1   /*
2    * This file is part of dependency-check-maven.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.maven;
19  
20  import java.util.Locale;
21  import org.apache.maven.artifact.Artifact;
22  import org.apache.maven.plugin.MojoExecutionException;
23  import org.apache.maven.plugin.MojoFailureException;
24  import org.apache.maven.plugins.annotations.LifecyclePhase;
25  import org.apache.maven.plugins.annotations.Mojo;
26  import org.apache.maven.plugins.annotations.Parameter;
27  import org.apache.maven.plugins.annotations.ResolutionScope;
28  import org.owasp.dependencycheck.Engine;
29  import org.owasp.dependencycheck.exception.ExceptionCollection;
30  
31  /**
32   * Maven Plugin that checks the project dependencies to see if they have any
33   * known published vulnerabilities.
34   *
35   * @author Jeremy Long
36   */
@Mojo(
        name = "check",
        defaultPhase = LifecyclePhase.VERIFY,
        threadSafe = true,
        requiresDependencyResolution = ResolutionScope.COMPILE_PLUS_RUNTIME,
        // NOTE(review): the goal declares itself online; presumably the Engine refreshes
        // its vulnerability data over the network - confirm against the Engine before
        // relying on this goal in an air-gapped build.
        requiresOnline = true
)
public class CheckMojo extends BaseDependencyCheckMojo {

    /**
     * Text shown for this report on the Maven "Generated Reports" page.
     * The wording deliberately warns that the scan is best effort.
     */
    private static final String REPORT_DESCRIPTION =
            "Generates a report providing details on any published vulnerabilities within project dependencies. "
            + "This report is a best effort and may contain false positives and false negatives.";

    /**
     * The name of the report in the site.
     * <p>
     * NOTE(review): this is bound to the very generic user property {@code name};
     * a {@code -Dname=...} passed on the command line for some other purpose
     * will also rename this report. The property name is part of the plugin's
     * public configuration surface, so it is kept as-is here.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "name", defaultValue = "dependency-check", required = true)
    private String name = "dependency-check";

    /**
     * Reports whether the dependency-check report can be produced for this
     * project: the mojo settings must load, and at least one project artifact
     * must fall outside the scope-exclusion filter.
     * <p>
     * NOTE(review): a failure in {@link #populateSettings()} is swallowed and
     * simply hides the report from the site; nothing is logged, so a
     * misconfiguration silently disables the vulnerability report. Consider
     * surfacing that failure before returning {@code false}.
     *
     * @return {@code true} if the report can be generated; otherwise
     * {@code false}
     */
    @Override
    public boolean canGenerateReport() {
        try {
            populateSettings();
        } catch (MojoExecutionException | MojoFailureException ignored) {
            // Settings could not be loaded: the report is not offered at all.
            return false;
        }
        // A single artifact whose scope is not caught by the exclusion filter
        // (presumably: not an excluded scope - see BaseDependencyCheckMojo) is
        // enough to warrant generating the report.
        for (final Artifact artifact : getProject().getArtifacts()) {
            if (!getArtifactScopeExcluded().passes(artifact.getScope())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the report name as configured via the {@code name} parameter.
     *
     * @param locale the locale; unused, the name is not localised
     * @return the report name
     */
    @Override
    public String getName(Locale locale) {
        return name;
    }

    /**
     * Returns the description of the Dependency-Check report shown on the
     * Maven Generated Reports page.
     *
     * @param locale the locale; unused, the description is not localised
     * @return the description
     */
    @Override
    public String getDescription(Locale locale) {
        return REPORT_DESCRIPTION;
    }

    /**
     * Scans the dependencies of the project this mojo executes against by
     * delegating to the inherited artifact scan.
     *
     * @param engine the engine used to perform the scanning
     * @return a collection of exceptions
     * @throws MojoExecutionException thrown if a fatal exception occurs
     */
    @Override
    protected ExceptionCollection scanDependencies(final Engine engine) throws MojoExecutionException {
        return scanArtifacts(getProject(), engine);
    }

    /**
     * Scans the plugins of the project this mojo executes against by
     * delegating to the inherited plugin scan.
     *
     * @param engine the engine used to perform the scanning
     * @param exCollection the collection of exceptions that might have occurred
     * previously
     * @return a collection of exceptions
     * @throws MojoExecutionException thrown if a fatal exception occurs
     */
    @Override
    protected ExceptionCollection scanPlugins(final Engine engine, final ExceptionCollection exCollection) throws MojoExecutionException {
        return scanPlugins(getProject(), engine, exCollection);
    }

}
127 }