View Javadoc
1   /*
2    * This file is part of dependency-check-maven.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.maven;
19  
20  import com.github.packageurl.MalformedPackageURLException;
21  import com.github.packageurl.PackageURL.StandardTypes;
22  import com.github.packageurl.PackageURL;
23  import io.github.jeremylong.jcs3.slf4j.Slf4jAdapter;
24  import java.util.stream.Collectors;
25  import java.util.stream.Stream;
26  
27  import org.apache.commons.lang3.StringUtils;
28  import org.apache.maven.artifact.Artifact;
29  import org.apache.maven.artifact.DefaultArtifact;
30  import org.apache.maven.artifact.handler.DefaultArtifactHandler;
31  import org.apache.maven.artifact.versioning.ArtifactVersion;
32  import org.apache.maven.doxia.sink.Sink;
33  import org.apache.maven.execution.MavenSession;
34  import org.apache.maven.model.License;
35  import org.apache.maven.plugin.AbstractMojo;
36  import org.apache.maven.plugin.MojoExecutionException;
37  import org.apache.maven.plugin.MojoFailureException;
38  import org.apache.maven.plugins.annotations.Component;
39  import org.apache.maven.plugins.annotations.Parameter;
40  import org.apache.maven.project.DefaultProjectBuildingRequest;
41  import org.apache.maven.project.MavenProject;
42  import org.apache.maven.project.ProjectBuildingRequest;
43  import org.apache.maven.reporting.MavenReport;
44  import org.apache.maven.reporting.MavenReportException;
45  import org.apache.maven.settings.Proxy;
46  import org.apache.maven.settings.Server;
47  import org.apache.maven.settings.building.SettingsProblem;
48  import org.apache.maven.settings.crypto.DefaultSettingsDecryptionRequest;
49  import org.apache.maven.settings.crypto.SettingsDecrypter;
50  import org.apache.maven.settings.crypto.SettingsDecryptionResult;
51  import org.apache.maven.shared.transfer.artifact.DefaultArtifactCoordinate;
52  import org.apache.maven.shared.transfer.artifact.resolve.ArtifactResolver;
53  import org.apache.maven.shared.transfer.artifact.resolve.ArtifactResolverException;
54  import org.apache.maven.shared.transfer.artifact.resolve.ArtifactResult;
55  import org.apache.maven.shared.transfer.dependencies.resolve.DependencyResolver;
56  import org.apache.maven.shared.transfer.dependencies.resolve.DependencyResolverException;
57  import org.eclipse.aether.artifact.ArtifactType;
58  import org.apache.maven.shared.artifact.filter.PatternExcludesArtifactFilter;
59  import org.apache.maven.shared.dependency.graph.DependencyGraphBuilder;
60  import org.apache.maven.shared.dependency.graph.DependencyGraphBuilderException;
61  import org.apache.maven.shared.dependency.graph.DependencyNode;
62  import org.apache.maven.shared.dependency.graph.filter.ArtifactDependencyNodeFilter;
63  import org.apache.maven.shared.dependency.graph.internal.DefaultDependencyNode;
64  import org.apache.maven.shared.model.fileset.FileSet;
65  import org.apache.maven.shared.model.fileset.util.FileSetManager;
66  import org.owasp.dependencycheck.Engine;
67  import org.owasp.dependencycheck.analyzer.JarAnalyzer;
68  import org.owasp.dependencycheck.data.nexus.MavenArtifact;
69  import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
70  import org.owasp.dependencycheck.dependency.Confidence;
71  import org.owasp.dependencycheck.dependency.Dependency;
72  import org.owasp.dependencycheck.dependency.EvidenceType;
73  import org.owasp.dependencycheck.dependency.Vulnerability;
74  import org.owasp.dependencycheck.exception.DependencyNotFoundException;
75  import org.owasp.dependencycheck.exception.ExceptionCollection;
76  import org.owasp.dependencycheck.exception.InitializationException;
77  import org.owasp.dependencycheck.exception.ReportException;
78  import org.owasp.dependencycheck.utils.Checksum;
79  import org.owasp.dependencycheck.utils.Filter;
80  import org.owasp.dependencycheck.utils.Downloader;
81  import org.owasp.dependencycheck.utils.InvalidSettingException;
82  import org.owasp.dependencycheck.utils.Settings;
83  
84  import java.io.File;
85  import java.io.IOException;
86  import java.io.InputStream;
87  import java.util.ArrayList;
88  import java.util.Arrays;
89  import java.util.Collections;
90  import java.util.HashSet;
91  import java.util.List;
92  import java.util.Locale;
93  import java.util.Map;
94  import java.util.Objects;
95  import java.util.Optional;
96  import java.util.Set;
97  import org.apache.maven.artifact.repository.ArtifactRepository;
98  
99  import org.apache.maven.artifact.resolver.filter.ExcludesArtifactFilter;
100 import org.apache.maven.artifact.versioning.InvalidVersionSpecificationException;
101 import org.apache.maven.artifact.versioning.Restriction;
102 import org.apache.maven.artifact.versioning.VersionRange;
103 
104 import org.owasp.dependencycheck.agent.DependencyCheckScanAgent;
105 import org.owasp.dependencycheck.dependency.naming.GenericIdentifier;
106 import org.owasp.dependencycheck.dependency.naming.Identifier;
107 import org.owasp.dependencycheck.dependency.naming.PurlIdentifier;
108 import org.apache.maven.shared.dependency.graph.traversal.DependencyNodeVisitor;
109 import org.apache.maven.shared.dependency.graph.traversal.FilteringDependencyNodeVisitor;
110 import org.apache.maven.shared.transfer.dependencies.DefaultDependableCoordinate;
111 import org.apache.maven.shared.transfer.dependencies.DependableCoordinate;
112 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
113 import org.owasp.dependencycheck.reporting.ReportGenerator;
114 import org.owasp.dependencycheck.utils.SeverityUtil;
115 import org.owasp.dependencycheck.xml.pom.Model;
116 import org.owasp.dependencycheck.xml.pom.PomUtils;
117 
118 //CSOFF: FileLength
119 /**
120  * @author Jeremy Long
121  */
122 public abstract class BaseDependencyCheckMojo extends AbstractMojo implements MavenReport {
123 
124     //<editor-fold defaultstate="collapsed" desc="Private fields">
125     /**
126      * The properties file location.
127      */
128     private static final String PROPERTIES_FILE = "mojo.properties";
129     /**
130      * System specific new line character.
131      */
132     private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();
133     /**
134      * Pattern to include all files in a FileSet.
135      */
136     private static final String INCLUDE_ALL = "**/*";
137     /**
138      * Constant for the HTTPS protocol string.
139      */
140     public static final String PROTOCOL_HTTPS = "https";
141     /**
142      * Constant for the HTTP protocol string.
143      */
144     public static final String PROTOCOL_HTTP = "http";
145     /**
146      * A flag indicating whether or not the Maven site is being generated.
147      */
148     private boolean generatingSite = false;
149     /**
150      * The configured settings.
151      */
152     private Settings settings = null;
153     /**
154      * The list of files that have been scanned.
155      */
156     private final List<File> scannedFiles = new ArrayList<>();
157     //</editor-fold>
158     // <editor-fold defaultstate="collapsed" desc="Maven bound parameters and components">
159     /**
160      * Sets whether or not the mojo should fail if an error occurs.
161      */
162     @SuppressWarnings("CanBeFinal")
163     @Parameter(property = "failOnError", defaultValue = "true", required = true)
164     private boolean failOnError;
165 
166     /**
167      * The Maven Project Object.
168      */
169     @SuppressWarnings("CanBeFinal")
170     @Parameter(property = "project", required = true, readonly = true)
171     private MavenProject project;
172     /**
173      * List of Maven project of the current build
174      */
175     @SuppressWarnings("CanBeFinal")
176     @Parameter(readonly = true, required = true, property = "reactorProjects")
177     private List<MavenProject> reactorProjects;
178     /**
179      * The entry point towards a Maven version independent way of resolving
180      * artifacts (handles both Maven 3.0 Sonatype and Maven 3.1+ eclipse Aether
181      * implementations).
182      */
183     @SuppressWarnings("CanBeFinal")
184     @Component
185     private ArtifactResolver artifactResolver;
186     /**
187      * The entry point towards a Maven version independent way of resolving
188      * dependencies (handles both Maven 3.0 Sonatype and Maven 3.1+ eclipse
189      * Aether implementations). Contrary to the ArtifactResolver this resolver
190      * also takes into account the additional repositories defined in the
191      * dependency-path towards transitive dependencies.
192      */
193     @SuppressWarnings("CanBeFinal")
194     @Component
195     private DependencyResolver dependencyResolver;
196 
197     /**
198      * The Maven Session.
199      */
200     @SuppressWarnings("CanBeFinal")
201     @Parameter(defaultValue = "${session}", readonly = true, required = true)
202     private MavenSession session;
203 
204     /**
205      * Component within Maven to build the dependency graph.
206      */
207     @Component
208     private DependencyGraphBuilder dependencyGraphBuilder;
209 
210     /**
211      * The output directory. This generally maps to "target".
212      */
213     @SuppressWarnings("CanBeFinal")
214     @Parameter(defaultValue = "${project.build.directory}", required = true, property = "odc.outputDirectory")
215     private File outputDirectory;
216     /**
217      * This is a reference to the &gt;reporting&lt; sections
218      * <code>outputDirectory</code>. This cannot be configured in the
219      * dependency-check mojo directly. This generally maps to "target/site".
220      */
221     @Parameter(property = "project.reporting.outputDirectory", readonly = true)
222     private File reportOutputDirectory;
223     /**
224      * Specifies if the build should be failed if a CVSS score above a specified
225      * level is identified. The default is 11 which means since the CVSS scores
226      * are 0-10, by default the build will never fail.
227      */
228     @SuppressWarnings("CanBeFinal")
229     @Parameter(property = "failBuildOnCVSS", defaultValue = "11", required = true)
230     private float failBuildOnCVSS = 11f;
231     /**
232      * Specifies the CVSS score that is considered a "test" failure when
233      * generating a jUnit style report. The default value is 0 - all
234      * vulnerabilities are considered a failure.
235      */
236     @SuppressWarnings("CanBeFinal")
237     @Parameter(property = "junitFailOnCVSS", defaultValue = "0", required = true)
238     private float junitFailOnCVSS = 0;
239     /**
240      * Fail the build if any dependency has a vulnerability listed.
241      *
242      * @deprecated use {@link BaseDependencyCheckMojo#failBuildOnCVSS} with a
243      * value of 0 instead
244      */
245     @SuppressWarnings("CanBeFinal")
246     @Parameter(property = "failBuildOnAnyVulnerability", defaultValue = "false", required = true)
247     @Deprecated
248     private boolean failBuildOnAnyVulnerability = false;
249     /**
250      * Sets whether auto-updating of the NVD CVE data is enabled. It is not
251      * recommended that this be turned to false. Default is true.
252      */
253     @SuppressWarnings("CanBeFinal")
254     @Parameter(property = "autoUpdate")
255     private Boolean autoUpdate;
256     /**
257      * Sets whether Experimental analyzers are enabled. Default is false.
258      */
259     @SuppressWarnings("CanBeFinal")
260     @Parameter(property = "enableExperimental")
261     private Boolean enableExperimental;
262     /**
263      * Sets whether retired analyzers are enabled. Default is false.
264      */
265     @SuppressWarnings("CanBeFinal")
266     @Parameter(property = "enableRetired")
267     private Boolean enableRetired;
268     /**
269      * Sets whether the Golang Dependency analyzer is enabled. Default is true.
270      */
271     @SuppressWarnings("CanBeFinal")
272     @Parameter(property = "golangDepEnabled")
273     private Boolean golangDepEnabled;
274     /**
275      * Sets whether Golang Module Analyzer is enabled; this requires `go` to be
276      * installed. Default is true.
277      */
278     @SuppressWarnings("CanBeFinal")
279     @Parameter(property = "golangModEnabled")
280     private Boolean golangModEnabled;
281     /**
282      * Sets the path to `go`.
283      */
284     @SuppressWarnings("CanBeFinal")
285     @Parameter(property = "pathToGo")
286     private String pathToGo;
287 
288     /**
289      * Sets the path to `yarn`.
290      */
291     @SuppressWarnings("CanBeFinal")
292     @Parameter(property = "pathToYarn")
293     private String pathToYarn;
294     /**
295      * Sets the path to `pnpm`.
296      */
297     @SuppressWarnings("CanBeFinal")
298     @Parameter(property = "pathToPnpm")
299     private String pathToPnpm;
300     /**
301      * Use pom dependency information for snapshot dependencies that are part of
302      * the Maven reactor while aggregate scanning a multi-module project.
303      */
304     @Parameter(property = "dependency-check.virtualSnapshotsFromReactor", defaultValue = "true")
305     private Boolean virtualSnapshotsFromReactor;
306     /**
307      * The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF,
308      * JENKINS, GITLAB, ALL). Multiple formats can be selected using a comma
309      * delineated list.
310      */
311     @SuppressWarnings("CanBeFinal")
312     @Parameter(property = "format", defaultValue = "HTML", required = true)
313     private String format = "HTML";
314 
315     /**
316      * Whether or not the XML and JSON report formats should be pretty printed.
317      * The default is false.
318      */
319     @Parameter(property = "prettyPrint")
320     private Boolean prettyPrint;
321     /**
322      * The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF,
323      * JENKINS, GITLAB, ALL). Multiple formats can be selected using a comma
324      * delineated list.
325      */
326     @Parameter(property = "formats", required = true)
327     private String[] formats;
328     /**
329      * The Maven settings.
330      */
331     @SuppressWarnings("CanBeFinal")
332     @Parameter(property = "mavenSettings", defaultValue = "${settings}")
333     private org.apache.maven.settings.Settings mavenSettings;
334 
335     /**
336      * The maven settings proxy id.
337      */
338     @SuppressWarnings("CanBeFinal")
339     @Parameter(property = "mavenSettingsProxyId")
340     private String mavenSettingsProxyId;
341 
342     /**
343      * The Connection Timeout.
344      */
345     @SuppressWarnings("CanBeFinal")
346     @Parameter(property = "connectionTimeout")
347     private String connectionTimeout;
348     /**
349      * The Read Timeout.
350      */
351     @SuppressWarnings("CanBeFinal")
352     @Parameter(property = "readTimeout")
353     private String readTimeout;
354     /**
355      * Sets whether dependency-check should check if there is a new version
356      * available.
357      */
358     @SuppressWarnings("CanBeFinal")
359     @Parameter(property = "versionCheckEnabled", defaultValue = "true")
360     private boolean versionCheckEnabled;
361     /**
362      * The paths to the suppression files. The parameter value can be a local
363      * file path, a URL to a suppression file, or even a reference to a file on
364      * the class path (see
365      * https://github.com/jeremylong/DependencyCheck/issues/1878#issuecomment-487533799)
366      */
367     @SuppressWarnings("CanBeFinal")
368     @Parameter(property = "suppressionFiles")
369     private String[] suppressionFiles;
370     /**
371      * The paths to the suppression file. The parameter value can be a local
372      * file path, a URL to a suppression file, or even a reference to a file on
373      * the class path (see
374      * https://github.com/jeremylong/DependencyCheck/issues/1878#issuecomment-487533799)
375      */
376     @SuppressWarnings("CanBeFinal")
377     @Parameter(property = "suppressionFile")
378     private String suppressionFile;
379     /**
380      * The username used when connecting to the suppressionFiles.
381      */
382     @Parameter(property = "suppressionFileUser")
383     private String suppressionFileUser;
384     /**
385      * The password used for Basic auth to the suppressionFiles. The `suppressionFileServerId` with user/password should be used instead otherwise maven debug logging could expose the password.
386      */
387     @Parameter(property = "suppressionFilePassword")
388     private String suppressionFilePassword;
389     /**
390      * The token used for Bearer auth to the suppressionFiles. The `suppressionFileServerId` with only password should be used instead otherwise maven debug logging could expose the token.
391      */
392     @Parameter(property = "suppressionFileBearerToken")
393     private String suppressionFileBearerToken;
394     /**
395      * The server id in the settings.xml; used to retrieve encrypted passwords
396      * from the settings.xml for suppressionFile(s).
397      */
398     @SuppressWarnings("CanBeFinal")
399     @Parameter(property = "suppressionFileServerId")
400     private String suppressionFileServerId;
401     /**
402      * The path to the hints file.
403      */
404     @SuppressWarnings("CanBeFinal")
405     @Parameter(property = "hintsFile")
406     private String hintsFile;
407 
408     /**
409      * Flag indicating whether or not to show a summary in the output.
410      */
411     @SuppressWarnings("CanBeFinal")
412     @Parameter(property = "showSummary", defaultValue = "true")
413     private boolean showSummary = true;
414 
415     /**
416      * Whether or not the Jar Analyzer is enabled.
417      */
418     @SuppressWarnings("CanBeFinal")
419     @Parameter(property = "jarAnalyzerEnabled")
420     private Boolean jarAnalyzerEnabled;
421 
422     /**
423      * Sets whether the Dart analyzer is enabled. Default is true.
424      */
425     @SuppressWarnings("CanBeFinal")
426     @Parameter(property = "dartAnalyzerEnabled")
427     private Boolean dartAnalyzerEnabled;
428 
429     /**
430      * Whether or not the Archive Analyzer is enabled.
431      */
432     @SuppressWarnings("CanBeFinal")
433     @Parameter(property = "archiveAnalyzerEnabled")
434     private Boolean archiveAnalyzerEnabled;
435     /**
436      * Whether or not the Known Exploited Vulnerability Analyzer is enabled.
437      */
438     @SuppressWarnings("CanBeFinal")
439     @Parameter(property = "knownExploitedEnabled")
440     private Boolean knownExploitedEnabled;
441     /**
442      * The URL to the CISA Known Exploited Vulnerabilities JSON datafeed.
