version 1.0.10 repo file

github action test

.github/workflows/github-actions-test.yml

@@ -0,0 +1,15 @@
+name: Maven Test
+on: [push]
+jobs:
+  run_tests:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Set up JDK 11
+        uses: actions/setup-java@v2
+        with:
+          java-version: '11'
+          distribution: 'adopt'
+      - name: Run tests with Maen
+        run: mvn -B test

CHANGES

@@ -2,6 +2,16 @@ Changelog
 
 =========
 
+Version 1.0.10
+
+- feature  Add "result" to dump file after inspect
+
+Version 1.0.9
+
+- feature  Add parent and modules fields to dump file
+- feature  `-DonlyAnalyze` allow not have `endpoint`
+- bugfix   Fix `-DoutputDepToFile` only dump last module dependencies bug
+
 Version 1.0.8
 
 - feature  dump dependencies tree to file include / exclude scan result

README.md

@@ -76,12 +76,13 @@ Maven >= 3.1
 
 > MOSEC_ENDPOINT=http://127.0.0.1:9000/api/plugin \
   mvn com.immomo.momosec:mosec-maven-plugin:1.0.7:test \
-  -DonlyProvenance=true
+  -DonlyProvenance=true \
+  -Dseverity=High
 
 // 或简化方式
 
 > MOSEC_ENDPOINT=http://127.0.0.1:9000/api/plugin \
-  mvn mosec:test -DonlyProvenance=true
+  mvn mosec:test -DonlyProvenance=true -Dseverity=High
 ```
 
 #### 项目中使用
@@ -144,7 +145,7 @@ mosec:test
       User property: onlyProvenance
 
     outputDepToFile (Default: )
-      输出依赖树到文件，如果用户设置了onlyAnalyze=true则仅输出依赖树，否则输出依赖树以及漏洞检查结果
+      输出依赖树到文件。设置-DonlyAnalyze=true仅输出依赖树，否则输出依赖树及漏洞检查结果
       User property: outputDepToFile
 
     severityLevel (Default: High)

mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.10/mosec-maven-plugin-1.0.10.jar.md5

@@ -0,0 +1 @@
+37a4ba5984e49a3e3d223b1cc4e4155c

mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.10/mosec-maven-plugin-1.0.10.jar.sha1

@@ -0,0 +1 @@
+46bc283f96e383b3f49dc497f4dae97156b4311a

mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.10/mosec-maven-plugin-1.0.10.pom

@@ -0,0 +1,134 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <prerequisites>
+    <maven>3.1.0</maven>
+  </prerequisites>
+
+  <groupId>com.immomo.momosec</groupId>
+  <artifactId>mosec-maven-plugin</artifactId>
+  <version>1.0.10</version>
+  <packaging>maven-plugin</packaging>
+
+  <name>Mosec Maven Plugin</name>
+  <description>用于检测Maven项目的第三方依赖组件是否存在安全漏洞</description>
+
+  <developers>
+    <developer>
+      <name>retanoj</name>
+      <email>mmsrc@immomo.com</email>
+    </developer>
+  </developers>
+
+  <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <mavenVersion>3.3.9</mavenVersion>
+  </properties>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.apache.maven</groupId>
+      <artifactId>maven-core</artifactId>
+      <version>${mavenVersion}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.maven.plugin-tools</groupId>
+      <artifactId>maven-plugin-annotations</artifactId>
+      <version>3.2</version>
+      <scope>provided</scope>
+    </dependency>
+    <dependency>
+      <groupId>com.google.code.gson</groupId>
+      <artifactId>gson</artifactId>
+      <version>2.8.5</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.httpcomponents</groupId>
+      <artifactId>httpclient</artifactId>
+      <version>4.5.13</version>
+    </dependency>
+
+
+    <dependency>
+      <groupId>org.apache.maven.plugin-testing</groupId>
+      <artifactId>maven-plugin-testing-harness</artifactId>
+      <version>3.3.0</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <version>4.13</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.mockito</groupId>
+      <artifactId>mockito-core</artifactId>
+      <version>2.28.2</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.powermock</groupId>
+      <artifactId>powermock-api-mockito2</artifactId>
+      <version>2.0.9</version>
+    </dependency>
+    <dependency>
+      <groupId>org.powermock</groupId>
+      <artifactId>powermock-module-junit4</artifactId>
+      <version>2.0.9</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.maven</groupId>
+      <artifactId>maven-compat</artifactId>
+      <version>3.3.9</version>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-plugin-plugin</artifactId>
+        <version>3.5</version>
+        <configuration>
+          <goalPrefix>mosec</goalPrefix>
+          <skipErrorNoDescriptorsFound>true</skipErrorNoDescriptorsFound>
+        </configuration>
+        <executions>
+          <execution>
+            <id>mojo-descriptor</id>
+            <goals>
+              <goal>descriptor</goal>
+            </goals>
+          </execution>
+          <execution>
+            <id>help-goal</id>
+            <goals>
+              <goal>helpmojo</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <version>3.6.2</version>
+        <configuration>
+          <source>1.8</source>
+          <target>1.8</target>
