Implemented #8 Add support for OWASP dependency check analysis

README.md

@@ -47,6 +47,22 @@ sonar.host.url=<URL to Sonar Web UI>
 
 ## Advanced Reporting
 
+### Mutation Testing
+
+This plugin can integrate Mutation Testing results based on PITest in the review. To enable this,
+PITest must be executed as part of the Maven build.
+
+Additional goals and configuration:
+
+```
+mvn org.pitest:pitest-maven:1.1.9:scmMutationCoverage -DanalyseLastCommit=true
+```
+
+### OWASP Dependency Checks
+
+This plugin also runs a OWASP Dependency Check in case of any changes at the Maven project configuration, hence if a pom.xml is 
+part of the current patchset.
+
 ### Automated Quality Feedback
 
 The Maven plugin can add reports to the review comments. For instance, a SonarQube Plugin can generate a simple text file containing statistics about the submitted change and how it affects SonarQube metrics. This file is stored by the Plugin and can be read and added as a review comment.
@@ -78,8 +94,4 @@ SonarQube will place to files inside the .sonar/issues-report Directory of the w
 * issues-report-light.html contains only the new introduced and removed issues of the PatchSet
 * issues-report.html contains all issues of the PatchSet
 
-These Reports can be easily integrated using the Publish HTML Post Build Action of Jenkins 
-
-
-
-
+These Reports can be easily integrated using the Publish HTML Post Build Action of Jenkins

pom.xml

@@ -124,6 +124,11 @@
             <artifactId>sonar-maven-plugin</artifactId>
             <version>3.0.1</version>
         </dependency>
+        <dependency>
+            <groupId>org.twdata.maven</groupId>
+            <artifactId>mojo-executor</artifactId>
+            <version>2.2.0</version>
+        </dependency>
         <dependency>
             <groupId>junit</groupId>
             <artifactId>junit</artifactId>

src/main/java/de/mirkosertic/mavensonarsputnik/MavenEnvironment.java

@@ -0,0 +1,122 @@
+package de.mirkosertic.mavensonarsputnik;
+
+import java.io.File;
+import org.apache.maven.artifact.factory.ArtifactFactory;
+import org.apache.maven.artifact.metadata.ArtifactMetadataSource;
+import org.apache.maven.artifact.repository.ArtifactRepository;
+import org.apache.maven.artifact.resolver.ArtifactCollector;
+import org.apache.maven.execution.MavenSession;
+import org.apache.maven.execution.RuntimeInformation;
+import org.apache.maven.lifecycle.LifecycleExecutor;
+import org.apache.maven.plugin.BuildPluginManager;
+import org.apache.maven.plugin.logging.Log;
+import org.apache.maven.project.MavenProjectBuilder;
+import org.apache.maven.shared.dependency.tree.DependencyTreeBuilder;
+import org.sonatype.plexus.components.sec.dispatcher.SecDispatcher;
+
+public class MavenEnvironment {
+
+    private final static ThreadLocal<MavenEnvironment> ENVIRONMENT = new ThreadLocal();
+
+    private final MavenSession mavenSession;
+    private final BuildPluginManager buildPluginManager;
+    private final Log log;
+    private final DependencyTreeBuilder dependencyTreeBuilder;
+    private final ArtifactRepository localRepository;
+    private final SecDispatcher securityDispatcher;
+    private final MavenProjectBuilder projectBuilder;
+    private final LifecycleExecutor lifecycleExecutor;
+    private final ArtifactFactory artifactFactory;
+    private final ArtifactMetadataSource artifactMetadataSource;
+    private final ArtifactCollector artifactCollector;
+    private final File sonarConfiguration;
+    private final RuntimeInformation runtimeInformation;
+
+    public static void initialize(MavenSession aMavenSession, BuildPluginManager aBuildPluginManager, Log aLog,
+            DependencyTreeBuilder aDependencyTreeBuilder, ArtifactRepository aLocalRepository,
+            SecDispatcher aSecurityDispatcher, MavenProjectBuilder aProjectBuilder,
+            LifecycleExecutor aLifecycleExecutor, ArtifactFactory aArtifactFactory,
+            ArtifactMetadataSource aArtifactMetadataSource, ArtifactCollector aArtifactCollector, File aSonarConfiguration, RuntimeInformation aRuntimeInformation) {
+        ENVIRONMENT.set(new MavenEnvironment(aMavenSession, aBuildPluginManager, aLog,
+                aDependencyTreeBuilder, aLocalRepository,
+                aSecurityDispatcher, aProjectBuilder,
+                aLifecycleExecutor, aArtifactFactory,
+                aArtifactMetadataSource, aArtifactCollector, aSonarConfiguration, aRuntimeInformation));
+    }
+
+    public static MavenEnvironment get() {
+        return ENVIRONMENT.get();
+    }
+
+    public MavenEnvironment(MavenSession aMavenSession, BuildPluginManager aBuildPluginManager, Log aLog,
+            DependencyTreeBuilder aDependencyTreeBuilder, ArtifactRepository aLocalRepository,
+            SecDispatcher aSecurityDispatcher, MavenProjectBuilder aProjectBuilder,
+            LifecycleExecutor aLifecycleExecutor, ArtifactFactory aArtifactFactory,
+            ArtifactMetadataSource aArtifactMetadataSource, ArtifactCollector aArtifactCollector, File aSonarConfiguration, RuntimeInformation aRuntimeInformation) {
+        mavenSession = aMavenSession;
+        buildPluginManager = aBuildPluginManager;
+        log = aLog;
+        dependencyTreeBuilder = aDependencyTreeBuilder;
+        localRepository = aLocalRepository;
+        securityDispatcher = aSecurityDispatcher;
+        projectBuilder = aProjectBuilder;
+        lifecycleExecutor = aLifecycleExecutor;
+        artifactFactory = aArtifactFactory;
+        artifactMetadataSource = aArtifactMetadataSource;
+        artifactCollector = aArtifactCollector;
+        sonarConfiguration = aSonarConfiguration;
+        runtimeInformation = aRuntimeInformation;
+    }
+
+    public MavenSession getMavenSession() {
+        return mavenSession;
+    }
+
+    public BuildPluginManager getBuildPluginManager() {
+        return buildPluginManager;
+    }
+
+    public Log getLog() {
+        return log;
+    }
+
+    public DependencyTreeBuilder getDependencyTreeBuilder() {
+        return dependencyTreeBuilder;
+    }
+
+    public ArtifactRepository getLocalRepository() {
+        return localRepository;
+    }
+
+    public SecDispatcher getSecurityDispatcher() {
+        return securityDispatcher;
+    }
+
+    public MavenProjectBuilder getProjectBuilder() {
+        return projectBuilder;
+    }
+
+    public RuntimeInformation getRuntimeInformation() {
+        return runtimeInformation;
+    }
+
+    public LifecycleExecutor getLifecycleExecutor() {
+        return lifecycleExecutor;
+    }
+
+    public ArtifactFactory getArtifactFactory() {
+        return artifactFactory;
+    }
+
+    public ArtifactMetadataSource getArtifactMetadataSource() {
+        return artifactMetadataSource;
+    }
+
+    public ArtifactCollector getArtifactCollector() {
+        return artifactCollector;
+    }
+
+    public File getSonarConfiguration() {
+        return sonarConfiguration;
+    }
+}