443      */
444     @SuppressWarnings("CanBeFinal")
445     @Parameter(property = "knownExploitedUrl")
446     private String knownExploitedUrl;
447     /**
448      * The server id in the settings.xml; used to retrieve encrypted passwords
449      * from the settings.xml for mirror of CISA Known Exploited Vulnerabilities JSON datafeed.
450      * Credentials with only a password will be used for Bearer auth, credentials with both user and password for Basic auth.
451      */
452     @SuppressWarnings("CanBeFinal")
453     @Parameter(property = "knownExploitedServerId")
454     private String knownExploitedServerId;
455     /**
456      * The username for basic auth mirror of CISA Known Exploited Vulnerabilities JSON datafeed. A `knownExploitedServerId` with user/password set should be used instead otherwise maven debug logging could expose the password.
457      */
458     @SuppressWarnings("CanBeFinal")
459     @Parameter(property = "knownExploitedUser")
460     private String knownExploitedUser;
461     /**
462      * The password for basic auth mirror of CISA Known Exploited Vulnerabilities JSON datafeed. A `knownExploitedServerId` with user/password set should be used instead otherwise maven debug logging could expose the password.
463      */
464     @SuppressWarnings("CanBeFinal")
465     @Parameter(property = "knownExploitedPassword")
466     private String knownExploitedPassword;
467     /**
468      * The token for bearer auth mirror of CISA Known Exploited Vulnerabilities JSON datafeed. A `knownExploitedServerId` with only password set should be used instead otherwise maven debug logging could expose the token.
469      */
470     @SuppressWarnings("CanBeFinal")
471     @Parameter(property = "knownExploitedBearerToken")
472     private String knownExploitedBearerToken;
473     /**
474      * Sets whether the Python Distribution Analyzer will be used.
475      */
476     @SuppressWarnings("CanBeFinal")
477     @Parameter(property = "pyDistributionAnalyzerEnabled")
478     private Boolean pyDistributionAnalyzerEnabled;
479     /**
480      * Sets whether the Python Package Analyzer will be used.
481      */
482     @Parameter(property = "pyPackageAnalyzerEnabled")
483     private Boolean pyPackageAnalyzerEnabled;
484     /**
485      * Sets whether the Ruby Gemspec Analyzer will be used.
486      */
487     @SuppressWarnings("CanBeFinal")
488     @Parameter(property = "rubygemsAnalyzerEnabled")
489     private Boolean rubygemsAnalyzerEnabled;
490     /**
491      * Sets whether or not the openssl Analyzer should be used.
492      */
493     @SuppressWarnings("CanBeFinal")
494     @Parameter(property = "opensslAnalyzerEnabled")
495     private Boolean opensslAnalyzerEnabled;
496     /**
497      * Sets whether or not the CMake Analyzer should be used.
498      */
499     @SuppressWarnings("CanBeFinal")
500     @Parameter(property = "cmakeAnalyzerEnabled")
501     private Boolean cmakeAnalyzerEnabled;
502     /**
503      * Sets whether or not the autoconf Analyzer should be used.
504      */
505     @SuppressWarnings("CanBeFinal")
506     @Parameter(property = "autoconfAnalyzerEnabled")
507     private Boolean autoconfAnalyzerEnabled;
508     /**
509      * Sets whether or not the Maven install Analyzer should be used.
510      */
511     @SuppressWarnings("CanBeFinal")
512     @Parameter(property = "mavenInstallAnalyzerEnabled")
513     private Boolean mavenInstallAnalyzerEnabled;
514     /**
515      * Sets whether or not the pip Analyzer should be used.
516      */
517     @SuppressWarnings("CanBeFinal")
518     @Parameter(property = "pipAnalyzerEnabled")
519     private Boolean pipAnalyzerEnabled;
520     /**
521      * Sets whether or not the pipfile Analyzer should be used.
522      */
523     @SuppressWarnings("CanBeFinal")
524     @Parameter(property = "pipfileAnalyzerEnabled")
525     private Boolean pipfileAnalyzerEnabled;
526     /**
527      * Sets whether or not the poetry Analyzer should be used.
528      */
529     @SuppressWarnings("CanBeFinal")
530     @Parameter(property = "poetryAnalyzerEnabled")
531     private Boolean poetryAnalyzerEnabled;
532     /**
533      * Sets whether or not the PHP Composer Lock File Analyzer should be used.
534      */
535     @Parameter(property = "composerAnalyzerEnabled")
536     private Boolean composerAnalyzerEnabled;
537     /**
538      * Sets whether or not the PHP Composer Lock File Analyzer will scan "packages-dev".
539      */
540     @Parameter(property = "composerAnalyzerSkipDev")
541     private boolean composerAnalyzerSkipDev;
542     /**
543      * Whether or not the Perl CPAN File Analyzer is enabled.
544      */
545     @Parameter(property = "cpanfileAnalyzerEnabled")
546     private Boolean cpanfileAnalyzerEnabled;
547     /**
548      * Sets whether or not the Node.js Analyzer should be used.
549      */
550     @SuppressWarnings("CanBeFinal")
551     @Parameter(property = "nodeAnalyzerEnabled")
552     private Boolean nodeAnalyzerEnabled;
553     /**
554      * Sets whether or not the Node Audit Analyzer should be used.
555      */
556     @SuppressWarnings("CanBeFinal")
557     @Parameter(property = "nodeAuditAnalyzerEnabled")
558     private Boolean nodeAuditAnalyzerEnabled;
559 
560     /**
561      * The Node Audit API URL for the Node Audit Analyzer.
562      */
563     @SuppressWarnings("CanBeFinal")
564     @Parameter(property = "nodeAuditAnalyzerUrl")
565     private String nodeAuditAnalyzerUrl;
566 
567     /**
568      * Sets whether or not the Yarn Audit Analyzer should be used.
569      */
570     @SuppressWarnings("CanBeFinal")
571     @Parameter(property = "yarnAuditAnalyzerEnabled")
572     private Boolean yarnAuditAnalyzerEnabled;
573 
574     /**
575      * Sets whether or not the Pnpm Audit Analyzer should be used.
576      */
577     @SuppressWarnings("CanBeFinal")
578     @Parameter(property = "pnpmAuditAnalyzerEnabled")
579     private Boolean pnpmAuditAnalyzerEnabled;
580 
581     /**
582      * Sets whether or not the Node Audit Analyzer should use a local cache.
583      */
584     @SuppressWarnings("CanBeFinal")
585     @Parameter(property = "nodeAuditAnalyzerUseCache")
586     private Boolean nodeAuditAnalyzerUseCache;
587     /**
588      * Sets whether or not the Node Audit Analyzer should skip devDependencies.
589      */
590     @SuppressWarnings("CanBeFinal")
591     @Parameter(property = "nodeAuditSkipDevDependencies")
592     private Boolean nodeAuditSkipDevDependencies;
593     /**
594      * Sets whether or not the Node.js Analyzer should skip devDependencies.
595      */
596     @SuppressWarnings("CanBeFinal")
597     @Parameter(property = "nodePackageSkipDevDependencies")
598     private Boolean nodePackageSkipDevDependencies;
599     /**
600      * Sets whether or not the Retirejs Analyzer should be used.
601      */
602     @SuppressWarnings("CanBeFinal")
603     @Parameter(property = "retireJsAnalyzerEnabled")
604     private Boolean retireJsAnalyzerEnabled;
605     /**
606      * The Retire JS repository URL.
607      */
608     @SuppressWarnings("CanBeFinal")
609     @Parameter(property = "retireJsUrl")
610     private String retireJsUrl;
611     /**
612      * The username for Basic auth to the retireJsUrl.
613      */
614     @Parameter(property = "retireJsUser")
615     private String retireJsUser;
616     /**
617      * The password for Basic auth to the retireJsUrl. The `retireJsUrlServerId` with user/password set should be used instead otherwise maven debug logging could expose the password.
618      */
619     @Parameter(property = "retireJsPassword")
620     private String retireJsPassword;
621     /**
622      * The token for Bearer auth to the retireJsUrl. The `retireJsUrlServerId` with only password set should be used instead otherwise maven debug logging could expose the token.
623      */
624     @Parameter(property = "retireJsBearerToken")
625     private String retireJsBearerToken;
626     /**
627      * The server id in the settings.xml; used to retrieve encrypted passwords
628      * from the settings.xml for retireJsUrl.
629      */
630     @SuppressWarnings("CanBeFinal")
631     @Parameter(property = "retireJsUrlServerId")
632     private String retireJsUrlServerId;
633     /**
634      * Whether the Retire JS repository will be updated regardless of the
635      * `autoupdate` settings.
636      */
637     @SuppressWarnings("CanBeFinal")
638     @Parameter(property = "retireJsForceUpdate")
639     private Boolean retireJsForceUpdate;
640     /**
641      * Whether or not the .NET Assembly Analyzer is enabled.
642      */
643     @Parameter(property = "assemblyAnalyzerEnabled")
644     private Boolean assemblyAnalyzerEnabled;
645     /**
646      * Whether or not the MS Build Analyzer is enabled.
647      */
648     @Parameter(property = "msbuildAnalyzerEnabled")
649     private Boolean msbuildAnalyzerEnabled;
650     /**
651      * Whether or not the .NET Nuspec Analyzer is enabled.
652      */
653     @SuppressWarnings("CanBeFinal")
654     @Parameter(property = "nuspecAnalyzerEnabled")
655     private Boolean nuspecAnalyzerEnabled;
656 
657     /**
658      * Whether or not the .NET packages.config Analyzer is enabled.
659      */
660     @SuppressWarnings("CanBeFinal")
661     @Parameter(property = "nugetconfAnalyzerEnabled")
662     private Boolean nugetconfAnalyzerEnabled;
663 
664     /**
665      * Whether or not the Libman Analyzer is enabled.
666      */
667     @SuppressWarnings("CanBeFinal")
668     @Parameter(property = "libmanAnalyzerEnabled")
669     private Boolean libmanAnalyzerEnabled;
670 
671     /**
672      * Whether or not the Central Analyzer is enabled.
673      */
674     @SuppressWarnings("CanBeFinal")
675     @Parameter(property = "centralAnalyzerEnabled")
676     private Boolean centralAnalyzerEnabled;
677 
678     /**
679      * Whether or not the Central Analyzer should use a local cache.
680      */
681     @SuppressWarnings("CanBeFinal")
682     @Parameter(property = "centralAnalyzerUseCache")
683     private Boolean centralAnalyzerUseCache;
684 
685     /**
686      * Whether or not the Artifactory Analyzer is enabled.
687      */
688     @SuppressWarnings("CanBeFinal")
689     @Parameter(property = "artifactoryAnalyzerEnabled")
690     private Boolean artifactoryAnalyzerEnabled;
691     /**
692      * The serverId inside the settings.xml containing the username and token to
693      * access artifactory
694      */
695     @SuppressWarnings("CanBeFinal")
696     @Parameter(property = "artifactoryAnalyzerServerId")
697     private String artifactoryAnalyzerServerId;
698     /**
699      * The username (only used with API token) to connect to Artifactory
700      * instance
701      */
702     @SuppressWarnings("CanBeFinal")
703     @Parameter(property = "artifactoryAnalyzerUsername")
704     private String artifactoryAnalyzerUsername;
705     /**
706      * The API token to connect to Artifactory instance
707      */
708     @SuppressWarnings("CanBeFinal")
709     @Parameter(property = "artifactoryAnalyzerApiToken")
710     private String artifactoryAnalyzerApiToken;
711     /**
712      * The bearer token to connect to Artifactory instance
713      */
714     @SuppressWarnings("CanBeFinal")
715     @Parameter(property = "artifactoryAnalyzerBearerToken")
716     private String artifactoryAnalyzerBearerToken;
717     /**
718      * The Artifactory URL for the Artifactory analyzer.
719      */
720     @SuppressWarnings("CanBeFinal")
721     @Parameter(property = "artifactoryAnalyzerUrl")
722     private String artifactoryAnalyzerUrl;
723     /**
724      * Whether Artifactory should be accessed through a proxy or not
725      */
726     @SuppressWarnings("CanBeFinal")
727     @Parameter(property = "artifactoryAnalyzerUseProxy")
728     private Boolean artifactoryAnalyzerUseProxy;
729     /**
730      * Whether the Artifactory analyzer should be run in parallel or not.
731      */
732     @SuppressWarnings("CanBeFinal")
733     @Parameter(property = "artifactoryAnalyzerParallelAnalysis", defaultValue = "true")
734     private Boolean artifactoryAnalyzerParallelAnalysis;
735     /**
736      * Whether the Unused Suppression Rule analyzer should fail if there are unused rules.
737      */
738     @SuppressWarnings("CanBeFinal")
739     @Parameter(property = "failBuildOnUnusedSuppressionRule", defaultValue = "false")
740     private Boolean failBuildOnUnusedSuppressionRule;
741     /**
742      * Whether or not the Nexus Analyzer is enabled.
743      */
744     @SuppressWarnings("CanBeFinal")
745     @Parameter(property = "nexusAnalyzerEnabled")
746     private Boolean nexusAnalyzerEnabled;
747 
748     /**
749      * Whether or not the Sonatype OSS Index analyzer is enabled.
750      */
751     @SuppressWarnings("CanBeFinal")
752     @Parameter(property = "ossindexAnalyzerEnabled")
753     private Boolean ossindexAnalyzerEnabled;
754     /**
755      * Whether or not the Sonatype OSS Index analyzer should cache results.
756      */
757     @SuppressWarnings("CanBeFinal")
758     @Parameter(property = "ossindexAnalyzerUseCache")
759     private Boolean ossindexAnalyzerUseCache;
760     /**
761      * URL of the Sonatype OSS Index service.
762      */
763     @SuppressWarnings("CanBeFinal")
764     @Parameter(property = "ossindexAnalyzerUrl")
765     private String ossindexAnalyzerUrl;
766 
767     /**
768      * The id of a server defined in the settings.xml that configures the
769      * credentials (username and password) for a OSS Index service.
770      */
771     @SuppressWarnings("CanBeFinal")
772     @Parameter(property = "ossIndexServerId")
773     private String ossIndexServerId;
774 
775     /**
776      * Whether we should only warn about Sonatype OSS Index remote errors
777      * instead of failing the goal completely.
778      */
779     @SuppressWarnings("CanBeFinal")
780     @Parameter(property = "ossIndexWarnOnlyOnRemoteErrors")
781     private Boolean ossIndexWarnOnlyOnRemoteErrors;
782 
783     /**
784      * Whether or not the Elixir Mix Audit Analyzer is enabled.
785      */
786     @Parameter(property = "mixAuditAnalyzerEnabled")
787     private Boolean mixAuditAnalyzerEnabled;
788 
789     /**
790      * Sets the path for the mix_audit binary.
791      */
792     @SuppressWarnings("CanBeFinal")
793     @Parameter(property = "mixAuditPath")
794     private String mixAuditPath;
795 
796     /**
797      * Whether or not the Ruby Bundle Audit Analyzer is enabled.
798      */
799     @Parameter(property = "bundleAuditAnalyzerEnabled")
800     private Boolean bundleAuditAnalyzerEnabled;
801 
802     /**
803      * Sets the path for the bundle-audit binary.
804      */
805     @SuppressWarnings("CanBeFinal")
806     @Parameter(property = "bundleAuditPath")
807     private String bundleAuditPath;
808 
809     /**
810      * Sets the path for the working directory that the bundle-audit binary
811      * should be executed from.
812      */
813     @SuppressWarnings("CanBeFinal")
814     @Parameter(property = "bundleAuditWorkingDirectory")
815     private String bundleAuditWorkingDirectory;
816 
817     /**
818      * Whether or not the CocoaPods Analyzer is enabled.
819      */
820     @SuppressWarnings("CanBeFinal")
821     @Parameter(property = "cocoapodsAnalyzerEnabled")
822     private Boolean cocoapodsAnalyzerEnabled;
823 
824     /**
825      * Whether or not the Carthage Analyzer is enabled.
826      */
827     @SuppressWarnings("CanBeFinal")
828     @Parameter(property = "carthageAnalyzerEnabled")
829     private Boolean carthageAnalyzerEnabled;
830 
831     /**
832      * Whether or not the Swift package Analyzer is enabled.
833      */
834     @SuppressWarnings("CanBeFinal")
835     @Parameter(property = "swiftPackageManagerAnalyzerEnabled")
836     private Boolean swiftPackageManagerAnalyzerEnabled;
837     /**
838      * Whether or not the Swift package resolved Analyzer is enabled.
839      */
840     @SuppressWarnings("CanBeFinal")
841     @Parameter(property = "swiftPackageResolvedAnalyzerEnabled")
842     private Boolean swiftPackageResolvedAnalyzerEnabled;
843     /**
844      * The URL of a Nexus server's REST API end point
845      * (http://domain/nexus/service/local).
846      */
847     @SuppressWarnings("CanBeFinal")
848     @Parameter(property = "nexusUrl")
849     private String nexusUrl;
850     /**
851      * The id of a server defined in the settings.xml that configures the
852      * credentials (username and password) for a Nexus server's REST API end
853      * point. When not specified the communication with the Nexus server's REST
854      * API will be unauthenticated.
855      */
856     @SuppressWarnings("CanBeFinal")
857     @Parameter(property = "nexusServerId")
858     private String nexusServerId;
859     /**
860      * Whether or not the configured proxy is used to connect to Nexus.
861      */
862     @SuppressWarnings("CanBeFinal")
863     @Parameter(property = "nexusUsesProxy")
864     private Boolean nexusUsesProxy;
865     /**
866      * The database connection string.
867      */
868     @SuppressWarnings("CanBeFinal")
869     @Parameter(property = "connectionString")
870     private String connectionString;
871 
872     /**
873      * The database driver name. An example would be org.h2.Driver.
874      */
875     @SuppressWarnings("CanBeFinal")
876     @Parameter(property = "databaseDriverName")
877     private String databaseDriverName;
878     /**
879      * The path to the database driver if it is not on the class path.
