View Javadoc
1   /*
2    * This file is part of dependency-check-ant.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.taskdefs;
19  
20  import java.io.File;
21  import java.util.ArrayList;
22  import java.util.List;
23  import java.util.stream.Collectors;
24  import java.util.stream.Stream;
25  import javax.annotation.concurrent.NotThreadSafe;
26  
27  import org.apache.tools.ant.BuildException;
28  import org.apache.tools.ant.Project;
29  import org.apache.tools.ant.types.EnumeratedAttribute;
30  import org.apache.tools.ant.types.Reference;
31  import org.apache.tools.ant.types.Resource;
32  import org.apache.tools.ant.types.ResourceCollection;
33  import org.apache.tools.ant.types.resources.FileProvider;
34  import org.apache.tools.ant.types.resources.Resources;
35  import org.owasp.dependencycheck.Engine;
36  import org.owasp.dependencycheck.agent.DependencyCheckScanAgent;
37  import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
38  import org.owasp.dependencycheck.dependency.Dependency;
39  import org.owasp.dependencycheck.dependency.Vulnerability;
40  import org.owasp.dependencycheck.dependency.naming.Identifier;
41  import org.owasp.dependencycheck.exception.ExceptionCollection;
42  import org.owasp.dependencycheck.exception.ReportException;
43  import org.owasp.dependencycheck.reporting.ReportGenerator.Format;
44  import org.owasp.dependencycheck.utils.Downloader;
45  import org.owasp.dependencycheck.utils.InvalidSettingException;
46  import org.owasp.dependencycheck.utils.Settings;
47  import org.owasp.dependencycheck.utils.SeverityUtil;
48  import org.owasp.dependencycheck.utils.scarf.TelemetryCollector;
49  import org.slf4j.impl.StaticLoggerBinder;
50  
51  //CSOFF: MethodCount
52  /**
53   * An Ant task definition to execute dependency-check during an Ant build.
54   *
55   * @author Jeremy Long
56   */
57  @NotThreadSafe
58  public class Check extends Update {
59  
60      /**
61       * System specific new line character.
62       */
63      private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();
64  
65      /**
66       * Whether the ruby gemspec analyzer should be enabled.
67       */
68      private Boolean rubygemsAnalyzerEnabled;
69      /**
70       * Whether or not the Node.js Analyzer is enabled.
71       */
72      private Boolean nodeAnalyzerEnabled;
73      /**
74       * Whether or not the Node Audit Analyzer is enabled.
75       */
76      private Boolean nodeAuditAnalyzerEnabled;
77      /**
78       * Whether or not the Yarn Audit Analyzer is enabled.
79       */
80      private Boolean yarnAuditAnalyzerEnabled;
81      /**
82       * Whether or not the Pnpm Audit Analyzer is enabled.
83       */
84      private Boolean pnpmAuditAnalyzerEnabled;
85      /**
86       * Sets whether or not the Node Audit Analyzer should use a local cache.
87       */
88      private Boolean nodeAuditAnalyzerUseCache;
89      /**
90       * Sets whether or not the Node Package Analyzer should skip dev
91       * dependencies.
92       */
93      private Boolean nodePackageSkipDevDependencies;
94      /**
95       * Sets whether or not the Node Audit Analyzer should use a local cache.
96       */
97      private Boolean nodeAuditSkipDevDependencies;
98      /**
99       * The list of filters (regular expressions) used by the RetireJS Analyzer
100      * to exclude files that contain matching content..
101      */
102     @SuppressWarnings("CanBeFinal")
103     private final List<String> retirejsFilters = new ArrayList<>();
104     /**
105      * Whether or not the RetireJS Analyzer filters non-vulnerable JS files from
106      * the report; default is false.
107      */
108     private Boolean retirejsFilterNonVulnerable;
109     /**
110      * Whether or not the Ruby Bundle Audit Analyzer is enabled.
111      */
112     private Boolean bundleAuditAnalyzerEnabled;
113     /**
114      * Whether the CMake analyzer should be enabled.
115      */
116     private Boolean cmakeAnalyzerEnabled;
117     /**
118      * Whether or not the Open SSL analyzer is enabled.
119      */
120     private Boolean opensslAnalyzerEnabled;
121     /**
122      * Whether the python package analyzer should be enabled.
123      */
124     private Boolean pyPackageAnalyzerEnabled;
125     /**
126      * Whether the python distribution analyzer should be enabled.
127      */
128     private Boolean pyDistributionAnalyzerEnabled;
129     /**
130      * Whether or not the mix audit analyzer is enabled.
131      */
132     private Boolean mixAuditAnalyzerEnabled;
133     /**
134      * Whether or not the central analyzer is enabled.
135      */
136     private Boolean centralAnalyzerEnabled;
137     /**
138      * Whether or not the Central Analyzer should use a local cache.
139      */
140     private Boolean centralAnalyzerUseCache;
141     /**
142      * Whether or not the nexus analyzer is enabled.
143      */
144     private Boolean nexusAnalyzerEnabled;
145     /**
146      * The URL of a Nexus server's REST API end point
147      * (http://domain/nexus/service/local).
148      */
149     private String nexusUrl;
150     /**
151      * The username to authenticate to the Nexus Server's REST API Endpoint.
152      */
153     private String nexusUser;
154     /**
155      * The password to authenticate to the Nexus Server's REST API Endpoint.
156      */
157     private String nexusPassword;
158     /**
159      * Whether or not the defined proxy should be used when connecting to Nexus.
160      */
161     private Boolean nexusUsesProxy;
162 
163     /**
164      * Sets whether the Golang Dependency analyzer is enabled. Default is true.
165      */
166     private Boolean golangDepEnabled;
167     /**
168      * Sets whether Golang Module Analyzer is enabled; this requires `go` to be
169      * installed. Default is true.
170      */
171     private Boolean golangModEnabled;
172     /**
173      * Sets the path to `go`.
174      */
175     private String pathToGo;
176     /**
177      * Sets whether the Dart analyzer is enabled. Default is true.
178      */
179     private Boolean dartAnalyzerEnabled;
180     /**
181      * The path to `yarn`.
182      */
183     private String pathToYarn;
184     /**
185      * The path to `pnpm`.
186      */
187     private String pathToPnpm;
188     /**
189      * Additional ZIP File extensions to add analyze. This should be a
190      * comma-separated list of file extensions to treat like ZIP files.
191      */
192     private String zipExtensions;
193     /**
194      * The path to dotnet core for .NET assembly analysis.
195      */
196     private String pathToCore;
197     /**
198      * The name of the project being analyzed.
199      */
200     private String projectName = "dependency-check";
201     /**
202      * Specifies the destination directory for the generated Dependency-Check
203      * report.
204      */
205     private String reportOutputDirectory;
206     /**
207      * If using the JUNIT report format the junitFailOnCVSS sets the CVSS score
208      * threshold that is considered a failure. The default is 0.
209      */
210     private float junitFailOnCVSS = 0;
211     /**
212      * Specifies if the build should be failed if a CVSS score above a specified
213      * level is identified. The default is 11 which means since the CVSS scores
214      * are 0-10, by default the build will never fail and the CVSS score is set
215      * to 11. The valid range for the fail build on CVSS is 0 to 11, where
216      * anything above 10 will not cause the build to fail.
217      */
218     private float failBuildOnCVSS = 11;
219     /**
220      * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not
221      * recommended that this be turned to false. Default is true.
222      */
223     private Boolean autoUpdate;
224     /**
225      * The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF,
226      * JENKINS, GITLAB, ALL). Default is HTML.
227      */
228     private String reportFormat = "HTML";
229     /**
230      * The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF,
231      * JENKINS, GITLAB, ALL). Default is HTML.
232      */
233     private final List<String> reportFormats = new ArrayList<>();
234     /**
235      * Whether the JSON and XML reports should be pretty printed; the default is
236      * false.