src/main/java/de/mirkosertic/mavensonarsputnik/MavenSonarSputnikMojo.java

@@ -9,16 +9,13 @@
 import org.apache.maven.execution.RuntimeInformation;
 import org.apache.maven.lifecycle.LifecycleExecutor;
 import org.apache.maven.plugin.AbstractMojo;
+import org.apache.maven.plugin.BuildPluginManager;
 import org.apache.maven.plugin.MojoExecutionException;
 import org.apache.maven.plugin.MojoFailureException;
 import org.apache.maven.plugins.annotations.*;
 import org.apache.maven.project.MavenProjectBuilder;
 import org.apache.maven.shared.dependency.tree.DependencyTreeBuilder;
 
-import org.sonar.runner.api.EmbeddedRunner;
-import org.sonarsource.scanner.maven.DependencyCollector;
-import org.sonarsource.scanner.maven.ExtensionsFactory;
-import org.sonarsource.scanner.maven.bootstrap.*;
 import org.sonatype.plexus.components.sec.dispatcher.SecDispatcher;
 
 import pl.touk.sputnik.configuration.CliOption;
@@ -50,6 +47,9 @@ public class MavenSonarSputnikMojo extends AbstractMojo {
     @Component
     private RuntimeInformation runtimeInformation;
 
+    @Component
+    private BuildPluginManager pluginManager;
+
     /**
      * The gerrit change id.
      */
@@ -132,59 +132,26 @@ public void execute() throws MojoExecutionException, MojoFailureException {
             theSputnikProperties.setProperty(CliOption.CHANGE_ID.getKey(), theChangeID);
             theSputnikProperties.setProperty(CliOption.REVISION_ID.getKey(), theRevision);
 