880      */
881     @SuppressWarnings("CanBeFinal")
882     @Parameter(property = "databaseDriverPath")
883     private String databaseDriverPath;
884     /**
885      * A reference to the settings.xml settings.
886      */
887     @SuppressWarnings("CanBeFinal")
888     @Parameter(defaultValue = "${settings}", readonly = true, required = true)
889     private org.apache.maven.settings.Settings settingsXml;
890 
891     /**
892      * The settingsDecryptor from Maven to decrypt passwords from Settings.xml servers section
893      */
894     @Component
895     private SettingsDecrypter settingsDecrypter;
896 
897     /**
898      * The database user name.
899      */
900     @Parameter(property = "databaseUser")
901     private String databaseUser;
902     /**
903      * The password to use when connecting to the database. The `serverId` should be used instead otherwise maven debug logging could expose the password.
904      */
905     @Parameter(property = "databasePassword")
906     private String databasePassword;
907     /**
908      * A comma-separated list of file extensions to add to analysis next to jar,
909      * zip, ....
910      */
911     @SuppressWarnings("CanBeFinal")
912     @Parameter(property = "zipExtensions")
913     private String zipExtensions;
914     /**
915      * Skip Dependency Check altogether.
916      */
917     @SuppressWarnings("CanBeFinal")
918     @Parameter(property = "dependency-check.skip", defaultValue = "false")
919     private boolean skip = false;
920     /**
921      * Skip Analysis for Test Scope Dependencies.
922      */
923     @SuppressWarnings("CanBeFinal")
924     @Parameter(property = "skipTestScope", defaultValue = "true")
925     private boolean skipTestScope = true;
926     /**
927      * Skip Analysis for Runtime Scope Dependencies.
928      */
929     @SuppressWarnings("CanBeFinal")
930     @Parameter(property = "skipRuntimeScope", defaultValue = "false")
931     private boolean skipRuntimeScope = false;
932     /**
933      * Skip Analysis for Provided Scope Dependencies.
934      */
935     @SuppressWarnings("CanBeFinal")
936     @Parameter(property = "skipProvidedScope", defaultValue = "false")
937     private boolean skipProvidedScope = false;
938 
939     /**
940      * Skip Analysis for System Scope Dependencies.
941      */
942     @SuppressWarnings("CanBeFinal")
943     @Parameter(property = "skipSystemScope", defaultValue = "false")
944     private boolean skipSystemScope = false;
945 
946     /**
947      * Skip Analysis for dependencyManagement section.
948      */
949     @SuppressWarnings("CanBeFinal")
950     @Parameter(property = "skipDependencyManagement", defaultValue = "true")
951     private boolean skipDependencyManagement = true;
952 
953     /**
954      * Skip analysis for dependencies which type matches this regular
955      * expression. This filters on the `type` of dependency as defined in the
956      * dependency section: jar, pom, test-jar, etc.
957      */
958     @SuppressWarnings("CanBeFinal")
959     @Parameter(property = "skipArtifactType")
960     private String skipArtifactType;
961 
962     /**
963      * The data directory, hold DC SQL DB.
964      */
965     @SuppressWarnings("CanBeFinal")
966     @Parameter(property = "dataDirectory")
967     private String dataDirectory;
968 
969     /**
970      * The name of the DC DB.
971      */
972     @SuppressWarnings("CanBeFinal")
973     @Parameter(property = "dbFilename")
974     private String dbFilename;
975     /**
976      * The server id in the settings.xml; used to retrieve encrypted passwords
977      * from the settings.xml. This is used for the database username and
978      * password.
979      */
980     @SuppressWarnings("CanBeFinal")
981     @Parameter(property = "serverId")
982     private String serverId;
983     /**
984      * The NVD API Key. The parameters {@link #nvdApiKeyEnvironmentVariable} or {@link #nvdApiServerId} should be used instead otherwise
985      * Maven debug logging could expose the API Key (see <a href="https://github.com/advisories/GHSA-qqhq-8r2c-c3f5">GHSA-qqhq-8r2c-c3f5</a>).
986      * This takes precedence over {@link #nvdApiServerId} and {@link #nvdApiKeyEnvironmentVariable}.
987      */
988     @SuppressWarnings("CanBeFinal")
989     @Parameter(property = "nvdApiKey")
990     private String nvdApiKey;
991     /**
992      * The maximum number of retry requests for a single call to the NVD API.
993      */
994     @SuppressWarnings("CanBeFinal")
995     @Parameter(property = "nvdMaxRetryCount")
996     private Integer nvdMaxRetryCount;
997     /**
998      * The server id in the settings.xml; used to retrieve encrypted API Key
999      * from the settings.xml for the NVD API Key. Note that the password is used
1000      * as the API Key.
1001      * Is potentially overwritten by {@link #nvdApiKeyEnvironmentVariable} or {@link #nvdApiKey}.
1002      */
1003     @SuppressWarnings("CanBeFinal")
1004     @Parameter(property = "nvdApiServerId")
1005     private String nvdApiServerId;
1006     /**
1007      * The environment variable from which to retrieve the API key for the NVD API.
1008      * Takes precedence over {@link #nvdApiServerId} but is potentially overwritten by {@link #nvdApiKey}.
1009      * This is the recommended option to pass the API key in CI builds.
1010      */
1011     @SuppressWarnings("CanBeFinal")
1012     @Parameter(property = "nvdApiKeyEnvironmentVariable")
1013     private String nvdApiKeyEnvironmentVariable;
1014     /**
1015      * The number of hours to wait before checking for new updates from the NVD.
1016      */
1017     @SuppressWarnings("CanBeFinal")
1018     @Parameter(property = "nvdValidForHours")
1019     private Integer nvdValidForHours;
1020     /**
1021      * The NVD API Endpoint; setting this is uncommon.
1022      */
1023     @SuppressWarnings("CanBeFinal")
1024     @Parameter(property = "nvdApiEndpoint")
1025     private String nvdApiEndpoint;
1026     /**
1027      * The NVD API Data Feed URL.
1028      */
1029     @SuppressWarnings("CanBeFinal")
1030     @Parameter(property = "nvdDatafeedUrl")
1031     private String nvdDatafeedUrl;
1032 
1033     /**
1034      * The server id in the settings.xml; used to retrieve encrypted credentials
1035      * from the settings.xml for the NVD Data Feed.<br/>
1036      * Credentials with only a password will be used for Bearer auth, credentials with both user and password for Basic auth.
1037      */
1038     @SuppressWarnings("CanBeFinal")
1039     @Parameter(property = "nvdDatafeedServerId")
1040     private String nvdDatafeedServerId;
1041     /**
1042      * The username for basic auth to the NVD Data Feed. A `nvdDatafeedServerId` with user/password set should be used instead otherwise maven debug logging could expose the password.
1043      */
1044     @SuppressWarnings("CanBeFinal")
1045     @Parameter(property = "nvdUser")
1046     private String nvdUser;
1047     /**
1048      * The password for basic auth to the NVD Data Feed. A `nvdDatafeedServerId` with user/password set should be used instead otherwise maven debug logging could expose the password.
1049      */
1050     @SuppressWarnings("CanBeFinal")
1051     @Parameter(property = "nvdPassword")
1052     private String nvdPassword;
1053     /**
1054      * The token for bearer auth to the NVD Data Feed. A `nvdDatafeedServerId` with only password set should be used instead otherwise maven debug logging could expose the token.
1055      */
1056     @SuppressWarnings("CanBeFinal")
1057     @Parameter(property = "nvdBearerToken")
1058     private String nvdBearerToken;
1059     /**
1060      * The time in milliseconds to wait between downloading NVD API data.
1061      */
1062     @SuppressWarnings("CanBeFinal")
1063     @Parameter(property = "nvdApiDelay")
1064     private Integer nvdApiDelay;
1065 
1066     /**
1067      * The number records for a single page from NVD API (must be <=2000).
1068      */
1069     @SuppressWarnings("CanBeFinal")
1070     @Parameter(property = "nvdApiResultsPerPage")
1071     private Integer nvdApiResultsPerPage;
1072 
1073     /**
1074      * The path to dotnet core.
1075      */
1076     @SuppressWarnings("CanBeFinal")
1077     @Parameter(property = "pathToCore")
1078     private String pathToCore;
1079     /**
1080      * The hosted suppressions file URL.
1081      */
1082     @SuppressWarnings("CanBeFinal")
1083     @Parameter(property = "hostedSuppressionsUrl")
1084     private String hostedSuppressionsUrl;
1085     /**
1086      * The password used for Basic auth to the suppressionFiles.
1087      */
1088     @SuppressWarnings("CanBeFinal")
1089     @Parameter(property = "hostedSuppressionsUser")
1090     private String hostedSuppressionsUser;
1091     /**
1092      * The password used for Basic auth to the suppressionFiles. The `hostedSuppressionsServerId` with user/password should be used instead otherwise maven debug logging could expose the password.
1093      */
1094     @SuppressWarnings("CanBeFinal")
1095     @Parameter(property = "hostedSuppressionsPassword")
1096     private String hostedSuppressionsPassword;
1097     /**
1098      * The token used for Bearer auth to the suppressionFiles. The `hostedSuppressionsServerId` with only password should be used instead otherwise maven debug logging could expose the token.
1099      */
1100     @SuppressWarnings("CanBeFinal")
1101     @Parameter(property = "hostedSuppressionsBearerToken")
1102     private String hostedSuppressionsBearerToken;
1103     /**
1104      * The server id in the settings.xml used to retrieve encrypted passwords
1105      * from the settings.xml for a mirror of the HostedSuppressions XML file.
1106      */
1107     @SuppressWarnings("CanBeFinal")
1108     @Parameter(property = "hostedSuppressionsServerId")
1109     private String hostedSuppressionsServerId;
1110     /**
1111      * Whether the hosted suppressions file will be updated regardless of the
1112      * `autoupdate` settings.
1113      */
1114     @SuppressWarnings("CanBeFinal")
1115     @Parameter(property = "hostedSuppressionsForceUpdate")
1116     private Boolean hostedSuppressionsForceUpdate;
1117     /**
1118      * Whether the hosted suppressions file will be used.
1119      */
1120     @SuppressWarnings("CanBeFinal")
1121     @Parameter(property = "hostedSuppressionsEnabled")
1122     private Boolean hostedSuppressionsEnabled;
1123     /**
1124      * Skip excessive hosted suppression file update checks for a designated
1125      * duration in hours (defaults to 2 hours).
1126      */
1127     @SuppressWarnings("CanBeFinal")
1128     @Parameter(property = "hostedSuppressionsValidForHours")
1129     private Integer hostedSuppressionsValidForHours;
1130 
1131     /**
1132      * The RetireJS Analyzer configuration:
1133      * <pre>
1134      *   filters: an array of filter patterns that are used to exclude JS files that contain a match
1135      *   filterNonVulnerable: a boolean that when true will remove non-vulnerable JS from the report
1136      *
1137      * Example:
1138      *   &lt;retirejs&gt;
1139      *     &lt;filters&gt;
1140      *       &lt;filter&gt;copyright 2018\(c\) Jeremy Long&lt;/filter&gt;
1141      *     &lt;/filters&gt;
1142      *     &lt;filterNonVulnerable&gt;true&lt;/filterNonVulnerable&gt;
1143      *   &lt;/retirejs&gt;
1144      * </pre>
1145      */
1146     @SuppressWarnings("CanBeFinal")
1147     @Parameter(property = "retirejs")
1148     private Retirejs retirejs;
1149 
1150     /**
1151      * The list of artifacts (and their transitive dependencies) to exclude from
1152      * the check.
1153      */
1154     @Parameter(property = "odc.excludes")
1155     private List<String> excludes;
1156 
1157     /**
1158      * The artifact scope filter.
1159      */
1160     private Filter<String> artifactScopeExcluded;
1161 
1162     /**
1163      * Filter for artifact type.
1164      */
1165     private Filter<String> artifactTypeExcluded;
1166 
1167     /**
1168      * An collection of <code>fileSet</code>s that specify additional files
1169      * and/or directories (from the basedir) to analyze as part of the scan. If
1170      * not specified, defaults to Maven conventions of: src/main/resources,
1171      * src/main/filters, and src/main/webapp. Note, this cannot be set via the
1172      * command line - use `scanDirectory` instead.
1173      */
1174     @Parameter
1175     private List<FileSet> scanSet;
1176     /**
1177      * A list of directories to scan. Note, this should only be used via the
1178      * command line - if configuring the directories to scan consider using the
1179      * `scanSet` instead.
1180      */
1181     @Parameter(property = "scanDirectory")
1182     private List<String> scanDirectory;
1183 
1184     /**
1185      * Whether the project's plugins should also be scanned.
1186      */
1187     @SuppressWarnings("CanBeFinal")
1188     @Parameter(property = "odc.plugins.scan", defaultValue = "false", required = false)
1189     private boolean scanPlugins = false;
1190     /**
1191      * Whether the project's dependencies should also be scanned.
1192      */
1193     @SuppressWarnings("CanBeFinal")
1194     @Parameter(property = "odc.dependencies.scan", defaultValue = "true", required = false)
1195     private boolean scanDependencies = true;
1196     /**
1197      * The proxy configuration.
1198      */
1199     @Parameter
1200     private ProxyConfig proxy;
1201 
1202     // </editor-fold>
1203     //<editor-fold defaultstate="collapsed" desc="Base Maven implementation">
1204     /**
1205      * Determines if the groupId, artifactId, and version of the Maven
1206      * dependency and artifact match.
1207      *
1208      * @param d the Maven dependency
1209      * @param a the Maven artifact
1210      * @return true if the groupId, artifactId, and version match
1211      */
1212     private static boolean artifactsMatch(org.apache.maven.model.Dependency d, Artifact a) {
1213         return isEqualOrNull(a.getArtifactId(), d.getArtifactId())
1214                 && isEqualOrNull(a.getGroupId(), d.getGroupId())
1215                 && isEqualOrNull(a.getVersion(), d.getVersion());
1216     }
1217 
1218     /**
1219      * Compares two strings for equality; if both strings are null they are
1220      * considered equal.
1221      *
1222      * @param left the first string to compare
1223      * @param right the second string to compare
1224      * @return true if the strings are equal or if they are both null; otherwise
1225      * false.
1226      */
1227     private static boolean isEqualOrNull(String left, String right) {
1228         return (left != null && left.equals(right)) || (left == null && right == null);
1229     }
1230 
1231     /**
1232      * Executes dependency-check.
1233      *
1234      * @throws MojoExecutionException thrown if there is an exception executing
1235      * the mojo
1236      * @throws MojoFailureException thrown if dependency-check failed the build
1237      */
1238     @Override
1239     public void execute() throws MojoExecutionException, MojoFailureException {
1240         generatingSite = false;
1241         final boolean shouldSkip = Boolean.parseBoolean(System.getProperty("dependency-check.skip", Boolean.toString(skip)));
1242         if (shouldSkip) {
1243             getLog().info("Skipping " + getName(Locale.US));
1244         } else {
1245             project.setContextValue("dependency-check-output-dir", this.outputDirectory);
1246             runCheck();
1247         }
1248     }
1249 
1250     /**
1251      * Returns true if the Maven site is being generated.
1252      *
1253      * @return true if the Maven site is being generated
1254      */
1255     protected boolean isGeneratingSite() {
1256         return generatingSite;
1257     }
1258 
1259     /**
1260      * Returns the connection string.
1261      *
1262      * @return the connection string
1263      */
1264     protected String getConnectionString() {
1265         return connectionString;
1266     }
1267 
1268     /**
1269      * Returns if the mojo should fail the build if an exception occurs.
1270      *
1271      * @return whether or not the mojo should fail the build
1272      */
1273     protected boolean isFailOnError() {
1274         return failOnError;
1275     }
1276 
1277     /**
1278      * Generates the Dependency-Check Site Report.
1279      *
1280      * @param sink the sink to write the report to
1281      * @param locale the locale to use when generating the report
1282      * @throws MavenReportException if a maven report exception occurs
1283      */
1284     public void generate(Sink sink, Locale locale) throws MavenReportException {
1285         final boolean shouldSkip = Boolean.parseBoolean(System.getProperty("dependency-check.skip", Boolean.toString(skip)));
1286         if (shouldSkip) {
1287             getLog().info("Skipping report generation " + getName(Locale.US));
1288             return;
1289         }
1290 
1291         generatingSite = true;
1292         project.setContextValue("dependency-check-output-dir", getReportOutputDirectory());
1293         try {
1294             runCheck();
1295         } catch (MojoExecutionException ex) {
1296             throw new MavenReportException(ex.getMessage(), ex);
1297         } catch (MojoFailureException ex) {
1298             getLog().warn("Vulnerabilities were identifies that exceed the CVSS threshold for failing the build");
1299         }
1300     }
1301 
1302     /**
1303      * Returns the correct output directory depending on if a site is being
1304      * executed or not.
1305      *
1306      * @return the directory to write the report(s)
1307      * @throws MojoExecutionException thrown if there is an error loading the
1308      * file path
1309      */
1310     protected File getCorrectOutputDirectory() throws MojoExecutionException {
1311         return getCorrectOutputDirectory(this.project);
1312     }
1313 
1314     /**
1315      * Returns the correct output directory depending on if a site is being
1316      * executed or not.
1317      *
1318      * @param current the Maven project to get the output directory from
1319      * @return the directory to write the report(s)
1320      */
1321     protected File getCorrectOutputDirectory(MavenProject current) {
1322         final Object obj = current.getContextValue("dependency-check-output-dir");
1323         if (obj != null && obj instanceof File) {
1324             return (File) obj;
1325         }
1326         //else we guess
1327         File target = new File(current.getBuild().getDirectory());
1328         if (target.getParentFile() != null && "target".equals(target.getParentFile().getName())) {
1329             target = target.getParentFile();
1330         }
1331         return target;
1332     }
1333 
1334     /**
1335      * Scans the project's artifacts and adds them to the engine's dependency
1336      * list.
