From commits-return-1065-archive-asf-public=cust-asf.ponee.io@yetus.apache.org Wed May 9 19:40:54 2018 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id AF61E180649 for ; Wed, 9 May 2018 19:40:53 +0200 (CEST) Received: (qmail 20367 invoked by uid 500); 9 May 2018 17:40:52 -0000 Mailing-List: contact commits-help@yetus.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@yetus.apache.org Delivered-To: mailing list commits@yetus.apache.org Received: (qmail 20357 invoked by uid 99); 9 May 2018 17:40:52 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 09 May 2018 17:40:52 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id B6A7CE00EB; Wed, 9 May 2018 17:40:52 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: busbey@apache.org To: commits@yetus.apache.org Message-Id: <78c92762b69e4970b6ddd47115040918@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: yetus git commit: YETUS-441 Add a plugin that uses OWASP's dependency-check tool. [Forced Update!] Date: Wed, 9 May 2018 17:40:52 +0000 (UTC) Repository: yetus Updated Branches: refs/heads/YETUS-441 154361595 -> 37dc89c33 (forced update) YETUS-441 Add a plugin that uses OWASP's dependency-check tool. * precommit plugin 'dependency_check' for maven or cli if given * jenkins job that will handle updating a cached vulnerability database Project: http://git-wip-us.apache.org/repos/asf/yetus/repo Commit: http://git-wip-us.apache.org/repos/asf/yetus/commit/37dc89c3 Tree: http://git-wip-us.apache.org/repos/asf/yetus/tree/37dc89c3 Diff: http://git-wip-us.apache.org/repos/asf/yetus/diff/37dc89c3 Branch: refs/heads/YETUS-441 Commit: 37dc89c33caa6fd6f174a5913e3cf3e055c5f481 Parents: e56ba29 Author: Sean Busbey Authored: Wed May 2 11:36:37 2018 -0500 Committer: Sean Busbey Committed: Wed May 9 10:40:18 2018 -0700 ---------------------------------------------------------------------- precommit/core.d/00-yetuslib.sh | 28 ++ .../jenkins/owasp-dependency-check-cache.sh | 96 +++++ precommit/test-patch.d/dependency-check.sh | 361 +++++++++++++++++++ 3 files changed, 485 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/yetus/blob/37dc89c3/precommit/core.d/00-yetuslib.sh ---------------------------------------------------------------------- diff --git a/precommit/core.d/00-yetuslib.sh b/precommit/core.d/00-yetuslib.sh index 983dfe6..fbdb70d 100755 --- a/precommit/core.d/00-yetuslib.sh +++ b/precommit/core.d/00-yetuslib.sh 
@@ -293,6 +293,34 @@ function yetus_add_array_element fi } +## @description return the array index of given element +## @audience public +## @stability stable +## @replaceable yes +## @param arrayname +## @param element +## @returns 0 found +## @returns 1 not found +## @returns stdout array index +function yetus_array_index_of +{ + local arr_name=$1 + local needle=$2 + # shellcheck disable=SC2016 + local -a 'arr_keys=("${!'"$1"'[@]}")' + local entry + + # shellcheck disable=SC2154 + for entry in "${arr_keys[@]}"; do + local valueref="${arr_name}[${entry}]" + if [[ "${!valueref}" = "${needle}" ]]; then + echo "${entry}" + return 0 + fi + done + return 1 +} + ## @description Sort an array by its elements ## @audience public ## @stability stable http://git-wip-us.apache.org/repos/asf/yetus/blob/37dc89c3/precommit/jenkins/owasp-dependency-check-cache.sh ---------------------------------------------------------------------- diff --git a/precommit/jenkins/owasp-dependency-check-cache.sh b/precommit/jenkins/owasp-dependency-check-cache.sh new file mode 100755 index 0000000..1185312 --- /dev/null +++ b/precommit/jenkins/owasp-dependency-check-cache.sh 