+          <compilerArgument>-Xlint</compilerArgument>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+
+  <distributionManagement>
+    <repository>
+      <id>internal</id>
+      <url>file://mvn-repo</url>
+    </repository>
+  </distributionManagement>
+</project>

mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.10/mosec-maven-plugin-1.0.10.pom.md5

@@ -0,0 +1 @@
+9bf2b25d67d575d0b4fac08655b4fbfb

mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.10/mosec-maven-plugin-1.0.10.pom.sha1

@@ -0,0 +1 @@
+0e8fbe6e1a3b829903f36a9f125b0508a8c2cc6c

mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.9/mosec-maven-plugin-1.0.9.jar.md5

@@ -0,0 +1 @@
+b2f9266d0f2b2a87e5e177eaecd35543

mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.9/mosec-maven-plugin-1.0.9.jar.sha1

@@ -0,0 +1 @@
+5b2151f84cee0197018a567674db051e94dfd334

mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.9/mosec-maven-plugin-1.0.9.pom

@@ -0,0 +1,124 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <prerequisites>
+    <maven>3.1.0</maven>
+  </prerequisites>
+
+  <groupId>com.immomo.momosec</groupId>
+  <artifactId>mosec-maven-plugin</artifactId>
+  <version>1.0.9</version>
+  <packaging>maven-plugin</packaging>
+
+  <name>Mosec Maven Plugin</name>
+  <description>用于检测Maven项目的第三方依赖组件是否存在安全漏洞</description>
+
+  <developers>
+    <developer>
+      <name>retanoj</name>
+      <email>mmsrc@immomo.com</email>
+    </developer>
+  </developers>
+
+  <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <mavenVersion>3.3.9</mavenVersion>
+  </properties>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.apache.maven</groupId>
+      <artifactId>maven-core</artifactId>
+      <version>${mavenVersion}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.maven.plugin-tools</groupId>
+      <artifactId>maven-plugin-annotations</artifactId>
+      <version>3.2</version>
+      <scope>provided</scope>
+    </dependency>
+    <dependency>
+      <groupId>com.google.code.gson</groupId>
+      <artifactId>gson</artifactId>
+      <version>2.8.5</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.httpcomponents</groupId>
+      <artifactId>httpclient</artifactId>
+      <version>4.5.13</version>
+    </dependency>
+
+
+    <dependency>
+      <groupId>org.apache.maven.plugin-testing</groupId>
+      <artifactId>maven-plugin-testing-harness</artifactId>
+      <version>3.3.0</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <version>4.13</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.mockito</groupId>
+      <artifactId>mockito-core</artifactId>
+      <version>2.28.2</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.maven</groupId>
+      <artifactId>maven-compat</artifactId>
+      <version>3.3.9</version>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-plugin-plugin</artifactId>
+        <version>3.5</version>
+        <configuration>
+          <goalPrefix>mosec</goalPrefix>
+          <skipErrorNoDescriptorsFound>true</skipErrorNoDescriptorsFound>
+        </configuration>
+        <executions>
+          <execution>
+            <id>mojo-descriptor</id>
+            <goals>
+              <goal>descriptor</goal>
+            </goals>
+          </execution>
+          <execution>
+            <id>help-goal</id>
+            <goals>
+              <goal>helpmojo</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <version>3.6.2</version>
+        <configuration>
+          <source>1.8</source>
+          <target>1.8</target>
+          <compilerArgument>-Xlint</compilerArgument>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+
+  <distributionManagement>
+    <repository>
+      <id>internal</id>
+      <url>file://mvn-repo</url>
+    </repository>
+  </distributionManagement>
+</project>

mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.9/mosec-maven-plugin-1.0.9.pom.md5

@@ -0,0 +1 @@
+591d374bf6de6cd28897bdbf4360b454

mvn-repo/com/immomo/momosec/mosec-maven-plugin/1.0.9/mosec-maven-plugin-1.0.9.pom.sha1

@@ -0,0 +1 @@
+5f6abdce51651103068ef2004f5661f827e1e94d

mvn-repo/com/immomo/momosec/mosec-maven-plugin/maven-metadata.xml

@@ -3,12 +3,14 @@
   <groupId>com.immomo.momosec</groupId>
   <artifactId>mosec-maven-plugin</artifactId>
   <versioning>
-    <latest>1.0.8</latest>
+    <latest>1.0.10</latest>
-    <release>1.0.8</release>
+    <release>1.0.10</release>
     <versions>
       <version>1.0.7</version>
       <version>1.0.8</version>
+      <version>1.0.9</version>
+      <version>1.0.10</version>
     </versions>
-    <lastUpdated>20210621033628</lastUpdated>
+    <lastUpdated>20220412023537</lastUpdated>
   </versioning>
 </metadata>

mvn-repo/com/immomo/momosec/mosec-maven-plugin/maven-metadata.xml.md5

@@ -1 +1 @@
-95c17d487c921627a9b97445e2a00f47
+2f7ff63cc756db36bc3059a016d7f99a