237      */
238     private Boolean prettyPrint = null;
239 
240     /**
241      * Suppression file paths.
242      */
243     @SuppressWarnings("CanBeFinal")
244     private final List<String> suppressionFiles = new ArrayList<>();
245 
246     /**
247      * The path to the suppression file.
248      */
249     private String hintsFile;
250     /**
251      * flag indicating whether or not to show a summary of findings.
252      */
253     private boolean showSummary = true;
254     /**
255      * Whether experimental analyzers are enabled.
256      */
257     private Boolean enableExperimental;
258     /**
259      * Whether retired analyzers are enabled.
260      */
261     private Boolean enableRetired;
262     /**
263      * Whether or not the Jar Analyzer is enabled.
264      */
265     private Boolean jarAnalyzerEnabled;
266     /**
267      * Whether or not the Archive Analyzer is enabled.
268      */
269     private Boolean archiveAnalyzerEnabled;
270     /**
271      * Whether or not the .NET Nuspec Analyzer is enabled.
272      */
273     private Boolean nuspecAnalyzerEnabled;
274     /**
275      * Whether or not the .NET Nuget packages.config file Analyzer is enabled.
276      */
277     private Boolean nugetconfAnalyzerEnabled;
278     /**
279      * Whether or not the Libman Analyzer is enabled.
280      */
281     private Boolean libmanAnalyzerEnabled;
282     /**
283      * Whether or not the PHP Composer Analyzer is enabled.
284      */
285     private Boolean composerAnalyzerEnabled;
286     /**
287      * Whether or not the PHP Composer Analyzer will skip "packages-dev".
288      */
289     private Boolean composerAnalyzerSkipDev;
290     /**
291      * Whether or not the Perl CPAN File Analyzer is enabled.
292      */
293     private Boolean cpanfileAnalyzerEnabled;
294 
295     /**
296      * Whether or not the .NET Assembly Analyzer is enabled.
297      */
298     private Boolean assemblyAnalyzerEnabled;
299     /**
300      * Whether or not the MS Build Assembly Analyzer is enabled.
301      */
302     private Boolean msbuildAnalyzerEnabled;
303     /**
304      * Whether the autoconf analyzer should be enabled.
305      */
306     private Boolean autoconfAnalyzerEnabled;
307     /**
308      * Whether the pip analyzer should be enabled.
309      */
310     private Boolean pipAnalyzerEnabled;
311     /**
312      * Whether the Maven install.json analyzer should be enabled.
313      */
314     private Boolean mavenInstallAnalyzerEnabled;
315     /**
316      * Whether the pipfile analyzer should be enabled.
317      */
318     private Boolean pipfileAnalyzerEnabled;
319     /**
320      * Whether the Poetry analyzer should be enabled.
321      */
322     private Boolean poetryAnalyzerEnabled;
323     /**
324      * Sets the path for the mix_audit binary.
325      */
326     private String mixAuditPath;
327     /**
328      * Sets the path for the bundle-audit binary.
329      */
330     private String bundleAuditPath;
331     /**
332      * Sets the path for the working directory that the bundle-audit binary
333      * should be executed from.
334      */
335     private String bundleAuditWorkingDirectory;
336     /**
337      * Whether or not the CocoaPods Analyzer is enabled.
338      */
339     private Boolean cocoapodsAnalyzerEnabled;
340     /**
341      * Whether or not the Carthage Analyzer is enabled.
342      */
343     private Boolean carthageAnalyzerEnabled;
344 
345     /**
346      * Whether or not the Swift package Analyzer is enabled.
347      */
348     private Boolean swiftPackageManagerAnalyzerEnabled;
349     /**
350      * Whether or not the Swift package Analyzer is enabled.
351      */
352     private Boolean swiftPackageResolvedAnalyzerEnabled;
353 
354     /**
355      * Whether or not the Sonatype OSS Index analyzer is enabled.
356      */
357     private Boolean ossindexAnalyzerEnabled;
358     /**
359      * Whether or not the Sonatype OSS Index analyzer should cache results.
360      */
361     private Boolean ossindexAnalyzerUseCache;
362     /**
363      * URL of the Sonatype OSS Index service.
364      */
365     private String ossindexAnalyzerUrl;
366     /**
367      * The username to use for the Sonatype OSS Index service.
368      */
369     private String ossindexAnalyzerUsername;
370     /**
371      * The password to use for the Sonatype OSS Index service.
372      */
373     private String ossindexAnalyzerPassword;
374     /**
375      * Whether we should only warn about Sonatype OSS Index remote errors
376      * instead of failing completely.
377      */
378     private Boolean ossIndexAnalyzerWarnOnlyOnRemoteErrors;
379 
380     /**
381      * Whether or not the Artifactory Analyzer is enabled.
382      */
383     private Boolean artifactoryAnalyzerEnabled;
384     /**
385      * The URL to Artifactory.
386      */
387     private String artifactoryAnalyzerUrl;
388     /**
389      * Whether or not Artifactory analysis should use the proxy..
390      */
391     private Boolean artifactoryAnalyzerUseProxy;
392     /**
393      * Whether or not Artifactory analysis should be parallelized.
394      */
395     private Boolean artifactoryAnalyzerParallelAnalysis;
396     /**
397      * The Artifactory username needed to connect.
398      */
399     private String artifactoryAnalyzerUsername;
400     /**
401      * The Artifactory API token needed to connect.
402      */
403     private String artifactoryAnalyzerApiToken;
404     /**
405      * The Artifactory bearer token.
406      */
407     private String artifactoryAnalyzerBearerToken;
408     /**
409      * Whether the version check is enabled
410      */
411     private Boolean versionCheckEnabled;
412 
413     /**
414      * whether an unused suppression rule should get force the build to fail
415      */
416     private boolean failBuildOnUnusedSuppressionRule = false;
417 
418     /**
419      * The username to download user-authored suppression files from an HTTP Basic auth protected location.
420      */
421     private String suppressionFileUser;
422     /**
423      * The password to download user-authored suppression files from an HTTP Basic auth protected location.
424      */
425     private String suppressionFilePassword;
426     /**
427      * The token to download user-authored suppression files from an HTTP Bearer auth protected location.
428      */
429     private String suppressionFileBearerToken;
430 
431     //region Code copied from org.apache.tools.ant.taskdefs.PathConvert
432     //The following code was copied Apache Ant PathConvert
433     /**
434      * Path to be converted
435      */
436     private Resources path = null;
437     /**
438      * Reference to path/file set to convert
439      */
440     private Reference refId = null;
441 
442     /**
443      * Add an arbitrary ResourceCollection.
444      *
445      * @param rc the ResourceCollection to add.
446      * @since Ant 1.7
447      */
448     public void add(ResourceCollection rc) {
449         if (isReference()) {
450             throw new BuildException("Nested elements are not allowed when using the refId attribute.");
451         }
452         getPath().add(rc);
453     }
454 
455     /**
456      * Returns the path. If the path has not been initialized yet, this class is
457      * synchronized, and will instantiate the path object.
458      *
459      * @return the path
460      */
461     private synchronized Resources getPath() {
462         if (path == null) {
463             path = new Resources(getProject());
464             path.setCache(true);
465         }
466         return path;
467     }
468 
469     /**
470      * Learn whether the refId attribute of this element been set.
471      *
472      * @return true if refId is valid.
473      */
474     public boolean isReference() {
475         return refId != null;
476     }
477 
478     /**
479      * Add a reference to a Path, FileSet, DirSet, or FileList defined
480      * elsewhere.
481      *
482      * @param r the reference to a path, fileset, dirset or filelist.
483      */
484     public synchronized void setRefId(Reference r) {
485         if (path != null) {
486             throw new BuildException("Nested elements are not allowed when using the refId attribute.");
487         }
488         refId = r;
489     }
490 
491     /**
492      * If this is a reference, this method will add the referenced resource
493      * collection to the collection of paths.
