#155 add failOnDetection plugin configuration to generate report with…

…out failing build
sonatype-nexus-community · Apr 26, 2024 · d8cfdde · d8cfdde
1 parent b0d8252
commit d8cfdde
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -68,7 +68,7 @@ plugins {
 }
 ```
 
-Some basic examples will be provided next, which we strongly advice to read :)
+Some basic examples follow, which we strongly advise reading :)
 
 After doing so, specific usage on CI tools can be found at https://github.com/guillermo-varela/example-scan-gradle-plugin
 
@@ -103,6 +103,10 @@ ossIndexAudit {
     excludeVulnerabilityIds = ['39d74cc8-457a-4e57-89ef-a258420138c5'] // list containing ids of vulnerabilities to be ignored
     excludeCoordinates = ['commons-fileupload:commons-fileupload:1.3'] // list containing coordinate of components which if vulnerable should be ignored
 
+    // By default, the audit scan will fail the task/build if any vulnerabilities are found.
+    // Set this to 'false' to allow the task to succeed even when vulnerabilities are detected.
+    failOnDetection = true
+
     // Output options
     outputFormat = 'DEFAULT' // Optional, other values are: 'DEPENDENCY_GRAPH' prints dependency graph showing direct/transitive dependencies, 'JSON_CYCLONE_DX_1_4' prints a CycloneDX 1.4 SBOM in JSON format.
     cycloneDxComponentType = 'LIBRARY' // Optional, only used when outputFormat = 'JSON_CYCLONE_DX_1_4' to define the type of component this project is for the BOM metadata with possible values: 'LIBRARY' (default), 'APPLICATION', 'FRAMEWORK', 'CONTAINER', 'OPERATING_SYSTEM', 'DEVICE', 'FIRMWARE' and 'FILE'.
@@ -142,6 +146,10 @@ ossIndexAudit {
     excludeCoordinates =
         listOf("commons-fileupload:commons-fileupload:1.3") // list containing coordinate of components which if vulnerable should be ignored
 
+    // By default, the audit scan will fail the task/build if any vulnerabilities are found.
+    // Set this to 'false' to allow the task to succeed even when vulnerabilities are detected.
+    failOnDetection = true
+
     // Output options
     outputFormat = "DEFAULT" // Optional, other values are: "DEPENDENCY_GRAPH" prints dependency graph showing direct/transitive dependencies, "JSON_CYCLONE_DX_1_4" prints a CycloneDX 1.4 SBOM in JSON format.
     cycloneDxComponentType = "LIBRARY" // Optional, only used when outputFormat = "JSON_CYCLONE_DX_1_4" to define the type of component this project is for the BOM metadata with possible values: "LIBRARY" (default), "APPLICATION", "FRAMEWORK", "CONTAINER", "OPERATING_SYSTEM", "DEVICE", "FIRMWARE" and "FILE".

diff --git a/src/main/java/org/sonatype/gradle/plugins/scan/ossindex/OssIndexAuditTask.java b/src/main/java/org/sonatype/gradle/plugins/scan/ossindex/OssIndexAuditTask.java
@@ -121,7 +121,7 @@ public void audit() {
       throw new GradleException("Could not audit the project: " + e.getMessage(), e);
     }
 
-    if (hasVulnerabilities) {
+    if (hasVulnerabilities && extension.isFailOnDetection()) {
       throw new GradleException("Vulnerabilities detected, check log output to review them");
     }
   }

diff --git a/src/main/java/org/sonatype/gradle/plugins/scan/ossindex/OssIndexPluginExtension.java b/src/main/java/org/sonatype/gradle/plugins/scan/ossindex/OssIndexPluginExtension.java
@@ -63,6 +63,8 @@ public class OssIndexPluginExtension
 
   private boolean printBanner;
 
+  private boolean failOnDetection;
+
   private Set<String> excludeVulnerabilityIds;
 
   private Set<String> excludeCoordinates;
@@ -84,6 +86,7 @@ public OssIndexPluginExtension(Project project) {
     colorEnabled = true;
     showAll = false;
     printBanner = true;
+    failOnDetection = true;
     excludeVulnerabilityIds = new HashSet<>();
     excludeCoordinates = new HashSet<>();
     outputFormat = OutputFormat.DEFAULT;
@@ -212,6 +215,14 @@ public void setPrintBanner(boolean printBanner) {
     this.printBanner = printBanner;
   }
 
+  public boolean isFailOnDetection() {
+    return failOnDetection;
+  }
+
+  public void setFailOnDetection(boolean failOnDetection) {
+    this.failOnDetection = failOnDetection;
+  }
+
   public Set<String> getExcludeVulnerabilityIds() {
     return excludeVulnerabilityIds;
   }

diff --git a/src/test/java/org/sonatype/gradle/plugins/scan/ossindex/OssIndexAuditTaskTest.java b/src/test/java/org/sonatype/gradle/plugins/scan/ossindex/OssIndexAuditTaskTest.java
@@ -44,6 +44,7 @@
 import org.mockito.junit.MockitoJUnitRunner;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatCode;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.gradle.api.plugins.JavaPlugin.COMPILE_CLASSPATH_CONFIGURATION_NAME;
 import static org.mockito.ArgumentMatchers.anyList;
@@ -91,6 +92,16 @@ public void testAudit_vulnerabilities() throws Exception {
     verify(ossIndexClientMock).requestComponentReports(eq(Collections.singletonList(COMMONS_COLLECTIONS_PURL)));
   }
 
+  @Test
+  public void testAudit_vulnerabilitiesNoFailOnDetection() throws Exception {
+    setupComponentReport(true);
+    OssIndexAuditTask taskSpy = buildAuditTaskSpy(false, (project, extension) -> extension.setFailOnDetection(false));
+
+    assertThatCode(taskSpy::audit).doesNotThrowAnyException();
+
+    verify(ossIndexClientMock).requestComponentReports(eq(Collections.singletonList(COMMONS_COLLECTIONS_PURL)));
+  }
+
   @Test
   public void testAudit_verifyModulesIncludedIsApplied() throws Exception {
     setupComponentReport(true);