1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18 package org.owasp.dependencycheck.maven;
19
20 import com.github.packageurl.MalformedPackageURLException;
21 import com.github.packageurl.PackageURL.StandardTypes;
22 import com.github.packageurl.PackageURL;
23 import io.github.jeremylong.jcs3.slf4j.Slf4jAdapter;
24 import org.apache.maven.artifact.Artifact;
25 import org.apache.maven.artifact.DefaultArtifact;
26 import org.apache.maven.artifact.handler.DefaultArtifactHandler;
27 import org.apache.maven.artifact.versioning.ArtifactVersion;
28 import org.apache.maven.doxia.sink.Sink;
29 import org.apache.maven.execution.MavenSession;
30 import org.apache.maven.model.License;
31 import org.apache.maven.plugin.AbstractMojo;
32 import org.apache.maven.plugin.MojoExecutionException;
33 import org.apache.maven.plugin.MojoFailureException;
34 import org.apache.maven.plugins.annotations.Component;
35 import org.apache.maven.plugins.annotations.Parameter;
36 import org.apache.maven.project.DefaultProjectBuildingRequest;
37 import org.apache.maven.project.MavenProject;
38 import org.apache.maven.project.ProjectBuildingRequest;
39 import org.apache.maven.reporting.MavenReport;
40 import org.apache.maven.reporting.MavenReportException;
41 import org.apache.maven.settings.Proxy;
42 import org.apache.maven.settings.Server;
43 import org.apache.maven.shared.transfer.artifact.DefaultArtifactCoordinate;
44 import org.apache.maven.shared.transfer.artifact.resolve.ArtifactResolver;
45 import org.apache.maven.shared.transfer.artifact.resolve.ArtifactResolverException;
46 import org.apache.maven.shared.transfer.artifact.resolve.ArtifactResult;
47 import org.apache.maven.shared.transfer.dependencies.resolve.DependencyResolver;
48 import org.apache.maven.shared.transfer.dependencies.resolve.DependencyResolverException;
49 import org.eclipse.aether.artifact.ArtifactType;
50 import org.apache.maven.shared.artifact.filter.PatternExcludesArtifactFilter;
51 import org.apache.maven.shared.dependency.graph.DependencyGraphBuilder;
52 import org.apache.maven.shared.dependency.graph.DependencyGraphBuilderException;
53 import org.apache.maven.shared.dependency.graph.DependencyNode;
54 import org.apache.maven.shared.dependency.graph.filter.ArtifactDependencyNodeFilter;
55 import org.apache.maven.shared.dependency.graph.internal.DefaultDependencyNode;
56 import org.apache.maven.shared.model.fileset.FileSet;
57 import org.apache.maven.shared.model.fileset.util.FileSetManager;
58 import org.owasp.dependencycheck.Engine;
59 import org.owasp.dependencycheck.analyzer.JarAnalyzer;
60 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
61 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
62 import org.owasp.dependencycheck.dependency.Confidence;
63 import org.owasp.dependencycheck.dependency.Dependency;
64 import org.owasp.dependencycheck.dependency.EvidenceType;
65 import org.owasp.dependencycheck.dependency.Vulnerability;
66 import org.owasp.dependencycheck.exception.DependencyNotFoundException;
67 import org.owasp.dependencycheck.exception.ExceptionCollection;
68 import org.owasp.dependencycheck.exception.ReportException;
69 import org.owasp.dependencycheck.utils.Checksum;
70 import org.owasp.dependencycheck.utils.Filter;
71 import org.owasp.dependencycheck.utils.Settings;
72 import org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher;
73 import org.sonatype.plexus.components.sec.dispatcher.SecDispatcher;
74 import org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException;
75
76 import java.io.File;
77 import java.io.FileNotFoundException;
78 import java.io.IOException;
79 import java.io.InputStream;
80 import java.util.ArrayList;
81 import java.util.Arrays;
82 import java.util.Collections;
83 import java.util.HashSet;
84 import java.util.List;
85 import java.util.Locale;
86 import java.util.Map;
87 import java.util.Objects;
88 import java.util.Optional;
89 import java.util.Set;
90 import org.apache.maven.artifact.repository.ArtifactRepository;
91
92 import org.apache.maven.artifact.resolver.filter.ExcludesArtifactFilter;
93 import org.apache.maven.artifact.versioning.InvalidVersionSpecificationException;
94 import org.apache.maven.artifact.versioning.Restriction;
95 import org.apache.maven.artifact.versioning.VersionRange;
96
97 import org.owasp.dependencycheck.agent.DependencyCheckScanAgent;
98 import org.owasp.dependencycheck.dependency.naming.GenericIdentifier;
99 import org.owasp.dependencycheck.dependency.naming.Identifier;
100 import org.owasp.dependencycheck.dependency.naming.PurlIdentifier;
101 import org.apache.maven.shared.dependency.graph.traversal.DependencyNodeVisitor;
102 import org.apache.maven.shared.dependency.graph.traversal.FilteringDependencyNodeVisitor;
103 import org.apache.maven.shared.transfer.dependencies.DefaultDependableCoordinate;
104 import org.apache.maven.shared.transfer.dependencies.DependableCoordinate;
105 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
106 import org.owasp.dependencycheck.reporting.ReportGenerator;
107 import org.owasp.dependencycheck.utils.SeverityUtil;
108 import org.owasp.dependencycheck.xml.pom.Model;
109 import org.owasp.dependencycheck.xml.pom.PomUtils;
110
111
112
113
114
115 public abstract class BaseDependencyCheckMojo extends AbstractMojo implements MavenReport {
116
117
118
119
120
121 private static final String PROPERTIES_FILE = "mojo.properties";
122
123
124
125 private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();
126
127
128
129 private static final String INCLUDE_ALL = "**/*";
130
131
132
133 private boolean generatingSite = false;
134
135
136
137 private Settings settings = null;
138
139
140
141 private final List<File> scannedFiles = new ArrayList<>();
142
143
144
145
146
147 @SuppressWarnings("CanBeFinal")
148 @Parameter(property = "failOnError", defaultValue = "true", required = true)
149 private boolean failOnError;
150
151
152
153
154 @SuppressWarnings("CanBeFinal")
155 @Parameter(property = "project", required = true, readonly = true)
156 private MavenProject project;
157
158
159
160 @SuppressWarnings("CanBeFinal")
161 @Parameter(readonly = true, required = true, property = "reactorProjects")
162 private List<MavenProject> reactorProjects;
163
164
165
166
167
168 @SuppressWarnings("CanBeFinal")
169 @Component
170 private ArtifactResolver artifactResolver;
171
172
173
174
175
176
177
178 @SuppressWarnings("CanBeFinal")
179 @Component
180 private DependencyResolver dependencyResolver;
181
182
183
184
185 @SuppressWarnings("CanBeFinal")
186 @Parameter(defaultValue = "${session}", readonly = true, required = true)
187 private MavenSession session;
188
189
190
191
192 @Component
193 private DependencyGraphBuilder dependencyGraphBuilder;
194
195
196
197
198 @SuppressWarnings("CanBeFinal")
199 @Parameter(defaultValue = "${project.build.directory}", required = true, property = "odc.outputDirectory")
200 private File outputDirectory;
201
202
203
204
205
206 @Parameter(property = "project.reporting.outputDirectory", readonly = true)
207 private File reportOutputDirectory;
208
209
210
211
212
213 @SuppressWarnings("CanBeFinal")
214 @Parameter(property = "failBuildOnCVSS", defaultValue = "11", required = true)
215 private float failBuildOnCVSS = 11f;
216
217
218
219
220
221 @SuppressWarnings("CanBeFinal")
222 @Parameter(property = "junitFailOnCVSS", defaultValue = "0", required = true)
223 private float junitFailOnCVSS = 0;
224
225
226
227
228
229
230 @SuppressWarnings("CanBeFinal")
231 @Parameter(property = "failBuildOnAnyVulnerability", defaultValue = "false", required = true)
232 @Deprecated
233 private boolean failBuildOnAnyVulnerability = false;
234
235
236
237
238 @SuppressWarnings("CanBeFinal")
239 @Parameter(property = "autoUpdate")
240 private Boolean autoUpdate;
241
242
243
244 @SuppressWarnings("CanBeFinal")
245 @Parameter(property = "enableExperimental")
246 private Boolean enableExperimental;
247
248
249
250 @SuppressWarnings("CanBeFinal")
251 @Parameter(property = "enableRetired")
252 private Boolean enableRetired;
253
254
255
256 @SuppressWarnings("CanBeFinal")
257 @Parameter(property = "golangDepEnabled")
258 private Boolean golangDepEnabled;
259
260
261
262
263 @SuppressWarnings("CanBeFinal")
264 @Parameter(property = "golangModEnabled")
265 private Boolean golangModEnabled;
266
267
268
269 @SuppressWarnings("CanBeFinal")
270 @Parameter(property = "pathToGo")
271 private String pathToGo;
272
273
274
275
276 @SuppressWarnings("CanBeFinal")
277 @Parameter(property = "pathToYarn")
278 private String pathToYarn;
279
280
281
282 @SuppressWarnings("CanBeFinal")
283 @Parameter(property = "pathToPnpm")
284 private String pathToPnpm;
285
286
287
288
289 @Parameter(property = "dependency-check.virtualSnapshotsFromReactor", defaultValue = "true")
290 private Boolean virtualSnapshotsFromReactor;
291
292
293
294
295
296 @SuppressWarnings("CanBeFinal")
297 @Parameter(property = "format", defaultValue = "HTML", required = true)
298 private String format = "HTML";
299
300
301
302
303
304 @Parameter(property = "prettyPrint")
305 private Boolean prettyPrint;
306
307
308
309
310
311 @Parameter(property = "formats", required = true)
312 private String[] formats;
313
314
315
316 @SuppressWarnings("CanBeFinal")
317 @Parameter(property = "mavenSettings", defaultValue = "${settings}")
318 private org.apache.maven.settings.Settings mavenSettings;
319
320
321
322
323 @SuppressWarnings("CanBeFinal")
324 @Parameter(property = "mavenSettingsProxyId")
325 private String mavenSettingsProxyId;
326
327
328
329
330 @SuppressWarnings("CanBeFinal")
331 @Parameter(property = "connectionTimeout")
332 private String connectionTimeout;
333
334
335
336 @SuppressWarnings("CanBeFinal")
337 @Parameter(property = "readTimeout")
338 private String readTimeout;
339
340
341
342
343 @SuppressWarnings("CanBeFinal")
344 @Parameter(property = "versionCheckEnabled", defaultValue = "true")
345 private boolean versionCheckEnabled;
346
347
348
349
350
351
352 @SuppressWarnings("CanBeFinal")
353 @Parameter(property = "suppressionFiles")
354 private String[] suppressionFiles;
355
356
357
358
359
360
361 @SuppressWarnings("CanBeFinal")
362 @Parameter(property = "suppressionFile")
363 private String suppressionFile;
364
365
366
367 @Parameter(property = "suppressionFileUser")
368 private String suppressionFileUser;
369
370
371
372 @Parameter(property = "suppressionFilePassword")
373 private String suppressionFilePassword;
374
375
376
377
378 @SuppressWarnings("CanBeFinal")
379 @Parameter(property = "suppressionFileServerId")
380 private String suppressionFileServerId;
381
382
383
384 @SuppressWarnings("CanBeFinal")
385 @Parameter(property = "hintsFile")
386 private String hintsFile;
387
388
389
390
391 @SuppressWarnings("CanBeFinal")
392 @Parameter(property = "showSummary", defaultValue = "true")
393 private boolean showSummary = true;
394
395
396
397
398 @SuppressWarnings("CanBeFinal")
399 @Parameter(property = "jarAnalyzerEnabled")
400 private Boolean jarAnalyzerEnabled;
401
402
403
404
405 @SuppressWarnings("CanBeFinal")
406 @Parameter(property = "dartAnalyzerEnabled")
407 private Boolean dartAnalyzerEnabled;
408
409
410
411
412 @SuppressWarnings("CanBeFinal")
413 @Parameter(property = "archiveAnalyzerEnabled")
414 private Boolean archiveAnalyzerEnabled;
415
416
417