mvn-repo/com/immomo/momosec/mosec-maven-plugin/maven-metadata.xml.sha1

@@ -1 +1 @@
-4f2ce91855db9e696891caa64a322b381bef5894
+a347d34be60bccb963f0a9796f9780fac85a6eba

pom.xml

@@ -8,7 +8,7 @@
 
   <groupId>com.immomo.momosec</groupId>
   <artifactId>mosec-maven-plugin</artifactId>
-  <version>1.0.8</version>
+  <version>1.0.10</version>
   <packaging>maven-plugin</packaging>
 
   <name>Mosec Maven Plugin</name>
@@ -68,6 +68,16 @@
       <version>2.28.2</version>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.powermock</groupId>
+      <artifactId>powermock-api-mockito2</artifactId>
+      <version>2.0.9</version>
+    </dependency>
+    <dependency>
+      <groupId>org.powermock</groupId>
+      <artifactId>powermock-module-junit4</artifactId>
+      <version>2.0.9</version>
+    </dependency>
     <dependency>
       <groupId>org.apache.maven</groupId>
       <artifactId>maven-compat</artifactId>

src/main/java/com/immomo/momosec/maven/plugins/MosecTest.java

@@ -23,6 +23,7 @@ import org.apache.http.client.HttpClient;
 import org.apache.http.client.methods.HttpPost;
 import org.apache.http.entity.StringEntity;
 import org.apache.maven.plugin.AbstractMojo;
+import org.apache.maven.plugin.MojoExecutionException;
 import org.apache.maven.plugin.MojoFailureException;
 import org.apache.maven.plugins.annotations.Component;
 import org.apache.maven.plugins.annotations.Mojo;
@@ -37,7 +38,10 @@ import org.eclipse.aether.repository.RemoteRepository;
 import java.io.BufferedReader;
 import java.io.InputStreamReader;
 import java.util.ArrayList;
+import java.util.HashSet;
 import java.util.List;
+import java.util.TreeSet;
+import java.util.stream.Collectors;
 
 import static com.immomo.momosec.maven.plugins.Renderer.writeToFile;
 
@@ -104,13 +108,16 @@ public class MosecTest extends AbstractMojo {
     @Parameter(property = "onlyAnalyze", defaultValue = "false")
     private Boolean onlyAnalyze;
 
-    public void execute() throws MojoFailureException {
+    private static List<JsonObject> collectTree = new ArrayList<>();
+    private static List<String> totalProjectsByGAV = null;
+
+    public void execute() throws MojoExecutionException, MojoFailureException {
         String env_endpoint = System.getenv(Constants.MOSEC_ENDPOINT_ENV);
         if (env_endpoint != null) {
             endpoint = env_endpoint;
         }
 
-        if (endpoint == null) {
+        if (Boolean.FALSE.equals(onlyAnalyze) && endpoint == null) {
             throw new MojoFailureException(Constants.ERROR_ON_NULL_ENDPOINT);
         }
 
@@ -142,20 +149,25 @@ public class MosecTest extends AbstractMojo {
             );
             collector.collectDependencies();
             JsonObject projectTree = collector.getTree();
+            String jsonDepTree = new GsonBuilder().setPrettyPrinting().create().toJson(projectTree);
+            getLog().debug(jsonDepTree);
+
+            collectTree.add(projectTree.deepCopy());
+            if (Boolean.TRUE.equals(onlyAnalyze)) {
+                if (this.isAnalyzeTotalFinished()
+                        && outputDepToFile != null
+                        && !"".equals(outputDepToFile)
+                ) {
+                    writeToFile(outputDepToFile, new GsonBuilder().setPrettyPrinting().create().toJson(collectTree));
+                }
+
+                getLog().info("onlyAnalyze mode, Done.");
+                return;
+            }
 
             projectTree.addProperty("type", Constants.BUILD_TOOL_TYPE);
             projectTree.addProperty("language", Constants.PROJECT_LANGUAGE);
             projectTree.addProperty("severityLevel", severityLevel);
-            String jsonDepTree = new GsonBuilder().setPrettyPrinting().create().toJson(projectTree);
-            getLog().debug(jsonDepTree);
-
-            if (Boolean.TRUE.equals(onlyAnalyze)) {
-                if (!"".equals(outputDepToFile) && outputDepToFile != null) {
-                    writeToFile(outputDepToFile, jsonDepTree);
-                }
-                getLog().info("onlyAnalyze mode, Done.");
-                return;
-            }
 
             HttpPost request = new HttpPost(endpoint);
             request.addHeader("content-type", Constants.CONTENT_TYPE_JSON);
@@ -174,17 +186,21 @@ public class MosecTest extends AbstractMojo {
             JsonObject responseJson;
             try {
                 responseJson = parser.parse(new BufferedReader(new InputStreamReader(response.getEntity().getContent()))).getAsJsonObject();
+                JsonObject lastTree = collectTree.get(collectTree.size() - 1);
+                lastTree.add("result", responseJson);
             } catch (JsonParseException | IllegalStateException e) {
                 throw new NetworkErrorException(Constants.ERROR_ON_API);