1337      *
1338      * @param project the project to scan the dependencies of
1339      * @param engine the engine to use to scan the dependencies
1340      * @return a collection of exceptions that may have occurred while resolving
1341      * and scanning the dependencies
1342      */
1343     protected ExceptionCollection scanArtifacts(MavenProject project, Engine engine) {
1344         return scanArtifacts(project, engine, false);
1345     }
1346 
1347     /**
1348      * Scans the project's artifacts and adds them to the engine's dependency
1349      * list.
1350      *
1351      * @param project the project to scan the dependencies of
1352      * @param engine the engine to use to scan the dependencies
1353      * @param aggregate whether the scan is part of an aggregate build
1354      * @return a collection of exceptions that may have occurred while resolving
1355      * and scanning the dependencies
1356      */
1357     protected ExceptionCollection scanArtifacts(MavenProject project, Engine engine, boolean aggregate) {
1358         try {
1359             final List<String> filterItems = Collections.singletonList(String.format("%s:%s", project.getGroupId(), project.getArtifactId()));
1360             final ProjectBuildingRequest buildingRequest = newResolveArtifactProjectBuildingRequest(project, project.getRemoteArtifactRepositories());
1361             //For some reason the filter does not filter out the project being analyzed
1362             //if we pass in the filter below instead of null to the dependencyGraphBuilder
1363             final DependencyNode dn = dependencyGraphBuilder.buildDependencyGraph(buildingRequest, null);
1364 
1365             final CollectingRootDependencyGraphVisitor collectorVisitor = new CollectingRootDependencyGraphVisitor();
1366 
1367             // exclude artifact by pattern and its dependencies
1368             final DependencyNodeVisitor transitiveFilterVisitor = new FilteringDependencyTransitiveNodeVisitor(collectorVisitor,
1369                     new ArtifactDependencyNodeFilter(new PatternExcludesArtifactFilter(getExcludes())));
1370             // exclude exact artifact but not its dependencies, this filter must be appied on the root for first otherwise
1371             // in case the exclude has the same groupId of the current bundle its direct dependencies are not visited
1372             final DependencyNodeVisitor artifactFilter = new FilteringDependencyNodeVisitor(transitiveFilterVisitor,
1373                     new ArtifactDependencyNodeFilter(new ExcludesArtifactFilter(filterItems)));
1374             dn.accept(artifactFilter);
1375 
1376             //collect dependencies with the filter - see comment above.
1377             final Map<DependencyNode, List<DependencyNode>> nodes = collectorVisitor.getNodes();
1378 
1379             return collectDependencies(engine, project, nodes, buildingRequest, aggregate);
1380         } catch (DependencyGraphBuilderException ex) {
1381             final String msg = String.format("Unable to build dependency graph on project %s", project.getName());
1382             getLog().debug(msg, ex);
1383             return new ExceptionCollection(ex);
1384         }
1385     }
1386 
1387     /**
1388      * Scans the project's artifacts for plugin-dependencies and adds them to
1389      * the engine's dependency list.
1390      *
1391      * @param project the project to scan the plugin-dependencies of
1392      * @param engine the engine to use to scan the plugin-dependencies
1393      * @param exCollection the collection of exceptions that have previously
1394      * occurred
1395      * @return a collection of exceptions that may have occurred while resolving
1396      * and scanning the plugins and their dependencies
1397      */
1398     protected ExceptionCollection scanPlugins(MavenProject project, Engine engine, ExceptionCollection exCollection) {
1399         ExceptionCollection exCol = exCollection;
1400         final Set<Artifact> plugins = new HashSet<>();
1401         final Set<Artifact> buildPlugins = getProject().getPluginArtifacts();
1402         final Set<Artifact> reportPlugins = getProject().getReportArtifacts();
1403         final Set<Artifact> extensions = getProject().getExtensionArtifacts();
1404 
1405         plugins.addAll(buildPlugins);
1406         plugins.addAll(reportPlugins);
1407         plugins.addAll(extensions);
1408 
1409         final ProjectBuildingRequest buildingRequest = newResolveArtifactProjectBuildingRequest(project, project.getPluginArtifactRepositories());
1410         for (Artifact plugin : plugins) {
1411             try {
1412                 final Artifact resolved = artifactResolver.resolveArtifact(buildingRequest, plugin).getArtifact();
1413 
1414                 exCol = addPluginToDependencies(project, engine, resolved, "pom.xml (plugins)", exCol);
1415 
1416                 final DefaultDependableCoordinate pluginCoordinate = new DefaultDependableCoordinate();
1417                 pluginCoordinate.setGroupId(resolved.getGroupId());
1418                 pluginCoordinate.setArtifactId(resolved.getArtifactId());
1419                 pluginCoordinate.setVersion(resolved.getVersion());
1420 
1421                 final String parent = buildReference(resolved.getGroupId(), resolved.getArtifactId(), resolved.getVersion());
1422                 for (Artifact artifact : resolveArtifactDependencies(pluginCoordinate, project)) {
1423                     exCol = addPluginToDependencies(project, engine, artifact, parent, exCol);
1424                 }
1425             } catch (ArtifactResolverException ex) {
1426                 throw new RuntimeException(ex);
1427             } catch (IllegalArgumentException ex) {
1428                 throw new RuntimeException(ex);
1429             } catch (DependencyResolverException ex) {
1430                 throw new RuntimeException(ex);
1431             }
1432         }
1433 
1434         return null;
1435 
1436     }
1437 
1438     private ExceptionCollection addPluginToDependencies(MavenProject project, Engine engine, Artifact artifact, String parent, ExceptionCollection exCollection) {
1439         ExceptionCollection exCol = exCollection;
1440         final String groupId = artifact.getGroupId();
1441         final String artifactId = artifact.getArtifactId();
1442         final String version = artifact.getVersion();
1443         final File artifactFile = artifact.getFile();
1444         if (artifactFile.isFile()) {
1445             final List<ArtifactVersion> availableVersions = artifact.getAvailableVersions();
1446 
1447             final List<Dependency> deps = engine.scan(artifactFile.getAbsoluteFile(),
1448                     project.getName() + " (plugins)");
1449             if (deps != null) {
1450                 Dependency d = null;
1451                 if (deps.size() == 1) {
1452                     d = deps.get(0);
1453                 } else {
1454                     for (Dependency possible : deps) {
1455                         if (artifactFile.getAbsoluteFile().equals(possible.getActualFile())) {
1456                             d = possible;
1457                             break;
1458                         }
1459                     }
1460                     for (Dependency dep : deps) {
1461                         if (d != null && d != dep) {
1462                             final String includedBy = buildReference(groupId, artifactId, version);
1463                             dep.addIncludedBy(includedBy, "plugins");
1464                         }
1465                     }
1466                 }
1467                 if (d != null) {
1468                     final MavenArtifact ma = new MavenArtifact(groupId, artifactId, version);
1469                     d.addAsEvidence("pom", ma, Confidence.HIGHEST);
1470                     if (parent != null) {
1471                         d.addIncludedBy(parent, "plugins");
1472                     } else {
1473                         final String includedby = buildReference(
1474                                 project.getGroupId(),
1475                                 project.getArtifactId(),
1476                                 project.getVersion());
1477                         d.addIncludedBy(includedby, "plugins");
1478                     }
1479                     if (availableVersions != null) {
1480                         for (ArtifactVersion av : availableVersions) {
1481                             d.addAvailableVersion(av.toString());
1482                         }
1483                     }
1484                 }
1485             }
1486         } else {
1487             if (exCol == null) {
1488                 exCol = new ExceptionCollection();
1489             }
1490             exCol.addException(new DependencyNotFoundException("Unable to resolve plugin: "
1491                     + groupId + ":" + artifactId + ":" + version));
1492         }
1493 
1494         return exCol;
1495     }
1496 
1497     private String buildReference(final String groupId, final String artifactId, final String version) {
1498         String includedBy;
1499         try {
1500             final PackageURL purl = new PackageURL("maven", groupId, artifactId, version, null, null);
1501             includedBy = purl.toString();
1502         } catch (MalformedPackageURLException ex) {
1503             getLog().warn("Unable to generate build reference for " + groupId
1504                     + ":" + artifactId + ":" + version, ex);
1505             includedBy = groupId + ":" + artifactId + ":" + version;
1506         }
1507         return includedBy;
1508     }
1509 
1510     protected Set<Artifact> resolveArtifactDependencies(final DependableCoordinate artifact, MavenProject project)
1511             throws DependencyResolverException {
1512         final ProjectBuildingRequest buildingRequest = newResolveArtifactProjectBuildingRequest(project, project.getRemoteArtifactRepositories());
1513 
1514         final Iterable<ArtifactResult> artifactResults = dependencyResolver.resolveDependencies(buildingRequest, artifact, null);
1515 
1516         final Set<Artifact> artifacts = new HashSet<>();
1517 
1518         for (ArtifactResult artifactResult : artifactResults) {
1519             artifacts.add(artifactResult.getArtifact());
1520         }
1521 
1522         return artifacts;
1523 
1524     }
1525 
1526     /**
1527      * Converts the dependency to a dependency node object.
1528      *
1529      * @param nodes the list of dependency nodes
1530      * @param buildingRequest the Maven project building request
1531      * @param parent the parent node
1532      * @param dependency the dependency to convert
1533      * @return the resulting dependency node
1534      * @throws ArtifactResolverException thrown if the artifact could not be
1535      * retrieved
1536      */
1537     private DependencyNode toDependencyNode(List<DependencyNode> nodes, ProjectBuildingRequest buildingRequest,
1538             DependencyNode parent, org.apache.maven.model.Dependency dependency) throws ArtifactResolverException {
1539 
1540         final DefaultArtifactCoordinate coordinate = new DefaultArtifactCoordinate();
1541 
1542         coordinate.setGroupId(dependency.getGroupId());
1543         coordinate.setArtifactId(dependency.getArtifactId());
1544         String version = null;
1545         final VersionRange vr;
1546         try {
1547             vr = VersionRange.createFromVersionSpec(dependency.getVersion());
1548         } catch (InvalidVersionSpecificationException ex) {
1549             throw new ArtifactResolverException("Invalid version specification: "
1550                     + dependency.getGroupId() + ":"
1551                     + dependency.getArtifactId() + ":"
1552                     + dependency.getVersion(), ex);
1553         }
1554         if (vr.hasRestrictions()) {
1555             version = findVersion(nodes, dependency.getGroupId(), dependency.getArtifactId());
1556             if (version == null) {
1557                 //TODO - this still may fail if the restriction is not a valid version number (i.e. only 2.9 instead of 2.9.1)
1558                 //need to get available versions and filter on the restrictions.
1559                 if (vr.getRecommendedVersion() != null) {
1560                     version = vr.getRecommendedVersion().toString();
1561                 } else if (vr.hasRestrictions()) {
1562                     for (Restriction restriction : vr.getRestrictions()) {
1563                         if (restriction.getLowerBound() != null) {
1564                             version = restriction.getLowerBound().toString();
1565                         }
1566                         if (restriction.getUpperBound() != null) {
1567                             version = restriction.getUpperBound().toString();
1568                         }
1569                     }
1570                 } else {
1571                     version = vr.toString();
1572                 }
1573             }
1574         }
1575         if (version == null) {
1576             version = dependency.getVersion();
1577         }
1578         coordinate.setVersion(version);
1579 
1580         final ArtifactType type = session.getRepositorySession().getArtifactTypeRegistry().get(dependency.getType());
1581         coordinate.setExtension(type.getExtension());
1582         coordinate.setClassifier((null == dependency.getClassifier() || dependency.getClassifier().isEmpty())
1583                 ? type.getClassifier() : dependency.getClassifier());
1584         final Artifact artifact = artifactResolver.resolveArtifact(buildingRequest, coordinate).getArtifact();
1585         artifact.setScope(dependency.getScope());
1586         return new DefaultDependencyNode(parent, artifact, dependency.getVersion(), dependency.getScope(), null);
1587     }
1588 
1589     /**
1590      * Returns the version from the list of nodes that match the given groupId
1591      * and artifactID.
1592      *
1593      * @param nodes the nodes to search
1594      * @param groupId the group id to find
1595      * @param artifactId the artifact id to find
1596      * @return the version from the list of nodes that match the given groupId
1597      * and artifactID; otherwise <code>null</code> is returned
1598      */
1599     private String findVersion(List<DependencyNode> nodes, String groupId, String artifactId) {
1600         final Optional<DependencyNode> f = nodes.stream().filter(p
1601                 -> groupId.equals(p.getArtifact().getGroupId())
1602                 && artifactId.equals(p.getArtifact().getArtifactId())).findFirst();
1603         if (f.isPresent()) {
1604             return f.get().getArtifact().getVersion();
1605         }
1606         return null;
1607     }
1608 
1609     /**
1610      * Collect dependencies from the dependency management section.
1611      *
1612      * @param engine reference to the ODC engine
1613      * @param buildingRequest the Maven project building request
1614      * @param project the project being analyzed
1615      * @param nodes the list of dependency nodes
1616      * @param aggregate whether or not this is an aggregate analysis
1617      * @return a collection of exceptions if any occurred; otherwise
1618      * <code>null</code>
1619      */
1620     private ExceptionCollection collectDependencyManagementDependencies(Engine engine, ProjectBuildingRequest buildingRequest,
1621             MavenProject project, List<DependencyNode> nodes, boolean aggregate) {
1622         if (skipDependencyManagement || project.getDependencyManagement() == null) {
1623             return null;
1624         }
1625 
1626         ExceptionCollection exCol = null;
1627         for (org.apache.maven.model.Dependency dependency : project.getDependencyManagement().getDependencies()) {
1628             try {
1629                 nodes.add(toDependencyNode(nodes, buildingRequest, null, dependency));
1630             } catch (ArtifactResolverException ex) {
1631                 getLog().debug(String.format("Aggregate : %s", aggregate));
1632                 boolean addException = true;
1633                 //CSOFF: EmptyBlock
1634                 if (!aggregate) {
1635                     // do nothing, exception is to be reported
1636                 } else if (addReactorDependency(engine,
1637                         new DefaultArtifact(dependency.getGroupId(), dependency.getArtifactId(),
1638                                 dependency.getVersion(), dependency.getScope(), dependency.getType(), dependency.getClassifier(),
1639                                 new DefaultArtifactHandler()), project)) {
1640                     addException = false;
1641                 }
1642                 //CSON: EmptyBlock
1643                 if (addException) {
1644                     if (exCol == null) {
1645                         exCol = new ExceptionCollection();
1646                     }
1647                     exCol.addException(ex);
1648                 }
1649             }
1650         }
1651         return exCol;
1652     }
1653 
1654     /**
1655      * Resolves the projects artifacts using Aether and scans the resulting
1656      * dependencies.
1657      *
1658      * @param engine the core dependency-check engine
1659      * @param project the project being scanned
1660      * @param nodeMap the map of dependency nodes, generally obtained via the
1661      * DependencyGraphBuilder using the CollectingRootDependencyGraphVisitor
1662      * @param buildingRequest the Maven project building request
1663      * @param aggregate whether the scan is part of an aggregate build
1664      * @return a collection of exceptions that may have occurred while resolving
1665      * and scanning the dependencies
1666      */
1667     //CSOFF: OperatorWrap
1668     private ExceptionCollection collectMavenDependencies(Engine engine, MavenProject project,
1669             Map<DependencyNode, List<DependencyNode>> nodeMap, ProjectBuildingRequest buildingRequest, boolean aggregate) {
1670 
1671         final List<ArtifactResult> allResolvedDeps = new ArrayList<>();
1672 
1673         //dependency management
1674         final List<DependencyNode> dmNodes = new ArrayList<>();
1675         ExceptionCollection exCol = collectDependencyManagementDependencies(engine, buildingRequest, project, dmNodes, aggregate);
1676         for (DependencyNode dependencyNode : dmNodes) {
1677             exCol = scanDependencyNode(dependencyNode, null, engine, project, allResolvedDeps, buildingRequest, aggregate, exCol);
1678         }
1679 
1680         //dependencies
1681         for (Map.Entry<DependencyNode, List<DependencyNode>> entry : nodeMap.entrySet()) {
1682             exCol = scanDependencyNode(entry.getKey(), null, engine, project, allResolvedDeps, buildingRequest, aggregate, exCol);
1683             for (DependencyNode dependencyNode : entry.getValue()) {
1684                 exCol = scanDependencyNode(dependencyNode, entry.getKey(), engine, project, allResolvedDeps, buildingRequest, aggregate, exCol);
1685             }
1686         }
1687         return exCol;
1688     }
1689     //CSON: OperatorWrap
1690 
1691     /**
1692      * Utility method for a work-around to MSHARED-998
1693      *
1694      * @param allDeps The List of ArtifactResults for all dependencies
1695      * @param unresolvedArtifact The ArtifactCoordinate of the artifact we're
1696      * looking for
1697      * @param project The project in whose context resolution was attempted
1698      * @return the resolved artifact matching with {@code unresolvedArtifact}
1699      * @throws DependencyNotFoundException If {@code unresolvedArtifact} could
1700      * not be found within {@code allDeps}
1701      */
1702     private Artifact findInAllDeps(final List<ArtifactResult> allDeps, final Artifact unresolvedArtifact,
1703             final MavenProject project)
1704             throws DependencyNotFoundException {
1705         Artifact result = null;
1706         for (final ArtifactResult res : allDeps) {
1707             if (sameArtifact(res, unresolvedArtifact)) {
1708                 result = res.getArtifact();
1709                 break;
1710             }
1711         }
1712         if (result == null) {
1713             throw new DependencyNotFoundException(String.format("Expected dependency not found in resolved artifacts for "
1714                     + "dependency %s of project-artifact %s", unresolvedArtifact, project.getArtifactId()));
1715         }
1716         return result;
1717     }
1718 
1719     /**
1720      * Utility method for a work-around to MSHARED-998
1721      *
1722      * @param res A single ArtifactResult obtained from the DependencyResolver
1723      * @param unresolvedArtifact The unresolved Artifact from the
1724      * dependencyGraph that we try to find
1725      * @return {@code true} when unresolvedArtifact is non-null and matches with
1726      * the artifact of res
1727      */
1728     private boolean sameArtifact(final ArtifactResult res, final Artifact unresolvedArtifact) {
1729         if (res == null || res.getArtifact() == null || unresolvedArtifact == null) {
1730             return false;
1731         }
1732         boolean result = Objects.equals(res.getArtifact().getGroupId(), unresolvedArtifact.getGroupId());
1733         result &= Objects.equals(res.getArtifact().getArtifactId(), unresolvedArtifact.getArtifactId());
1734         // accept any version as matching "LATEST" and any non-snapshot version as matching "RELEASE" meta-version
1735         if ("RELEASE".equals(unresolvedArtifact.getBaseVersion())) {
1736             result &= !res.getArtifact().isSnapshot();
1737         } else if (!"LATEST".equals(unresolvedArtifact.getBaseVersion())) {
1738             result &= Objects.equals(res.getArtifact().getBaseVersion(), unresolvedArtifact.getBaseVersion());
1739         }
1740         result &= Objects.equals(res.getArtifact().getClassifier(), unresolvedArtifact.getClassifier());
1741         result &= Objects.equals(res.getArtifact().getType(), unresolvedArtifact.getType());
1742         return result;
1743     }
1744 
1745     /**
1746      * @param project the {@link MavenProject}
1747      * @param dependencyNode the {@link DependencyNode}
1748      * @return the name to be used when creating a
1749      * {@link Dependency#getProjectReferences() project reference} in a
1750      * {@link Dependency}. The behavior of this method returns {@link MavenProject#getName() project.getName()}<code> + ":" +
1751      * </code>
1752      * {@link DependencyNode#getArtifact() dependencyNode.getArtifact()}{@link Artifact#getScope() .getScope()}.