@@ -0,0 +1,96 @@ +#!/usr/bin/env bash +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# no shelldocs required from this file +# SHELLDOC-IGNORE + +# Make sure that bash version meets the pre-requisite + +if [[ -z "${BASH_VERSINFO[0]}" ]] \ + || [[ "${BASH_VERSINFO[0]}" -lt 3 ]] \ + || [[ "${BASH_VERSINFO[0]}" -eq 3 && "${BASH_VERSINFO[1]}" -lt 2 ]]; then + echo "bash v3.2+ is required. Sorry." + exit 1 +fi + +INSTALL_URL_DEFAULT="http://dl.bintray.com/jeremy-long/owasp/dependency-check-3.1.2-release.zip" + +set -e +function usage { + echo "Usage: ${0} [options] /path/to/data/cache/directory" + echo "" + echo " --dependency-check /path/to/exec Optionally point to 'dependency-check' cli." + echo " --install /path/to/dir download and cache dependency-check cli." + echo " --install-url url where the cli download is." + echo " default: ${INSTALL_URL_DEFAULT}" + echo " --verbose /path/to/log log verbose debug information at given path." + echo " --help show this usage message." 
+ exit 1 +} +# if no args specified, show usage +if [ $# -lt 1 ]; then + usage +fi + +# Get arguments +declare dependency_check +declare install +declare install_url="${INSTALL_URL_DEFAULT}" +declare cache_dir +declare -a verbose +while [ $# -gt 0 ] +do + case "$1" in + --dependency-check) shift; dependency_check=$1; shift;; + # make this an absolute path + --install) shift; install="$(cd "$(dirname "$1")"; pwd)/$(basename "$1")"; shift;; + --install-url) shift; install_url=$1; shift;; + --verbose) shift; verbose=(--log "$(cd "$(dirname "$1")"; pwd)/$(basename "$1")"); shift;; + --) shift; break;; + -*) usage ;; + *) break;; # terminate while loop + esac +done + +# Should still have the required arg +if [ $# -lt 1 ]; then + usage +fi +# Absolute path +cache_dir="$(cd "$(dirname "$1")"; pwd)/$(basename "$1")" + +# If we didn't point to an exec, check for install cache +if [ -z "${dependency_check}" ] && [ -n "${install}" ]; then + # if we have things cached, just point at it otherwise do an install + if [ ! -x "${install}/dependency-check/bin/dependency-check.sh" ]; then + if [ ! -d "${install}" ]; then + mkdir "${install}" + fi + echo "Downloading '${install_url}' to '${install}'" >&2 + curl --location -o "${install}/dependency-check.zip" "${install_url}" + unzip "${install}/dependency-check.zip" -d "${install}" + rm -f "${install}/dependency-check.zip" + fi + dependency_check="${install}/dependency-check/bin/dependency-check.sh" +fi + +# if we don't point at something by now, give the path a try +if [ -z "${dependency_check}" ]; then + dependency_check=$(which dependency-check) +fi +echo "Dependency check CLI version: $("${dependency_check}" --version)" +"${dependency_check}" --updateonly --data "${cache_dir}" "${verbose[@]}" +echo "Done updating cache in '${cache_dir}'" http://git-wip-us.apache.org/repos/asf/yetus/blob/37dc89c3/precommit/test-patch.d/dependency-check.sh ---------------------------------------------------------------------- 
diff --git a/precommit/test-patch.d/dependency-check.sh b/precommit/test-patch.d/dependency-check.sh new file mode 100644 index 0000000..11629cc --- /dev/null +++ b/precommit/test-patch.d/dependency-check.sh 
@@ -0,0 +1,361 @@ +#!/usr/bin/env bash +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# SHELLDOC-IGNORE + +DEPENDENCY_CHECK_ARGS=() +DEPENDENCY_CHECK_SUPPRESSION_FILES=() +DEPENDENCY_CHECK_EXCLUDES_PATTERNS=() +DEPENDENCY_CHECK_TIMER="0" +DEPENDENCY_CHECK_SEVERITIES=("High" "Medium" "Low") +DEPENDENCY_CHECK_SEVERITY="${DEPENDENCY_CHECK_SEVERITIES[0]}" +DEPENDENCY_CHECK_UPDATE=true +DEPENDENCY_CHECK_EXPERIMENTAL=false +DEPENDENCY_CHECK_MAVEN_GOAL=check + +add_test_type dependency_check + +## @audience private +function dependency_check_usage +{ + yetus_add_option "--dependency-check=" "path to the dependency-check executable" + yetus_add_option "--dependency-check-severity-threshold=" "ignore findings with a 'highest severity' lower than this. default: ${DEPENDENCY_CHECK_SEVERITY}" + yetus_add_option "--dependency-check-suppression=" "path(s) to suppression XML file(s). see https://s.apache.org/ahw7" + yetus_add_option "--dependency-check-excludes=" "list of ant style exclusions" + yetus_add_option "--dependency-check-experimental" "enable experimental analyzers." 