             }
-            if (!"".equals(outputDepToFile) && outputDepToFile != null) {
+
-                writeToFile(outputDepToFile, jsonDepTree, responseJson);
+            if (outputDepToFile != null && !"".equals(outputDepToFile)) {
+                writeToFile(outputDepToFile, new GsonBuilder().setPrettyPrinting().create().toJson(collectTree));
             }
+
             Renderer renderer = new Renderer(getLog(), failOnVuln);
             renderer.renderResponse(responseJson);
 
         } catch (DependencyCollectionException e) {
-            throw new MojoFailureException(e.getMessage());
+            throw new MojoFailureException(e.getMessage(), e.fillInStackTrace());
         } catch(MojoFailureException e) {
             throw e;
         } catch(Exception e) {
@@ -194,6 +210,31 @@ public class MosecTest extends AbstractMojo {
                 getLog().error(Constants.ERROR_GENERAL);
                 getLog().error(Constants.ERROR_RERUN_WITH_DEBUG);
             }
+            throw new MojoFailureException(e.getMessage(), e.fillInStackTrace());
         }
     }
+
+    @SuppressWarnings("unchecked")
+    private boolean isAnalyzeTotalFinished() {
+        if (totalProjectsByGAV == null) {
+            Object key = repositorySystemSession.getWorkspaceReader().getRepository().getKey();
+            if (key instanceof HashSet) {
+                HashSet<String> gavs = (HashSet<String>) key;
+                totalProjectsByGAV = (List<String>) gavs.stream().collect(Collectors.toList());
+            } else {
+                return false;
+            }
+        }
+        List<String> analyzedProjectsByGAV = collectTree.stream()
+                .map(o -> String.format("%s:%s", o.get("name").getAsString(), o.get("version").getAsString()))
+                .collect(Collectors.toList());
+
+        if (totalProjectsByGAV == null
+                || analyzedProjectsByGAV == null
+                || totalProjectsByGAV.size() != analyzedProjectsByGAV.size()
+        ) {
+            return false;
+        }
+        return new TreeSet<String>(totalProjectsByGAV).equals(new TreeSet<String>(analyzedProjectsByGAV));
+    }
 }

src/main/java/com/immomo/momosec/maven/plugins/ProjectDependencyCollector.java

@@ -15,8 +15,10 @@
  */
 package com.immomo.momosec.maven.plugins;
 
+import com.google.gson.Gson;
 import com.google.gson.JsonArray;
 import com.google.gson.JsonObject;
+import org.apache.maven.model.Model;
 import org.apache.maven.project.MavenProject;
 import org.eclipse.aether.DefaultRepositorySystemSession;
 import org.eclipse.aether.RepositorySystem;
@@ -93,6 +95,17 @@ public class ProjectDependencyCollector {
         DependencyNode node = collectResult.getRoot();
 
         this.tree = createJsonTree(node, null);
+        MavenProject parent = this.project.getParent();
+        if (parent == null) {
+            this.tree.add("parent", new JsonObject());
+        } else {
+            JsonObject jParent = new JsonObject();
+            jParent.addProperty("name", String.format("%s:%s", parent.getGroupId(), parent.getArtifactId()));
+            jParent.addProperty("version", parent.getVersion());
+            this.tree.add("parent", jParent);
+        }
+
+        tree.add("modules", (new Gson()).toJsonTree(this.project.getModules()).getAsJsonArray());
     }
 
     private JsonObject createJsonTree(DependencyNode depNode, JsonArray ancestors) {

src/test/java/com/immomo/momosec/maven/plugins/TestMosecTest.java

@@ -15,15 +15,38 @@
  */
 package com.immomo.momosec.maven.plugins;
 
+import org.apache.http.HttpEntity;
+import org.apache.http.HttpResponse;
+import org.apache.http.StatusLine;
+import org.apache.http.client.HttpClient;
+import org.apache.maven.plugin.logging.Log;
 import org.apache.maven.plugin.testing.MojoRule;
 import org.apache.maven.plugin.testing.resources.TestResources;
+import org.eclipse.aether.RepositorySystem;
+import org.eclipse.aether.artifact.DefaultArtifact;
+import org.eclipse.aether.collection.CollectResult;
+import org.eclipse.aether.graph.DefaultDependencyNode;
+import org.eclipse.aether.graph.DependencyNode;
 import org.junit.Assert;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.ExpectedException;
+import org.junit.runner.RunWith;
+import org.powermock.core.classloader.annotations.PrepareForTest;
+import org.powermock.modules.junit4.PowerMockRunner;
 
+import java.io.ByteArrayInputStream;
 import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.reflect.Field;
 
+import static org.mockito.ArgumentMatchers.any;
+import static org.powermock.api.mockito.PowerMockito.*;
+
+
+@RunWith(PowerMockRunner.class)
+@PrepareForTest({HttpClientHelper.class, MosecTest.class})
 public class TestMosecTest {
 
     @Rule
@@ -41,8 +64,6 @@ public class TestMosecTest {