494      *
495      * @throws BuildException if the reference is not to a resource collection
496      */
497     //declaring a throw that extends runtime exception may be a bad practice
498     //but seems to be an ingrained practice within Ant as even the base `Task`
499     //contains an `execute() throws BuildExecption`.
500     @SuppressWarnings("squid:RedundantThrowsDeclarationCheck")
501     private void dealWithReferences() throws BuildException {
502         if (isReference()) {
503             final Object o = refId.getReferencedObject(getProject());
504             if (!(o instanceof ResourceCollection)) {
505                 throw new BuildException("refId '" + refId.getRefId()
506                         + "' does not refer to a resource collection.");
507             }
508             getPath().add((ResourceCollection) o);
509         }
510     }
511     //endregion COPIED from org.apache.tools.ant.taskdefs
512 
513     /**
514      * Construct a new DependencyCheckTask.
515      */
516     public Check() {
517         super();
518         // Call this before Dependency Check Core starts logging anything - this way, all SLF4J messages from
519         // core end up coming through this tasks logger
520         StaticLoggerBinder.getSingleton().setTask(this);
521     }
522 
523     /**
524      * Add a suppression file.
525      * <p>
526      * This is called by Ant with the configured {@link SuppressionFile}.
527      *
528      * @param suppressionFile the suppression file to add.
529      */
530     public void addConfiguredSuppressionFile(final SuppressionFile suppressionFile) {
531         suppressionFiles.add(resolveRelative(suppressionFile.getPath()));
532     }
533 
534     /**
535      * Add a report format.
536      * <p>
537      * This is called by Ant with the configured {@link ReportFormat}.
538      *
539      * @param reportFormat the reportFormat to add.
540      */
541     public void addConfiguredReportFormat(final ReportFormat reportFormat) {
542         reportFormats.add(reportFormat.getFormat());
543     }
544 
545     /**
546      * Sets whether the version check is enabled.
547      *
548      * @param versionCheckEnabled a Boolean indicating if the version check is
549      * enabled.
550      */
551     public void setVersionCheckEnabled(Boolean versionCheckEnabled) {
552         this.versionCheckEnabled = versionCheckEnabled;
553     }
554 
555     /**
556      * Get the value of projectName.
557      *
558      * @return the value of projectName
559      */
560     public String getProjectName() {
561         if (projectName == null) {
562             projectName = "";
563         }
564         return projectName;
565     }
566 
567     /**
568      * Set the value of projectName.
569      *
570      * @param projectName new value of projectName
571      */
572     public void setProjectName(String projectName) {
573         this.projectName = projectName;
574     }
575 
576     private String resolveRelative(String path) {
577         if (path == null) {
578             return null;
579         }
580 
581         File file = new File(path);
582         if (file.isAbsolute()) {
583             return path;
584         }
585 
586         return new File(getProject().getBaseDir(), path).getPath();
587     }
588 
589     /**
590      * Set the value of reportOutputDirectory.
591      *
592      * @param reportOutputDirectory new value of reportOutputDirectory
593      */
594     public void setReportOutputDirectory(String reportOutputDirectory) {
595         this.reportOutputDirectory = resolveRelative(reportOutputDirectory);
596     }
597 
598     /**
599      * Set the value of failBuildOnCVSS.
600      *
601      * @param failBuildOnCVSS new value of failBuildOnCVSS
602      */
603     public void setFailBuildOnCVSS(float failBuildOnCVSS) {
604         this.failBuildOnCVSS = failBuildOnCVSS;
605     }
606 
607     /**
608      * Set the value of junitFailOnCVSS.
609      *
610      * @param junitFailOnCVSS new value of junitFailOnCVSS
611      */
612     public void setJunitFailOnCVSS(float junitFailOnCVSS) {
613         this.junitFailOnCVSS = junitFailOnCVSS;
614     }
615 
616     /**
617      * Set the value of autoUpdate.
618      *
619      * @param autoUpdate new value of autoUpdate
620      */
621     public void setAutoUpdate(Boolean autoUpdate) {
622         this.autoUpdate = autoUpdate;
623     }
624 
625     /**
626      * Set the value of prettyPrint.
627      *
628      * @param prettyPrint new value of prettyPrint
629      */
630     public void setPrettyPrint(boolean prettyPrint) {
631         this.prettyPrint = prettyPrint;
632     }
633 
634     /**
635      * Set the value of reportFormat.
636      *
637      * @param reportFormat new value of reportFormat
638      */
639     public void setReportFormat(ReportFormats reportFormat) {
640         this.reportFormat = reportFormat.getValue();
641         this.reportFormats.add(this.reportFormat);
642     }
643 
644     /**
645      * Get the value of reportFormats.
646      *
647      * @return the value of reportFormats
648      */
649     public List<String> getReportFormats() {
650         if (reportFormats.isEmpty()) {
651             this.reportFormats.add(this.reportFormat);
652         }
653         return this.reportFormats;
654     }
655 
656     /**
657      * Set the value of suppressionFile.
658      *
659      * @param suppressionFile new value of suppressionFile
660      */
661     public void setSuppressionFile(String suppressionFile) {
662         suppressionFiles.add(resolveRelative(suppressionFile));
663     }
664 
665     /**
666      * Sets the username to download user-authored suppression files from an HTTP Basic auth protected location.
667      *
668      * @param suppressionFileUser The username
669      */
670     public void setSuppressionFileUser(String suppressionFileUser) {
671         this.suppressionFileUser = suppressionFileUser;
672     }
673 
674     /**
675      * Sets the password/token to download user-authored suppression files from an HTTP Basic auth protected location.
676      *
677      * @param suppressionFilePassword The password/token
678      */
679     public void setSuppressionFilePassword(String suppressionFilePassword) {
680         this.suppressionFilePassword = suppressionFilePassword;
681     }
682 
683     /**
684      * Sets the token to download user-authored suppression files from an HTTP Bearer auth protected location.
685      *
686      * @param suppressionFileBearerToken The token
687      */
688     public void setSuppressionFileBearerToken(String suppressionFileBearerToken) {
689         this.suppressionFileBearerToken = suppressionFileBearerToken;
690     }
691 
692     /**
693      * Set the value of hintsFile.
694      *
695      * @param hintsFile new value of hintsFile
696      */
697     public void setHintsFile(String hintsFile) {
698         this.hintsFile = hintsFile;
699     }
700 
701     /**
702      * Set the value of showSummary.
703      *
704      * @param showSummary new value of showSummary
705      */
706     public void setShowSummary(boolean showSummary) {
707         this.showSummary = showSummary;
708     }
709 
710     /**
711      * Set the value of enableExperimental.
712      *
713      * @param enableExperimental new value of enableExperimental
714      */
715     public void setEnableExperimental(Boolean enableExperimental) {
716         this.enableExperimental = enableExperimental;
717     }
718 
719     /**
720      * Set the value of enableRetired.
721      *
722      * @param enableRetired new value of enableRetired
723      */
724     public void setEnableRetired(Boolean enableRetired) {
725         this.enableRetired = enableRetired;
726     }
727 
728     /**
729      * Sets whether or not the analyzer is enabled.
730      *
731      * @param jarAnalyzerEnabled the value of the new setting
732      */
733     public void setJarAnalyzerEnabled(Boolean jarAnalyzerEnabled) {
734         this.jarAnalyzerEnabled = jarAnalyzerEnabled;
735     }
736 
737     /**
738      * Sets whether the analyzer is enabled.
739      *
740      * @param archiveAnalyzerEnabled the value of the new setting
741      */
742     public void setArchiveAnalyzerEnabled(Boolean archiveAnalyzerEnabled) {
743         this.archiveAnalyzerEnabled = archiveAnalyzerEnabled;
744     }
745 
746     /**
747      * Sets whether or not the analyzer is enabled.