+ yetus_add_option "--dependency-check-no-updates" "suppress updates of CVE information" + yetus_add_option "--dependency-check-data-file=" "path to local H2 database" + yetus_add_option "--dependency-check-db-connection-string=" "iff shared db, jdbs connection string" + yetus_add_option "--dependency-check-db-driver-name=" "iff shared db, jdbc driver name" + yetus_add_option "--dependency-check-db-driver-jar=" "iff shared db, driver jar path" + yetus_add_option "--dependency-check-db-username=" "iff shared db, username" + yetus_add_option "--dependency-check-db-password=" "iff shared db, password" + yetus_add_option "--dependency-check-maven-goal=" "iff maven build, the plugin goal to use. default: ${DEPENDENCY_CHECK_MAVEN_GOAL}" +} + +## @audience private +function dependency_check_parse_args +{ + declare i + + for i in "$@"; do + case ${i} in + --dependency-check=*) + DEPENDENCY_CHECK=${i#*=} + ;; + --dependency-check-severity-threshold=*) + DEPENDENCY_CHECK_SEVERITY=${i#*=} + ;; + --dependency-check-suppression=*) + yetus_comma_to_array DEPENDENCY_CHECK_SUPPRESSION_FILES "${i#*=}" + ;; + --dependency-check-excludes=*) + yetus_comma_to_array DEPENDENCY_CHECK_EXCLUDES_PATTERNS "${i#*=}" + ;; + --dependency-check-experimental) + DEPENDENCY_CHECK_EXPERIMENTAL=true + ;; + --dependency-check-no-updates) + DEPENDENCY_CHECK_UPDATE=false + ;; + --dependency-check-data-file=*) + DEPENDENCY_CHECK_DATA_FILE=${i#*=} + ;; + --dependency-check-db-connection-string=*) + DEPENDENCY_CHECK_DB_CONNECTION=${i#*=} + ;; + --dependency-check-db-driver-name=*) + DEPENDENCY_CHECK_DB_DRIVER=${i#*=} + ;; + --dependency-check-db-driver-jar=*) + DEPENDENCY_CHECK_DB_DRIVER_JAR=${i#*=} + ;; + --dependency-check-db-username=*) + DEPENDENCY_CHECK_DB_USER=${i#*=} + ;; + --dependency-check-db-password=*) + DEPENDENCY_CHECK_DB_PASSWORD=${i#*=} + ;; + --dependency-check-maven-goal=*) + DEPENDENCY_CHECK_MAVEN_GOAL=${i#*=} + ;; + esac + done + +} + +## @audience private +function 
dependency_check_filefilter +{ + declare filename=$1 + + case ${BUILDTOOL} in + maven) + if [[ $(unknown) =~ pom\.xml$ ]]; then + yetus_debug "tests/dependency_check: $(unknown)" + add_test dependency_check + fi + ;; + *) + add_test dependency_check + ;; + esac +} + +## @audience private +function dependency_check_precheck +{ + declare dependency_check_version + + if ! yetus_array_contains "${DEPENDENCY_CHECK_SEVERITY}" "${DEPENDENCY_CHECK_SEVERITIES[@]}" ; then + yetus_error "Dependency check doesn't know about severity level '${DEPENDENCY_CHECK_SEVERITY}'" + return 1 + fi + + case ${BUILDTOOL} in + maven) + if [ "${#DEPENDENCY_CHECK_EXCLUDES_PATTERNS[@]}" -gt 0 ]; then + yetus_error "dependency_check: The maven plugin doesn't support exclusion patterns." + return 1 + fi + ;; + *) + if ! verify_command "dependency_check" "${DEPENDENCY_CHECK}"; then + add_vote_table 0 dependency_check "dependency-check was not available." + delete_test dependency_check + return 0 + fi + ;; + esac + + # Can't give both data file and db connection info + if [ -n "${DEPENDENCY_CHECK_DATA_FILE}" ] && [ -n "${DEPENDENCY_CHECK_DB_CONNECTION}" ]; then + yetus_debug "Both a local datafile and an external db were given on the cli, behavior of dependency-check isn't well defined." + fi + + # finally let folks know what version they'll be dealing with. + dependency_check_version=$(${DEPENDENCY_CHECK} --noupdate --version 2>/dev/null | head -n 1 2>/dev/null) + add_footer_table dependency_check "version: ${dependency_check_version}" +} + +## @audience private +function dependency_check_initialize +{ + local -a filtered_severities + local -i severity_threshold + severity_threshold=$(yetus_array_index_of "DEPENDENCY_CHECK_SEVERITIES" "${DEPENDENCY_CHECK_SEVERITY}") + yetus_debug "Looking for severities in our list ranked up to ${severity_threshold}" + for key in "${!DEPENDENCY_CHECK_SEVERITIES[@]}"; do + if [ ! 
"${key}" -gt "${severity_threshold}" ]; then + filtered_severities=("${filtered_severities[@]}" "${DEPENDENCY_CHECK_SEVERITIES[${key}]}") + fi + done + yetus_debug "Given severity threshold of '${DEPENDENCY_CHECK_SEVERITY}' we'll look for: ${filtered_severities[*]}" + # The quotes here are important, because we want to match an entire CSV record + IFS=" " read -r -a DEPENDENCY_CHECK_LOG_FILTERS <<< "$(printf -- '-e "%s" ' "${filtered_severities[@]}")" + + case ${BUILDTOOL} in + maven) + if [[ "${DEPENDENCY_CHECK_EXPERIMENTAL}" = "true" ]]; then + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "-DenableExperimental=true") + fi + if [[ "${DEPENDENCY_CHECK_UPDATE}" = "false" ]] || [[ "${OFFLINE}" == "true" ]]; then + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "-DautoUpdate=false") + fi + if [[ "${OFFLINE}" == "true" ]]; then + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "-DcentralAnalyzerEnabled=false") + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "-DnexusAnalyzerEnabled=false") + fi + if [ -n "${DEPENDENCY_CHECK_DATA_FILE}" ]; then + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "-DdataDirectory=${DEPENDENCY_CHECK_DATA_FILE}") + fi + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "-Dformat=ALL") + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "-DversionCheckEnabled=false") + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "-DskipProvidedScope=true") + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "-DskipSystemScope=true") + if [ "${#DEPENDENCY_CHECK_SUPPRESSION_FILES[@]}" -gt 0 ]; then + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "-DsuppressionFiles=$(printf -- "%s," "${DEPENDENCY_CHECK_SUPPRESSION_FILES[@]}")") + fi + if [ -n "${DEPENDENCY_CHECK_DB_CONNECTION}" ]; then + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "-DconnectionString=${DEPENDENCY_CHECK_DB_CONNECTION}") + if [ -n "${DEPENDENCY_CHECK_DB_DRIVER}" ]; then + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" 
"-DdatabaseDriverName=${DEPENDENCY_CHECK_DB_DRIVER}") + fi + if [ -n "${DEPENDENCY_CHECK_DB_DRIVER_JAR}" ]; then + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "-DdatabaseDriverPath=${DEPENDENCY_CHECK_DB_DRIVER_JAR}") + fi + if [ -n "${DEPENDENCY_CHECK_DB_USER}" ]; then + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "-DdatabaseUser=${DEPENDENCY_CHECK_DB_USER}") + fi + if [ -n "${DEPENDENCY_CHECK_DB_PASSWORD}" ]; then + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "-DdatabasePassword=${DEPENDENCY_CHECK_DB_PASSWORD}") + fi + fi + ;; + *) + if [[ "${DEPENDENCY_CHECK_EXPERIMENTAL}" = "true" ]]; then + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" --enableExperimental) + fi + if [[ "${DEPENDENCY_CHECK_UPDATE}" = "false" ]] || [[ "${OFFLINE}" == "true" ]]; then + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" --noupdate) + fi + if [[ "${OFFLINE}" == "true" ]]; then + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" --disableCentral) + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" --disableNexus) + fi + if [ -n "${DEPENDENCY_CHECK_DATA_FILE}" ]; then + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" --data "${DEPENDENCY_CHECK_DATA_FILE}") + fi + + if [ -n "${DEPENDENCY_CHECK_DB_CONNECTION}" ]; then + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" --connectionString "${DEPENDENCY_CHECK_DB_CONNECTION}") + if [ -n "${DEPENDENCY_CHECK_DB_DRIVER}" ]; then + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" --dbDriverName "${DEPENDENCY_CHECK_DB_DRIVER}") + fi + if [ -n "${DEPENDENCY_CHECK_DB_DRIVER_JAR}" ]; then + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" --dbDriverPath "${DEPENDENCY_CHECK_DB_DRIVER_JAR}") + fi + if [ -n "${DEPENDENCY_CHECK_DB_USER}" ]; then + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" --dbUser "${DEPENDENCY_CHECK_DB_USER}") + fi + if [ -n "${DEPENDENCY_CHECK_DB_PASSWORD}" ]; then + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" --dbPassword 
"${DEPENDENCY_CHECK_DB_PASSWORD}") + fi + fi + + if [ "${#DEPENDENCY_CHECK_SUPPRESSION_FILES[@]}" -gt 0 ]; then + local -a suppressions + IFS=" " read -r -a suppressions <<< "$(printf -- "--suppression '%s' " "${DEPENDENCY_CHECK_SUPPRESSION_FILES[@]}")" + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "${suppressions[@]}") + fi + if [ "${#DEPENDENCY_CHECK_EXCLUDES_PATTERNS[@]}" -gt 0 ]; then + local -a excludes + IFS=" " read -r -a excludes <<< "$(printf -- "--exclude '%s' " "${DEPENDENCY_CHECK_EXCLUDES_PATTERNS[@]}")" + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "${excludes[@]}") + fi + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" --format ALL) + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" --project "${PROJECT_NAME}") + if [ -n "${BASEDIR}" ]; then + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" --scan "${BASEDIR}") + else + DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" --scan ".") + fi + ;; + esac + + +} + +## @audience private +function dependency_check_logfilter +{ + declare input=$1 + declare output=$2 + + # TODO we should be parsing CSV columns properly + yetus_debug "dependency_check: filtering out lines based on severities with '${DEPENDENCY_CHECK_LOG_FILTERS[*]}'" + + "${GREP}" "${DEPENDENCY_CHECK_LOG_FILTERS[@]}" "${input}" > "${output}" + +} + +## @audience private +function dependency_check_postcompile +{ + declare repostatus=$1 + declare reports="dependency_check_${repostatus}.reports" + if ! verify_needed_test dependency_check; then + return 0 + fi + + big_console_header "Determining number of dependency concerns (${repostatus})" + + start_clock + + # Add our previously calculated time + if [[ "${repostatus}" != branch ]]; then + offset_clock "${DEPENDENCY_CHECK_TIMER}" + fi + + mkdir "${PATCH_DIR}/${reports}" + + case ${BUILDTOOL} in + maven) + # invoke on a specific version, because older ones don't support options we need + # like CSV report output. 
