feat: Add support for failBuildOnUnusedSuppressionRule (#430)

Signed-off-by: Chad Wilson <chadw@thoughtworks.com>

Author: chadlwilson

src/main/groovy/org/owasp/dependencycheck/gradle/extension/DependencyCheckExtension.groovy

@@ -166,6 +166,10 @@ class DependencyCheckExtension {
      * is 0.0 which means all identified vulnerabilities would be considered a failure.
      */
     Float junitFailOnCVSS = 0.0f
+    /**
+     * Specifies that if any unused suppression rule is found, the build will fail.
+     */
+    Boolean failBuildOnUnusedSuppressionRule = false
     /**
      * Displays a summary of the findings. Defaults to true.
      */

src/main/groovy/org/owasp/dependencycheck/gradle/tasks/ConfiguredTask.groovy

@@ -106,6 +106,7 @@ abstract class ConfiguredTask extends DefaultTask {
 
         settings.setBooleanIfNotNull(DOWNLOADER_QUICK_QUERY_TIMESTAMP, config.quickQueryTimestamp)
         settings.setFloat(JUNIT_FAIL_ON_CVSS, config.junitFailOnCVSS)
+        settings.setBooleanIfNotNull(FAIL_ON_UNUSED_SUPPRESSION_RULE, config.failBuildOnUnusedSuppressionRule)
         settings.setBooleanIfNotNull(HOSTED_SUPPRESSIONS_ENABLED, config.hostedSuppressions.enabled)
         settings.setBooleanIfNotNull(HOSTED_SUPPRESSIONS_FORCEUPDATE, config.hostedSuppressions.forceupdate)
         settings.setStringIfNotNull(HOSTED_SUPPRESSIONS_URL, config.hostedSuppressions.url)

src/test/groovy/org/owasp/dependencycheck/gradle/DependencyCheckConfigurationSelectionIntegSpec.groovy

@@ -132,6 +132,20 @@ class DependencyCheckConfigurationSelectionIntegSpec extends Specification {
         result.task(":$ANALYZE_TASK").outcome == SUCCESS
     }
 
+    def "analysis fails when unused suppression rule is present"() {
+        given:
+        copyBuildFileIntoProjectDir('suppressionFilesFailOnUnusedRule.gradle')
+        copyResourceFileIntoProjectDir('suppressions.xml', 'suppressions.xml')
+
+        when:
+        def result = executeTaskAndGetResult(ANALYZE_TASK, false)
+
+        then:
+        result.task(":$ANALYZE_TASK").outcome == FAILED
+        result.output.contains('Suppression Rule had zero matches')
+        result.output.contains('commons-collections')
+    }
+
 
     private void copyBuildFileIntoProjectDir(String buildFileName) {
         copyResourceFileIntoProjectDir(buildFileName, 'build.gradle')

src/test/groovy/org/owasp/dependencycheck/gradle/DependencyCheckGradlePluginSpec.groovy

@@ -97,46 +97,31 @@ class DependencyCheckGradlePluginSpec extends Specification {
         def slackWebhookUrl = 'https://slack.com/webhook'
         when:
         project.dependencyCheck {
-            proxy {
-                server = '127.0.0.1'
-                port = 3128
-                username = 'proxyUsername'
-                password = 'proxyPassword'
-                nonProxyHosts = ['localhost']
-            }
-            nvd {
-                apiKey = 'apiKey'
-                delay = 5000
-                maxRetryCount = 20
-            }
-
-            hostedSuppressions {
-                url = 'suppressionsurl'
-                validForHours = 5
-                forceupdate = true
-            }
-
-            slack {
-                enabled = true
-                webhookUrl = slackWebhookUrl
-            }
-
-            analyzers {
-                artifactory {
-                    enabled = true
-                    url = 'https://example.com/artifacgtory'
-                    bearerToken = 'abc123=='
-                }
-                kev {
-                    enabled = false
-                    url = "https://example.com"
-                    validForHours = 12
-                }
-                retirejs {
-                    filters = ['filter1', 'filter2']
-                    filterNonVulnerable = true
-                }
-            }
+            proxy.server = '127.0.0.1'
+            proxy.port = 3128
+            proxy.username = 'proxyUsername'
+            proxy.password = 'proxyPassword'
+            proxy.nonProxyHosts = ['localhost']
+
+            nvd.apiKey = 'apiKey'
+            nvd.delay = 5000
+            nvd.maxRetryCount = 20
+
+            hostedSuppressions.url = 'suppressionsurl'
+            hostedSuppressions.validForHours = 5
+            hostedSuppressions.forceupdate = true
+
+            slack.enabled = true
+            slack.webhookUrl = slackWebhookUrl
+
+            analyzers.artifactory.enabled = true
+            analyzers.artifactory.url = 'https://example.com/artifacgtory'
+            analyzers.artifactory.bearerToken = 'abc123=='
+            analyzers.kev.enabled = false
+            analyzers.kev.url = "https://example.com"
+            analyzers.kev.validForHours = 12
+            analyzers.retirejs.filters = ['filter1', 'filter2']
+            analyzers.retirejs.filterNonVulnerable = true
 
             outputDirectory = 'outputDirectory'
             quickQueryTimestamp = false

src/test/groovy/org/owasp/dependencycheck/gradle/DependencyCheckPluginIntegSpec.groovy

@@ -57,9 +57,7 @@ class DependencyCheckPluginIntegSpec extends Specification {
                         implementation group: 'commons-collections', name: 'commons-collections', version: '3.2'
                     }
                     dependencyCheck {
-                        nvd {
-                            datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
-                        }
+                        nvd.datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
                     }
                 """.stripIndent()
             }
@@ -100,9 +98,7 @@ class DependencyCheckPluginIntegSpec extends Specification {
                         implementation group: 'commons-collections', name: 'commons-collections', version: '3.2'
                     }
                     dependencyCheck {
-                        nvd {
-                            datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
-                        }
+                        nvd.datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
                     }
                 """.stripIndent()
             }

src/test/resources/aggregateParent.gradle

@@ -6,9 +6,7 @@ plugins {
 dependencyCheck {
     failOnError=true
     format="HTML"
-    nvd {
-        datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
-    }
+    nvd.datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
 }
 
 subprojects {

src/test/resources/blacklistCustomConfiguration.gradle

@@ -22,7 +22,5 @@ dependencies {
 dependencyCheck {
     failBuildOnCVSS = 0
     skipConfigurations = ['foo']
-    nvd {
-        datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
-    }
+    nvd.datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
 }

src/test/resources/noSkipTestGroups.gradle

@@ -30,7 +30,5 @@ dependencies {
 dependencyCheck {
     failBuildOnCVSS = 0
     skipTestGroups = false
-    nvd {
-        datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
-    }
+    nvd.datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
 }

src/test/resources/outputDir.gradle

@@ -20,7 +20,5 @@ dependencies {
 }
 
 dependencyCheck {
-    nvd {
-        datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
-    }
+    nvd.datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
 }

src/test/resources/scanAdditionalCpesConfiguration.gradle

@@ -23,7 +23,5 @@ dependencyCheck {
             cpe = "cpe:2.3:a:apache:commons_fileupload:1.3.1:*:*:*:*:*:*:*"
         }
     }
-    nvd {
-        datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
-    }
+    nvd.datafeedUrl = 'https://jeremylong.github.io/DependencyCheck/hb_nvd/'
 }