package org.owasp.dependencycheck.maven;

import com.github.packageurl.MalformedPackageURLException;
import com.github.packageurl.PackageURL.StandardTypes;
import com.github.packageurl.PackageURL;
import io.github.jeremylong.jcs3.slf4j.Slf4jAdapter;

import org.apache.commons.lang3.StringUtils;
import org.apache.maven.artifact.Artifact;
import org.apache.maven.artifact.DefaultArtifact;
import org.apache.maven.artifact.handler.DefaultArtifactHandler;
import org.apache.maven.artifact.versioning.ArtifactVersion;
import org.apache.maven.doxia.sink.Sink;
import org.apache.maven.execution.MavenSession;
import org.apache.maven.model.License;
import org.apache.maven.plugin.AbstractMojo;
import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugin.MojoFailureException;
import org.apache.maven.plugins.annotations.Component;
import org.apache.maven.plugins.annotations.Parameter;
import org.apache.maven.project.DefaultProjectBuildingRequest;
import org.apache.maven.project.MavenProject;
import org.apache.maven.project.ProjectBuildingRequest;
import org.apache.maven.reporting.MavenReport;
import org.apache.maven.reporting.MavenReportException;
import org.apache.maven.settings.Proxy;
import org.apache.maven.settings.Server;
import org.apache.maven.settings.building.SettingsProblem;
import org.apache.maven.settings.crypto.DefaultSettingsDecryptionRequest;
import org.apache.maven.settings.crypto.SettingsDecrypter;
import org.apache.maven.settings.crypto.SettingsDecryptionResult;
import org.apache.maven.shared.transfer.artifact.DefaultArtifactCoordinate;
import org.apache.maven.shared.transfer.artifact.resolve.ArtifactResolver;
import org.apache.maven.shared.transfer.artifact.resolve.ArtifactResolverException;
import org.apache.maven.shared.transfer.artifact.resolve.ArtifactResult;
import org.apache.maven.shared.transfer.dependencies.resolve.DependencyResolver;
import org.apache.maven.shared.transfer.dependencies.resolve.DependencyResolverException;
import org.eclipse.aether.artifact.ArtifactType;
import org.apache.maven.shared.artifact.filter.PatternExcludesArtifactFilter;
import org.apache.maven.shared.dependency.graph.DependencyGraphBuilder;
import org.apache.maven.shared.dependency.graph.DependencyGraphBuilderException;
import org.apache.maven.shared.dependency.graph.DependencyNode;
import org.apache.maven.shared.dependency.graph.filter.ArtifactDependencyNodeFilter;
import org.apache.maven.shared.dependency.graph.internal.DefaultDependencyNode;
import org.apache.maven.shared.model.fileset.FileSet;
import org.apache.maven.shared.model.fileset.util.FileSetManager;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.JarAnalyzer;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.EvidenceType;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.exception.DependencyNotFoundException;
import org.owasp.dependencycheck.exception.ExceptionCollection;
import org.owasp.dependencycheck.exception.InitializationException;
import org.owasp.dependencycheck.exception.ReportException;
import org.owasp.dependencycheck.utils.Checksum;
import org.owasp.dependencycheck.utils.Filter;
import org.owasp.dependencycheck.utils.Downloader;
import org.owasp.dependencycheck.utils.InvalidSettingException;
import org.owasp.dependencycheck.utils.Settings;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import org.apache.maven.artifact.repository.ArtifactRepository;

import org.apache.maven.artifact.resolver.filter.ExcludesArtifactFilter;
import org.apache.maven.artifact.versioning.InvalidVersionSpecificationException;
import org.apache.maven.artifact.versioning.Restriction;
import org.apache.maven.artifact.versioning.VersionRange;

import org.owasp.dependencycheck.agent.DependencyCheckScanAgent;
import org.owasp.dependencycheck.dependency.naming.GenericIdentifier;
import org.owasp.dependencycheck.dependency.naming.Identifier;
import org.owasp.dependencycheck.dependency.naming.PurlIdentifier;
import org.apache.maven.shared.dependency.graph.traversal.DependencyNodeVisitor;
import org.apache.maven.shared.dependency.graph.traversal.FilteringDependencyNodeVisitor;
import org.apache.maven.shared.transfer.dependencies.DefaultDependableCoordinate;
import org.apache.maven.shared.transfer.dependencies.DependableCoordinate;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.reporting.ReportGenerator;
import org.owasp.dependencycheck.utils.SeverityUtil;
import org.owasp.dependencycheck.xml.pom.Model;
import org.owasp.dependencycheck.xml.pom.PomUtils;

 * @author Jeremy Long
public abstract class BaseDependencyCheckMojo extends AbstractMojo implements MavenReport {

     * The properties file location.
    private static final String PROPERTIES_FILE = "";
     * System specific new line character.
    private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();
     * Pattern to include all files in a FileSet.
    private static final String INCLUDE_ALL = "**/*";
     * Constant for the HTTPS protocol string.
    public static final String PROTOCOL_HTTPS = "https";
     * Constant for the HTTP protocol string.
    public static final String PROTOCOL_HTTP = "http";
     * A flag indicating whether or not the Maven site is being generated.
    private boolean generatingSite = false;
     * The configured settings.
    private Settings settings = null;
     * The list of files that have been scanned.
    private final List<File> scannedFiles = new ArrayList<>();
     * Sets whether or not the mojo should fail if an error occurs.
    @Parameter(property = "failOnError", defaultValue = "true", required = true)
    private boolean failOnError;

     * The Maven Project Object.
    @Parameter(property = "project", required = true, readonly = true)
    private MavenProject project;
     * List of Maven project of the current build
    @Parameter(readonly = true, required = true, property = "reactorProjects")
    private List<MavenProject> reactorProjects;
     * The entry point towards a Maven version independent way of resolving
     * artifacts (handles both Maven 3.0 Sonatype and Maven 3.1+ eclipse Aether
     * implementations).
    private ArtifactResolver artifactResolver;
     * The entry point towards a Maven version independent way of resolving
     * dependencies (handles both Maven 3.0 Sonatype and Maven 3.1+ eclipse
     * Aether implementations). Contrary to the ArtifactResolver this resolver
     * also takes into account the additional repositories defined in the
     * dependency-path towards transitive dependencies.
    private DependencyResolver dependencyResolver;

     * The Maven Session.
    @Parameter(defaultValue = "${session}", readonly = true, required = true)
    private MavenSession session;

     * Component within Maven to build the dependency graph.
    private DependencyGraphBuilder dependencyGraphBuilder;

     * The output directory. This generally maps to "target".
    @Parameter(defaultValue = "${}", required = true, property = "odc.outputDirectory")
    private File outputDirectory;
     * This is a reference to the &gt;reporting&lt; sections
     * <code>outputDirectory</code>. This cannot be configured in the
     * dependency-check mojo directly. This generally maps to "target/site".
    @Parameter(property = "project.reporting.outputDirectory", readonly = true)
    private File reportOutputDirectory;
     * Specifies if the build should be failed if a CVSS score above a specified
     * level is identified. The default is 11 which means since the CVSS scores
     * are 0-10, by default the build will never fail.
    @Parameter(property = "failBuildOnCVSS", defaultValue = "11", required = true)
    private float failBuildOnCVSS = 11f;
     * Specifies the CVSS score that is considered a "test" failure when
     * generating a jUnit style report. The default value is 0 - all
     * vulnerabilities are considered a failure.
    @Parameter(property = "junitFailOnCVSS", defaultValue = "0", required = true)
    private float junitFailOnCVSS = 0;
     * Fail the build if any dependency has a vulnerability listed.
     * @deprecated use {@link BaseDependencyCheckMojo#failBuildOnCVSS} with a
     * value of 0 instead
    @Parameter(property = "failBuildOnAnyVulnerability", defaultValue = "false", required = true)
    private boolean failBuildOnAnyVulnerability = false;
     * Sets whether auto-updating of the NVD CVE data is enabled. It is not
     * recommended that this be turned to false. Default is true.
    @Parameter(property = "autoUpdate")
    private Boolean autoUpdate;
     * Sets whether Experimental analyzers are enabled. Default is false.
    @Parameter(property = "enableExperimental")
    private Boolean enableExperimental;
     * Sets whether retired analyzers are enabled. Default is false.
    @Parameter(property = "enableRetired")
    private Boolean enableRetired;
     * Sets whether the Golang Dependency analyzer is enabled. Default is true.
    @Parameter(property = "golangDepEnabled")
    private Boolean golangDepEnabled;
     * Sets whether Golang Module Analyzer is enabled; this requires `go` to be
     * installed. Default is true.
    @Parameter(property = "golangModEnabled")
    private Boolean golangModEnabled;
     * Sets the path to `go`.
    @Parameter(property = "pathToGo")
    private String pathToGo;

     * Sets the path to `yarn`.
    @Parameter(property = "pathToYarn")
    private String pathToYarn;
     * Sets the path to `pnpm`.
    @Parameter(property = "pathToPnpm")
    private String pathToPnpm;
     * Use pom dependency information for snapshot dependencies that are part of
     * the Maven reactor while aggregate scanning a multi-module project.
    @Parameter(property = "dependency-check.virtualSnapshotsFromReactor", defaultValue = "true")
    private Boolean virtualSnapshotsFromReactor;
     * The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF,
     * JENKINS, GITLAB, ALL). Multiple formats can be selected using a comma
     * delineated list.
    @Parameter(property = "format", defaultValue = "HTML", required = true)
    private String format = "HTML";

     * Whether or not the XML and JSON report formats should be pretty printed.
     * The default is false.
    @Parameter(property = "prettyPrint")
    private Boolean prettyPrint;
     * The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF,
     * JENKINS, GITLAB, ALL). Multiple formats can be selected using a comma
     * delineated list.
    @Parameter(property = "formats", required = true)
    private String[] formats;
     * The Maven settings.
    @Parameter(property = "mavenSettings", defaultValue = "${settings}")
    private org.apache.maven.settings.Settings mavenSettings;

     * The maven settings proxy id.
    @Parameter(property = "mavenSettingsProxyId")
    private String mavenSettingsProxyId;

     * The Connection Timeout.
    @Parameter(property = "connectionTimeout")
    private String connectionTimeout;
     * The Read Timeout.
    @Parameter(property = "readTimeout")
    private String readTimeout;
     * Sets whether dependency-check should check if there is a new version
     * available.
    @Parameter(property = "versionCheckEnabled", defaultValue = "true")
    private boolean versionCheckEnabled;
     * The paths to the suppression files. The parameter value can be a local
     * file path, a URL to a suppression file, or even a reference to a file on
     * the class path (see
    @Parameter(property = "suppressionFiles")
    private String[] suppressionFiles;
     * The paths to the suppression file. The parameter value can be a local
     * file path, a URL to a suppression file, or even a reference to a file on
     * the class path (see
    @Parameter(property = "suppressionFile")
    private String suppressionFile;
     * The username used when connecting to the suppressionFiles.
    @Parameter(property = "suppressionFileUser")
    private String suppressionFileUser;
     * The password used for Basic auth to the suppressionFiles. The `suppressionFileServerId` with user/password should be used instead otherwise maven debug logging could expose the password.
    @Parameter(property = "suppressionFilePassword")
    private String suppressionFilePassword;
     * The token used for Bearer auth to the suppressionFiles. The `suppressionFileServerId` with only password should be used instead otherwise maven debug logging could expose the token.
    @Parameter(property = "suppressionFileBearerToken")
    private String suppressionFileBearerToken;
     * The server id in the settings.xml; used to retrieve encrypted passwords
     * from the settings.xml for suppressionFile(s).
    @Parameter(property = "suppressionFileServerId")
    private String suppressionFileServerId;
     * The path to the hints file.
    @Parameter(property = "hintsFile")
    private String hintsFile;

     * Flag indicating whether or not to show a summary in the output.
    @Parameter(property = "showSummary", defaultValue = "true")
    private boolean showSummary = true;

     * Whether or not the Jar Analyzer is enabled.
    @Parameter(property = "jarAnalyzerEnabled")
    private Boolean jarAnalyzerEnabled;

     * Sets whether the Dart analyzer is enabled. Default is true.
    @Parameter(property = "dartAnalyzerEnabled")
    private Boolean dartAnalyzerEnabled;