1753      */
1754     protected String createProjectReferenceName(MavenProject project, DependencyNode dependencyNode) {
1755         return project.getName() + ":" + dependencyNode.getArtifact().getScope();
1756     }
1757 
1758     /**
1759      * Scans the projects dependencies including the default (or defined)
1760      * FileSets.
1761      *
1762      * @param engine the core dependency-check engine
1763      * @param project the project being scanned
1764      * @param nodes the list of dependency nodes, generally obtained via the
1765      * DependencyGraphBuilder
1766      * @param buildingRequest the Maven project building request
1767      * @param aggregate whether the scan is part of an aggregate build
1768      * @return a collection of exceptions that may have occurred while resolving
1769      * and scanning the dependencies
1770      */
1771     private ExceptionCollection collectDependencies(Engine engine, MavenProject project,
1772             Map<DependencyNode, List<DependencyNode>> nodes, ProjectBuildingRequest buildingRequest, boolean aggregate) {
1773 
1774         ExceptionCollection exCol;
1775         exCol = collectMavenDependencies(engine, project, nodes, buildingRequest, aggregate);
1776 
1777         final List<FileSet> projectScan;
1778 
1779         if (scanDirectory != null && !scanDirectory.isEmpty()) {
1780             if (scanSet == null) {
1781                 scanSet = new ArrayList<>();
1782             }
1783             scanDirectory.forEach(d -> {
1784                 final FileSet fs = new FileSet();
1785                 fs.setDirectory(d);
1786                 fs.addInclude(INCLUDE_ALL);
1787                 scanSet.add(fs);
1788             });
1789         }
1790 
1791         if (scanSet == null || scanSet.isEmpty()) {
1792             // Define the default FileSets
1793             final FileSet resourcesSet = new FileSet();
1794             final FileSet filtersSet = new FileSet();
1795             final FileSet webappSet = new FileSet();
1796             final FileSet mixedLangSet = new FileSet();
1797             try {
1798                 resourcesSet.setDirectory(new File(project.getBasedir(), "src/main/resources").getCanonicalPath());
1799                 resourcesSet.addInclude(INCLUDE_ALL);
1800                 filtersSet.setDirectory(new File(project.getBasedir(), "src/main/filters").getCanonicalPath());
1801                 filtersSet.addInclude(INCLUDE_ALL);
1802                 webappSet.setDirectory(new File(project.getBasedir(), "src/main/webapp").getCanonicalPath());
1803                 webappSet.addInclude(INCLUDE_ALL);
1804                 mixedLangSet.setDirectory(project.getBasedir().getCanonicalPath());
1805                 mixedLangSet.addInclude("package.json");
1806                 mixedLangSet.addInclude("package-lock.json");
1807                 mixedLangSet.addInclude("npm-shrinkwrap.json");
1808                 mixedLangSet.addInclude("Gopkg.lock");
1809                 mixedLangSet.addInclude("go.mod");
1810                 mixedLangSet.addInclude("yarn.lock");
1811                 mixedLangSet.addInclude("pnpm-lock.yaml");
1812                 mixedLangSet.addExclude("/node_modules/");
1813             } catch (IOException ex) {
1814                 if (exCol == null) {
1815                     exCol = new ExceptionCollection();
1816                 }
1817                 exCol.addException(ex);
1818             }
1819             projectScan = new ArrayList<>();
1820             projectScan.add(resourcesSet);
1821             projectScan.add(filtersSet);
1822             projectScan.add(webappSet);
1823             projectScan.add(mixedLangSet);
1824 
1825         } else if (aggregate) {
1826             projectScan = new ArrayList<>();
1827             for (FileSet copyFrom : scanSet) {
1828                 //deep copy of the FileSet - modifying the directory if it is not absolute.
1829                 final FileSet fsCopy = new FileSet();
1830                 final File f = new File(copyFrom.getDirectory());
1831                 if (f.isAbsolute()) {
1832                     fsCopy.setDirectory(copyFrom.getDirectory());
1833                 } else {
1834                     try {
1835                         fsCopy.setDirectory(new File(project.getBasedir(), copyFrom.getDirectory()).getCanonicalPath());
1836                     } catch (IOException ex) {
1837                         if (exCol == null) {
1838                             exCol = new ExceptionCollection();
1839                         }
1840                         exCol.addException(ex);
1841                         fsCopy.setDirectory(copyFrom.getDirectory());
1842                     }
1843                 }
1844                 fsCopy.setDirectoryMode(copyFrom.getDirectoryMode());
1845                 fsCopy.setExcludes(copyFrom.getExcludes());
1846                 fsCopy.setFileMode(copyFrom.getFileMode());
1847                 fsCopy.setFollowSymlinks(copyFrom.isFollowSymlinks());
1848                 fsCopy.setIncludes(copyFrom.getIncludes());
1849                 fsCopy.setLineEnding(copyFrom.getLineEnding());
1850                 fsCopy.setMapper(copyFrom.getMapper());
1851                 fsCopy.setModelEncoding(copyFrom.getModelEncoding());
1852                 fsCopy.setOutputDirectory(copyFrom.getOutputDirectory());
1853                 fsCopy.setUseDefaultExcludes(copyFrom.isUseDefaultExcludes());
1854                 projectScan.add(fsCopy);
1855             }
1856         } else {
1857             projectScan = scanSet;
1858         }
1859 
1860         // Iterate through FileSets and scan included files
1861         final FileSetManager fileSetManager = new FileSetManager();
1862         for (FileSet fileSet : projectScan) {
1863             getLog().debug("Scanning fileSet: " + fileSet.getDirectory());
1864             final String[] includedFiles = fileSetManager.getIncludedFiles(fileSet);
1865             for (String include : includedFiles) {
1866                 final File includeFile = new File(fileSet.getDirectory(), include).getAbsoluteFile();
1867                 if (includeFile.exists()) {
1868                     engine.scan(includeFile, project.getName());
1869                 }
1870             }
1871         }
1872         return exCol;
1873     }
1874 
1875     /**
1876      * Checks if the current artifact is actually in the reactor projects that
1877      * have not yet been built. If true a virtual dependency is created based on
1878      * the evidence in the project.
1879      *
1880      * @param engine a reference to the engine being used to scan
1881      * @param artifact the artifact being analyzed in the mojo
1882      * @param depender The project that depends on this virtual dependency
1883      * @return <code>true</code> if the artifact is in the reactor; otherwise
1884      * <code>false</code>
1885      */
1886     private boolean addReactorDependency(Engine engine, Artifact artifact, final MavenProject depender) {
1887         return addVirtualDependencyFromReactor(engine, artifact, depender, "Unable to resolve %s as it has not been built yet "
1888                 + "- creating a virtual dependency instead.");
1889     }
1890 
1891     /**
1892      * Checks if the current artifact is actually in the reactor projects. If
1893      * true a virtual dependency is created based on the evidence in the
1894      * project.
1895      *
1896      * @param engine a reference to the engine being used to scan
1897      * @param artifact the artifact being analyzed in the mojo
1898      * @param depender The project that depends on this virtual dependency
1899      * @param infoLogTemplate the template for the infoLog entry written when a
1900      * virtual dependency is added. Needs a single %s placeholder for the
1901      * location of the displayName in the message
1902      * @return <code>true</code> if the artifact is in the reactor; otherwise
1903      * <code>false</code>
1904      */
1905     private boolean addVirtualDependencyFromReactor(Engine engine, Artifact artifact,
1906             final MavenProject depender, String infoLogTemplate) {
1907 
1908         getLog().debug(String.format("Checking the reactor projects (%d) for %s:%s:%s",
1909                 reactorProjects.size(),
1910                 artifact.getGroupId(), artifact.getArtifactId(), artifact.getVersion()));
1911 
1912         for (MavenProject prj : reactorProjects) {
1913 
1914             getLog().debug(String.format("Comparing %s:%s:%s to %s:%s:%s",
1915                     artifact.getGroupId(), artifact.getArtifactId(), artifact.getBaseVersion(),
1916                     prj.getGroupId(), prj.getArtifactId(), prj.getVersion()));
1917 
1918             if (prj.getArtifactId().equals(artifact.getArtifactId())
1919                     && prj.getGroupId().equals(artifact.getGroupId())
1920                     && prj.getVersion().equals(artifact.getBaseVersion())) {
1921 
1922                 final String displayName = String.format("%s:%s:%s",
1923                         prj.getGroupId(), prj.getArtifactId(), prj.getVersion());
1924                 getLog().info(String.format(infoLogTemplate,
1925                         displayName));
1926                 final Dependency d = newDependency(prj);
1927                 final String key = String.format("%s:%s:%s", prj.getGroupId(), prj.getArtifactId(), prj.getVersion());
1928                 d.setSha1sum(Checksum.getSHA1Checksum(key));
1929                 d.setSha256sum(Checksum.getSHA256Checksum(key));
1930                 d.setMd5sum(Checksum.getMD5Checksum(key));
1931                 d.setEcosystem(JarAnalyzer.DEPENDENCY_ECOSYSTEM);
1932                 d.setDisplayFileName(displayName);
1933                 d.addProjectReference(depender.getName());
1934                 final String includedby = buildReference(
1935                         depender.getGroupId(),
1936                         depender.getArtifactId(),
1937                         depender.getVersion());
1938                 d.addIncludedBy(includedby);
1939                 d.addEvidence(EvidenceType.PRODUCT, "project", "artifactid", prj.getArtifactId(), Confidence.HIGHEST);
1940                 d.addEvidence(EvidenceType.VENDOR, "project", "artifactid", prj.getArtifactId(), Confidence.LOW);
1941 
1942                 d.addEvidence(EvidenceType.VENDOR, "project", "groupid", prj.getGroupId(), Confidence.HIGHEST);
1943                 d.addEvidence(EvidenceType.PRODUCT, "project", "groupid", prj.getGroupId(), Confidence.LOW);
1944                 d.setEcosystem(JarAnalyzer.DEPENDENCY_ECOSYSTEM);
1945                 Identifier id;
1946                 try {
1947                     id = new PurlIdentifier(StandardTypes.MAVEN, artifact.getGroupId(),
1948                             artifact.getArtifactId(), artifact.getVersion(), Confidence.HIGHEST);
1949                 } catch (MalformedPackageURLException ex) {
1950                     getLog().debug("Unable to create PackageURL object:" + key);
1951                     id = new GenericIdentifier("maven:" + key, Confidence.HIGHEST);
1952                 }
1953                 d.addSoftwareIdentifier(id);
1954                 //TODO unify the setName/version and package path - they are equivelent ideas submitted by two seperate committers
1955                 d.setName(String.format("%s:%s", prj.getGroupId(), prj.getArtifactId()));
1956                 d.setVersion(prj.getVersion());
1957                 d.setPackagePath(displayName);
1958                 if (prj.getDescription() != null) {
1959                     JarAnalyzer.addDescription(d, prj.getDescription(), "project", "description");
1960                 }
1961                 for (License l : prj.getLicenses()) {
1962                     final StringBuilder license = new StringBuilder();
1963                     if (l.getName() != null) {
1964                         license.append(l.getName());
1965                     }
1966                     if (l.getUrl() != null) {
1967                         license.append(" ").append(l.getUrl());
1968                     }
1969                     if (d.getLicense() == null) {
1970                         d.setLicense(license.toString());
1971                     } else if (!d.getLicense().contains(license)) {
1972                         d.setLicense(String.format("%s%n%s", d.getLicense(), license));
1973                     }
1974                 }
1975                 engine.addDependency(d);
1976                 return true;
1977             }
1978         }
1979         return false;
1980     }
1981 
1982     Dependency newDependency(MavenProject prj) {
1983         final File pom = new File(prj.getBasedir(), "pom.xml");
1984 
1985         if (pom.isFile()) {
1986             getLog().debug("Adding virtual dependency from pom.xml");
1987             return new Dependency(pom, true);
1988         } else if (prj.getFile().isFile()) {
1989             getLog().debug("Adding virtual dependency from file");
1990             return new Dependency(prj.getFile(), true);
1991         } else {
1992             return new Dependency(true);
1993         }
1994     }
1995 
1996     /**
1997      * Checks if the current artifact is actually in the reactor projects. If
1998      * true a virtual dependency is created based on the evidence in the
1999      * project.
2000      *
2001      * @param engine a reference to the engine being used to scan
2002      * @param artifact the artifact being analyzed in the mojo
2003      * @param depender The project that depends on this virtual dependency
2004      * @return <code>true</code> if the artifact is a snapshot artifact in the
2005      * reactor; otherwise <code>false</code>
2006      */
2007     private boolean addSnapshotReactorDependency(Engine engine, Artifact artifact, final MavenProject depender) {
2008         if (!artifact.isSnapshot()) {
2009             return false;
2010         }
2011         return addVirtualDependencyFromReactor(engine, artifact, depender, "Found snapshot reactor project in aggregate for %s - "
2012                 + "creating a virtual dependency as the snapshot found in the repository may contain outdated dependencies.");
2013     }
2014 
2015     /**
2016      * @param project The target project to create a building request for.
2017      * @param repos the artifact repositories to use.
2018      * @return Returns a new ProjectBuildingRequest populated from the current
2019      * session and the target project remote repositories, used to resolve
2020      * artifacts.
2021      */
2022     public ProjectBuildingRequest newResolveArtifactProjectBuildingRequest(MavenProject project, List<ArtifactRepository> repos) {
2023         final ProjectBuildingRequest buildingRequest = new DefaultProjectBuildingRequest(session.getProjectBuildingRequest());
2024         buildingRequest.setRemoteRepositories(repos);
2025         buildingRequest.setProject(project);
2026         return buildingRequest;
2027     }
2028 
2029     /**
2030      * Executes the dependency-check scan and generates the necessary report.
2031      *
2032      * @throws MojoExecutionException thrown if there is an exception running
2033      * the scan
2034      * @throws MojoFailureException thrown if dependency-check is configured to
2035      * fail the build
2036      */
2037     protected void runCheck() throws MojoExecutionException, MojoFailureException {
2038         muteNoisyLoggers();
2039         try (Engine engine = initializeEngine()) {
2040             ExceptionCollection exCol = null;
2041             if (scanDependencies) {
2042                 exCol = scanDependencies(engine);
2043             }
2044             if (scanPlugins) {
2045                 exCol = scanPlugins(engine, exCol);
2046             }
2047             try {
2048                 engine.analyzeDependencies();
2049             } catch (ExceptionCollection ex) {
2050                 exCol = handleAnalysisExceptions(exCol, ex);
2051             }
2052             if (exCol == null || !exCol.isFatal()) {
2053 
2054                 File outputDir = getCorrectOutputDirectory(this.getProject());
2055                 if (outputDir == null) {
2056                     //in some regards we shouldn't be writing this, but we are anyway.
2057                     //we shouldn't write this because nothing is configured to generate this report.
