1   /*
2    * This file is part of dependency-check-maven.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.maven;
19  
20  import java.util.Locale;
21  import org.apache.maven.artifact.Artifact;
22  import org.apache.maven.plugin.MojoExecutionException;
23  import org.apache.maven.plugin.MojoFailureException;
24  import org.apache.maven.plugins.annotations.LifecyclePhase;
25  import org.apache.maven.plugins.annotations.Mojo;
26  import org.apache.maven.plugins.annotations.Parameter;
27  import org.apache.maven.plugins.annotations.ResolutionScope;
28  import org.owasp.dependencycheck.Engine;
29  import org.owasp.dependencycheck.exception.ExceptionCollection;
30  import org.owasp.dependencycheck.utils.scarf.TelemetryCollector;
31  
32  /**
33   * Maven Plugin that checks the project dependencies to see if they have any
34   * known published vulnerabilities.
35   *
36   * @author Jeremy Long
37   */
@Mojo(
        name = "check",
        defaultPhase = LifecyclePhase.VERIFY,
        threadSafe = true,
        requiresDependencyResolution = ResolutionScope.COMPILE_PLUS_RUNTIME,
        // This goal declares that it needs network access. One visible
        // consumer of that access is the telemetry call in scanDependencies();
        // any other network use happens in the engine/base mojo, not here.
        requiresOnline = true
)
public class CheckMojo extends BaseDependencyCheckMojo {

    /**
     * The name of the report in the site.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "name", defaultValue = "dependency-check", required = true)
    private String name = "dependency-check";

    /**
     * Determines whether a report can be produced for the current project.
     * <p>
     * Settings are populated first; if that fails the report is declared
     * not generatable. Otherwise the report is generatable as soon as at
     * least one project artifact has a scope that does NOT pass the
     * scope-exclusion filter returned by {@code getArtifactScopeExcluded()}.
     *
     * @return {@code true} if the report can be generated; {@code false}
     * otherwise (including when settings could not be populated)
     */
    @Override
    public boolean canGenerateReport() {
        try {
            populateSettings();
        } catch (MojoFailureException | MojoExecutionException ignored) {
            // Deliberately not propagated: a failure to populate settings
            // simply means the site report is skipped for this project.
            return false;
        }
        // Early return on the first artifact that is not filtered out; the
        // filter's own semantics live in the base mojo.
        for (final Artifact artifact : getProject().getArtifacts()) {
            if (!getArtifactScopeExcluded().passes(artifact.getScope())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the name under which the report appears in the site.
     *
     * @param locale the locale (not used; the name is not localized)
     * @return the configured report name
     */
    @Override
    public String getName(Locale locale) {
        return name;
    }

    /**
     * Returns the description shown on the Maven "Generated Reports" page.
     *
     * @param locale the locale (not used; the description is not localized)
     * @return a fixed, English description of the report
     */
    @Override
    public String getDescription(Locale locale) {
        return "Generates a report providing details on any published vulnerabilities within project dependencies. "
                + "This report is a best effort and may contain false positives and false negatives.";
    }

    /**
     * Scans the artifacts of the current project with the given engine.
     * <p>
     * Before scanning, telemetry is sent via {@code TelemetryCollector}
     * using the current settings. This is an outbound network call made
     * from the build; whether it honours an opt-out is decided inside
     * {@code TelemetryCollector}/{@code Settings}, not here.
     *
     * @param engine the engine used to perform the scanning
     * @return the collection of (non-fatal) exceptions gathered during the scan
     * @throws MojoExecutionException thrown if a fatal exception occurs
     */
    @Override
    protected ExceptionCollection scanDependencies(final Engine engine) throws MojoExecutionException {
        // NOTE(review): outbound telemetry happens before any scanning; confirm
        // in TelemetryCollector that the configured opt-out (if any) is applied.
        TelemetryCollector.send(getSettings());
        return scanArtifacts(getProject(), engine);
    }

    /**
     * Scans the build plugins of the current project with the given engine,
     * delegating to the base mojo's project-aware overload.
     *
     * @param engine the engine used to perform the scanning
     * @param exCollection the collection of exceptions that might have occurred
     * previously
     * @return the (possibly extended) collection of exceptions
     * @throws MojoExecutionException thrown if a fatal exception occurs
     */
    @Override
    protected ExceptionCollection scanPlugins(final Engine engine, final ExceptionCollection exCollection) throws MojoExecutionException {
        return scanPlugins(getProject(), engine, exCollection);
    }

}
129 }