     * Whether or not the Archive Analyzer is enabled.
    @Parameter(property = "archiveAnalyzerEnabled")
    private Boolean archiveAnalyzerEnabled;
     * Whether or not the Known Exploited Vulnerability Analyzer is enabled.
    @Parameter(property = "knownExploitedEnabled")
    private Boolean knownExploitedEnabled;
     * The URL to the CISA Known Exploited Vulnerabilities JSON datafeed.
    @Parameter(property = "knownExploitedUrl")
    private String knownExploitedUrl;
     * The server id in the settings.xml; used to retrieve encrypted passwords
     * from the settings.xml for mirror of CISA Known Exploited Vulnerabilities JSON datafeed.
     * Credentials with only a password will be used for Bearer auth, credentials with both user and password for Basic auth.
    @Parameter(property = "knownExploitedServerId")
    private String knownExploitedServerId;
     * The username for basic auth mirror of CISA Known Exploited Vulnerabilities JSON datafeed. A `knownExploitedServerId` with user/password set should be used instead otherwise maven debug logging could expose the password.
    @Parameter(property = "knownExploitedUser")
    private String knownExploitedUser;
     * The password for basic auth mirror of CISA Known Exploited Vulnerabilities JSON datafeed. A `knownExploitedServerId` with user/password set should be used instead otherwise maven debug logging could expose the password.
    @Parameter(property = "knownExploitedPassword")
    private String knownExploitedPassword;
     * The token for bearer auth mirror of CISA Known Exploited Vulnerabilities JSON datafeed. A `knownExploitedServerId` with only password set should be used instead otherwise maven debug logging could expose the token.
    @Parameter(property = "knownExploitedBearerToken")
    private String knownExploitedBearerToken;
     * Sets whether the Python Distribution Analyzer will be used.
    @Parameter(property = "pyDistributionAnalyzerEnabled")
    private Boolean pyDistributionAnalyzerEnabled;
     * Sets whether the Python Package Analyzer will be used.
    @Parameter(property = "pyPackageAnalyzerEnabled")
    private Boolean pyPackageAnalyzerEnabled;
     * Sets whether the Ruby Gemspec Analyzer will be used.
    @Parameter(property = "rubygemsAnalyzerEnabled")
    private Boolean rubygemsAnalyzerEnabled;
     * Sets whether or not the openssl Analyzer should be used.
    @Parameter(property = "opensslAnalyzerEnabled")
    private Boolean opensslAnalyzerEnabled;
     * Sets whether or not the CMake Analyzer should be used.
    @Parameter(property = "cmakeAnalyzerEnabled")
    private Boolean cmakeAnalyzerEnabled;
     * Sets whether or not the autoconf Analyzer should be used.
    @Parameter(property = "autoconfAnalyzerEnabled")
    private Boolean autoconfAnalyzerEnabled;
     * Sets whether or not the Maven install Analyzer should be used.
    @Parameter(property = "mavenInstallAnalyzerEnabled")
    private Boolean mavenInstallAnalyzerEnabled;
     * Sets whether or not the pip Analyzer should be used.
    @Parameter(property = "pipAnalyzerEnabled")
    private Boolean pipAnalyzerEnabled;
     * Sets whether or not the pipfile Analyzer should be used.
    @Parameter(property = "pipfileAnalyzerEnabled")
    private Boolean pipfileAnalyzerEnabled;
     * Sets whether or not the poetry Analyzer should be used.
    @Parameter(property = "poetryAnalyzerEnabled")
    private Boolean poetryAnalyzerEnabled;
     * Sets whether or not the PHP Composer Lock File Analyzer should be used.
    @Parameter(property = "composerAnalyzerEnabled")
    private Boolean composerAnalyzerEnabled;
     * Sets whether or not the PHP Composer Lock File Analyzer will scan "packages-dev".
    @Parameter(property = "composerAnalyzerSkipDev")
    private boolean composerAnalyzerSkipDev;
     * Whether or not the Perl CPAN File Analyzer is enabled.
    @Parameter(property = "cpanfileAnalyzerEnabled")
    private Boolean cpanfileAnalyzerEnabled;
     * Sets whether or not the Node.js Analyzer should be used.
    @Parameter(property = "nodeAnalyzerEnabled")
    private Boolean nodeAnalyzerEnabled;
     * Sets whether or not the Node Audit Analyzer should be used.
    @Parameter(property = "nodeAuditAnalyzerEnabled")
    private Boolean nodeAuditAnalyzerEnabled;

     * The Node Audit API URL for the Node Audit Analyzer.
    @Parameter(property = "nodeAuditAnalyzerUrl")
    private String nodeAuditAnalyzerUrl;

     * Sets whether or not the Yarn Audit Analyzer should be used.
    @Parameter(property = "yarnAuditAnalyzerEnabled")
    private Boolean yarnAuditAnalyzerEnabled;

     * Sets whether or not the Pnpm Audit Analyzer should be used.
    @Parameter(property = "pnpmAuditAnalyzerEnabled")
    private Boolean pnpmAuditAnalyzerEnabled;

     * Sets whether or not the Node Audit Analyzer should use a local cache.
    @Parameter(property = "nodeAuditAnalyzerUseCache")
    private Boolean nodeAuditAnalyzerUseCache;
     * Sets whether or not the Node Audit Analyzer should skip devDependencies.
    @Parameter(property = "nodeAuditSkipDevDependencies")
    private Boolean nodeAuditSkipDevDependencies;
     * Sets whether or not the Node.js Analyzer should skip devDependencies.
    @Parameter(property = "nodePackageSkipDevDependencies")
    private Boolean nodePackageSkipDevDependencies;
     * Sets whether or not the Retirejs Analyzer should be used.
    @Parameter(property = "retireJsAnalyzerEnabled")
    private Boolean retireJsAnalyzerEnabled;
     * The Retire JS repository URL.
    @Parameter(property = "retireJsUrl")
    private String retireJsUrl;
     * The username for Basic auth to the retireJsUrl.
    @Parameter(property = "retireJsUser")
    private String retireJsUser;
     * The password for Basic auth to the retireJsUrl. The `retireJsUrlServerId` with user/password set should be used instead otherwise maven debug logging could expose the password.
    @Parameter(property = "retireJsPassword")
    private String retireJsPassword;
     * The token for Bearer auth to the retireJsUrl. The `retireJsUrlServerId` with only password set should be used instead otherwise maven debug logging could expose the token.
    @Parameter(property = "retireJsBearerToken")
    private String retireJsBearerToken;
     * The server id in the settings.xml; used to retrieve encrypted passwords
     * from the settings.xml for retireJsUrl.
    @Parameter(property = "retireJsUrlServerId")
    private String retireJsUrlServerId;
     * Whether the Retire JS repository will be updated regardless of the
     * `autoupdate` settings.
    @Parameter(property = "retireJsForceUpdate")
    private Boolean retireJsForceUpdate;
     * Whether or not the .NET Assembly Analyzer is enabled.
    @Parameter(property = "assemblyAnalyzerEnabled")
    private Boolean assemblyAnalyzerEnabled;
     * Whether or not the MS Build Analyzer is enabled.
    @Parameter(property = "msbuildAnalyzerEnabled")
    private Boolean msbuildAnalyzerEnabled;
     * Whether or not the .NET Nuspec Analyzer is enabled.
    @Parameter(property = "nuspecAnalyzerEnabled")
    private Boolean nuspecAnalyzerEnabled;

     * Whether or not the .NET packages.config Analyzer is enabled.
    @Parameter(property = "nugetconfAnalyzerEnabled")
    private Boolean nugetconfAnalyzerEnabled;

     * Whether or not the Libman Analyzer is enabled.
    @Parameter(property = "libmanAnalyzerEnabled")
    private Boolean libmanAnalyzerEnabled;

     * Whether or not the Central Analyzer is enabled.
    @Parameter(property = "centralAnalyzerEnabled")
    private Boolean centralAnalyzerEnabled;

     * Whether or not the Central Analyzer should use a local cache.
    @Parameter(property = "centralAnalyzerUseCache")
    private Boolean centralAnalyzerUseCache;

     * Whether or not the Artifactory Analyzer is enabled.
    @Parameter(property = "artifactoryAnalyzerEnabled")
    private Boolean artifactoryAnalyzerEnabled;
     * The serverId inside the settings.xml containing the username and token to
     * access artifactory
    @Parameter(property = "artifactoryAnalyzerServerId")
    private String artifactoryAnalyzerServerId;
     * The username (only used with API token) to connect to Artifactory
     * instance
    @Parameter(property = "artifactoryAnalyzerUsername")
    private String artifactoryAnalyzerUsername;
     * The API token to connect to Artifactory instance
    @Parameter(property = "artifactoryAnalyzerApiToken")
    private String artifactoryAnalyzerApiToken;
     * The bearer token to connect to Artifactory instance
    @Parameter(property = "artifactoryAnalyzerBearerToken")
    private String artifactoryAnalyzerBearerToken;
     * The Artifactory URL for the Artifactory analyzer.
    @Parameter(property = "artifactoryAnalyzerUrl")
    private String artifactoryAnalyzerUrl;
     * Whether Artifactory should be accessed through a proxy or not
    @Parameter(property = "artifactoryAnalyzerUseProxy")
    private Boolean artifactoryAnalyzerUseProxy;
     * Whether the Artifactory analyzer should be run in parallel or not.
    @Parameter(property = "artifactoryAnalyzerParallelAnalysis", defaultValue = "true")
    private Boolean artifactoryAnalyzerParallelAnalysis;
     * Whether the Unused Suppression Rule analyzer should fail if there are unused rules.
    @Parameter(property = "failBuildOnUnusedSuppressionRule", defaultValue = "false")
    private Boolean failBuildOnUnusedSuppressionRule;
     * Whether or not the Nexus Analyzer is enabled.
    @Parameter(property = "nexusAnalyzerEnabled")
    private Boolean nexusAnalyzerEnabled;

     * Whether or not the Sonatype OSS Index analyzer is enabled.
    @Parameter(property = "ossindexAnalyzerEnabled")
    private Boolean ossindexAnalyzerEnabled;
     * Whether or not the Sonatype OSS Index analyzer should cache results.
    @Parameter(property = "ossindexAnalyzerUseCache")
    private Boolean ossindexAnalyzerUseCache;
     * URL of the Sonatype OSS Index service.
    @Parameter(property = "ossindexAnalyzerUrl")
    private String ossindexAnalyzerUrl;

     * The id of a server defined in the settings.xml that configures the
     * credentials (username and password) for a OSS Index service.
    @Parameter(property = "ossIndexServerId")
    private String ossIndexServerId;

     * Whether we should only warn about Sonatype OSS Index remote errors
     * instead of failing the goal completely.
    @Parameter(property = "ossIndexWarnOnlyOnRemoteErrors")
    private Boolean ossIndexWarnOnlyOnRemoteErrors;

     * Whether or not the Elixir Mix Audit Analyzer is enabled.
    @Parameter(property = "mixAuditAnalyzerEnabled")
    private Boolean mixAuditAnalyzerEnabled;

     * Sets the path for the mix_audit binary.
    @Parameter(property = "mixAuditPath")
    private String mixAuditPath;

     * Whether or not the Ruby Bundle Audit Analyzer is enabled.
    @Parameter(property = "bundleAuditAnalyzerEnabled")
    private Boolean bundleAuditAnalyzerEnabled;

     * Sets the path for the bundle-audit binary.
    @Parameter(property = "bundleAuditPath")
    private String bundleAuditPath;

     * Sets the path for the working directory that the bundle-audit binary
     * should be executed from.
    @Parameter(property = "bundleAuditWorkingDirectory")
    private String bundleAuditWorkingDirectory;

     * Whether or not the CocoaPods Analyzer is enabled.
    @Parameter(property = "cocoapodsAnalyzerEnabled")
    private Boolean cocoapodsAnalyzerEnabled;

     * Whether or not the Carthage Analyzer is enabled.
    @Parameter(property = "carthageAnalyzerEnabled")
    private Boolean carthageAnalyzerEnabled;

     * Whether or not the Swift package Analyzer is enabled.
    @Parameter(property = "swiftPackageManagerAnalyzerEnabled")
    private Boolean swiftPackageManagerAnalyzerEnabled;
     * Whether or not the Swift package resolved Analyzer is enabled.
    @Parameter(property = "swiftPackageResolvedAnalyzerEnabled")
    private Boolean swiftPackageResolvedAnalyzerEnabled;
     * The URL of a Nexus server's REST API end point
     * (http://domain/nexus/service/local).
    @Parameter(property = "nexusUrl")
    private String nexusUrl;
     * The id of a server defined in the settings.xml that configures the
     * credentials (username and password) for a Nexus server's REST API end
     * point. When not specified the communication with the Nexus server's REST
     * API will be unauthenticated.
    @Parameter(property = "nexusServerId")
    private String nexusServerId;
     * Whether or not the configured proxy is used to connect to Nexus.
    @Parameter(property = "nexusUsesProxy")
    private Boolean nexusUsesProxy;
     * The database connection string.
    @Parameter(property = "connectionString")
    private String connectionString;

     * The database driver name. An example would be org.h2.Driver.
    @Parameter(property = "databaseDriverName")
    private String databaseDriverName;
     * The path to the database driver if it is not on the class path.
    @Parameter(property = "databaseDriverPath")
    private String databaseDriverPath;
     * A reference to the settings.xml settings.
    @Parameter(defaultValue = "${settings}", readonly = true, required = true)
    private org.apache.maven.settings.Settings settingsXml;

     * The settingsDecryptor from Maven to decrypt passwords from Settings.xml servers section
    private SettingsDecrypter settingsDecrypter;

     * The database user name.
    @Parameter(property = "databaseUser")
    private String databaseUser;
     * The password to use when connecting to the database. The `serverId` should be used instead otherwise maven debug logging could expose the password.
    @Parameter(property = "databasePassword")
    private String databasePassword;
     * A comma-separated list of file extensions to add to analysis next to jar,
     * zip, ....
    @Parameter(property = "zipExtensions")
    private String zipExtensions;
     * Skip Dependency Check altogether.
    @Parameter(property = "dependency-check.skip", defaultValue = "false")
    private boolean skip = false;
     * Skip Analysis for Test Scope Dependencies.
    @Parameter(property = "skipTestScope", defaultValue = "true")
    private boolean skipTestScope = true;
     * Skip Analysis for Runtime Scope Dependencies.
    @Parameter(property = "skipRuntimeScope", defaultValue = "false")
    private boolean skipRuntimeScope = false;
     * Skip Analysis for Provided Scope Dependencies.
    @Parameter(property = "skipProvidedScope", defaultValue = "false")
    private boolean skipProvidedScope = false;