748      *
749      * @param assemblyAnalyzerEnabled the value of the new setting
750      */
751     public void setAssemblyAnalyzerEnabled(Boolean assemblyAnalyzerEnabled) {
752         this.assemblyAnalyzerEnabled = assemblyAnalyzerEnabled;
753     }
754 
755     /**
756      * Sets whether or not the analyzer is enabled.
757      *
758      * @param msbuildAnalyzerEnabled the value of the new setting
759      */
760     public void setMSBuildAnalyzerEnabled(Boolean msbuildAnalyzerEnabled) {
761         this.msbuildAnalyzerEnabled = msbuildAnalyzerEnabled;
762     }
763 
764     /**
765      * Sets whether or not the analyzer is enabled.
766      *
767      * @param nuspecAnalyzerEnabled the value of the new setting
768      */
769     public void setNuspecAnalyzerEnabled(Boolean nuspecAnalyzerEnabled) {
770         this.nuspecAnalyzerEnabled = nuspecAnalyzerEnabled;
771     }
772 
773     /**
774      * Sets whether or not the analyzer is enabled.
775      *
776      * @param nugetconfAnalyzerEnabled the value of the new setting
777      */
778     public void setNugetconfAnalyzerEnabled(Boolean nugetconfAnalyzerEnabled) {
779         this.nugetconfAnalyzerEnabled = nugetconfAnalyzerEnabled;
780     }
781 
782     /**
783      * Sets whether or not the analyzer is enabled.
784      *
785      * @param libmanAnalyzerEnabled the value of the new setting
786      */
787     public void setLibmanAnalyzerEnabled(Boolean libmanAnalyzerEnabled) {
788         this.libmanAnalyzerEnabled = libmanAnalyzerEnabled;
789     }
790 
791     /**
792      * Set the value of composerAnalyzerEnabled.
793      *
794      * @param composerAnalyzerEnabled new value of composerAnalyzerEnabled
795      */
796     public void setComposerAnalyzerEnabled(Boolean composerAnalyzerEnabled) {
797         this.composerAnalyzerEnabled = composerAnalyzerEnabled;
798     }
799 
800     /**
801      * Set the value of composerAnalyzerSkipDev.
802      *
803      * @param composerAnalyzerSkipDev new value of composerAnalyzerSkipDev
804      */
805     public void setComposerAnalyzerSkipDev(Boolean composerAnalyzerSkipDev) {
806         this.composerAnalyzerSkipDev = composerAnalyzerSkipDev;
807     }
808 
809     /**
810      * Set the value of cpanfileAnalyzerEnabled.
811      *
812      * @param cpanfileAnalyzerEnabled new value of cpanfileAnalyzerEnabled
813      */
814     public void setCpanfileAnalyzerEnabled(Boolean cpanfileAnalyzerEnabled) {
815         this.cpanfileAnalyzerEnabled = cpanfileAnalyzerEnabled;
816     }
817 
818     /**
819      * Set the value of autoconfAnalyzerEnabled.
820      *
821      * @param autoconfAnalyzerEnabled new value of autoconfAnalyzerEnabled
822      */
823     public void setAutoconfAnalyzerEnabled(Boolean autoconfAnalyzerEnabled) {
824         this.autoconfAnalyzerEnabled = autoconfAnalyzerEnabled;
825     }
826 
827     /**
828      * Set the value of pipAnalyzerEnabled.
829      *
830      * @param pipAnalyzerEnabled new value of pipAnalyzerEnabled
831      */
832     public void setPipAnalyzerEnabled(Boolean pipAnalyzerEnabled) {
833         this.pipAnalyzerEnabled = pipAnalyzerEnabled;
834     }
835 
836     /**
837      * Set the value of pipfileAnalyzerEnabled.
838      *
839      * @param pipfileAnalyzerEnabled new value of pipfileAnalyzerEnabled
840      */
841     public void setPipfileAnalyzerEnabled(Boolean pipfileAnalyzerEnabled) {
842         this.pipfileAnalyzerEnabled = pipfileAnalyzerEnabled;
843     }
844 
845     /**
846      * Set the value of poetryAnalyzerEnabled.
847      *
848      * @param poetryAnalyzerEnabled new value of poetryAnalyzerEnabled
849      */
850     public void setPoetryAnalyzerEnabled(Boolean poetryAnalyzerEnabled) {
851         this.poetryAnalyzerEnabled = poetryAnalyzerEnabled;
852     }
853 
854     /**
855      * Sets if the Bundle Audit Analyzer is enabled.
856      *
857      * @param bundleAuditAnalyzerEnabled whether or not the analyzer should be
858      * enabled
859      */
860     public void setBundleAuditAnalyzerEnabled(Boolean bundleAuditAnalyzerEnabled) {
861         this.bundleAuditAnalyzerEnabled = bundleAuditAnalyzerEnabled;
862     }
863 
864     /**
865      * Sets the path to the bundle audit executable.
866      *
867      * @param bundleAuditPath the path to the bundle audit executable
868      */
869     public void setBundleAuditPath(String bundleAuditPath) {
870         this.bundleAuditPath = bundleAuditPath;
871     }
872 
873     /**
874      * Sets the path to the working directory that the bundle audit executable
875      * should be executed from.
876      *
877      * @param bundleAuditWorkingDirectory the path to the working directory that
878      * the bundle audit executable should be executed from.
879      */
880     public void setBundleAuditWorkingDirectory(String bundleAuditWorkingDirectory) {
881         this.bundleAuditWorkingDirectory = bundleAuditWorkingDirectory;
882     }
883 
884     /**
885      * Sets whether or not the cocoapods analyzer is enabled.
886      *
887      * @param cocoapodsAnalyzerEnabled the state of the cocoapods analyzer
888      */
889     public void setCocoapodsAnalyzerEnabled(Boolean cocoapodsAnalyzerEnabled) {
890         this.cocoapodsAnalyzerEnabled = cocoapodsAnalyzerEnabled;
891     }
892 
893     /**
894      * Sets whether or not the Carthage analyzer is enabled.
895      *
896      * @param carthageAnalyzerEnabled the state of the Carthage analyzer
897      */
898     public void setCarthageAnalyzerEnabled(Boolean carthageAnalyzerEnabled) {
899         this.carthageAnalyzerEnabled = carthageAnalyzerEnabled;
900     }
901 
902     /**
903      * Sets the enabled state of the swift package manager analyzer.
904      *
905      * @param swiftPackageManagerAnalyzerEnabled the enabled state of the swift
906      * package manager
907      */
908     public void setSwiftPackageManagerAnalyzerEnabled(Boolean swiftPackageManagerAnalyzerEnabled) {
909         this.swiftPackageManagerAnalyzerEnabled = swiftPackageManagerAnalyzerEnabled;
910     }
911 
912     /**
913      * Sets the enabled state of the swift package manager analyzer.
914      *
915      * @param swiftPackageResolvedAnalyzerEnabled the enabled state of the swift
916      * package resolved analyzer
917      */
918     public void setSwiftPackageResolvedAnalyzerEnabled(Boolean swiftPackageResolvedAnalyzerEnabled) {
919         this.swiftPackageResolvedAnalyzerEnabled = swiftPackageResolvedAnalyzerEnabled;
920     }
921 
922     /**
923      * Set the value of opensslAnalyzerEnabled.
924      *
925      * @param opensslAnalyzerEnabled new value of opensslAnalyzerEnabled
926      */
927     public void setOpensslAnalyzerEnabled(Boolean opensslAnalyzerEnabled) {
928         this.opensslAnalyzerEnabled = opensslAnalyzerEnabled;
929     }
930 
931     /**
932      * Set the value of nodeAnalyzerEnabled.
933      *
934      * @param nodeAnalyzerEnabled new value of nodeAnalyzerEnabled
935      */
936     public void setNodeAnalyzerEnabled(Boolean nodeAnalyzerEnabled) {
937         this.nodeAnalyzerEnabled = nodeAnalyzerEnabled;
938     }
939 
940     /**
941      * Set the value of nodeAuditAnalyzerEnabled.
