutputDirectory()
      Returns the output directory.
      Returns:
      the output directory
    • isExternalReport

      public final boolean isExternalReport()
      Returns whether this is an external report. This method always returns true.
      Specified by:
      isExternalReport in interface org.apache.maven.reporting.MavenReport
      Returns:
      true
    • getOutputName

      public String getOutputName()
      Returns the output name.
      Specified by:
      getOutputName in interface org.apache.maven.reporting.MavenReport
      Returns:
      the output name
    • getCategoryName

      public String getCategoryName()
      Returns the category name.
      Specified by:
      getCategoryName in interface org.apache.maven.reporting.MavenReport
      Returns:
      the category name
    • initializeEngine

      protected Engine initializeEngine() throws DatabaseException, org.apache.maven.plugin.MojoExecutionException, org.apache.maven.plugin.MojoFailureException
      Initializes a new Engine that can be used for scanning. This method should only be called in a try-with-resources to ensure that the engine is properly closed.
      Returns:
      a newly instantiated Engine
      Throws:
      DatabaseException - thrown if there is a database exception
      org.apache.maven.plugin.MojoExecutionException - on configuration errors when failOnError is true
      org.apache.maven.plugin.MojoFailureException - on configuration errors when failOnError is false
    • populateSettings

      protected void populateSettings() throws org.apache.maven.plugin.MojoFailureException, org.apache.maven.plugin.MojoExecutionException
      Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties required to change the proxy URL, port, and connection timeout.
      Throws:
      org.apache.maven.plugin.MojoFailureException
      org.apache.maven.plugin.MojoExecutionException
    • getProject

      protected org.apache.maven.project.MavenProject getProject()
      Returns a reference to the current project. This method is used instead of auto-binding the project via a component annotation in concrete subclasses: if a child class declares its own @Component MavenProject project field, then this abstract class has no access to the current project (that is simply how Maven performs the binding).
      Returns:
      returns a reference to the current project
    • getReactorProjects

      protected List<org.apache.maven.project.MavenProject> getReactorProjects()
      Returns the list of Maven Projects in this build.
      Returns:
      the list of Maven Projects in this build
    • getExcludes

      public List<String> getExcludes()
      Returns the list of excluded artifacts based on either artifact id or group id and artifact id.
      Returns:
      a list of artifacts to exclude
    • getArtifactScopeExcluded

      protected Filter<String> getArtifactScopeExcluded()
      Returns the artifact scope excluded filter.
      Returns:
      the artifact scope excluded filter
    • getSettings

      protected Settings getSettings()
      Returns the configured settings.
      Returns:
      the configured settings
    • checkForFailure

      protected void checkForFailure(Dependency[] dependencies) throws org.apache.maven.plugin.MojoFailureException
      Checks to see if a vulnerability has been identified with a CVSS score that is above the threshold set in the configuration.
      Parameters:
      dependencies - the list of dependency objects
      Throws:
      org.apache.maven.plugin.MojoFailureException - thrown if a CVSS score is found that is higher than the threshold set
    • showSummary

      protected void showSummary(org.apache.maven.project.MavenProject mp, Dependency[] dependencies)
      Generates a warning message listing a summary of dependencies and their associated CPE and CVE entries.
      Parameters:
      mp - the Maven project for which the summary is shown
      dependencies - a list of dependency objects
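The two abstract methods above (scanDependencies and scanPlugins) are the extension points a concrete mojo must implement; the protected scanArtifacts and scanPlugins overloads documented here do the actual work. The following is an added example, not code from the dependency-check project, of a minimal single-project subclass. The class name, goal name, package, and the Maven plugin-annotation and dependency-check import paths are assumptions.

```java
// Added example (not from the dependency-check project): a minimal concrete mojo
// built on BaseDependencyCheckMojo. Package, class name, goal name and the import
// paths below are assumptions; the base-class methods used are those documented
// on this page.
package com.example.dependencycheck;

import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugins.annotations.LifecyclePhase;
import org.apache.maven.plugins.annotations.Mojo;
import org.apache.maven.plugins.annotations.ResolutionScope;
import org.apache.maven.project.MavenProject;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.exception.ExceptionCollection;
import org.owasp.dependencycheck.maven.BaseDependencyCheckMojo;

@Mojo(name = "single-check", defaultPhase = LifecyclePhase.VERIFY,
      requiresDependencyResolution = ResolutionScope.TEST, threadSafe = true)
public class SingleProjectCheckMojo extends BaseDependencyCheckMojo {

    @Override
    protected ExceptionCollection scanDependencies(Engine engine)
            throws MojoExecutionException {
        // Use getProject() rather than declaring an injected @Component
        // MavenProject field, so the base class keeps access to the project.
        MavenProject project = getProject();
        // Non-aggregate scan: only this project's artifacts are added to the
        // engine's dependency list. Resolution problems come back as a
        // collection rather than aborting the scan.
        return scanArtifacts(project, engine, false);
    }

    @Override
    protected ExceptionCollection scanPlugins(Engine engine, ExceptionCollection exCol)
            throws MojoExecutionException {
        // Plugin dependencies are scanned with the same engine; exceptions
        // already captured during the dependency scan are passed through so
        // the base class sees one accumulated collection.
        return scanPlugins(getProject(), engine, exCol);
    }
}
```

The engine passed to these callbacks is created by the base class via initializeEngine() and must stay inside its try-with-resources scope, so a subclass should not close it or keep a reference beyond the call.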