Posted to commits@yetus.apache.org by bu...@apache.org on 2018/05/09 17:40:52 UTC
yetus git commit: YETUS-441 Add a plugin that uses OWASP's
depenency-check tool. [Forced Update!]
Repository: yetus
Updated Branches:
refs/heads/YETUS-441 154361595 -> 37dc89c33 (forced update)
YETUS-441 Add a plugin that uses OWASP's dependency-check tool.
* precommit plugin 'dependency_check' for maven or cli if given
* jenkins job that will handle updating a cached vulnerability database
Project: http://git-wip-us.apache.org/repos/asf/yetus/repo
Commit: http://git-wip-us.apache.org/repos/asf/yetus/commit/37dc89c3
Tree: http://git-wip-us.apache.org/repos/asf/yetus/tree/37dc89c3
Diff: http://git-wip-us.apache.org/repos/asf/yetus/diff/37dc89c3
Branch: refs/heads/YETUS-441
Commit: 37dc89c33caa6fd6f174a5913e3cf3e055c5f481
Parents: e56ba29
Author: Sean Busbey <bu...@apache.org>
Authored: Wed May 2 11:36:37 2018 -0500
Committer: Sean Busbey <bu...@apache.org>
Committed: Wed May 9 10:40:18 2018 -0700
----------------------------------------------------------------------
precommit/core.d/00-yetuslib.sh | 28 ++
.../jenkins/owasp-dependency-check-cache.sh | 96 +++++
precommit/test-patch.d/dependency-check.sh | 361 +++++++++++++++++++
3 files changed, 485 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/yetus/blob/37dc89c3/precommit/core.d/00-yetuslib.sh
----------------------------------------------------------------------
diff --git a/precommit/core.d/00-yetuslib.sh b/precommit/core.d/00-yetuslib.sh
index 983dfe6..fbdb70d 100755
--- a/precommit/core.d/00-yetuslib.sh
+++ b/precommit/core.d/00-yetuslib.sh
@@ -293,6 +293,34 @@ function yetus_add_array_element
fi
}
+## @description return the array index of given element
+## @audience public
+## @stability stable
+## @replaceable yes
+## @param arrayname
+## @param element
+## @returns 0 found
+## @returns 1 not found
+## @returns stdout array index
+function yetus_array_index_of
+{
+ local arr_name=$1
+ local needle=$2
+ # shellcheck disable=SC2016
+ local -a 'arr_keys=("${!'"$1"'[@]}")'
+ local entry
+
+ # shellcheck disable=SC2154
+ for entry in "${arr_keys[@]}"; do
+ local valueref="${arr_name}[${entry}]"
+ if [[ "${!valueref}" = "${needle}" ]]; then
+ echo "${entry}"
+ return 0
+ fi
+ done
+ return 1
+}
+
## @description Sort an array by its elements
## @audience public
## @stability stable
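Review bot: The array name given to `yetus_array_index_of` is spliced into a compound assignment on the `local -a 'arr_keys=("${!'"$1"'[@]}")'` line, so `$1` is parsed by the shell as code rather than merely dereferenced; a value containing `"` or `)` breaks out of the expression. Every caller in this commit passes a literal name, so this is hardening rather than a live bug, but the function is marked public/stable, so it should reject anything that is not a plain identifier before that assignment: `if [[ ! "${arr_name}" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]; then return 1; fi`. The same guard keeps the later `${!valueref}` lookup well-defined when the name is empty. The leading `fi`/`}` context lines belong to `yetus_add_array_element`, whose body lies outside the hunk.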
http://git-wip-us.apache.org/repos/asf/yetus/blob/37dc89c3/precommit/jenkins/owasp-dependency-check-cache.sh
----------------------------------------------------------------------
diff --git a/precommit/jenkins/owasp-dependency-check-cache.sh b/precommit/jenkins/owasp-dependency-check-cache.sh
new file mode 100755
index 0000000..1185312
--- /dev/null
+++ b/precommit/jenkins/owasp-dependency-check-cache.sh
@@ -0,0 +1,96 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# no shelldocs required from this file
+# SHELLDOC-IGNORE
+
+# Make sure that bash version meets the pre-requisite
+
+if [[ -z "${BASH_VERSINFO[0]}" ]] \
+ || [[ "${BASH_VERSINFO[0]}" -lt 3 ]] \
+ || [[ "${BASH_VERSINFO[0]}" -eq 3 && "${BASH_VERSINFO[1]}" -lt 2 ]]; then
+ echo "bash v3.2+ is required. Sorry."
+ exit 1
+fi
+
+INSTALL_URL_DEFAULT="http://dl.bintray.com/jeremy-long/owasp/dependency-check-3.1.2-release.zip"
+
+set -e
+function usage {
+ echo "Usage: ${0} [options] /path/to/data/cache/directory"
+ echo ""
+ echo " --dependency-check /path/to/exec Optionally point to 'dependency-check' cli."
+ echo " --install /path/to/dir download and cache dependency-check cli."
+ echo " --install-url url where the cli download is."
+ echo " default: ${INSTALL_URL_DEFAULT}"
+ echo " --verbose /path/to/log log verbose debug information at given path."
+ echo " --help show this usage message."
+ exit 1
+}
+# if no args specified, show usage
+if [ $# -lt 1 ]; then
+ usage
+fi
+
+# Get arguments
+declare dependency_check
+declare install
+declare install_url="${INSTALL_URL_DEFAULT}"
+declare cache_dir
+declare -a verbose
+while [ $# -gt 0 ]
+do
+ case "$1" in
+ --dependency-check) shift; dependency_check=$1; shift;;
+ # make this an absolute path
+ --install) shift; install="$(cd "$(dirname "$1")"; pwd)/$(basename "$1")"; shift;;
+ --install-url) shift; install_url=$1; shift;;
+ --verbose) shift; verbose=(--log "$(cd "$(dirname "$1")"; pwd)/$(basename "$1")"); shift;;
+ --) shift; break;;
+ -*) usage ;;
+ *) break;; # terminate while loop
+ esac
+done
+
+# Should still have the required arg
+if [ $# -lt 1 ]; then
+ usage
+fi
+# Absolute path
+cache_dir="$(cd "$(dirname "$1")"; pwd)/$(basename "$1")"
+
+# If we didn't point to an exec, check for install cache
+if [ -z "${dependency_check}" ] && [ -n "${install}" ]; then
+ # if we have things cached, just point at it otherwise do an install
+ if [ ! -x "${install}/dependency-check/bin/dependency-check.sh" ]; then
+ if [ ! -d "${install}" ]; then
+ mkdir "${install}"
+ fi
+ echo "Downloading '${install_url}' to '${install}'" >&2
+ curl --location -o "${install}/dependency-check.zip" "${install_url}"
+ unzip "${install}/dependency-check.zip" -d "${install}"
+ rm -f "${install}/dependency-check.zip"
+ fi
+ dependency_check="${install}/dependency-check/bin/dependency-check.sh"
+fi
+
+# if we don't point at something by now, give the path a try
+if [ -z "${dependency_check}" ]; then
+ dependency_check=$(which dependency-check)
+fi
+echo "Dependency check CLI version: $("${dependency_check}" --version)"
+"${dependency_check}" --updateonly --data "${cache_dir}" "${verbose[@]}"
+echo "Done updating cache in '${cache_dir}'"
http://git-wip-us.apache.org/repos/asf/yetus/blob/37dc89c3/precommit/test-patch.d/dependency-check.sh
----------------------------------------------------------------------
diff --git a/precommit/test-patch.d/dependency-check.sh b/precommit/test-patch.d/dependency-check.sh
new file mode 100644
index 0000000..11629cc
--- /dev/null
+++ b/precommit/test-patch.d/dependency-check.sh
@@ -0,0 +1,361 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# SHELLDOC-IGNORE
+
+DEPENDENCY_CHECK_ARGS=()
+DEPENDENCY_CHECK_SUPPRESSION_FILES=()
+DEPENDENCY_CHECK_EXCLUDES_PATTERNS=()
+DEPENDENCY_CHECK_TIMER="0"
+DEPENDENCY_CHECK_SEVERITIES=("High" "Medium" "Low")
+DEPENDENCY_CHECK_SEVERITY="${DEPENDENCY_CHECK_SEVERITIES[0]}"
+DEPENDENCY_CHECK_UPDATE=true
+DEPENDENCY_CHECK_EXPERIMENTAL=false
+DEPENDENCY_CHECK_MAVEN_GOAL=check
+
+add_test_type dependency_check
+
+## @audience private
+function dependency_check_usage
+{
+ yetus_add_option "--dependency-check=<path>" "path to the dependency-check executable"
+ yetus_add_option "--dependency-check-severity-threshold=<value>" "ignore findings with a 'highest severity' lower than this. default: ${DEPENDENCY_CHECK_SEVERITY}"
+ yetus_add_option "--dependency-check-suppression=<list>" "path(s) to suppression XML file(s). see https://s.apache.org/ahw7"
+ yetus_add_option "--dependency-check-excludes=<list>" "list of ant style exclusions"
+ yetus_add_option "--dependency-check-experimental" "enable experimental analyzers."
+ yetus_add_option "--dependency-check-no-updates" "suppress updates of CVE information"
+ yetus_add_option "--dependency-check-data-file=<path>" "path to local H2 database"
+ yetus_add_option "--dependency-check-db-connection-string=<string>" "iff shared db, jdbs connection string"
+ yetus_add_option "--dependency-check-db-driver-name=<classname>" "iff shared db, jdbc driver name"
+ yetus_add_option "--dependency-check-db-driver-jar=<path>" "iff shared db, driver jar path"
+ yetus_add_option "--dependency-check-db-username=<name>" "iff shared db, username"
+ yetus_add_option "--dependency-check-db-password=<passwor>" "iff shared db, password"
+ yetus_add_option "--dependency-check-maven-goal=<goal>" "iff maven build, the plugin goal to use. default: ${DEPENDENCY_CHECK_MAVEN_GOAL}"
+}
+
+## @audience private
+function dependency_check_parse_args
+{
+ declare i
+
+ for i in "$@"; do
+ case ${i} in
+ --dependency-check=*)
+ DEPENDENCY_CHECK=${i#*=}
+ ;;
+ --dependency-check-severity-threshold=*)
+ DEPENDENCY_CHECK_SEVERITY=${i#*=}
+ ;;
+ --dependency-check-suppression=*)
+ yetus_comma_to_array DEPENDENCY_CHECK_SUPPRESSION_FILES "${i#*=}"
+ ;;
+ --dependency-check-excludes=*)
+ yetus_comma_to_array DEPENDENCY_CHECK_EXCLUDES_PATTERNS "${i#*=}"
+ ;;
+ --dependency-check-experimental)
+ DEPENDENCY_CHECK_EXPERIMENTAL=true
+ ;;
+ --dependency-check-no-updates)
+ DEPENDENCY_CHECK_UPDATE=false
+ ;;
+ --dependency-check-data-file=*)
+ DEPENDENCY_CHECK_DATA_FILE=${i#*=}
+ ;;
+ --dependency-check-db-connection-string=*)
+ DEPENDENCY_CHECK_DB_CONNECTION=${i#*=}
+ ;;
+ --dependency-check-db-driver-name=*)
+ DEPENDENCY_CHECK_DB_DRIVER=${i#*=}
+ ;;
+ --dependency-check-db-driver-jar=*)
+ DEPENDENCY_CHECK_DB_DRIVER_JAR=${i#*=}
+ ;;
+ --dependency-check-db-username=*)
+ DEPENDENCY_CHECK_DB_USER=${i#*=}
+ ;;
+ --dependency-check-db-password=*)
+ DEPENDENCY_CHECK_DB_PASSWORD=${i#*=}
+ ;;
+ --dependency-check-maven-goal=*)
+ DEPENDENCY_CHECK_MAVEN_GOAL=${i#*=}
+ ;;
+ esac
+ done
+
+}
+
+## @audience private
+function dependency_check_filefilter
+{
+ declare filename=$1
+
+ case ${BUILDTOOL} in
+ maven)
+ if [[ $(unknown) =~ pom\.xml$ ]]; then
+ yetus_debug "tests/dependency_check: $(unknown)"
+ add_test dependency_check
+ fi
+ ;;
+ *)
+ add_test dependency_check
+ ;;
+ esac
+}
+
+## @audience private
+function dependency_check_precheck
+{
+ declare dependency_check_version
+
+ if ! yetus_array_contains "${DEPENDENCY_CHECK_SEVERITY}" "${DEPENDENCY_CHECK_SEVERITIES[@]}" ; then
+ yetus_error "Dependency check doesn't know about severity level '${DEPENDENCY_CHECK_SEVERITY}'"
+ return 1
+ fi
+
+ case ${BUILDTOOL} in
+ maven)
+ if [ "${#DEPENDENCY_CHECK_EXCLUDES_PATTERNS[@]}" -gt 0 ]; then
+ yetus_error "dependency_check: The maven plugin doesn't support exclusion patterns."
+ return 1
+ fi
+ ;;
+ *)
+ if ! verify_command "dependency_check" "${DEPENDENCY_CHECK}"; then
+ add_vote_table 0 dependency_check "dependency-check was not available."
+ delete_test dependency_check
+ return 0
+ fi
+ ;;
+ esac
+
+ # Can't give both data file and db connection info
+ if [ -n "${DEPENDENCY_CHECK_DATA_FILE}" ] && [ -n "${DEPENDENCY_CHECK_DB_CONNECTION}" ]; then
+ yetus_debug "Both a local datafile and an external db were given on the cli, behavior of dependency-check isn't well defined."
+ fi
+
+ # finally let folks know what version they'll be dealing with.
+ dependency_check_version=$(${DEPENDENCY_CHECK} --noupdate --version 2>/dev/null | head -n 1 2>/dev/null)
+ add_footer_table dependency_check "version: ${dependency_check_version}"
+}
+
+## @audience private
+function dependency_check_initialize
+{
+ local -a filtered_severities
+ local -i severity_threshold
+ severity_threshold=$(yetus_array_index_of "DEPENDENCY_CHECK_SEVERITIES" "${DEPENDENCY_CHECK_SEVERITY}")
+ yetus_debug "Looking for severities in our list ranked up to ${severity_threshold}"
+ for key in "${!DEPENDENCY_CHECK_SEVERITIES[@]}"; do
+ if [ ! "${key}" -gt "${severity_threshold}" ]; then
+ filtered_severities=("${filtered_severities[@]}" "${DEPENDENCY_CHECK_SEVERITIES[${key}]}")
+ fi
+ done
+ yetus_debug "Given severity threshold of '${DEPENDENCY_CHECK_SEVERITY}' we'll look for: ${filtered_severities[*]}"
+ # The quotes here are important, because we want to match an entire CSV record
+ IFS=" " read -r -a DEPENDENCY_CHECK_LOG_FILTERS <<< "$(printf -- '-e "%s" ' "${filtered_severities[@]}")"
+
+ case ${BUILDTOOL} in
+ maven)
+ if [[ "${DEPENDENCY_CHECK_EXPERIMENTAL}" = "true" ]]; then
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "-DenableExperimental=true")
+ fi
+ if [[ "${DEPENDENCY_CHECK_UPDATE}" = "false" ]] || [[ "${OFFLINE}" == "true" ]]; then
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "-DautoUpdate=false")
+ fi
+ if [[ "${OFFLINE}" == "true" ]]; then
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "-DcentralAnalyzerEnabled=false")
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "-DnexusAnalyzerEnabled=false")
+ fi
+ if [ -n "${DEPENDENCY_CHECK_DATA_FILE}" ]; then
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "-DdataDirectory=${DEPENDENCY_CHECK_DATA_FILE}")
+ fi
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "-Dformat=ALL")
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "-DversionCheckEnabled=false")
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "-DskipProvidedScope=true")
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "-DskipSystemScope=true")
+ if [ "${#DEPENDENCY_CHECK_SUPPRESSION_FILES[@]}" -gt 0 ]; then
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "-DsuppressionFiles=$(printf -- "%s," "${DEPENDENCY_CHECK_SUPPRESSION_FILES[@]}")")
+ fi
+ if [ -n "${DEPENDENCY_CHECK_DB_CONNECTION}" ]; then
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "-DconnectionString=${DEPENDENCY_CHECK_DB_CONNECTION}")
+ if [ -n "${DEPENDENCY_CHECK_DB_DRIVER}" ]; then
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "-DdatabaseDriverName=${DEPENDENCY_CHECK_DB_DRIVER}")
+ fi
+ if [ -n "${DEPENDENCY_CHECK_DB_DRIVER_JAR}" ]; then
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "-DdatabaseDriverPath=${DEPENDENCY_CHECK_DB_DRIVER_JAR}")
+ fi
+ if [ -n "${DEPENDENCY_CHECK_DB_USER}" ]; then
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "-DdatabaseUser=${DEPENDENCY_CHECK_DB_USER}")
+ fi
+ if [ -n "${DEPENDENCY_CHECK_DB_PASSWORD}" ]; then
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "-DdatabasePassword=${DEPENDENCY_CHECK_DB_PASSWORD}")
+ fi
+ fi
+ ;;
+ *)
+ if [[ "${DEPENDENCY_CHECK_EXPERIMENTAL}" = "true" ]]; then
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" --enableExperimental)
+ fi
+ if [[ "${DEPENDENCY_CHECK_UPDATE}" = "false" ]] || [[ "${OFFLINE}" == "true" ]]; then
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" --noupdate)
+ fi
+ if [[ "${OFFLINE}" == "true" ]]; then
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" --disableCentral)
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" --disableNexus)
+ fi
+ if [ -n "${DEPENDENCY_CHECK_DATA_FILE}" ]; then
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" --data "${DEPENDENCY_CHECK_DATA_FILE}")
+ fi
+
+ if [ -n "${DEPENDENCY_CHECK_DB_CONNECTION}" ]; then
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" --connectionString "${DEPENDENCY_CHECK_DB_CONNECTION}")
+ if [ -n "${DEPENDENCY_CHECK_DB_DRIVER}" ]; then
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" --dbDriverName "${DEPENDENCY_CHECK_DB_DRIVER}")
+ fi
+ if [ -n "${DEPENDENCY_CHECK_DB_DRIVER_JAR}" ]; then
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" --dbDriverPath "${DEPENDENCY_CHECK_DB_DRIVER_JAR}")
+ fi
+ if [ -n "${DEPENDENCY_CHECK_DB_USER}" ]; then
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" --dbUser "${DEPENDENCY_CHECK_DB_USER}")
+ fi
+ if [ -n "${DEPENDENCY_CHECK_DB_PASSWORD}" ]; then
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" --dbPassword "${DEPENDENCY_CHECK_DB_PASSWORD}")
+ fi
+ fi
+
+ if [ "${#DEPENDENCY_CHECK_SUPPRESSION_FILES[@]}" -gt 0 ]; then
+ local -a suppressions
+ IFS=" " read -r -a suppressions <<< "$(printf -- "--suppression '%s' " "${DEPENDENCY_CHECK_SUPPRESSION_FILES[@]}")"
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "${suppressions[@]}")
+ fi
+ if [ "${#DEPENDENCY_CHECK_EXCLUDES_PATTERNS[@]}" -gt 0 ]; then
+ local -a excludes
+ IFS=" " read -r -a excludes <<< "$(printf -- "--exclude '%s' " "${DEPENDENCY_CHECK_EXCLUDES_PATTERNS[@]}")"
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" "${excludes[@]}")
+ fi
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" --format ALL)
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" --project "${PROJECT_NAME}")
+ if [ -n "${BASEDIR}" ]; then
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" --scan "${BASEDIR}")
+ else
+ DEPENDENCY_CHECK_ARGS=("${DEPENDENCY_CHECK_ARGS[@]}" --scan ".")
+ fi
+ ;;
+ esac
+
+
+}
+
+## @audience private
+function dependency_check_logfilter
+{
+ declare input=$1
+ declare output=$2
+
+ # TODO we should be parsing CSV columns properly
+ yetus_debug "dependency_check: filtering out lines based on severities with '${DEPENDENCY_CHECK_LOG_FILTERS[*]}'"
+
+ "${GREP}" "${DEPENDENCY_CHECK_LOG_FILTERS[@]}" "${input}" > "${output}"
+
+}
+
+## @audience private
+function dependency_check_postcompile
+{
+ declare repostatus=$1
+ declare reports="dependency_check_${repostatus}.reports"
+ if ! verify_needed_test dependency_check; then
+ return 0
+ fi
+
+ big_console_header "Determining number of dependency concerns (${repostatus})"
+
+ start_clock
+
+ # Add our previously calculated time
+ if [[ "${repostatus}" != branch ]]; then
+ offset_clock "${DEPENDENCY_CHECK_TIMER}"
+ fi
+
+ mkdir "${PATCH_DIR}/${reports}"
+
+ case ${BUILDTOOL} in
+ maven)
+ # invoke on a specific version, because older ones don't support options we need
+ # like CSV report output.
+ # shellcheck disable=2046
+ echo_and_redirect "${PATCH_DIR}/dependency_check_${repostatus}.log" \
+ $(maven_executor) --batch-mode "${DEPENDENCY_CHECK_ARGS[@]}" \
+ "org.owasp:dependency-check-maven:3.1.2:${DEPENDENCY_CHECK_MAVEN_GOAL}"
+
+ if [ ! -f "${BASEDIR:-.}/target/dependency-check-report.csv" ]; then
+ yetus_debug "maven goal did not generate csv report"
+ add_vote_table 0 dependency_check "${BUILDMODEMSG} maven goal did not generate needed report"
+ return 1
+ fi
+ # TODO get the plugin to allow configuring the output directory to something other than the project build dir.
+ # TODO maybe use the archive functionality here?
+ mv "${BASEDIR:-.}/target/dependency-check-"*{csv,html,json,xml} "${PATCH_DIR}/${reports}/"
+ ;;
+ *)
+ echo_and_redirect "${PATCH_DIR}/dependency_check_${repostatus}.log" \
+ "${DEPENDENCY_CHECK}" "${DEPENDENCY_CHECK_ARGS[@]}" \
+ --log "${PATCH_DIR}/dependency_check_${repostatus}.verbose.log" \
+ --out "${PATCH_DIR}/${reports}"
+ ;;
+ esac
+
+ generic_logfilter dependency_check \
+ "${PATCH_DIR}/${reports}/dependency-check-report.csv" \
+ "${PATCH_DIR}/dependency_check_${repostatus}_filtered.csv"
+
+ if [[ "${repostatus}" = branch ]]; then
+ DEPENDENCY_CHECK_TIMER=$(stop_clock)
+ else
+ # shellcheck disable=SC2016
+ numPostpatch=$(wc -l < "${PATCH_DIR}/dependency_check_patch_filtered.csv")
+
+ # iff the branch report doesn't already exist, we must be in a qbt build via --empty-patch
+ if [ -f "${PATCH_DIR}/dependency_check_branch_filtered.csv" ]; then
+ calcdiffs \
+ "${PATCH_DIR}/dependency_check_branch_filtered.csv" \
+ "${PATCH_DIR}/dependency_check_patch_filtered.csv" \
+ dependency_check \
+ > "${PATCH_DIR}/diff-dependency-check.csv"
+ diffPostpatch=$(wc -l < "${PATCH_DIR}/diff-dependency-check.csv")
+
+ # shellcheck disable=SC2016
+ numPrepatch=$(wc -l < "${PATCH_DIR}/dependency_check_branch_filtered.csv")
+ else
+ numPrepatch=0
+ diffPostpatch="${numPostpatch}"
+ cp "${PATCH_DIR}/dependency_check_patch_filtered.csv" \
+ "${PATCH_DIR}/diff-dependency-check.csv"
+ fi
+
+ statstring=$(generic_calcdiff_status "${numPrepatch}" "${numPostpatch}" "${diffPostpatch}" )
+
+ if [[ ${diffPostpatch} -gt 0 ]] ; then
+ add_vote_table -1 dependency_check "${BUILDMODEMSG} ${statstring}"
+ add_footer_table dependency_check "@@BASE@@/diff-dependency-check.csv"
+ return 1
+ fi
+
+ add_vote_table +1 dependency_check "${BUILDMODEMSG} ${statstring}"
+ fi
+ return 0
+}
+
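Review bot: The shared-DB password is placed on the dependency-check command line (`-DdatabasePassword=...` in the maven branch, `--dbPassword` in the CLI branch), where it is visible to any local user via `ps`, and since both invocations go through `echo_and_redirect` into `${PATCH_DIR}/dependency_check_${repostatus}.log` it is presumably also written into a log that precommit publishes with the build artifacts. If the tool accepts the password from a properties file or the environment, that route should be preferred; otherwise the `--dependency-check-db-password` help text should state the exposure, e.g. `"iff shared db, password (NOTE: visible in process listings and build logs)"`. Separately, the `printf -- "--suppression '%s' "` / `read -r -a` construction leaves literal single quotes in each path (`read` performs no quote removal), so the CLI receives `'/path/file.xml'`; building the array directly, `for f in "${DEPENDENCY_CHECK_SUPPRESSION_FILES[@]}"; do DEPENDENCY_CHECK_ARGS+=(--suppression "${f}"); done`, fixes that and the word-splitting on paths with spaces, and the same applies to the `--exclude` loop. The `$(unknown)` in `dependency_check_filefilter` looks like a rendering artifact for `${filename}`; if it is literal it runs a command named `unknown` instead of testing the path.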