     public void invalidProjectTest() throws Exception {
         File projectCopy = this.resources.getBasedir("empty-dir");
         File pom = new File(projectCopy, "pom.xml");
-        Assert.assertNotNull(pom);
-        Assert.assertFalse(pom.exists());
 
         exceptionRule.expect(java.io.FileNotFoundException.class);
         exceptionRule.expectMessage("(No such file or directory)");
@@ -52,14 +73,117 @@ public class TestMosecTest {
 
     @Test
     public void validProjectTest() throws Exception {
-        File projectCopy = this.resources.getBasedir("valid-project");
+        File pom = getPom("valid-project", "pom.xml");
-        File pom = new File(projectCopy, "pom.xml");
-
-        Assert.assertNotNull(pom);
-        Assert.assertTrue(pom.exists());
 
         MosecTest mosecTest = (MosecTest)this.rule.lookupMojo("test", pom);
         Assert.assertNotNull(mosecTest);
     }
 
+    @Test
+    public void onlyAnalyzeWithoutEndpointPom() throws Exception {
+        File pom = getPom("valid-project", "onlyAnalyzeWithoutEndpointPom.xml");
+
+        MosecTest mosecTest = spy((MosecTest) this.rule.lookupMojo("test", pom));
+
+        RepositorySystem mockRepositorySystem = mock(RepositorySystem.class);
+        CollectResult mockCollectResult = mock(CollectResult.class);
+        DependencyNode mockRoot = new DefaultDependencyNode(
+                new DefaultArtifact("com.immomo.momosec", "MyTestProject", "jar", "1.0.0"));
+
+        when(mosecTest.getLog()).thenReturn(mock(Log.class));
+        when(mockRepositorySystem.collectDependencies(any(), any())).thenReturn(mockCollectResult);
+        when(mockCollectResult.getRoot()).thenReturn(mockRoot);
+
+        Field repoSystemField = mosecTest.getClass().getDeclaredField("repositorySystem");
+        repoSystemField.setAccessible(true);
+        repoSystemField.set(mosecTest, mockRepositorySystem);
+
+        mosecTest.execute();
+    }
+
+    @Test
+    public void onlyAnalyzeWithEndpointPom() throws Exception {
+        File pom = getPom("valid-project", "onlyAnalyzeWithEndpointPom.xml");
+
+        MosecTest mosecTest = spy((MosecTest) this.rule.lookupMojo("test", pom));
+
+        RepositorySystem mockRepositorySystem = mock(RepositorySystem.class);
+        CollectResult mockCollectResult = mock(CollectResult.class);
+        DependencyNode mockRoot = new DefaultDependencyNode(
+                new DefaultArtifact("com.immomo.momosec", "MyTestProject", "jar", "1.0.0"));
+
+        when(mosecTest.getLog()).thenReturn(mock(Log.class));
+        when(mockRepositorySystem.collectDependencies(any(), any())).thenReturn(mockCollectResult);
+        when(mockCollectResult.getRoot()).thenReturn(mockRoot);
+
+        Field repoSystemField = mosecTest.getClass().getDeclaredField("repositorySystem");
+        repoSystemField.setAccessible(true);
+        repoSystemField.set(mosecTest, mockRepositorySystem);
+
+        mosecTest.execute();
+    }
+
+    @Test
+    public void testFailOnVulnWithTruePom() throws Exception {
+        File pom = getPom("valid-project", "failOnVulnWithTruePom.xml");
+        exceptionRule.expectMessage("Dependency Vulnerable Found!");
+        failOnVulnPomRunner(pom);
+    }
+
+    @Test
+    public void testFailOnVulnWithFalsePom() throws Exception {
+        File pom = getPom("valid-project", "failOnVulnWithFalsePom.xml");
+        failOnVulnPomRunner(pom);
+    }
+
+    private void failOnVulnPomRunner(File pom) throws Exception {
+        MosecTest mosecTest = spy((MosecTest) this.rule.lookupMojo("test", pom));
+
+        RepositorySystem mockRepositorySystem = mock(RepositorySystem.class);
+        CollectResult mockCollectResult = mock(CollectResult.class);
+        DependencyNode mockRoot = new DefaultDependencyNode(
+                new DefaultArtifact("com.immomo.momosec", "MyTestProject", "jar", "1.0.0"));
+        HttpClientHelper mockHttpClientHelper = mock(HttpClientHelper.class);
+        HttpClient mockHttpClient = mock(HttpClient.class);
+        HttpResponse mockHttpResponse = mock(HttpResponse.class);
+        StatusLine mockStatusLine = mock(StatusLine.class);
+        HttpEntity mockHttpEntity = mock(HttpEntity.class);
+
+        when(mosecTest.getLog()).thenReturn(mock(Log.class));
+        when(mockRepositorySystem.collectDependencies(any(), any())).thenReturn(mockCollectResult);
+        when(mockCollectResult.getRoot()).thenReturn(mockRoot);
+        whenNew(HttpClientHelper.class).withAnyArguments().thenReturn(mockHttpClientHelper);
+        when(mockHttpClientHelper.buildHttpClient()).thenReturn(mockHttpClient);
+        when(mockHttpClient.execute(any())).thenReturn(mockHttpResponse);
+        when(mockHttpResponse.getStatusLine()).thenReturn(mockStatusLine);