2058                     outputDir = new File(this.getProject().getBuild().getDirectory());
2059                 }
2060                 try {
2061                     final MavenProject p = this.getProject();
2062                     for (String f : getFormats()) {
2063                         engine.writeReports(p.getName(), p.getGroupId(), p.getArtifactId(), p.getVersion(), outputDir, f, exCol);
2064                     }
2065                 } catch (ReportException ex) {
2066                     if (exCol == null) {
2067                         exCol = new ExceptionCollection(ex);
2068                     } else {
2069                         exCol.addException(ex);
2070                     }
2071                     if (this.isFailOnError()) {
2072                         throw new MojoExecutionException("One or more exceptions occurred during dependency-check analysis", exCol);
2073                     } else {
2074                         getLog().debug("Error writing the report", ex);
2075                     }
2076                 }
2077                 showSummary(this.getProject(), engine.getDependencies());
2078                 checkForFailure(engine.getDependencies());
2079                 if (exCol != null && this.isFailOnError()) {
2080                     throw new MojoExecutionException("One or more exceptions occurred during dependency-check analysis", exCol);
2081                 }
2082             }
2083         } catch (DatabaseException ex) {
2084             if (getLog().isDebugEnabled()) {
2085                 getLog().debug("Database connection error", ex);
2086             }
2087             final String msg = "An exception occurred connecting to the local database. Please see the log file for more details.";
2088             if (this.isFailOnError()) {
2089                 throw new MojoExecutionException(msg, ex);
2090             }
2091             getLog().error(msg, ex);
2092         } finally {
2093             getSettings().cleanup();
2094         }
2095     }
2096 
2097     /**
2098      * Combines the two exception collections and if either are fatal, throw an
2099      * MojoExecutionException
2100      *
2101      * @param currentEx the primary exception collection
2102      * @param newEx the new exception collection to add
2103      * @return the combined exception collection
2104      * @throws MojoExecutionException thrown if dependency-check is configured
2105      * to fail on errors
2106      */
2107     private ExceptionCollection handleAnalysisExceptions(ExceptionCollection currentEx, ExceptionCollection newEx) throws MojoExecutionException {
2108         ExceptionCollection returnEx = currentEx;
2109         if (returnEx == null) {
2110             returnEx = newEx;
2111         } else {
2112             returnEx.getExceptions().addAll(newEx.getExceptions());
2113             if (newEx.isFatal()) {
2114                 returnEx.setFatal(true);
2115             }
2116         }
2117         if (returnEx.isFatal()) {
2118             final String msg = String.format("Fatal exception(s) analyzing %s", getProject().getName());
2119             if (this.isFailOnError()) {
2120                 throw new MojoExecutionException(msg, returnEx);
2121             }
2122             getLog().error(msg);
2123             if (getLog().isDebugEnabled()) {
2124                 getLog().debug(returnEx);
2125             }
2126         } else {
2127             final String msg = String.format("Exception(s) analyzing %s", getProject().getName());
2128             if (getLog().isDebugEnabled()) {
2129                 getLog().debug(msg, returnEx);
2130             }
2131         }
2132         return returnEx;
2133     }
2134 
2135     /**
2136      * Scans the dependencies of the projects.
2137      *
2138      * @param engine the engine used to perform the scanning
2139      * @return a collection of exceptions
2140      * @throws MojoExecutionException thrown if a fatal exception occurs
2141      */
2142     protected abstract ExceptionCollection scanDependencies(Engine engine) throws MojoExecutionException;
2143 
2144     /**
2145      * Scans the plugins of the projects.
2146      *
2147      * @param engine the engine used to perform the scanning
2148      * @param exCol the collection of any exceptions that have previously been
2149      * captured.
2150      * @return a collection of exceptions
2151      * @throws MojoExecutionException thrown if a fatal exception occurs
2152      */
2153     protected abstract ExceptionCollection scanPlugins(Engine engine, ExceptionCollection exCol) throws MojoExecutionException;
2154 
2155     /**
2156      * Returns the report output directory.
2157      *
2158      * @return the report output directory
2159      */
2160     @Override
2161     public File getReportOutputDirectory() {
2162         return reportOutputDirectory;
2163     }
2164 
2165     /**
2166      * Sets the Reporting output directory.
2167      *
2168      * @param directory the output directory
2169      */
2170     @Override
2171     public void setReportOutputDirectory(File directory) {
2172         reportOutputDirectory = directory;
2173     }
2174 
2175     /**
2176      * Returns the output directory.
2177      *
2178      * @return the output directory
2179      */
2180     public File getOutputDirectory() {
2181         return outputDirectory;
2182     }
2183 
2184     /**
2185      * Returns whether this is an external report. This method always returns
2186      * true.
2187      *
2188      * @return <code>true</code>
2189      */
2190     @Override
2191     public final boolean isExternalReport() {
2192         return true;
2193     }
2194 
2195     /**
2196      * Returns the output name.
2197      *
2198      * @return the output name
2199      */
2200     @Override
2201     public String getOutputName() {
2202         final Set<String> selectedFormats = getFormats();
2203         if (selectedFormats.contains("HTML") || selectedFormats.contains("ALL") || selectedFormats.size() > 1) {
2204             return "dependency-check-report";
2205         } else if (selectedFormats.contains("JENKINS")) {
2206             return "dependency-check-jenkins.html";
2207         } else if (selectedFormats.contains("XML")) {
2208             return "dependency-check-report.xml";
2209         } else if (selectedFormats.contains("JUNIT")) {
2210             return "dependency-check-junit.xml";
2211         } else if (selectedFormats.contains("JSON")) {
2212             return "dependency-check-report.json";
2213         } else if (selectedFormats.contains("SARIF")) {
2214             return "dependency-check-report.sarif";
2215         } else if (selectedFormats.contains("CSV")) {
2216             return "dependency-check-report.csv";
2217         } else {
2218             getLog().warn("Unknown report format used during site generation.");
2219             return "dependency-check-report";
2220         }
2221     }
2222 
2223     /**
2224      * Returns the category name.
2225      *
2226      * @return the category name
2227      */
2228     @Override
2229     public String getCategoryName() {
2230         return MavenReport.CATEGORY_PROJECT_REPORTS;
2231     }
2232     //</editor-fold>
2233 
2234     /**
2235      * Initializes a new <code>Engine</code> that can be used for scanning. This
2236      * method should only be called in a try-with-resources to ensure that the
2237      * engine is properly closed.
2238      *
2239      * @return a newly instantiated <code>Engine</code>
2240      * @throws DatabaseException thrown if there is a database exception
2241      * @throws MojoExecutionException on configuration errors when failOnError is true
2242      * @throws MojoFailureException on configuration errors when failOnError is false
2243      */
2244     protected Engine initializeEngine() throws DatabaseException, MojoExecutionException, MojoFailureException {
2245         populateSettings();
2246         try {
2247             Downloader.getInstance().configure(settings);
2248         } catch (InvalidSettingException e) {
2249             if (this.failOnError) {
2250                 throw new MojoFailureException(e.getMessage(), e);
2251             } else {
2252                 throw new MojoExecutionException(e.getMessage(), e);
2253             }
2254         }
2255         return new Engine(settings);
2256     }
2257 
2258     //CSOFF: MethodLength
2259     /**
2260      * Takes the properties supplied and updates the dependency-check settings.
2261      * Additionally, this sets the system properties required to change the
2262      * proxy URL, port, and connection timeout.
2263      */
2264     protected void populateSettings() throws MojoFailureException, MojoExecutionException {
2265         settings = new Settings();
2266         InputStream mojoProperties = null;
2267         try {
2268             mojoProperties = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
2269             settings.mergeProperties(mojoProperties);
2270         } catch (IOException ex) {
2271             getLog().warn("Unable to load the dependency-check maven mojo.properties file.");
2272             if (getLog().isDebugEnabled()) {
2273                 getLog().debug("", ex);
2274             }
2275         } finally {
2276             if (mojoProperties != null) {
2277                 try {
2278                     mojoProperties.close();
2279                 } catch (IOException ex) {
2280                     if (getLog().isDebugEnabled()) {
2281                         getLog().debug("", ex);
2282                     }
2283                 }
2284             }
2285         }
2286         settings.setStringIfNotEmpty(Settings.KEYS.MAVEN_LOCAL_REPO, mavenSettings.getLocalRepository());
2287         settings.setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate);
2288         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, enableExperimental);
2289         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIRED_ENABLED, enableRetired);
2290         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_GOLANG_DEP_ENABLED, golangDepEnabled);
2291         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_GOLANG_MOD_ENABLED, golangModEnabled);
2292         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_DART_ENABLED, dartAnalyzerEnabled);
2293         settings.setStringIfNotNull(Settings.KEYS.ANALYZER_GOLANG_PATH, pathToGo);
2294         settings.setStringIfNotNull(Settings.KEYS.ANALYZER_YARN_PATH, pathToYarn);
2295         settings.setStringIfNotNull(Settings.KEYS.ANALYZER_PNPM_PATH, pathToPnpm);
2296 
2297         // use global maven proxy if provided and system properties are not set
2298         final Proxy mavenProxyHttp = getMavenProxy(PROTOCOL_HTTP);
2299         final Proxy mavenProxyHttps = getMavenProxy(PROTOCOL_HTTPS);
2300         String httpsNonProxyHosts = null;
2301         String httpNonProxyHosts = null;
2302         boolean proxySetFromMavenSettings = false;
2303         if (mavenProxyHttps != null || mavenProxyHttp != null) {
2304             final String existingHttps = StringUtils.trimToNull(System.getProperty("https.proxyHost"));
2305             if (existingHttps == null) {
2306                 proxySetFromMavenSettings = true;
2307                 if (mavenProxyHttps != null) {
2308                     setProxyServerSysPropsFromMavenProxy(mavenProxyHttps, PROTOCOL_HTTPS);
2309                     if (mavenProxyHttps.getNonProxyHosts() != null && !mavenProxyHttps.getNonProxyHosts().isEmpty()) {
2310                         httpsNonProxyHosts = mavenProxyHttps.getNonProxyHosts();
2311                     }
2312                 } else {
2313                     setProxyServerSysPropsFromMavenProxy(mavenProxyHttp, PROTOCOL_HTTPS);
2314                     httpsNonProxyHosts = mavenProxyHttp.getNonProxyHosts();
2315                 }
2316             }
2317             final String existingHttp = StringUtils.trimToNull(System.getProperty("http.proxyHost"));
2318             if (mavenProxyHttp != null && existingHttp == null) {
2319                 proxySetFromMavenSettings = true;
2320                 setProxyServerSysPropsFromMavenProxy(mavenProxyHttp, PROTOCOL_HTTP);
2321                 httpNonProxyHosts = mavenProxyHttp.getNonProxyHosts();
2322             }
2323             if (proxySetFromMavenSettings) {
2324                 final String existingNonProxyHosts = System.getProperty("http.nonProxyHosts");
2325                 System.setProperty("http.nonProxyHosts", mergeNonProxyHosts(existingNonProxyHosts, httpNonProxyHosts, httpsNonProxyHosts));
2326             }
2327         } else if (this.proxy != null && this.proxy.getHost() != null) {
2328             // or use configured <proxy>
2329             settings.setString(Settings.KEYS.PROXY_SERVER, this.proxy.getHost());
2330             settings.setString(Settings.KEYS.PROXY_PORT, Integer.toString(this.proxy.getPort()));
2331             // user name and password from <server> entry settings.xml
2332             configureServerCredentials(this.proxy.getServerId(), Settings.KEYS.PROXY_USERNAME, Settings.KEYS.PROXY_PASSWORD);
2333         }
2334 
2335         final String[] suppressions = determineSuppressions();
2336         settings.setArrayIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressions);
2337         settings.setBooleanIfNotNull(Settings.KEYS.UPDATE_VERSION_CHECK_ENABLED, versionCheckEnabled);
2338         settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
2339         settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_READ_TIMEOUT, readTimeout);
2340         settings.setStringIfNotEmpty(Settings.KEYS.HINTS_FILE, hintsFile);
2341         settings.setFloat(Settings.KEYS.JUNIT_FAIL_ON_CVSS, junitFailOnCVSS);
2342         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
2343         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
2344         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUGETCONF_ENABLED, nugetconfAnalyzerEnabled);
2345         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_LIBMAN_ENABLED, libmanAnalyzerEnabled);
2346         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
2347         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_USE_CACHE, centralAnalyzerUseCache);
2348         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_ENABLED, artifactoryAnalyzerEnabled);
2349         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
2350         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, assemblyAnalyzerEnabled);
2351         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_MSBUILD_PROJECT_ENABLED, msbuildAnalyzerEnabled);
2352         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, archiveAnalyzerEnabled);
2353         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_KNOWN_EXPLOITED_ENABLED, knownExploitedEnabled);
2354         settings.setStringIfNotEmpty(Settings.KEYS.KEV_URL, knownExploitedUrl);
2355         try {
2356             configureCredentials(knownExploitedServerId, knownExploitedUser, knownExploitedPassword, knownExploitedBearerToken,
2357                     Settings.KEYS.KEV_USER, Settings.KEYS.KEV_PASSWORD, Settings.KEYS.KEV_BEARER_TOKEN);
2358         } catch (InitializationException ex) {
2359             if (this.failOnError) {
2360                 throw new MojoFailureException("Invalid plugin configuration specified for Known Exploited data feed authentication", ex);
2361             } else {
2362                 throw new MojoExecutionException("Invalid plugin configuration specified for Known Exploited data feed authentication", ex);
2363             }
2364         }
2365         settings.setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
2366         settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_DOTNET_PATH, pathToCore);
2367         settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
2368         configureServerCredentials(nexusServerId, Settings.KEYS.ANALYZER_NEXUS_USER, Settings.KEYS.ANALYZER_NEXUS_PASSWORD);
2369         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
2370         settings.setStringIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_URL, artifactoryAnalyzerUrl);
2371         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_USES_PROXY, artifactoryAnalyzerUseProxy);
2372         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_PARALLEL_ANALYSIS, artifactoryAnalyzerParallelAnalysis);
2373         settings.setBooleanIfNotNull(Settings.KEYS.FAIL_ON_UNUSED_SUPPRESSION_RULE, failBuildOnUnusedSuppressionRule);
2374         if (Boolean.TRUE.equals(artifactoryAnalyzerEnabled)) {
2375             if (artifactoryAnalyzerServerId != null) {
2376                 configureServerCredentials(artifactoryAnalyzerServerId, Settings.KEYS.ANALYZER_ARTIFACTORY_API_USERNAME,
2377                         Settings.KEYS.ANALYZER_ARTIFACTORY_API_TOKEN);
2378             } else {
2379                 settings.setStringIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_API_USERNAME, artifactoryAnalyzerUsername);
2380                 settings.setStringIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_API_TOKEN, artifactoryAnalyzerApiToken);
2381             }
2382             settings.setStringIfNotNull(Settings.KEYS.ANALYZER_ARTIFACTORY_BEARER_TOKEN, artifactoryAnalyzerBearerToken);
2383         }
2384         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, pyDistributionAnalyzerEnabled);
2385         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, pyPackageAnalyzerEnabled);
2386         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, rubygemsAnalyzerEnabled);
2387         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, opensslAnalyzerEnabled);
2388         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CMAKE_ENABLED, cmakeAnalyzerEnabled);
2389         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
2390         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_MAVEN_INSTALL_ENABLED, mavenInstallAnalyzerEnabled);
2391         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PIP_ENABLED, pipAnalyzerEnabled);
2392         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PIPFILE_ENABLED, pipfileAnalyzerEnabled);
2393         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_POETRY_ENABLED, poetryAnalyzerEnabled);
2394         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
2395         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_SKIP_DEV, composerAnalyzerSkipDev);
2396         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CPANFILE_ENABLED, cpanfileAnalyzerEnabled);
2397         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);
2398         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED, nodeAuditAnalyzerEnabled);
2399         settings.setStringIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_URL, nodeAuditAnalyzerUrl);
2400         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_USE_CACHE, nodeAuditAnalyzerUseCache);
2401         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_SKIPDEV, nodePackageSkipDevDependencies);
2402         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_AUDIT_SKIPDEV, nodeAuditSkipDevDependencies);
2403         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_YARN_AUDIT_ENABLED, yarnAuditAnalyzerEnabled);
2404         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PNPM_AUDIT_ENABLED, pnpmAuditAnalyzerEnabled);
2405         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_ENABLED, retireJsAnalyzerEnabled);
2406         settings.setStringIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_REPO_JS_URL, retireJsUrl);
2407         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_FORCEUPDATE, retireJsForceUpdate);
2408 
2409         try {
2410             configureCredentials(retireJsUrlServerId, retireJsUser, retireJsPassword, retireJsBearerToken,
2411                     Settings.KEYS.ANALYZER_RETIREJS_REPO_JS_USER, Settings.KEYS.ANALYZER_RETIREJS_REPO_JS_PASSWORD, Settings.KEYS.ANALYZER_RETIREJS_REPO_JS_BEARER_TOKEN);
2412         } catch (InitializationException ex) {
2413             if (this.failOnError) {
2414                 throw new MojoFailureException("Invalid plugin configuration specified for retireJsUrl authentication", ex);
2415             } else {
2416                 throw new MojoExecutionException("Invalid plugin configuration specified for retireJsUrl authentication", ex);
2417             }
2418         }
2419         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_MIX_AUDIT_ENABLED, mixAuditAnalyzerEnabled);
2420         settings.setStringIfNotNull(Settings.KEYS.ANALYZER_MIX_AUDIT_PATH, mixAuditPath);
2421         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, bundleAuditAnalyzerEnabled);
2422         settings.setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, bundleAuditPath);
2423         settings.setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_WORKING_DIRECTORY, bundleAuditWorkingDirectory);
2424         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COCOAPODS_ENABLED, cocoapodsAnalyzerEnabled);
2425         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CARTHAGE_ENABLED, carthageAnalyzerEnabled);
2426         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED, swiftPackageManagerAnalyzerEnabled);
2427         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_RESOLVED_ENABLED, swiftPackageResolvedAnalyzerEnabled);
2428         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_ENABLED, ossindexAnalyzerEnabled);
2429         settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_URL, ossindexAnalyzerUrl);
2430         configureServerCredentials(ossIndexServerId, Settings.KEYS.ANALYZER_OSSINDEX_USER, Settings.KEYS.ANALYZER_OSSINDEX_PASSWORD);
2431         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_USE_CACHE, ossindexAnalyzerUseCache);
2432         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, ossIndexWarnOnlyOnRemoteErrors);
2433         if (retirejs != null) {
2434             settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIREJS_FILTER_NON_VULNERABLE, retirejs.getFilterNonVulnerable());
2435             settings.setArrayIfNotEmpty(Settings.KEYS.ANALYZER_RETIREJS_FILTERS, retirejs.getFilters());
2436         }
2437         //Database configuration
2438         settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
2439         settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
2440         settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
2441         if (databaseUser == null && databasePassword == null && serverId != null) {
2442             configureServerCredentials(serverId, Settings.KEYS.DB_USER, Settings.KEYS.DB_PASSWORD);
2443         } else {
2444             settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
2445             settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
2446         }
2447         settings.setStringIfNotEmpty(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
2448         settings.setStringIfNotEmpty(Settings.KEYS.DB_FILE_NAME, dbFilename);
2449         settings.setStringIfNotNull(Settings.KEYS.NVD_API_ENDPOINT, nvdApiEndpoint);
2450         settings.setIntIfNotNull(Settings.KEYS.NVD_API_DELAY, nvdApiDelay);
2451         settings.setIntIfNotNull(Settings.KEYS.NVD_API_RESULTS_PER_PAGE, nvdApiResultsPerPage);
2452         settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_DATAFEED_URL, nvdDatafeedUrl);
2453         settings.setIntIfNotNull(Settings.KEYS.NVD_API_VALID_FOR_HOURS, nvdValidForHours);
2454         settings.setIntIfNotNull(Settings.KEYS.NVD_API_MAX_RETRY_COUNT, nvdMaxRetryCount);
2455         if (nvdApiKey == null) {
2456             if (nvdApiKeyEnvironmentVariable != null) {
2457                 settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_KEY, System.getenv(nvdApiKeyEnvironmentVariable));
2458                 getLog().debug("Using NVD API key from environment variable " + nvdApiKeyEnvironmentVariable);
2459             } else if (nvdApiServerId != null) {
2460                 try {
2461                     configureServerCredentialsApiKey(nvdApiServerId, Settings.KEYS.NVD_API_KEY);
2462                 } catch (InitializationException ex) {
2463                     if (this.failOnError) {
2464                         throw new MojoFailureException("Invalid plugin configuration specified for NVD API authentication", ex);
2465                     } else {
2466                         throw new MojoExecutionException("Invalid plugin configuration specified for NVD API authentication", ex);
2467                     }
2468                 }
2469                 getLog().debug("Using NVD API key from server's password with id " + nvdApiServerId + " in settings.xml");
2470             }
2471         } else {
2472             settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_KEY, nvdApiKey);
2473         }
2474         try {
2475             configureCredentials(nvdDatafeedServerId, nvdUser, nvdPassword, nvdBearerToken,
2476                     Settings.KEYS.NVD_API_DATAFEED_USER, Settings.KEYS.NVD_API_DATAFEED_PASSWORD, Settings.KEYS.NVD_API_DATAFEED_BEARER_TOKEN);
2477         } catch (InitializationException ex) {
2478             if (this.failOnError) {
2479                 throw new MojoFailureException("Invalid plugin configuration specified for NVD Datafeed authentication", ex);
2480             } else {
2481                 throw new MojoExecutionException("Invalid plugin configuration specified for NVD Datafeed authentication", ex);
2482             }
2483         }
2484         settings.setBooleanIfNotNull(Settings.KEYS.PRETTY_PRINT, prettyPrint);
2485         artifactScopeExcluded = new ArtifactScopeExcluded(skipTestScope, skipProvidedScope, skipSystemScope, skipRuntimeScope);
2486         artifactTypeExcluded = new ArtifactTypeExcluded(skipArtifactType);
2487         try {
2488             configureCredentials(suppressionFileServerId, suppressionFileUser, suppressionFilePassword, suppressionFileBearerToken,
2489                     Settings.KEYS.SUPPRESSION_FILE_USER, Settings.KEYS.SUPPRESSION_FILE_PASSWORD, Settings.KEYS.SUPPRESSION_FILE_BEARER_TOKEN);
2490         } catch (InitializationException ex) {
2491             if (this.failOnError) {
2492                 throw new MojoFailureException("Invalid plugin configuration specified for suppression file authentication", ex);
2493             } else {
2494                 throw new MojoExecutionException("Invalid plugin configuration specified for suppression file authentication", ex);
2495             }
2496         }
2497 
2498         settings.setIntIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_VALID_FOR_HOURS, hostedSuppressionsValidForHours);
2499         settings.setStringIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_URL, hostedSuppressionsUrl);
2500         settings.setBooleanIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_FORCEUPDATE, hostedSuppressionsForceUpdate);
2501         settings.setBooleanIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_ENABLED, hostedSuppressionsEnabled);
2502         try {
2503             configureCredentials(hostedSuppressionsServerId, hostedSuppressionsUser, hostedSuppressionsPassword, hostedSuppressionsBearerToken,
2504                     Settings.KEYS.HOSTED_SUPPRESSIONS_USER, Settings.KEYS.HOSTED_SUPPRESSIONS_PASSWORD, Settings.KEYS.HOSTED_SUPPRESSIONS_BEARER_TOKEN);
2505         } catch (InitializationException ex) {
2506             if (this.failOnError) {
2507                 throw new MojoFailureException("Invalid plugin configuration specified for hostedSuppressions authentication", ex);
2508             } else {
2509                 throw new MojoExecutionException("Invalid plugin configuration specified for hostedSuppressions authentication", ex);
2510             }
2511         }
2512     }
2513     //CSON: MethodLength
2514 
2515     /**
2516      * Configure the credentials in the settings for a certain connection.<br/>
2517      * <p>
2518      * When a serverId is given, then its values are used instead of the less secure direct values.<br />
2519      * A serverId with username/password will fill the `userKey` and `passwordKey` settings for Basic Auth. A serverId with only password
2520      * filled will fill the `tokenKey` fro Bearer Auth.<br/>
2521      * In absence of the serverId any non-null value will be transferred to the settings.
