dependency-check · Reamer · Mar 29, 2019 · Mar 25, 2019
diff --git a/examples/multi-module-maven-runner/README.md b/examples/multi-module-maven-runner/README.md
@@ -7,7 +7,7 @@ Usage
 -------------------
 
 ```
-mvn clean package dependency-check:check
+mvn clean package dependency-check:aggregate
 mvn sonar:sonar
 ```
 

diff --git a/sonar-dependency-check-plugin/pom.xml b/sonar-dependency-check-plugin/pom.xml
@@ -13,7 +13,7 @@
     <url>https://www.owasp.org/index.php/OWASP_Dependency_Check</url>
 
     <properties>
-        <sonar.version>7.3</sonar.version>
+        <sonar.version>7.6</sonar.version>
         <!-- Configuration for sonar-packaging-maven-plugin -->
         <sonar.pluginClass>org.sonar.dependencycheck.DependencyCheckPlugin</sonar.pluginClass>
         <sonar.pluginName>Dependency-Check</sonar.pluginName>

diff --git a/...cy-check-plugin/src/main/java/org/sonar/dependencycheck/DependencyCheckConfiguration.java b/...cy-check-plugin/src/main/java/org/sonar/dependencycheck/DependencyCheckConfiguration.java
@@ -23,11 +23,9 @@
 import java.util.List;
 
 import org.sonar.api.PropertyType;
-import org.sonar.api.batch.ScannerSide;
 import org.sonar.api.config.PropertyDefinition;
 import org.sonar.dependencycheck.base.DependencyCheckConstants;
 
-@ScannerSide
 public class DependencyCheckConfiguration {
 
     private DependencyCheckConfiguration() {

diff --git a/...ependency-check-plugin/src/main/java/org/sonar/dependencycheck/DependencyCheckSensor.java b/...ependency-check-plugin/src/main/java/org/sonar/dependencycheck/DependencyCheckSensor.java
@@ -21,205 +21,49 @@
 
 import java.io.FileNotFoundException;
 import java.io.IOException;
-import java.util.Collection;
-import java.util.List;
 
-import javax.annotation.Nullable;
 import javax.xml.stream.XMLStreamException;
 
-import org.apache.commons.lang3.StringUtils;
 import org.sonar.api.batch.fs.FileSystem;
-import org.sonar.api.batch.fs.InputFile;
-import org.sonar.api.batch.rule.Severity;
-import org.sonar.api.batch.sensor.Sensor;
 import org.sonar.api.batch.sensor.SensorContext;
 import org.sonar.api.batch.sensor.SensorDescriptor;
-import org.sonar.api.batch.sensor.issue.internal.DefaultIssueLocation;
-import org.sonar.api.measures.Metric;
-import org.sonar.api.rule.RuleKey;
 import org.sonar.api.scan.filesystem.PathResolver;
+import org.sonar.api.scanner.sensor.ProjectSensor;
 import org.sonar.api.utils.log.Logger;
 import org.sonar.api.utils.log.Loggers;
 import org.sonar.api.utils.log.Profiler;
-import org.sonar.dependencycheck.base.DependencyCheckConstants;
 import org.sonar.dependencycheck.base.DependencyCheckMetrics;
-import org.sonar.dependencycheck.base.DependencyCheckUtils;
 import org.sonar.dependencycheck.parser.ReportParser;
 import org.sonar.dependencycheck.parser.element.Analysis;
-import org.sonar.dependencycheck.parser.element.Dependency;
-import org.sonar.dependencycheck.parser.element.Vulnerability;
+import org.sonar.dependencycheck.reason.DependencyReasonSearcher;
 import org.sonar.dependencycheck.report.HtmlReportFile;
 import org.sonar.dependencycheck.report.XmlReportFile;
 
-public class DependencyCheckSensor implements Sensor {
+public class DependencyCheckSensor implements ProjectSensor {
 
     private static final Logger LOGGER = Loggers.get(DependencyCheckSensor.class);
     private static final String SENSOR_NAME = "Dependency-Check";
 
     private final FileSystem fileSystem;
     private final PathResolver pathResolver;
 
-    private int totalDependencies;
-    private int vulnerableDependencies;
-    private int vulnerabilityCount;
-    private int blockerIssuesCount;
-    private int criticalIssuesCount;
-    private int majorIssuesCount;
-    private int minorIssuesCount;
-    private int infoIssuesCount;
-
     public DependencyCheckSensor(FileSystem fileSystem, PathResolver pathResolver) {
         this.fileSystem = fileSystem;
         this.pathResolver = pathResolver;
     }
 