418 @SuppressWarnings("CanBeFinal")
419 @Parameter(property = "knownExploitedEnabled")
420 private Boolean knownExploitedEnabled;
421
422
423
424 @SuppressWarnings("CanBeFinal")
425 @Parameter(property = "knownExploitedUrl")
426 private String knownExploitedUrl;
427
428
429
430 @SuppressWarnings("CanBeFinal")
431 @Parameter(property = "pyDistributionAnalyzerEnabled")
432 private Boolean pyDistributionAnalyzerEnabled;
433
434
435
436 @Parameter(property = "pyPackageAnalyzerEnabled")
437 private Boolean pyPackageAnalyzerEnabled;
438
439
440
441 @SuppressWarnings("CanBeFinal")
442 @Parameter(property = "rubygemsAnalyzerEnabled")
443 private Boolean rubygemsAnalyzerEnabled;
444
445
446
447 @SuppressWarnings("CanBeFinal")
448 @Parameter(property = "opensslAnalyzerEnabled")
449 private Boolean opensslAnalyzerEnabled;
450
451
452
453 @SuppressWarnings("CanBeFinal")
454 @Parameter(property = "cmakeAnalyzerEnabled")
455 private Boolean cmakeAnalyzerEnabled;
456
457
458
459 @SuppressWarnings("CanBeFinal")
460 @Parameter(property = "autoconfAnalyzerEnabled")
461 private Boolean autoconfAnalyzerEnabled;
462
463
464
465 @SuppressWarnings("CanBeFinal")
466 @Parameter(property = "mavenInstallAnalyzerEnabled")
467 private Boolean mavenInstallAnalyzerEnabled;
468
469
470
471 @SuppressWarnings("CanBeFinal")
472 @Parameter(property = "pipAnalyzerEnabled")
473 private Boolean pipAnalyzerEnabled;
474
475
476
477 @SuppressWarnings("CanBeFinal")
478 @Parameter(property = "pipfileAnalyzerEnabled")
479 private Boolean pipfileAnalyzerEnabled;
480
481
482
483 @SuppressWarnings("CanBeFinal")
484 @Parameter(property = "poetryAnalyzerEnabled")
485 private Boolean poetryAnalyzerEnabled;
486
487
488
489 @Parameter(property = "composerAnalyzerEnabled")
490 private Boolean composerAnalyzerEnabled;
491
492
493
494 @Parameter(property = "cpanfileAnalyzerEnabled")
495 private Boolean cpanfileAnalyzerEnabled;
496
497
498
499 @SuppressWarnings("CanBeFinal")
500 @Parameter(property = "nodeAnalyzerEnabled")
501 private Boolean nodeAnalyzerEnabled;
502
503
504
505 @SuppressWarnings("CanBeFinal")
506 @Parameter(property = "nodeAuditAnalyzerEnabled")
507 private Boolean nodeAuditAnalyzerEnabled;
508
509
510
511
512 @SuppressWarnings("CanBeFinal")
513 @Parameter(property = "nodeAuditAnalyzerUrl")
514 private String nodeAuditAnalyzerUrl;
515
516
517
518
519 @SuppressWarnings("CanBeFinal")
520 @Parameter(property = "yarnAuditAnalyzerEnabled")
521 private Boolean yarnAuditAnalyzerEnabled;
522
523
524
525
526 @SuppressWarnings("CanBeFinal")
527 @Parameter(property = "pnpmAuditAnalyzerEnabled")
528 private Boolean pnpmAuditAnalyzerEnabled;
529
530
531
532
533 @SuppressWarnings("CanBeFinal")
534 @Parameter(property = "nodeAuditAnalyzerUseCache")
535 private Boolean nodeAuditAnalyzerUseCache;
536
537
538
539 @SuppressWarnings("CanBeFinal")
540 @Parameter(property = "nodeAuditSkipDevDependencies")
541 private Boolean nodeAuditSkipDevDependencies;
542
543
544
545 @SuppressWarnings("CanBeFinal")
546 @Parameter(property = "nodePackageSkipDevDependencies")
547 private Boolean nodePackageSkipDevDependencies;
548
549
550
551 @SuppressWarnings("CanBeFinal")
552 @Parameter(property = "retireJsAnalyzerEnabled")
553 private Boolean retireJsAnalyzerEnabled;
554
555
556
557 @SuppressWarnings("CanBeFinal")
558 @Parameter(property = "retireJsUrl")
559 private String retireJsUrl;
560
561
562
563 @Parameter(property = "retireJsUser")
564 private String retireJsUser;
565
566
567
568 @Parameter(property = "retireJsPassword")
569 private String retireJsPassword;
570
571
572
573
574 @SuppressWarnings("CanBeFinal")
575 @Parameter(property = "retireJsUrlServerId")
576 private String retireJsUrlServerId;
577
578
579
580
581 @SuppressWarnings("CanBeFinal")
582 @Parameter(property = "retireJsForceUpdate")
583 private Boolean retireJsForceUpdate;
584
585
586
587 @Parameter(property = "assemblyAnalyzerEnabled")
588 private Boolean assemblyAnalyzerEnabled;
589
590
591
592 @Parameter(property = "msbuildAnalyzerEnabled")
593 private Boolean msbuildAnalyzerEnabled;
594
595
596
597 @SuppressWarnings("CanBeFinal")
598 @Parameter(property = "nuspecAnalyzerEnabled")
599 private Boolean nuspecAnalyzerEnabled;
600
601
602
603
604 @SuppressWarnings("CanBeFinal")
605 @Parameter(property = "nugetconfAnalyzerEnabled")
606 private Boolean nugetconfAnalyzerEnabled;
607
608
609
610
611 @SuppressWarnings("CanBeFinal")
612 @Parameter(property = "libmanAnalyzerEnabled")
613 private Boolean libmanAnalyzerEnabled;
614
615
616
617
618 @SuppressWarnings("CanBeFinal")
619 @Parameter(property = "centralAnalyzerEnabled")
620 private Boolean centralAnalyzerEnabled;
621
622
623
624
625 @SuppressWarnings("CanBeFinal")
626 @Parameter(property = "centralAnalyzerUseCache")
627 private Boolean centralAnalyzerUseCache;
628
629
630
631
632 @SuppressWarnings("CanBeFinal")
633 @Parameter(property = "artifactoryAnalyzerEnabled")
634 private Boolean artifactoryAnalyzerEnabled;
635
636
637
638
639 @SuppressWarnings("CanBeFinal")
640 @Parameter(property = "artifactoryAnalyzerServerId")
641 private String artifactoryAnalyzerServerId;
642
643
644
645
646 @SuppressWarnings("CanBeFinal")
647 @Parameter(property = "artifactoryAnalyzerUsername")
648 private String artifactoryAnalyzerUsername;
649
650
651
652 @SuppressWarnings("CanBeFinal")
653 @Parameter(property = "artifactoryAnalyzerApiToken")
654 private String artifactoryAnalyzerApiToken;
655
656
657
658 @SuppressWarnings("CanBeFinal")
659 @Parameter(property = "artifactoryAnalyzerBearerToken")
660 private String artifactoryAnalyzerBearerToken;
661
662
663
664 @SuppressWarnings("CanBeFinal")
665 @Parameter(property = "artifactoryAnalyzerUrl")
666 private String artifactoryAnalyzerUrl;
667
668
669
670 @SuppressWarnings("CanBeFinal")
671 @Parameter(property = "artifactoryAnalyzerUseProxy")
672 private Boolean artifactoryAnalyzerUseProxy;
673
674
675
676 @SuppressWarnings("CanBeFinal")
677 @Parameter(property = "artifactoryAnalyzerParallelAnalysis", defaultValue = "true")
678 private Boolean artifactoryAnalyzerParallelAnalysis;
679
680
681
682 @SuppressWarnings("CanBeFinal")
683 @Parameter(property = "nexusAnalyzerEnabled")
684 private Boolean nexusAnalyzerEnabled;
685
686
687
688
689 @SuppressWarnings("CanBeFinal")
690 @Parameter(property = "ossindexAnalyzerEnabled")
691 private Boolean ossindexAnalyzerEnabled;
692
693
694
695 @SuppressWarnings("CanBeFinal")
696 @Parameter(property = "ossindexAnalyzerUseCache")
697 private Boolean ossindexAnalyzerUseCache;
698
699
700
701 @SuppressWarnings("CanBeFinal")
702 @Parameter(property = "ossindexAnalyzerUrl")
703 private String ossindexAnalyzerUrl;
704
705
706
707
708
709 @SuppressWarnings("CanBeFinal")
710 @Parameter(property = "ossIndexServerId")
711 private String ossIndexServerId;
712
713
714
715
716
717 @SuppressWarnings("CanBeFinal")
718 @Parameter(property = "ossIndexWarnOnlyOnRemoteErrors")
719 private Boolean ossIndexWarnOnlyOnRemoteErrors;
720
721
722
723
724 @Parameter(property = "mixAuditAnalyzerEnabled")
725 private Boolean mixAuditAnalyzerEnabled;
726
727
728
729
730 @SuppressWarnings("CanBeFinal")
731 @Parameter(property = "mixAuditPath")
732 private String mixAuditPath;
733
734
735
736
737 @Parameter(property = "bundleAuditAnalyzerEnabled")
738 private Boolean bundleAuditAnalyzerEnabled;
739
740
741
742
743 @SuppressWarnings("CanBeFinal")
744 @Parameter(property = "bundleAuditPath")
745 private String bundleAuditPath;
746
747
748
749
750
751 @SuppressWarnings("CanBeFinal")
752 @Parameter(property = "bundleAuditWorkingDirectory")
753 private String bundleAuditWorkingDirectory;
754
755
756
757
758 @SuppressWarnings("CanBeFinal")
759 @Parameter(property = "cocoapodsAnalyzerEnabled")
760 private Boolean cocoapodsAnalyzerEnabled;
761
762
763
764
765 @SuppressWarnings("CanBeFinal")
766 @Parameter(property = "swiftPackageManagerAnalyzerEnabled")
767 private Boolean swiftPackageManagerAnalyzerEnabled;
768
769
770
771 @SuppressWarnings("CanBeFinal")
772 @Parameter(property = "swiftPackageResolvedAnalyzerEnabled")
773 private Boolean swiftPackageResolvedAnalyzerEnabled;
774
775
776
777
778 @SuppressWarnings("CanBeFinal")
779 @Parameter(property = "nexusUrl")
780 private String nexusUrl;
781
782
783
784
785
786
787 @SuppressWarnings("CanBeFinal")
788 @Parameter(property = "nexusServerId")
789 private String nexusServerId;
790
791
792
793 @SuppressWarnings("CanBeFinal")
794 @Parameter(property = "nexusUsesProxy")
795 private Boolean nexusUsesProxy;
796
797
798
799 @SuppressWarnings("CanBeFinal")
800 @Parameter(property = "connectionString")
801 private String connectionString;
802
803
804
805
806 @SuppressWarnings("CanBeFinal")
807 @Parameter(property = "databaseDriverName")
808 private String databaseDriverName;
809
810
811
812 @SuppressWarnings("CanBeFinal")
813 @Parameter(property = "databaseDriverPath")
814 private String databaseDriverPath;
815
816
817
818 @SuppressWarnings("CanBeFinal")
819 @Parameter(defaultValue = "${settings}", readonly = true, required = true)
820 private org.apache.maven.settings.Settings settingsXml;
821
822
823
824 @Component(role = SecDispatcher.class, hint = "default")
825 private SecDispatcher securityDispatcher;
826
827
828
829 @Parameter(property = "databaseUser")
830 private String databaseUser;
831
832
833
834 @Parameter(property = "databasePassword")
835 private String databasePassword;
836
837
838
839
840 @SuppressWarnings("CanBeFinal")
841 @Parameter(property = "zipExtensions")
842 private String zipExtensions;
843
844
845
846 @SuppressWarnings("CanBeFinal")
847 @Parameter(property = "dependency-check.skip", defaultValue = "false")
848 private boolean skip = false;
849
850
851
852 @SuppressWarnings("CanBeFinal")
853 @Parameter(property = "skipTestScope", defaultValue = "true")
854 private boolean skipTestScope = true;
855
856
857
858 @SuppressWarnings("CanBeFinal")
859 @Parameter(property = "skipRuntimeScope", defaultValue = "false")
860 private boolean skipRuntimeScope = false;
861
862
863
864 @SuppressWarnings("CanBeFinal")
865 @Parameter(property = "skipProvidedScope", defaultValue = "false")
866 private boolean skipProvidedScope = false;
867
868
869
870
871 @SuppressWarnings("CanBeFinal")
872 @Parameter(property = "skipSystemScope", defaultValue = "false")
873 private boolean skipSystemScope = false;
874
875
876
877
878 @SuppressWarnings("CanBeFinal")
879 @Parameter(property = "skipDependencyManagement", defaultValue = "true")
880 private boolean skipDependencyManagement = true;
881
882
883
884
885
886
887 @SuppressWarnings("CanBeFinal")
888 @Parameter(property = "skipArtifactType")
889 private String skipArtifactType;
890
891
892
893
894 @SuppressWarnings("CanBeFinal")
895 @Parameter(property = "dataDirectory")
896 private String dataDirectory;
897
898
899
900
901 @SuppressWarnings("CanBeFinal")
902 @Parameter(property = "dbFilename")
903 private String dbFilename;
904
905
906
907
908
909 @SuppressWarnings("CanBeFinal")
910 @Parameter(property = "serverId")
911 private String serverId;
912
913
914
915
916
917 @SuppressWarnings("CanBeFinal")
918 @Parameter(property = "nvdApiKey")
919 private String nvdApiKey;
920
921
922
923 @SuppressWarnings("CanBeFinal")
924 @Parameter(property = "nvdMaxRetryCount")
925 private Integer nvdMaxRetryCount;
926
927
928
929
930
931
932 @SuppressWarnings("CanBeFinal")