-            SonarExecutor theExecutor = new SonarExecutor() {
-                @Override
-                public File executeSonar() throws Exception {
-                    File theWorkingDirectory = MavenProjectConverter.getSonarWorkDir(mavenSession.getCurrentProject());
-                    theWorkingDirectory.mkdirs();
-
-                    // This will switch the cache to the working directory
-                    System.setProperty("SONAR_USER_HOME", theWorkingDirectory.toString());
-
-                    ExtensionsFactory theExtensionsFactory = new ExtensionsFactory(getLog(), mavenSession, lifecycleExecutor, artifactFactory, localRepository, artifactMetadataSource, artifactCollector,
-                            dependencyTreeBuilder, projectBuilder);
-                    DependencyCollector theDependencyCollector = new DependencyCollector(dependencyTreeBuilder, localRepository);
-                    MavenProjectConverter theMavenProjectConverter = new MavenProjectConverter(getLog(), theDependencyCollector);
-                    LogHandler theLogHandler = new LogHandler(getLog());
-
-                    PropertyDecryptor thePropertyDecryptor = new PropertyDecryptor(getLog(), securityDispatcher);
-
-                    RunnerFactory theRunnerFactory = new RunnerFactory(theLogHandler, getLog().isDebugEnabled(), runtimeInformation, mavenSession, thePropertyDecryptor);
-
-                    EmbeddedRunner theRunner = theRunnerFactory.create();
-
-                    Properties theSonarConfigurationToAdd = new Properties();
-                    theSonarConfigurationToAdd.load(getClass().getResourceAsStream("/default-sonar.properties"));
-                    try (InputStream theStream = new FileInputStream(sonarConfiguration)) {
-                        theSonarConfigurationToAdd.load(theStream);
-                    }
-
-                    theRunner.addGlobalProperties(theSonarConfigurationToAdd);
-
-                    new RunnerBootstrapper(getLog(), mavenSession, theRunner, theMavenProjectConverter, theExtensionsFactory, thePropertyDecryptor).execute();
-
-                    return new File(theWorkingDirectory, "sonar-report.json");
-                };
-            };
-
-            SonarExecutorHelper.set(theExecutor);
+            MavenEnvironment.initialize(mavenSession, pluginManager, getLog(),
+                    dependencyTreeBuilder, localRepository,
+                    securityDispatcher, projectBuilder,
+                    lifecycleExecutor, artifactFactory,
+                    artifactMetadataSource, artifactCollector, sonarConfiguration, runtimeInformation);
 
             Configuration theConfiguration = ConfigurationBuilder.initFromProperties(theSputnikProperties);
 
             ConnectorFacade facade = getConnectorFacade(theConfiguration);
             new Engine(facade, theConfiguration).run();
         } catch (Exception e) {
             throw new MojoExecutionException("Error invoking sputnik", e);
-        } finally {
-            SonarExecutorHelper.remove();
         }
     }
 
-    private static ConnectorFacade getConnectorFacade(Configuration configuration) {
+    private static ConnectorFacade getConnectorFacade(Configuration aConfiguration) {
         ConnectorType theConnectorType = ConnectorType
-                .getValidConnectorType(configuration.getProperty(GeneralOption.CONNECTOR_TYPE));
-        ConnectorFacade theFacade = ConnectorFacadeFactory.INSTANCE.build(theConnectorType, configuration);
-        theFacade.validate(configuration);
+                .getValidConnectorType(aConfiguration.getProperty(GeneralOption.CONNECTOR_TYPE));
+        ConnectorFacade theFacade = ConnectorFacadeFactory.INSTANCE.build(theConnectorType, aConfiguration);
+        theFacade.validate(aConfiguration);
         return theFacade;
     }
 }

src/main/java/pl/touk/sputnik/engine/ProcessorBuilder.java

@@ -8,6 +8,7 @@
 import pl.touk.sputnik.processor.findbugs.FindBugsProcessor;
 import pl.touk.sputnik.processor.jshint.JsHintProcessor;
 import pl.touk.sputnik.processor.jslint.JsLintProcessor;
+import pl.touk.sputnik.processor.owasp.OWASPDependencyCheckProcessor;
 import pl.touk.sputnik.processor.pitest.PITestProcessor;
 import pl.touk.sputnik.processor.pmd.PmdProcessor;
 import pl.touk.sputnik.processor.scalastyle.ScalastyleProcessor;
@@ -49,6 +50,9 @@ public static List<ReviewProcessor> buildProcessors(Configuration configuration)
         if (Boolean.valueOf(configuration.getProperty(PITestProcessor.PITEST_ENABLED))) {
             processors.add(new PITestProcessor(configuration));
         }
+        if (Boolean.valueOf(configuration.getProperty(OWASPDependencyCheckProcessor.OWASPDEPENDENCYCHECK_ENABLED))) {
+            processors.add(new OWASPDependencyCheckProcessor(configuration));
+        }
         return processors;
     }
 }