-    private void addIssue(SensorContext context, Dependency dependency, Vulnerability vulnerability) {
-        Severity severity = DependencyCheckUtils.cvssToSonarQubeSeverity(vulnerability.getCvssScore(), context.config());
-
-        context.newIssue()
-                .forRule(RuleKey.of(DependencyCheckConstants.REPOSITORY_KEY, DependencyCheckConstants.RULE_KEY))
-                .at(new DefaultIssueLocation()
-                        .on(context.module())
-                        .message(formatDescription(dependency, vulnerability))
-                )
-                .overrideSeverity(severity)
-                .save();
-
-        incrementCount(severity);
-    }
-
-    private void addIssue(SensorContext context, Dependency dependency) {
-        dependency.sortVulnerabilityBycvssScore();
-        List<Vulnerability> vulnerabilities = dependency.getVulnerabilities();
-        Vulnerability highestVulnerability = vulnerabilities.get(0);
-        Severity severity = DependencyCheckUtils.cvssToSonarQubeSeverity(highestVulnerability.getCvssScore(), context.config());
-        context.newIssue()
-            .forRule(RuleKey.of(DependencyCheckConstants.REPOSITORY_KEY, DependencyCheckConstants.RULE_KEY))
-            .at(new DefaultIssueLocation()
-                .on(context.module())
-                .message(formatDescription(dependency, vulnerabilities, highestVulnerability)))
-            .overrideSeverity(severity)
-            .save();
-
-        incrementCount(severity);
-    }
-
-    /**
-     * TODO: Add Markdown formatting if and when Sonar supports it
-     * https://jira.sonarsource.com/browse/SONAR-4161
-     */
-    private String formatDescription(Dependency dependency, Vulnerability vulnerability) {
-        StringBuilder sb = new StringBuilder();
-        sb.append("Filename: ").append(dependency.getFileName()).append(" | ");
-        sb.append("Reference: ").append(vulnerability.getName()).append(" | ");
-        sb.append("CVSS Score: ").append(vulnerability.getCvssScore()).append(" | ");
-        if (StringUtils.isNotBlank(vulnerability.getCwe())) {
-            sb.append("Category: ").append(vulnerability.getCwe()).append(" | ");
-        }
-        sb.append(vulnerability.getDescription());
-        return sb.toString();
-    }
-
-    private String formatDescription(Dependency dependency, Collection<Vulnerability> vulnerabilities, Vulnerability highestVulnerability) {
-        StringBuilder sb = new StringBuilder();
-        sb.append("Filename: ").append(dependency.getFileName()).append(" | ");
-        sb.append("Highest CVSS Score: ").append(highestVulnerability.getCvssScore()).append(" | ");
-        sb.append("Amount of CVSS: ").append(vulnerabilities.size()).append(" | ");
-        sb.append("References: ");
-        for (Vulnerability vulnerability : vulnerabilities) {
-            sb.append(vulnerability.getName()).append(" (").append(vulnerability.getCvssScore()).append(") ");
-        }
-        return sb.toString().trim();
-    }
-
-    private void incrementCount(Severity severity) {
-        switch (severity) {
-            case BLOCKER:
-                this.blockerIssuesCount++;
-                break;
-            case CRITICAL:
-                this.criticalIssuesCount++;
-                break;
-            case MAJOR:
-                this.majorIssuesCount++;
-                break;
-            case MINOR:
-                this.minorIssuesCount++;
-                break;
-            case INFO:
-                this.infoIssuesCount++;
-                break;
-            default:
-                LOGGER.debug("Unknown severity {}", severity);
-                break;
-        }
-    }
-
-    private void addIssues(SensorContext context, Analysis analysis) {
-        if (analysis.getDependencies() == null) {
-            return;
-        }
-        for (Dependency dependency : analysis.getDependencies()) {
-            InputFile testFile = fileSystem.inputFile(
-                    fileSystem.predicates().hasPath(
-                            escapeReservedPathChars(dependency.getFilePath())
-                    )
-            );
-
-            int depVulnCount = dependency.getVulnerabilities().size();
-            vulnerabilityCount += depVulnCount;
-
-            if (depVulnCount > 0) {
-                vulnerableDependencies++;
-                saveMetricOnFile(context, testFile, DependencyCheckMetrics.VULNERABLE_DEPENDENCIES, depVulnCount);
-            }
-            saveMetricOnFile(context, testFile, DependencyCheckMetrics.TOTAL_VULNERABILITIES, depVulnCount);
-            saveMetricOnFile(context, testFile, DependencyCheckMetrics.TOTAL_DEPENDENCIES, depVulnCount);
-
-            if (!dependency.getVulnerabilities().isEmpty()
-                && context.config().getBoolean(DependencyCheckConstants.SUMMARIZE_PROPERTY).orElse(DependencyCheckConstants.SUMMARIZE_PROPERTY_DEFAULT)) {
-                // One Issue per dependency
-                addIssue(context, dependency);
-            } else {
-                for (Vulnerability vulnerability : dependency.getVulnerabilities()) {
-                    addIssue(context, dependency, vulnerability);
-                }
-            }
-        }
-    }
-
-    private void saveMetricOnFile(SensorContext context, @Nullable InputFile inputFile, Metric<Integer> metric, int value) {
-        if (inputFile != null) {
-            context.<Integer>newMeasure().on(inputFile).forMetric(metric).withValue(value);
-        }
-    }
-
     private Analysis parseAnalysis(SensorContext context) throws IOException, XMLStreamException {
         XmlReportFile report = XmlReportFile.getXmlReport(context.config(), fileSystem, this.pathResolver);
         return ReportParser.parse(report.getInputStream());
     }
 