933 @Parameter(property = "nvdApiServerId")
934 private String nvdApiServerId;
935
936
937
938
939
940 @SuppressWarnings("CanBeFinal")
941 @Parameter(property = "nvdApiKeyEnvironmentVariable")
942 private String nvdApiKeyEnvironmentVariable;
943
944
945
946 @SuppressWarnings("CanBeFinal")
947 @Parameter(property = "nvdValidForHours")
948 private Integer nvdValidForHours;
949
950
951
952 @SuppressWarnings("CanBeFinal")
953 @Parameter(property = "nvdApiEndpoint")
954 private String nvdApiEndpoint;
955
956
957
958 @SuppressWarnings("CanBeFinal")
959 @Parameter(property = "nvdDatafeedUrl")
960 private String nvdDatafeedUrl;
961
962
963
964
965
966 @SuppressWarnings("CanBeFinal")
967 @Parameter(property = "nvdDatafeedServerId")
968 private String nvdDatafeedServerId;
969
970
971
972 @SuppressWarnings("CanBeFinal")
973 @Parameter(property = "nvdUser")
974 private String nvdUser;
975
976
977
978 @SuppressWarnings("CanBeFinal")
979 @Parameter(property = "nvdPassword")
980 private String nvdPassword;
981
982
983
984 @SuppressWarnings("CanBeFinal")
985 @Parameter(property = "nvdApiDelay")
986 private Integer nvdApiDelay;
987
988
989
990
991 @SuppressWarnings("CanBeFinal")
992 @Parameter(property = "pathToCore")
993 private String pathToCore;
994
995
996
997 @SuppressWarnings("CanBeFinal")
998 @Parameter(property = "hostedSuppressionsUrl")
999 private String hostedSuppressionsUrl;
1000
1001
1002
1003
1004 @SuppressWarnings("CanBeFinal")
1005 @Parameter(property = "hostedSuppressionsForceUpdate")
1006 private Boolean hostedSuppressionsForceUpdate;
1007
1008
1009
1010 @SuppressWarnings("CanBeFinal")
1011 @Parameter(property = "hostedSuppressionsEnabled")
1012 private Boolean hostedSuppressionsEnabled;
1013
1014
1015
1016
1017 @SuppressWarnings("CanBeFinal")
1018 @Parameter(property = "hostedSuppressionsValidForHours")
1019 private Integer hostedSuppressionsValidForHours;
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036 @SuppressWarnings("CanBeFinal")
1037 @Parameter(property = "retirejs")
1038 private Retirejs retirejs;
1039
1040
1041
1042
1043
1044 @Parameter(property = "odc.excludes")
1045 private List<String> excludes;
1046
1047
1048
1049
1050 private Filter<String> artifactScopeExcluded;
1051
1052
1053
1054
1055 private Filter<String> artifactTypeExcluded;
1056
1057
1058
1059
1060
1061
1062
1063
1064 @Parameter
1065 private List<FileSet> scanSet;
1066
1067
1068
1069
1070
1071 @Parameter(property = "scanDirectory")
1072 private List<String> scanDirectory;
1073
1074
1075
1076
1077 @SuppressWarnings("CanBeFinal")
1078 @Parameter(property = "odc.plugins.scan", defaultValue = "false", required = false)
1079 private boolean scanPlugins = false;
1080
1081
1082
1083 @SuppressWarnings("CanBeFinal")
1084 @Parameter(property = "odc.dependencies.scan", defaultValue = "true", required = false)
1085 private boolean scanDependencies = true;
1086
1087
1088
1089 @Parameter
1090 private ProxyConfig proxy;
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102 private static boolean artifactsMatch(org.apache.maven.model.Dependency d, Artifact a) {
1103 return isEqualOrNull(a.getArtifactId(), d.getArtifactId())
1104 && isEqualOrNull(a.getGroupId(), d.getGroupId())
1105 && isEqualOrNull(a.getVersion(), d.getVersion());
1106 }
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117 private static boolean isEqualOrNull(String left, String right) {
1118 return (left != null && left.equals(right)) || (left == null && right == null);
1119 }
1120
1121
1122
1123
1124
1125
1126
1127
1128 @Override
1129 public void execute() throws MojoExecutionException, MojoFailureException {
1130 generatingSite = false;
1131 final boolean shouldSkip = Boolean.parseBoolean(System.getProperty("dependency-check.skip", Boolean.toString(skip)));
1132 if (shouldSkip) {
1133 getLog().info("Skipping " + getName(Locale.US));
1134 } else {
1135 project.setContextValue("dependency-check-output-dir", this.outputDirectory);
1136 runCheck();
1137 }
1138 }
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150 @Deprecated
1151 public final void generate(@SuppressWarnings("deprecation") org.codehaus.doxia.sink.Sink sink, Locale locale) throws MavenReportException {
1152 generate((Sink) sink, locale);
1153 }
1154
1155
1156
1157
1158
1159
1160 protected boolean isGeneratingSite() {
1161 return generatingSite;
1162 }
1163
1164
1165
1166
1167
1168
1169 protected String getConnectionString() {
1170 return connectionString;
1171 }
1172
1173
1174
1175
1176
1177
1178 protected boolean isFailOnError() {
1179 return failOnError;
1180 }
1181
1182
1183
1184
1185
1186
1187
1188
1189 public void generate(Sink sink, Locale locale) throws MavenReportException {
1190 final boolean shouldSkip = Boolean.parseBoolean(System.getProperty("dependency-check.skip", Boolean.toString(skip)));
1191 if (shouldSkip) {
1192 getLog().info("Skipping report generation " + getName(Locale.US));
1193 return;
1194 }
1195
1196 generatingSite = true;
1197 project.setContextValue("dependency-check-output-dir", getReportOutputDirectory());
1198 try {
1199 runCheck();
1200 } catch (MojoExecutionException ex) {
1201 throw new MavenReportException(ex.getMessage(), ex);
1202 } catch (MojoFailureException ex) {
1203 getLog().warn("Vulnerabilities were identifies that exceed the CVSS threshold for failing the build");
1204 }
1205 }
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215 protected File getCorrectOutputDirectory() throws MojoExecutionException {
1216 return getCorrectOutputDirectory(this.project);
1217 }
1218
1219
1220
1221
1222
1223
1224
1225
1226 protected File getCorrectOutputDirectory(MavenProject current) {
1227 final Object obj = current.getContextValue("dependency-check-output-dir");
1228 if (obj != null && obj instanceof File) {
1229 return (File) obj;
1230 }
1231
1232 File target = new File(current.getBuild().getDirectory());
1233 if (target.getParentFile() != null && "target".equals(target.getParentFile().getName())) {
1234 target = target.getParentFile();
1235 }
1236 return target;
1237 }
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248 protected ExceptionCollection scanArtifacts(MavenProject project, Engine engine) {
1249 return scanArtifacts(project, engine, false);
1250 }
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262 protected ExceptionCollection scanArtifacts(MavenProject project, Engine engine, boolean aggregate) {
1263 try {
1264 final List<String> filterItems = Collections.singletonList(String.format("%s:%s", project.getGroupId(), project.getArtifactId()));
1265 final ProjectBuildingRequest buildingRequest = newResolveArtifactProjectBuildingRequest(project, project.getRemoteArtifactRepositories());
1266
1267
1268 final DependencyNode dn = dependencyGraphBuilder.buildDependencyGraph(buildingRequest, null);
1269
1270 final CollectingRootDependencyGraphVisitor collectorVisitor = new CollectingRootDependencyGraphVisitor();
1271
1272
1273 final DependencyNodeVisitor transitiveFilterVisitor = new FilteringDependencyTransitiveNodeVisitor(collectorVisitor,
1274 new ArtifactDependencyNodeFilter(new PatternExcludesArtifactFilter(getExcludes())));
1275
1276
1277 final DependencyNodeVisitor artifactFilter = new FilteringDependencyNodeVisitor(transitiveFilterVisitor,
1278 new ArtifactDependencyNodeFilter(new ExcludesArtifactFilter(filterItems)));
1279 dn.accept(artifactFilter);
1280
1281
1282 final Map<DependencyNode, List<DependencyNode>> nodes = collectorVisitor.getNodes();
1283
1284 return collectDependencies(engine, project, nodes, buildingRequest, aggregate);
1285 } catch (DependencyGraphBuilderException ex) {
1286 final String msg = String.format("Unable to build dependency graph on project %s", project.getName());
1287 getLog().debug(msg, ex);
1288 return new ExceptionCollection(ex);
1289 }
1290 }
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303 protected ExceptionCollection scanPlugins(MavenProject project, Engine engine, ExceptionCollection exCollection) {
1304 ExceptionCollection exCol = exCollection;
1305 final Set<Artifact> plugins = new HashSet<>();
1306 final Set<Artifact> buildPlugins = getProject().getPluginArtifacts();
1307 final Set<Artifact> reportPlugins = getProject().getReportArtifacts();
1308 final Set<Artifact> extensions = getProject().getExtensionArtifacts();
1309
1310 plugins.addAll(buildPlugins);
1311 plugins.addAll(reportPlugins);
1312 plugins.addAll(extensions);
1313
1314 final ProjectBuildingRequest buildingRequest = newResolveArtifactProjectBuildingRequest(project, project.getPluginArtifactRepositories());
1315 for (Artifact plugin : plugins) {
1316 try {
1317 final Artifact resolved = artifactResolver.resolveArtifact(buildingRequest, plugin).getArtifact();
1318
1319 exCol = addPluginToDependencies(project, engine, resolved, "pom.xml (plugins)", exCol);
1320
1321 final DefaultDependableCoordinate pluginCoordinate = new DefaultDependableCoordinate();
1322 pluginCoordinate.setGroupId(resolved.getGroupId());
1323 pluginCoordinate.setArtifactId(resolved.getArtifactId());
1324 pluginCoordinate.setVersion(resolved.getVersion());
1325
1326 final String parent = buildReference(resolved.getGroupId(), resolved.getArtifactId(), resolved.getVersion());
1327 for (Artifact artifact : resolveArtifactDependencies(pluginCoordinate, project)) {
1328 exCol = addPluginToDependencies(project, engine, artifact, parent, exCol);
1329 }
1330 } catch (ArtifactResolverException ex) {
1331 throw new RuntimeException(ex);
1332 } catch (IllegalArgumentException ex) {
1333 throw new RuntimeException(ex);
1334 } catch (DependencyResolverException ex) {
1335 throw new RuntimeException(ex);
1336 }
1337 }
1338
1339 return null;
1340
1341 }
1342
1343 private ExceptionCollection addPluginToDependencies(MavenProject project, Engine engine, Artifact artifact, String parent, ExceptionCollection exCollection) {
1344 ExceptionCollection exCol = exCollection;
1345 final String groupId = artifact.getGroupId();
1346 final String artifactId = artifact.getArtifactId();
1347 final String version = artifact.getVersion();
1348 final File artifactFile = artifact.getFile();
1349 if (artifactFile.isFile()) {
1350 final List<ArtifactVersion> availableVersions = artifact.getAvailableVersions();
1351
1352 final List<Dependency> deps = engine.scan(artifactFile.getAbsoluteFile(),
1353 project.getName() + " (plugins)");
1354 if (deps != null) {
1355 Dependency d = null;
1356 if (deps.size() == 1) {
1357 d = deps.get(0);
1358 } else {
1359 for (Dependency possible : deps) {
1360 if (artifactFile.getAbsoluteFile().equals(possible.getActualFile())) {
1361 d = possible;
1362 break;
1363 }
1364 }
1365 for (Dependency dep : deps) {
1366 if (d != null && d != dep) {
1367 final String includedBy = buildReference(groupId, artifactId, version);
1368 dep.addIncludedBy(includedBy, "plugins");
1369 }
1370 }
1371 }
1372 if (d != null) {
1373 final MavenArtifact ma = new MavenArtifact(groupId, artifactId, version);
1374 d.addAsEvidence("pom", ma, Confidence.HIGHEST);
1375 if (parent != null) {
1376 d.addIncludedBy(parent, "plugins");
1377 } else {
1378 final String includedby = buildReference(
1379 project.getGroupId(),
1380 project.getArtifactId(),
1381 project.getVersion());
1382 d.addIncludedBy(includedby, "plugins");
1383 }
1384 if (availableVersions != null) {