2522      *
2523      * @param serverId      The serverId specified for the connection or {@code null}
2524      * @param usernameValue The username specified for the connection or {@code null}
2525      * @param passwordValue The password specified for the connection or {@code null}
2526      * @param tokenValue    The token specified for the connection or {@code null}
2527      * @param userKey       The settings key that configures the user or {@code null} when Basic auth is not configurable for the connection
2528      * @param passwordKey   The settings key that configures the password or {@code null} when Basic auth is not configurable for the connection
2529      * @param tokenKey      The settings key that configures the token or {@code null} when Bearer auth is not configurable for the connection
2530      * @throws InitializationException When both serverId and at least one other property value are filled.
2531      */
2532     private void configureCredentials(String serverId, String usernameValue, String passwordValue, String tokenValue,
2533                                       String userKey, String passwordKey, String tokenKey) throws InitializationException {
2534         if (serverId != null) {
2535             if (usernameValue != null || passwordValue != null || tokenValue != null) {
2536                 throw new InitializationException(
2537                         "Username/password/token configurations should be left out when a serverId (" + serverId + ") is configured");
2538             }
2539             final Server server = settingsXml.getServer(serverId);
2540             if (server != null) {
2541                 configureFromServer(server, userKey, passwordKey, tokenKey, serverId);
2542             } else {
2543                 getLog().error(String.format("Server '%s' not found in the settings.xml file", serverId));
2544             }
2545         } else {
2546             settings.setStringIfNotEmpty(userKey, usernameValue);
2547             settings.setStringIfNotEmpty(passwordKey, passwordValue);
2548             settings.setStringIfNotEmpty(tokenKey, tokenValue);
2549         }
2550     }
2551 
2552     /**
2553      * Configure the credentials in the settings for a certain connection from a settings Server object.<br/>
2554      * <p>
2555      * A serverId with username/password will fill the `userKey` and `passwordKey` settings for Basic Auth.<br/>
2556      * A serverId with only password filled will fill the `tokenKey` fro Bearer Auth.<br/>
2557      *
2558      * @param server        The server entry from the settings to configure authentication
2559      * @param userKey       The settings key that configures the user or {@code null} when Basic auth is not configurable for the connection
2560      * @param passwordKey   The settings key that configures the password or {@code null} when Basic auth is not configurable for the connection
2561      * @param tokenKey      The settings key that configures the token or {@code null} when Bearer auth is not configurable for the connection
2562      * @param serverId      The serverId specified for the connection or {@code null}
2563      * @throws InitializationException When both serverId and at least one other property value are filled.
2564      */
2565     private void configureFromServer(Server server, String userKey, String passwordKey, String tokenKey, String serverId) throws InitializationException {
2566         final SettingsDecryptionResult result = settingsDecrypter.decrypt(new DefaultSettingsDecryptionRequest(server));
2567         final String username = server.getUsername();
2568         final String password;
2569         if (result.getProblems().isEmpty()) {
2570             password = result.getServer().getPassword();
2571         } else {
2572             logProblems(result.getProblems(), "server setting for " + serverId);
2573             getLog().debug("Using raw password from settings.xml for server " + serverId);
2574             password = server.getPassword();
2575         }
2576         if (username != null) {
2577             if (userKey != null && passwordKey != null) {
2578                 settings.setStringIfNotEmpty(userKey, username);
2579                 settings.setStringIfNotEmpty(passwordKey, password);
2580             } else {
2581                 getLog().warn("Basic type server authentication encountered in serverId " + serverId + ", but only Bearer authentication is "
2582                         + "supported for the resource. For Bearer authentication tokens you should leave out the username in the server-entry in"
2583                         + " settings.xml");
2584                 settings.setStringIfNotEmpty(tokenKey, password);
2585             }
2586         } else {
2587             if (tokenKey != null) {
2588                 settings.setStringIfNotEmpty(tokenKey, password);
2589             } else {
2590                 throw new InitializationException(
2591                         "Bearer type server authentication encountered in serverId " + serverId + ", but only Basic authentication is supported for "
2592                                 + "the  resource. Looks like the username was forgotten to be added in the server-entry in settings.xml");
2593             }
2594         }
2595     }
2596 
2597     private String mergeNonProxyHosts(String existingNonProxyHosts, String httpNonProxyHosts, String httpsNonProxyHosts) {
2598         final HashSet<String> mergedNonProxyHosts = new HashSet<>();
2599         mergedNonProxyHosts.addAll(Arrays.asList(StringUtils.trimToEmpty(existingNonProxyHosts).split("\\|")));
2600         mergedNonProxyHosts.addAll(Arrays.asList(StringUtils.trimToEmpty(httpNonProxyHosts).split("\\|")));
2601         mergedNonProxyHosts.addAll(Arrays.asList(StringUtils.trimToEmpty(httpsNonProxyHosts).split("\\|")));
2602         return String.join("|", mergedNonProxyHosts);
2603     }
2604 
2605     private void setProxyServerSysPropsFromMavenProxy(Proxy mavenProxy, String protocol) {
2606         System.setProperty(protocol + ".proxyHost", mavenProxy.getHost());
2607         if (mavenProxy.getPort() > 0) {
2608             System.setProperty(protocol + ".proxyPort", String.valueOf(mavenProxy.getPort()));
2609         }
2610         if (mavenProxy.getUsername() != null && !mavenProxy.getUsername().isEmpty()) {
2611             System.setProperty(protocol + ".proxyUser", mavenProxy.getUsername());
2612         }
2613         final SettingsDecryptionResult result = settingsDecrypter.decrypt(new DefaultSettingsDecryptionRequest(mavenProxy));
2614         final String password;
2615         if (result.getProblems().isEmpty()) {
2616             password = result.getProxy().getPassword();
2617         } else {
2618             logProblems(result.getProblems(), "proxy settings for " + mavenProxy.getId());
2619             getLog().debug("Using raw password from settings.xml for proxy " + mavenProxy.getId());
2620             password = mavenProxy.getPassword();
2621         }
2622         if (password != null && !password.isEmpty()) {
2623             System.setProperty(protocol + ".proxyPassword", password);
2624         }
2625     }
2626 
2627     /**
2628      * Retrieves the server credentials from the settings.xml, decrypts the
2629      * password, and places the values into the settings under the given key
2630      * names.
2631      *
2632      * @param serverId the server id
2633      * @param userSettingKey the property name for the username
2634      * @param passwordSettingKey the property name for the password
2635      */
2636     private void configureServerCredentials(String serverId, String userSettingKey, String passwordSettingKey) throws MojoFailureException, MojoExecutionException {
2637         try {
2638             configureCredentials(serverId, null, null, null, userSettingKey, passwordSettingKey, null);
2639         } catch (InitializationException ex) {
2640             if (this.failOnError) {
2641                 throw new MojoFailureException(String.format("Error setting credentials (%s, %s) from serverId %s", userSettingKey, passwordSettingKey, serverId), ex);
2642             } else {
2643                 throw new MojoExecutionException(String.format("Error setting credentials (%s, %s) from serverId %s", userSettingKey, passwordSettingKey, serverId), ex);
2644             }
2645         }
2646     }
2647 
2648     /**
2649      * Retrieves the server credentials from the settings.xml, decrypts the
2650      * password, and places the values into the settings under the given key
2651      * names. This is used to retrieve an encrypted password as an API key.
2652      *
2653      * @param serverId the server id
2654      * @param apiKeySetting the property name for the API key
2655      */
2656     private void configureServerCredentialsApiKey(String serverId, String apiKeySetting) throws InitializationException {
2657         configureCredentials(serverId, null, null, null, null, null, apiKeySetting);
2658     }
2659 
2660     /**
2661      * Logs the problems encountered during settings decryption of a {@code <}server>} or {@code <proxy>} config
2662      * from the maven settings.<br/>
2663      * Logs a generic message about decryption problems at WARN level. If debug logging is enabled a additional message is logged at DEBUG level
2664      * detailing all the encountered problems and their underlying exceptions.
2665      *
2666      * @param problems The problems as reported by the settingsDecrypter.
2667      * @param credentialDesc an identification of what was attempted to be decrypted
2668      */
2669     private void logProblems(List<SettingsProblem> problems, String credentialDesc) {
2670         final String message = "Problems while decrypting " + credentialDesc;
2671         getLog().warn(message);
2672         if (getLog().isDebugEnabled()) {
2673             final StringBuilder dbgMessage = new StringBuilder("Problems while decrypting ").append(credentialDesc).append(": ");
2674             boolean first = true;
2675             for (SettingsProblem problem : problems) {
2676                 dbgMessage.append(first ? "" : ", ").append(problem.getMessage());
2677                 dbgMessage.append("caused by ").append(problem.getException());
2678                 first = false;
2679             }
2680             getLog().debug(dbgMessage.toString());
2681         }
2682     }
2683 
2684     /**
2685      * Combines the configured suppressionFile and suppressionFiles into a
2686      * single array.
2687      *
2688      * @return an array of suppression file paths
2689      */
2690     private String[] determineSuppressions() {
2691         String[] suppressions = suppressionFiles;
2692         if (suppressionFile != null) {
2693             if (suppressions == null) {
2694                 suppressions = new String[]{suppressionFile};
2695             } else {
2696                 suppressions = Arrays.copyOf(suppressions, suppressions.length + 1);
2697                 suppressions[suppressions.length - 1] = suppressionFile;
2698             }
2699         }
2700         return suppressions;
2701     }
2702 
2703     /**
2704      * Hacky method of muting the noisy logging from JCS
2705      */
2706     private void muteNoisyLoggers() {
2707         System.setProperty("jcs.logSystem", "slf4j");
2708         if (!getLog().isDebugEnabled()) {
2709             Slf4jAdapter.muteLogging(true);
2710         }
2711 
2712         final String[] noisyLoggers = {
2713             "org.apache.hc"
2714         };
2715         for (String loggerName : noisyLoggers) {
2716             System.setProperty("org.slf4j.simpleLogger.log." + loggerName, "error");
2717         }
2718     }
2719 
2720     /**
2721      * Returns the maven proxy.
2722      *
2723      * @param protocol The protocol of the target URL.
2724      * @return the maven proxy configured for that protocol
2725      */
2726     private Proxy getMavenProxy(String protocol) {
2727         if (mavenSettings != null) {
2728             final List<Proxy> proxies = mavenSettings.getProxies();
2729             if (proxies != null && !proxies.isEmpty()) {
2730                 if (mavenSettingsProxyId != null) {
2731                     for (Proxy proxy : proxies) {
2732                         if (mavenSettingsProxyId.equalsIgnoreCase(proxy.getId())) {
2733                             return proxy;
2734                         }
2735                     }
2736                 } else {
2737                     for (Proxy aProxy : proxies) {
2738                         if (aProxy.isActive() && aProxy.getProtocol().equals(protocol)) {
2739                             return aProxy;
2740                         }
2741                     }
2742                 }
2743             }
2744         }
2745         return null;
2746     }
2747 
2748     /**
2749      * Returns a reference to the current project. This method is used instead
2750      * of auto-binding the project via component annotation in concrete
2751      * implementations of this. If the child has a
2752      * <code>@Component MavenProject project;</code> defined then the abstract
2753      * class (i.e. this class) will not have access to the current project (just
2754      * the way Maven works with the binding).
2755      *
2756      * @return returns a reference to the current project
2757      */
2758     protected MavenProject getProject() {
2759         return project;
2760     }
2761 
2762     /**
2763      * Returns the list of Maven Projects in this build.
2764      *
2765      * @return the list of Maven Projects in this build
2766      */
2767     protected List<MavenProject> getReactorProjects() {
2768         return reactorProjects;
2769     }
2770 
2771     /**
2772      * Combines the format and formats properties into a single collection.
2773      *
2774      * @return the selected report formats
2775      */
2776     private Set<String> getFormats() {
2777         final Set<String> invalid = new HashSet<>();
2778         final Set<String> selectedFormats = formats == null || formats.length == 0 ? new HashSet<>() : new HashSet<>(Arrays.asList(formats));
2779         selectedFormats.forEach((s) -> {
2780             try {
2781                 ReportGenerator.Format.valueOf(s.toUpperCase());
2782             } catch (IllegalArgumentException ex) {
2783                 invalid.add(s);
2784             }
2785         });
2786         invalid.forEach((s) -> getLog().warn("Invalid report format specified: " + s));
2787         if (selectedFormats.contains("true")) {
2788             selectedFormats.remove("true");
2789         }
2790         if (format != null && selectedFormats.isEmpty()) {
2791             selectedFormats.add(format);
2792         }
2793         return selectedFormats;
2794     }
2795 
2796     /**
2797      * Returns the list of excluded artifacts based on either artifact id or
2798      * group id and artifact id.