+        when(mockStatusLine.getStatusCode()).thenReturn(200);
+        String vuln = "{\"ok\":false, \"dependencyCount\": 2, \"vulnerabilities\":[{" +
+                "\"severity\": \"High\"," +
+                "\"title\": \"Fastjson RCE\"," +
+                "\"cve\": \"CVE-0000-0001\"," +
+                "\"packageName\": \"com.alibaba:fastjson\"," +
+                "\"version\": \"1.2.33\"," +
+                "\"target_version\": [\"1.2.80\"]" +
+                "}]}";
+        InputStream httpResponseContent = new ByteArrayInputStream(vuln.getBytes());
+        when(mockHttpResponse.getEntity()).thenReturn(mockHttpEntity);
+        when(mockHttpEntity.getContent()).thenReturn(httpResponseContent);
+
+        Field repoSystemField = mosecTest.getClass().getDeclaredField("repositorySystem");
+        repoSystemField.setAccessible(true);
+        repoSystemField.set(mosecTest, mockRepositorySystem);
+
+        mosecTest.execute();
+    }
+
+    public File getPom(String baseDir, String fn) throws IOException {
+        File projectCopy = this.resources.getBasedir(baseDir);
+        File pom = new File(projectCopy, fn);
+
+        Assert.assertNotNull(pom);
+        Assert.assertTrue(pom.exists());
+
+        return pom;
+    }
+
 }

src/test/java/com/immomo/momosec/maven/plugins/stubs/MyTestProjectSystemSessionStub.java

@@ -15,8 +15,11 @@
  */
 package com.immomo.momosec.maven.plugins.stubs;
 
+import org.apache.maven.model.Model;
+import org.apache.maven.repository.internal.MavenWorkspaceReader;
 import org.codehaus.plexus.PlexusTestCase;
 import org.eclipse.aether.*;
+import org.eclipse.aether.artifact.Artifact;
 import org.eclipse.aether.artifact.ArtifactType;
 import org.eclipse.aether.artifact.ArtifactTypeRegistry;
 import org.eclipse.aether.collection.*;
@@ -25,8 +28,12 @@ import org.eclipse.aether.repository.*;
 import org.eclipse.aether.resolution.ArtifactDescriptorPolicy;
 import org.eclipse.aether.resolution.ResolutionErrorPolicy;
 import org.eclipse.aether.transfer.TransferListener;
+import org.eclipse.aether.util.repository.ChainedWorkspaceReader;
 
+import java.io.File;
 import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
 import java.util.Map;
 
 public class MyTestProjectSystemSessionStub implements RepositorySystemSession {
@@ -103,7 +110,29 @@ public class MyTestProjectSystemSessionStub implements RepositorySystemSession {
 
     @Override
     public WorkspaceReader getWorkspaceReader() {
-        return null;
+        return new MavenWorkspaceReader() {
+            @Override
+            public Model findModel(Artifact artifact) {
+                return null;
+            }
+
+            @Override
+            public WorkspaceRepository getRepository() {
+                return new WorkspaceRepository("mock", new HashSet<String>(){{
+                    add("com.immomo.momosec:MyTestProject:1.0.0");
+                }});
+            }
+
+            @Override
+            public File findArtifact(Artifact artifact) {
+                return null;
+            }
+
+            @Override
+            public List<String> findVersions(Artifact artifact) {
+                return null;
+            }
+        };
     }
 
     @Override

src/test/resources/projects/empty-dir/foo

@@ -0,0 +1 @@
+

src/test/resources/projects/module-project/dumpDepFile.txt

@@ -0,0 +1,66 @@
+[
+  {
+    "version": "1.0.0",
+    "name": "com.immomo.momosec:ModuleProject",
+    "from": [
+      "com.immomo.momosec:ModuleProject@1.0.0"
+    ],
+    "dependencies": {},
+    "parent": {},
+    "modules": [
+      "moduleA",
+      "moduleB"
+    ]
+  },
+  {
+    "version": "1.0.0",
+    "name": "com.immomo.momosec:ModuleA",
+    "from": [
+      "com.immomo.momosec:ModuleA@1.0.0"
+    ],
+    "dependencies": {},
+    "parent": {
+      "name": "com.immomo.momosec:ModuleProject",
+      "version": "1.0.0"
+    },
+    "modules": [
+      "moduleSubA"
+    ]
+  },
+  {
+    "version": "1.0.0",
+    "name": "com.immomo.momosec:ModuleSubA",
+    "from": [
+      "com.immomo.momosec:ModuleSubA@1.0.0"
+    ],
+    "dependencies": {
+      "com.alibaba:fastjson": {
+        "version": "1.2.33",
+        "name": "com.alibaba:fastjson",
+        "from": [
+          "com.immomo.momosec:ModuleSubA@1.0.0",
+          "com.alibaba:fastjson@1.2.33"
+        ],
+        "dependencies": {}
+      }
+    },
+    "parent": {
+      "name": "com.immomo.momosec:ModuleA",
+      "version": "1.0.0"
+    },
+    "modules": []
+  },
+  {
+    "version": "1.0.0",
+    "name": "com.immomo.momosec:ModuleB",
+    "from": [
+      "com.immomo.momosec:ModuleB@1.0.0"
+    ],
+    "dependencies": {},
+    "parent": {
+      "name": "com.immomo.momosec:ModuleProject",
+      "version": "1.0.0"
+    },
+    "modules": []
+  }
+]