942      *
943      * @param nodeAuditAnalyzerEnabled new value of nodeAuditAnalyzerEnabled
944      */
945     public void setNodeAuditAnalyzerEnabled(Boolean nodeAuditAnalyzerEnabled) {
946         this.nodeAuditAnalyzerEnabled = nodeAuditAnalyzerEnabled;
947     }
948 
949     /**
950      * Set the value of yarnAuditAnalyzerEnabled.
951      *
952      * @param yarnAuditAnalyzerEnabled new value of yarnAuditAnalyzerEnabled
953      */
954     public void setYarnAuditAnalyzerEnabled(Boolean yarnAuditAnalyzerEnabled) {
955         this.yarnAuditAnalyzerEnabled = yarnAuditAnalyzerEnabled;
956     }
957 
958     /**
959      * Set the value of pnpmAuditAnalyzerEnabled.
960      *
961      * @param pnpmAuditAnalyzerEnabled new value of pnpmAuditAnalyzerEnabled
962      */
963     public void setPnpmAuditAnalyzerEnabled(Boolean pnpmAuditAnalyzerEnabled) {
964         this.pnpmAuditAnalyzerEnabled = pnpmAuditAnalyzerEnabled;
965     }
966 
967     /**
968      * Set the value of nodeAuditAnalyzerUseCache.
969      *
970      * @param nodeAuditAnalyzerUseCache new value of nodeAuditAnalyzerUseCache
971      */
972     public void setNodeAuditAnalyzerUseCache(Boolean nodeAuditAnalyzerUseCache) {
973         this.nodeAuditAnalyzerUseCache = nodeAuditAnalyzerUseCache;
974     }
975 
976     /**
977      * Set the value of nodePackageSkipDevDependencies.
978      *
979      * @param nodePackageSkipDevDependencies new value of
980      * nodePackageSkipDevDependencies
981      */
982     public void setNodePackageSkipDevDependencies(Boolean nodePackageSkipDevDependencies) {
983         this.nodePackageSkipDevDependencies = nodePackageSkipDevDependencies;
984     }
985 
986     /**
987      * Set the value of nodeAuditSkipDevDependencies.
988      *
989      * @param nodeAuditSkipDevDependencies new value of
990      * nodeAuditSkipDevDependencies
991      */
992     public void setNodeAuditSkipDevDependencies(Boolean nodeAuditSkipDevDependencies) {
993         this.nodeAuditSkipDevDependencies = nodeAuditSkipDevDependencies;
994     }
995 
996     /**
997      * Set the value of retirejsFilterNonVulnerable.
998      *
999      * @param retirejsFilterNonVulnerable new value of
1000      * retirejsFilterNonVulnerable
1001      */
1002     public void setRetirejsFilterNonVulnerable(Boolean retirejsFilterNonVulnerable) {
1003         this.retirejsFilterNonVulnerable = retirejsFilterNonVulnerable;
1004     }
1005 
1006     /**
1007      * Add a regular expression to the set of retire JS content filters.
1008      * <p>
1009      * This is called by Ant.
1010      *
1011      * @param retirejsFilter the regular expression used to filter based on file
1012      * content
1013      */
1014     public void addConfiguredRetirejsFilter(final RetirejsFilter retirejsFilter) {
1015         retirejsFilters.add(retirejsFilter.getRegex());
1016     }
1017 
1018     /**
1019      * Set the value of rubygemsAnalyzerEnabled.
1020      *
1021      * @param rubygemsAnalyzerEnabled new value of rubygemsAnalyzerEnabled
1022      */
1023     public void setRubygemsAnalyzerEnabled(Boolean rubygemsAnalyzerEnabled) {
1024         this.rubygemsAnalyzerEnabled = rubygemsAnalyzerEnabled;
1025     }
1026 
1027     /**
1028      * Set the value of pyPackageAnalyzerEnabled.
1029      *
1030      * @param pyPackageAnalyzerEnabled new value of pyPackageAnalyzerEnabled
1031      */
1032     public void setPyPackageAnalyzerEnabled(Boolean pyPackageAnalyzerEnabled) {
1033         this.pyPackageAnalyzerEnabled = pyPackageAnalyzerEnabled;
1034     }
1035 
1036     /**
1037      * Set the value of pyDistributionAnalyzerEnabled.
1038      *
1039      * @param pyDistributionAnalyzerEnabled new value of
1040      * pyDistributionAnalyzerEnabled
1041      */
1042     public void setPyDistributionAnalyzerEnabled(Boolean pyDistributionAnalyzerEnabled) {
1043         this.pyDistributionAnalyzerEnabled = pyDistributionAnalyzerEnabled;
1044     }
1045 
1046     /**
1047      * Set the value of mixAuditAnalyzerEnabled.
1048      *
1049      * @param mixAuditAnalyzerEnabled new value of mixAuditAnalyzerEnabled
1050      */
1051     public void setMixAuditAnalyzerEnabled(Boolean mixAuditAnalyzerEnabled) {
1052         this.mixAuditAnalyzerEnabled = mixAuditAnalyzerEnabled;
1053     }
1054 
1055     /**
1056      * Sets the path to the mix audit executable.
1057      *
1058      * @param mixAuditPath the path to the bundle audit executable
1059      */
1060     public void setMixAuditPath(String mixAuditPath) {
1061         this.mixAuditPath = mixAuditPath;
1062     }
1063     /**
1064      * Set the value of centralAnalyzerEnabled.
1065      *
1066      * @param centralAnalyzerEnabled new value of centralAnalyzerEnabled
1067      */
1068     public void setCentralAnalyzerEnabled(Boolean centralAnalyzerEnabled) {
1069         this.centralAnalyzerEnabled = centralAnalyzerEnabled;
1070     }
1071 
1072     /**
1073      * Set the value of centralAnalyzerUseCache.
1074      *
1075      * @param centralAnalyzerUseCache new value of centralAnalyzerUseCache
1076      */
1077     public void setCentralAnalyzerUseCache(Boolean centralAnalyzerUseCache) {
1078         this.centralAnalyzerUseCache = centralAnalyzerUseCache;
1079     }
1080 
1081     /**
1082      * Set the value of nexusAnalyzerEnabled.
1083      *
1084      * @param nexusAnalyzerEnabled new value of nexusAnalyzerEnabled
1085      */
1086     public void setNexusAnalyzerEnabled(Boolean nexusAnalyzerEnabled) {
1087         this.nexusAnalyzerEnabled = nexusAnalyzerEnabled;
1088     }
1089 
1090     /**
1091      * Set the value of golangDepEnabled.
1092      *
1093      * @param golangDepEnabled new value of golangDepEnabled
1094      */
1095     public void setGolangDepEnabled(Boolean golangDepEnabled) {
1096         this.golangDepEnabled = golangDepEnabled;
1097     }
1098 
1099     /**
1100      * Set the value of golangModEnabled.
1101      *
1102      * @param golangModEnabled new value of golangModEnabled
1103      */
1104     public void setGolangModEnabled(Boolean golangModEnabled) {
1105         this.golangModEnabled = golangModEnabled;
1106     }
1107 
1108     /**
1109      * Set the value of dartAnalyzerEnabled.
1110      *
1111      * @param dartAnalyzerEnabled new value of dartAnalyzerEnabled
1112      */
1113     public void setDartAnalyzerEnabled(Boolean dartAnalyzerEnabled) {
1114         this.dartAnalyzerEnabled = dartAnalyzerEnabled;
1115     }
1116 
1117     /**
1118      * Set the value of pathToYarn.
1119      *
1120      * @param pathToYarn new value of pathToYarn
1121      */
1122     public void setPathToYarn(String pathToYarn) {
1123         this.pathToYarn = pathToYarn;
1124     }
1125 
1126     /**
1127      * Set the value of pathToPnpm.