     * Skip Analysis for System Scope Dependencies.
    @Parameter(property = "skipSystemScope", defaultValue = "false")
    private boolean skipSystemScope = false;

     * Skip Analysis for dependencyManagement section.
    @Parameter(property = "skipDependencyManagement", defaultValue = "true")
    private boolean skipDependencyManagement = true;

     * Skip analysis for dependencies which type matches this regular
     * expression. This filters on the `type` of dependency as defined in the
     * dependency section: jar, pom, test-jar, etc.
    @Parameter(property = "skipArtifactType")
    private String skipArtifactType;

     * The data directory, hold DC SQL DB.
    @Parameter(property = "dataDirectory")
    private String dataDirectory;

     * The name of the DC DB.
    @Parameter(property = "dbFilename")
    private String dbFilename;
     * The server id in the settings.xml; used to retrieve encrypted passwords
     * from the settings.xml. This is used for the database username and
     * password.
    @Parameter(property = "serverId")
    private String serverId;
     * The NVD API Key. The parameters {@link #nvdApiKeyEnvironmentVariable} or {@link #nvdApiServerId} should be used instead otherwise
     * Maven debug logging could expose the API Key (see <a href="">GHSA-qqhq-8r2c-c3f5</a>).
     * This takes precedence over {@link #nvdApiServerId} and {@link #nvdApiKeyEnvironmentVariable}.
    @Parameter(property = "nvdApiKey")
    private String nvdApiKey;
     * The maximum number of retry requests for a single call to the NVD API.
    @Parameter(property = "nvdMaxRetryCount")
    private Integer nvdMaxRetryCount;
     * The server id in the settings.xml; used to retrieve encrypted API Key
     * from the settings.xml for the NVD API Key. Note that the password is used
     * as the API Key.
     * Is potentially overwritten by {@link #nvdApiKeyEnvironmentVariable} or {@link #nvdApiKey}.
    @Parameter(property = "nvdApiServerId")
    private String nvdApiServerId;
     * The environment variable from which to retrieve the API key for the NVD API.
     * Takes precedence over {@link #nvdApiServerId} but is potentially overwritten by {@link #nvdApiKey}.
     * This is the recommended option to pass the API key in CI builds.
    @Parameter(property = "nvdApiKeyEnvironmentVariable")
    private String nvdApiKeyEnvironmentVariable;
     * The number of hours to wait before checking for new updates from the NVD.
    @Parameter(property = "nvdValidForHours")
    private Integer nvdValidForHours;
     * The NVD API Endpoint; setting this is uncommon.
    @Parameter(property = "nvdApiEndpoint")
    private String nvdApiEndpoint;
     * The NVD API Data Feed URL.
    @Parameter(property = "nvdDatafeedUrl")
    private String nvdDatafeedUrl;

     * The server id in the settings.xml; used to retrieve encrypted credentials
     * from the settings.xml for the NVD Data Feed.<br/>
     * Credentials with only a password will be used for Bearer auth, credentials with both user and password for Basic auth.
    @Parameter(property = "nvdDatafeedServerId")
    private String nvdDatafeedServerId;
     * The username for basic auth to the NVD Data Feed. A `nvdDatafeedServerId` with user/password set should be used instead otherwise maven debug logging could expose the password.
    @Parameter(property = "nvdUser")
    private String nvdUser;
     * The password for basic auth to the NVD Data Feed. A `nvdDatafeedServerId` with user/password set should be used instead otherwise maven debug logging could expose the password.
    @Parameter(property = "nvdPassword")
    private String nvdPassword;
     * The token for bearer auth to the NVD Data Feed. A `nvdDatafeedServerId` with only password set should be used instead otherwise maven debug logging could expose the token.
    @Parameter(property = "nvdBearerToken")
    private String nvdBearerToken;
     * The time in milliseconds to wait between downloading NVD API data.
    @Parameter(property = "nvdApiDelay")
    private Integer nvdApiDelay;

     * The number records for a single page from NVD API (must be <=2000).
    @Parameter(property = "nvdApiResultsPerPage")
    private Integer nvdApiResultsPerPage;

     * The path to dotnet core.
    @Parameter(property = "pathToCore")
    private String pathToCore;
     * The hosted suppressions file URL.
    @Parameter(property = "hostedSuppressionsUrl")
    private String hostedSuppressionsUrl;
     * The password used for Basic auth to the suppressionFiles.
    @Parameter(property = "hostedSuppressionsUser")
    private String hostedSuppressionsUser;
     * The password used for Basic auth to the suppressionFiles. The `hostedSuppressionsServerId` with user/password should be used instead otherwise maven debug logging could expose the password.
    @Parameter(property = "hostedSuppressionsPassword")
    private String hostedSuppressionsPassword;
     * The token used for Bearer auth to the suppressionFiles. The `hostedSuppressionsServerId` with only password should be used instead otherwise maven debug logging could expose the token.
    @Parameter(property = "hostedSuppressionsBearerToken")
    private String hostedSuppressionsBearerToken;
     * The server id in the settings.xml used to retrieve encrypted passwords
     * from the settings.xml for a mirror of the HostedSuppressions XML file.
    @Parameter(property = "hostedSuppressionsServerId")
    private String hostedSuppressionsServerId;
     * Whether the hosted suppressions file will be updated regardless of the
     * `autoupdate` settings.
    @Parameter(property = "hostedSuppressionsForceUpdate")
    private Boolean hostedSuppressionsForceUpdate;
     * Whether the hosted suppressions file will be used.
    @Parameter(property = "hostedSuppressionsEnabled")
    private Boolean hostedSuppressionsEnabled;
     * Skip excessive hosted suppression file update checks for a designated
     * duration in hours (defaults to 2 hours).
    @Parameter(property = "hostedSuppressionsValidForHours")
    private Integer hostedSuppressionsValidForHours;

     * The RetireJS Analyzer configuration:
     * <pre>
     *   filters: an array of filter patterns that are used to exclude JS files that contain a match
     *   filterNonVulnerable: a boolean that when true will remove non-vulnerable JS from the report
     * Example:
     *   &lt;retirejs&gt;
     *     &lt;filters&gt;
     *       &lt;filter&gt;copyright 2018\(c\) Jeremy Long&lt;/filter&gt;
     *     &lt;/filters&gt;
     *     &lt;filterNonVulnerable&gt;true&lt;/filterNonVulnerable&gt;
     *   &lt;/retirejs&gt;
     * </pre>
    @Parameter(property = "retirejs")
    private Retirejs retirejs;

     * The list of artifacts (and their transitive dependencies) to exclude from
     * the check.
    @Parameter(property = "odc.excludes")
    private List<String> excludes;

     * The artifact scope filter.
    private Filter<String> artifactScopeExcluded;

     * Filter for artifact type.
    private Filter<String> artifactTypeExcluded;

     * An collection of <code>fileSet</code>s that specify additional files
     * and/or directories (from the basedir) to analyze as part of the scan. If
     * not specified, defaults to Maven conventions of: src/main/resources,
     * src/main/filters, and src/main/webapp. Note, this cannot be set via the
     * command line - use `scanDirectory` instead.
    private List<FileSet> scanSet;
     * A list of directories to scan. Note, this should only be used via the
     * command line - if configuring the directories to scan consider using the
     * `scanSet` instead.
    @Parameter(property = "scanDirectory")
    private List<String> scanDirectory;

     * Whether the project's plugins should also be scanned.
    @Parameter(property = "odc.plugins.scan", defaultValue = "false", required = false)
    private boolean scanPlugins = false;
     * Whether the project's dependencies should also be scanned.
    @Parameter(property = "odc.dependencies.scan", defaultValue = "true", required = false)
    private boolean scanDependencies = true;
     * The proxy configuration.
    private ProxyConfig proxy;

     * Determines if the groupId, artifactId, and version of the Maven
     * dependency and artifact match.
     * @param d the Maven dependency
     * @param a the Maven artifact
     * @return true if the groupId, artifactId, and version match
    private static boolean artifactsMatch(org.apache.maven.model.Dependency d, Artifact a) {
        return isEqualOrNull(a.getArtifactId(), d.getArtifactId())
                && isEqualOrNull(a.getGroupId(), d.getGroupId())
                && isEqualOrNull(a.getVersion(), d.getVersion());

     * Compares two strings for equality; if both strings are null they are
     * considered equal.
     * @param left the first string to compare
     * @param right the second string to compare
     * @return true if the strings are equal or if they are both null; otherwise
     * false.
    private static boolean isEqualOrNull(String left, String right) {
        return (left != null && left.equals(right)) || (left == null && right == null);

     * Executes dependency-check.
     * @throws MojoExecutionException thrown if there is an exception executing
     * the mojo
     * @throws MojoFailureException thrown if dependency-check failed the build
    public void execute() throws MojoExecutionException, MojoFailureException {
        generatingSite = false;
        final boolean shouldSkip = Boolean.parseBoolean(System.getProperty("dependency-check.skip", Boolean.toString(skip)));
        if (shouldSkip) {
            getLog().info("Skipping " + getName(Locale.US));
        } else {
            project.setContextValue("dependency-check-output-dir", this.outputDirectory);

     * Returns true if the Maven site is being generated.
     * @return true if the Maven site is being generated
    protected boolean isGeneratingSite() {
        return generatingSite;

     * Returns the connection string.
     * @return the connection string
    protected String getConnectionString() {
        return connectionString;

     * Returns if the mojo should fail the build if an exception occurs.
     * @return whether or not the mojo should fail the build
    protected boolean isFailOnError() {
        return failOnError;

     * Generates the Dependency-Check Site Report.
     * @param sink the sink to write the report to
     * @param locale the locale to use when generating the report
     * @throws MavenReportException if a maven report exception occurs
    public void generate(Sink sink, Locale locale) throws MavenReportException {
        final boolean shouldSkip = Boolean.parseBoolean(System.getProperty("dependency-check.skip", Boolean.toString(skip)));
        if (shouldSkip) {
            getLog().info("Skipping report generation " + getName(Locale.US));

        generatingSite = true;
        project.setContextValue("dependency-check-output-dir", getReportOutputDirectory());
        try {
        } catch (MojoExecutionException ex) {
            throw new MavenReportException(ex.getMessage(), ex);
        } catch (MojoFailureException ex) {
            getLog().warn("Vulnerabilities were identifies that exceed the CVSS threshold for failing the build");

     * Returns the correct output directory depending on if a site is being
     * executed or not.
     * @return the directory to write the report(s)
     * @throws MojoExecutionException thrown if there is an error loading the
     * file path
    protected File getCorrectOutputDirectory() throws MojoExecutionException {
        return getCorrectOutputDirectory(this.project);

     * Returns the correct output directory depending on if a site is being
     * executed or not.
     * @param current the Maven project to get the output directory from
     * @return the directory to write the report(s)
    protected File getCorrectOutputDirectory(MavenProject current) {
        final Object obj = current.getContextValue("dependency-check-output-dir");
        if (obj != null && obj instanceof File) {
            return (File) obj;
        //else we guess
        File target = new File(current.getBuild().getDirectory());
        if (target.getParentFile() != null && "target".equals(target.getParentFile().getName())) {
            target = target.getParentFile();
        return target;

     * Scans the project's artifacts and adds them to the engine's dependency
     * list.
     * @param project the project to scan the dependencies of
     * @param engine the engine to use to scan the dependencies
     * @return a collection of exceptions that may have occurred while resolving
     * and scanning the dependencies
    protected ExceptionCollection scanArtifacts(MavenProject project, Engine engine) {
        return scanArtifacts(project, engine, false);

     * Scans the project's artifacts and adds them to the engine's dependency
     * list.
     * @param project the project to scan the dependencies of
     * @param engine the engine to use to scan the dependencies
     * @param aggregate whether the scan is part of an aggregate build
     * @return a collection of exceptions that may have occurred while resolving
     * and scanning the dependencies
    protected ExceptionCollection scanArtifacts(MavenProject project, Engine engine, boolean aggregate) {
        try {
            final List<String> filterItems = Collections.singletonList(String.format("%s:%s", project.getGroupId(), project.getArtifactId()));
            final ProjectBuildingRequest buildingRequest = newResolveArtifactProjectBuildingRequest(project, project.getRemoteArtifactRepositories());
            //For some reason the filter does not filter out the project being analyzed
            //if we pass in the filter below instead of null to the dependencyGraphBuilder
            final DependencyNode dn = dependencyGraphBuilder.buildDependencyGraph(buildingRequest, null);

            final CollectingRootDependencyGraphVisitor collectorVisitor = new CollectingRootDependencyGraphVisitor();

            // exclude artifact by pattern and its dependencies
            final DependencyNodeVisitor transitiveFilterVisitor = new FilteringDependencyTransitiveNodeVisitor(collectorVisitor,
                    new ArtifactDependencyNodeFilter(new PatternExcludesArtifactFilter(getExcludes())));
            // exclude exact artifact but not its dependencies, this filter must be appied on the root for first otherwise
            // in case the exclude has the same groupId of the current bundle its direct dependencies are not visited
            final DependencyNodeVisitor artifactFilter = new FilteringDependencyNodeVisitor(transitiveFilterVisitor,
                    new ArtifactDependencyNodeFilter(new ExcludesArtifactFilter(filterItems)));