src/test/resources/projects/module-project/moduleA/moduleSubA/pom.xml

@@ -0,0 +1,19 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>com.immomo.momosec</groupId>
+        <artifactId>ModuleA</artifactId>
+        <version>1.0.0</version>
+    </parent>
+    <artifactId>ModuleSubA</artifactId>
+    <packaging>pom</packaging>
+
+    <dependencies>
+        <dependency>
+            <groupId>com.alibaba</groupId>
+            <artifactId>fastjson</artifactId>
+        </dependency>
+    </dependencies>
+</project>

src/test/resources/projects/module-project/moduleA/pom.xml

@@ -0,0 +1,16 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>com.immomo.momosec</groupId>
+        <artifactId>ModuleProject</artifactId>
+        <version>1.0.0</version>
+    </parent>
+    <artifactId>ModuleA</artifactId>
+    <packaging>pom</packaging>
+
+    <modules>
+        <module>moduleSubA</module>
+    </modules>
+</project>

src/test/resources/projects/module-project/moduleB/pom.xml

@@ -0,0 +1,13 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>com.immomo.momosec</groupId>
+        <artifactId>ModuleProject</artifactId>
+        <version>1.0.0</version>
+    </parent>
+    <artifactId>ModuleB</artifactId>
+    <packaging>pom</packaging>
+
+</project>

src/test/resources/projects/module-project/pom.xml

@@ -0,0 +1,26 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>com.immomo.momosec</groupId>
+    <artifactId>ModuleProject</artifactId>
+    <packaging>pom</packaging>
+    <version>1.0.0</version>
+
+    <modules>
+        <module>moduleA</module>
+        <module>moduleB</module>
+    </modules>
+
+    <name>Mosec Maven Plugin Test Project</name>
+
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>com.alibaba</groupId>
+                <artifactId>fastjson</artifactId>
+                <version>1.2.33</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+</project>

src/test/resources/projects/valid-project/failOnVulnWithFalsePom.xml

@@ -0,0 +1,49 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>com.immomo.momosec</groupId>
+  <artifactId>MyTestProject</artifactId>
+  <version>1.0.0</version>
+
+  <name>Mosec Maven Plugin Test Project</name>
+
+
+  <dependencies>
+    <dependency>
+      <groupId>com.alibaba</groupId>
+      <artifactId>fastjson</artifactId>
+      <version>1.2.33</version>
+    </dependency>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <version>4.13</version>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>com.immomo.momosec</groupId>
+        <artifactId>mosec-maven-plugin</artifactId>
+        <configuration>
+          <!-- The defined stubs -->
+          <project implementation="com.immomo.momosec.maven.plugins.stubs.MyTestProjectStub"/>
+          <settings implementation="com.immomo.momosec.maven.plugins.stubs.MyTestProjectSettingsStub"/>
+          <repositorySystemSession implementation="com.immomo.momosec.maven.plugins.stubs.MyTestProjectSystemSessionStub" />
+          <!-- The defined stubs end -->
+          <remoteProjectRepositories></remoteProjectRepositories>
+          <remotePluginRepositories></remotePluginRepositories>
+
+          <severityLevel>High</severityLevel>
+          <failOnVuln>False</failOnVuln>
+          <onlyProvenance>true</onlyProvenance>
+          <endpoint>https://fake.endpoint.com/</endpoint>
+          <includeProvidedDependency>false</includeProvidedDependency>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+</project>

src/test/resources/projects/valid-project/failOnVulnWithTruePom.xml

@@ -0,0 +1,49 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>com.immomo.momosec</groupId>
+  <artifactId>MyTestProject</artifactId>
+  <version>1.0.0</version>
+
+  <name>Mosec Maven Plugin Test Project</name>
+
+
+  <dependencies>
+    <dependency>
+      <groupId>com.alibaba</groupId>
+      <artifactId>fastjson</artifactId>
+      <version>1.2.33</version>
+    </dependency>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <version>4.13</version>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>com.immomo.momosec</groupId>
+        <artifactId>mosec-maven-plugin</artifactId>
+        <configuration>
+          <!-- The defined stubs -->
+          <project implementation="com.immomo.momosec.maven.plugins.stubs.MyTestProjectStub"/>
+          <settings implementation="com.immomo.momosec.maven.plugins.stubs.MyTestProjectSettingsStub"/>
+          <repositorySystemSession implementation="com.immomo.momosec.maven.plugins.stubs.MyTestProjectSystemSessionStub" />
+          <!-- The defined stubs end -->
+          <remoteProjectRepositories></remoteProjectRepositories>
+          <remotePluginRepositories></remotePluginRepositories>
+
+          <severityLevel>High</severityLevel>
+          <failOnVuln>True</failOnVuln>