2799      *
2800      * @return a list of artifact to exclude
2801      */
2802     public List<String> getExcludes() {
2803         if (excludes == null) {
2804             excludes = new ArrayList<>();
2805         }
2806         return excludes;
2807     }
2808 
2809     /**
2810      * Returns the artifact scope excluded filter.
2811      *
2812      * @return the artifact scope excluded filter
2813      */
2814     protected Filter<String> getArtifactScopeExcluded() {
2815         return artifactScopeExcluded;
2816     }
2817 
2818     /**
2819      * Returns the configured settings.
2820      *
2821      * @return the configured settings
2822      */
2823     protected Settings getSettings() {
2824         return settings;
2825     }
2826 
2827     //<editor-fold defaultstate="collapsed" desc="Methods to fail build or show summary">
2828     /**
2829      * Checks to see if a vulnerability has been identified with a CVSS score
2830      * that is above the threshold set in the configuration.
2831      *
2832      * @param dependencies the list of dependency objects
2833      * @throws MojoFailureException thrown if a CVSS score is found that is
2834      * higher than the threshold set
2835      */
2836     protected void checkForFailure(Dependency[] dependencies) throws MojoFailureException {
2837         final StringBuilder ids = new StringBuilder();
2838         for (Dependency d : dependencies) {
2839             boolean addName = true;
2840             for (Vulnerability v : d.getVulnerabilities()) {
2841                 final Double cvssV2 = v.getCvssV2() != null && v.getCvssV2().getCvssData() != null && v.getCvssV2().getCvssData().getBaseScore() != null ? v.getCvssV2().getCvssData().getBaseScore() : -1;
2842                 final Double cvssV3 = v.getCvssV3() != null && v.getCvssV3().getCvssData() != null && v.getCvssV3().getCvssData().getBaseScore() != null ? v.getCvssV3().getCvssData().getBaseScore() : -1;
2843                 final Double cvssV4 = v.getCvssV4() != null && v.getCvssV4().getCvssData() != null && v.getCvssV4().getCvssData().getBaseScore() != null ? v.getCvssV4().getCvssData().getBaseScore() : -1;
2844                 final Double unscoredCvss = v.getUnscoredSeverity() != null ? SeverityUtil.estimateCvssV2(v.getUnscoredSeverity()) : -1;
2845 
2846                 if (failBuildOnAnyVulnerability || cvssV2 >= failBuildOnCVSS
2847                         || cvssV3 >= failBuildOnCVSS
2848                         || cvssV4 >= failBuildOnCVSS
2849                         || unscoredCvss >= failBuildOnCVSS
2850                         //safety net to fail on any if for some reason the above misses on 0
2851                         || (failBuildOnCVSS <= 0.0)) {
2852                     String name = v.getName();
2853                     if (cvssV4 >= 0.0) {
2854                         name += "(" + cvssV4 + ")";
2855                     } else if (cvssV3 >= 0.0) {
2856                         name += "(" + cvssV3 + ")";
2857                     } else if (cvssV2 >= 0.0) {
2858                         name += "(" + cvssV2 + ")";
2859                     } else if (unscoredCvss >= 0.0) {
2860                         name += "(" + unscoredCvss + ")";
2861                     }
2862                     if (addName) {
2863                         addName = false;
2864                         ids.append(NEW_LINE).append(d.getFileName()).append(" (")
2865                            .append(Stream.concat(d.getSoftwareIdentifiers().stream(), d.getVulnerableSoftwareIdentifiers().stream())
2866                                          .map(Identifier::getValue)
2867                                          .collect(Collectors.joining(", ")))
2868                            .append("): ")
2869                            .append(name);
2870                     } else {
2871                         ids.append(", ").append(name);
2872                     }
2873                 }
2874             }
2875         }
2876         if (ids.length() > 0) {
2877             final String msg;
2878             if (showSummary) {
2879                 if (failBuildOnAnyVulnerability) {
2880                     msg = String.format("%n%nOne or more dependencies were identified with vulnerabilities: %n%s%n%n"
2881                             + "See the dependency-check report for more details.%n%n", ids);
2882                 } else {
2883                     msg = String.format("%n%nOne or more dependencies were identified with vulnerabilities that have a CVSS score greater than or "
2884                             + "equal to '%.1f': %n%s%n%nSee the dependency-check report for more details.%n%n", failBuildOnCVSS, ids);
2885                 }
2886             } else {
2887                 msg = String.format("%n%nOne or more dependencies were identified with vulnerabilities.%n%n"
2888                         + "See the dependency-check report for more details.%n%n");
2889             }
2890             throw new MojoFailureException(msg);
2891         }
2892     }
2893 
2894     /**
2895      * Generates a warning message listing a summary of dependencies and their
2896      * associated CPE and CVE entries.
2897      *
2898      * @param mp the Maven project for which the summary is shown
2899      * @param dependencies a list of dependency objects
2900      */
2901     protected void showSummary(MavenProject mp, Dependency[] dependencies) {
2902         if (showSummary) {
2903             DependencyCheckScanAgent.showSummary(mp.getName(), dependencies);
2904         }
2905     }
2906 
2907     //</editor-fold>
2908     //CSOFF: ParameterNumber
2909     private ExceptionCollection scanDependencyNode(DependencyNode dependencyNode, DependencyNode root,
2910             Engine engine, MavenProject project, List<ArtifactResult> allResolvedDeps,
2911             ProjectBuildingRequest buildingRequest, boolean aggregate, ExceptionCollection exceptionCollection) {
2912         ExceptionCollection exCol = exceptionCollection;
2913         if (artifactScopeExcluded.passes(dependencyNode.getArtifact().getScope())
2914                 || artifactTypeExcluded.passes(dependencyNode.getArtifact().getType())) {
2915             return exCol;
2916         }
2917 
2918         boolean isResolved = false;
2919         File artifactFile = null;
2920         String artifactId = null;
2921         String groupId = null;
2922         String version = null;
2923         List<ArtifactVersion> availableVersions = null;
2924         if (org.apache.maven.artifact.Artifact.SCOPE_SYSTEM.equals(dependencyNode.getArtifact().getScope())) {
2925             final Artifact a = dependencyNode.getArtifact();
2926             if (a.isResolved() && a.getFile().isFile()) {
2927                 artifactFile = a.getFile();
2928                 isResolved = artifactFile.isFile();
2929                 groupId = a.getGroupId();
2930                 artifactId = a.getArtifactId();
2931                 version = a.getVersion();
2932                 availableVersions = a.getAvailableVersions();
2933             } else {
2934                 for (org.apache.maven.model.Dependency d : project.getDependencies()) {
2935                     if (d.getSystemPath() != null && artifactsMatch(d, a)) {
2936                         artifactFile = new File(d.getSystemPath());
2937                         isResolved = artifactFile.isFile();
2938                         groupId = a.getGroupId();
2939                         artifactId = a.getArtifactId();
2940                         version = a.getVersion();
2941                         availableVersions = a.getAvailableVersions();
2942                         break;
2943                     }
2944                 }
2945             }
2946             Throwable ignored = null;
2947             if (!isResolved) {
2948                 // Issue #4969 Tycho appears to add System-scoped libraries in reactor projects in unresolved state
2949                 // so attempt to do a resolution for system-scoped too if still nothing found
2950                 try {
2951                     tryResolutionOnce(project, allResolvedDeps, buildingRequest);
2952                     final Artifact result = findInAllDeps(allResolvedDeps, dependencyNode.getArtifact(), project);
2953                     isResolved = result.isResolved();
2954                     artifactFile = result.getFile();
2955                     groupId = result.getGroupId();
2956                     artifactId = result.getArtifactId();
2957                     version = result.getVersion();
2958                     availableVersions = result.getAvailableVersions();
2959                 } catch (DependencyNotFoundException | DependencyResolverException e) {
2960                     getLog().warn("Error performing last-resort System-scoped dependency resolution: " + e.getMessage());
2961                     ignored = e;
2962                 }
2963             }
2964             if (!isResolved) {
2965                 final StringBuilder message = new StringBuilder("Unable to resolve system scoped dependency: ");
2966                 if (artifactFile != null) {
2967                     message.append(dependencyNode.toNodeString()).append(" at path ").append(artifactFile);
2968                 } else {
2969                     message.append(dependencyNode.toNodeString()).append(" at path ").append(a.getFile());
2970                 }
2971                 getLog().error(message);
2972                 if (exCol == null) {
2973                     exCol = new ExceptionCollection();
2974                 }
2975                 final Exception thrown = new DependencyNotFoundException(message.toString());
2976                 if (ignored != null) {
2977                     thrown.addSuppressed(ignored);
2978                 }
2979                 exCol.addException(thrown);
2980             }
2981         } else {
2982             final Artifact dependencyArtifact = dependencyNode.getArtifact();
2983             final Artifact result;
2984             if (dependencyArtifact.isResolved()) {
2985                 //All transitive dependencies, excluding reactor and dependencyManagement artifacts should
2986                 //have been resolved by Maven prior to invoking the plugin - resolving the dependencies
2987                 //manually is unnecessary, and does not work in some cases (issue-1751)
2988                 getLog().debug(String.format("Skipping artifact %s, already resolved", dependencyArtifact.getArtifactId()));
2989                 result = dependencyArtifact;
2990             } else {
2991                 try {
2992                     tryResolutionOnce(project, allResolvedDeps, buildingRequest);
2993                     result = findInAllDeps(allResolvedDeps, dependencyNode.getArtifact(), project);
2994                 } catch (DependencyNotFoundException | DependencyResolverException ex) {
2995                     getLog().debug(String.format("Aggregate : %s", aggregate));
2996                     boolean addException = true;
2997                     //CSOFF: EmptyBlock
2998                     if (!aggregate) {
2999                         // do nothing - the exception is to be reported
3000                     } else if (addReactorDependency(engine, dependencyNode.getArtifact(), project)) {
3001                         // successfully resolved as a reactor dependency - swallow the exception
3002                         addException = false;
3003                     }
3004                     if (addException) {
3005                         if (exCol == null) {
3006                             exCol = new ExceptionCollection();
3007                         }
3008                         exCol.addException(ex);
3009                     }
3010                     return exCol;
3011                 }
3012             }
3013             if (aggregate && virtualSnapshotsFromReactor
3014                     && dependencyNode.getArtifact().isSnapshot()
3015                     && addSnapshotReactorDependency(engine, dependencyNode.getArtifact(), project)) {
3016                 return exCol;
3017             }
3018             isResolved = result.isResolved();
3019             artifactFile = result.getFile();
3020             groupId = result.getGroupId();
3021             artifactId = result.getArtifactId();
3022             version = result.getVersion();
3023             availableVersions = result.getAvailableVersions();
3024         }
3025         if (isResolved && artifactFile != null) {
3026             final List<Dependency> deps = engine.scan(artifactFile.getAbsoluteFile(),
3027                     createProjectReferenceName(project, dependencyNode));
3028             if (deps != null) {
3029                 processResolvedArtifact(artifactFile, deps, groupId, artifactId, version, root, project, availableVersions, dependencyNode);
3030             } else if ("import".equals(dependencyNode.getArtifact().getScope())) {
3031                 final String msg = String.format("Skipping '%s:%s' in project %s as it uses an `import` scope",
3032                         dependencyNode.getArtifact().getId(), dependencyNode.getArtifact().getScope(), project.getName());
3033                 getLog().debug(msg);
3034             } else if ("pom".equals(dependencyNode.getArtifact().getType())) {
3035                 exCol = processPomArtifact(artifactFile, root, project, engine, exCol);
3036             } else {
3037                 if (!scannedFiles.contains(artifactFile)) {
3038                     final String msg = String.format("No analyzer could be found or the artifact has been scanned twice for '%s:%s' in project %s",
3039                             dependencyNode.getArtifact().getId(), dependencyNode.getArtifact().getScope(), project.getName());
3040                     getLog().warn(msg);
3041                 }
3042             }
3043         } else {
3044             final String msg = String.format("Unable to resolve '%s' in project %s",
3045                     dependencyNode.getArtifact().getId(), project.getName());
3046             getLog().debug(msg);
3047             if (exCol == null) {
3048                 exCol = new ExceptionCollection();
3049             }
3050         }
3051         return exCol;
3052     }
3053 
3054     /**
3055      * Try resolution of artifacts once, allowing for
3056      * DependencyResolutionException due to reactor-dependencies not being
3057      * resolvable.
3058      * <br>
3059      * The resolution is attempted only if allResolvedDeps is still empty. The
3060      * assumption is that for any given project at least one of the dependencies
3061      * will successfully resolve. If not, resolution will be attempted once for
3062      * every dependency (as allResolvedDeps remains empty).
3063      *
3064      * @param project The project to dependencies for
3065      * @param allResolvedDeps The collection of successfully resolved
3066      * dependencies, will be filled with the successfully resolved dependencies,
3067      * even in case of resolution failures.
3068      * @param buildingRequest The buildingRequest to hand to Maven's
3069      * DependencyResolver.
3070      * @throws DependencyResolverException For any DependencyResolverException
3071      * other than an Eclipse Aether DependencyResolutionException
3072      */
3073     private void tryResolutionOnce(MavenProject project, List<ArtifactResult> allResolvedDeps, ProjectBuildingRequest buildingRequest) throws DependencyResolverException {
3074         if (allResolvedDeps.isEmpty()) { // no (partially successful) resolution attempt done
3075             try {
3076                 final List<org.apache.maven.model.Dependency> dependencies = project.getDependencies();
3077                 final List<org.apache.maven.model.Dependency> managedDependencies = project
3078                         .getDependencyManagement() == null ? null : project.getDependencyManagement().getDependencies();
3079                 final Iterable<ArtifactResult> allDeps = dependencyResolver
3080                         .resolveDependencies(buildingRequest, dependencies, managedDependencies, null);
3081                 allDeps.forEach(allResolvedDeps::add);
3082             } catch (DependencyResolverException dre) {
3083                 if (dre.getCause() instanceof org.eclipse.aether.resolution.DependencyResolutionException) {
3084                     final List<ArtifactResult> successResults = Mshared998Util
3085                             .getResolutionResults((org.eclipse.aether.resolution.DependencyResolutionException) dre.getCause());
3086                     allResolvedDeps.addAll(successResults);
3087                 } else {
3088                     throw dre;
3089                 }
3090             }
3091         }
3092     }
3093     //CSON: ParameterNumber
3094 
3095     //CSOFF: ParameterNumber
3096     private void processResolvedArtifact(File artifactFile, final List<Dependency> deps,
3097             String groupId, String artifactId, String version, DependencyNode root,
3098             MavenProject project1, List<ArtifactVersion> availableVersions,
3099             DependencyNode dependencyNode) {
3100         scannedFiles.add(artifactFile);
3101         Dependency d = null;
3102         if (deps.size() == 1) {
3103             d = deps.get(0);
3104 
3105         } else {
3106             for (Dependency possible : deps) {
3107                 if (artifactFile.getAbsoluteFile().equals(possible.getActualFile())) {
3108                     d = possible;
3109                     break;
3110                 }
3111             }
3112             for (Dependency dep : deps) {
3113                 if (d != null && d != dep) {
3114                     final String includedBy = buildReference(groupId, artifactId, version);
3115                     dep.addIncludedBy(includedBy);
3116                 }
3117             }
3118         }
3119         if (d != null) {
3120             final MavenArtifact ma = new MavenArtifact(groupId, artifactId, version);
3121             d.addAsEvidence("pom", ma, Confidence.HIGHEST);
3122             if (root != null) {
3123                 final String includedby = buildReference(
3124                         root.getArtifact().getGroupId(),
3125                         root.getArtifact().getArtifactId(),
3126                         root.getArtifact().getVersion());
3127                 d.addIncludedBy(includedby);
3128             } else {
3129                 final String includedby = buildReference(project1.getGroupId(), project1.getArtifactId(), project1.getVersion());
3130                 d.addIncludedBy(includedby);
3131             }
3132             if (availableVersions != null) {
3133                 for (ArtifactVersion av : availableVersions) {
3134                     d.addAvailableVersion(av.toString());
3135                 }
3136             }
3137             getLog().debug(String.format("Adding project reference %s on dependency %s", project1.getName(), d.getDisplayFileName()));
3138         } else if (getLog().isDebugEnabled()) {
3139             final String msg = String.format("More than 1 dependency was identified in first pass scan of '%s' in project %s", dependencyNode.getArtifact().getId(), project1.getName());
3140             getLog().debug(msg);
3141         }
3142     }
3143     //CSON: ParameterNumber
3144 
3145     private ExceptionCollection processPomArtifact(File artifactFile, DependencyNode root,
3146             MavenProject project1, Engine engine, ExceptionCollection exCollection) {
3147         ExceptionCollection exCol = exCollection;
3148         try {
3149             final Dependency d = new Dependency(artifactFile.getAbsoluteFile());
3150             final Model pom = PomUtils.readPom(artifactFile.getAbsoluteFile());
3151             JarAnalyzer.setPomEvidence(d, pom, null, true);
3152             if (root != null) {
3153                 final String includedby = buildReference(
3154                         root.getArtifact().getGroupId(),
3155                         root.getArtifact().getArtifactId(),
3156                         root.getArtifact().getVersion());
3157                 d.addIncludedBy(includedby);
3158             } else {
3159                 final String includedby = buildReference(project1.getGroupId(), project1.getArtifactId(), project1.getVersion());
3160                 d.addIncludedBy(includedby);
3161             }
3162             engine.addDependency(d);
3163         } catch (AnalysisException ex) {
3164             if (exCol == null) {
3165                 exCol = new ExceptionCollection();
3166             }
3167             exCol.addException(ex);
3168             getLog().debug("Error reading pom " + artifactFile.getAbsoluteFile(), ex);
3169         }
3170         return exCol;
3171     }
3172 
3173 }
3174 //CSON: FileLength