+ # shellcheck disable=2046 + echo_and_redirect "${PATCH_DIR}/dependency_check_${repostatus}.log" \ + $(maven_executor) --batch-mode "${DEPENDENCY_CHECK_ARGS[@]}" \ + "org.owasp:dependency-check-maven:3.1.2:${DEPENDENCY_CHECK_MAVEN_GOAL}" + + if [ ! -f "${BASEDIR:-.}/target/dependency-check-report.csv" ]; then + yetus_debug "maven goal did not generate csv report" + add_vote_table 0 dependency_check "${BUILDMODEMSG} maven goal did not generate needed report" + return 1 + fi + # TODO get the plugin to allow configuring the output directory to something other than the project build dir. + # TODO maybe use the archive functionality here? + mv "${BASEDIR:-.}/target/dependency-check-"*{csv,html,json,xml} "${PATCH_DIR}/${reports}/" + ;; + *) + echo_and_redirect "${PATCH_DIR}/dependency_check_${repostatus}.log" \ + "${DEPENDENCY_CHECK}" "${DEPENDENCY_CHECK_ARGS[@]}" \ + --log "${PATCH_DIR}/dependency_check_${repostatus}.verbose.log" \ + --out "${PATCH_DIR}/${reports}" + ;; + esac + + generic_logfilter dependency_check \ + "${PATCH_DIR}/${reports}/dependency-check-report.csv" \ + "${PATCH_DIR}/dependency_check_${repostatus}_filtered.csv" + + if [[ "${repostatus}" = branch ]]; then + DEPENDENCY_CHECK_TIMER=$(stop_clock) + else + # shellcheck disable=SC2016 + numPostpatch=$(wc -l < "${PATCH_DIR}/dependency_check_patch_filtered.csv") + + # iff the branch report doesn't already exist, we must be in a qbt build via --empty-patch + if [ -f "${PATCH_DIR}/dependency_check_branch_filtered.csv" ]; then + calcdiffs \ + "${PATCH_DIR}/dependency_check_branch_filtered.csv" \ + "${PATCH_DIR}/dependency_check_patch_filtered.csv" \ + dependency_check \ + > "${PATCH_DIR}/diff-dependency-check.csv" + diffPostpatch=$(wc -l < "${PATCH_DIR}/diff-dependency-check.csv") + + # shellcheck disable=SC2016 + numPrepatch=$(wc -l < "${PATCH_DIR}/dependency_check_branch_filtered.csv") + else + numPrepatch=0 + diffPostpatch="${numPostpatch}" + cp "${PATCH_DIR}/dependency_check_patch_filtered.csv" \ + 
"${PATCH_DIR}/diff-dependency-check.csv" + fi + + statstring=$(generic_calcdiff_status "${numPrepatch}" "${numPostpatch}" "${diffPostpatch}" ) + + if [[ ${diffPostpatch} -gt 0 ]] ; then + add_vote_table -1 dependency_check "${BUILDMODEMSG} ${statstring}" + add_footer_table dependency_check "@@BASE@@/diff-dependency-check.csv" + return 1 + fi + + add_vote_table +1 dependency_check "${BUILDMODEMSG} ${statstring}" + fi + return 0 +} +