Merge pull request #22 from albuch/update_dc_2.1.0

Update dc 2.1.0. Closes #21

README.md

@@ -36,6 +36,7 @@ dependencyCheckCveValidForHours | Sets the number of hours to wait before checki
 dependencyCheckFailBuildOnCVSS | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. | 11.0
 dependencyCheckFormat | The report format to be generated (HTML, XML, VULN, CSV, JSON, ALL). | HTML
 dependencyCheckOutputDirectory | The location to write the report(s). | `crossTarget.value` e.g. `./target/scala-2.11`
+dependencyCheckScanSet | An optional sequence of files that specify additional files and/or directories to analyze as part of the scan. If not specified, defaults to standard scala conventions (see [SBT documentation](http://www.scala-sbt.org/0.13/docs/Directories.html#Source+code) for details). | `/src/main/resources`
 dependencyCheckSkip | Skips the dependency-check analysis |  false
 dependencyCheckSkipTestScope | Skips analysis for artifacts with Test Scope | true
 dependencyCheckSkipRuntimeScope | Skips analysis for artifacts with Runtime Scope | false
@@ -71,7 +72,7 @@ dependencyCheckNSPAnalyzerEnabled | Sets whether or not the Node Security Platfo
 dependencyCheckNuspecAnalyzerEnabled | Sets whether or not the .NET Nuget Nuspec Analyzer will be used. | true
 dependencyCheckCocoapodsEnabled | Sets whether or not the experimental Cocoapods Analyzer should be used. | true
 dependencyCheckSwiftEnabled | Sets whether or not the experimental Swift Package Manager Analyzer should be used. | true
-dependencyCheckBundleAuditEnabled | Sets whether or not the experimental Ruby Bundle Audit Analyzer should be used. | true
+dependencyCheckBundleAuditEnabled | Sets whether or not the Ruby Bundle Audit Analyzer should be used. | true
 dependencyCheckPathToBundleAudit| The path to bundle audit. |
 dependencyCheckAssemblyAnalyzerEnabled | Sets whether or not the .NET Assembly Analyzer should be used. | true
 dependencyCheckPathToMono | The path to Mono for .NET assembly analysis on non-windows systems. |

build.sbt

@@ -10,7 +10,7 @@ sbtPlugin := true
 
 libraryDependencies ++= Seq(
 	"commons-collections" % "commons-collections" % "3.2.2",
-	"org.owasp" % "dependency-check-core" % "2.0.1",
+	"org.owasp" % "dependency-check-core" % "2.1.0",
 	"org.slf4j" % "slf4j-simple" % "1.7.25"
 )
 

src/main/scala/net/vonbuchholtz/sbt/dependencycheck/DependencyCheckKeys.scala

@@ -10,11 +10,13 @@ trait DependencyCheckKeys {
 	lazy val dependencyCheckFailBuildOnCVSS = settingKey[Float]("Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail.")
 	lazy val dependencyCheckFormat = settingKey[String]("The report format to be generated (HTML, XML, CSV, JSON, VULN, ALL).")
 	lazy val dependencyCheckOutputDirectory = settingKey[Option[File]]("The location to write the report(s).")
+	lazy val dependencyCheckScanSet = settingKey[Seq[File]]("An optional sequence of files that specify additional files and/or directories to analyze as part of the scan. If not specified, defaults to standard scala conventions.")
 	lazy val dependencyCheckSkip = settingKey[Boolean]("Skips the dependency-check analysis ")
 	lazy val dependencyCheckSkipTestScope = settingKey[Boolean]("Skips analysis for artifacts with Test Scope ")
 	lazy val dependencyCheckSkipRuntimeScope = settingKey[Boolean]("Skips analysis for artifacts with Runtime Scope ")
 	lazy val dependencyCheckSkipProvidedScope = settingKey[Boolean]("Skips analysis for artifacts with Provided Scope ")
 	lazy val dependencyCheckSkipOptionalScope = settingKey[Boolean]("Skips analysis for artifacts with Optional Scope ")
+	lazy val dependencyCheckSuppressionFile = settingKey[Option[File]]("The file path to the XML suppression file - used to suppress false positives. If you want to add multiple files use dependencyCheckSuppressionFiles instead.")
 	lazy val dependencyCheckSuppressionFiles = settingKey[Seq[File]]("The sequence of file paths to the XML suppression files - used to suppress false positives")
 	lazy val dependencyCheckHintsFile = settingKey[Option[File]]("The file path to the XML hints file - used to resolve false negatives.")
 	lazy val dependencyCheckEnableExperimental = settingKey[Option[Boolean]]("Enable the experimental analyzers. If not enabled the experimental analyzers (see below) will not be loaded or used. ")

src/main/scala/net/vonbuchholtz/sbt/dependencycheck/DependencyCheckPlugin.scala

@@ -9,7 +9,7 @@ import org.owasp.dependencycheck.utils.Settings
 import org.owasp.dependencycheck.utils.Settings.KEYS._
 import sbt.Keys._
 import sbt.plugins.JvmPlugin
-import sbt.{File, ScopeFilter, _}
+import sbt.{Def, File, ScopeFilter, _}
 