1385 for (ArtifactVersion av : availableVersions) {
1386 d.addAvailableVersion(av.toString());
1387 }
1388 }
1389 }
1390 }
1391 } else {
1392 if (exCol == null) {
1393 exCol = new ExceptionCollection();
1394 }
1395 exCol.addException(new DependencyNotFoundException("Unable to resolve plugin: "
1396 + groupId + ":" + artifactId + ":" + version));
1397 }
1398
1399 return exCol;
1400 }
1401
1402 private String buildReference(final String groupId, final String artifactId, final String version) {
1403 String includedBy;
1404 try {
1405 final PackageURL purl = new PackageURL("maven", groupId, artifactId, version, null, null);
1406 includedBy = purl.toString();
1407 } catch (MalformedPackageURLException ex) {
1408 getLog().warn("Unable to generate build reference for " + groupId
1409 + ":" + artifactId + ":" + version, ex);
1410 includedBy = groupId + ":" + artifactId + ":" + version;
1411 }
1412 return includedBy;
1413 }
1414
1415 protected Set<Artifact> resolveArtifactDependencies(final DependableCoordinate artifact, MavenProject project)
1416 throws DependencyResolverException {
1417 final ProjectBuildingRequest buildingRequest = newResolveArtifactProjectBuildingRequest(project, project.getRemoteArtifactRepositories());
1418
1419 final Iterable<ArtifactResult> artifactResults = dependencyResolver.resolveDependencies(buildingRequest, artifact, null);
1420
1421 final Set<Artifact> artifacts = new HashSet<>();
1422
1423 for (ArtifactResult artifactResult : artifactResults) {
1424 artifacts.add(artifactResult.getArtifact());
1425 }
1426
1427 return artifacts;
1428
1429 }
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442 private DependencyNode toDependencyNode(List<DependencyNode> nodes, ProjectBuildingRequest buildingRequest,
1443 DependencyNode parent, org.apache.maven.model.Dependency dependency) throws ArtifactResolverException {
1444
1445 final DefaultArtifactCoordinate coordinate = new DefaultArtifactCoordinate();
1446
1447 coordinate.setGroupId(dependency.getGroupId());
1448 coordinate.setArtifactId(dependency.getArtifactId());
1449 String version = null;
1450 final VersionRange vr;
1451 try {
1452 vr = VersionRange.createFromVersionSpec(dependency.getVersion());
1453 } catch (InvalidVersionSpecificationException ex) {
1454 throw new ArtifactResolverException("Invalid version specification: "
1455 + dependency.getGroupId() + ":"
1456 + dependency.getArtifactId() + ":"
1457 + dependency.getVersion(), ex);
1458 }
1459 if (vr.hasRestrictions()) {
1460 version = findVersion(nodes, dependency.getGroupId(), dependency.getArtifactId());
1461 if (version == null) {
1462
1463
1464 if (vr.getRecommendedVersion() != null) {
1465 version = vr.getRecommendedVersion().toString();
1466 } else if (vr.hasRestrictions()) {
1467 for (Restriction restriction : vr.getRestrictions()) {
1468 if (restriction.getLowerBound() != null) {
1469 version = restriction.getLowerBound().toString();
1470 }
1471 if (restriction.getUpperBound() != null) {
1472 version = restriction.getUpperBound().toString();
1473 }
1474 }
1475 } else {
1476 version = vr.toString();
1477 }
1478 }
1479 }
1480 if (version == null) {
1481 version = dependency.getVersion();
1482 }
1483 coordinate.setVersion(version);
1484
1485 final ArtifactType type = session.getRepositorySession().getArtifactTypeRegistry().get(dependency.getType());
1486 coordinate.setExtension(type.getExtension());
1487 coordinate.setClassifier((null == dependency.getClassifier() || dependency.getClassifier().isEmpty())
1488 ? type.getClassifier() : dependency.getClassifier());
1489 final Artifact artifact = artifactResolver.resolveArtifact(buildingRequest, coordinate).getArtifact();
1490 artifact.setScope(dependency.getScope());
1491 return new DefaultDependencyNode(parent, artifact, dependency.getVersion(), dependency.getScope(), null);
1492 }
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504 private String findVersion(List<DependencyNode> nodes, String groupId, String artifactId) {
1505 final Optional<DependencyNode> f = nodes.stream().filter(p
1506 -> groupId.equals(p.getArtifact().getGroupId())
1507 && artifactId.equals(p.getArtifact().getArtifactId())).findFirst();
1508 if (f.isPresent()) {
1509 return f.get().getArtifact().getVersion();
1510 }
1511 return null;
1512 }
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525 private ExceptionCollection collectDependencyManagementDependencies(Engine engine, ProjectBuildingRequest buildingRequest,
1526 MavenProject project, List<DependencyNode> nodes, boolean aggregate) {
1527 if (skipDependencyManagement || project.getDependencyManagement() == null) {
1528 return null;
1529 }
1530
1531 ExceptionCollection exCol = null;
1532 for (org.apache.maven.model.Dependency dependency : project.getDependencyManagement().getDependencies()) {
1533 try {
1534 nodes.add(toDependencyNode(nodes, buildingRequest, null, dependency));
1535 } catch (ArtifactResolverException ex) {
1536 getLog().debug(String.format("Aggregate : %s", aggregate));
1537 boolean addException = true;
1538
1539 if (!aggregate) {
1540
1541 } else if (addReactorDependency(engine,
1542 new DefaultArtifact(dependency.getGroupId(), dependency.getArtifactId(),
1543 dependency.getVersion(), dependency.getScope(), dependency.getType(), dependency.getClassifier(),
1544 new DefaultArtifactHandler()), project)) {
1545 addException = false;
1546 }
1547
1548 if (addException) {
1549 if (exCol == null) {
1550 exCol = new ExceptionCollection();
1551 }
1552 exCol.addException(ex);
1553 }
1554 }
1555 }
1556 return exCol;
1557 }
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573 private ExceptionCollection collectMavenDependencies(Engine engine, MavenProject project,
1574 Map<DependencyNode, List<DependencyNode>> nodeMap, ProjectBuildingRequest buildingRequest, boolean aggregate) {
1575
1576 final List<ArtifactResult> allResolvedDeps = new ArrayList<>();
1577
1578
1579 final List<DependencyNode> dmNodes = new ArrayList<>();
1580 ExceptionCollection exCol = collectDependencyManagementDependencies(engine, buildingRequest, project, dmNodes, aggregate);
1581 for (DependencyNode dependencyNode : dmNodes) {
1582 exCol = scanDependencyNode(dependencyNode, null, engine, project, allResolvedDeps, buildingRequest, aggregate, exCol);
1583 }
1584
1585
1586 for (Map.Entry<DependencyNode, List<DependencyNode>> entry : nodeMap.entrySet()) {
1587 exCol = scanDependencyNode(entry.getKey(), null, engine, project, allResolvedDeps, buildingRequest, aggregate, exCol);
1588 for (DependencyNode dependencyNode : entry.getValue()) {
1589 exCol = scanDependencyNode(dependencyNode, entry.getKey(), engine, project, allResolvedDeps, buildingRequest, aggregate, exCol);
1590 }
1591 }
1592 return exCol;
1593 }
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607 private Artifact findInAllDeps(final List<ArtifactResult> allDeps, final Artifact unresolvedArtifact,
1608 final MavenProject project)
1609 throws DependencyNotFoundException {
1610 Artifact result = null;
1611 for (final ArtifactResult res : allDeps) {
1612 if (sameArtifact(res, unresolvedArtifact)) {
1613 result = res.getArtifact();
1614 break;
1615 }
1616 }
1617 if (result == null) {
1618 throw new DependencyNotFoundException(String.format("Expected dependency not found in resolved artifacts for "
1619 + "dependency %s of project-artifact %s", unresolvedArtifact, project.getArtifactId()));
1620 }
1621 return result;
1622 }
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633 private boolean sameArtifact(final ArtifactResult res, final Artifact unresolvedArtifact) {
1634 if (res == null || res.getArtifact() == null || unresolvedArtifact == null) {
1635 return false;
1636 }
1637 boolean result = Objects.equals(res.getArtifact().getGroupId(), unresolvedArtifact.getGroupId());
1638 result &= Objects.equals(res.getArtifact().getArtifactId(), unresolvedArtifact.getArtifactId());
1639
1640 if ("RELEASE".equals(unresolvedArtifact.getBaseVersion())) {
1641 result &= !res.getArtifact().isSnapshot();
1642 } else if (!"LATEST".equals(unresolvedArtifact.getBaseVersion())) {
1643 result &= Objects.equals(res.getArtifact().getBaseVersion(), unresolvedArtifact.getBaseVersion());
1644 }
1645 result &= Objects.equals(res.getArtifact().getClassifier(), unresolvedArtifact.getClassifier());
1646 result &= Objects.equals(res.getArtifact().getType(), unresolvedArtifact.getType());
1647 return result;
1648 }
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659 protected String createProjectReferenceName(MavenProject project, DependencyNode dependencyNode) {
1660 return project.getName() + ":" + dependencyNode.getArtifact().getScope();
1661 }
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676 private ExceptionCollection collectDependencies(Engine engine, MavenProject project,
1677 Map<DependencyNode, List<DependencyNode>> nodes, ProjectBuildingRequest buildingRequest, boolean aggregate) {
1678
1679 ExceptionCollection exCol;
1680 exCol = collectMavenDependencies(engine, project, nodes, buildingRequest, aggregate);
1681
1682 final List<FileSet> projectScan;
1683
1684 if (scanDirectory != null && !scanDirectory.isEmpty()) {
1685 if (scanSet == null) {
1686 scanSet = new ArrayList<>();
1687 }
1688 scanDirectory.forEach(d -> {
1689 final FileSet fs = new FileSet();
1690 fs.setDirectory(d);
1691 fs.addInclude(INCLUDE_ALL);
1692 scanSet.add(fs);
1693 });
1694 }
1695
1696 if (scanSet == null || scanSet.isEmpty()) {
1697
1698 final FileSet resourcesSet = new FileSet();
1699 final FileSet filtersSet = new FileSet();
1700 final FileSet webappSet = new FileSet();
1701 final FileSet mixedLangSet = new FileSet();
1702 try {
1703 resourcesSet.setDirectory(new File(project.getBasedir(), "src/main/resources").getCanonicalPath());
1704 resourcesSet.addInclude(INCLUDE_ALL);
1705 filtersSet.setDirectory(new File(project.getBasedir(), "src/main/filters").getCanonicalPath());
1706 filtersSet.addInclude(INCLUDE_ALL);
1707 webappSet.setDirectory(new File(project.getBasedir(), "src/main/webapp").getCanonicalPath());
1708 webappSet.addInclude(INCLUDE_ALL);
1709 mixedLangSet.setDirectory(project.getBasedir().getCanonicalPath());
1710 mixedLangSet.addInclude("package.json");
1711 mixedLangSet.addInclude("package-lock.json");
1712 mixedLangSet.addInclude("npm-shrinkwrap.json");
1713 mixedLangSet.addInclude("Gopkg.lock");
1714 mixedLangSet.addInclude("go.mod");
1715 mixedLangSet.addInclude("yarn.lock");
1716 mixedLangSet.addInclude("pnpm-lock.yaml");
1717 mixedLangSet.addExclude("/node_modules/");
1718 } catch (IOException ex) {
1719 if (exCol == null) {
1720 exCol = new ExceptionCollection();
1721 }
1722 exCol.addException(ex);
1723 }
1724 projectScan = new ArrayList<>();
1725 projectScan.add(resourcesSet);
1726 projectScan.add(filtersSet);
1727 projectScan.add(webappSet);
1728 projectScan.add(mixedLangSet);
1729
1730 } else if (aggregate) {
1731 projectScan = new ArrayList<>();
1732 for (FileSet copyFrom : scanSet) {
1733
1734 final FileSet fsCopy = new FileSet();
1735 final File f = new File(copyFrom.getDirectory());
1736 if (f.isAbsolute()) {
1737 fsCopy.setDirectory(copyFrom.getDirectory());
1738 } else {
1739 try {
1740 fsCopy.setDirectory(new File(project.getBasedir(), copyFrom.getDirectory()).getCanonicalPath());
1741 } catch (IOException ex) {
1742 if (exCol == null) {
1743 exCol = new ExceptionCollection();