            //collect dependencies with the filter - see comment above.
            final Map<DependencyNode, List<DependencyNode>> nodes = collectorVisitor.getNodes();

            return collectDependencies(engine, project, nodes, buildingRequest, aggregate);
        } catch (DependencyGraphBuilderException ex) {
            final String msg = String.format("Unable to build dependency graph on project %s", project.getName());
            getLog().debug(msg, ex);
            return new ExceptionCollection(ex);

     * Scans the project's artifacts for plugin-dependencies and adds them to
     * the engine's dependency list.
     * @param project the project to scan the plugin-dependencies of
     * @param engine the engine to use to scan the plugin-dependencies
     * @param exCollection the collection of exceptions that have previously
     * occurred
     * @return a collection of exceptions that may have occurred while resolving
     * and scanning the plugins and their dependencies
    protected ExceptionCollection scanPlugins(MavenProject project, Engine engine, ExceptionCollection exCollection) {
        ExceptionCollection exCol = exCollection;
        final Set<Artifact> plugins = new HashSet<>();
        final Set<Artifact> buildPlugins = getProject().getPluginArtifacts();
        final Set<Artifact> reportPlugins = getProject().getReportArtifacts();
        final Set<Artifact> extensions = getProject().getExtensionArtifacts();


        final ProjectBuildingRequest buildingRequest = newResolveArtifactProjectBuildingRequest(project, project.getPluginArtifactRepositories());
        for (Artifact plugin : plugins) {
            try {
                final Artifact resolved = artifactResolver.resolveArtifact(buildingRequest, plugin).getArtifact();

                exCol = addPluginToDependencies(project, engine, resolved, "pom.xml (plugins)", exCol);

                final DefaultDependableCoordinate pluginCoordinate = new DefaultDependableCoordinate();

                final String parent = buildReference(resolved.getGroupId(), resolved.getArtifactId(), resolved.getVersion());
                for (Artifact artifact : resolveArtifactDependencies(pluginCoordinate, project)) {
                    exCol = addPluginToDependencies(project, engine, artifact, parent, exCol);
            } catch (ArtifactResolverException ex) {
                throw new RuntimeException(ex);
            } catch (IllegalArgumentException ex) {
                throw new RuntimeException(ex);
            } catch (DependencyResolverException ex) {
                throw new RuntimeException(ex);

        return null;


    private ExceptionCollection addPluginToDependencies(MavenProject project, Engine engine, Artifact artifact, String parent, ExceptionCollection exCollection) {
        ExceptionCollection exCol = exCollection;
        final String groupId = artifact.getGroupId();
        final String artifactId = artifact.getArtifactId();
        final String version = artifact.getVersion();
        final File artifactFile = artifact.getFile();
        if (artifactFile.isFile()) {
            final List<ArtifactVersion> availableVersions = artifact.getAvailableVersions();

            final List<Dependency> deps = engine.scan(artifactFile.getAbsoluteFile(),
                    project.getName() + " (plugins)");
            if (deps != null) {
                Dependency d = null;
                if (deps.size() == 1) {
                    d = deps.get(0);
                } else {
                    for (Dependency possible : deps) {
                        if (artifactFile.getAbsoluteFile().equals(possible.getActualFile())) {
                            d = possible;
                    for (Dependency dep : deps) {
                        if (d != null && d != dep) {
                            final String includedBy = buildReference(groupId, artifactId, version);
                            dep.addIncludedBy(includedBy, "plugins");
                if (d != null) {
                    final MavenArtifact ma = new MavenArtifact(groupId, artifactId, version);
                    d.addAsEvidence("pom", ma, Confidence.HIGHEST);
                    if (parent != null) {
                        d.addIncludedBy(parent, "plugins");
                    } else {
                        final String includedby = buildReference(
                        d.addIncludedBy(includedby, "plugins");
                    if (availableVersions != null) {
                        for (ArtifactVersion av : availableVersions) {
        } else {
            if (exCol == null) {
                exCol = new ExceptionCollection();
            exCol.addException(new DependencyNotFoundException("Unable to resolve plugin: "
                    + groupId + ":" + artifactId + ":" + version));

        return exCol;

    private String buildReference(final String groupId, final String artifactId, final String version) {
        String includedBy;
        try {
            final PackageURL purl = new PackageURL("maven", groupId, artifactId, version, null, null);
            includedBy = purl.toString();
        } catch (MalformedPackageURLException ex) {
            getLog().warn("Unable to generate build reference for " + groupId
                    + ":" + artifactId + ":" + version, ex);
            includedBy = groupId + ":" + artifactId + ":" + version;
        return includedBy;

    protected Set<Artifact> resolveArtifactDependencies(final DependableCoordinate artifact, MavenProject project)
            throws DependencyResolverException {
        final ProjectBuildingRequest buildingRequest = newResolveArtifactProjectBuildingRequest(project, project.getRemoteArtifactRepositories());

        final Iterable<ArtifactResult> artifactResults = dependencyResolver.resolveDependencies(buildingRequest, artifact, null);

        final Set<Artifact> artifacts = new HashSet<>();

        for (ArtifactResult artifactResult : artifactResults) {

        return artifacts;


     * Converts the dependency to a dependency node object.
     * @param nodes the list of dependency nodes
     * @param buildingRequest the Maven project building request
     * @param parent the parent node
     * @param dependency the dependency to convert
     * @return the resulting dependency node
     * @throws ArtifactResolverException thrown if the artifact could not be
     * retrieved
    private DependencyNode toDependencyNode(List<DependencyNode> nodes, ProjectBuildingRequest buildingRequest,
            DependencyNode parent, org.apache.maven.model.Dependency dependency) throws ArtifactResolverException {

        final DefaultArtifactCoordinate coordinate = new DefaultArtifactCoordinate();

        String version = null;
        final VersionRange vr;
        try {
            vr = VersionRange.createFromVersionSpec(dependency.getVersion());
        } catch (InvalidVersionSpecificationException ex) {
            throw new ArtifactResolverException("Invalid version specification: "
                    + dependency.getGroupId() + ":"
                    + dependency.getArtifactId() + ":"
                    + dependency.getVersion(), ex);
        if (vr.hasRestrictions()) {
            version = findVersion(nodes, dependency.getGroupId(), dependency.getArtifactId());
            if (version == null) {
                //TODO - this still may fail if the restriction is not a valid version number (i.e. only 2.9 instead of 2.9.1)
                //need to get available versions and filter on the restrictions.
                if (vr.getRecommendedVersion() != null) {
                    version = vr.getRecommendedVersion().toString();
                } else if (vr.hasRestrictions()) {
                    for (Restriction restriction : vr.getRestrictions()) {
                        if (restriction.getLowerBound() != null) {
                            version = restriction.getLowerBound().toString();
                        if (restriction.getUpperBound() != null) {
                            version = restriction.getUpperBound().toString();
                } else {
                    version = vr.toString();
        if (version == null) {
            version = dependency.getVersion();

        final ArtifactType type = session.getRepositorySession().getArtifactTypeRegistry().get(dependency.getType());
        coordinate.setClassifier((null == dependency.getClassifier() || dependency.getClassifier().isEmpty())
                ? type.getClassifier() : dependency.getClassifier());
        final Artifact artifact = artifactResolver.resolveArtifact(buildingRequest, coordinate).getArtifact();
        return new DefaultDependencyNode(parent, artifact, dependency.getVersion(), dependency.getScope(), null);

     * Returns the version from the list of nodes that match the given groupId
     * and artifactID.
     * @param nodes the nodes to search
     * @param groupId the group id to find
     * @param artifactId the artifact id to find
     * @return the version from the list of nodes that match the given groupId
     * and artifactID; otherwise <code>null</code> is returned
    private String findVersion(List<DependencyNode> nodes, String groupId, String artifactId) {
        final Optional<DependencyNode> f =
                -> groupId.equals(p.getArtifact().getGroupId())
                && artifactId.equals(p.getArtifact().getArtifactId())).findFirst();
        if (f.isPresent()) {
            return f.get().getArtifact().getVersion();
        return null;

     * Collect dependencies from the dependency management section.
     * @param engine reference to the ODC engine
     * @param buildingRequest the Maven project building request
     * @param project the project being analyzed
     * @param nodes the list of dependency nodes
     * @param aggregate whether or not this is an aggregate analysis
     * @return a collection of exceptions if any occurred; otherwise
     * <code>null</code>
    private ExceptionCollection collectDependencyManagementDependencies(Engine engine, ProjectBuildingRequest buildingRequest,
            MavenProject project, List<DependencyNode> nodes, boolean aggregate) {
        if (skipDependencyManagement || project.getDependencyManagement() == null) {
            return null;

        ExceptionCollection exCol = null;
        for (org.apache.maven.model.Dependency dependency : project.getDependencyManagement().getDependencies()) {
            try {
                nodes.add(toDependencyNode(nodes, buildingRequest, null, dependency));
            } catch (ArtifactResolverException ex) {
                getLog().debug(String.format("Aggregate : %s", aggregate));
                boolean addException = true;
                if (!aggregate) {
                    // do nothing, exception is to be reported
                } else if (addReactorDependency(engine,
                        new DefaultArtifact(dependency.getGroupId(), dependency.getArtifactId(),
                                dependency.getVersion(), dependency.getScope(), dependency.getType(), dependency.getClassifier(),
                                new DefaultArtifactHandler()), project)) {
                    addException = false;
                if (addException) {
                    if (exCol == null) {
                        exCol = new ExceptionCollection();
        return exCol;

     * Resolves the projects artifacts using Aether and scans the resulting
     * dependencies.
     * @param engine the core dependency-check engine
     * @param project the project being scanned
     * @param nodeMap the map of dependency nodes, generally obtained via the
     * DependencyGraphBuilder using the CollectingRootDependencyGraphVisitor
     * @param buildingRequest the Maven project building request
     * @param aggregate whether the scan is part of an aggregate build
     * @return a collection of exceptions that may have occurred while resolving
     * and scanning the dependencies
    private ExceptionCollection collectMavenDependencies(Engine engine, MavenProject project,
            Map<DependencyNode, List<DependencyNode>> nodeMap, ProjectBuildingRequest buildingRequest, boolean aggregate) {

        final List<ArtifactResult> allResolvedDeps = new ArrayList<>();

        //dependency management
        final List<DependencyNode> dmNodes = new ArrayList<>();
        ExceptionCollection exCol = collectDependencyManagementDependencies(engine, buildingRequest, project, dmNodes, aggregate);
        for (DependencyNode dependencyNode : dmNodes) {
            exCol = scanDependencyNode(dependencyNode, null, engine, project, allResolvedDeps, buildingRequest, aggregate, exCol);

        for (Map.Entry<DependencyNode, List<DependencyNode>> entry : nodeMap.entrySet()) {
            exCol = scanDependencyNode(entry.getKey(), null, engine, project, allResolvedDeps, buildingRequest, aggregate, exCol);
            for (DependencyNode dependencyNode : entry.getValue()) {
                exCol = scanDependencyNode(dependencyNode, entry.getKey(), engine, project, allResolvedDeps, buildingRequest, aggregate, exCol);
        return exCol;
     * Utility method for a work-around to MSHARED-998
     * @param allDeps The List of ArtifactResults for all dependencies
     * @param unresolvedArtifact The ArtifactCoordinate of the artifact we're
     * looking for
     * @param project The project in whose context resolution was attempted
     * @return the resolved artifact matching with {@code unresolvedArtifact}
     * @throws DependencyNotFoundException If {@code unresolvedArtifact} could
     * not be found within {@code allDeps}
    private Artifact findInAllDeps(final List<ArtifactResult> allDeps, final Artifact unresolvedArtifact,
            final MavenProject project)
            throws DependencyNotFoundException {
        Artifact result = null;
        for (final ArtifactResult res : allDeps) {
            if (sameArtifact(res, unresolvedArtifact)) {
                result = res.getArtifact();
        if (result == null) {
            throw new DependencyNotFoundException(String.format("Expected dependency not found in resolved artifacts for "
                    + "dependency %s of project-artifact %s", unresolvedArtifact, project.getArtifactId()));
        return result;

     * Utility method for a work-around to MSHARED-998
     * @param res A single ArtifactResult obtained from the DependencyResolver
     * @param unresolvedArtifact The unresolved Artifact from the
     * dependencyGraph that we try to find
     * @return {@code true} when unresolvedArtifact is non-null and matches with
     * the artifact of res
    private boolean sameArtifact(final ArtifactResult res, final Artifact unresolvedArtifact) {
        if (res == null || res.getArtifact() == null || unresolvedArtifact == null) {
            return false;
        boolean result = Objects.equals(res.getArtifact().getGroupId(), unresolvedArtifact.getGroupId());
        result &= Objects.equals(res.getArtifact().getArtifactId(), unresolvedArtifact.getArtifactId());
        // accept any version as matching "LATEST" and any non-snapshot version as matching "RELEASE" meta-version
        if ("RELEASE".equals(unresolvedArtifact.getBaseVersion())) {
            result &= !res.getArtifact().isSnapshot();
        } else if (!"LATEST".equals(unresolvedArtifact.getBaseVersion())) {
            result &= Objects.equals(res.getArtifact().getBaseVersion(), unresolvedArtifact.getBaseVersion());
        result &= Objects.equals(res.getArtifact().getClassifier(), unresolvedArtifact.getClassifier());
        result &= Objects.equals(res.getArtifact().getType(), unresolvedArtifact.getType());
        return result;