 import scala.collection.JavaConverters._
 
@@ -29,11 +29,13 @@ object DependencyCheckPlugin extends sbt.AutoPlugin {
     dependencyCheckCveValidForHours := None,
     dependencyCheckFailBuildOnCVSS := 11,
     dependencyCheckOutputDirectory := Some(crossTarget.value),
+    dependencyCheckScanSet := Seq(baseDirectory.value / "src/main/resources"),
     dependencyCheckSkip := false,
     dependencyCheckSkipTestScope := true,
     dependencyCheckSkipRuntimeScope := false,
     dependencyCheckSkipProvidedScope := false,
     dependencyCheckSkipOptionalScope := false,
+    dependencyCheckSuppressionFile := None,
     dependencyCheckSuppressionFiles := Seq(),
     dependencyCheckHintsFile := None,
     dependencyCheckEnableExperimental := None,
@@ -97,8 +99,8 @@ object DependencyCheckPlugin extends sbt.AutoPlugin {
     setIntSetting(CVE_CHECK_VALID_FOR_HOURS, dependencyCheckCveValidForHours.value)
 
     Settings.setStringIfNotEmpty(APPLICATION_NAME, name.value)
-
-    setFileSequenceSetting(SUPPRESSION_FILE, dependencyCheckSuppressionFiles.value)
+    val suppressionFiles = dependencyCheckSuppressionFiles.value ++ Seq(dependencyCheckSuppressionFile.value).flatten
+    setFileSequenceSetting(SUPPRESSION_FILE, suppressionFiles)
     setFileSetting(HINTS_FILE, dependencyCheckHintsFile.value)
     setBooleanSetting(ANALYZER_EXPERIMENTAL_ENABLED, dependencyCheckEnableExperimental.value)
 
@@ -219,8 +221,16 @@ object DependencyCheckPlugin extends sbt.AutoPlugin {
         checkDependencies --= logRemoveDependencies(Classpaths.managedJars(Optional, classpathTypes.value, update.value), Optional, log)
       }
 
-      val engine: Engine = createReport(checkDependencies, outputDir, reportFormat, useSbtModuleIdAsGav, log)
-      determineTaskFailureStatus(cvssScore, engine)
+      val scanSet: Seq[File] = (dependencyCheckScanSet.value.map { _ ** "*" } reduceLeft( _ +++ _) filter {_.isFile}).get
+
+      try {
+        val engine: Engine = createReport(checkDependencies, scanSet, outputDir, reportFormat, useSbtModuleIdAsGav, log)
+        determineTaskFailureStatus(cvssScore, engine)
+      } catch {
+        case e: Exception =>
+          log.error(s"Failed creating report: ${e.getLocalizedMessage}")
+          throw e
+      }
     }
     else {
       log.info(s"Skipping dependency check for ${name.value}")
@@ -253,8 +263,9 @@ object DependencyCheckPlugin extends sbt.AutoPlugin {
     val optionalDependencies: Seq[(ProjectRef, Configuration, Seq[Attributed[File]])] = aggregateOptionalTask.all(aggregateOptionalFilter).value
     aggregatedDependencies = removeClasspathDependencies(optionalDependencies, aggregatedDependencies, log)
 
+    val scanSet: Seq[File] = (dependencyCheckScanSet.value.map { _ ** "*" } reduceLeft( _ +++ _) filter {_.isFile}).get
     try {
-      val engine: Engine = createReport(aggregatedDependencies, outputDir, reportFormat, useSbtModuleIdAsGav, log)
+      val engine: Engine = createReport(aggregatedDependencies, scanSet, outputDir, reportFormat, useSbtModuleIdAsGav, log)
       determineTaskFailureStatus(cvssScore, engine)
     } catch {
       case e: Exception =>
@@ -384,8 +395,10 @@ object DependencyCheckPlugin extends sbt.AutoPlugin {
     }
   }
 
-  def createReport(checkClasspath: Set[Attributed[File]], outputDir: File, reportFormat: String, useSbtModuleIdAsGav: Boolean, log: Logger): Engine = {
+  def createReport(checkClasspath: Set[Attributed[File]], scanSet: Seq[File], outputDir: File, reportFormat: String, useSbtModuleIdAsGav: Boolean, log: Logger): Engine = {
     addDependencies(checkClasspath, engine, useSbtModuleIdAsGav, log)
+    scanSet.foreach(file => engine.scan(file))
+
     engine.analyzeDependencies()
     engine.writeReports(Settings.getString(APPLICATION_NAME), outputDir , reportFormat)
     //writeReports(outputDir, reportFormat, log)

src/sbt-test/sbt-dependency-check/checkScanSet/build.sbt

@@ -0,0 +1,6 @@
+version := "0.1"
+lazy val root = project in file(".")
+scalaVersion := "2.10.6"
+
+dependencyCheckFailBuildOnCVSS := 0
+dependencyCheckScanSet := Seq(baseDirectory.value / "src/main/customDir")

src/sbt-test/sbt-dependency-check/checkScanSet/project/plugins.sbt

@@ -0,0 +1,5 @@
+sys.props.get("plugin.version") match {
+  case Some(x) => addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % x)
+  case _ => sys.error("""|The system property 'plugin.version' is not defined.
+                        |Specify this property using the scriptedLaunchOpts -D.""".stripMargin)
+}

src/sbt-test/sbt-dependency-check/checkScanSet/test

@@ -0,0 +1,2 @@
+-> dependencyCheck
+$ exists target/scala-2.10/dependency-check-report.html