1744 }
1745 exCol.addException(ex);
1746 fsCopy.setDirectory(copyFrom.getDirectory());
1747 }
1748 }
1749 fsCopy.setDirectoryMode(copyFrom.getDirectoryMode());
1750 fsCopy.setExcludes(copyFrom.getExcludes());
1751 fsCopy.setFileMode(copyFrom.getFileMode());
1752 fsCopy.setFollowSymlinks(copyFrom.isFollowSymlinks());
1753 fsCopy.setIncludes(copyFrom.getIncludes());
1754 fsCopy.setLineEnding(copyFrom.getLineEnding());
1755 fsCopy.setMapper(copyFrom.getMapper());
1756 fsCopy.setModelEncoding(copyFrom.getModelEncoding());
1757 fsCopy.setOutputDirectory(copyFrom.getOutputDirectory());
1758 fsCopy.setUseDefaultExcludes(copyFrom.isUseDefaultExcludes());
1759 projectScan.add(fsCopy);
1760 }
1761 } else {
1762 projectScan = scanSet;
1763 }
1764
1765
1766 final FileSetManager fileSetManager = new FileSetManager();
1767 for (FileSet fileSet : projectScan) {
1768 getLog().debug("Scanning fileSet: " + fileSet.getDirectory());
1769 final String[] includedFiles = fileSetManager.getIncludedFiles(fileSet);
1770 for (String include : includedFiles) {
1771 final File includeFile = new File(fileSet.getDirectory(), include).getAbsoluteFile();
1772 if (includeFile.exists()) {
1773 engine.scan(includeFile, project.getName());
1774 }
1775 }
1776 }
1777 return exCol;
1778 }
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791 private boolean addReactorDependency(Engine engine, Artifact artifact, final MavenProject depender) {
1792 return addVirtualDependencyFromReactor(engine, artifact, depender, "Unable to resolve %s as it has not been built yet "
1793 + "- creating a virtual dependency instead.");
1794 }
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810 private boolean addVirtualDependencyFromReactor(Engine engine, Artifact artifact,
1811 final MavenProject depender, String infoLogTemplate) {
1812
1813 getLog().debug(String.format("Checking the reactor projects (%d) for %s:%s:%s",
1814 reactorProjects.size(),
1815 artifact.getGroupId(), artifact.getArtifactId(), artifact.getVersion()));
1816
1817 for (MavenProject prj : reactorProjects) {
1818
1819 getLog().debug(String.format("Comparing %s:%s:%s to %s:%s:%s",
1820 artifact.getGroupId(), artifact.getArtifactId(), artifact.getBaseVersion(),
1821 prj.getGroupId(), prj.getArtifactId(), prj.getVersion()));
1822
1823 if (prj.getArtifactId().equals(artifact.getArtifactId())
1824 && prj.getGroupId().equals(artifact.getGroupId())
1825 && prj.getVersion().equals(artifact.getBaseVersion())) {
1826
1827 final String displayName = String.format("%s:%s:%s",
1828 prj.getGroupId(), prj.getArtifactId(), prj.getVersion());
1829 getLog().info(String.format(infoLogTemplate,
1830 displayName));
1831 final Dependency d = newDependency(prj);
1832 final String key = String.format("%s:%s:%s", prj.getGroupId(), prj.getArtifactId(), prj.getVersion());
1833 d.setSha1sum(Checksum.getSHA1Checksum(key));
1834 d.setSha256sum(Checksum.getSHA256Checksum(key));
1835 d.setMd5sum(Checksum.getMD5Checksum(key));
1836 d.setEcosystem(JarAnalyzer.DEPENDENCY_ECOSYSTEM);
1837 d.setDisplayFileName(displayName);
1838 d.addProjectReference(depender.getName());
1839 final String includedby = buildReference(
1840 depender.getGroupId(),
1841 depender.getArtifactId(),
1842 depender.getVersion());
1843 d.addIncludedBy(includedby);
1844 d.addEvidence(EvidenceType.PRODUCT, "project", "artifactid", prj.getArtifactId(), Confidence.HIGHEST);
1845 d.addEvidence(EvidenceType.VENDOR, "project", "artifactid", prj.getArtifactId(), Confidence.LOW);
1846
1847 d.addEvidence(EvidenceType.VENDOR, "project", "groupid", prj.getGroupId(), Confidence.HIGHEST);
1848 d.addEvidence(EvidenceType.PRODUCT, "project", "groupid", prj.getGroupId(), Confidence.LOW);
1849 d.setEcosystem(JarAnalyzer.DEPENDENCY_ECOSYSTEM);
1850 Identifier id;
1851 try {
1852 id = new PurlIdentifier(StandardTypes.MAVEN, artifact.getGroupId(),
1853 artifact.getArtifactId(), artifact.getVersion(), Confidence.HIGHEST);
1854 } catch (MalformedPackageURLException ex) {
1855 getLog().debug("Unable to create PackageURL object:" + key);
1856 id = new GenericIdentifier("maven:" + key, Confidence.HIGHEST);
1857 }
1858 d.addSoftwareIdentifier(id);
1859
1860 d.setName(String.format("%s:%s", prj.getGroupId(), prj.getArtifactId()));
1861 d.setVersion(prj.getVersion());
1862 d.setPackagePath(displayName);
1863 if (prj.getDescription() != null) {
1864 JarAnalyzer.addDescription(d, prj.getDescription(), "project", "description");
1865 }
1866 for (License l : prj.getLicenses()) {
1867 final StringBuilder license = new StringBuilder();
1868 if (l.getName() != null) {
1869 license.append(l.getName());
1870 }
1871 if (l.getUrl() != null) {
1872 license.append(" ").append(l.getUrl());
1873 }
1874 if (d.getLicense() == null) {
1875 d.setLicense(license.toString());
1876 } else if (!d.getLicense().contains(license)) {
1877 d.setLicense(String.format("%s%n%s", d.getLicense(), license));
1878 }
1879 }
1880 engine.addDependency(d);
1881 return true;
1882 }
1883 }
1884 return false;
1885 }
1886
1887 Dependency newDependency(MavenProject prj) {
1888 final File pom = new File(prj.getBasedir(), "pom.xml");
1889
1890 if (pom.isFile()) {
1891 getLog().debug("Adding virtual dependency from pom.xml");
1892 return new Dependency(pom, true);
1893 } else if (prj.getFile().isFile()) {
1894 getLog().debug("Adding virtual dependency from file");
1895 return new Dependency(prj.getFile(), true);
1896 } else {
1897 return new Dependency(true);
1898 }
1899 }
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912 private boolean addSnapshotReactorDependency(Engine engine, Artifact artifact, final MavenProject depender) {
1913 if (!artifact.isSnapshot()) {
1914 return false;
1915 }
1916 return addVirtualDependencyFromReactor(engine, artifact, depender, "Found snapshot reactor project in aggregate for %s - "
1917 + "creating a virtual dependency as the snapshot found in the repository may contain outdated dependencies.");
1918 }
1919
1920
1921
1922
1923
1924
1925
1926
1927 public ProjectBuildingRequest newResolveArtifactProjectBuildingRequest(MavenProject project, List<ArtifactRepository> repos) {
1928 final ProjectBuildingRequest buildingRequest = new DefaultProjectBuildingRequest(session.getProjectBuildingRequest());
1929 buildingRequest.setRemoteRepositories(repos);
1930 buildingRequest.setProject(project);
1931 return buildingRequest;
1932 }
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942 protected void runCheck() throws MojoExecutionException, MojoFailureException {
1943 muteNoisyLoggers();
1944 try (Engine engine = initializeEngine()) {
1945 ExceptionCollection exCol = null;
1946 if (scanDependencies) {
1947 exCol = scanDependencies(engine);
1948 }
1949 if (scanPlugins) {
1950 exCol = scanPlugins(engine, exCol);
1951 }
1952 try {
1953 engine.analyzeDependencies();
1954 } catch (ExceptionCollection ex) {
1955 exCol = handleAnalysisExceptions(exCol, ex);
1956 }
1957 if (exCol == null || !exCol.isFatal()) {
1958
1959 File outputDir = getCorrectOutputDirectory(this.getProject());
1960 if (outputDir == null) {
1961
1962
1963 outputDir = new File(this.getProject().getBuild().getDirectory());
1964 }
1965 try {
1966 final MavenProject p = this.getProject();
1967 for (String f : getFormats()) {
1968 engine.writeReports(p.getName(), p.getGroupId(), p.getArtifactId(), p.getVersion(), outputDir, f, exCol);
1969 }
1970 } catch (ReportException ex) {
1971 if (exCol == null) {
1972 exCol = new ExceptionCollection(ex);
1973 } else {
1974 exCol.addException(ex);
1975 }
1976 if (this.isFailOnError()) {
1977 throw new MojoExecutionException("One or more exceptions occurred during dependency-check analysis", exCol);
1978 } else {
1979 getLog().debug("Error writing the report", ex);
1980 }
1981 }
1982 showSummary(this.getProject(), engine.getDependencies());
1983 checkForFailure(engine.getDependencies());
1984 if (exCol != null && this.isFailOnError()) {
1985 throw new MojoExecutionException("One or more exceptions occurred during dependency-check analysis", exCol);
1986 }
1987 }
1988 } catch (DatabaseException ex) {
1989 if (getLog().isDebugEnabled()) {
1990 getLog().debug("Database connection error", ex);
1991 }
1992 final String msg = "An exception occurred connecting to the local database. Please see the log file for more details.";
1993 if (this.isFailOnError()) {
1994 throw new MojoExecutionException(msg, ex);
1995 }
1996 getLog().error(msg, ex);
1997 } finally {
1998 getSettings().cleanup();
1999 }
2000 }
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012 private ExceptionCollection handleAnalysisExceptions(ExceptionCollection currentEx, ExceptionCollection newEx) throws MojoExecutionException {
2013 ExceptionCollection returnEx = currentEx;
2014 if (returnEx == null) {
2015 returnEx = newEx;
2016 } else {
2017 returnEx.getExceptions().addAll(newEx.getExceptions());
2018 if (newEx.isFatal()) {
2019 returnEx.setFatal(true);
2020 }
2021 }
2022 if (returnEx.isFatal()) {
2023 final String msg = String.format("Fatal exception(s) analyzing %s", getProject().getName());
2024 if (this.isFailOnError()) {
2025 throw new MojoExecutionException(msg, returnEx);
2026 }
2027 getLog().error(msg);
2028 if (getLog().isDebugEnabled()) {
2029 getLog().debug(returnEx);
2030 }
2031 } else {
2032 final String msg = String.format("Exception(s) analyzing %s", getProject().getName());
2033 if (getLog().isDebugEnabled()) {
2034 getLog().debug(msg, returnEx);
2035 }
2036 }
2037 return returnEx;
2038 }
2039
2040
2041
2042
2043
2044
2045
2046
2047 protected abstract ExceptionCollection scanDependencies(Engine engine) throws MojoExecutionException;
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058 protected abstract ExceptionCollection scanPlugins(Engine engine, ExceptionCollection exCol) throws MojoExecutionException;
2059
2060
2061
2062
2063
2064
2065 @Override
2066 public File getReportOutputDirectory() {
2067 return reportOutputDirectory;
2068 }
2069
2070
2071
2072
2073
2074
2075 @Override
2076 public void setReportOutputDirectory(File directory) {
2077 reportOutputDirectory = directory;
2078 }
2079
2080
2081
2082
2083
2084
2085 public File getOutputDirectory() {
2086 return outputDirectory;
2087 }
2088
2089
2090
2091
2092
2093
2094
2095 @Override
2096 public final boolean isExternalReport() {
2097 return true;
2098 }
2099
2100
2101
2102
2103
2104
2105 @Override
2106 public String getOutputName() {
2107 final Set<String> selectedFormats = getFormats();
2108 if (selectedFormats.contains("HTML") || selectedFormats.contains("ALL") || selectedFormats.size() > 1) {
2109 return "dependency-check-report";
2110 } else if (selectedFormats.contains("JENKINS")) {
2111 return "dependency-check-jenkins.html";
2112 } else if (selectedFormats.contains("XML")) {
2113 return "dependency-check-report.xml";
2114 } else if (selectedFormats.contains("JUNIT")) {
2115 return "dependency-check-junit.xml";
2116 } else if (selectedFormats.contains("JSON")) {
2117 return "dependency-check-report.json";
2118 } else if (selectedFormats.contains("SARIF")) {
2119 return "dependency-check-report.sarif";
2120 } else if (selectedFormats.contains("CSV")) {
2121 return "dependency-check-report.csv";
2122 } else {
2123 getLog().warn("Unknown report format used during site generation.");
2124 return "dependency-check-report";
2125 }
2126 }
2127