+          <onlyProvenance>true</onlyProvenance>
+          <endpoint>https://fake.endpoint.com/</endpoint>
+          <includeProvidedDependency>false</includeProvidedDependency>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+</project>

src/test/resources/projects/valid-project/onlyAnalyzeWithEndpointPom.xml

@@ -0,0 +1,50 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>com.immomo.momosec</groupId>
+  <artifactId>MyTestProject</artifactId>
+  <version>1.0.0</version>
+
+  <name>Mosec Maven Plugin Test Project</name>
+
+
+  <dependencies>
+    <dependency>
+      <groupId>com.alibaba</groupId>
+      <artifactId>fastjson</artifactId>
+      <version>1.2.33</version>
+    </dependency>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <version>4.13</version>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>com.immomo.momosec</groupId>
+        <artifactId>mosec-maven-plugin</artifactId>
+        <configuration>
+          <!-- The defined stubs -->
+          <project implementation="com.immomo.momosec.maven.plugins.stubs.MyTestProjectStub"/>
+          <settings implementation="com.immomo.momosec.maven.plugins.stubs.MyTestProjectSettingsStub"/>
+          <repositorySystemSession implementation="com.immomo.momosec.maven.plugins.stubs.MyTestProjectSystemSessionStub" />
+          <!-- The defined stubs end -->
+          <remoteProjectRepositories></remoteProjectRepositories>
+          <remotePluginRepositories></remotePluginRepositories>
+
+          <severityLevel>High</severityLevel>
+          <failOnVuln>False</failOnVuln>
+          <onlyProvenance>true</onlyProvenance>
+          <onlyAnalyze>true</onlyAnalyze>
+          <endpoint>https://fake.endpoint.com/</endpoint>
+          <includeProvidedDependency>false</includeProvidedDependency>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+</project>

src/test/resources/projects/valid-project/onlyAnalyzeWithoutEndpointPom.xml

@@ -0,0 +1,49 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>com.immomo.momosec</groupId>
+  <artifactId>MyTestProject</artifactId>
+  <version>1.0.0</version>
+
+  <name>Mosec Maven Plugin Test Project</name>
+
+
+  <dependencies>
+    <dependency>
+      <groupId>com.alibaba</groupId>
+      <artifactId>fastjson</artifactId>
+      <version>1.2.33</version>
+    </dependency>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <version>4.13</version>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>com.immomo.momosec</groupId>
+        <artifactId>mosec-maven-plugin</artifactId>
+        <configuration>
+          <!-- The defined stubs -->
+          <project implementation="com.immomo.momosec.maven.plugins.stubs.MyTestProjectStub"/>
+          <settings implementation="com.immomo.momosec.maven.plugins.stubs.MyTestProjectSettingsStub"/>
+          <repositorySystemSession implementation="com.immomo.momosec.maven.plugins.stubs.MyTestProjectSystemSessionStub" />
+          <!-- The defined stubs end -->
+          <remoteProjectRepositories></remoteProjectRepositories>
+          <remotePluginRepositories></remotePluginRepositories>
+
+          <severityLevel>High</severityLevel>
+          <failOnVuln>False</failOnVuln>
+          <onlyProvenance>true</onlyProvenance>
+          <onlyAnalyze>true</onlyAnalyze>
+          <includeProvidedDependency>false</includeProvidedDependency>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+</project>

src/test/resources/projects/vuln-project/pom.xml

@@ -15,12 +15,29 @@
       <artifactId>fastjson</artifactId>
       <version>1.2.33</version>
     </dependency>
-    <dependency>
-      <groupId>junit</groupId>
-      <artifactId>junit</artifactId>
-      <version>4.13</version>
-      <scope>test</scope>
-    </dependency>
   </dependencies>
 
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>com.immomo.momosec</groupId>
+        <artifactId>mosec-maven-plugin</artifactId>
+        <configuration>
+          <!-- The defined stubs -->
+          <project implementation="com.immomo.momosec.maven.plugins.stubs.MyTestProjectStub"/>
+          <settings implementation="com.immomo.momosec.maven.plugins.stubs.MyTestProjectSettingsStub"/>
+          <repositorySystemSession implementation="com.immomo.momosec.maven.plugins.stubs.MyTestProjectSystemSessionStub" />
+          <!-- The defined stubs end -->
+          <remoteProjectRepositories></remoteProjectRepositories>
+          <remotePluginRepositories></remotePluginRepositories>
+
+          <severityLevel>High</severityLevel>
+          <failOnVuln>False</failOnVuln>
+          <onlyProvenance>true</onlyProvenance>
+          <endpoint>https://fake.endpoint.com/</endpoint>
+          <includeProvidedDependency>false</includeProvidedDependency>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
 </project>