#155 add failOnDetection plugin configuration to generate OSS Index report without failing build (#158)

sgilhooly · web-flow · commit 2e0cea399683 · 2024-05-09T15:06:47.000-05:00
diff --git a/README.md b/README.md
@@ -68,7 +68,7 @@ plugins {
 }
 ```
 
-Some basic examples will be provided next, which we strongly advice to read :)
+Some basic examples follow, which we strongly advise reading :)
 
 After doing so, specific usage on CI tools can be found at https://github.com/guillermo-varela/example-scan-gradle-plugin
 
@@ -104,6 +104,10 @@ ossIndexAudit {
     excludeCoordinates = ['commons-fileupload:commons-fileupload:1.3'] // list containing coordinate of components which if vulnerable should be ignored
     excludeCompileOnly = true // if true then dependencies under the 'compileOnly' configuration will be ignored. By default is false
 
+    // By default, the audit scan will fail the task/build if any vulnerabilities are found.
+    // Set this to 'false' to allow the task to succeed even when vulnerabilities are detected.
+    failOnDetection = true
+
     // Output options
     outputFormat = 'DEFAULT' // Optional, other values are: 'DEPENDENCY_GRAPH' prints dependency graph showing direct/transitive dependencies, 'JSON_CYCLONE_DX_1_4' prints a CycloneDX 1.4 SBOM in JSON format.
     cycloneDxComponentType = 'LIBRARY' // Optional, only used when outputFormat = 'JSON_CYCLONE_DX_1_4' to define the type of component this project is for the BOM metadata with possible values: 'LIBRARY' (default), 'APPLICATION', 'FRAMEWORK', 'CONTAINER', 'OPERATING_SYSTEM', 'DEVICE', 'FIRMWARE' and 'FILE'.
@@ -144,6 +148,10 @@ ossIndexAudit {
         listOf("commons-fileupload:commons-fileupload:1.3") // list containing coordinate of components which if vulnerable should be ignored
     excludeCompileOnly = true // if true then dependencies under the 'compileOnly' configuration will be ignored. By default is false
 
+    // By default, the audit scan will fail the task/build if any vulnerabilities are found.
+    // Set this to 'false' to allow the task to succeed even when vulnerabilities are detected.
+    failOnDetection = true
+
     // Output options
     outputFormat = "DEFAULT" // Optional, other values are: "DEPENDENCY_GRAPH" prints dependency graph showing direct/transitive dependencies, "JSON_CYCLONE_DX_1_4" prints a CycloneDX 1.4 SBOM in JSON format.
     cycloneDxComponentType = "LIBRARY" // Optional, only used when outputFormat = "JSON_CYCLONE_DX_1_4" to define the type of component this project is for the BOM metadata with possible values: "LIBRARY" (default), "APPLICATION", "FRAMEWORK", "CONTAINER", "OPERATING_SYSTEM", "DEVICE", "FIRMWARE" and "FILE".
diff --git a/src/main/java/org/sonatype/gradle/plugins/scan/ossindex/OssIndexAuditTask.java b/src/main/java/org/sonatype/gradle/plugins/scan/ossindex/OssIndexAuditTask.java
@@ -122,7 +122,7 @@ public void audit() {
       throw new GradleException("Could not audit the project: " + e.getMessage(), e);
     }
 
-    if (hasVulnerabilities) {
+    if (hasVulnerabilities && extension.isFailOnDetection()) {
       throw new GradleException("Vulnerabilities detected, check log output to review them");
     }
   }
diff --git a/src/main/java/org/sonatype/gradle/plugins/scan/ossindex/OssIndexPluginExtension.java b/src/main/java/org/sonatype/gradle/plugins/scan/ossindex/OssIndexPluginExtension.java
@@ -63,6 +63,8 @@ public class OssIndexPluginExtension
 
   private boolean printBanner;
 
+  private boolean failOnDetection;
+
   private Set<String> excludeVulnerabilityIds;
 
   private Set<String> excludeCoordinates;
@@ -86,6 +88,7 @@ public OssIndexPluginExtension(Project project) {
     colorEnabled = true;
     showAll = false;
     printBanner = true;
+    failOnDetection = true;
     excludeVulnerabilityIds = new HashSet<>();
     excludeCoordinates = new HashSet<>();
     outputFormat = OutputFormat.DEFAULT;
@@ -214,6 +217,14 @@ public void setPrintBanner(boolean printBanner) {
     this.printBanner = printBanner;
   }
 
+  public boolean isFailOnDetection() {
+    return failOnDetection;
+  }
+
+  public void setFailOnDetection(boolean failOnDetection) {
+    this.failOnDetection = failOnDetection;
+  }
+
   public Set<String> getExcludeVulnerabilityIds() {
     return excludeVulnerabilityIds;
   }
diff --git a/src/test/java/org/sonatype/gradle/plugins/scan/ossindex/OssIndexAuditTaskTest.java b/src/test/java/org/sonatype/gradle/plugins/scan/ossindex/OssIndexAuditTaskTest.java
@@ -44,6 +44,7 @@
 import org.mockito.junit.MockitoJUnitRunner;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatCode;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.gradle.api.plugins.JavaPlugin.COMPILE_CLASSPATH_CONFIGURATION_NAME;
 import static org.mockito.ArgumentMatchers.anyList;
@@ -91,6 +92,16 @@ public void testAudit_vulnerabilities() throws Exception {
     verify(ossIndexClientMock).requestComponentReports(eq(Collections.singletonList(COMMONS_COLLECTIONS_PURL)));
   }
 
+  @Test
+  public void testAudit_vulnerabilitiesNoFailOnDetection() throws Exception {
+    setupComponentReport(true);
+    OssIndexAuditTask taskSpy = buildAuditTaskSpy(false, (project, extension) -> extension.setFailOnDetection(false));
+
+    assertThatCode(taskSpy::audit).doesNotThrowAnyException();
+
+    verify(ossIndexClientMock).requestComponentReports(eq(Collections.singletonList(COMMONS_COLLECTIONS_PURL)));
+  }
+
   @Test
   public void testAudit_verifyModulesIncludedIsApplied() throws Exception {
     setupComponentReport(true);

Original file line number	Diff line number	Diff line change
`@@ -122,7 +122,7 @@ public void audit() {`
`122`	`122`	`throw new GradleException("Could not audit the project: " + e.getMessage(), e);`
`123`	`123`	`}`
`124`	`124`
`125`		`- if (hasVulnerabilities) {`
	`125`	`+ if (hasVulnerabilities && extension.isFailOnDetection()) {`
`126`	`126`	`throw new GradleException("Vulnerabilities detected, check log output to review them");`
`127`	`127`	`}`
`128`	`128`	`}`