1128      *
1129      * @param pathToPnpm new value of pathToPnpm
1130      */
1131     public void setPathToPnpm(String pathToPnpm) {
1132         this.pathToPnpm = pathToPnpm;
1133     }
1134 
1135     /**
1136      * Set the value of pathToGo.
1137      *
1138      * @param pathToGo new value of pathToGo
1139      */
1140     public void setPathToGo(String pathToGo) {
1141         this.pathToGo = pathToGo;
1142     }
1143 
1144     /**
1145      * Set the value of nexusUrl.
1146      *
1147      * @param nexusUrl new value of nexusUrl
1148      */
1149     public void setNexusUrl(String nexusUrl) {
1150         this.nexusUrl = nexusUrl;
1151     }
1152 
1153     /**
1154      * Set the value of nexusUser.
1155      *
1156      * @param nexusUser new value of nexusUser
1157      */
1158     public void setNexusUser(String nexusUser) {
1159         this.nexusUser = nexusUser;
1160     }
1161 
1162     /**
1163      * Set the value of nexusPassword.
1164      *
1165      * @param nexusPassword new value of nexusPassword
1166      */
1167     public void setNexusPassword(String nexusPassword) {
1168         this.nexusPassword = nexusPassword;
1169     }
1170 
1171     /**
1172      * Set the value of nexusUsesProxy.
1173      *
1174      * @param nexusUsesProxy new value of nexusUsesProxy
1175      */
1176     public void setNexusUsesProxy(Boolean nexusUsesProxy) {
1177         this.nexusUsesProxy = nexusUsesProxy;
1178     }
1179 
1180     /**
1181      * Set the value of zipExtensions.
1182      *
1183      * @param zipExtensions new value of zipExtensions
1184      */
1185     public void setZipExtensions(String zipExtensions) {
1186         this.zipExtensions = zipExtensions;
1187     }
1188 
1189     /**
1190      * Set the value of pathToCore.
1191      *
1192      * @param pathToCore new value of pathToCore
1193      */
1194     public void setPathToDotnetCore(String pathToCore) {
1195         this.pathToCore = pathToCore;
1196     }
1197 
1198     /**
1199      * Set value of {@link #ossindexAnalyzerEnabled}.
1200      *
1201      * @param ossindexAnalyzerEnabled new value of ossindexAnalyzerEnabled
1202      */
1203     public void setOssindexAnalyzerEnabled(Boolean ossindexAnalyzerEnabled) {
1204         this.ossindexAnalyzerEnabled = ossindexAnalyzerEnabled;
1205     }
1206 
1207     /**
1208      * Set value of {@link #ossindexAnalyzerUseCache}.
1209      *
1210      * @param ossindexAnalyzerUseCache new value of ossindexAnalyzerUseCache
1211      */
1212     public void setOssindexAnalyzerUseCache(Boolean ossindexAnalyzerUseCache) {
1213         this.ossindexAnalyzerUseCache = ossindexAnalyzerUseCache;
1214     }
1215 
1216     /**
1217      * Set value of {@link #ossindexAnalyzerUrl}.
1218      *
1219      * @param ossindexAnalyzerUrl new value of ossindexAnalyzerUrl
1220      */
1221     public void setOssindexAnalyzerUrl(String ossindexAnalyzerUrl) {
1222         this.ossindexAnalyzerUrl = ossindexAnalyzerUrl;
1223     }
1224 
1225     /**
1226      * Set value of {@link #ossindexAnalyzerUsername}.
1227      *
1228      * @param ossindexAnalyzerUsername new value of ossindexAnalyzerUsername
1229      */
1230     public void setOssindexAnalyzerUsername(String ossindexAnalyzerUsername) {
1231         this.ossindexAnalyzerUsername = ossindexAnalyzerUsername;
1232     }
1233 
1234     /**
1235      * Set value of {@link #ossindexAnalyzerPassword}.
1236      *
1237      * @param ossindexAnalyzerPassword new value of ossindexAnalyzerPassword
1238      */
1239     public void setOssindexAnalyzerPassword(String ossindexAnalyzerPassword) {
1240         this.ossindexAnalyzerPassword = ossindexAnalyzerPassword;
1241     }
1242 
1243     /**
1244      * Set value of {@link #ossIndexAnalyzerWarnOnlyOnRemoteErrors}.
1245      *
1246      * @param ossIndexWarnOnlyOnRemoteErrors the value of
1247      * ossIndexWarnOnlyOnRemoteErrors
1248      */
1249     public void setOssIndexWarnOnlyOnRemoteErrors(Boolean ossIndexWarnOnlyOnRemoteErrors) {
1250         this.ossIndexAnalyzerWarnOnlyOnRemoteErrors = ossIndexWarnOnlyOnRemoteErrors;
1251     }
1252 
1253     /**
1254      * Set the value of cmakeAnalyzerEnabled.
1255      *
1256      * @param cmakeAnalyzerEnabled new value of cmakeAnalyzerEnabled
1257      */
1258     public void setCmakeAnalyzerEnabled(Boolean cmakeAnalyzerEnabled) {
1259         this.cmakeAnalyzerEnabled = cmakeAnalyzerEnabled;
1260     }
1261 
1262     /**
1263      * Set the value of artifactoryAnalyzerEnabled.
1264      *
1265      * @param artifactoryAnalyzerEnabled new value of artifactoryAnalyzerEnabled
1266      */
1267     public void setArtifactoryAnalyzerEnabled(Boolean artifactoryAnalyzerEnabled) {
1268         this.artifactoryAnalyzerEnabled = artifactoryAnalyzerEnabled;
1269     }
1270 
1271     /**
1272      * Set the value of artifactoryAnalyzerUrl.
1273      *
1274      * @param artifactoryAnalyzerUrl new value of artifactoryAnalyzerUrl
1275      */
1276     public void setArtifactoryAnalyzerUrl(String artifactoryAnalyzerUrl) {
1277         this.artifactoryAnalyzerUrl = artifactoryAnalyzerUrl;
1278     }
1279 
1280     /**
1281      * Set the value of artifactoryAnalyzerUseProxy.
1282      *
1283      * @param artifactoryAnalyzerUseProxy new value of
1284      * artifactoryAnalyzerUseProxy
1285      */
1286     public void setArtifactoryAnalyzerUseProxy(Boolean artifactoryAnalyzerUseProxy) {
1287         this.artifactoryAnalyzerUseProxy = artifactoryAnalyzerUseProxy;
1288     }
1289 
1290     /**
1291      * Set the value of artifactoryAnalyzerParallelAnalysis.
1292      *
1293      * @param artifactoryAnalyzerParallelAnalysis new value of
1294      * artifactoryAnalyzerParallelAnalysis
1295      */
1296     public void setArtifactoryAnalyzerParallelAnalysis(Boolean artifactoryAnalyzerParallelAnalysis) {
1297         this.artifactoryAnalyzerParallelAnalysis = artifactoryAnalyzerParallelAnalysis;
1298     }
1299 
1300     /**
1301      * Set the value of artifactoryAnalyzerUsername.
1302      *
1303      * @param artifactoryAnalyzerUsername new value of
1304      * artifactoryAnalyzerUsername
1305      */
1306     public void setArtifactoryAnalyzerUsername(String artifactoryAnalyzerUsername) {
1307         this.artifactoryAnalyzerUsername = artifactoryAnalyzerUsername;
1308     }
1309 
1310     /**
1311      * Set the value of artifactoryAnalyzerApiToken.
1312      *
1313      * @param artifactoryAnalyzerApiToken new value of
1314      * artifactoryAnalyzerApiToken
1315      */
1316     public void setArtifactoryAnalyzerApiToken(String artifactoryAnalyzerApiToken) {
1317         this.artifactoryAnalyzerApiToken = artifactoryAnalyzerApiToken;
1318     }
1319 
1320     /**
1321      * Set the value of artifactoryAnalyzerBearerToken.