-    private void saveMeasures(SensorContext context) {
-        context.<Integer>newMeasure().forMetric(DependencyCheckMetrics.CRITICAL_SEVERITY_VULNS).on(context.module()).withValue(blockerIssuesCount).save();
-        context.<Integer>newMeasure().forMetric(DependencyCheckMetrics.HIGH_SEVERITY_VULNS).on(context.module()).withValue(criticalIssuesCount).save();
-        context.<Integer>newMeasure().forMetric(DependencyCheckMetrics.MEDIUM_SEVERITY_VULNS).on(context.module()).withValue(majorIssuesCount).save();
-        context.<Integer>newMeasure().forMetric(DependencyCheckMetrics.LOW_SEVERITY_VULNS).on(context.module()).withValue(minorIssuesCount).save();
-        context.<Integer>newMeasure().forMetric(DependencyCheckMetrics.TOTAL_DEPENDENCIES).on(context.module()).withValue(totalDependencies).save();
-        context.<Integer>newMeasure().forMetric(DependencyCheckMetrics.VULNERABLE_DEPENDENCIES).on(context.module()).withValue(vulnerableDependencies).save();
-        context.<Integer>newMeasure().forMetric(DependencyCheckMetrics.TOTAL_VULNERABILITIES).on(context.module()).withValue(vulnerabilityCount).save();
-        LOGGER.debug("Found {} info Issues", infoIssuesCount);
-
-        context.<Integer>newMeasure().forMetric(DependencyCheckMetrics.INHERITED_RISK_SCORE).on(context.module())
-            .withValue(DependencyCheckMetrics.inheritedRiskScore(blockerIssuesCount, criticalIssuesCount, majorIssuesCount, minorIssuesCount)).save();
-        context.<Double>newMeasure().forMetric(DependencyCheckMetrics.VULNERABLE_COMPONENT_RATIO).on(context.module())
-            .withValue(DependencyCheckMetrics.vulnerableComponentRatio(vulnerabilityCount, vulnerableDependencies)).save();
-
+    private void uploadHTMLReport (SensorContext context){
         try {
             HtmlReportFile htmlReportFile = HtmlReportFile.getHtmlReport(context.config(), fileSystem, pathResolver);
             String htmlReport = htmlReportFile.getReportContent();
             if (htmlReport != null) {
                 LOGGER.info("Upload Dependency-Check HTML-Report");
-                context.<String>newMeasure().forMetric(DependencyCheckMetrics.REPORT).on(context.module()).withValue(htmlReport).save();
+                context.<String>newMeasure().forMetric(DependencyCheckMetrics.REPORT).on(context.project()).withValue(htmlReport).save();
             }
         } catch (FileNotFoundException e) {
             LOGGER.info(e.getMessage());
@@ -243,8 +87,9 @@ public void execute(SensorContext sensorContext) {
         profiler.startInfo("Process Dependency-Check report");
         try {
             Analysis analysis = parseAnalysis(sensorContext);
-            this.totalDependencies = analysis.getDependencies().size();
-            addIssues(sensorContext, analysis);
+            DependencyReasonSearcher dependencyReasonSearcher = new DependencyReasonSearcher(sensorContext);
+            dependencyReasonSearcher.addDependenciesToProjectConfigurationFiles(analysis, sensorContext);
+            dependencyReasonSearcher.saveMeasures(sensorContext);
         } catch (FileNotFoundException e) {
             LOGGER.info("Analysis skipped/aborted due to missing report file");
             LOGGER.debug(e.getMessage(), e);
@@ -253,30 +98,7 @@ public void execute(SensorContext sensorContext) {
         } catch (XMLStreamException e) {
             LOGGER.warn("Analysis aborted due to: XML is not valid", e);
         }
-        saveMeasures(sensorContext);
+        uploadHTMLReport(sensorContext);
         profiler.stopInfo();
     }
-
-    /**
-     * The following characters are reserved on Windows systems.
-     * Some are also reserved on Unix systems.
-     *
-     * < (less than)
-     * > (greater than)
-     * : (colon)
-     * " (double quote)
-     * / (forward slash)
-     * \ (backslash)
-     * | (vertical bar or pipe)
-     * ? (question mark)
-     * (asterisk)
-     */
-    private String escapeReservedPathChars(String path) {
-        /*
-         * TODO: For the time being, only try to replace ? (question mark) since that is the only reserved character
-         * intentionally used by Dependency-Check.
-         */
-        String replacement = path.contains("/") ? "/" : "\\";
-        return path.replace("?", replacement);
-    }
 }