package org.owasp.dependencycheck.maven;

import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.text.DateFormat;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.maven.artifact.Artifact;
import org.apache.maven.doxia.sink.Sink;
import org.apache.maven.doxia.sink.SinkFactory;
import org.apache.maven.plugin.AbstractMojo;
import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugin.MojoFailureException;
import org.apache.maven.plugins.annotations.Component;
import org.apache.maven.plugins.annotations.LifecyclePhase;
import org.apache.maven.plugins.annotations.Mojo;
import org.apache.maven.plugins.annotations.Parameter;
import org.apache.maven.plugins.annotations.ResolutionScope;
import org.apache.maven.project.MavenProject;
import org.apache.maven.reporting.MavenMultiPageReport;
import org.apache.maven.reporting.MavenReportException;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
import org.owasp.dependencycheck.dependency.Identifier;
import org.owasp.dependencycheck.dependency.Reference;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
import org.owasp.dependencycheck.reporting.ReportGenerator;
import org.owasp.dependencycheck.utils.LogUtils;
import org.owasp.dependencycheck.utils.Settings;

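/**
 * Maven goal {@code check} and Maven site report. It scans the project's
 * non-test artifacts with the dependency-check {@link Engine} and reports
 * the published vulnerabilities the engine associates with them.
 *
 * <p>Security notes for maintainers:</p>
 * <ul>
 *   <li>Everything the engine returns (evidence, descriptions, licenses,
 *       reference URLs) originates from scanned third-party artifacts or from
 *       the vulnerability data feed. It is written with {@code sink.text(...)}
 *       only; {@code sink.rawText(...)} is reserved for constant markup plus an
 *       integer counter. NOTE(review): this relies on the Doxia sink escaping
 *       {@code text(...)}; confirm for the sink implementation in use.</li>
 *   <li>Link targets taken from that data are only emitted as hyperlinks when
 *       they are {@code http://} or {@code https://} URLs, see
 *       {@link #isWebUrl(String)}.</li>
 *   <li>With the default {@code failBuildOnCVSS} of 11 the build is never
 *       failed, because CVSS scores do not exceed 10.</li>
 * </ul>
 */
@Mojo(name = "check", defaultPhase = LifecyclePhase.COMPILE, threadSafe = true, requiresDependencyResolution = ResolutionScope.RUNTIME_PLUS_SYSTEM, requiresOnline = true)
/* loaded from: input_file:org/owasp/dependencycheck/maven/DependencyCheckMojo.class */
public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageReport {
    /** Class-path resource holding the settings merged in by {@link #populateSettings()}. */
    private static final String PROPERTIES_FILE = "mojo.properties";
    /** Class-path resource handed to {@code LogUtils.prepareLogger}. */
    private static final String LOG_PROPERTIES_FILE = "log.properties";
    /** Artifact scope that is excluded from scanning. */
    public static final String TEST_SCOPE = "test";

    /** Shared logger; the class logs through java.util.logging throughout. */
    private static final Logger LOGGER = Logger.getLogger(DependencyCheckMojo.class.getName());

    // NOTE(review): both NVD link prefixes are plain HTTP, so the report links can be
    // rewritten in transit. Switch to https once the endpoint is confirmed to serve it.
    /** Prefix of the NVD detail page link; the URL-encoded vulnerability name is appended. */
    private static final String NVD_VULN_URL = "http://web.nvd.nist.gov/view/vuln/detail?vulnId=";
    /** Prefix of the NVD CPE search link; the URL-encoded CPE name is appended. */
    private static final String NVD_CPE_SEARCH_URL = "http://web.nvd.nist.gov/view/vuln/search-results?cpe=";

    /** The Maven project whose artifacts are scanned. */
    @Component
    private MavenProject project;

    /** Output name of the site report, returned by {@link #getOutputName()}. */
    @Parameter(property = "report-name", defaultValue = "dependency-check-report")
    private String reportName;

    /** Log file passed to {@code LogUtils.prepareLogger}. */
    @Parameter(property = "logfile", defaultValue = "")
    private String logFile;

    /** Display name of the report, returned by {@link #getName(Locale)}. */
    @Parameter(property = "name", defaultValue = "Dependency-Check")
    private String name;

    /** Description of the report, returned by {@link #getDescription(Locale)}. */
    @Parameter(property = "description", defaultValue = "A report providing details on any published vulnerabilities within project dependencies. This report is a best effort but may contain false positives and false negatives.")
    private String description;

    /** Directory of the Maven site report. */
    @Parameter(property = "reportOutputDirectory", defaultValue = "${project.reporting.outputDirectory}", required = true)
    private File reportOutputDirectory;

    /** Directory the external (non-site) reports are written to. */
    @Parameter(defaultValue = "${project.build.directory}", required = true)
    private File outputDirectory;

    /**
     * CVSS score at or above which {@link #execute()} fails the build. Values
     * above 10 switch the gate off; the default of 11 therefore means the
     * build never fails on findings unless this is configured.
     */
    @Parameter(property = "failBuildOnCVSS", defaultValue = "11", required = true)
    private float failBuildOnCVSS = 11.0f;

    /** Forwarded to {@code Settings} under the key {@code autoupdate}. */
    @Parameter(property = "autoupdate", defaultValue = "true", required = true)
    private boolean autoUpdate = true;

    /** Report format passed to {@code ReportGenerator.generateReports}. */
    @Parameter(property = "format", defaultValue = "HTML", required = true)
    private String format = "HTML";

    /** Value returned by {@link #isExternalReport()}. */
    @Parameter(property = "externalReport", defaultValue = "false", required = true)
    private boolean externalReport = false;

    /** Forwarded to {@code Settings} as {@code proxy.url} when not empty. */
    @Parameter(property = "proxyUrl", defaultValue = "", required = false)
    private String proxyUrl = null;

    /** Forwarded to {@code Settings} as {@code proxy.port} when not empty. */
    @Parameter(property = "proxyPort", defaultValue = "", required = false)
    private String proxyPort = null;

    /** Forwarded to {@code Settings} as {@code connection.timeout} when not empty. */
    @Parameter(property = "connectionTimeout", defaultValue = "", required = false)
    private String connectionTimeout = null;

    /**
     * Configures logging and settings, scans every non-test artifact of the
     * project and runs the analyzers.
     *
     * @return the engine holding the analyzed dependencies
     */
    private Engine executeDependencyCheck() {
        final InputStream logConfig = DependencyCheckMojo.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
        LogUtils.prepareLogger(logConfig, this.logFile);
        populateSettings();
        final Engine engine = new Engine();
        for (Artifact artifact : this.project.getArtifacts()) {
            // Test-scoped artifacts are deliberately left out, so vulnerabilities in
            // test-only dependencies never appear in the report or the build gate.
            if (TEST_SCOPE.equals(artifact.getScope())) {
                continue;
            }
            engine.scan(artifact.getFile().getAbsolutePath());
        }
        engine.analyzeDependencies();
        return engine;
    }

    /**
     * Writes the external reports into {@link #outputDirectory} in the
     * configured {@link #format}.
     *
     * <p>Failures are logged and not rethrown: a report that cannot be written
     * does not stop {@link #execute()} from evaluating the CVSS build gate.</p>
     *
     * @param engine the engine holding the analyzed dependencies
     */
    private void generateExternalReports(Engine engine) {
        try {
            final ReportGenerator generator = new ReportGenerator(this.project.getName(), engine.getDependencies(), engine.getAnalyzers());
            generator.generateReports(this.outputDirectory.getCanonicalPath(), this.format);
        } catch (Exception e) {
            // IOException and every other failure were handled identically before; one
            // handler with an actual message replaces the two message-less log calls.
            LOGGER.log(Level.SEVERE, "Unable to generate the dependency-check report.", e);
        }
    }

    /**
     * Renders the Maven site report for all analyzed dependencies.
     *
     * @param engine the engine holding the analyzed dependencies
     * @param sink the Doxia sink to write to
     */
    private void generateMavenSiteReport(Engine engine, Sink sink) {
        final List<Dependency> dependencies = engine.getDependencies();
        writeSiteReportHeader(sink, this.project.getName());
        writeSiteReportTOC(sink, dependencies);
        // Running counter that makes the id of every collapsible <div> unique.
        int toggleId = 0;
        for (Dependency dependency : dependencies) {
            writeSiteReportDependencyHeader(sink, dependency);
            toggleId = writeSiteReportDependencyAnalysisExceptions(dependency, toggleId, sink);
            toggleId = writeSiteReportDependencyEvidenceUsed(dependency, toggleId, sink);
            toggleId = writeSiteReportDependencyRelatedDependencies(dependency, toggleId, sink);
            writeSiteReportDependencyIdentifiers(dependency, sink);
            // The counter must be carried over; otherwise the "vulnSoft<n>" ids of one
            // dependency are reused by the next and the toggles act on the wrong block.
            toggleId = writeSiteReportDependencyVulnerabilities(dependency, sink, toggleId);
        }
        sink.body_();
    }

    /**
     * Writes the vulnerabilities of one dependency: NVD link, severity, CVSS
     * score, CWE, description, references and vulnerable software.
     *
     * @param dependency the dependency being reported
     * @param sink the Doxia sink to write to
     * @param i the last collapsible-section id handed out so far
     * @return the last collapsible-section id handed out after this call
     */
    private int writeSiteReportDependencyVulnerabilities(Dependency dependency, Sink sink, int i) {
        int toggleId = i;
        if (dependency.getVulnerabilities() == null || dependency.getVulnerabilities().isEmpty()) {
            return toggleId;
        }
        for (Vulnerability vulnerability : dependency.getVulnerabilities()) {
            sink.paragraph();
            sink.bold();
            final String detailUrl = encodedUrl(NVD_VULN_URL, vulnerability.getName());
            if (detailUrl != null) {
                sink.link(detailUrl);
                sink.text(vulnerability.getName());
                sink.link_();
                sink.bold_();
            } else {
                // Encoding unavailable: show the name and the unencoded URL as plain text.
                sink.text(vulnerability.getName());
                sink.bold_();
                sink.lineBreak();
                sink.text(NVD_VULN_URL + vulnerability.getName());
            }
            sink.paragraph_();

            sink.paragraph();
            sink.text("Severity: ");
            sink.text(severityLabel(vulnerability.getCvssScore()));
            sink.lineBreak();
            sink.text("CVSS Score: " + vulnerability.getCvssScore());
            if (vulnerability.getCwe() != null && !vulnerability.getCwe().isEmpty()) {
                sink.lineBreak();
                sink.text("CWE: ");
                sink.text(vulnerability.getCwe());
            }
            sink.paragraph_();

            sink.paragraph();
            sink.text(vulnerability.getDescription());
            if (vulnerability.getReferences() != null && !vulnerability.getReferences().isEmpty()) {
                sink.list();
                for (Reference reference : vulnerability.getReferences()) {
                    sink.listItem();
                    sink.text(reference.getSource());
                    sink.text(" - ");
                    final String referenceUrl = reference.getUrl();
                    if (isWebUrl(referenceUrl)) {
                        sink.link(referenceUrl);
                        sink.text(reference.getName());
                        sink.link_();
                    } else {
                        // The URL comes from the data feed; anything that is not http(s)
                        // (including ftp references) is shown as text, never as an href.
                        sink.text(reference.getName());
                        if (referenceUrl != null && referenceUrl.length() > 0) {
                            sink.text(" (" + referenceUrl + ")");
                        }
                    }
                    sink.listItem_();
                }
                sink.list_();
            }
            sink.paragraph_();

            if (vulnerability.getVulnerableSoftware() != null && !vulnerability.getVulnerableSoftware().isEmpty()) {
                sink.paragraph();
                toggleId++;
                // rawText is safe here: constant markup plus an int, no scanned data.
                sink.rawText("Vulnerable Software <a href=\"javascript:toggleElement(this, 'vulnSoft" + toggleId + "')\">[-]</a>");
                sink.rawText("<div id=\"vulnSoft" + toggleId + "\" style=\"display:block\">");
                sink.list();
                for (VulnerableSoftware software : vulnerability.getVulnerableSoftware()) {
                    sink.listItem();
                    final String searchUrl = encodedUrl(NVD_CPE_SEARCH_URL, software.getName());
                    if (searchUrl != null) {
                        sink.link(searchUrl);
                        sink.text(software.getName());
                        sink.link_();
                        if (software.hasPreviousVersion()) {
                            sink.text(" and all previous versions.");
                        }
                    } else {
                        sink.text(software.getName());
                        if (software.hasPreviousVersion()) {
                            sink.text(" and all previous versions.");
                        }
                        sink.text(" (" + NVD_CPE_SEARCH_URL + software.getName() + ")");
                    }
                    sink.listItem_();
                }
                sink.list_();
                sink.rawText("</div>");
                sink.paragraph_();
            }
        }
        return toggleId;
    }

    /**
     * Writes the identifiers of a dependency, linking each one when it carries
     * an http(s) URL.
     *
     * @param dependency the dependency being reported
     * @param sink the Doxia sink to write to
     */
    private void writeSiteReportDependencyIdentifiers(Dependency dependency, Sink sink) {
        if (dependency.getIdentifiers() == null || dependency.getIdentifiers().isEmpty()) {
            return;
        }
        sink.sectionTitle4();
        sink.text("Identifiers");
        sink.sectionTitle4_();
        sink.list();
        for (Identifier identifier : dependency.getIdentifiers()) {
            sink.listItem();
            sink.text(identifier.getType());
            sink.text(": ");
            if (isWebUrl(identifier.getUrl())) {
                sink.link(identifier.getUrl());
                sink.text(identifier.getValue());
                sink.link_();
            } else {
                sink.text(identifier.getValue());
            }
            if (identifier.getDescription() != null && identifier.getDescription().length() > 0) {
                sink.lineBreak();
                sink.text(identifier.getDescription());
            }
            sink.listItem_();
        }
        sink.list_();
    }

    /**
     * Writes the collapsible list of related dependencies with their file
     * path and checksums.
     *
     * @param dependency the dependency being reported
     * @param i the last collapsible-section id handed out so far
     * @param sink the Doxia sink to write to
     * @return the last collapsible-section id handed out after this call
     */
    private int writeSiteReportDependencyRelatedDependencies(Dependency dependency, int i, Sink sink) {
        int toggleId = i;
        if (dependency.getRelatedDependencies() == null || dependency.getRelatedDependencies().isEmpty()) {
            return toggleId;
        }
        toggleId++;
        sink.sectionTitle4();
        sink.rawText("Related Dependencies <a href=\"javascript:toggleElement(this, 'related" + toggleId + "')\">[+]</a>");
        sink.sectionTitle4_();
        sink.rawText("<div id=\"related" + toggleId + "\" style=\"display:none\">");
        sink.list();
        for (Dependency related : dependency.getRelatedDependencies()) {
            sink.listItem();
            sink.text(related.getFileName());
            sink.list();
            writeListItem(sink, "File Path: " + related.getFilePath());
            writeListItem(sink, "SHA1: " + related.getSha1sum());
            writeListItem(sink, "MD5: " + related.getMd5sum());
            sink.list_();
            sink.listItem_();
        }
        sink.list_();
        sink.rawText("</div>");
        return toggleId;
    }

    /**
     * Writes the collapsible table of evidence collected for a dependency.
     * Evidence is read from the scanned artifact, so every cell goes through
     * {@code sink.text(...)}.
     *
     * @param dependency the dependency being reported
     * @param i the last collapsible-section id handed out so far
     * @param sink the Doxia sink to write to
     * @return the last collapsible-section id handed out after this call
     */
    private int writeSiteReportDependencyEvidenceUsed(Dependency dependency, int i, Sink sink) {
        int toggleId = i;
        if (dependency.getEvidenceUsed() == null || dependency.getEvidenceUsed().size() <= 0) {
            return toggleId;
        }
        toggleId++;
        sink.sectionTitle4();
        sink.rawText("Evidence Collected <a href=\"javascript:toggleElement(this, 'evidence" + toggleId + "')\">[+]</a>");
        sink.sectionTitle4_();
        sink.rawText("<div id=\"evidence" + toggleId + "\" style=\"display:none\">");
        sink.table();
        sink.tableRow();
        writeTableHeaderCell(sink, "Source");
        writeTableHeaderCell(sink, "Name");
        writeTableHeaderCell(sink, "Value");
        sink.tableRow_();
        // The element type of getEvidenceUsed() is not visible here, hence the cast.
        final Iterator<?> evidenceIterator = dependency.getEvidenceUsed().iterator();
        while (evidenceIterator.hasNext()) {
            final Evidence evidence = (Evidence) evidenceIterator.next();
            sink.tableRow();
            writeTableCell(sink, evidence.getSource());
            writeTableCell(sink, evidence.getName());
            writeTableCell(sink, evidence.getValue());
            sink.tableRow_();
        }
        sink.table_();
        sink.rawText("</div>");
        return toggleId;
    }

    /**
     * Writes the list of exceptions raised while analyzing a dependency.
     *
     * @param dependency the dependency being reported
     * @param i the last collapsible-section id handed out so far
     * @param sink the Doxia sink to write to
     * @return the last collapsible-section id handed out after this call
     */
    private int writeSiteReportDependencyAnalysisExceptions(Dependency dependency, int i, Sink sink) {
        int toggleId = i;
        if (dependency.getAnalysisExceptions() == null || dependency.getAnalysisExceptions().isEmpty()) {
            return toggleId;
        }
        toggleId++;
        sink.sectionTitle4();
        sink.rawText("<font style=\"color:red\">Errors occurred during analysis:</font> <a href=\"javascript:toggleElement(this, 'errors" + toggleId + "')\">[+]</a>");
        sink.sectionTitle4_();
        sink.rawText("<div id=\"errors" + toggleId + "\">");
        sink.list();
        for (Exception exception : dependency.getAnalysisExceptions()) {
            sink.listItem();
            sink.text(exception.getMessage());
            sink.listItem_();
        }
        sink.list_();
        sink.rawText("</div>");
        return toggleId;
    }

    /**
     * Writes the heading, description and license of a dependency. The
     * license is taken from the scanned artifact and is only turned into a
     * hyperlink when it is an http(s) URL without spaces.
     *
     * @param sink the Doxia sink to write to
     * @param dependency the dependency being reported
     */
    private void writeSiteReportDependencyHeader(Sink sink, Dependency dependency) {
        sink.sectionTitle2();
        sink.anchor("sha1" + dependency.getSha1sum());
        sink.text(dependency.getFileName());
        sink.anchor_();
        sink.sectionTitle2_();
        if (dependency.getDescription() != null && dependency.getDescription().length() > 0) {
            sink.paragraph();
            sink.bold();
            sink.text("Description: ");
            sink.bold_();
            sink.text(dependency.getDescription());
            sink.paragraph_();
        }
        final String license = dependency.getLicense();
        if (license == null || license.length() <= 0) {
            return;
        }
        sink.paragraph();
        sink.bold();
        sink.text("License: ");
        sink.bold_();
        if (isWebUrl(license)) {
            // Previously only "http://" qualified, so https license URLs were never linked.
            sink.link(license);
            sink.text(license);
            sink.link_();
        } else {
            sink.text(license);
        }
        sink.paragraph_();
    }

    /**
     * Writes a list item containing only text.
     *
     * @param sink the Doxia sink to write to
     * @param str the text of the item
     */
    private void writeListItem(Sink sink, String str) {
        sink.listItem();
        sink.text(str);
        sink.listItem_();
    }

    /**
     * Writes a table cell containing only text.
     *
     * @param sink the Doxia sink to write to
     * @param str the text of the cell
     */
    private void writeTableCell(Sink sink, String str) {
        sink.tableCell();
        sink.text(str);
        sink.tableCell_();
    }

    /**
     * Writes a table header cell containing only text.
     *
     * @param sink the Doxia sink to write to
     * @param str the text of the header cell
     */
    private void writeTableHeaderCell(Sink sink, String str) {
        sink.tableHeaderCell();
        sink.text(str);
        sink.tableHeaderCell_();
    }

    /**
     * Writes the table of contents: one linked entry per dependency, a red
     * bullet for those with vulnerabilities, and the related dependencies
     * nested below.
     *
     * @param sink the Doxia sink to write to
     * @param list the analyzed dependencies
     */
    private void writeSiteReportTOC(Sink sink, List<Dependency> list) {
        sink.list();
        for (Dependency dependency : list) {
            sink.listItem();
            sink.link("#sha1" + dependency.getSha1sum());
            sink.text(dependency.getFileName());
            sink.link_();
            // Null checks mirror the per-dependency writers, which treat null as "none".
            if (dependency.getVulnerabilities() != null && !dependency.getVulnerabilities().isEmpty()) {
                sink.rawText(" <font style=\"color:red\">•</font>");
            }
            if (dependency.getRelatedDependencies() != null && !dependency.getRelatedDependencies().isEmpty()) {
                sink.list();
                for (Dependency related : dependency.getRelatedDependencies()) {
                    writeListItem(sink, related.getFileName());
                }
                sink.list_();
            }
            sink.listItem_();
        }
        sink.list_();
    }

    /**
     * Writes the document head, the inline toggle script and the title
     * section with the generation time.
     *
     * @param sink the Doxia sink to write to
     * @param str the project name
     */
    private void writeSiteReportHeader(Sink sink, String str) {
        sink.head();
        sink.title();
        sink.text("Dependency-Check Report: " + str);
        sink.title_();
        sink.head_();
        sink.body();
        // The script is a constant; no project or scan data is concatenated into it.
        sink.rawText("<script type=\"text/javascript\">");
        sink.rawText("function toggleElement(el, targetId) {");
        sink.rawText("if (el.innerText == '[+]') {");
        sink.rawText("    el.innerText = '[-]';");
        sink.rawText("    document.getElementById(targetId).style.display='block';");
        sink.rawText("} else {");
        sink.rawText("    el.innerText = '[+]';");
        sink.rawText("    document.getElementById(targetId).style.display='none';");
        sink.rawText("}");
        sink.rawText("}");
        sink.rawText("</script>");
        sink.section1();
        sink.sectionTitle1();
        sink.text("Project: " + str);
        sink.sectionTitle1_();
        sink.date();
        sink.text(DateFormat.getDateTimeInstance().format(new Date()));
        sink.date_();
        sink.section1_();
    }

    /**
     * Tells whether a value taken from scan or feed data may be used as a
     * hyperlink target. Only {@code http://} and {@code https://} URLs without
     * spaces qualify, so other schemes never end up in an {@code href}.
     *
     * @param url the candidate link target, may be {@code null}
     * @return {@code true} if the value may be passed to {@code sink.link}
     */
    private static boolean isWebUrl(String url) {
        if (url == null) {
            return false;
        }
        final String lower = url.toLowerCase(Locale.ENGLISH);
        final boolean webScheme = lower.startsWith("http://") || lower.startsWith("https://");
        return webScheme && !url.contains(" ");
    }

    /**
     * Appends the URL-encoded value to a link prefix.
     *
     * @param prefix the link prefix ending in a query parameter
     * @param value the raw parameter value
     * @return the complete link, or {@code null} if the encoding is unavailable
     */
    private static String encodedUrl(String prefix, String value) {
        try {
            // UTF-8 instead of US-ASCII: identical for ASCII names, and non-ASCII
            // characters are percent-encoded instead of being replaced by '?'.
            return prefix + URLEncoder.encode(value, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            return null;
        }
    }

    /**
     * Maps a CVSS score to the severity label shown in the report.
     *
     * @param cvssScore the CVSS score
     * @return {@code "Low"} below 4.0, {@code "High"} from 7.0, otherwise {@code "Medium"}
     */
    private static String severityLabel(double cvssScore) {
        if (cvssScore < 4.0d) {
            return "Low";
        }
        if (cvssScore >= 7.0d) {
            return "High";
        }
        return "Medium";
    }

    /**
     * Merges the bundled {@code mojo.properties} into {@code Settings} and
     * then applies the plugin parameters (auto-update, proxy, timeout).
     */
    private void populateSettings() {
        InputStream inputStream = null;
        try {
            inputStream = getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
            if (inputStream == null) {
                // A missing resource is reported like an unreadable one instead of
                // handing null to Settings.mergeProperties.
                LOGGER.log(Level.WARNING, "Unable to load the dependency-check maven mojo.properties file.");
            } else {
                Settings.mergeProperties(inputStream);
            }
        } catch (IOException e) {
            LOGGER.log(Level.WARNING, "Unable to load the dependency-check maven mojo.properties file.");
            LOGGER.log(Level.FINE, (String) null, (Throwable) e);
        } finally {
            if (inputStream != null) {
                try {
                    inputStream.close();
                } catch (IOException e) {
                    LOGGER.log(Level.FINEST, (String) null, (Throwable) e);
                }
            }
        }
        Settings.setBoolean("autoupdate", this.autoUpdate);
        if (this.proxyUrl != null && !this.proxyUrl.isEmpty()) {
            Settings.setString("proxy.url", this.proxyUrl);
        }
        if (this.proxyPort != null && !this.proxyPort.isEmpty()) {
            Settings.setString("proxy.port", this.proxyPort);
        }
        if (this.connectionTimeout != null && !this.connectionTimeout.isEmpty()) {
            Settings.setString("connection.timeout", this.connectionTimeout);
        }
    }

    /**
     * Runs the scan, writes the external reports and, when
     * {@code failBuildOnCVSS} is 10 or lower, fails the build for findings at
     * or above that score.
     *
     * @throws MojoExecutionException declared by the Mojo contract
     * @throws MojoFailureException if a vulnerability reaches the configured score
     */
    public void execute() throws MojoExecutionException, MojoFailureException {
        final Engine engine = executeDependencyCheck();
        generateExternalReports(engine);
        // CVSS scores top out at 10, so a larger threshold (default 11) disables the gate.
        if (this.failBuildOnCVSS <= 10.0f) {
            checkForFailure(engine.getDependencies());
        }
    }

    /**
     * Generates the site report through the legacy sink type.
     *
     * @param sink the sink to write to
     * @param locale the requested locale (not used)
     * @throws MavenReportException declared by the report contract
     */
    public void generate(org.codehaus.doxia.sink.Sink sink, Locale locale) throws MavenReportException {
        generate(sink, null, locale);
    }

    /**
     * Runs the scan and renders the site report. The CVSS build gate is not
     * evaluated on this path.
     *
     * @param sink the sink to write to
     * @param sinkFactory not used
     * @param locale the requested locale (not used)
     * @throws MavenReportException declared by the report contract
     */
    public void generate(Sink sink, SinkFactory sinkFactory, Locale locale) throws MavenReportException {
        generateMavenSiteReport(executeDependencyCheck(), sink);
    }

    /**
     * @return the configured output name of the report
     */
    public String getOutputName() {
        return this.reportName;
    }

    /**
     * @return the report category, always {@code "Project Reports"}
     */
    public String getCategoryName() {
        return "Project Reports";
    }

    /**
     * @param locale the requested locale (not used)
     * @return the configured report name
     */
    public String getName(Locale locale) {
        return this.name;
    }

    /**
     * @param file the directory of the site report
     */
    public void setReportOutputDirectory(File file) {
        this.reportOutputDirectory = file;
    }

    /**
     * @return the directory of the site report
     */
    public File getReportOutputDirectory() {
        return this.reportOutputDirectory;
    }

    /**
     * @param locale the requested locale (not used)
     * @return the configured report description
     */
    public String getDescription(Locale locale) {
        return this.description;
    }

    /**
     * @return the configured {@code externalReport} flag
     */
    public boolean isExternalReport() {
        return this.externalReport;
    }

    /**
     * @return always {@code true}
     */
    public boolean canGenerateReport() {
        return true;
    }

    /**
     * Fails the build when any vulnerability has a CVSS score at or above
     * {@code failBuildOnCVSS}.
     *
     * @param list the analyzed dependencies
     * @throws MojoFailureException naming every vulnerability that reaches the threshold
     */
    private void checkForFailure(List<Dependency> list) throws MojoFailureException {
        final StringBuilder ids = new StringBuilder();
        for (Dependency dependency : list) {
            if (dependency.getVulnerabilities() == null) {
                continue;
            }
            for (Vulnerability vulnerability : dependency.getVulnerabilities()) {
                if (vulnerability.getCvssScore() >= this.failBuildOnCVSS) {
                    if (ids.length() > 0) {
                        ids.append(", ");
                    }
                    ids.append(vulnerability.getName());
                }
            }
        }
        if (ids.length() > 0) {
            // The comparison is ">=", so the message says so ("greater then" was also a typo).
            throw new MojoFailureException(String.format("%n%nDependency-Check Failure:%nOne or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '%.1f': %s%nSee the dependency-check report for more details.%n%n", Float.valueOf(this.failBuildOnCVSS), ids.toString()));
        }
    }
}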