1322      *
1323      * @param artifactoryAnalyzerBearerToken new value of
1324      * artifactoryAnalyzerBearerToken
1325      */
1326     public void setArtifactoryAnalyzerBearerToken(String artifactoryAnalyzerBearerToken) {
1327         this.artifactoryAnalyzerBearerToken = artifactoryAnalyzerBearerToken;
1328     }
1329 
1330     /**
1331      * Set the value of failBuildOnUnusedSuppressionRule.
1332      *
1333      * @param failBuildOnUnusedSuppressionRule new value of
1334      * failBuildOnUnusedSuppressionRule
1335      */
1336     public void setFailBuildOnUnusedSuppressionRule(boolean failBuildOnUnusedSuppressionRule) {
1337         this.failBuildOnUnusedSuppressionRule = failBuildOnUnusedSuppressionRule;
1338     }
1339 
1340     //see note on `dealWithReferences()` for information on this suppression
1341     @SuppressWarnings("squid:RedundantThrowsDeclarationCheck")
1342     @Override
1343     protected void executeWithContextClassloader() throws BuildException {
1344         dealWithReferences();
1345         validateConfiguration();
1346         populateSettings();
1347         try {
1348             Downloader.getInstance().configure(getSettings());
1349         } catch (InvalidSettingException e) {
1350             throw new BuildException(e);
1351         }
1352         TelemetryCollector.send(getSettings());
1353         try (Engine engine = new Engine(Check.class.getClassLoader(), getSettings())) {
1354             for (Resource resource : getPath()) {
1355                 final FileProvider provider = resource.as(FileProvider.class);
1356                 if (provider != null) {
1357                     final File file = provider.getFile();
1358                     if (file != null && file.exists()) {
1359                         engine.scan(file);
1360                     }
1361                 }
1362             }
1363             final ExceptionCollection exceptions = callExecuteAnalysis(engine);
1364             if (exceptions == null || !exceptions.isFatal()) {
1365                 for (String format : getReportFormats()) {
1366                     engine.writeReports(getProjectName(), new File(reportOutputDirectory), format, exceptions);
1367                 }
1368                 if (this.failBuildOnCVSS <= 10) {
1369                     checkForFailure(engine.getDependencies());
1370                 }
1371                 if (this.showSummary) {
1372                     DependencyCheckScanAgent.showSummary(engine.getDependencies());
1373                 }
1374             }
1375         } catch (DatabaseException ex) {
1376             final String msg = "Unable to connect to the dependency-check database; analysis has stopped";
1377             if (this.isFailOnError()) {
1378                 throw new BuildException(msg, ex);
1379             }
1380             log(msg, ex, Project.MSG_ERR);
1381         } catch (ReportException ex) {
1382             final String msg = "Unable to generate the dependency-check report";
1383             if (this.isFailOnError()) {
1384                 throw new BuildException(msg, ex);
1385             }
1386             log(msg, ex, Project.MSG_ERR);
1387         } finally {
1388             getSettings().cleanup();
1389         }
1390     }
1391 
1392     /**
1393      * Wraps the call to `engine.analyzeDependencies()` and correctly handles
1394      * any exceptions
1395      *
1396      * @param engine a reference to the engine
1397      * @return the collection of any exceptions that occurred; otherwise
1398      * <code>null</code>
1399      * @throws BuildException thrown if configured to fail the build on errors
1400      */
1401     //see note on `dealWithReferences()` for information on this suppression
1402     @SuppressWarnings("squid:RedundantThrowsDeclarationCheck")
1403     private ExceptionCollection callExecuteAnalysis(final Engine engine) throws BuildException {
1404         ExceptionCollection exceptions = null;
1405         try {
1406             engine.analyzeDependencies();
1407         } catch (ExceptionCollection ex) {
1408             if (this.isFailOnError()) {
1409                 throw new BuildException(ex);
1410             }
1411             exceptions = ex;
1412         }
1413         return exceptions;
1414     }
1415 
1416     /**
1417      * Validate the configuration to ensure the parameters have been properly
1418      * configured/initialized.
1419      *
1420      * @throws BuildException if the task was not configured correctly.
1421      */
1422     //see note on `dealWithReferences()` for information on this suppression
1423     @SuppressWarnings("squid:RedundantThrowsDeclarationCheck")
1424     private synchronized void validateConfiguration() throws BuildException {
1425         if (path == null) {
1426             throw new BuildException("No project dependencies have been defined to analyze.");
1427         }
1428         if (failBuildOnCVSS < 0 || failBuildOnCVSS > 11) {
1429             throw new BuildException("Invalid configuration, failBuildOnCVSS must be between 0 and 11.");
1430         }
1431     }
1432 
1433     /**
1434      * Takes the properties supplied and updates the dependency-check settings.
1435      * Additionally, this sets the system properties required to change the
1436      * proxy server, port, and connection timeout.
1437      *
1438      * @throws BuildException thrown when an invalid setting is configured.
1439      */
1440     //see note on `dealWithReferences()` for information on this suppression
1441     @SuppressWarnings("squid:RedundantThrowsDeclarationCheck")
1442     @Override
1443     protected void populateSettings() throws BuildException {
1444         super.populateSettings();
1445         getSettings().setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate);
1446         getSettings().setArrayIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFiles);
1447         getSettings().setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE_USER, suppressionFileUser);
1448         getSettings().setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE_PASSWORD, suppressionFilePassword);
1449         getSettings().setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE_BEARER_TOKEN, suppressionFileBearerToken);
1450         getSettings().setBooleanIfNotNull(Settings.KEYS.UPDATE_VERSION_CHECK_ENABLED, versionCheckEnabled);
1451         getSettings().setStringIfNotEmpty(Settings.KEYS.HINTS_FILE, hintsFile);
1452         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, enableExperimental);
1453         getSettings().setBooleanIfNotNull(Settings.KEYS.PRETTY_PRINT, prettyPrint);
1454         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIRED_ENABLED, enableRetired);
1455         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
1456         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, pyDistributionAnalyzerEnabled);
1457         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, pyPackageAnalyzerEnabled);
1458         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, rubygemsAnalyzerEnabled);
1459         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, opensslAnalyzerEnabled);
1460         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_CMAKE_ENABLED, cmakeAnalyzerEnabled);
1461 
1462         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_ENABLED, artifactoryAnalyzerEnabled);
1463         getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_ARTIFACTORY_URL, artifactoryAnalyzerUrl);
1464         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_USES_PROXY, artifactoryAnalyzerUseProxy);
1465         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_PARALLEL_ANALYSIS, artifactoryAnalyzerParallelAnalysis);
1466         getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_ARTIFACTORY_API_USERNAME, artifactoryAnalyzerUsername);
1467         getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_ARTIFACTORY_API_TOKEN, artifactoryAnalyzerApiToken);
1468         getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_ARTIFACTORY_BEARER_TOKEN, artifactoryAnalyzerBearerToken);
1469 
1470         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED, swiftPackageManagerAnalyzerEnabled);
1471         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_RESOLVED_ENABLED, swiftPackageResolvedAnalyzerEnabled);
1472         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_COCOAPODS_ENABLED, cocoapodsAnalyzerEnabled);
1473         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_CARTHAGE_ENABLED, carthageAnalyzerEnabled);
1474         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, bundleAuditAnalyzerEnabled);
1475         getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, bundleAuditPath);
1476         getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_WORKING_DIRECTORY, bundleAuditWorkingDirectory);
1477         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
1478         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_MAVEN_INSTALL_ENABLED, mavenInstallAnalyzerEnabled);
1479         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PIP_ENABLED, pipAnalyzerEnabled);
1480         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PIPFILE_ENABLED, pipfileAnalyzerEnabled);
1481         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_POETRY_ENABLED, poetryAnalyzerEnabled);
1482         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
1483         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_SKIP_DEV, composerAnalyzerSkipDev);
1484         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_CPANFILE_ENABLED, cpanfileAnalyzerEnabled);