     * @param project the {@link MavenProject}
     * @param dependencyNode the {@link DependencyNode}
     * @return the name to be used when creating a
     * {@link Dependency#getProjectReferences() project reference} in a
     * {@link Dependency}. The behavior of this method returns {@link MavenProject#getName() project.getName()}<code> + ":" +
     * </code>
     * {@link DependencyNode#getArtifact() dependencyNode.getArtifact()}{@link Artifact#getScope() .getScope()}.
    protected String createProjectReferenceName(MavenProject project, DependencyNode dependencyNode) {
        return project.getName() + ":" + dependencyNode.getArtifact().getScope();

     * Scans the projects dependencies including the default (or defined)
     * FileSets.
     * @param engine the core dependency-check engine
     * @param project the project being scanned
     * @param nodes the list of dependency nodes, generally obtained via the
     * DependencyGraphBuilder
     * @param buildingRequest the Maven project building request
     * @param aggregate whether the scan is part of an aggregate build
     * @return a collection of exceptions that may have occurred while resolving
     * and scanning the dependencies
    private ExceptionCollection collectDependencies(Engine engine, MavenProject project,
            Map<DependencyNode, List<DependencyNode>> nodes, ProjectBuildingRequest buildingRequest, boolean aggregate) {

        ExceptionCollection exCol;
        exCol = collectMavenDependencies(engine, project, nodes, buildingRequest, aggregate);

        final List<FileSet> projectScan;

        if (scanDirectory != null && !scanDirectory.isEmpty()) {
            if (scanSet == null) {
                scanSet = new ArrayList<>();
            scanDirectory.forEach(d -> {
                final FileSet fs = new FileSet();

        if (scanSet == null || scanSet.isEmpty()) {
            // Define the default FileSets
            final FileSet resourcesSet = new FileSet();
            final FileSet filtersSet = new FileSet();
            final FileSet webappSet = new FileSet();
            final FileSet mixedLangSet = new FileSet();
            try {
                resourcesSet.setDirectory(new File(project.getBasedir(), "src/main/resources").getCanonicalPath());
                filtersSet.setDirectory(new File(project.getBasedir(), "src/main/filters").getCanonicalPath());
                webappSet.setDirectory(new File(project.getBasedir(), "src/main/webapp").getCanonicalPath());
            } catch (IOException ex) {
                if (exCol == null) {
                    exCol = new ExceptionCollection();
            projectScan = new ArrayList<>();

        } else if (aggregate) {
            projectScan = new ArrayList<>();
            for (FileSet copyFrom : scanSet) {
                //deep copy of the FileSet - modifying the directory if it is not absolute.
                final FileSet fsCopy = new FileSet();
                final File f = new File(copyFrom.getDirectory());
                if (f.isAbsolute()) {
                } else {
                    try {
                        fsCopy.setDirectory(new File(project.getBasedir(), copyFrom.getDirectory()).getCanonicalPath());
                    } catch (IOException ex) {
                        if (exCol == null) {
                            exCol = new ExceptionCollection();
        } else {
            projectScan = scanSet;

        // Iterate through FileSets and scan included files
        final FileSetManager fileSetManager = new FileSetManager();
        for (FileSet fileSet : projectScan) {
            getLog().debug("Scanning fileSet: " + fileSet.getDirectory());
            final String[] includedFiles = fileSetManager.getIncludedFiles(fileSet);
            for (String include : includedFiles) {
                final File includeFile = new File(fileSet.getDirectory(), include).getAbsoluteFile();
                if (includeFile.exists()) {
                    engine.scan(includeFile, project.getName());
        return exCol;

     * Checks if the current artifact is actually in the reactor projects that
     * have not yet been built. If true a virtual dependency is created based on
     * the evidence in the project.
     * @param engine a reference to the engine being used to scan
     * @param artifact the artifact being analyzed in the mojo
     * @param depender The project that depends on this virtual dependency
     * @return <code>true</code> if the artifact is in the reactor; otherwise
     * <code>false</code>
    private boolean addReactorDependency(Engine engine, Artifact artifact, final MavenProject depender) {
        return addVirtualDependencyFromReactor(engine, artifact, depender, "Unable to resolve %s as it has not been built yet "
                + "- creating a virtual dependency instead.");

     * Checks if the current artifact is actually in the reactor projects. If
     * true a virtual dependency is created based on the evidence in the
     * project.
     * @param engine a reference to the engine being used to scan
     * @param artifact the artifact being analyzed in the mojo
     * @param depender The project that depends on this virtual dependency
     * @param infoLogTemplate the template for the infoLog entry written when a
     * virtual dependency is added. Needs a single %s placeholder for the
     * location of the displayName in the message
     * @return <code>true</code> if the artifact is in the reactor; otherwise
     * <code>false</code>
    private boolean addVirtualDependencyFromReactor(Engine engine, Artifact artifact,
            final MavenProject depender, String infoLogTemplate) {

        getLog().debug(String.format("Checking the reactor projects (%d) for %s:%s:%s",
                artifact.getGroupId(), artifact.getArtifactId(), artifact.getVersion()));

        for (MavenProject prj : reactorProjects) {

            getLog().debug(String.format("Comparing %s:%s:%s to %s:%s:%s",
                    artifact.getGroupId(), artifact.getArtifactId(), artifact.getBaseVersion(),
                    prj.getGroupId(), prj.getArtifactId(), prj.getVersion()));

            if (prj.getArtifactId().equals(artifact.getArtifactId())
                    && prj.getGroupId().equals(artifact.getGroupId())
                    && prj.getVersion().equals(artifact.getBaseVersion())) {

                final String displayName = String.format("%s:%s:%s",
                        prj.getGroupId(), prj.getArtifactId(), prj.getVersion());
                final Dependency d = newDependency(prj);
                final String key = String.format("%s:%s:%s", prj.getGroupId(), prj.getArtifactId(), prj.getVersion());
                final String includedby = buildReference(
                d.addEvidence(EvidenceType.PRODUCT, "project", "artifactid", prj.getArtifactId(), Confidence.HIGHEST);
                d.addEvidence(EvidenceType.VENDOR, "project", "artifactid", prj.getArtifactId(), Confidence.LOW);

                d.addEvidence(EvidenceType.VENDOR, "project", "groupid", prj.getGroupId(), Confidence.HIGHEST);
                d.addEvidence(EvidenceType.PRODUCT, "project", "groupid", prj.getGroupId(), Confidence.LOW);
                Identifier id;
                try {
                    id = new PurlIdentifier(StandardTypes.MAVEN, artifact.getGroupId(),
                            artifact.getArtifactId(), artifact.getVersion(), Confidence.HIGHEST);
                } catch (MalformedPackageURLException ex) {
                    getLog().debug("Unable to create PackageURL object:" + key);
                    id = new GenericIdentifier("maven:" + key, Confidence.HIGHEST);
                //TODO unify the setName/version and package path - they are equivelent ideas submitted by two seperate committers
                d.setName(String.format("%s:%s", prj.getGroupId(), prj.getArtifactId()));
                if (prj.getDescription() != null) {
                    JarAnalyzer.addDescription(d, prj.getDescription(), "project", "description");
                for (License l : prj.getLicenses()) {
                    final StringBuilder license = new StringBuilder();
                    if (l.getName() != null) {
                    if (l.getUrl() != null) {
                        license.append(" ").append(l.getUrl());
                    if (d.getLicense() == null) {
                    } else if (!d.getLicense().contains(license)) {
                        d.setLicense(String.format("%s%n%s", d.getLicense(), license));
                return true;
        return false;

    Dependency newDependency(MavenProject prj) {
        final File pom = new File(prj.getBasedir(), "pom.xml");

        if (pom.isFile()) {
            getLog().debug("Adding virtual dependency from pom.xml");
            return new Dependency(pom, true);
        } else if (prj.getFile().isFile()) {
            getLog().debug("Adding virtual dependency from file");
            return new Dependency(prj.getFile(), true);
        } else {
            return new Dependency(true);

     * Checks if the current artifact is actually in the reactor projects. If
     * true a virtual dependency is created based on the evidence in the
     * project.
     * @param engine a reference to the engine being used to scan
     * @param artifact the artifact being analyzed in the mojo
     * @param depender The project that depends on this virtual dependency
     * @return <code>true</code> if the artifact is a snapshot artifact in the
     * reactor; otherwise <code>false</code>
    private boolean addSnapshotReactorDependency(Engine engine, Artifact artifact, final MavenProject depender) {
        if (!artifact.isSnapshot()) {
            return false;
        return addVirtualDependencyFromReactor(engine, artifact, depender, "Found snapshot reactor project in aggregate for %s - "
                + "creating a virtual dependency as the snapshot found in the repository may contain outdated dependencies.");

     * @param project The target project to create a building request for.
     * @param repos the artifact repositories to use.
     * @return Returns a new ProjectBuildingRequest populated from the current
     * session and the target project remote repositories, used to resolve
     * artifacts.
    public ProjectBuildingRequest newResolveArtifactProjectBuildingRequest(MavenProject project, List<ArtifactRepository> repos) {
        final ProjectBuildingRequest buildingRequest = new DefaultProjectBuildingRequest(session.getProjectBuildingRequest());
        return buildingRequest;

     * Executes the dependency-check scan and generates the necessary report.
     * @throws MojoExecutionException thrown if there is an exception running
     * the scan
     * @throws MojoFailureException thrown if dependency-check is configured to
     * fail the build
    protected void runCheck() throws MojoExecutionException, MojoFailureException {
        try (Engine engine = initializeEngine()) {
            ExceptionCollection exCol = null;
            if (scanDependencies) {
                exCol = scanDependencies(engine);
            if (scanPlugins) {
                exCol = scanPlugins(engine, exCol);
            try {
            } catch (ExceptionCollection ex) {
                exCol = handleAnalysisExceptions(exCol, ex);
            if (exCol == null || !exCol.isFatal()) {

                File outputDir = getCorrectOutputDirectory(this.getProject());
                if (outputDir == null) {
                    //in some regards we shouldn't be writing this, but we are anyway.
                    //we shouldn't write this because nothing is configured to generate this report.
                    outputDir = new File(this.getProject().getBuild().getDirectory());
                try {
                    final MavenProject p = this.getProject();
                    for (String f : getFormats()) {
                        engine.writeReports(p.getName(), p.getGroupId(), p.getArtifactId(), p.getVersion(), outputDir, f, exCol);
                } catch (ReportException ex) {
                    if (exCol == null) {
                        exCol = new ExceptionCollection(ex);
                    } else {
                    if (this.isFailOnError()) {
                        throw new MojoExecutionException("One or more exceptions occurred during dependency-check analysis", exCol);
                    } else {
                        getLog().debug("Error writing the report", ex);
                showSummary(this.getProject(), engine.getDependencies());
                if (exCol != null && this.isFailOnError()) {
                    throw new MojoExecutionException("One or more exceptions occurred during dependency-check analysis", exCol);
        } catch (DatabaseException ex) {
            if (getLog().isDebugEnabled()) {
                getLog().debug("Database connection error", ex);
            final String msg = "An exception occurred connecting to the local database. Please see the log file for more details.";
            if (this.isFailOnError()) {
                throw new MojoExecutionException(msg, ex);
            getLog().error(msg, ex);
        } finally {

     * Combines the two exception collections and if either are fatal, throw an
     * MojoExecutionException
     * @param currentEx the primary exception collection
     * @param newEx the new exception collection to add
     * @return the combined exception collection
     * @throws MojoExecutionException thrown if dependency-check is configured
     * to fail on errors
    private ExceptionCollection handleAnalysisExceptions(ExceptionCollection currentEx, ExceptionCollection newEx) throws MojoExecutionException {
        ExceptionCollection returnEx = currentEx;
        if (returnEx == null) {
            returnEx = newEx;
        } else {
            if (newEx.isFatal()) {
        if (returnEx.isFatal()) {
            final String msg = String.format("Fatal exception(s) analyzing %s", getProject().getName());
            if (this.isFailOnError()) {
                throw new MojoExecutionException(msg, returnEx);
            if (getLog().isDebugEnabled()) {
        } else {
            final String msg = String.format("Exception(s) analyzing %s", getProject().getName());
            if (getLog().isDebugEnabled()) {
                getLog().debug(msg, returnEx);
        return returnEx;

     * Scans the dependencies of the projects.
     * @param engine the engine used to perform the scanning
     * @return a collection of exceptions
     * @throws MojoExecutionException thrown if a fatal exception occurs
    protected abstract ExceptionCollection scanDependencies(Engine engine) throws MojoExecutionException;

     * Scans the plugins of the projects.
     * @param engine the engine used to perform the scanning
     * @param exCol the collection of any exceptions that have previously been
     * captured.
     * @return a collection of exceptions
     * @throws MojoExecutionException thrown if a fatal exception occurs
    protected abstract ExceptionCollection scanPlugins(Engine engine, ExceptionCollection exCol) throws MojoExecutionException;

     * Returns the report output directory.
     * @return the report output directory
    public File getReportOutputDirectory() {
        return reportOutputDirectory;

