Generated at: $generatedAt

Generated for:

Space	GroupId	ArtifactId	Version
$space.getSpaceToken()	$app.getMvnGroup()	$app.getArtifact()	$app.getVersion()

Aggregated report: $isAggregated

#if($isAggregated)

Aggregated projects ($projects.size()): +

#end

Parameter	Actual Value	Parameter Description
exceptionThreshold	$exceptionThreshold	Specifies if and when the plugin will throw a build exception. Possible values (default: dependsOn): noException - no build exception will be thrown, regardless of the analysis results dependsOn - an exception will be thrown if at least one application project depends on an archive with known vulnerabilities (typically by declaring a dependency in the POM file) potentiallyExecutes* - an exception will be thrown if at least one application project can potentially execute vulnerable code (according to static source code analysis). actuallyExecutes* - an exception will be thrown if at least one application project actually executes vulnerable code during application tests. * Please consider this notice when using those configuration options.
exceptionScopeBlacklist	$exceptionScopeBlacklist	List of scopes that will be ignored when deciding whether to throw a build exception Possible values: compile, provided, runtime, test, system Default: [TEST, PROVIDED]
exceptionExcludedBugs	$exceptionExcludedBugs	List of security vulnerabilities that will be ignored (exempted) when deciding whether to throw a build exception Example: CVE-2014-0050 Default: none #if( $obsoleteExemptionsHistorical || $obsoleteExemptionsSignatureNotPresent ) Obsolete exemptions (historical vulnerabilities): $obsoleteExemptionsHistorical Obsolete exemptions (signatures of vulnerable code not present): $obsoleteExemptionsSignatureNotPresent #end

#if($thresholdMet) No critical dependencies on vulnerable archives have been found (critical according to the defined threshold of "$exceptionThreshold"), no build exception is thrown.

#else One or more critical dependencies on vulnerable archives have been found (critical according to the defined threshold of $exceptionThreshold, and considering the excluded scopes and bugs). Accordingly, a build exception is thrown in order to break the current build process. Those application projects in whose context the exception threshold is violated are highlighted in red font. Please correct those dependencies in order to avoid the build exception. #end

The following table shows all archives (column #1) that are subject to a known vulnerability (column #2). Columns #3-5 list Maven application projects that have a dependency on the respective archive, click on them to see more details in the Vulas Web Frontend.

#if($isAggregated) Since this is an aggregated report, the application projects listed in the table are submodules of the project for which the report was created. #else Since this a non-aggregated report, the application project listed in the table is identical to the project for which the report was created. #end

Note that historical vulnerabilities, i.e., cases in which a previous than the used release of a library was vulnerable are skipped in this report. You can still see them in the Vulas Web frontend.

#foreach( $vul in $vulnsToReport ) #if( $vul.hasFindingsAboveThreshold() ) #else #end #end

Archive Filename (SHA1)	Vulnerability (CVSS Score)	Applications including vulnerable code	Applications potentially executing vulnerable code	Applications actually executing vulnerable code
		Applications listed here: depend on a vulnerable release of the respective archive (directly or transitively)	Applications listed here: potentially execute vulnerable code of the respective archive (according to static source code analysis)	Applications listed here: actually execute Vulnerable code of the respective archive during application tests (JUnit or integration)
$vul.filename $vul.archiveid	#if( $vul.bug.getReference().isEmpty() ) $vul.bug.getBugId() $vul.bug.getCvssDisplayString() #else $vul.bug.getBugId() $vul.bug.getCvssDisplayString() #end	$vul.filename $vul.archiveid	#if( $vul.bug.getReference().isEmpty() ) $vul.bug.getBugId() $vul.bug.getCvssDisplayString() #else $vul.bug.getBugId() $vul.bug.getCvssDisplayString() #end	#foreach( $analysis in $vul.analyses ) $analysis.getApp().getArtifact() $analysis.getApp().getMvnGroup() : $analysis.getApp().getArtifact() : $analysis.getApp().getVersion() Scope: $analysis.getDep().getScope() Transitive dependency: $analysis.getDep().getTransitive() #if( $exceptionThreshold=='dependsOn' && $analysis.isThrowsExceptionExcluded() ) A build exception for this finding was suppressed according to the goal configuration #end #if( $analysis.isAffectedVersion() && $analysis.isAffectedVersionConfirmed() ) The application uses a library version with vulnerable code #elseif( $analysis.isNoneAffectedVersion() ) Historical vulnerability: The application uses a library version with non-vulnerable code #elseif( !$analysis.isAffectedVersionConfirmed() ) It could not automatically be determined whether "$vul.filename" is indeed a vulnerable release, please get back to the Vulas team to have this case checked #end #end	#foreach( $analysis in $vul.analyses ) #if( !$analysis.isNoneAffectedVersion()) $analysis.getApp().getArtifact() $analysis.getApp().getMvnGroup() : $analysis.getApp().getArtifact() : $analysis.getApp().getVersion() Scope: $analysis.getDep().getScope() Transitive dependency: $analysis.getDep().getTransitive() #if( $exceptionThreshold=='potentiallyExecutes' && $analysis.isThrowsExceptionExcluded() ) A build exception for this finding was suppressed according to the goal configuration #end #if( $analysis.isReachable() ) Vulnerable library code is potentially reachable #elseif( $analysis.isNotReachable() ) Non-vulnerable library is potentially reachable #elseif( !$analysis.isReachableConfirmed() ) No library code reachable or reachability analysis not performed #end #end #end	#foreach( $analysis in $vul.analyses ) #if( !$analysis.isNoneAffectedVersion()) $analysis.getApp().getArtifact() $analysis.getApp().getMvnGroup() : $analysis.getApp().getArtifact() : $analysis.getApp().getVersion() Scope: $analysis.getDep().getScope() Transitive dependency: $analysis.getDep().getTransitive() #if( $exceptionThreshold=='actuallyExecutes' && $analysis.isThrowsExceptionExcluded() ) A build exception for this finding was suppressed according to the goal configuration #end #if( $analysis.isTraced() ) Vulnerable library code executed during tests #elseif( $analysis.isNotTraced() ) Non-vulnerable library code executed during tests #elseif( !$analysis.isTracedConfirmed() ) No library code executed or no tests have been performed #end #end #end

• Vulas Web Frontend: The frontend of the central Vulas engine (with which the Maven plugin communicates during execution)
• Vulas Wiki: General end user and background information
• mailto: DL VULAS: Get assistance from and provide feedback to the Vulas development team