From d8cfdded17fbed5e63d5b77f8f1e0904454a9449 Mon Sep 17 00:00:00 2001 From: Sean Gilhooly Date: Fri, 26 Apr 2024 21:15:13 +0000 Subject: [PATCH] #155 add failOnDetection plugin configuration to generate report without failing build --- README.md | 10 +++++++++- .../plugins/scan/ossindex/OssIndexAuditTask.java | 2 +- .../scan/ossindex/OssIndexPluginExtension.java | 11 +++++++++++ .../plugins/scan/ossindex/OssIndexAuditTaskTest.java | 11 +++++++++++ 4 files changed, 32 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a6feefc..7f5b876 100644 --- a/README.md +++ b/README.md @@ -68,7 +68,7 @@ plugins { } ``` -Some basic examples will be provided next, which we strongly advice to read :) +Some basic examples follow, which we strongly advise reading :) After doing so, specific usage on CI tools can be found at https://github.com/guillermo-varela/example-scan-gradle-plugin @@ -103,6 +103,10 @@ ossIndexAudit { excludeVulnerabilityIds = ['39d74cc8-457a-4e57-89ef-a258420138c5'] // list containing ids of vulnerabilities to be ignored excludeCoordinates = ['commons-fileupload:commons-fileupload:1.3'] // list containing coordinate of components which if vulnerable should be ignored + // By default, the audit scan will fail the task/build if any vulnerabilities are found. + // Set this to 'false' to allow the task to succeed even when vulnerabilities are detected. + failOnDetection = true + // Output options outputFormat = 'DEFAULT' // Optional, other values are: 'DEPENDENCY_GRAPH' prints dependency graph showing direct/transitive dependencies, 'JSON_CYCLONE_DX_1_4' prints a CycloneDX 1.4 SBOM in JSON format. cycloneDxComponentType = 'LIBRARY' // Optional, only used when outputFormat = 'JSON_CYCLONE_DX_1_4' to define the type of component this project is for the BOM metadata with possible values: 'LIBRARY' (default), 'APPLICATION', 'FRAMEWORK', 'CONTAINER', 'OPERATING_SYSTEM', 'DEVICE', 'FIRMWARE' and 'FILE'. 
@@ -142,6 +146,10 @@ ossIndexAudit { excludeCoordinates = listOf("commons-fileupload:commons-fileupload:1.3") // list containing coordinate of components which if vulnerable should be ignored + // By default, the audit scan will fail the task/build if any vulnerabilities are found. + // Set this to 'false' to allow the task to succeed even when vulnerabilities are detected. + failOnDetection = true + // Output options outputFormat = "DEFAULT" // Optional, other values are: "DEPENDENCY_GRAPH" prints dependency graph showing direct/transitive dependencies, "JSON_CYCLONE_DX_1_4" prints a CycloneDX 1.4 SBOM in JSON format. cycloneDxComponentType = "LIBRARY" // Optional, only used when outputFormat = "JSON_CYCLONE_DX_1_4" to define the type of component this project is for the BOM metadata with possible values: "LIBRARY" (default), "APPLICATION", "FRAMEWORK", "CONTAINER", "OPERATING_SYSTEM", "DEVICE", "FIRMWARE" and "FILE". diff --git a/src/main/java/org/sonatype/gradle/plugins/scan/ossindex/OssIndexAuditTask.java b/src/main/java/org/sonatype/gradle/plugins/scan/ossindex/OssIndexAuditTask.java index 80dffc9..304ba56 100644 --- a/src/main/java/org/sonatype/gradle/plugins/scan/ossindex/OssIndexAuditTask.java +++ b/src/main/java/org/sonatype/gradle/plugins/scan/ossindex/OssIndexAuditTask.java @@ -121,7 +121,7 @@ public void audit() { throw new GradleException("Could not audit the project: " + e.getMessage(), e); } - if (hasVulnerabilities) { + if (hasVulnerabilities && extension.isFailOnDetection()) { throw new GradleException("Vulnerabilities detected, check log output to review them"); } } diff --git a/src/main/java/org/sonatype/gradle/plugins/scan/ossindex/OssIndexPluginExtension.java b/src/main/java/org/sonatype/gradle/plugins/scan/ossindex/OssIndexPluginExtension.java index 9a16bc7..f629a00 100644 --- a/src/main/java/org/sonatype/gradle/plugins/scan/ossindex/OssIndexPluginExtension.java 
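Review bot: With `failOnDetection` set to false, the new condition `if (hasVulnerabilities && extension.isFailOnDetection())` lets a vulnerable build succeed with no explicit signal beyond the report already printed, so a CI job that only inspects the task outcome loses the finding. I would add a warning branch so the suppressed failure is still visible in the build log, e.g. `} else if (hasVulnerabilities) { getLogger().warn("Vulnerabilities detected but failOnDetection is false; the task will not fail"); }` after the existing `if`. The `audit()` method starts outside the hunk, so I am assuming `extension` is the task's field holding the `OssIndexPluginExtension` and that the task inherits Gradle's `getLogger()`.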
+++ b/src/main/java/org/sonatype/gradle/plugins/scan/ossindex/OssIndexPluginExtension.java @@ -63,6 +63,8 @@ public class OssIndexPluginExtension private boolean printBanner; + private boolean failOnDetection; + private Set excludeVulnerabilityIds; private Set excludeCoordinates; @@ -84,6 +86,7 @@ public OssIndexPluginExtension(Project project) { colorEnabled = true; showAll = false; printBanner = true; + failOnDetection = true; excludeVulnerabilityIds = new HashSet<>(); excludeCoordinates = new HashSet<>(); outputFormat = OutputFormat.DEFAULT; @@ -212,6 +215,14 @@ public void setPrintBanner(boolean printBanner) { this.printBanner = printBanner; } + public boolean isFailOnDetection() { + return failOnDetection; + } + + public void setFailOnDetection(boolean failOnDetection) { + this.failOnDetection = failOnDetection; + } + public Set getExcludeVulnerabilityIds() { return excludeVulnerabilityIds; } diff --git a/src/test/java/org/sonatype/gradle/plugins/scan/ossindex/OssIndexAuditTaskTest.java b/src/test/java/org/sonatype/gradle/plugins/scan/ossindex/OssIndexAuditTaskTest.java index eaf26a0..836e587 100644 --- a/src/test/java/org/sonatype/gradle/plugins/scan/ossindex/OssIndexAuditTaskTest.java +++ b/src/test/java/org/sonatype/gradle/plugins/scan/ossindex/OssIndexAuditTaskTest.java @@ -44,6 +44,7 @@ import org.mockito.junit.MockitoJUnitRunner; import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatCode; import static org.assertj.core.api.Assertions.assertThatThrownBy; import static org.gradle.api.plugins.JavaPlugin.COMPILE_CLASSPATH_CONFIGURATION_NAME; import static org.mockito.ArgumentMatchers.anyList; 
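Review bot: The new accessors `isFailOnDetection()` and `setFailOnDetection(boolean)` in the `@@ -212` hunk carry no Javadoc, and since this is the user-facing extension API the consequence of `false` (the report is still produced but the task no longer fails) is only documented in the README. I would add a short Javadoc on the getter such as `/** Whether detected vulnerabilities fail the task; defaults to {@code true}. When {@code false} the report is still produced but the build succeeds. */`, which also makes the safe default set in the `@@ -84` constructor hunk (`failOnDetection = true;`) explicit to readers of the class. If the other accessors in this class are undocumented, a line comment on the field in the `@@ -63` hunk would serve the same purpose.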
@@ -91,6 +92,16 @@ public void testAudit_vulnerabilities() throws Exception { verify(ossIndexClientMock).requestComponentReports(eq(Collections.singletonList(COMMONS_COLLECTIONS_PURL))); } + @Test + public void testAudit_vulnerabilitiesNoFailOnDetection() throws Exception { + setupComponentReport(true); + OssIndexAuditTask taskSpy = buildAuditTaskSpy(false, (project, extension) -> extension.setFailOnDetection(false)); + + assertThatCode(taskSpy::audit).doesNotThrowAnyException(); + + verify(ossIndexClientMock).requestComponentReports(eq(Collections.singletonList(COMMONS_COLLECTIONS_PURL))); + } + @Test public void testAudit_verifyModulesIncludedIsApplied() throws Exception { setupComponentReport(true);
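Review bot: `testAudit_vulnerabilitiesNoFailOnDetection` only proves that `audit()` does not throw and that the component report was requested; it would still pass if a later change skipped printing the report entirely when `failOnDetection` is false, which is the behaviour the option exists to preserve. If the suite has a way to capture task output (I cannot tell from the hunk), an assertion that the vulnerability report was still emitted would pin that contract; otherwise a one-line comment such as `// the report must still be produced; only the task failure is suppressed` states the intent. The existing `testAudit_vulnerabilities` presumably covers the default-true path, so no separate default test seems needed.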