     * Sets the Reporting output directory.
     * @param directory the output directory
    public void setReportOutputDirectory(File directory) {
        reportOutputDirectory = directory;

     * Returns the output directory.
     * @return the output directory
    public File getOutputDirectory() {
        return outputDirectory;

     * Returns whether this is an external report. This method always returns
     * true.
     * @return <code>true</code>
    public final boolean isExternalReport() {
        return true;

     * Returns the output name.
     * @return the output name
    public String getOutputName() {
        final Set<String> selectedFormats = getFormats();
        if (selectedFormats.contains("HTML") || selectedFormats.contains("ALL") || selectedFormats.size() > 1) {
            return "dependency-check-report";
        } else if (selectedFormats.contains("JENKINS")) {
            return "dependency-check-jenkins.html";
        } else if (selectedFormats.contains("XML")) {
            return "dependency-check-report.xml";
        } else if (selectedFormats.contains("JUNIT")) {
            return "dependency-check-junit.xml";
        } else if (selectedFormats.contains("JSON")) {
            return "dependency-check-report.json";
        } else if (selectedFormats.contains("SARIF")) {
            return "dependency-check-report.sarif";
        } else if (selectedFormats.contains("CSV")) {
            return "dependency-check-report.csv";
        } else {
            getLog().warn("Unknown report format used during site generation.");
            return "dependency-check-report";

     * Returns the category name.
     * @return the category name
    public String getCategoryName() {
        return MavenReport.CATEGORY_PROJECT_REPORTS;

     * Initializes a new <code>Engine</code> that can be used for scanning. This
     * method should only be called in a try-with-resources to ensure that the
     * engine is properly closed.
     * @return a newly instantiated <code>Engine</code>
     * @throws DatabaseException thrown if there is a database exception
     * @throws MojoExecutionException on configuration errors when failOnError is true
     * @throws MojoFailureException on configuration errors when failOnError is false
    protected Engine initializeEngine() throws DatabaseException, MojoExecutionException, MojoFailureException {
        try {
        } catch (InvalidSettingException e) {
            if (this.failOnError) {
                throw new MojoFailureException(e.getMessage(), e);
            } else {
                throw new MojoExecutionException(e.getMessage(), e);
        return new Engine(settings);

     * Takes the properties supplied and updates the dependency-check settings.
     * Additionally, this sets the system properties required to change the
     * proxy URL, port, and connection timeout.
    protected void populateSettings() throws MojoFailureException, MojoExecutionException {
        settings = new Settings();
        InputStream mojoProperties = null;
        try {
            mojoProperties = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
        } catch (IOException ex) {
            getLog().warn("Unable to load the dependency-check maven file.");
            if (getLog().isDebugEnabled()) {
                getLog().debug("", ex);
        } finally {
            if (mojoProperties != null) {
                try {
                } catch (IOException ex) {
                    if (getLog().isDebugEnabled()) {
                        getLog().debug("", ex);
        settings.setStringIfNotEmpty(Settings.KEYS.MAVEN_LOCAL_REPO, mavenSettings.getLocalRepository());
        settings.setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, enableExperimental);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIRED_ENABLED, enableRetired);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_GOLANG_DEP_ENABLED, golangDepEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_GOLANG_MOD_ENABLED, golangModEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_DART_ENABLED, dartAnalyzerEnabled);
        settings.setStringIfNotNull(Settings.KEYS.ANALYZER_GOLANG_PATH, pathToGo);
        settings.setStringIfNotNull(Settings.KEYS.ANALYZER_YARN_PATH, pathToYarn);
        settings.setStringIfNotNull(Settings.KEYS.ANALYZER_PNPM_PATH, pathToPnpm);

        // use global maven proxy if provided and system properties are not set
        final Proxy mavenProxyHttp = getMavenProxy(PROTOCOL_HTTP);
        final Proxy mavenProxyHttps = getMavenProxy(PROTOCOL_HTTPS);
        String httpsNonProxyHosts = null;
        String httpNonProxyHosts = null;
        boolean proxySetFromMavenSettings = false;
        if (mavenProxyHttps != null || mavenProxyHttp != null) {
            final String existingHttps = StringUtils.trimToNull(System.getProperty("https.proxyHost"));
            if (existingHttps == null) {
                proxySetFromMavenSettings = true;
                if (mavenProxyHttps != null) {
                    setProxyServerSysPropsFromMavenProxy(mavenProxyHttps, PROTOCOL_HTTPS);
                    if (mavenProxyHttps.getNonProxyHosts() != null && !mavenProxyHttps.getNonProxyHosts().isEmpty()) {
                        httpsNonProxyHosts = mavenProxyHttps.getNonProxyHosts();
                } else {
                    setProxyServerSysPropsFromMavenProxy(mavenProxyHttp, PROTOCOL_HTTPS);
                    httpsNonProxyHosts = mavenProxyHttp.getNonProxyHosts();
            final String existingHttp = StringUtils.trimToNull(System.getProperty("http.proxyHost"));
            if (mavenProxyHttp != null && existingHttp == null) {
                proxySetFromMavenSettings = true;
                setProxyServerSysPropsFromMavenProxy(mavenProxyHttp, PROTOCOL_HTTP);
                httpNonProxyHosts = mavenProxyHttp.getNonProxyHosts();
            if (proxySetFromMavenSettings) {
                final String existingNonProxyHosts = System.getProperty("http.nonProxyHosts");
                System.setProperty("http.nonProxyHosts", mergeNonProxyHosts(existingNonProxyHosts, httpNonProxyHosts, httpsNonProxyHosts));
        } else if (this.proxy != null && this.proxy.getHost() != null) {
            // or use configured <proxy>
            settings.setString(Settings.KEYS.PROXY_SERVER, this.proxy.getHost());
            settings.setString(Settings.KEYS.PROXY_PORT, Integer.toString(this.proxy.getPort()));
            // user name and password from <server> entry settings.xml
            configureServerCredentials(this.proxy.getServerId(), Settings.KEYS.PROXY_USERNAME, Settings.KEYS.PROXY_PASSWORD);

        final String[] suppressions = determineSuppressions();
        settings.setArrayIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressions);
        settings.setBooleanIfNotNull(Settings.KEYS.UPDATE_VERSION_CHECK_ENABLED, versionCheckEnabled);
        settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
        settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_READ_TIMEOUT, readTimeout);
        settings.setStringIfNotEmpty(Settings.KEYS.HINTS_FILE, hintsFile);
        settings.setFloat(Settings.KEYS.JUNIT_FAIL_ON_CVSS, junitFailOnCVSS);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUGETCONF_ENABLED, nugetconfAnalyzerEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_LIBMAN_ENABLED, libmanAnalyzerEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_USE_CACHE, centralAnalyzerUseCache);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_ENABLED, artifactoryAnalyzerEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, assemblyAnalyzerEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_MSBUILD_PROJECT_ENABLED, msbuildAnalyzerEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, archiveAnalyzerEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_KNOWN_EXPLOITED_ENABLED, knownExploitedEnabled);
        settings.setStringIfNotEmpty(Settings.KEYS.KEV_URL, knownExploitedUrl);
        try {
            configureCredentials(knownExploitedServerId, knownExploitedUser, knownExploitedPassword, knownExploitedBearerToken,
                    Settings.KEYS.KEV_USER, Settings.KEYS.KEV_PASSWORD, Settings.KEYS.KEV_BEARER_TOKEN);
        } catch (InitializationException ex) {
            if (this.failOnError) {
                throw new MojoFailureException("Invalid plugin configuration specified for Known Exploited data feed authentication", ex);
            } else {
                throw new MojoExecutionException("Invalid plugin configuration specified for Known Exploited data feed authentication", ex);
        settings.setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
        settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_DOTNET_PATH, pathToCore);
        settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
        configureServerCredentials(nexusServerId, Settings.KEYS.ANALYZER_NEXUS_USER, Settings.KEYS.ANALYZER_NEXUS_PASSWORD);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
        settings.setStringIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_URL, artifactoryAnalyzerUrl);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_USES_PROXY, artifactoryAnalyzerUseProxy);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_PARALLEL_ANALYSIS, artifactoryAnalyzerParallelAnalysis);
        settings.setBooleanIfNotNull(Settings.KEYS.FAIL_ON_UNUSED_SUPPRESSION_RULE, failBuildOnUnusedSuppressionRule);
        if (Boolean.TRUE.equals(artifactoryAnalyzerEnabled)) {
            if (artifactoryAnalyzerServerId != null) {
                configureServerCredentials(artifactoryAnalyzerServerId, Settings.KEYS.ANALYZER_ARTIFACTORY_API_USERNAME,
            } else {
                settings.setStringIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_API_USERNAME, artifactoryAnalyzerUsername);
                settings.setStringIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_API_TOKEN, artifactoryAnalyzerApiToken);
            settings.setStringIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_BEARER_TOKEN, artifactoryAnalyzerBearerToken);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, pyDistributionAnalyzerEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, pyPackageAnalyzerEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, rubygemsAnalyzerEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, opensslAnalyzerEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CMAKE_ENABLED, cmakeAnalyzerEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_MAVEN_INSTALL_ENABLED, mavenInstallAnalyzerEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PIP_ENABLED, pipAnalyzerEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PIPFILE_ENABLED, pipfileAnalyzerEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_POETRY_ENABLED, poetryAnalyzerEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_SKIP_DEV, composerAnalyzerSkipDev);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CPANFILE_ENABLED, cpanfileAnalyzerEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED, nodeAuditAnalyzerEnabled);
        settings.setStringIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_URL, nodeAuditAnalyzerUrl);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_USE_CACHE, nodeAuditAnalyzerUseCache);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_SKIPDEV, nodePackageSkipDevDependencies);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_SKIPDEV, nodeAuditSkipDevDependencies);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_YARN_AUDIT_ENABLED, yarnAuditAnalyzerEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PNPM_AUDIT_ENABLED, pnpmAuditAnalyzerEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_ENABLED, retireJsAnalyzerEnabled);
        settings.setStringIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_REPO_JS_URL, retireJsUrl);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_FORCEUPDATE, retireJsForceUpdate);

        try {
            configureCredentials(retireJsUrlServerId, retireJsUser, retireJsPassword, retireJsBearerToken,
        } catch (InitializationException ex) {
            if (this.failOnError) {
                throw new MojoFailureException("Invalid plugin configuration specified for retireJsUrl authentication", ex);
            } else {
                throw new MojoExecutionException("Invalid plugin configuration specified for retireJsUrl authentication", ex);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_MIX_AUDIT_ENABLED, mixAuditAnalyzerEnabled);
        settings.setStringIfNotNull(Settings.KEYS.ANALYZER_MIX_AUDIT_PATH, mixAuditPath);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, bundleAuditAnalyzerEnabled);
        settings.setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, bundleAuditPath);
        settings.setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_WORKING_DIRECTORY, bundleAuditWorkingDirectory);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COCOAPODS_ENABLED, cocoapodsAnalyzerEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CARTHAGE_ENABLED, carthageAnalyzerEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED, swiftPackageManagerAnalyzerEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_RESOLVED_ENABLED, swiftPackageResolvedAnalyzerEnabled);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_ENABLED, ossindexAnalyzerEnabled);
        settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_URL, ossindexAnalyzerUrl);
        configureServerCredentials(ossIndexServerId, Settings.KEYS.ANALYZER_OSSINDEX_USER, Settings.KEYS.ANALYZER_OSSINDEX_PASSWORD);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_USE_CACHE, ossindexAnalyzerUseCache);
        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, ossIndexWarnOnlyOnRemoteErrors);
        if (retirejs != null) {
            settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_FILTER_NON_VULNERABLE, retirejs.getFilterNonVulnerable());
            settings.setArrayIfNotEmpty(Settings.KEYS.ANALYZER_RETIREJS_FILTERS, retirejs.getFilters());
        //Database configuration
        settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
        settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
        settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
        if (databaseUser == null && databasePassword == null && serverId != null) {
            configureServerCredentials(serverId, Settings.KEYS.DB_USER, Settings.KEYS.DB_PASSWORD);
        } else {
            settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
            settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
        settings.setStringIfNotEmpty(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
        settings.setStringIfNotEmpty(Settings.KEYS.DB_FILE_NAME, dbFilename);
        settings.setStringIfNotNull(Settings.KEYS.NVD_API_ENDPOINT, nvdApiEndpoint);
        settings.setIntIfNotNull(Settings.KEYS.NVD_API_DELAY, nvdApiDelay);
        settings.setIntIfNotNull(Settings.KEYS.NVD_API_RESULTS_PER_PAGE, nvdApiResultsPerPage);
        settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_DATAFEED_URL, nvdDatafeedUrl);
        settings.setIntIfNotNull(Settings.KEYS.NVD_API_VALID_FOR_HOURS, nvdValidForHours);
        settings.setIntIfNotNull(Settings.KEYS.NVD_API_MAX_RETRY_COUNT, nvdMaxRetryCount);
        if (nvdApiKey == null) {
            if (nvdApiKeyEnvironmentVariable != null) {
                settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_KEY, System.getenv(nvdApiKeyEnvironmentVariable));
                getLog().debug("Using NVD API key from environment variable " + nvdApiKeyEnvironmentVariable);
            } else if (nvdApiServerId != null) {
                try {
                    configureServerCredentialsApiKey(nvdApiServerId, Settings.KEYS.NVD_API_KEY);
                } catch (InitializationException ex) {
                    if (this.failOnError) {
                        throw new MojoFailureException("Invalid plugin configuration specified for NVD API authentication", ex);
                    } else {
                        throw new MojoExecutionException("Invalid plugin configuration specified for NVD API authentication", ex);
                getLog().debug("Using NVD API key from server's password with id " + nvdApiServerId + " in settings.xml");
        } else {
            settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_KEY, nvdApiKey);
        try {
            configureCredentials(nvdDatafeedServerId, nvdUser, nvdPassword, nvdBearerToken,
        } catch (InitializationException ex) {
            if (this.failOnError) {
                throw new MojoFailureException("Invalid plugin configuration specified for NVD Datafeed authentication", ex);
            } else {
                throw new MojoExecutionException("Invalid plugin configuration specified for NVD Datafeed authentication", ex);
        settings.setBooleanIfNotNull(Settings.KEYS.PRETTY_PRINT, prettyPrint);
        artifactScopeExcluded = new ArtifactScopeExcluded(skipTestScope, skipProvidedScope, skipSystemScope, skipRuntimeScope);
        artifactTypeExcluded = new ArtifactTypeExcluded(skipArtifactType);
        try {
            configureCredentials(suppressionFileServerId, suppressionFileUser, suppressionFilePassword, suppressionFileBearerToken,
        } catch (InitializationException ex) {
            if (this.failOnError) {
                throw new MojoFailureException("Invalid plugin configuration specified for suppression file authentication", ex);
            } else {
                throw new MojoExecutionException("Invalid plugin configuration specified for suppression file authentication", ex);