2128
2129
2130
2131
2132
2133 @Override
2134 public String getCategoryName() {
2135 return MavenReport.CATEGORY_PROJECT_REPORTS;
2136 }
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147 protected Engine initializeEngine() throws DatabaseException {
2148 populateSettings();
2149 return new Engine(settings);
2150 }
2151
2152
2153
2154
2155
2156
2157
2158 protected void populateSettings() {
2159 settings = new Settings();
2160 InputStream mojoProperties = null;
2161 try {
2162 mojoProperties = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
2163 settings.mergeProperties(mojoProperties);
2164 } catch (IOException ex) {
2165 getLog().warn("Unable to load the dependency-check maven mojo.properties file.");
2166 if (getLog().isDebugEnabled()) {
2167 getLog().debug("", ex);
2168 }
2169 } finally {
2170 if (mojoProperties != null) {
2171 try {
2172 mojoProperties.close();
2173 } catch (IOException ex) {
2174 if (getLog().isDebugEnabled()) {
2175 getLog().debug("", ex);
2176 }
2177 }
2178 }
2179 }
2180 settings.setStringIfNotEmpty(Settings.KEYS.MAVEN_LOCAL_REPO, mavenSettings.getLocalRepository());
2181 settings.setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate);
2182 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, enableExperimental);
2183 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIRED_ENABLED, enableRetired);
2184 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_GOLANG_DEP_ENABLED, golangDepEnabled);
2185 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_GOLANG_MOD_ENABLED, golangModEnabled);
2186 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_DART_ENABLED, dartAnalyzerEnabled);
2187 settings.setStringIfNotNull(Settings.KEYS.ANALYZER_GOLANG_PATH, pathToGo);
2188 settings.setStringIfNotNull(Settings.KEYS.ANALYZER_YARN_PATH, pathToYarn);
2189 settings.setStringIfNotNull(Settings.KEYS.ANALYZER_PNPM_PATH, pathToPnpm);
2190
2191
2192 final Proxy mavenProxy = getMavenProxy();
2193 if (mavenProxy != null) {
2194 final String existing = System.getProperty("https.proxyHost");
2195 if (existing == null && mavenProxy.getHost() != null && !mavenProxy.getHost().isEmpty()) {
2196 System.setProperty("https.proxyHost", mavenProxy.getHost());
2197 if (mavenProxy.getPort() > 0) {
2198 System.setProperty("https.proxyPort", String.valueOf(mavenProxy.getPort()));
2199 }
2200 if (mavenProxy.getUsername() != null && !mavenProxy.getUsername().isEmpty()) {
2201 System.setProperty("https.proxyUser", mavenProxy.getUsername());
2202 }
2203 if (mavenProxy.getPassword() != null && !mavenProxy.getPassword().isEmpty()) {
2204 System.setProperty("https.proxyPassword", mavenProxy.getPassword());
2205 }
2206 if (mavenProxy.getNonProxyHosts() != null && !mavenProxy.getNonProxyHosts().isEmpty()) {
2207 System.setProperty("http.nonProxyHosts", mavenProxy.getNonProxyHosts());
2208 }
2209 }
2210
2211 settings.setString(Settings.KEYS.PROXY_SERVER, mavenProxy.getHost());
2212 settings.setString(Settings.KEYS.PROXY_PORT, Integer.toString(mavenProxy.getPort()));
2213 final String userName = mavenProxy.getUsername();
2214 String password = mavenProxy.getPassword();
2215 if (password != null && !password.isEmpty()) {
2216 if (settings.getBoolean(Settings.KEYS.PROXY_DISABLE_SCHEMAS, true)) {
2217 System.setProperty("jdk.http.auth.tunneling.disabledSchemes", "");
2218 }
2219 try {
2220 password = decryptPasswordFromSettings(password);
2221 } catch (SecDispatcherException ex) {
2222 password = handleSecDispatcherException("proxy", mavenProxy.getId(), password, ex);
2223 }
2224 }
2225 settings.setStringIfNotNull(Settings.KEYS.PROXY_USERNAME, userName);
2226 settings.setStringIfNotNull(Settings.KEYS.PROXY_PASSWORD, password);
2227 settings.setStringIfNotNull(Settings.KEYS.PROXY_NON_PROXY_HOSTS, mavenProxy.getNonProxyHosts());
2228 } else if (System.getProperty("http.proxyHost") != null) {
2229
2230 settings.setString(Settings.KEYS.PROXY_SERVER, System.getProperty("http.proxyHost", ""));
2231 if (System.getProperty("http.proxyPort") != null) {
2232 settings.setString(Settings.KEYS.PROXY_PORT, System.getProperty("http.proxyPort"));
2233 }
2234 if (System.getProperty("http.proxyUser") != null) {
2235 settings.setString(Settings.KEYS.PROXY_USERNAME, System.getProperty("http.proxyUser"));
2236 }
2237 if (System.getProperty("http.proxyPassword") != null) {
2238 settings.setString(Settings.KEYS.PROXY_PASSWORD, System.getProperty("http.proxyPassword"));
2239 }
2240 if (System.getProperty("http.nonProxyHosts") != null) {
2241 settings.setString(Settings.KEYS.PROXY_NON_PROXY_HOSTS, System.getProperty("http.nonProxyHosts"));
2242 }
2243 } else if (this.proxy != null && this.proxy.getHost() != null) {
2244
2245 settings.setString(Settings.KEYS.PROXY_SERVER, this.proxy.getHost());
2246 settings.setString(Settings.KEYS.PROXY_PORT, Integer.toString(this.proxy.getPort()));
2247
2248 configureServerCredentials(this.proxy.getServerId(), Settings.KEYS.PROXY_USERNAME, Settings.KEYS.PROXY_PASSWORD);
2249 }
2250
2251 final String[] suppressions = determineSuppressions();
2252 settings.setArrayIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressions);
2253 settings.setBooleanIfNotNull(Settings.KEYS.UPDATE_VERSION_CHECK_ENABLED, versionCheckEnabled);
2254 settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
2255 settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_READ_TIMEOUT, readTimeout);
2256 settings.setStringIfNotEmpty(Settings.KEYS.HINTS_FILE, hintsFile);
2257 settings.setFloat(Settings.KEYS.JUNIT_FAIL_ON_CVSS, junitFailOnCVSS);
2258 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
2259 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
2260 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUGETCONF_ENABLED, nugetconfAnalyzerEnabled);
2261 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_LIBMAN_ENABLED, libmanAnalyzerEnabled);
2262 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
2263 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_USE_CACHE, centralAnalyzerUseCache);
2264 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_ENABLED, artifactoryAnalyzerEnabled);
2265 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
2266 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, assemblyAnalyzerEnabled);
2267 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_MSBUILD_PROJECT_ENABLED, msbuildAnalyzerEnabled);
2268 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, archiveAnalyzerEnabled);
2269 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_KNOWN_EXPLOITED_ENABLED, knownExploitedEnabled);
2270 settings.setStringIfNotEmpty(Settings.KEYS.KEV_URL, knownExploitedUrl);
2271 settings.setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
2272 settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_DOTNET_PATH, pathToCore);
2273 settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
2274 configureServerCredentials(nexusServerId, Settings.KEYS.ANALYZER_NEXUS_USER, Settings.KEYS.ANALYZER_NEXUS_PASSWORD);
2275 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
2276 settings.setStringIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_URL, artifactoryAnalyzerUrl);
2277 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_USES_PROXY, artifactoryAnalyzerUseProxy);
2278 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_PARALLEL_ANALYSIS, artifactoryAnalyzerParallelAnalysis);
2279 if (Boolean.TRUE.equals(artifactoryAnalyzerEnabled)) {
2280 if (artifactoryAnalyzerServerId != null) {
2281 configureServerCredentials(artifactoryAnalyzerServerId, Settings.KEYS.ANALYZER_ARTIFACTORY_API_USERNAME,
2282 Settings.KEYS.ANALYZER_ARTIFACTORY_API_TOKEN);
2283 } else {
2284 settings.setStringIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_API_USERNAME, artifactoryAnalyzerUsername);
2285 settings.setStringIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_API_TOKEN, artifactoryAnalyzerApiToken);
2286 }
2287 settings.setStringIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_BEARER_TOKEN, artifactoryAnalyzerBearerToken);
2288 }
2289 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, pyDistributionAnalyzerEnabled);
2290 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, pyPackageAnalyzerEnabled);
2291 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, rubygemsAnalyzerEnabled);
2292 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, opensslAnalyzerEnabled);
2293 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CMAKE_ENABLED, cmakeAnalyzerEnabled);
2294 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
2295 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_MAVEN_INSTALL_ENABLED, mavenInstallAnalyzerEnabled);
2296 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PIP_ENABLED, pipAnalyzerEnabled);
2297 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PIPFILE_ENABLED, pipfileAnalyzerEnabled);
2298 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_POETRY_ENABLED, poetryAnalyzerEnabled);
2299 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
2300 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CPANFILE_ENABLED, cpanfileAnalyzerEnabled);
2301 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);
2302 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED, nodeAuditAnalyzerEnabled);
2303 settings.setStringIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_URL, nodeAuditAnalyzerUrl);
2304 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_USE_CACHE, nodeAuditAnalyzerUseCache);
2305 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_SKIPDEV, nodePackageSkipDevDependencies);
2306 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_SKIPDEV, nodeAuditSkipDevDependencies);
2307 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_YARN_AUDIT_ENABLED, yarnAuditAnalyzerEnabled);
2308 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PNPM_AUDIT_ENABLED, pnpmAuditAnalyzerEnabled);
2309 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_ENABLED, retireJsAnalyzerEnabled);
2310 settings.setStringIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_REPO_JS_URL, retireJsUrl);
2311 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_FORCEUPDATE, retireJsForceUpdate);
2312 if (retireJsUser == null && retireJsPassword == null && retireJsUrlServerId != null) {
2313 configureServerCredentials(retireJsUrlServerId, Settings.KEYS.ANALYZER_RETIREJS_REPO_JS_USER, Settings.KEYS.ANALYZER_RETIREJS_REPO_JS_PASSWORD);
2314 } else {
2315 settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_RETIREJS_REPO_JS_USER, retireJsUser);
2316 settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_RETIREJS_REPO_JS_PASSWORD, retireJsPassword);
2317 }
2318 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_MIX_AUDIT_ENABLED, mixAuditAnalyzerEnabled);
2319 settings.setStringIfNotNull(Settings.KEYS.ANALYZER_MIX_AUDIT_PATH, mixAuditPath);
2320 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, bundleAuditAnalyzerEnabled);
2321 settings.setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, bundleAuditPath);
2322 settings.setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_WORKING_DIRECTORY, bundleAuditWorkingDirectory);
2323 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COCOAPODS_ENABLED, cocoapodsAnalyzerEnabled);
2324 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED, swiftPackageManagerAnalyzerEnabled);