1485         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);
1486         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_SKIPDEV, nodePackageSkipDevDependencies);
1487         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED, nodeAuditAnalyzerEnabled);
1488         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_YARN_AUDIT_ENABLED, yarnAuditAnalyzerEnabled);
1489         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PNPM_AUDIT_ENABLED, pnpmAuditAnalyzerEnabled);
1490         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_USE_CACHE, nodeAuditAnalyzerUseCache);
1491         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_SKIPDEV, nodeAuditSkipDevDependencies);
1492         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_FILTER_NON_VULNERABLE, retirejsFilterNonVulnerable);
1493         getSettings().setArrayIfNotEmpty(Settings.KEYS.ANALYZER_RETIREJS_FILTERS, retirejsFilters);
1494         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_GOLANG_DEP_ENABLED, golangDepEnabled);
1495         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_GOLANG_MOD_ENABLED, golangModEnabled);
1496         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_DART_ENABLED, dartAnalyzerEnabled);
1497         getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_GOLANG_PATH, pathToGo);
1498         getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_YARN_PATH, pathToYarn);
1499         getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_PNPM_PATH, pathToPnpm);
1500         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_MIX_AUDIT_ENABLED, mixAuditAnalyzerEnabled);
1501         getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_MIX_AUDIT_PATH, mixAuditPath);
1502         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
1503         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUGETCONF_ENABLED, nugetconfAnalyzerEnabled);
1504         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_LIBMAN_ENABLED, libmanAnalyzerEnabled);
1505         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
1506         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_USE_CACHE, centralAnalyzerUseCache);
1507         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
1508         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, archiveAnalyzerEnabled);
1509         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, assemblyAnalyzerEnabled);
1510         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_MSBUILD_PROJECT_ENABLED, msbuildAnalyzerEnabled);
1511         getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
1512         getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_USER, nexusUser);
1513         getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_PASSWORD, nexusPassword);
1514         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
1515         getSettings().setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
1516         getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_DOTNET_PATH, pathToCore);
1517         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_ENABLED, ossindexAnalyzerEnabled);
1518         getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_URL, ossindexAnalyzerUrl);
1519         getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_USER, ossindexAnalyzerUsername);
1520         getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_PASSWORD, ossindexAnalyzerPassword);
1521         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_USE_CACHE, ossindexAnalyzerUseCache);
1522         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, ossIndexAnalyzerWarnOnlyOnRemoteErrors);
1523         getSettings().setFloat(Settings.KEYS.JUNIT_FAIL_ON_CVSS, junitFailOnCVSS);
1524         getSettings().setBooleanIfNotNull(Settings.KEYS.FAIL_ON_UNUSED_SUPPRESSION_RULE, failBuildOnUnusedSuppressionRule);
1525     }
1526 
1527     /**
1528      * Checks to see if a vulnerability has been identified with a CVSS score
1529      * that is above the threshold set in the configuration.
1530      *
1531      * @param dependencies the list of dependency objects
1532      * @throws BuildException thrown if a CVSS score is found that is higher
1533      * than the threshold set
1534      */
1535     //see note on `dealWithReferences()` for information on this suppression
1536     @SuppressWarnings("squid:RedundantThrowsDeclarationCheck")
1537     private void checkForFailure(Dependency[] dependencies) throws BuildException {
1538         final StringBuilder ids = new StringBuilder();
1539         for (Dependency d : dependencies) {
1540             boolean addName = true;
1541             for (Vulnerability v : d.getVulnerabilities()) {
1542                 final double cvssV2 = v.getCvssV2() != null && v.getCvssV2().getCvssData() != null
1543                         && v.getCvssV2().getCvssData().getBaseScore() != null ? v.getCvssV2().getCvssData().getBaseScore() : -1;
1544                 final double cvssV3 = v.getCvssV3() != null && v.getCvssV3().getCvssData() != null
1545                         && v.getCvssV3().getCvssData().getBaseScore() != null ? v.getCvssV3().getCvssData().getBaseScore() : -1;
1546                 final double cvssV4 = v.getCvssV4() != null && v.getCvssV4().getCvssData() != null
1547                         && v.getCvssV4().getCvssData().getBaseScore() != null ? v.getCvssV4().getCvssData().getBaseScore() : -1;
1548                 final boolean useUnscored = cvssV2 == -1 && cvssV3 == -1 && cvssV4 == -1;
1549                 final double unscoredCvss =
1550                         useUnscored && v.getUnscoredSeverity() != null ? SeverityUtil.estimateCvssV2(v.getUnscoredSeverity()) : -1;
1551 
1552                 if (cvssV2 >= failBuildOnCVSS
1553                         || cvssV3 >= failBuildOnCVSS
1554                         || cvssV4 >= failBuildOnCVSS
1555                         || unscoredCvss >= failBuildOnCVSS
1556                         //safety net to fail on any if for some reason the above misses on 0
1557                         || failBuildOnCVSS <= 0.0f
1558                 ) {
1559                     if (addName) {
1560                         addName = false;
1561                         ids.append(NEW_LINE).append(d.getFileName()).append(" (")
1562                            .append(Stream.concat(d.getSoftwareIdentifiers().stream(), d.getVulnerableSoftwareIdentifiers().stream())
1563                                          .map(Identifier::getValue)
1564                                          .collect(Collectors.joining(", ")))
1565                            .append("): ")
1566                            .append(v.getName());
1567                     } else {
1568                         ids.append(", ").append(v.getName());
1569                     }
1570                 }
1571             }
1572         }
1573         if (ids.length() > 0) {
1574             final String msg;
1575             if (showSummary) {
1576                 msg = String.format("%n%nDependency-Check Failure:%n"
1577                         + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '%.1f': %s%n"
1578                         + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids);
1579             } else {
1580                 msg = String.format("%n%nDependency-Check Failure:%n"
1581                         + "One or more dependencies were identified with vulnerabilities.%n%n"
1582                         + "See the dependency-check report for more details.%n%n");
1583             }
1584             throw new BuildException(msg);
1585         }
1586     }
1587 
1588     /**
1589      * An enumeration of supported report formats: "ALL", "HTML", "XML", "CSV",
1590      * "JSON", "JUNIT", "SARIF", 'JENkINS', etc..
1591      */
1592     public static class ReportFormats extends EnumeratedAttribute {
1593 
1594         /**
1595          * Returns the list of values for the report format.
1596          *
1597          * @return the list of values for the report format
1598          */
1599         @Override
1600         public String[] getValues() {
1601             int i = 0;
1602             final Format[] formats = Format.values();
1603             final String[] values = new String[formats.length];
1604             for (Format format : formats) {
1605                 values[i++] = format.name();
1606             }
1607             return values;
1608         }
1609     }
1610 
1611     /**
1612      * A class for Ant to represent the
1613      * {@code <reportFormat format="<format>"/>} nested element to define
1614      * multiple report formats for the ant-task.
1615      */
1616     public static class ReportFormat {
1617 
1618         /**
1619          * The format of this ReportFormat.
1620          */
1621         private ReportFormats format;
1622 
1623         /**
1624          * Gets the format as a String.
1625          *
1626          * @return the String representing a report format
1627          */
1628         public String getFormat() {
1629             return this.format.getValue();
1630         }
1631 
1632         /**
1633          * Sets the format.
1634          *
1635          * @param format the String value for one of the {@link ReportFormats}
1636          * @throws BuildException When the offered String is not one of the
1637          * valid values of the {@link ReportFormats} EnumeratedAttribute
1638          */
1639         public void setFormat(final String format) {
1640             this.format = (ReportFormats) EnumeratedAttribute.getInstance(ReportFormats.class, format);
1641         }
1642     }
1643 }
1644 //CSON: MethodCount