        settings.setIntIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_VALID_FOR_HOURS, hostedSuppressionsValidForHours);
        settings.setStringIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_URL, hostedSuppressionsUrl);
        settings.setBooleanIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_FORCEUPDATE, hostedSuppressionsForceUpdate);
        settings.setBooleanIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_ENABLED, hostedSuppressionsEnabled);
        try {
            configureCredentials(hostedSuppressionsServerId, hostedSuppressionsUser, hostedSuppressionsPassword, hostedSuppressionsBearerToken,
        } catch (InitializationException ex) {
            if (this.failOnError) {
                throw new MojoFailureException("Invalid plugin configuration specified for hostedSuppressions authentication", ex);
            } else {
                throw new MojoExecutionException("Invalid plugin configuration specified for hostedSuppressions authentication", ex);
     * Configure the credentials in the settings for a certain connection.<br/>
     * <p>
     * When a serverId is given, then its values are used instead of the less secure direct values.<br />
     * A serverId with username/password will fill the `userKey` and `passwordKey` settings for Basic Auth. A serverId with only password
     * filled will fill the `tokenKey` fro Bearer Auth.<br/>
     * In absence of the serverId any non-null value will be transferred to the settings.
     * @param serverId      The serverId specified for the connection or {@code null}
     * @param usernameValue The username specified for the connection or {@code null}
     * @param passwordValue The password specified for the connection or {@code null}
     * @param tokenValue    The token specified for the connection or {@code null}
     * @param userKey       The settings key that configures the user or {@code null} when Basic auth is not configurable for the connection
     * @param passwordKey   The settings key that configures the password or {@code null} when Basic auth is not configurable for the connection
     * @param tokenKey      The settings key that configures the token or {@code null} when Bearer auth is not configurable for the connection
     * @throws InitializationException When both serverId and at least one other property value are filled.
    private void configureCredentials(String serverId, String usernameValue, String passwordValue, String tokenValue,
                                      String userKey, String passwordKey, String tokenKey) throws InitializationException {
        if (serverId != null) {
            if (usernameValue != null || passwordValue != null || tokenValue != null) {
                throw new InitializationException(
                        "Username/password/token configurations should be left out when a serverId (" + serverId + ") is configured");
            final Server server = settingsXml.getServer(serverId);
            if (server != null) {
                configureFromServer(server, userKey, passwordKey, tokenKey, serverId);
            } else {
                getLog().error(String.format("Server '%s' not found in the settings.xml file", serverId));
        } else {
            settings.setStringIfNotEmpty(userKey, usernameValue);
            settings.setStringIfNotEmpty(passwordKey, passwordValue);
            settings.setStringIfNotEmpty(tokenKey, tokenValue);

     * Configure the credentials in the settings for a certain connection from a settings Server object.<br/>
     * <p>
     * A serverId with username/password will fill the `userKey` and `passwordKey` settings for Basic Auth.<br/>
     * A serverId with only password filled will fill the `tokenKey` fro Bearer Auth.<br/>
     * @param server        The server entry from the settings to configure authentication
     * @param userKey       The settings key that configures the user or {@code null} when Basic auth is not configurable for the connection
     * @param passwordKey   The settings key that configures the password or {@code null} when Basic auth is not configurable for the connection
     * @param tokenKey      The settings key that configures the token or {@code null} when Bearer auth is not configurable for the connection
     * @param serverId      The serverId specified for the connection or {@code null}
     * @throws InitializationException When both serverId and at least one other property value are filled.
    private void configureFromServer(Server server, String userKey, String passwordKey, String tokenKey, String serverId) throws InitializationException {
        final SettingsDecryptionResult result = settingsDecrypter.decrypt(new DefaultSettingsDecryptionRequest(server));
        final String username = server.getUsername();
        final String password;
        if (result.getProblems().isEmpty()) {
            password = result.getServer().getPassword();
        } else {
            logProblems(result.getProblems(), "server setting for " + serverId);
            getLog().debug("Using raw password from settings.xml for server " + serverId);
            password = server.getPassword();
        if (username != null) {
            if (userKey != null && passwordKey != null) {
                settings.setStringIfNotEmpty(userKey, username);
                settings.setStringIfNotEmpty(passwordKey, password);
            } else {
                getLog().warn("Basic type server authentication encountered in serverId " + serverId + ", but only Bearer authentication is "
                        + "supported for the resource. For Bearer authentication tokens you should leave out the username in the server-entry in"
                        + " settings.xml");
                settings.setStringIfNotEmpty(tokenKey, password);
        } else {
            if (tokenKey != null) {
                settings.setStringIfNotEmpty(tokenKey, password);
            } else {
                throw new InitializationException(
                        "Bearer type server authentication encountered in serverId " + serverId + ", but only Basic authentication is supported for "
                                + "the  resource. Looks like the username was forgotten to be added in the server-entry in settings.xml");

    private String mergeNonProxyHosts(String existingNonProxyHosts, String httpNonProxyHosts, String httpsNonProxyHosts) {
        final HashSet<String> mergedNonProxyHosts = new HashSet<>();
        return String.join("|", mergedNonProxyHosts);

    private void setProxyServerSysPropsFromMavenProxy(Proxy mavenProxy, String protocol) {
        System.setProperty(protocol + ".proxyHost", mavenProxy.getHost());
        if (mavenProxy.getPort() > 0) {
            System.setProperty(protocol + ".proxyPort", String.valueOf(mavenProxy.getPort()));
        if (mavenProxy.getUsername() != null && !mavenProxy.getUsername().isEmpty()) {
            System.setProperty(protocol + ".proxyUser", mavenProxy.getUsername());
        final SettingsDecryptionResult result = settingsDecrypter.decrypt(new DefaultSettingsDecryptionRequest(mavenProxy));
        final String password;
        if (result.getProblems().isEmpty()) {
            password = result.getProxy().getPassword();
        } else {
            logProblems(result.getProblems(), "proxy settings for " + mavenProxy.getId());
            getLog().debug("Using raw password from settings.xml for proxy " + mavenProxy.getId());
            password = mavenProxy.getPassword();
        if (password != null && !password.isEmpty()) {
            System.setProperty(protocol + ".proxyPassword", password);

     * Retrieves the server credentials from the settings.xml, decrypts the
     * password, and places the values into the settings under the given key
     * names.
     * @param serverId the server id
     * @param userSettingKey the property name for the username
     * @param passwordSettingKey the property name for the password
    private void configureServerCredentials(String serverId, String userSettingKey, String passwordSettingKey) throws MojoFailureException, MojoExecutionException {
        try {
            configureCredentials(serverId, null, null, null, userSettingKey, passwordSettingKey, null);
        } catch (InitializationException ex) {
            if (this.failOnError) {
                throw new MojoFailureException(String.format("Error setting credentials (%s, %s) from serverId %s", userSettingKey, passwordSettingKey, serverId), ex);
            } else {
                throw new MojoExecutionException(String.format("Error setting credentials (%s, %s) from serverId %s", userSettingKey, passwordSettingKey, serverId), ex);

     * Retrieves the server credentials from the settings.xml, decrypts the
     * password, and places the values into the settings under the given key
     * names. This is used to retrieve an encrypted password as an API key.
     * @param serverId the server id
     * @param apiKeySetting the property name for the API key
    private void configureServerCredentialsApiKey(String serverId, String apiKeySetting) throws InitializationException {
        configureCredentials(serverId, null, null, null, null, null, apiKeySetting);

     * Logs the problems encountered during settings decryption of a {@code <}server>} or {@code <proxy>} config
     * from the maven settings.<br/>
     * Logs a generic message about decryption problems at WARN level. If debug logging is enabled a additional message is logged at DEBUG level
     * detailing all the encountered problems and their underlying exceptions.
     * @param problems The problems as reported by the settingsDecrypter.
     * @param credentialDesc an identification of what was attempted to be decrypted
    private void logProblems(List<SettingsProblem> problems, String credentialDesc) {
        final String message = "Problems while decrypting " + credentialDesc;
        if (getLog().isDebugEnabled()) {
            final StringBuilder dbgMessage = new StringBuilder("Problems while decrypting ").append(credentialDesc).append(": ");
            boolean first = true;
            for (SettingsProblem problem : problems) {
                dbgMessage.append(first ? "" : ", ").append(problem.getMessage());
                dbgMessage.append("caused by ").append(problem.getException());
                first = false;

     * Combines the configured suppressionFile and suppressionFiles into a
     * single array.
     * @return an array of suppression file paths
    private String[] determineSuppressions() {
        String[] suppressions = suppressionFiles;
        if (suppressionFile != null) {
            if (suppressions == null) {
                suppressions = new String[]{suppressionFile};
            } else {
                suppressions = Arrays.copyOf(suppressions, suppressions.length + 1);
                suppressions[suppressions.length - 1] = suppressionFile;
        return suppressions;

     * Hacky method of muting the noisy logging from JCS
    private void muteNoisyLoggers() {
        System.setProperty("jcs.logSystem", "slf4j");
        if (!getLog().isDebugEnabled()) {

        final String[] noisyLoggers = {
        for (String loggerName : noisyLoggers) {
            System.setProperty("org.slf4j.simpleLogger.log." + loggerName, "error");

     * Returns the maven proxy.
     * @param protocol The protocol of the target URL.
     * @return the maven proxy configured for that protocol
    private Proxy getMavenProxy(String protocol) {
        if (mavenSettings != null) {
            final List<Proxy> proxies = mavenSettings.getProxies();
            if (proxies != null && !proxies.isEmpty()) {
                if (mavenSettingsProxyId != null) {
                    for (Proxy proxy : proxies) {
                        if (mavenSettingsProxyId.equalsIgnoreCase(proxy.getId())) {
                            return proxy;
                } else {
                    for (Proxy aProxy : proxies) {
                        if (aProxy.isActive() && aProxy.getProtocol().equals(protocol)) {
                            return aProxy;
        return null;

     * Returns a reference to the current project. This method is used instead
     * of auto-binding the project via component annotation in concrete
     * implementations of this. If the child has a
     * <code>@Component MavenProject project;</code> defined then the abstract
     * class (i.e. this class) will not have access to the current project (just
     * the way Maven works with the binding).
     * @return returns a reference to the current project
    protected MavenProject getProject() {
        return project;

     * Returns the list of Maven Projects in this build.
     * @return the list of Maven Projects in this build
    protected List<MavenProject> getReactorProjects() {
        return reactorProjects;

     * Combines the format and formats properties into a single collection.
     * @return the selected report formats
    private Set<String> getFormats() {
        final Set<String> invalid = new HashSet<>();
        final Set<String> selectedFormats = formats == null || formats.length == 0 ? new HashSet<>() : new HashSet<>(Arrays.asList(formats));
        selectedFormats.forEach((s) -> {
            try {
            } catch (IllegalArgumentException ex) {
        invalid.forEach((s) -> getLog().warn("Invalid report format specified: " + s));
        if (selectedFormats.contains("true")) {
        if (format != null && selectedFormats.isEmpty()) {
        return selectedFormats;

     * Returns the list of excluded artifacts based on either artifact id or
     * group id and artifact id.
     * @return a list of artifact to exclude
    public List<String> getExcludes() {
        if (excludes == null) {
            excludes = new ArrayList<>();
        return excludes;

     * Returns the artifact scope excluded filter.
     * @return the artifact scope excluded filter
    protected Filter<String> getArtifactScopeExcluded() {
        return artifactScopeExcluded;

     * Returns the configured settings.
     * @return the configured settings
    protected Settings getSettings() {
        return settings;

