ounce:report

Generate the scan results as part of the site.

Mojo Attributes:

  • Requires a Maven 2.0 project to execute.
  • Executes as an aggregator plugin.
  • Automatically executes within the lifecycle phase: site
  • Invokes the execution of the lifecycle phase package prior to executing itself.
  • Executes in its own lifecycle: scan

Optional Parameters

Name Type Description
applicationFile String The location of the application file (.paf) to scan. Default value is ${basedir}/${project.artifactId}.paf.
assessmentName String A name to help identify the assessment.
assessmentOutput String A filename to which to save the assessment.

If filename is not specified, Ounce/Maven generates a name based on the application name and timestamp and saves it to the application's working directory.
caller String A short string to help identify the corresponding entries in the ounceauto log file.
coreHint String This hint provides a way to switch the core implementation. Consult Ounce support for details; most users should leave this set to the default. Use -Dounce.core=console to have the output displayed instead of written to the file, for debugging purposes. Default value is ouncexml.
existingAssessmentFile String Specify the name of an existing assessment for which to generate a report. If not specified, Ounce/Maven scans the application and generates the report from that assessment.
includeSrcAfter int Number of lines of source code to include in the report after each finding.
includeSrcBefore int Number of lines of source code to include in the report before each finding.
installDir String The location of the Ounce client installation directory if the Ounce client is not on the path.
pathVariableMap Map Map of Ounce variable names and paths.

pathVariableMap variables are automatically registered with Ounce by the Ounce/Maven plugin if the Ounce Automation Server is installed.
publish boolean Automatically publish the assessment following the completion of the scan. Default value is false.
reportOutputPath String The path to which to write the report specified in reportType. Required with reportType.
reportOutputType String The output to generate for the report specified in reportType. Required with reportType. Output type may be html, zip, pdf-summary, pdf-detailed, pdf-comprehensive, or pdf-annotated.
reportType String Generates an Ounce report of the specified type, including findings reports, SmartAudit Reports, and, if available, custom reports. Ounce/Maven generates a report for this assessment after the scan completes.

The following report types are included: Findings, Findings By CWE, Findings By API, Findings By Classification, Findings By File, Findings By Type, Findings By Bundle, OWASP Top Ten, PCI Data Security Standard, Ounce Software Security Profile, or OWASP Top Ten 2007.

If you specify reportType, then reportOutputType and reportOutputPath are required.
siteRenderer Renderer For internal use only.
skipPoms boolean Whether pom packaging projects should be skipped. Typically these will not have source code and should be excluded. This is true by default because the application or projects are typically created at a pom level and the poms have no source to be analyzed. Only change this if you have source in your "pom" packaging projects that needs to be scanned. Default value is true.
waitForScan boolean Forces the goal to wait until the scan finishes, thus blocking the Maven build. This is useful if the scan is being performed from the report mojo as part of integration with the site target and the site is getting deployed. Default value is false.
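The following pom.xml fragment is an added example of how these parameters are set for the report goal; it is not taken from the plugin's own documentation. The plugin coordinates are placeholders (take them from your Ounce/Maven distribution), the report path, context-line counts, caller string and pathVariableMap entries are constructed values, and the element names follow the standard Maven rule that each mojo parameter is configured by an element of the same name inside <configuration>.

```xml
<project>
  <modelVersion>4.0.0</modelVersion>
  <!-- your own groupId, artifactId and version go here -->
  <reporting>
    <plugins>
      <plugin>
        <!-- placeholders: use the coordinates shipped with your Ounce/Maven plugin -->
        <groupId>PLUGIN_GROUP_ID_PLACEHOLDER</groupId>
        <artifactId>PLUGIN_ARTIFACT_ID_PLACEHOLDER</artifactId>
        <version>PLUGIN_VERSION_PLACEHOLDER</version>
        <configuration>
          <!-- the .paf to scan; this is already the default and is shown for clarity -->
          <applicationFile>${basedir}/${project.artifactId}.paf</applicationFile>

          <!-- label the assessment and the ounceauto log entries so a CI run can be traced -->
          <assessmentName>${project.name}-${project.version}</assessmentName>
          <caller>maven-site-build</caller>

          <!-- requesting a reportType makes reportOutputType and reportOutputPath mandatory -->
          <reportType>Findings By CWE</reportType>
          <reportOutputType>html</reportOutputType>
          <reportOutputPath>${project.build.directory}/ounce-report</reportOutputPath>

          <!-- constructed values: lines of source context around each finding -->
          <includeSrcBefore>3</includeSrcBefore>
          <includeSrcAfter>3</includeSrcAfter>

          <!-- block the build until the scan is done, so a deployed site contains the report -->
          <waitForScan>true</waitForScan>

          <!-- leave pom-packaging modules unscanned (the default) -->
          <skipPoms>true</skipPoms>

          <!-- Map parameter: each child element name is an Ounce variable name, its text the path.
               The variable names below are constructed placeholders. -->
          <pathVariableMap>
            <SRC_ROOT_PLACEHOLDER>${basedir}/src/main/java</SRC_ROOT_PLACEHOLDER>
            <LIB_ROOT_PLACEHOLDER>${basedir}/lib</LIB_ROOT_PLACEHOLDER>
          </pathVariableMap>
        </configuration>
      </plugin>
    </plugins>
  </reporting>
</project>
```

Running mvn site then executes the package phase, runs the scan in the goal's own scan lifecycle, and writes the report under the configured reportOutputPath. Because each scalar parameter has an expression, the same values can be supplied from the command line instead, for example mvn site -Dounce.reportType="Findings By CWE" -Dounce.reportOutputType=html -Dounce.reportOutputPath=target/ounce-report; pathVariableMap has no expression and must be configured in the pom as above.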

Parameter Details

applicationFile The location of the application file (.paf) to scan.
  • Type: java.lang.String
  • Required: No
  • Expression: ${ounce.applicationFile}
  • Default: ${basedir}/${project.artifactId}.paf

assessmentName A name to help identify the assessment.
  • Type: java.lang.String
  • Required: No
  • Expression: ${project.name}-${project.version}

assessmentOutput A filename to which to save the assessment.

If filename is not specified, Ounce/Maven generates a name based on the application name and timestamp and saves it to the application's working directory.
  • Type: java.lang.String
  • Required: No
  • Expression: ${ounce.assessmentOutput}

caller A short string to help identify the corresponding entries in the ounceauto log file.
  • Type: java.lang.String
  • Required: No
  • Expression: ${ounce.caller}

coreHint This hint provides a way to switch the core implementation. Consult Ounce support for details; most users should leave this set to the default. Use -Dounce.core=console to have the output displayed instead of written to the file, for debugging purposes.
  • Type: java.lang.String
  • Required: No
  • Expression: ${ounce.core}
  • Default: ouncexml

existingAssessmentFile Specify the name of an existing assessment for which to generate a report. If not specified, Ounce/Maven scans the application and generates the report from that assessment.
  • Type: java.lang.String
  • Required: No
  • Expression: ${ounce.existingAssessmentFile}

includeSrcAfter Number of lines of source code to include in the report after each finding.
  • Type: int
  • Required: No
  • Expression: ${ounce.includeSrcAfter}

includeSrcBefore Number of lines of source code to include in the report before each finding.
  • Type: int
  • Required: No
  • Expression: ${ounce.includeSrcBefore}

installDir The location of the Ounce client installation directory if the Ounce client is not on the path.
  • Type: java.lang.String
  • Required: No
  • Expression: ${ounce.installDir}

pathVariableMap Map of Ounce variable names and paths.

pathVariableMap variables are automatically registered with Ounce by the Ounce/Maven plugin if the Ounce Automation Server is installed.
  • Type: java.util.Map
  • Required: No

publish Automatically publish the assessment following the completion of the scan.
  • Type: boolean
  • Required: No
  • Expression: ${ounce.publish}
  • Default: false

reportOutputPath The path to which to write the report specified in reportType. Required with reportType.
  • Type: java.lang.String
  • Required: No
  • Expression: ${ounce.reportOutputPath}

reportOutputType The output to generate for the report specified in reportType. Required with reportType. Output type may be html, zip, pdf-summary, pdf-detailed, pdf-comprehensive, or pdf-annotated.
  • Type: java.lang.String
  • Required: No
  • Expression: ${ounce.reportOutputType}

reportType Generates an Ounce report of the specified type, including findings reports, SmartAudit Reports, and, if available, custom reports. Ounce/Maven generates a report for this assessment after the scan completes.

The following report types are included: Findings, Findings By CWE, Findings By API, Findings By Classification, Findings By File, Findings By Type, Findings By Bundle, OWASP Top Ten, PCI Data Security Standard, Ounce Software Security Profile, or OWASP Top Ten 2007.

If you specify reportType, then reportOutputType and reportOutputPath are required.
  • Type: java.lang.String
  • Required: No
  • Expression: ${ounce.reportType}

siteRenderer For internal use only.
  • Type: org.apache.maven.doxia.siterenderer.Renderer
  • Required: No

skipPoms Whether pom packaging projects should be skipped. Typically these will not have source code and should be excluded. This is true by default because the application or projects are typically created at a pom level and the poms have no source to be analyzed. Only change this if you have source in your "pom" packaging projects that needs to be scanned.
  • Type: boolean
  • Required: No
  • Expression: ${ounce.skipPoms}
  • Default: true

waitForScan Forces the goal to wait until the scan finishes, thus blocking the Maven build. This is useful if the scan is being performed from the report mojo as part of integration with the site target and the site is getting deployed.
  • Type: boolean
  • Required: No
  • Expression: ${ounce.wait}
  • Default: false