2325 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_RESOLVED_ENABLED, swiftPackageResolvedAnalyzerEnabled);
2326 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_ENABLED, ossindexAnalyzerEnabled);
2327 settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_URL, ossindexAnalyzerUrl);
2328 configureServerCredentials(ossIndexServerId, Settings.KEYS.ANALYZER_OSSINDEX_USER, Settings.KEYS.ANALYZER_OSSINDEX_PASSWORD);
2329 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_USE_CACHE, ossindexAnalyzerUseCache);
2330 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, ossIndexWarnOnlyOnRemoteErrors);
2331 if (retirejs != null) {
2332 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_FILTER_NON_VULNERABLE, retirejs.getFilterNonVulnerable());
2333 settings.setArrayIfNotEmpty(Settings.KEYS.ANALYZER_RETIREJS_FILTERS, retirejs.getFilters());
2334 }
2335
2336 settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
2337 settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
2338 settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
2339 if (databaseUser == null && databasePassword == null && serverId != null) {
2340 configureServerCredentials(serverId, Settings.KEYS.DB_USER, Settings.KEYS.DB_PASSWORD);
2341 } else {
2342 settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
2343 settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
2344 }
2345 settings.setStringIfNotEmpty(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
2346 settings.setStringIfNotEmpty(Settings.KEYS.DB_FILE_NAME, dbFilename);
2347 settings.setStringIfNotNull(Settings.KEYS.NVD_API_ENDPOINT, nvdApiEndpoint);
2348 settings.setIntIfNotNull(Settings.KEYS.NVD_API_DELAY, nvdApiDelay);
2349 settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_DATAFEED_URL, nvdDatafeedUrl);
2350 settings.setIntIfNotNull(Settings.KEYS.NVD_API_VALID_FOR_HOURS, nvdValidForHours);
2351 settings.setIntIfNotNull(Settings.KEYS.NVD_API_MAX_RETRY_COUNT, nvdMaxRetryCount);
2352 if (nvdApiKey == null) {
2353 if (nvdApiKeyEnvironmentVariable != null) {
2354 settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_KEY, System.getenv(nvdApiKeyEnvironmentVariable));
2355 getLog().debug("Using NVD API key from environment variable " + nvdApiKeyEnvironmentVariable);
2356 } else if (nvdApiServerId != null) {
2357 configureServerCredentialsApiKey(nvdApiServerId, Settings.KEYS.NVD_API_KEY);
2358 getLog().debug("Using NVD API key from server's password with id " + nvdApiServerId + " in settings.xml");
2359 }
2360 } else {
2361 settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_KEY, nvdApiKey);
2362 }
2363 if (nvdUser == null && nvdPassword == null && nvdDatafeedServerId != null) {
2364 configureServerCredentials(nvdDatafeedServerId, Settings.KEYS.NVD_API_DATAFEED_USER, Settings.KEYS.NVD_API_DATAFEED_PASSWORD);
2365 } else {
2366 settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_DATAFEED_USER, nvdUser);
2367 settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_DATAFEED_PASSWORD, nvdPassword);
2368 }
2369 settings.setBooleanIfNotNull(Settings.KEYS.PRETTY_PRINT, prettyPrint);
2370 artifactScopeExcluded = new ArtifactScopeExcluded(skipTestScope, skipProvidedScope, skipSystemScope, skipRuntimeScope);
2371 artifactTypeExcluded = new ArtifactTypeExcluded(skipArtifactType);
2372 if (suppressionFileUser == null && suppressionFilePassword == null && suppressionFileServerId != null) {
2373 configureServerCredentials(suppressionFileServerId, Settings.KEYS.SUPPRESSION_FILE_USER, Settings.KEYS.SUPPRESSION_FILE_PASSWORD);
2374 } else {
2375 settings.setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE_USER, suppressionFileUser);
2376 settings.setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE_PASSWORD, suppressionFilePassword);
2377 }
2378 settings.setIntIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_VALID_FOR_HOURS, hostedSuppressionsValidForHours);
2379 settings.setStringIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_URL, hostedSuppressionsUrl);
2380 settings.setBooleanIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_FORCEUPDATE, hostedSuppressionsForceUpdate);
2381 settings.setBooleanIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_ENABLED, hostedSuppressionsEnabled);
2382 }
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394 private void configureServerCredentials(String serverId, String userSettingKey, String passwordSettingKey) {
2395 if (serverId != null) {
2396 final Server server = settingsXml.getServer(serverId);
2397 if (server != null) {
2398 final String username = server.getUsername();
2399 String password = null;
2400 try {
2401 password = decryptPasswordFromSettings(server.getPassword());
2402 } catch (SecDispatcherException ex) {
2403 password = handleSecDispatcherException("server", serverId, server.getPassword(), ex);
2404 }
2405 settings.setStringIfNotEmpty(userSettingKey, username);
2406 settings.setStringIfNotEmpty(passwordSettingKey, password);
2407 } else {
2408 getLog().error(String.format("Server '%s' not found in the settings.xml file", serverId));
2409 }
2410 }
2411 }
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421 private void configureServerCredentialsApiKey(String serverId, String apiKeySetting) {
2422 if (serverId != null) {
2423 final Server server = settingsXml.getServer(serverId);
2424 if (server != null) {
2425 String password = null;
2426 try {
2427 password = decryptPasswordFromSettings(server.getPassword());
2428 } catch (SecDispatcherException ex) {
2429 password = handleSecDispatcherException("server", serverId, server.getPassword(), ex);
2430 }
2431 settings.setStringIfNotEmpty(apiKeySetting, password);
2432 } else {
2433 getLog().error(String.format("Server '%s' not found in the settings.xml file", serverId));
2434 }
2435 }
2436 }
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447 private String decryptPasswordFromSettings(String password) throws SecDispatcherException {
2448
2449
2450
2451
2452
2453
2454
2455 if (securityDispatcher instanceof DefaultSecDispatcher) {
2456 ((DefaultSecDispatcher) securityDispatcher).setConfigurationFile("~/.m2/settings-security.xml");
2457 }
2458
2459 return securityDispatcher.decrypt(password);
2460 }
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475 private String handleSecDispatcherException(String settingsElementName, String settingsElementId, String passwordValueFromSettings,
2476 SecDispatcherException ex) {
2477 String password = passwordValueFromSettings;
2478 if (ex.getCause() instanceof FileNotFoundException
2479 || (ex.getCause() != null && ex.getCause().getCause() instanceof FileNotFoundException)) {
2480
2481 final String tmp = passwordValueFromSettings;
2482 if (tmp.startsWith("{") && tmp.endsWith("}")) {
2483 getLog().error(String.format(
2484 "Unable to decrypt the %s password for %s id '%s' in settings.xml%n\tCause: %s",
2485 settingsElementName, settingsElementName, settingsElementId, ex.getMessage()));
2486 } else {
2487 password = tmp;
2488 }
2489 } else {
2490 getLog().error(String.format(
2491 "Unable to decrypt the %s password for %s id '%s' in settings.xml%n\tCause: %s",
2492 settingsElementName, settingsElementName, settingsElementId, ex.getMessage()));
2493 }
2494 return password;
2495 }
2496
2497
2498
2499
2500
2501
2502
2503 private String[] determineSuppressions() {
2504 String[] suppressions = suppressionFiles;
2505 if (suppressionFile != null) {
2506 if (suppressions == null) {
2507 suppressions = new String[]{suppressionFile};
2508 } else {
2509 suppressions = Arrays.copyOf(suppressions, suppressions.length + 1);
2510 suppressions[suppressions.length - 1] = suppressionFile;
2511 }
2512 }
2513 return suppressions;
2514 }
2515
2516
2517
2518
2519 private void muteNoisyLoggers() {
2520 System.setProperty("jcs.logSystem", "slf4j");
2521 if (!getLog().isDebugEnabled()) {
2522 Slf4jAdapter.muteLogging(true);
2523 }
2524
2525 final String[] noisyLoggers = {
2526 "org.apache.hc"
2527 };
2528 for (String loggerName : noisyLoggers) {
2529 System.setProperty("org.slf4j.simpleLogger.log." + loggerName, "error");
2530 }
2531 }
2532
2533
2534
2535
2536
2537
2538 private Proxy getMavenProxy() {
2539 if (mavenSettings != null) {
2540 final List<Proxy> proxies = mavenSettings.getProxies();
2541 if (proxies != null && !proxies.isEmpty()) {
2542 if (mavenSettingsProxyId != null) {
2543 for (Proxy proxy : proxies) {
2544 if (mavenSettingsProxyId.equalsIgnoreCase(proxy.getId())) {
2545 return proxy;
2546 }
2547 }
2548 } else {
2549 for (Proxy aProxy : proxies) {
2550 if (aProxy.isActive()) {
2551 return aProxy;
2552 }
2553 }
2554 }
2555 }
2556 }
2557 return null;
2558 }
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570 protected MavenProject getProject() {
2571 return project;
2572 }
2573
2574
2575
2576
2577
2578
2579 protected List<MavenProject> getReactorProjects() {
2580 return reactorProjects;
2581 }
2582
2583
2584
2585
2586
2587
2588 private Set<String> getFormats() {
2589 final Set<String> invalid = new HashSet<>();
2590 final Set<String> selectedFormats = formats == null || formats.length == 0 ? new HashSet<>() : new HashSet<>(Arrays.asList(formats));
2591 selectedFormats.forEach((s) -> {
2592 try {
2593 ReportGenerator.Format.valueOf(s.toUpperCase());
2594 } catch (IllegalArgumentException ex) {
2595 invalid.add(s);
2596 }
2597 });
2598 invalid.forEach((s) -> getLog().warn("Invalid report format specified: " + s));
2599 if (selectedFormats.contains("true")) {
2600 selectedFormats.remove("true");
2601 }
2602 if (format != null && selectedFormats.isEmpty()) {
2603 selectedFormats.add(format);
2604 }
2605 return selectedFormats;
2606 }
2607
2608
2609
2610
2611
2612
2613
2614 public List<String> getExcludes() {
2615 if (excludes == null) {
2616 excludes = new ArrayList<>();
2617 }
2618 return excludes;
2619 }
2620
2621
2622
2623
2624
2625
2626 protected Filter<String> getArtifactScopeExcluded() {
2627 return artifactScopeExcluded;
2628 }
2629
2630
2631
2632
2633
2634
2635 protected Settings getSettings() {
2636 return settings;
2637 }
2638
2639
2640
2641
2642
2643
2644
2645
2646
2647
2648 protected void checkForFailure(Dependency[] dependencies) throws MojoFailureException {
2649 final StringBuilder ids = new StringBuilder();
2650 for (Dependency d : dependencies) {
2651 boolean addName = true;
2652 for (Vulnerability v : d.getVulnerabilities()) {
2653 final Double cvssV2 = v.getCvssV2() != null && v.getCvssV2().getCvssData() != null && v.getCvssV2().getCvssData().getBaseScore() != null ? v.getCvssV2().getCvssData().getBaseScore() : -1;
2654 final Double cvssV3 = v.getCvssV3() != null && v.getCvssV3().getCvssData() != null && v.getCvssV3().getCvssData().getBaseScore() != null ? v.getCvssV3().getCvssData().getBaseScore() : -1;
2655 final Double unscoredCvss = v.getUnscoredSeverity() != null ? SeverityUtil.estimateCvssV2(v.getUnscoredSeverity()) : -1;
2656
2657 if (failBuildOnAnyVulnerability || cvssV2 >= failBuildOnCVSS
2658 || cvssV3 >= failBuildOnCVSS
2659 || unscoredCvss >= failBuildOnCVSS
2660
2661 || (failBuildOnCVSS <= 0.0)) {
2662 String name = v.getName();
2663 if (cvssV3 >= 0.0) {
2664 name += "(" + cvssV3 + ")";
2665 } else if (cvssV2 >= 0.0) {
2666 name += "(" + cvssV2 + ")";
2667 } else if (unscoredCvss >= 0.0) {
2668 name += "(" + unscoredCvss + ")";
2669 }
2670 if (addName) {