     * Checks to see if a vulnerability has been identified with a CVSS score
     * that is above the threshold set in the configuration.
     * @param dependencies the list of dependency objects
     * @throws MojoFailureException thrown if a CVSS score is found that is
     * higher than the threshold set
    protected void checkForFailure(Dependency[] dependencies) throws MojoFailureException {
        final StringBuilder ids = new StringBuilder();
        for (Dependency d : dependencies) {
            boolean addName = true;
            for (Vulnerability v : d.getVulnerabilities()) {
                final Double cvssV2 = v.getCvssV2() != null && v.getCvssV2().getCvssData() != null && v.getCvssV2().getCvssData().getBaseScore() != null ? v.getCvssV2().getCvssData().getBaseScore() : -1;
                final Double cvssV3 = v.getCvssV3() != null && v.getCvssV3().getCvssData() != null && v.getCvssV3().getCvssData().getBaseScore() != null ? v.getCvssV3().getCvssData().getBaseScore() : -1;
                final Double cvssV4 = v.getCvssV4() != null && v.getCvssV4().getCvssData() != null && v.getCvssV4().getCvssData().getBaseScore() != null ? v.getCvssV4().getCvssData().getBaseScore() : -1;
                final Double unscoredCvss = v.getUnscoredSeverity() != null ? SeverityUtil.estimateCvssV2(v.getUnscoredSeverity()) : -1;

                if (failBuildOnAnyVulnerability || cvssV2 >= failBuildOnCVSS
                        || cvssV3 >= failBuildOnCVSS
                        || cvssV4 >= failBuildOnCVSS
                        || unscoredCvss >= failBuildOnCVSS
                        //safety net to fail on any if for some reason the above misses on 0
                        || (failBuildOnCVSS <= 0.0)) {
                    String name = v.getName();
                    if (cvssV4 >= 0.0) {
                        name += "(" + cvssV4 + ")";
                    } else if (cvssV3 >= 0.0) {
                        name += "(" + cvssV3 + ")";
                    } else if (cvssV2 >= 0.0) {
                        name += "(" + cvssV2 + ")";
                    } else if (unscoredCvss >= 0.0) {
                        name += "(" + unscoredCvss + ")";
                    if (addName) {
                        addName = false;
                        ids.append(NEW_LINE).append(d.getFileName()).append(" (")
                           .append(Stream.concat(d.getSoftwareIdentifiers().stream(), d.getVulnerableSoftwareIdentifiers().stream())
                                         .collect(Collectors.joining(", ")))
                           .append("): ")
                    } else {
                        ids.append(", ").append(name);
        if (ids.length() > 0) {
            final String msg;
            if (showSummary) {
                if (failBuildOnAnyVulnerability) {
                    msg = String.format("%n%nOne or more dependencies were identified with vulnerabilities: %n%s%n%n"
                            + "See the dependency-check report for more details.%n%n", ids);
                } else {
                    msg = String.format("%n%nOne or more dependencies were identified with vulnerabilities that have a CVSS score greater than or "
                            + "equal to '%.1f': %n%s%n%nSee the dependency-check report for more details.%n%n", failBuildOnCVSS, ids);
            } else {
                msg = String.format("%n%nOne or more dependencies were identified with vulnerabilities.%n%n"
                        + "See the dependency-check report for more details.%n%n");
            throw new MojoFailureException(msg);

     * Generates a warning message listing a summary of dependencies and their
     * associated CPE and CVE entries.
     * @param mp the Maven project for which the summary is shown
     * @param dependencies a list of dependency objects
    protected void showSummary(MavenProject mp, Dependency[] dependencies) {
        if (showSummary) {
            DependencyCheckScanAgent.showSummary(mp.getName(), dependencies);

    private ExceptionCollection scanDependencyNode(DependencyNode dependencyNode, DependencyNode root,
            Engine engine, MavenProject project, List<ArtifactResult> allResolvedDeps,
            ProjectBuildingRequest buildingRequest, boolean aggregate, ExceptionCollection exceptionCollection) {
        ExceptionCollection exCol = exceptionCollection;
        if (artifactScopeExcluded.passes(dependencyNode.getArtifact().getScope())
                || artifactTypeExcluded.passes(dependencyNode.getArtifact().getType())) {
            return exCol;

        boolean isResolved = false;
        File artifactFile = null;
        String artifactId = null;
        String groupId = null;
        String version = null;
        List<ArtifactVersion> availableVersions = null;
        if (org.apache.maven.artifact.Artifact.SCOPE_SYSTEM.equals(dependencyNode.getArtifact().getScope())) {
            final Artifact a = dependencyNode.getArtifact();
            if (a.isResolved() && a.getFile().isFile()) {
                artifactFile = a.getFile();
                isResolved = artifactFile.isFile();
                groupId = a.getGroupId();
                artifactId = a.getArtifactId();
                version = a.getVersion();
                availableVersions = a.getAvailableVersions();
            } else {
                for (org.apache.maven.model.Dependency d : project.getDependencies()) {
                    if (d.getSystemPath() != null && artifactsMatch(d, a)) {
                        artifactFile = new File(d.getSystemPath());
                        isResolved = artifactFile.isFile();
                        groupId = a.getGroupId();
                        artifactId = a.getArtifactId();
                        version = a.getVersion();
                        availableVersions = a.getAvailableVersions();
            Throwable ignored = null;
            if (!isResolved) {
                // Issue #4969 Tycho appears to add System-scoped libraries in reactor projects in unresolved state
                // so attempt to do a resolution for system-scoped too if still nothing found
                try {
                    tryResolutionOnce(project, allResolvedDeps, buildingRequest);
                    final Artifact result = findInAllDeps(allResolvedDeps, dependencyNode.getArtifact(), project);
                    isResolved = result.isResolved();
                    artifactFile = result.getFile();
                    groupId = result.getGroupId();
                    artifactId = result.getArtifactId();
                    version = result.getVersion();
                    availableVersions = result.getAvailableVersions();
                } catch (DependencyNotFoundException | DependencyResolverException e) {
                    getLog().warn("Error performing last-resort System-scoped dependency resolution: " + e.getMessage());
                    ignored = e;
            if (!isResolved) {
                final StringBuilder message = new StringBuilder("Unable to resolve system scoped dependency: ");
                if (artifactFile != null) {
                    message.append(dependencyNode.toNodeString()).append(" at path ").append(artifactFile);
                } else {
                    message.append(dependencyNode.toNodeString()).append(" at path ").append(a.getFile());
                if (exCol == null) {
                    exCol = new ExceptionCollection();
                final Exception thrown = new DependencyNotFoundException(message.toString());
                if (ignored != null) {
        } else {
            final Artifact dependencyArtifact = dependencyNode.getArtifact();
            final Artifact result;
            if (dependencyArtifact.isResolved()) {
                //All transitive dependencies, excluding reactor and dependencyManagement artifacts should
                //have been resolved by Maven prior to invoking the plugin - resolving the dependencies
                //manually is unnecessary, and does not work in some cases (issue-1751)
                getLog().debug(String.format("Skipping artifact %s, already resolved", dependencyArtifact.getArtifactId()));
                result = dependencyArtifact;
            } else {
                try {
                    tryResolutionOnce(project, allResolvedDeps, buildingRequest);
                    result = findInAllDeps(allResolvedDeps, dependencyNode.getArtifact(), project);
                } catch (DependencyNotFoundException | DependencyResolverException ex) {
                    getLog().debug(String.format("Aggregate : %s", aggregate));
                    boolean addException = true;
                    if (!aggregate) {
                        // do nothing - the exception is to be reported
                    } else if (addReactorDependency(engine, dependencyNode.getArtifact(), project)) {
                        // successfully resolved as a reactor dependency - swallow the exception
                        addException = false;
                    if (addException) {
                        if (exCol == null) {
                            exCol = new ExceptionCollection();
                    return exCol;
            if (aggregate && virtualSnapshotsFromReactor
                    && dependencyNode.getArtifact().isSnapshot()
                    && addSnapshotReactorDependency(engine, dependencyNode.getArtifact(), project)) {
                return exCol;
            isResolved = result.isResolved();
            artifactFile = result.getFile();
            groupId = result.getGroupId();
            artifactId = result.getArtifactId();
            version = result.getVersion();
            availableVersions = result.getAvailableVersions();
        if (isResolved && artifactFile != null) {
            final List<Dependency> deps = engine.scan(artifactFile.getAbsoluteFile(),
                    createProjectReferenceName(project, dependencyNode));
            if (deps != null) {
                processResolvedArtifact(artifactFile, deps, groupId, artifactId, version, root, project, availableVersions, dependencyNode);
            } else if ("import".equals(dependencyNode.getArtifact().getScope())) {
                final String msg = String.format("Skipping '%s:%s' in project %s as it uses an `import` scope",
                        dependencyNode.getArtifact().getId(), dependencyNode.getArtifact().getScope(), project.getName());
            } else if ("pom".equals(dependencyNode.getArtifact().getType())) {
                exCol = processPomArtifact(artifactFile, root, project, engine, exCol);
            } else {
                if (!scannedFiles.contains(artifactFile)) {
                    final String msg = String.format("No analyzer could be found or the artifact has been scanned twice for '%s:%s' in project %s",
                            dependencyNode.getArtifact().getId(), dependencyNode.getArtifact().getScope(), project.getName());
        } else {
            final String msg = String.format("Unable to resolve '%s' in project %s",
                    dependencyNode.getArtifact().getId(), project.getName());
            if (exCol == null) {
                exCol = new ExceptionCollection();
        return exCol;

     * Try resolution of artifacts once, allowing for
     * DependencyResolutionException due to reactor-dependencies not being
     * resolvable.
     * <br>
     * The resolution is attempted only if allResolvedDeps is still empty. The
     * assumption is that for any given project at least one of the dependencies
     * will successfully resolve. If not, resolution will be attempted once for
     * every dependency (as allResolvedDeps remains empty).
     * @param project The project to dependencies for
     * @param allResolvedDeps The collection of successfully resolved
     * dependencies, will be filled with the successfully resolved dependencies,
     * even in case of resolution failures.
     * @param buildingRequest The buildingRequest to hand to Maven's
     * DependencyResolver.
     * @throws DependencyResolverException For any DependencyResolverException
     * other than an Eclipse Aether DependencyResolutionException
    private void tryResolutionOnce(MavenProject project, List<ArtifactResult> allResolvedDeps, ProjectBuildingRequest buildingRequest) throws DependencyResolverException {
        if (allResolvedDeps.isEmpty()) { // no (partially successful) resolution attempt done
            try {
                final List<org.apache.maven.model.Dependency> dependencies = project.getDependencies();
                final List<org.apache.maven.model.Dependency> managedDependencies = project
                        .getDependencyManagement() == null ? null : project.getDependencyManagement().getDependencies();
                final Iterable<ArtifactResult> allDeps = dependencyResolver
                        .resolveDependencies(buildingRequest, dependencies, managedDependencies, null);
            } catch (DependencyResolverException dre) {
                if (dre.getCause() instanceof org.eclipse.aether.resolution.DependencyResolutionException) {
                    final List<ArtifactResult> successResults = Mshared998Util
                            .getResolutionResults((org.eclipse.aether.resolution.DependencyResolutionException) dre.getCause());
                } else {
                    throw dre;
    //CSON: ParameterNumber

    private void processResolvedArtifact(File artifactFile, final List<Dependency> deps,
            String groupId, String artifactId, String version, DependencyNode root,
            MavenProject project1, List<ArtifactVersion> availableVersions,
            DependencyNode dependencyNode) {
        Dependency d = null;
        if (deps.size() == 1) {
            d = deps.get(0);

        } else {
            for (Dependency possible : deps) {
                if (artifactFile.getAbsoluteFile().equals(possible.getActualFile())) {
                    d = possible;
            for (Dependency dep : deps) {
                if (d != null && d != dep) {
                    final String includedBy = buildReference(groupId, artifactId, version);
        if (d != null) {
            final MavenArtifact ma = new MavenArtifact(groupId, artifactId, version);
            d.addAsEvidence("pom", ma, Confidence.HIGHEST);
            if (root != null) {
                final String includedby = buildReference(
            } else {
                final String includedby = buildReference(project1.getGroupId(), project1.getArtifactId(), project1.getVersion());
            if (availableVersions != null) {
                for (ArtifactVersion av : availableVersions) {
            getLog().debug(String.format("Adding project reference %s on dependency %s", project1.getName(), d.getDisplayFileName()));
        } else if (getLog().isDebugEnabled()) {
            final String msg = String.format("More than 1 dependency was identified in first pass scan of '%s' in project %s", dependencyNode.getArtifact().getId(), project1.getName());
    //CSON: ParameterNumber

    private ExceptionCollection processPomArtifact(File artifactFile, DependencyNode root,
            MavenProject project1, Engine engine, ExceptionCollection exCollection) {
        ExceptionCollection exCol = exCollection;
        try {
            final Dependency d = new Dependency(artifactFile.getAbsoluteFile());
            final Model pom = PomUtils.readPom(artifactFile.getAbsoluteFile());
            JarAnalyzer.setPomEvidence(d, pom, null, true);
            if (root != null) {
                final String includedby = buildReference(
            } else {
                final String includedby = buildReference(project1.getGroupId(), project1.getArtifactId(), project1.getVersion());
        } catch (AnalysisException ex) {
            if (exCol == null) {
                exCol = new ExceptionCollection();
            getLog().debug("Error reading pom " + artifactFile.getAbsoluteFile(), ex);
        return exCol;

