Check.java

  1. /*
  2.  * This file is part of dependency-check-ant.
  3.  *
  4.  * Licensed under the Apache License, Version 2.0 (the "License");
  5.  * you may not use this file except in compliance with the License.
  6.  * You may obtain a copy of the License at
  7.  *
  8.  *     http://www.apache.org/licenses/LICENSE-2.0
  9.  *
  10.  * Unless required by applicable law or agreed to in writing, software
  11.  * distributed under the License is distributed on an "AS IS" BASIS,
  12.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13.  * See the License for the specific language governing permissions and
  14.  * limitations under the License.
  15.  *
  16.  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  17.  */
  18. package org.owasp.dependencycheck.taskdefs;

  19. import java.io.File;
  20. import java.util.ArrayList;
  21. import java.util.List;
  22. import java.util.stream.Collectors;
  23. import java.util.stream.Stream;
  24. import javax.annotation.concurrent.NotThreadSafe;

  25. import org.apache.tools.ant.BuildException;
  26. import org.apache.tools.ant.Project;
  27. import org.apache.tools.ant.types.EnumeratedAttribute;
  28. import org.apache.tools.ant.types.Reference;
  29. import org.apache.tools.ant.types.Resource;
  30. import org.apache.tools.ant.types.ResourceCollection;
  31. import org.apache.tools.ant.types.resources.FileProvider;
  32. import org.apache.tools.ant.types.resources.Resources;
  33. import org.owasp.dependencycheck.Engine;
  34. import org.owasp.dependencycheck.agent.DependencyCheckScanAgent;
  35. import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
  36. import org.owasp.dependencycheck.dependency.Dependency;
  37. import org.owasp.dependencycheck.dependency.Vulnerability;
  38. import org.owasp.dependencycheck.dependency.naming.Identifier;
  39. import org.owasp.dependencycheck.exception.ExceptionCollection;
  40. import org.owasp.dependencycheck.exception.ReportException;
  41. import org.owasp.dependencycheck.reporting.ReportGenerator.Format;
  42. import org.owasp.dependencycheck.utils.Downloader;
  43. import org.owasp.dependencycheck.utils.InvalidSettingException;
  44. import org.owasp.dependencycheck.utils.Settings;
  45. import org.owasp.dependencycheck.utils.SeverityUtil;
  46. import org.slf4j.impl.StaticLoggerBinder;

  47. //CSOFF: MethodCount
  48. /**
  49.  * An Ant task definition to execute dependency-check during an Ant build.
  50.  *
  51.  * @author Jeremy Long
  52.  */
  53. @NotThreadSafe
  54. public class Check extends Update {

  55.     /**
  56.      * System specific new line character.
  57.      */
  58.     private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();

  59.     /**
  60.      * Whether the ruby gemspec analyzer should be enabled.
  61.      */
  62.     private Boolean rubygemsAnalyzerEnabled;
  63.     /**
  64.      * Whether or not the Node.js Analyzer is enabled.
  65.      */
  66.     private Boolean nodeAnalyzerEnabled;
  67.     /**
  68.      * Whether or not the Node Audit Analyzer is enabled.
  69.      */
  70.     private Boolean nodeAuditAnalyzerEnabled;
  71.     /**
  72.      * Whether or not the Yarn Audit Analyzer is enabled.
  73.      */
  74.     private Boolean yarnAuditAnalyzerEnabled;
  75.     /**
  76.      * Whether or not the Pnpm Audit Analyzer is enabled.
  77.      */
  78.     private Boolean pnpmAuditAnalyzerEnabled;
  79.     /**
  80.      * Sets whether or not the Node Audit Analyzer should use a local cache.
  81.      */
  82.     private Boolean nodeAuditAnalyzerUseCache;
  83.     /**
  84.      * Sets whether or not the Node Package Analyzer should skip dev
  85.      * dependencies.
  86.      */
  87.     private Boolean nodePackageSkipDevDependencies;
  88.     /**
     * Sets whether or not the Node Audit Analyzer should skip dev dependencies.
  90.      */
  91.     private Boolean nodeAuditSkipDevDependencies;
  92.     /**
  93.      * The list of filters (regular expressions) used by the RetireJS Analyzer
     * to exclude files that contain matching content.
  95.      */
  96.     @SuppressWarnings("CanBeFinal")
  97.     private final List<String> retirejsFilters = new ArrayList<>();
  98.     /**
  99.      * Whether or not the RetireJS Analyzer filters non-vulnerable JS files from
  100.      * the report; default is false.
  101.      */
  102.     private Boolean retirejsFilterNonVulnerable;
  103.     /**
  104.      * Whether or not the Ruby Bundle Audit Analyzer is enabled.
  105.      */
  106.     private Boolean bundleAuditAnalyzerEnabled;
  107.     /**
  108.      * Whether the CMake analyzer should be enabled.
  109.      */
  110.     private Boolean cmakeAnalyzerEnabled;
  111.     /**
  112.      * Whether or not the Open SSL analyzer is enabled.
  113.      */
  114.     private Boolean opensslAnalyzerEnabled;
  115.     /**
  116.      * Whether the python package analyzer should be enabled.
  117.      */
  118.     private Boolean pyPackageAnalyzerEnabled;
  119.     /**
  120.      * Whether the python distribution analyzer should be enabled.
  121.      */
  122.     private Boolean pyDistributionAnalyzerEnabled;
  123.     /**
  124.      * Whether or not the mix audit analyzer is enabled.
  125.      */
  126.     private Boolean mixAuditAnalyzerEnabled;
  127.     /**
  128.      * Whether or not the central analyzer is enabled.
  129.      */
  130.     private Boolean centralAnalyzerEnabled;
  131.     /**
  132.      * Whether or not the Central Analyzer should use a local cache.
  133.      */
  134.     private Boolean centralAnalyzerUseCache;
  135.     /**
  136.      * Whether or not the nexus analyzer is enabled.
  137.      */
  138.     private Boolean nexusAnalyzerEnabled;
  139.     /**
  140.      * The URL of a Nexus server's REST API end point
  141.      * (http://domain/nexus/service/local).
  142.      */
  143.     private String nexusUrl;
  144.     /**
  145.      * The username to authenticate to the Nexus Server's REST API Endpoint.
  146.      */
  147.     private String nexusUser;
  148.     /**
  149.      * The password to authenticate to the Nexus Server's REST API Endpoint.
  150.      */
  151.     private String nexusPassword;
  152.     /**
  153.      * Whether or not the defined proxy should be used when connecting to Nexus.
  154.      */
  155.     private Boolean nexusUsesProxy;

  156.     /**
  157.      * Sets whether the Golang Dependency analyzer is enabled. Default is true.
  158.      */
  159.     private Boolean golangDepEnabled;
  160.     /**
  161.      * Sets whether Golang Module Analyzer is enabled; this requires `go` to be
  162.      * installed. Default is true.
  163.      */
  164.     private Boolean golangModEnabled;
  165.     /**
  166.      * Sets the path to `go`.
  167.      */
  168.     private String pathToGo;
  169.     /**
  170.      * Sets whether the Dart analyzer is enabled. Default is true.
  171.      */
  172.     private Boolean dartAnalyzerEnabled;
  173.     /**
  174.      * The path to `yarn`.
  175.      */
  176.     private String pathToYarn;
  177.     /**
  178.      * The path to `pnpm`.
  179.      */
  180.     private String pathToPnpm;
  181.     /**
  182.      * Additional ZIP File extensions to add analyze. This should be a
  183.      * comma-separated list of file extensions to treat like ZIP files.
  184.      */
  185.     private String zipExtensions;
  186.     /**
  187.      * The path to dotnet core for .NET assembly analysis.
  188.      */
  189.     private String pathToCore;
  190.     /**
  191.      * The name of the project being analyzed.
  192.      */
  193.     private String projectName = "dependency-check";
  194.     /**
  195.      * Specifies the destination directory for the generated Dependency-Check
  196.      * report.
  197.      */
  198.     private String reportOutputDirectory = ".";
  199.     /**
  200.      * If using the JUNIT report format the junitFailOnCVSS sets the CVSS score
  201.      * threshold that is considered a failure. The default is 0.
  202.      */
  203.     private float junitFailOnCVSS = 0;
  204.     /**
  205.      * Specifies if the build should be failed if a CVSS score above a specified
  206.      * level is identified. The default is 11 which means since the CVSS scores
  207.      * are 0-10, by default the build will never fail and the CVSS score is set
  208.      * to 11. The valid range for the fail build on CVSS is 0 to 11, where
  209.      * anything above 10 will not cause the build to fail.
  210.      */
  211.     private float failBuildOnCVSS = 11;
  212.     /**
  213.      * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not
  214.      * recommended that this be turned to false. Default is true.
  215.      */
  216.     private Boolean autoUpdate;
  217.     /**
  218.      * The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF,
  219.      * JENKINS, GITLAB, ALL). Default is HTML.
  220.      */
  221.     private String reportFormat = "HTML";
  222.     /**
     * The report formats to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF,
     * JENKINS, GITLAB, ALL). Default is HTML.
  225.      */
  226.     private final List<String> reportFormats = new ArrayList<>();
  227.     /**
  228.      * Whether the JSON and XML reports should be pretty printed; the default is
  229.      * false.
  230.      */
  231.     private Boolean prettyPrint = null;

  232.     /**
  233.      * Suppression file paths.
  234.      */
  235.     @SuppressWarnings("CanBeFinal")
  236.     private final List<String> suppressionFiles = new ArrayList<>();

  237.     /**
     * The path to the hints file.
  239.      */
  240.     private String hintsFile;
  241.     /**
  242.      * flag indicating whether or not to show a summary of findings.
  243.      */
  244.     private boolean showSummary = true;
  245.     /**
  246.      * Whether experimental analyzers are enabled.
  247.      */
  248.     private Boolean enableExperimental;
  249.     /**
  250.      * Whether retired analyzers are enabled.
  251.      */
  252.     private Boolean enableRetired;
  253.     /**
  254.      * Whether or not the Jar Analyzer is enabled.
  255.      */
  256.     private Boolean jarAnalyzerEnabled;
  257.     /**
  258.      * Whether or not the Archive Analyzer is enabled.
  259.      */
  260.     private Boolean archiveAnalyzerEnabled;
  261.     /**
  262.      * Whether or not the .NET Nuspec Analyzer is enabled.
  263.      */
  264.     private Boolean nuspecAnalyzerEnabled;
  265.     /**
  266.      * Whether or not the .NET Nuget packages.config file Analyzer is enabled.
  267.      */
  268.     private Boolean nugetconfAnalyzerEnabled;
  269.     /**
  270.      * Whether or not the Libman Analyzer is enabled.
  271.      */
  272.     private Boolean libmanAnalyzerEnabled;
  273.     /**
  274.      * Whether or not the PHP Composer Analyzer is enabled.
  275.      */
  276.     private Boolean composerAnalyzerEnabled;
  277.     /**
  278.      * Whether or not the PHP Composer Analyzer will skip "packages-dev".
  279.      */
  280.     private Boolean composerAnalyzerSkipDev;
  281.     /**
  282.      * Whether or not the Perl CPAN File Analyzer is enabled.
  283.      */
  284.     private Boolean cpanfileAnalyzerEnabled;

  285.     /**
  286.      * Whether or not the .NET Assembly Analyzer is enabled.
  287.      */
  288.     private Boolean assemblyAnalyzerEnabled;
  289.     /**
  290.      * Whether or not the MS Build Assembly Analyzer is enabled.
  291.      */
  292.     private Boolean msbuildAnalyzerEnabled;
  293.     /**
  294.      * Whether the autoconf analyzer should be enabled.
  295.      */
  296.     private Boolean autoconfAnalyzerEnabled;
  297.     /**
  298.      * Whether the pip analyzer should be enabled.
  299.      */
  300.     private Boolean pipAnalyzerEnabled;
  301.     /**
  302.      * Whether the Maven install.json analyzer should be enabled.
  303.      */
  304.     private Boolean mavenInstallAnalyzerEnabled;
  305.     /**
  306.      * Whether the pipfile analyzer should be enabled.
  307.      */
  308.     private Boolean pipfileAnalyzerEnabled;
  309.     /**
  310.      * Whether the Poetry analyzer should be enabled.
  311.      */
  312.     private Boolean poetryAnalyzerEnabled;
  313.     /**
  314.      * Sets the path for the mix_audit binary.
  315.      */
  316.     private String mixAuditPath;
  317.     /**
  318.      * Sets the path for the bundle-audit binary.
  319.      */
  320.     private String bundleAuditPath;
  321.     /**
  322.      * Sets the path for the working directory that the bundle-audit binary
  323.      * should be executed from.
  324.      */
  325.     private String bundleAuditWorkingDirectory;
  326.     /**
  327.      * Whether or not the CocoaPods Analyzer is enabled.
  328.      */
  329.     private Boolean cocoapodsAnalyzerEnabled;
  330.     /**
  331.      * Whether or not the Carthage Analyzer is enabled.
  332.      */
  333.     private Boolean carthageAnalyzerEnabled;

  334.     /**
  335.      * Whether or not the Swift package Analyzer is enabled.
  336.      */
  337.     private Boolean swiftPackageManagerAnalyzerEnabled;
  338.     /**
     * Whether or not the Swift Package Resolved Analyzer is enabled.
  340.      */
  341.     private Boolean swiftPackageResolvedAnalyzerEnabled;

  342.     /**
  343.      * Whether or not the Sonatype OSS Index analyzer is enabled.
  344.      */
  345.     private Boolean ossindexAnalyzerEnabled;
  346.     /**
  347.      * Whether or not the Sonatype OSS Index analyzer should cache results.
  348.      */
  349.     private Boolean ossindexAnalyzerUseCache;
  350.     /**
  351.      * URL of the Sonatype OSS Index service.
  352.      */
  353.     private String ossindexAnalyzerUrl;
  354.     /**
  355.      * The username to use for the Sonatype OSS Index service.
  356.      */
  357.     private String ossindexAnalyzerUsername;
  358.     /**
  359.      * The password to use for the Sonatype OSS Index service.
  360.      */
  361.     private String ossindexAnalyzerPassword;
  362.     /**
  363.      * Whether we should only warn about Sonatype OSS Index remote errors
  364.      * instead of failing completely.
  365.      */
  366.     private Boolean ossIndexAnalyzerWarnOnlyOnRemoteErrors;

  367.     /**
  368.      * Whether or not the Artifactory Analyzer is enabled.
  369.      */
  370.     private Boolean artifactoryAnalyzerEnabled;
  371.     /**
  372.      * The URL to Artifactory.
  373.      */
  374.     private String artifactoryAnalyzerUrl;
  375.     /**
     * Whether or not Artifactory analysis should use the proxy.
  377.      */
  378.     private Boolean artifactoryAnalyzerUseProxy;
  379.     /**
  380.      * Whether or not Artifactory analysis should be parallelized.
  381.      */
  382.     private Boolean artifactoryAnalyzerParallelAnalysis;
  383.     /**
  384.      * The Artifactory username needed to connect.
  385.      */
  386.     private String artifactoryAnalyzerUsername;
  387.     /**
  388.      * The Artifactory API token needed to connect.
  389.      */
  390.     private String artifactoryAnalyzerApiToken;
  391.     /**
  392.      * The Artifactory bearer token.
  393.      */
  394.     private String artifactoryAnalyzerBearerToken;
  395.     /**
     * Whether the version check is enabled.
  397.      */
  398.     private Boolean versionCheckEnabled;

  399.     /**
     * Whether an unused suppression rule should force the build to fail.
  401.      */
  402.     private boolean failBuildOnUnusedSuppressionRule = false;

  403.     /**
  404.      * The username to download user-authored suppression files from an HTTP Basic auth protected location.
  405.      */
  406.     private String suppressionFileUser;
  407.     /**
  408.      * The password to download user-authored suppression files from an HTTP Basic auth protected location.
  409.      */
  410.     private String suppressionFilePassword;
  411.     /**
  412.      * The token to download user-authored suppression files from an HTTP Bearer auth protected location.
  413.      */
  414.     private String suppressionFileBearerToken;

  415.     //region Code copied from org.apache.tools.ant.taskdefs.PathConvert
    //The following code was copied from Apache Ant's PathConvert task
  417.     /**
  418.      * Path to be converted
  419.      */
  420.     private Resources path = null;
  421.     /**
  422.      * Reference to path/file set to convert
  423.      */
  424.     private Reference refId = null;

  425.     /**
  426.      * Add an arbitrary ResourceCollection.
  427.      *
  428.      * @param rc the ResourceCollection to add.
  429.      * @since Ant 1.7
  430.      */
    public void add(ResourceCollection rc) {
        // Nested resource collections and the refId attribute are mutually
        // exclusive; accept the nested element only when no refId was given.
        if (!isReference()) {
            getPath().add(rc);
            return;
        }
        throw new BuildException("Nested elements are not allowed when using the refId attribute.");
    }

  437.     /**
     * Returns the path. If the path has not been initialized yet, this
     * synchronized method instantiates the path object first.
  440.      *
  441.      * @return the path
  442.      */
    private synchronized Resources getPath() {
        // Lazily create the backing Resources on first use; the method is
        // synchronized so the null check and the assignment form one step.
        if (path == null) {
            final Resources fresh = new Resources(getProject());
            path = fresh;
            // Ask Ant to cache the collected resources on this instance.
            fresh.setCache(true);
        }
        return path;
    }

  450.     /**
     * Learn whether the refId attribute of this element has been set.
  452.      *
  453.      * @return true if refId is valid.
  454.      */
    public boolean isReference() {
        // A non-null refId means the build file wired an existing Ant reference
        // instead of nesting resource collections.
        return null != refId;
    }

  458.     /**
  459.      * Add a reference to a Path, FileSet, DirSet, or FileList defined
  460.      * elsewhere.
  461.      *
  462.      * @param r the reference to a path, fileset, dirset or filelist.
  463.      */
    public synchronized void setRefId(Reference r) {
        // Once nested elements have populated the path, a refId can no longer
        // be accepted (the two configuration styles are mutually exclusive).
        final boolean nestedElementsPresent = path != null;
        if (nestedElementsPresent) {
            throw new BuildException("Nested elements are not allowed when using the refId attribute.");
        }
        this.refId = r;
    }

  470.     /**
  471.      * If this is a reference, this method will add the referenced resource
  472.      * collection to the collection of paths.
  473.      *
  474.      * @throws BuildException if the reference is not to a resource collection
  475.      */
  476.     //declaring a throw that extends runtime exception may be a bad practice
  477.     //but seems to be an ingrained practice within Ant as even the base `Task`
    //contains an `execute() throws BuildException`.
    @SuppressWarnings("squid:RedundantThrowsDeclarationCheck")
    private void dealWithReferences() throws BuildException {
        // Nothing to resolve when the task was configured with nested elements.
        if (!isReference()) {
            return;
        }
        final Object referenced = refId.getReferencedObject(getProject());
        if (referenced instanceof ResourceCollection) {
            getPath().add((ResourceCollection) referenced);
        } else {
            // The reference resolved to something Ant cannot iterate as resources.
            throw new BuildException("refId '" + refId.getRefId()
                    + "' does not refer to a resource collection.");
        }
    }
  490.     //endregion COPIED from org.apache.tools.ant.taskdefs

  491.     /**
  492.      * Construct a new DependencyCheckTask.
  493.      */
    public Check() {
        super();
        // Bind the SLF4J static binder to this task before any core code logs,
        // so every message from dependency-check core is routed through this
        // task's Ant logger rather than a default backend.
        final StaticLoggerBinder binder = StaticLoggerBinder.getSingleton();
        binder.setTask(this);
    }

  500.     /**
  501.      * Add a suppression file.
  502.      * <p>
  503.      * This is called by Ant with the configured {@link SuppressionFile}.
  504.      *
  505.      * @param suppressionFile the suppression file to add.
  506.      */
    public void addConfiguredSuppressionFile(final SuppressionFile suppressionFile) {
        // Nested <suppressionFile> elements accumulate; each adds one path.
        final String configuredPath = suppressionFile.getPath();
        suppressionFiles.add(configuredPath);
    }

  510.     /**
  511.      * Add a report format.
  512.      * <p>
  513.      * This is called by Ant with the configured {@link ReportFormat}.
  514.      *
  515.      * @param reportFormat the reportFormat to add.
  516.      */
    public void addConfiguredReportFormat(final ReportFormat reportFormat) {
        // Nested <reportFormat> elements accumulate alongside the attribute form.
        final String format = reportFormat.getFormat();
        reportFormats.add(format);
    }

  520.     /**
  521.      * Sets whether the version check is enabled.
  522.      *
  523.      * @param versionCheckEnabled a Boolean indicating if the version check is
  524.      * enabled.
  525.      */
    public void setVersionCheckEnabled(Boolean versionCheckEnabled) {
        // Ant attribute setter; the boxed value is stored as given, so an
        // unset attribute leaves the field null.
        this.versionCheckEnabled = versionCheckEnabled;
    }

  529.     /**
  530.      * Get the value of projectName.
  531.      *
  532.      * @return the value of projectName
  533.      */
    public String getProjectName() {
        // Normalise a null name to the empty string and remember it, so
        // later calls observe the same value.
        if (projectName != null) {
            return projectName;
        }
        projectName = "";
        return projectName;
    }

  540.     /**
  541.      * Set the value of projectName.
  542.      *
  543.      * @param projectName new value of projectName
  544.      */
    public void setProjectName(String projectName) {
        // Overrides the default "dependency-check" name used in the report.
        this.projectName = projectName;
    }

  548.     /**
  549.      * Set the value of reportOutputDirectory.
  550.      *
  551.      * @param reportOutputDirectory new value of reportOutputDirectory
  552.      */
    public void setReportOutputDirectory(String reportOutputDirectory) {
        // Destination directory for the generated report; defaults to ".".
        this.reportOutputDirectory = reportOutputDirectory;
    }

  556.     /**
  557.      * Set the value of failBuildOnCVSS.
  558.      *
  559.      * @param failBuildOnCVSS new value of failBuildOnCVSS
  560.      */
    public void setFailBuildOnCVSS(float failBuildOnCVSS) {
        // Threshold in the documented 0..11 range; values above 10 can never
        // be reached by a CVSS score, so they disable build failure.
        this.failBuildOnCVSS = failBuildOnCVSS;
    }

  564.     /**
  565.      * Set the value of junitFailOnCVSS.
  566.      *
  567.      * @param junitFailOnCVSS new value of junitFailOnCVSS
  568.      */
    public void setJunitFailOnCVSS(float junitFailOnCVSS) {
        // CVSS threshold reported as a failure in the JUNIT report format only.
        this.junitFailOnCVSS = junitFailOnCVSS;
    }

  572.     /**
  573.      * Set the value of autoUpdate.
  574.      *
  575.      * @param autoUpdate new value of autoUpdate
  576.      */
    public void setAutoUpdate(Boolean autoUpdate) {
        // Controls NVD data auto-update; the field doc advises against false
        // because scans then run against potentially stale vulnerability data.
        this.autoUpdate = autoUpdate;
    }

  580.     /**
  581.      * Set the value of prettyPrint.
  582.      *
  583.      * @param prettyPrint new value of prettyPrint
  584.      */
    public void setPrettyPrint(boolean prettyPrint) {
        // Boxed explicitly: the field stays null until Ant supplies the attribute.
        this.prettyPrint = Boolean.valueOf(prettyPrint);
    }

  588.     /**
  589.      * Set the value of reportFormat.
  590.      *
  591.      * @param reportFormat new value of reportFormat
  592.      */
    public void setReportFormat(ReportFormats reportFormat) {
        final String format = reportFormat.getValue();
        this.reportFormat = format;
        // The single-valued attribute also feeds the multi-valued list so
        // both configuration styles end up in reportFormats.
        this.reportFormats.add(format);
    }

  597.     /**
  598.      * Get the value of reportFormats.
  599.      *
  600.      * @return the value of reportFormats
  601.      */
    public List<String> getReportFormats() {
        final List<String> formats = this.reportFormats;
        if (formats.isEmpty()) {
            // No nested <reportFormat> elements: fall back to the single
            // reportFormat attribute (default "HTML").
            formats.add(this.reportFormat);
        }
        // Returns the live internal list, not a copy.
        return formats;
    }

  608.     /**
  609.      * Set the value of suppressionFile.
  610.      *
  611.      * @param suppressionFile new value of suppressionFile
  612.      */
    public void setSuppressionFile(String suppressionFile) {
        // Despite the setter name this appends: repeated calls and nested
        // <suppressionFile> elements all accumulate in the same list.
        this.suppressionFiles.add(suppressionFile);
    }

  616.     /**
  617.      * Sets the username to download user-authored suppression files from an HTTP Basic auth protected location.
  618.      *
  619.      * @param suppressionFileUser The username
  620.      */
    public void setSuppressionFileUser(String suppressionFileUser) {
        // HTTP Basic username for fetching remote suppression files.
        this.suppressionFileUser = suppressionFileUser;
    }

  624.     /**
  625.      * Sets the password/token to download user-authored suppression files from an HTTP Basic auth protected location.
  626.      *
  627.      * @param suppressionFilePassword The password/token
  628.      */
    public void setSuppressionFilePassword(String suppressionFilePassword) {
        // Credential for fetching remote suppression files; keep it out of
        // task log output and summaries.
        this.suppressionFilePassword = suppressionFilePassword;
    }

  632.     /**
  633.      * Sets the token to download user-authored suppression files from an HTTP Bearer auth protected location.
  634.      *
  635.      * @param suppressionFileBearerToken The token
  636.      */
    public void setSuppressionFileBearerToken(String suppressionFileBearerToken) {
        // Bearer credential for fetching remote suppression files; treat it as
        // a secret and never echo it in log output.
        this.suppressionFileBearerToken = suppressionFileBearerToken;
    }

  640.     /**
  641.      * Set the value of hintsFile.
  642.      *
  643.      * @param hintsFile new value of hintsFile
  644.      */
    public void setHintsFile(String hintsFile) {
        // Single hints file: each call replaces the previous value (unlike
        // suppression files, which accumulate).
        this.hintsFile = hintsFile;
    }

  648.     /**
  649.      * Set the value of showSummary.
  650.      *
  651.      * @param showSummary new value of showSummary
  652.      */
    public void setShowSummary(boolean showSummary) {
        // Toggles the findings summary; defaults to true.
        this.showSummary = showSummary;
    }

  656.     /**
  657.      * Set the value of enableExperimental.
  658.      *
  659.      * @param enableExperimental new value of enableExperimental
  660.      */
    public void setEnableExperimental(Boolean enableExperimental) {
        // Opt-in for analyzers flagged experimental; stored as given.
        this.enableExperimental = enableExperimental;
    }

  664.     /**
  665.      * Set the value of enableRetired.
  666.      *
  667.      * @param enableRetired new value of enableRetired
  668.      */
    public void setEnableRetired(Boolean enableRetired) {
        // Opt-in for analyzers flagged retired; stored as given.
        this.enableRetired = enableRetired;
    }

  672.     /**
  673.      * Sets whether or not the analyzer is enabled.
  674.      *
  675.      * @param jarAnalyzerEnabled the value of the new setting
  676.      */
    public void setJarAnalyzerEnabled(Boolean jarAnalyzerEnabled) {
        // Ant attribute setter for the Jar Analyzer toggle.
        this.jarAnalyzerEnabled = jarAnalyzerEnabled;
    }

  680.     /**
  681.      * Sets whether the analyzer is enabled.
  682.      *
  683.      * @param archiveAnalyzerEnabled the value of the new setting
  684.      */
    public void setArchiveAnalyzerEnabled(Boolean archiveAnalyzerEnabled) {
        // Ant attribute setter for the Archive Analyzer toggle.
        this.archiveAnalyzerEnabled = archiveAnalyzerEnabled;
    }

  688.     /**
  689.      * Sets whether or not the analyzer is enabled.
  690.      *
  691.      * @param assemblyAnalyzerEnabled the value of the new setting
  692.      */
    public void setAssemblyAnalyzerEnabled(Boolean assemblyAnalyzerEnabled) {
        // Ant attribute setter for the .NET Assembly Analyzer toggle.
        this.assemblyAnalyzerEnabled = assemblyAnalyzerEnabled;
    }

  696.     /**
  697.      * Sets whether or not the analyzer is enabled.
  698.      *
  699.      * @param msbuildAnalyzerEnabled the value of the new setting
  700.      */
    public void setMSBuildAnalyzerEnabled(Boolean msbuildAnalyzerEnabled) {
        // Ant attribute setter for the MS Build Assembly Analyzer toggle.
        this.msbuildAnalyzerEnabled = msbuildAnalyzerEnabled;
    }

  704.     /**
  705.      * Sets whether or not the analyzer is enabled.
  706.      *
  707.      * @param nuspecAnalyzerEnabled the value of the new setting
  708.      */
    public void setNuspecAnalyzerEnabled(Boolean nuspecAnalyzerEnabled) {
        // Ant attribute setter for the .NET Nuspec Analyzer toggle.
        this.nuspecAnalyzerEnabled = nuspecAnalyzerEnabled;
    }

  712.     /**
  713.      * Sets whether or not the analyzer is enabled.
  714.      *
  715.      * @param nugetconfAnalyzerEnabled the value of the new setting
  716.      */
    public void setNugetconfAnalyzerEnabled(Boolean nugetconfAnalyzerEnabled) {
        // Ant attribute setter for the Nuget packages.config Analyzer toggle.
        this.nugetconfAnalyzerEnabled = nugetconfAnalyzerEnabled;
    }

  720.     /**
  721.      * Sets whether or not the analyzer is enabled.
  722.      *
  723.      * @param libmanAnalyzerEnabled the value of the new setting
  724.      */
    public void setLibmanAnalyzerEnabled(Boolean libmanAnalyzerEnabled) {
        // Ant attribute setter for the Libman Analyzer toggle.
        this.libmanAnalyzerEnabled = libmanAnalyzerEnabled;
    }

  728.     /**
  729.      * Set the value of composerAnalyzerEnabled.
  730.      *
  731.      * @param composerAnalyzerEnabled new value of composerAnalyzerEnabled
  732.      */
    public void setComposerAnalyzerEnabled(Boolean composerAnalyzerEnabled) {
        // Ant attribute setter for the PHP Composer Analyzer toggle.
        this.composerAnalyzerEnabled = composerAnalyzerEnabled;
    }

  736.     /**
  737.      * Set the value of composerAnalyzerSkipDev.
  738.      *
  739.      * @param composerAnalyzerSkipDev new value of composerAnalyzerSkipDev
  740.      */
    public void setComposerAnalyzerSkipDev(Boolean composerAnalyzerSkipDev) {
        // When true the Composer analyzer ignores the "packages-dev" section.
        this.composerAnalyzerSkipDev = composerAnalyzerSkipDev;
    }

  744.     /**
  745.      * Set the value of cpanfileAnalyzerEnabled.
  746.      *
  747.      * @param cpanfileAnalyzerEnabled new value of cpanfileAnalyzerEnabled
  748.      */
    public void setCpanfileAnalyzerEnabled(Boolean cpanfileAnalyzerEnabled) {
        // Ant attribute setter for the Perl CPAN File Analyzer toggle.
        this.cpanfileAnalyzerEnabled = cpanfileAnalyzerEnabled;
    }

  752.     /**
  753.      * Set the value of autoconfAnalyzerEnabled.
  754.      *
  755.      * @param autoconfAnalyzerEnabled new value of autoconfAnalyzerEnabled
  756.      */
    public void setAutoconfAnalyzerEnabled(Boolean autoconfAnalyzerEnabled) {
        // Ant attribute setter for the autoconf analyzer toggle.
        this.autoconfAnalyzerEnabled = autoconfAnalyzerEnabled;
    }

  760.     /**
  761.      * Set the value of pipAnalyzerEnabled.
  762.      *
  763.      * @param pipAnalyzerEnabled new value of pipAnalyzerEnabled
  764.      */
    public void setPipAnalyzerEnabled(Boolean pipAnalyzerEnabled) {
        // Ant attribute setter for the pip analyzer toggle.
        this.pipAnalyzerEnabled = pipAnalyzerEnabled;
    }

  768.     /**
  769.      * Set the value of pipfileAnalyzerEnabled.
  770.      *
  771.      * @param pipfileAnalyzerEnabled new value of pipfileAnalyzerEnabled
  772.      */
    public void setPipfileAnalyzerEnabled(Boolean pipfileAnalyzerEnabled) {
        // Ant attribute setter for the pipfile analyzer toggle.
        this.pipfileAnalyzerEnabled = pipfileAnalyzerEnabled;
    }

  776.     /**
  777.      * Set the value of poetryAnalyzerEnabled.
  778.      *
  779.      * @param poetryAnalyzerEnabled new value of poetryAnalyzerEnabled
  780.      */
    public void setPoetryAnalyzerEnabled(Boolean poetryAnalyzerEnabled) {
        // Ant attribute setter for the Poetry analyzer toggle.
        this.poetryAnalyzerEnabled = poetryAnalyzerEnabled;
    }

  784.     /**
  785.      * Sets if the Bundle Audit Analyzer is enabled.
  786.      *
  787.      * @param bundleAuditAnalyzerEnabled whether or not the analyzer should be
  788.      * enabled
  789.      */
    public void setBundleAuditAnalyzerEnabled(Boolean bundleAuditAnalyzerEnabled) {
        // Ant attribute setter for the Ruby Bundle Audit Analyzer toggle.
        this.bundleAuditAnalyzerEnabled = bundleAuditAnalyzerEnabled;
    }

    /**
     * Sets the path to the bundle audit executable. The value is stored
     * verbatim and forwarded to {@code Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH}
     * by {@code populateSettings()}; no existence or permission check is done
     * here, so the path should come from trusted build configuration.
     *
     * @param bundleAuditPath the path to the bundle audit executable
     */
    public void setBundleAuditPath(String bundleAuditPath) {
        this.bundleAuditPath = bundleAuditPath;
    }

    /**
     * Sets the working directory the bundle audit executable is run from.
     * Stored verbatim and forwarded to
     * {@code Settings.KEYS.ANALYZER_BUNDLE_AUDIT_WORKING_DIRECTORY} by
     * {@code populateSettings()}; not validated here.
     *
     * @param bundleAuditWorkingDirectory the path to the working directory that
     * the bundle audit executable should be executed from.
     */
    public void setBundleAuditWorkingDirectory(String bundleAuditWorkingDirectory) {
        this.bundleAuditWorkingDirectory = bundleAuditWorkingDirectory;
    }

    /**
     * Enables or disables the CocoaPods analyzer. Forwarded to
     * {@code Settings.KEYS.ANALYZER_COCOAPODS_ENABLED} by
     * {@code populateSettings()}; {@code null} keeps the engine default.
     *
     * @param cocoapodsAnalyzerEnabled {@code true} to enable, {@code false} to
     * disable, {@code null} to keep the default
     */
    public void setCocoapodsAnalyzerEnabled(Boolean cocoapodsAnalyzerEnabled) {
        this.cocoapodsAnalyzerEnabled = cocoapodsAnalyzerEnabled;
    }

    /**
     * Enables or disables the Carthage analyzer. Forwarded to
     * {@code Settings.KEYS.ANALYZER_CARTHAGE_ENABLED} by
     * {@code populateSettings()}; {@code null} keeps the engine default.
     *
     * @param carthageAnalyzerEnabled {@code true} to enable, {@code false} to
     * disable, {@code null} to keep the default
     */
    public void setCarthageAnalyzerEnabled(Boolean carthageAnalyzerEnabled) {
        this.carthageAnalyzerEnabled = carthageAnalyzerEnabled;
    }

    /**
     * Enables or disables the Swift Package Manager analyzer. Forwarded to
     * {@code Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED} by
     * {@code populateSettings()}; {@code null} keeps the engine default.
     *
     * @param swiftPackageManagerAnalyzerEnabled {@code true} to enable,
     * {@code false} to disable, {@code null} to keep the default
     */
    public void setSwiftPackageManagerAnalyzerEnabled(Boolean swiftPackageManagerAnalyzerEnabled) {
        this.swiftPackageManagerAnalyzerEnabled = swiftPackageManagerAnalyzerEnabled;
    }

    /**
     * Enables or disables the Swift Package.resolved analyzer (distinct from
     * the Swift Package Manager analyzer). Forwarded to
     * {@code Settings.KEYS.ANALYZER_SWIFT_PACKAGE_RESOLVED_ENABLED} by
     * {@code populateSettings()}; {@code null} keeps the engine default.
     *
     * @param swiftPackageResolvedAnalyzerEnabled {@code true} to enable,
     * {@code false} to disable, {@code null} to keep the default
     */
    public void setSwiftPackageResolvedAnalyzerEnabled(Boolean swiftPackageResolvedAnalyzerEnabled) {
        this.swiftPackageResolvedAnalyzerEnabled = swiftPackageResolvedAnalyzerEnabled;
    }

    /**
     * Enables or disables the OpenSSL analyzer. Forwarded to
     * {@code Settings.KEYS.ANALYZER_OPENSSL_ENABLED} by
     * {@code populateSettings()}; {@code null} keeps the engine default.
     *
     * @param opensslAnalyzerEnabled {@code true} to enable, {@code false} to
     * disable, {@code null} to keep the default
     */
    public void setOpensslAnalyzerEnabled(Boolean opensslAnalyzerEnabled) {
        this.opensslAnalyzerEnabled = opensslAnalyzerEnabled;
    }

    /**
     * Enables or disables the Node package (package.json) analyzer. Forwarded
     * to {@code Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED} by
     * {@code populateSettings()}; {@code null} keeps the engine default.
     *
     * @param nodeAnalyzerEnabled {@code true} to enable, {@code false} to
     * disable, {@code null} to keep the default
     */
    public void setNodeAnalyzerEnabled(Boolean nodeAnalyzerEnabled) {
        this.nodeAnalyzerEnabled = nodeAnalyzerEnabled;
    }

    /**
     * Enables or disables the Node Audit analyzer. Forwarded to
     * {@code Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED} by
     * {@code populateSettings()}; {@code null} keeps the engine default.
     *
     * @param nodeAuditAnalyzerEnabled {@code true} to enable, {@code false} to
     * disable, {@code null} to keep the default
     */
    public void setNodeAuditAnalyzerEnabled(Boolean nodeAuditAnalyzerEnabled) {
        this.nodeAuditAnalyzerEnabled = nodeAuditAnalyzerEnabled;
    }

    /**
     * Enables or disables the Yarn Audit analyzer. Forwarded to
     * {@code Settings.KEYS.ANALYZER_YARN_AUDIT_ENABLED} by
     * {@code populateSettings()}; {@code null} keeps the engine default.
     *
     * @param yarnAuditAnalyzerEnabled {@code true} to enable, {@code false} to
     * disable, {@code null} to keep the default
     */
    public void setYarnAuditAnalyzerEnabled(Boolean yarnAuditAnalyzerEnabled) {
        this.yarnAuditAnalyzerEnabled = yarnAuditAnalyzerEnabled;
    }

    /**
     * Enables or disables the pnpm Audit analyzer. Forwarded to
     * {@code Settings.KEYS.ANALYZER_PNPM_AUDIT_ENABLED} by
     * {@code populateSettings()}; {@code null} keeps the engine default.
     *
     * @param pnpmAuditAnalyzerEnabled {@code true} to enable, {@code false} to
     * disable, {@code null} to keep the default
     */
    public void setPnpmAuditAnalyzerEnabled(Boolean pnpmAuditAnalyzerEnabled) {
        this.pnpmAuditAnalyzerEnabled = pnpmAuditAnalyzerEnabled;
    }

    /**
     * Controls whether the Node Audit analyzer may use its local cache.
     * Forwarded to {@code Settings.KEYS.ANALYZER_NODE_AUDIT_USE_CACHE} by
     * {@code populateSettings()}; {@code null} keeps the engine default.
     *
     * @param nodeAuditAnalyzerUseCache {@code true} to use the cache,
     * {@code false} to bypass it, {@code null} to keep the default
     */
    public void setNodeAuditAnalyzerUseCache(Boolean nodeAuditAnalyzerUseCache) {
        this.nodeAuditAnalyzerUseCache = nodeAuditAnalyzerUseCache;
    }

    /**
     * Controls whether the Node package analyzer skips dev dependencies.
     * Forwarded to {@code Settings.KEYS.ANALYZER_NODE_PACKAGE_SKIPDEV} by
     * {@code populateSettings()}; {@code null} keeps the engine default.
     *
     * @param nodePackageSkipDevDependencies {@code true} to skip dev
     * dependencies, {@code false} to include them, {@code null} to keep the
     * default
     */
    public void setNodePackageSkipDevDependencies(Boolean nodePackageSkipDevDependencies) {
        this.nodePackageSkipDevDependencies = nodePackageSkipDevDependencies;
    }

    /**
     * Controls whether the Node Audit analyzer skips dev dependencies.
     * Forwarded to {@code Settings.KEYS.ANALYZER_NODE_AUDIT_SKIPDEV} by
     * {@code populateSettings()}; {@code null} keeps the engine default.
     *
     * @param nodeAuditSkipDevDependencies {@code true} to skip dev
     * dependencies, {@code false} to include them, {@code null} to keep the
     * default
     */
    public void setNodeAuditSkipDevDependencies(Boolean nodeAuditSkipDevDependencies) {
        this.nodeAuditSkipDevDependencies = nodeAuditSkipDevDependencies;
    }

    /**
     * Controls whether the RetireJS analyzer drops findings for non-vulnerable
     * JavaScript libraries. Forwarded to
     * {@code Settings.KEYS.ANALYZER_RETIREJS_FILTER_NON_VULNERABLE} by
     * {@code populateSettings()}; {@code null} keeps the engine default.
     *
     * @param retirejsFilterNonVulnerable {@code true} to filter non-vulnerable
     * entries, {@code false} to keep them, {@code null} to keep the default
     */
    public void setRetirejsFilterNonVulnerable(Boolean retirejsFilterNonVulnerable) {
        this.retirejsFilterNonVulnerable = retirejsFilterNonVulnerable;
    }

    /**
     * Adds one regular expression to the RetireJS content filters; the whole
     * list is forwarded to {@code Settings.KEYS.ANALYZER_RETIREJS_FILTERS} by
     * {@code populateSettings()}.
     * <p>
     * Invoked by Ant for each nested {@code <retirejsFilter>} element.
     *
     * @param retirejsFilter the nested element carrying the regular expression
     * used to filter on file content
     */
    public void addConfiguredRetirejsFilter(final RetirejsFilter retirejsFilter) {
        final String contentRegex = retirejsFilter.getRegex();
        retirejsFilters.add(contentRegex);
    }

    /**
     * Enables or disables the Ruby gemspec analyzer. Forwarded to
     * {@code Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED} by
     * {@code populateSettings()}; {@code null} keeps the engine default.
     *
     * @param rubygemsAnalyzerEnabled {@code true} to enable, {@code false} to
     * disable, {@code null} to keep the default
     */
    public void setRubygemsAnalyzerEnabled(Boolean rubygemsAnalyzerEnabled) {
        this.rubygemsAnalyzerEnabled = rubygemsAnalyzerEnabled;
    }

    /**
     * Enables or disables the Python package analyzer. Forwarded to
     * {@code Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED} by
     * {@code populateSettings()}; {@code null} keeps the engine default.
     *
     * @param pyPackageAnalyzerEnabled {@code true} to enable, {@code false} to
     * disable, {@code null} to keep the default
     */
    public void setPyPackageAnalyzerEnabled(Boolean pyPackageAnalyzerEnabled) {
        this.pyPackageAnalyzerEnabled = pyPackageAnalyzerEnabled;
    }

    /**
     * Enables or disables the Python distribution analyzer. Forwarded to
     * {@code Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED} by
     * {@code populateSettings()}; {@code null} keeps the engine default.
     *
     * @param pyDistributionAnalyzerEnabled {@code true} to enable,
     * {@code false} to disable, {@code null} to keep the default
     */
    public void setPyDistributionAnalyzerEnabled(Boolean pyDistributionAnalyzerEnabled) {
        this.pyDistributionAnalyzerEnabled = pyDistributionAnalyzerEnabled;
    }

    /**
     * Enables or disables the Elixir mix_audit analyzer. Forwarded to
     * {@code Settings.KEYS.ANALYZER_MIX_AUDIT_ENABLED} by
     * {@code populateSettings()}; {@code null} keeps the engine default.
     *
     * @param mixAuditAnalyzerEnabled {@code true} to enable, {@code false} to
     * disable, {@code null} to keep the default
     */
    public void setMixAuditAnalyzerEnabled(Boolean mixAuditAnalyzerEnabled) {
        this.mixAuditAnalyzerEnabled = mixAuditAnalyzerEnabled;
    }

    /**
     * Sets the path to the mix audit executable. Stored verbatim and forwarded
     * to {@code Settings.KEYS.ANALYZER_MIX_AUDIT_PATH} by
     * {@code populateSettings()}; no existence or permission check is done
     * here, so the path should come from trusted build configuration.
     *
     * @param mixAuditPath the path to the mix audit executable
     */
    public void setMixAuditPath(String mixAuditPath) {
        this.mixAuditPath = mixAuditPath;
    }
    /**
     * Enables or disables the Maven Central analyzer. Forwarded to
     * {@code Settings.KEYS.ANALYZER_CENTRAL_ENABLED} by
     * {@code populateSettings()}; {@code null} keeps the engine default.
     *
     * @param centralAnalyzerEnabled {@code true} to enable, {@code false} to
     * disable, {@code null} to keep the default
     */
    public void setCentralAnalyzerEnabled(Boolean centralAnalyzerEnabled) {
        this.centralAnalyzerEnabled = centralAnalyzerEnabled;
    }

    /**
     * Controls whether the Maven Central analyzer may use its local cache.
     * Forwarded to {@code Settings.KEYS.ANALYZER_CENTRAL_USE_CACHE} by
     * {@code populateSettings()}; {@code null} keeps the engine default.
     *
     * @param centralAnalyzerUseCache {@code true} to use the cache,
     * {@code false} to bypass it, {@code null} to keep the default
     */
    public void setCentralAnalyzerUseCache(Boolean centralAnalyzerUseCache) {
        this.centralAnalyzerUseCache = centralAnalyzerUseCache;
    }

    /**
     * Enables or disables the Nexus analyzer. Forwarded to
     * {@code Settings.KEYS.ANALYZER_NEXUS_ENABLED} by
     * {@code populateSettings()}; {@code null} keeps the engine default.
     *
     * @param nexusAnalyzerEnabled {@code true} to enable, {@code false} to
     * disable, {@code null} to keep the default
     */
    public void setNexusAnalyzerEnabled(Boolean nexusAnalyzerEnabled) {
        this.nexusAnalyzerEnabled = nexusAnalyzerEnabled;
    }

    /**
     * Enables or disables the Golang dep (Gopkg.lock) analyzer. Forwarded to
     * {@code Settings.KEYS.ANALYZER_GOLANG_DEP_ENABLED} by
     * {@code populateSettings()}; {@code null} keeps the engine default.
     *
     * @param golangDepEnabled {@code true} to enable, {@code false} to
     * disable, {@code null} to keep the default
     */
    public void setGolangDepEnabled(Boolean golangDepEnabled) {
        this.golangDepEnabled = golangDepEnabled;
    }

    /**
     * Enables or disables the Golang module (go.mod) analyzer. Forwarded to
     * {@code Settings.KEYS.ANALYZER_GOLANG_MOD_ENABLED} by
     * {@code populateSettings()}; {@code null} keeps the engine default.
     *
     * @param golangModEnabled {@code true} to enable, {@code false} to
     * disable, {@code null} to keep the default
     */
    public void setGolangModEnabled(Boolean golangModEnabled) {
        this.golangModEnabled = golangModEnabled;
    }

    /**
     * Enables or disables the Dart analyzer. Forwarded to
     * {@code Settings.KEYS.ANALYZER_DART_ENABLED} by
     * {@code populateSettings()}; {@code null} keeps the engine default.
     *
     * @param dartAnalyzerEnabled {@code true} to enable, {@code false} to
     * disable, {@code null} to keep the default
     */
    public void setDartAnalyzerEnabled(Boolean dartAnalyzerEnabled) {
        this.dartAnalyzerEnabled = dartAnalyzerEnabled;
    }

    /**
     * Sets the path to the {@code yarn} executable used by the Yarn Audit
     * analyzer. Stored verbatim and forwarded to
     * {@code Settings.KEYS.ANALYZER_YARN_PATH} by {@code populateSettings()};
     * not validated here, so it should come from trusted build configuration.
     *
     * @param pathToYarn the path to the yarn executable
     */
    public void setPathToYarn(String pathToYarn) {
        this.pathToYarn = pathToYarn;
    }

    /**
     * Sets the path to the {@code pnpm} executable used by the pnpm Audit
     * analyzer. Stored verbatim and forwarded to
     * {@code Settings.KEYS.ANALYZER_PNPM_PATH} by {@code populateSettings()};
     * not validated here, so it should come from trusted build configuration.
     *
     * @param pathToPnpm the path to the pnpm executable
     */
    public void setPathToPnpm(String pathToPnpm) {
        this.pathToPnpm = pathToPnpm;
    }

    /**
     * Sets the path to the {@code go} executable used by the Golang module
     * analyzer. Stored verbatim and forwarded to
     * {@code Settings.KEYS.ANALYZER_GOLANG_PATH} by {@code populateSettings()};
     * not validated here, so it should come from trusted build configuration.
     *
     * @param pathToGo the path to the go executable
     */
    public void setPathToGo(String pathToGo) {
        this.pathToGo = pathToGo;
    }

    /**
     * Sets the Nexus server URL queried by the Nexus analyzer. Forwarded to
     * {@code Settings.KEYS.ANALYZER_NEXUS_URL} by {@code populateSettings()}
     * via {@code setStringIfNotEmpty}, so an empty value keeps the engine
     * default.
     *
     * @param nexusUrl the Nexus server URL
     */
    public void setNexusUrl(String nexusUrl) {
        this.nexusUrl = nexusUrl;
    }

    /**
     * Sets the user name for authenticating against the Nexus server.
     * Forwarded to {@code Settings.KEYS.ANALYZER_NEXUS_USER} by
     * {@code populateSettings()}; an empty value is ignored.
     *
     * @param nexusUser the Nexus user name
     */
    public void setNexusUser(String nexusUser) {
        this.nexusUser = nexusUser;
    }

    /**
     * Sets the password for authenticating against the Nexus server. This is
     * a credential: it is held in memory as a plain {@code String} and copied
     * verbatim into {@code Settings.KEYS.ANALYZER_NEXUS_PASSWORD} by
     * {@code populateSettings()}; prefer supplying it through an Ant property
     * provided at invocation time rather than a literal in a checked-in build
     * file. An empty value is ignored.
     *
     * @param nexusPassword the Nexus password
     */
    public void setNexusPassword(String nexusPassword) {
        this.nexusPassword = nexusPassword;
    }

    /**
     * Controls whether the Nexus analyzer routes requests through the
     * configured proxy. Forwarded to
     * {@code Settings.KEYS.ANALYZER_NEXUS_USES_PROXY} by
     * {@code populateSettings()}; {@code null} keeps the engine default.
     *
     * @param nexusUsesProxy {@code true} to use the proxy, {@code false} to
     * bypass it, {@code null} to keep the default
     */
    public void setNexusUsesProxy(Boolean nexusUsesProxy) {
        this.nexusUsesProxy = nexusUsesProxy;
    }

    /**
     * Sets additional file extensions the archive analyzer treats as ZIP
     * archives. Forwarded to {@code Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS}
     * by {@code populateSettings()}; an empty value is ignored. The format of
     * the value (presumably a delimited list) is defined by the engine, not
     * here.
     *
     * @param zipExtensions the additional ZIP extensions
     */
    public void setZipExtensions(String zipExtensions) {
        this.zipExtensions = zipExtensions;
    }

    /**
     * Sets the path to the {@code dotnet} executable used by the assembly
     * analyzer (Ant attribute {@code pathToDotnetCore}, stored in
     * {@code pathToCore}). Forwarded to
     * {@code Settings.KEYS.ANALYZER_ASSEMBLY_DOTNET_PATH} by
     * {@code populateSettings()}; an empty value is ignored and the path is
     * not validated here.
     *
     * @param pathToCore the path to the dotnet executable
     */
    public void setPathToDotnetCore(String pathToCore) {
        this.pathToCore = pathToCore;
    }

    /**
     * Enables or disables the OSS Index analyzer. Forwarded to
     * {@code Settings.KEYS.ANALYZER_OSSINDEX_ENABLED} by
     * {@code populateSettings()}; {@code null} keeps the engine default.
     *
     * @param ossindexAnalyzerEnabled {@code true} to enable, {@code false} to
     * disable, {@code null} to keep the default
     */
    public void setOssindexAnalyzerEnabled(Boolean ossindexAnalyzerEnabled) {
        this.ossindexAnalyzerEnabled = ossindexAnalyzerEnabled;
    }

    /**
     * Controls whether the OSS Index analyzer may use its local cache.
     * Forwarded to {@code Settings.KEYS.ANALYZER_OSSINDEX_USE_CACHE} by
     * {@code populateSettings()}; {@code null} keeps the engine default.
     *
     * @param ossindexAnalyzerUseCache {@code true} to use the cache,
     * {@code false} to bypass it, {@code null} to keep the default
     */
    public void setOssindexAnalyzerUseCache(Boolean ossindexAnalyzerUseCache) {
        this.ossindexAnalyzerUseCache = ossindexAnalyzerUseCache;
    }

    /**
     * Sets the OSS Index service URL. Forwarded to
     * {@code Settings.KEYS.ANALYZER_OSSINDEX_URL} by {@code populateSettings()};
     * an empty value is ignored.
     *
     * @param ossindexAnalyzerUrl the OSS Index service URL
     */
    public void setOssindexAnalyzerUrl(String ossindexAnalyzerUrl) {
        this.ossindexAnalyzerUrl = ossindexAnalyzerUrl;
    }

    /**
     * Sets the user name for the OSS Index service. Forwarded to
     * {@code Settings.KEYS.ANALYZER_OSSINDEX_USER} by
     * {@code populateSettings()}; an empty value is ignored.
     *
     * @param ossindexAnalyzerUsername the OSS Index user name
     */
    public void setOssindexAnalyzerUsername(String ossindexAnalyzerUsername) {
        this.ossindexAnalyzerUsername = ossindexAnalyzerUsername;
    }

    /**
     * Sets the password (or API token) for the OSS Index service. This is a
     * credential: it is held as a plain {@code String} and copied verbatim
     * into {@code Settings.KEYS.ANALYZER_OSSINDEX_PASSWORD} by
     * {@code populateSettings()}; prefer an Ant property supplied at
     * invocation time over a literal in a checked-in build file. An empty
     * value is ignored.
     *
     * @param ossindexAnalyzerPassword the OSS Index password
     */
    public void setOssindexAnalyzerPassword(String ossindexAnalyzerPassword) {
        this.ossindexAnalyzerPassword = ossindexAnalyzerPassword;
    }

    /**
     * Controls whether remote errors from the OSS Index service only produce
     * a warning instead of failing the analysis (Ant attribute
     * {@code ossIndexWarnOnlyOnRemoteErrors}, stored in
     * {@code ossIndexAnalyzerWarnOnlyOnRemoteErrors}). Forwarded to
     * {@code Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS} by
     * {@code populateSettings()}; {@code null} keeps the engine default. Note
     * that enabling this lets a scan complete with possibly incomplete OSS
     * Index data.
     *
     * @param ossIndexWarnOnlyOnRemoteErrors {@code true} to warn only,
     * {@code false} to fail, {@code null} to keep the default
     */
    public void setOssIndexWarnOnlyOnRemoteErrors(Boolean ossIndexWarnOnlyOnRemoteErrors) {
        this.ossIndexAnalyzerWarnOnlyOnRemoteErrors = ossIndexWarnOnlyOnRemoteErrors;
    }

    /**
     * Enables or disables the CMake analyzer. Forwarded to
     * {@code Settings.KEYS.ANALYZER_CMAKE_ENABLED} by
     * {@code populateSettings()}; {@code null} keeps the engine default.
     *
     * @param cmakeAnalyzerEnabled {@code true} to enable, {@code false} to
     * disable, {@code null} to keep the default
     */
    public void setCmakeAnalyzerEnabled(Boolean cmakeAnalyzerEnabled) {
        this.cmakeAnalyzerEnabled = cmakeAnalyzerEnabled;
    }

    /**
     * Enables or disables the Artifactory analyzer. Forwarded to
     * {@code Settings.KEYS.ANALYZER_ARTIFACTORY_ENABLED} by
     * {@code populateSettings()}; {@code null} keeps the engine default.
     *
     * @param artifactoryAnalyzerEnabled {@code true} to enable, {@code false}
     * to disable, {@code null} to keep the default
     */
    public void setArtifactoryAnalyzerEnabled(Boolean artifactoryAnalyzerEnabled) {
        this.artifactoryAnalyzerEnabled = artifactoryAnalyzerEnabled;
    }

    /**
     * Sets the Artifactory server URL. Forwarded to
     * {@code Settings.KEYS.ANALYZER_ARTIFACTORY_URL} by
     * {@code populateSettings()}; an empty value is ignored.
     *
     * @param artifactoryAnalyzerUrl the Artifactory server URL
     */
    public void setArtifactoryAnalyzerUrl(String artifactoryAnalyzerUrl) {
        this.artifactoryAnalyzerUrl = artifactoryAnalyzerUrl;
    }

    /**
     * Controls whether the Artifactory analyzer routes requests through the
     * configured proxy. Forwarded to
     * {@code Settings.KEYS.ANALYZER_ARTIFACTORY_USES_PROXY} by
     * {@code populateSettings()}; {@code null} keeps the engine default.
     *
     * @param artifactoryAnalyzerUseProxy {@code true} to use the proxy,
     * {@code false} to bypass it, {@code null} to keep the default
     */
    public void setArtifactoryAnalyzerUseProxy(Boolean artifactoryAnalyzerUseProxy) {
        this.artifactoryAnalyzerUseProxy = artifactoryAnalyzerUseProxy;
    }

    /**
     * Controls whether the Artifactory analyzer queries the server in
     * parallel. Forwarded to
     * {@code Settings.KEYS.ANALYZER_ARTIFACTORY_PARALLEL_ANALYSIS} by
     * {@code populateSettings()}; {@code null} keeps the engine default.
     *
     * @param artifactoryAnalyzerParallelAnalysis {@code true} for parallel
     * queries, {@code false} for sequential, {@code null} to keep the default
     */
    public void setArtifactoryAnalyzerParallelAnalysis(Boolean artifactoryAnalyzerParallelAnalysis) {
        this.artifactoryAnalyzerParallelAnalysis = artifactoryAnalyzerParallelAnalysis;
    }

    /**
     * Sets the user name paired with the Artifactory API token. Forwarded to
     * {@code Settings.KEYS.ANALYZER_ARTIFACTORY_API_USERNAME} by
     * {@code populateSettings()}; an empty value is ignored.
     *
     * @param artifactoryAnalyzerUsername the Artifactory user name
     */
    public void setArtifactoryAnalyzerUsername(String artifactoryAnalyzerUsername) {
        this.artifactoryAnalyzerUsername = artifactoryAnalyzerUsername;
    }

    /**
     * Sets the Artifactory API token. This is a credential: it is held as a
     * plain {@code String} and copied verbatim into
     * {@code Settings.KEYS.ANALYZER_ARTIFACTORY_API_TOKEN} by
     * {@code populateSettings()}; prefer an Ant property supplied at
     * invocation time over a literal in a checked-in build file. An empty
     * value is ignored.
     *
     * @param artifactoryAnalyzerApiToken the Artifactory API token
     */
    public void setArtifactoryAnalyzerApiToken(String artifactoryAnalyzerApiToken) {
        this.artifactoryAnalyzerApiToken = artifactoryAnalyzerApiToken;
    }

    /**
     * Sets the Artifactory bearer token. This is a credential: it is held as
     * a plain {@code String} and copied verbatim into
     * {@code Settings.KEYS.ANALYZER_ARTIFACTORY_BEARER_TOKEN} by
     * {@code populateSettings()}; prefer an Ant property supplied at
     * invocation time over a literal in a checked-in build file. An empty
     * value is ignored.
     *
     * @param artifactoryAnalyzerBearerToken the Artifactory bearer token
     */
    public void setArtifactoryAnalyzerBearerToken(String artifactoryAnalyzerBearerToken) {
        this.artifactoryAnalyzerBearerToken = artifactoryAnalyzerBearerToken;
    }

    /**
     * Controls whether a suppression rule that matched nothing fails the
     * build; this catches stale suppressions that would otherwise silently
     * stop masking anything. Forwarded to
     * {@code Settings.KEYS.FAIL_ON_UNUSED_SUPPRESSION_RULE} by
     * {@code populateSettings()}. Being a primitive, the value is always
     * pushed (there is no "unset" state).
     *
     * @param failBuildOnUnusedSuppressionRule {@code true} to fail the build
     * on an unused suppression rule
     */
    public void setFailBuildOnUnusedSuppressionRule(boolean failBuildOnUnusedSuppressionRule) {
        this.failBuildOnUnusedSuppressionRule = failBuildOnUnusedSuppressionRule;
    }

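    /**
     * Runs the task: validates and applies the configuration, scans every
     * file-backed resource of the configured path, analyzes the dependencies,
     * writes the reports, applies the CVSS threshold and optionally prints a
     * summary. Settings are cleaned up in all cases.
     * <p>
     * Error policy follows {@code isFailOnError()}: database and report
     * errors either fail the build or are logged at {@code MSG_ERR}. A fatal
     * {@link ExceptionCollection} with fail-on-error disabled skips the
     * report, the CVSS gate and the summary; that case is now logged so it
     * does not pass silently.
     *
     * @throws BuildException when the configuration is invalid, when the
     * downloader cannot be configured, or when an error occurs and the task is
     * configured to fail on error
     */
    //see note on `dealWithReferences()` for information on this suppression
    @SuppressWarnings("squid:RedundantThrowsDeclarationCheck")
    @Override
    protected void executeWithContextClassloader() throws BuildException {
        dealWithReferences();
        validateConfiguration();
        populateSettings();
        try {
            Downloader.getInstance().configure(getSettings());
        } catch (InvalidSettingException e) {
            throw new BuildException(e);
        }
        try (Engine engine = new Engine(Check.class.getClassLoader(), getSettings())) {
            // Only resources that resolve to an existing file on disk are scanned;
            // non-file resources and dangling paths are skipped without a message.
            for (Resource resource : getPath()) {
                final FileProvider provider = resource.as(FileProvider.class);
                if (provider != null) {
                    final File file = provider.getFile();
                    if (file != null && file.exists()) {
                        engine.scan(file);
                    }
                }
            }
            final ExceptionCollection exceptions = callExecuteAnalysis(engine);
            if (exceptions == null || !exceptions.isFatal()) {
                for (String format : getReportFormats()) {
                    engine.writeReports(getProjectName(), new File(reportOutputDirectory), format, exceptions);
                }
                // validateConfiguration() bounds failBuildOnCVSS to 0..11; 11 means
                // "never fail the build", so the gate only runs at or below 10.
                if (this.failBuildOnCVSS <= 10) {
                    checkForFailure(engine.getDependencies());
                }
                if (this.showSummary) {
                    DependencyCheckScanAgent.showSummary(engine.getDependencies());
                }
            } else {
                // callExecuteAnalysis() only returns a fatal collection when
                // failOnError is false; make the skipped report and CVSS gate visible
                // instead of ending the task with no output at all.
                log("Analysis ended with a fatal error; no report was written and the "
                        + "CVSS threshold was not evaluated", exceptions, Project.MSG_ERR);
            }
        } catch (DatabaseException ex) {
            final String msg = "Unable to connect to the dependency-check database; analysis has stopped";
            if (this.isFailOnError()) {
                throw new BuildException(msg, ex);
            }
            log(msg, ex, Project.MSG_ERR);
        } catch (ReportException ex) {
            final String msg = "Unable to generate the dependency-check report";
            if (this.isFailOnError()) {
                throw new BuildException(msg, ex);
            }
            log(msg, ex, Project.MSG_ERR);
        } finally {
            getSettings().cleanup();
        }
    }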

    /**
     * Runs {@code engine.analyzeDependencies()} and turns a thrown
     * {@link ExceptionCollection} into either a build failure or a return
     * value, depending on {@code isFailOnError()}.
     *
     * @param engine the engine whose scanned dependencies are analyzed
     * @return the exception collection raised by the analysis when the task is
     * not configured to fail on error; {@code null} if the analysis raised
     * none
     * @throws BuildException when the analysis raised exceptions and the task
     * is configured to fail on error
     */
    //see note on `dealWithReferences()` for information on this suppression
    @SuppressWarnings("squid:RedundantThrowsDeclarationCheck")
    private ExceptionCollection callExecuteAnalysis(final Engine engine) throws BuildException {
        try {
            engine.analyzeDependencies();
        } catch (ExceptionCollection collected) {
            if (this.isFailOnError()) {
                throw new BuildException(collected);
            }
            // best-effort mode: hand the collection back so the report can include it
            return collected;
        }
        return null;
    }

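    /**
     * Validate the configuration to ensure the parameters have been properly
     * configured/initialized: a path must be set and {@code failBuildOnCVSS}
     * must be a number in the range 0..11 (11 disables the CVSS gate).
     *
     * @throws BuildException if no path was configured, or if
     * {@code failBuildOnCVSS} is outside 0..11 or is NaN
     */
    //see note on `dealWithReferences()` for information on this suppression
    @SuppressWarnings("squid:RedundantThrowsDeclarationCheck")
    private synchronized void validateConfiguration() throws BuildException {
        if (path == null) {
            throw new BuildException("No project dependencies have been defined to analyze.");
        }
        // NaN compares false against both bounds, so the range test alone accepts it;
        // it would then also make `failBuildOnCVSS <= 10` false and silently skip
        // checkForFailure(), i.e. disable the CVSS gate without any error.
        if (Double.isNaN(failBuildOnCVSS) || failBuildOnCVSS < 0 || failBuildOnCVSS > 11) {
            throw new BuildException("Invalid configuration, failBuildOnCVSS must be between 0 and 11.");
        }
    }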

    /**
     * Takes the properties supplied and updates the dependency-check settings.
     * Additionally, this sets the system properties required to change the
     * proxy server, port, and connection timeout.
     * <p>
     * Values are pushed with the {@code *IfNotNull} / {@code *IfNotEmpty}
     * helpers, so an attribute the build file never set leaves the engine
     * default in place. Several of the values below are credentials
     * (suppression file, Artifactory, Nexus and OSS Index secrets); they are
     * copied into the shared {@code Settings} object verbatim, which is what
     * {@code Downloader} and the analyzers are configured from.
     *
     * @throws BuildException thrown when an invalid setting is configured.
     */
    //see note on `dealWithReferences()` for information on this suppression
    @SuppressWarnings("squid:RedundantThrowsDeclarationCheck")
    @Override
    protected void populateSettings() throws BuildException {
        super.populateSettings();
        // general engine behaviour and suppression / hints files
        getSettings().setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate);
        getSettings().setArrayIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFiles);
        // credentials used to fetch a remote suppression file
        getSettings().setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE_USER, suppressionFileUser);
        getSettings().setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE_PASSWORD, suppressionFilePassword);
        getSettings().setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE_BEARER_TOKEN, suppressionFileBearerToken);
        getSettings().setBooleanIfNotNull(Settings.KEYS.UPDATE_VERSION_CHECK_ENABLED, versionCheckEnabled);
        getSettings().setStringIfNotEmpty(Settings.KEYS.HINTS_FILE, hintsFile);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, enableExperimental);
        getSettings().setBooleanIfNotNull(Settings.KEYS.PRETTY_PRINT, prettyPrint);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIRED_ENABLED, enableRetired);
        // file-type analyzers
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, pyDistributionAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, pyPackageAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, rubygemsAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, opensslAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_CMAKE_ENABLED, cmakeAnalyzerEnabled);

        // Artifactory analyzer; username, API token and bearer token are credentials
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_ENABLED, artifactoryAnalyzerEnabled);
        getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_ARTIFACTORY_URL, artifactoryAnalyzerUrl);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_USES_PROXY, artifactoryAnalyzerUseProxy);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_PARALLEL_ANALYSIS, artifactoryAnalyzerParallelAnalysis);
        getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_ARTIFACTORY_API_USERNAME, artifactoryAnalyzerUsername);
        getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_ARTIFACTORY_API_TOKEN, artifactoryAnalyzerApiToken);
        getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_ARTIFACTORY_BEARER_TOKEN, artifactoryAnalyzerBearerToken);

        // ecosystem analyzers; the *_PATH keys name external executables the
        // corresponding analyzer runs, and are passed through unvalidated
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED, swiftPackageManagerAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_RESOLVED_ENABLED, swiftPackageResolvedAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_COCOAPODS_ENABLED, cocoapodsAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_CARTHAGE_ENABLED, carthageAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, bundleAuditAnalyzerEnabled);
        getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, bundleAuditPath);
        getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_WORKING_DIRECTORY, bundleAuditWorkingDirectory);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_MAVEN_INSTALL_ENABLED, mavenInstallAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PIP_ENABLED, pipAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PIPFILE_ENABLED, pipfileAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_POETRY_ENABLED, poetryAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_SKIP_DEV, composerAnalyzerSkipDev);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_CPANFILE_ENABLED, cpanfileAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_SKIPDEV, nodePackageSkipDevDependencies);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED, nodeAuditAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_YARN_AUDIT_ENABLED, yarnAuditAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PNPM_AUDIT_ENABLED, pnpmAuditAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_USE_CACHE, nodeAuditAnalyzerUseCache);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_SKIPDEV, nodeAuditSkipDevDependencies);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_FILTER_NON_VULNERABLE, retirejsFilterNonVulnerable);
        getSettings().setArrayIfNotEmpty(Settings.KEYS.ANALYZER_RETIREJS_FILTERS, retirejsFilters);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_GOLANG_DEP_ENABLED, golangDepEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_GOLANG_MOD_ENABLED, golangModEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_DART_ENABLED, dartAnalyzerEnabled);
        getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_GOLANG_PATH, pathToGo);
        getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_YARN_PATH, pathToYarn);
        getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_PNPM_PATH, pathToPnpm);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_MIX_AUDIT_ENABLED, mixAuditAnalyzerEnabled);
        getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_MIX_AUDIT_PATH, mixAuditPath);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUGETCONF_ENABLED, nugetconfAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_LIBMAN_ENABLED, libmanAnalyzerEnabled);
        // remote-lookup analyzers (Central, Nexus, OSS Index); Nexus and OSS Index
        // user/password values are credentials
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_USE_CACHE, centralAnalyzerUseCache);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, archiveAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, assemblyAnalyzerEnabled);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_MSBUILD_PROJECT_ENABLED, msbuildAnalyzerEnabled);
        getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
        getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_USER, nexusUser);
        getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_PASSWORD, nexusPassword);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
        getSettings().setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
        getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_DOTNET_PATH, pathToCore);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_ENABLED, ossindexAnalyzerEnabled);
        getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_URL, ossindexAnalyzerUrl);
        getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_USER, ossindexAnalyzerUsername);
        getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_PASSWORD, ossindexAnalyzerPassword);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_USE_CACHE, ossindexAnalyzerUseCache);
        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, ossIndexAnalyzerWarnOnlyOnRemoteErrors);
        // build-gate settings; junitFailOnCVSS is always pushed (setFloat, no null guard)
        getSettings().setFloat(Settings.KEYS.JUNIT_FAIL_ON_CVSS, junitFailOnCVSS);
        getSettings().setBooleanIfNotNull(Settings.KEYS.FAIL_ON_UNUSED_SUPPRESSION_RULE, failBuildOnUnusedSuppressionRule);
    }

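    /**
     * Checks to see if a vulnerability has been identified with a CVSS score
     * that is greater than or equal to the threshold set in the configuration
     * ({@code failBuildOnCVSS}). A threshold of {@code 0.0} or lower fails the
     * build on any identified vulnerability. When {@code showSummary} is set the
     * failure message lists each offending dependency (file name, identifiers
     * and vulnerability names); otherwise only a generic message is produced.
     *
     * @param dependencies the list of dependency objects
     * @throws BuildException thrown if a CVSS score is found that is greater
     * than or equal to the threshold set
     */
    //see note on `dealWithReferences()` for information on this suppression
    @SuppressWarnings("squid:RedundantThrowsDeclarationCheck")
    private void checkForFailure(Dependency[] dependencies) throws BuildException {
        final StringBuilder ids = new StringBuilder();
        for (Dependency d : dependencies) {
            boolean addName = true;
            for (Vulnerability v : d.getVulnerabilities()) {
                if (!meetsFailureThreshold(v)) {
                    continue;
                }
                if (addName) {
                    addName = false;
                    // first failing vulnerability of this dependency: emit the
                    // dependency header (file name plus all known identifiers)
                    ids.append(NEW_LINE).append(d.getFileName()).append(" (")
                       .append(Stream.concat(d.getSoftwareIdentifiers().stream(), d.getVulnerableSoftwareIdentifiers().stream())
                                     .map(Identifier::getValue)
                                     .collect(Collectors.joining(", ")))
                       .append("): ")
                       .append(v.getName());
                } else {
                    ids.append(", ").append(v.getName());
                }
            }
        }
        if (ids.length() > 0) {
            final String msg;
            if (showSummary) {
                msg = String.format("%n%nDependency-Check Failure:%n"
                        + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '%.1f': %s%n"
                        + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids);
            } else {
                msg = String.format("%n%nDependency-Check Failure:%n"
                        + "One or more dependencies were identified with vulnerabilities.%n%n"
                        + "See the dependency-check report for more details.%n%n");
            }
            throw new BuildException(msg);
        }
    }

    /**
     * Determines whether a single vulnerability meets the configured
     * {@code failBuildOnCVSS} threshold. The CVSS v2, v3 and v4 base scores are
     * each compared against the threshold; a vulnerability that carries only an
     * unscored severity is compared using the v2 estimate produced by
     * {@code SeverityUtil}.
     *
     * @param v the vulnerability to evaluate
     * @return {@code true} if any available score is greater than or equal to
     * the threshold, or if the threshold is {@code 0.0} or lower
     */
    private boolean meetsFailureThreshold(Vulnerability v) {
        return (v.getCvssV2() != null && v.getCvssV2().getCvssData().getBaseScore() >= failBuildOnCVSS)
                || (v.getCvssV3() != null && v.getCvssV3().getCvssData().getBaseScore() >= failBuildOnCVSS)
                || (v.getCvssV4() != null && v.getCvssV4().getCvssData().getBaseScore() >= failBuildOnCVSS)
                || (v.getUnscoredSeverity() != null && SeverityUtil.estimateCvssV2(v.getUnscoredSeverity()) >= failBuildOnCVSS)
                //safety net to fail on any if for some reason the above misses on 0
                || (failBuildOnCVSS <= 0.0f);
    }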

    /**
     * An enumeration of supported report formats: "ALL", "HTML", "XML", "CSV",
     * "JSON", "JUNIT", "SARIF", "JENKINS", etc..
     */
    public static class ReportFormats extends EnumeratedAttribute {

        /**
         * Returns the list of values for the report format: the names of the
         * {@code Format} enum constants, in their declaration order.
         *
         * @return the list of values for the report format
         */
        @Override
        public String[] getValues() {
            return Stream.of(Format.values())
                    .map(Format::name)
                    .toArray(String[]::new);
        }
    }

    /**
     * A class for Ant to represent the
     * {@code <reportFormat format="<format>"/>} nested element to define
     * multiple report formats for the ant-task.
     */
    public static class ReportFormat {

        /**
         * The format of this ReportFormat; populated by {@link #setFormat(String)}.
         */
        private ReportFormats format;

        /**
         * Gets the format as a String.
         *
         * @return the String representing a report format
         */
        public String getFormat() {
            final ReportFormats current = this.format;
            return current.getValue();
        }

        /**
         * Sets the format, validating it against the values accepted by
         * {@link ReportFormats}.
         *
         * @param format the String value for one of the {@link ReportFormats}
         * @throws BuildException When the offered String is not one of the
         * valid values of the {@link ReportFormats} EnumeratedAttribute
         */
        public void setFormat(final String format) {
            final EnumeratedAttribute parsed = EnumeratedAttribute.getInstance(ReportFormats.class, format);
            this.format = (ReportFormats) parsed;
        }
    }
  1498. }
  1499. //CSON: MethodCount