2671 addName = false;
2672 ids.append(NEW_LINE).append(d.getFileName()).append(": ");
2673 ids.append(name);
2674 } else {
2675 ids.append(", ").append(name);
2676 }
2677 }
2678 }
2679 }
2680 if (ids.length() > 0) {
2681 final String msg;
2682 if (showSummary) {
2683 if (failBuildOnAnyVulnerability) {
2684 msg = String.format("%n%nOne or more dependencies were identified with vulnerabilities: %n%s%n%n"
2685 + "See the dependency-check report for more details.%n%n", ids);
2686 } else {
2687 msg = String.format("%n%nOne or more dependencies were identified with vulnerabilities that have a CVSS score greater than or "
2688 + "equal to '%.1f': %n%s%n%nSee the dependency-check report for more details.%n%n", failBuildOnCVSS, ids);
2689 }
2690 } else {
2691 msg = String.format("%n%nOne or more dependencies were identified with vulnerabilities.%n%n"
2692 + "See the dependency-check report for more details.%n%n");
2693 }
2694 throw new MojoFailureException(msg);
2695 }
2696 }
2697
2698
2699
2700
2701
2702
2703
2704
2705 protected void showSummary(MavenProject mp, Dependency[] dependencies) {
2706 if (showSummary) {
2707 DependencyCheckScanAgent.showSummary(mp.getName(), dependencies);
2708 }
2709 }
2710
2711
2712
2713 private ExceptionCollection scanDependencyNode(DependencyNode dependencyNode, DependencyNode root,
2714 Engine engine, MavenProject project, List<ArtifactResult> allResolvedDeps,
2715 ProjectBuildingRequest buildingRequest, boolean aggregate, ExceptionCollection exceptionCollection) {
2716 ExceptionCollection exCol = exceptionCollection;
2717 if (artifactScopeExcluded.passes(dependencyNode.getArtifact().getScope())
2718 || artifactTypeExcluded.passes(dependencyNode.getArtifact().getType())) {
2719 return exCol;
2720 }
2721
2722 boolean isResolved = false;
2723 File artifactFile = null;
2724 String artifactId = null;
2725 String groupId = null;
2726 String version = null;
2727 List<ArtifactVersion> availableVersions = null;
2728 if (org.apache.maven.artifact.Artifact.SCOPE_SYSTEM.equals(dependencyNode.getArtifact().getScope())) {
2729 final Artifact a = dependencyNode.getArtifact();
2730 if (a.isResolved() && a.getFile().isFile()) {
2731 artifactFile = a.getFile();
2732 isResolved = artifactFile.isFile();
2733 groupId = a.getGroupId();
2734 artifactId = a.getArtifactId();
2735 version = a.getVersion();
2736 availableVersions = a.getAvailableVersions();
2737 } else {
2738 for (org.apache.maven.model.Dependency d : project.getDependencies()) {
2739 if (d.getSystemPath() != null && artifactsMatch(d, a)) {
2740 artifactFile = new File(d.getSystemPath());
2741 isResolved = artifactFile.isFile();
2742 groupId = a.getGroupId();
2743 artifactId = a.getArtifactId();
2744 version = a.getVersion();
2745 availableVersions = a.getAvailableVersions();
2746 break;
2747 }
2748 }
2749 }
2750 Throwable ignored = null;
2751 if (!isResolved) {
2752
2753
2754 try {
2755 tryResolutionOnce(project, allResolvedDeps, buildingRequest);
2756 final Artifact result = findInAllDeps(allResolvedDeps, dependencyNode.getArtifact(), project);
2757 isResolved = result.isResolved();
2758 artifactFile = result.getFile();
2759 groupId = result.getGroupId();
2760 artifactId = result.getArtifactId();
2761 version = result.getVersion();
2762 availableVersions = result.getAvailableVersions();
2763 } catch (DependencyNotFoundException | DependencyResolverException e) {
2764 getLog().warn("Error performing last-resort System-scoped dependency resolution: " + e.getMessage());
2765 ignored = e;
2766 }
2767 }
2768 if (!isResolved) {
2769 final StringBuilder message = new StringBuilder("Unable to resolve system scoped dependency: ");
2770 if (artifactFile != null) {
2771 message.append(dependencyNode.toNodeString()).append(" at path ").append(artifactFile);
2772 } else {
2773 message.append(dependencyNode.toNodeString()).append(" at path ").append(a.getFile());
2774 }
2775 getLog().error(message);
2776 if (exCol == null) {
2777 exCol = new ExceptionCollection();
2778 }
2779 final Exception thrown = new DependencyNotFoundException(message.toString());
2780 if (ignored != null) {
2781 thrown.addSuppressed(ignored);
2782 }
2783 exCol.addException(thrown);
2784 }
2785 } else {
2786 final Artifact dependencyArtifact = dependencyNode.getArtifact();
2787 final Artifact result;
2788 if (dependencyArtifact.isResolved()) {
2789
2790
2791
2792 getLog().debug(String.format("Skipping artifact %s, already resolved", dependencyArtifact.getArtifactId()));
2793 result = dependencyArtifact;
2794 } else {
2795 try {
2796 tryResolutionOnce(project, allResolvedDeps, buildingRequest);
2797 result = findInAllDeps(allResolvedDeps, dependencyNode.getArtifact(), project);
2798 } catch (DependencyNotFoundException | DependencyResolverException ex) {
2799 getLog().debug(String.format("Aggregate : %s", aggregate));
2800 boolean addException = true;
2801
2802 if (!aggregate) {
2803
2804 } else if (addReactorDependency(engine, dependencyNode.getArtifact(), project)) {
2805
2806 addException = false;
2807 }
2808 if (addException) {
2809 if (exCol == null) {
2810 exCol = new ExceptionCollection();
2811 }
2812 exCol.addException(ex);
2813 }
2814 return exCol;
2815 }
2816 }
2817 if (aggregate && virtualSnapshotsFromReactor
2818 && dependencyNode.getArtifact().isSnapshot()
2819 && addSnapshotReactorDependency(engine, dependencyNode.getArtifact(), project)) {
2820 return exCol;
2821 }
2822 isResolved = result.isResolved();
2823 artifactFile = result.getFile();
2824 groupId = result.getGroupId();
2825 artifactId = result.getArtifactId();
2826 version = result.getVersion();
2827 availableVersions = result.getAvailableVersions();
2828 }
2829 if (isResolved && artifactFile != null) {
2830 final List<Dependency> deps = engine.scan(artifactFile.getAbsoluteFile(),
2831 createProjectReferenceName(project, dependencyNode));
2832 if (deps != null) {
2833 processResolvedArtifact(artifactFile, deps, groupId, artifactId, version, root, project, availableVersions, dependencyNode);
2834 } else if ("import".equals(dependencyNode.getArtifact().getScope())) {
2835 final String msg = String.format("Skipping '%s:%s' in project %s as it uses an `import` scope",
2836 dependencyNode.getArtifact().getId(), dependencyNode.getArtifact().getScope(), project.getName());
2837 getLog().debug(msg);
2838 } else if ("pom".equals(dependencyNode.getArtifact().getType())) {
2839 exCol = processPomArtifact(artifactFile, root, project, engine, exCol);
2840 } else {
2841 if (!scannedFiles.contains(artifactFile)) {
2842 final String msg = String.format("No analyzer could be found or the artifact has been scanned twice for '%s:%s' in project %s",
2843 dependencyNode.getArtifact().getId(), dependencyNode.getArtifact().getScope(), project.getName());
2844 getLog().warn(msg);
2845 }
2846 }
2847 } else {
2848 final String msg = String.format("Unable to resolve '%s' in project %s",
2849 dependencyNode.getArtifact().getId(), project.getName());
2850 getLog().debug(msg);
2851 if (exCol == null) {
2852 exCol = new ExceptionCollection();
2853 }
2854 }
2855 return exCol;
2856 }
2857
2858
2859
2860
2861
2862
2863
2864
2865
2866
2867
2868
2869
2870
2871
2872
2873
2874
2875
2876
2877 private void tryResolutionOnce(MavenProject project, List<ArtifactResult> allResolvedDeps, ProjectBuildingRequest buildingRequest) throws DependencyResolverException {
2878 if (allResolvedDeps.isEmpty()) {
2879 try {
2880 final List<org.apache.maven.model.Dependency> dependencies = project.getDependencies();
2881 final List<org.apache.maven.model.Dependency> managedDependencies = project
2882 .getDependencyManagement() == null ? null : project.getDependencyManagement().getDependencies();
2883 final Iterable<ArtifactResult> allDeps = dependencyResolver
2884 .resolveDependencies(buildingRequest, dependencies, managedDependencies, null);
2885 allDeps.forEach(allResolvedDeps::add);
2886 } catch (DependencyResolverException dre) {
2887 if (dre.getCause() instanceof org.eclipse.aether.resolution.DependencyResolutionException) {
2888 final List<ArtifactResult> successResults = Mshared998Util
2889 .getResolutionResults((org.eclipse.aether.resolution.DependencyResolutionException) dre.getCause());
2890 allResolvedDeps.addAll(successResults);
2891 } else {
2892 throw dre;
2893 }
2894 }
2895 }
2896 }
2897
2898
2899
2900 private void processResolvedArtifact(File artifactFile, final List<Dependency> deps,
2901 String groupId, String artifactId, String version, DependencyNode root,
2902 MavenProject project1, List<ArtifactVersion> availableVersions,
2903 DependencyNode dependencyNode) {
2904 scannedFiles.add(artifactFile);
2905 Dependency d = null;
2906 if (deps.size() == 1) {
2907 d = deps.get(0);
2908
2909 } else {
2910 for (Dependency possible : deps) {
2911 if (artifactFile.getAbsoluteFile().equals(possible.getActualFile())) {
2912 d = possible;
2913 break;
2914 }
2915 }
2916 for (Dependency dep : deps) {
2917 if (d != null && d != dep) {
2918 final String includedBy = buildReference(groupId, artifactId, version);
2919 dep.addIncludedBy(includedBy);
2920 }
2921 }
2922 }
2923 if (d != null) {
2924 final MavenArtifact ma = new MavenArtifact(groupId, artifactId, version);
2925 d.addAsEvidence("pom", ma, Confidence.HIGHEST);
2926 if (root != null) {
2927 final String includedby = buildReference(
2928 root.getArtifact().getGroupId(),
2929 root.getArtifact().getArtifactId(),
2930 root.getArtifact().getVersion());
2931 d.addIncludedBy(includedby);
2932 } else {
2933 final String includedby = buildReference(project1.getGroupId(), project1.getArtifactId(), project1.getVersion());
2934 d.addIncludedBy(includedby);
2935 }
2936 if (availableVersions != null) {
2937 for (ArtifactVersion av : availableVersions) {
2938 d.addAvailableVersion(av.toString());
2939 }
2940 }
2941 getLog().debug(String.format("Adding project reference %s on dependency %s", project1.getName(), d.getDisplayFileName()));
2942 } else if (getLog().isDebugEnabled()) {
2943 final String msg = String.format("More than 1 dependency was identified in first pass scan of '%s' in project %s", dependencyNode.getArtifact().getId(), project1.getName());
2944 getLog().debug(msg);
2945 }
2946 }
2947
2948
2949 private ExceptionCollection processPomArtifact(File artifactFile, DependencyNode root,
2950 MavenProject project1, Engine engine, ExceptionCollection exCollection) {
2951 ExceptionCollection exCol = exCollection;
2952 try {
2953 final Dependency d = new Dependency(artifactFile.getAbsoluteFile());
2954 final Model pom = PomUtils.readPom(artifactFile.getAbsoluteFile());
2955 JarAnalyzer.setPomEvidence(d, pom, null, true);
2956 if (root != null) {
2957 final String includedby = buildReference(
2958 root.getArtifact().getGroupId(),
2959 root.getArtifact().getArtifactId(),
2960 root.getArtifact().getVersion());
2961 d.addIncludedBy(includedby);
2962 } else {
2963 final String includedby = buildReference(project1.getGroupId(), project1.getArtifactId(), project1.getVersion());
2964 d.addIncludedBy(includedby);
2965 }
2966 engine.addDependency(d);
2967 } catch (AnalysisException ex) {
2968 if (exCol == null) {
2969 exCol = new ExceptionCollection();
2970 }
2971 exCol.addException(ex);
2972 getLog().debug("Error reading pom " + artifactFile.getAbsoluteFile(), ex);
2973 }
2974 return exCol;
2975 }
2976
2977 }
2978